Showing posts with label Configuration. Show all posts

Tuesday, October 20, 2015

What Happened To My Custom Delegation?

The concept of delegation on AD objects is familiar to every AD administrator. The need to create custom delegation on objects is common, and even though AD delegation can be quite complex, the amount of experience and knowledge that has been shared has simplified the process.

Here is the known problem... Imagine you delegate permissions to an OU, but for some reason certain objects do not take the new ACL (Access Control List). You perform the delegation again and confirm that the ACL is on the object correctly. You go about your business and after a while realize that the custom delegation is not working. You go back to check the object and your custom delegation is gone. What happened to my custom delegation?

Active Directory and Protected Groups

Ever since Windows 2000, Active Directory has had a mechanism to ensure members of protected groups have standardized and controlled security descriptors. The process is complex and there are many moving parts that are worth exploring and defining. In the end, excluding certain protected groups from this process may be quite helpful.
There is much information on TechNet and MSDN that explores these concepts, and a simple Binggle search will uncover additional information.
Let’s explore some of the parts and provide some context.

AdminSDHolder

AdminSDHolder is a container in AD that holds the Security Descriptor applied to members of protected groups. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the ‘system’ container under the domain and right click on the sub-container called AdminSDHolder and select properties. The Security tab displays the ACL that will be applied to all members of protected groups.



SD Propagator

The SD Propagator is a process that runs on a schedule on the PDC emulator to find members of protected groups and ensure the appropriate Access Control List (ACL) is present. The SD Propagator runs every hour by default, but it can run at a different frequency by adding the value AdminSDProtectFrequency under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. This can be configured anywhere between one minute and two hours. If the value is not present in this registry subkey, the default of 60 minutes is applied.

dsHeuristics

The dsHeuristics attribute is a Unicode String value on the Directory Service object in the configuration container. It defines multiple forest-wide configuration settings, one of which is the set of built-in groups to be excluded from the list of Protected Groups. You can view the value of the dsHeuristics attribute in the LDP or ADSIEdit tools. Below is the attribute viewed from ADSIEdit.



If a built-in group from the table below needs to be excluded from the protection of the SD Propagator, this value will need to be updated. It must be done carefully, as it is a forest-wide setting and the value has implications across other pieces of configuration. You can Binggle this to find explicit instructions on how to update this attribute. Below are the groups that can be excluded from the process and the values that they carry. If multiple groups are to be excluded, their values are added together.

Bit   Group to Exclude    Binary Value   Hex Value
0     Account Operators   0001           1
1     Server Operators    0010           2
2     Print Operators     0100           4
3     Backup Operators    1000           8

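The bit values in the table are combined into a single hex digit, the 16th character of dsHeuristics. The script below is an added example, not code from the original post: it reads the current value from the Directory Service object, decodes which operator groups are already excluded, and composes a proposed new value. It assumes the ActiveDirectory module, the default built-in group names, and the documented rule that the 10th character of dsHeuristics must be '1'. The write step is a separate function that prompts for confirmation, because this is a forest-wide setting.

```powershell
# Added example (not from the original post): decode and compose the 16th character
# of dsHeuristics, which excludes built-in operator groups from AdminSDHolder protection.
Import-Module ActiveDirectory

# Bit values from the table above (assumed default group names).
$ExcludableGroups = [ordered]@{
    'Account Operators' = 1
    'Server Operators'  = 2
    'Print Operators'   = 4
    'Backup Operators'  = 8
}

function Get-DirectoryServiceDN {
    # The Directory Service object lives in the configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-DsHeuristicsValue {
    (Get-ADObject -Identity (Get-DirectoryServiceDN) -Properties dsHeuristics).dsHeuristics
}

function ConvertFrom-AdminSDExMask {
    param([string]$DsHeuristics)
    # A missing or short value means no group is excluded.
    if ([string]::IsNullOrEmpty($DsHeuristics) -or $DsHeuristics.Length -lt 16) { return @() }
    $mask = [Convert]::ToInt32($DsHeuristics[15].ToString(), 16)   # 16th character, hex digit
    $ExcludableGroups.GetEnumerator() |
        Where-Object { ($mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function New-DsHeuristicsValue {
    param([string]$Current, [string[]]$GroupsToExclude)
    $mask = 0
    foreach ($g in $GroupsToExclude) {
        if (-not $ExcludableGroups.Contains($g)) { throw "Not an excludable built-in group: $g" }
        $mask = $mask -bor $ExcludableGroups[$g]   # values are added together, as the table says
    }
    if (-not $Current) { $Current = '' }
    # Pad with '0' up to position 16; the documented format requires the 10th character to be '1'.
    $chars = $Current.PadRight(16, '0').ToCharArray()
    $chars[9]  = '1'
    $chars[15] = [char]('{0:x}' -f $mask)
    -join $chars
}

function Set-DsHeuristicsValue {
    param([Parameter(Mandatory)][string]$Value)
    # Forest-wide change: -Confirm forces an explicit yes before the attribute is replaced.
    Set-ADObject -Identity (Get-DirectoryServiceDN) -Replace @{ dsHeuristics = $Value } -Confirm
}

$current = Get-DsHeuristicsValue
"Current dsHeuristics : $current"
"Currently excluded   : $((ConvertFrom-AdminSDExMask $current) -join ', ')"
$proposed = New-DsHeuristicsValue -Current $current -GroupsToExclude 'Print Operators', 'Backup Operators'
"Proposed dsHeuristics: $proposed"
# Set-DsHeuristicsValue -Value $proposed   # uncomment only after reviewing the proposed value
```

Run the decode first on a forest where you believe nothing is excluded; if the value already has a non-zero 16th character, somebody has changed it before, which is worth knowing before you overwrite it.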
adminCount

The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is <not set> or 0, then the user is not protected by SD Propagation. If the value of adminCount is set to 1, that means the user is, or has been, a member of a protected group. The value can be seen in ADUC, ADSIEdit or LDP. Below is the attribute viewed via ADUC.
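Because adminCount stays at 1 after a user leaves a protected group, the AdminSDHolder ACL (with inheritance disabled) stays on that user, which is the usual reason custom OU delegation silently disappears. The script below is an added example, not code from the original post. It lists users flagged adminCount=1 who are not currently members of any default protected group, reports the SD Propagator frequency on the PDC emulator, and provides a repair function that clears adminCount and re-enables inheritance. It assumes the ActiveDirectory module, the default protected group names, and that WinRM is reachable on the PDC emulator.

```powershell
# Added example (not from the original post): audit orphaned adminCount=1 users and
# report the SD Propagator schedule on the PDC emulator.
Import-Module ActiveDirectory

# Default protected groups (assumed default names); membership is resolved recursively.
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'

function Get-ProtectedMemberDNs {
    $dns = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($name in $ProtectedGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { [void]$dns.Add($_.DistinguishedName) }
    }
    $dns
}

function Get-OrphanedAdminCountUsers {
    $protected = Get-ProtectedMemberDNs
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
        Where-Object {
            # Administrator and krbtgt are protected individually, not via a group.
            -not $protected.Contains($_.DistinguishedName) -and
            $_.SamAccountName -notin 'Administrator', 'krbtgt'
        } |
        Select-Object SamAccountName, DistinguishedName, whenChanged
}

function Get-SDPropagatorFrequencySeconds {
    # The value lives on the PDC emulator; 3600 seconds (60 minutes) is the default.
    $pdc = (Get-ADDomain).PDCEmulator
    Invoke-Command -ComputerName $pdc -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $p = Get-ItemProperty -Path $key -Name AdminSDProtectFrequency -ErrorAction SilentlyContinue
        if ($p) { $p.AdminSDProtectFrequency } else { 3600 }
    }
}

function Repair-OrphanedAdminCountUser {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Clearing adminCount alone is not enough: the SD Propagator also disabled ACL
    # inheritance on the object, so re-enable it to let the OU delegation flow back down.
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

"SD Propagator runs every $(Get-SDPropagatorFrequencySeconds) seconds on the PDC emulator"
$orphans = Get-OrphanedAdminCountUsers
$orphans | Format-Table
# $orphans | ForEach-Object { Repair-OrphanedAdminCountUser -DistinguishedName $_.DistinguishedName }
```

Review the orphan list before running the repair line: an account that is out of every protected group today may be on its way back in, and the SD Propagator will simply reapply the AdminSDHolder ACL on its next pass if so.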



Additional Reading

Make sure to search MSDN, TechNet and other web resources to find instructions and guidance on how to manipulate these attributes. Here are a few articles to get you started:
http://support.nordicedge.com/nsd1313-exclude-protected-groups-from-adminsdholder-in-active-directory/

Thursday, August 6, 2015

Hyper-V lab corrupt after Windows 10 upgrade?

OK, So I have no idea, yet, if this has anything to do with my upgrade to Windows 10 but the timing is suspicious.

I have a simple lab setup in Hyper-V running on my Windows 8.1 Lenovo w550s. Well it was running 8.1 until yesterday.

My lab consists of three VMs, one DC, one member Server and one client. I have three Virtual switches created, one internal and two external. The external switches are simply there so that I can quickly shift from traffic going through my wired network to traffic going through my wifi. There are surely lots of ways to do this but at the end of the day this is the most logical to me.

 


So, the member server is dual-homed and has one NIC on the Internal Network and one NIC on the external. The DC and the Client only have a single NIC each on the Internal Network. The member server runs RRAS and handles all traffic going in and out of the environment. It acts as a router for the Internal network.
"OK, blah, blah, blah. What is the point Kevin?"
I'm getting there... seriously. So, I was happily running this lab with all the great SDM solutions installed. Life was grand! Then I upgraded to Windows 10.

Now I'm a huge fan of Windows 10. I've been using it for months and I was seriously clicking the little logo in the tray of my new work laptop since July 29th to get the upgrade... it wasn't coming. Finally yesterday it is there! Yeah. Now, I'm not quite as excited as I am for the new Star Wars movie but my geek flag was flying.

The upgrade was smooth, really smooth, and quick. It was really nice. One minor issue, my dual monitor stopped working. I have a DisplayLink Thinkpad mini-doc thingy, it needed a new driver. That was it. I had heard some horror stories but my experience was great.

Then I launched my VMs and some super simple config was changed. I can't say it was the upgrade but I can't think of what could have done it. It didn't take long to diagnose but it could have. It wasn't super logical what happened, but it has to do with the above configuration. I just had to go into Hyper-V, check the Switch. My External Switch was changed to Internal. It just needed to be changed back.

I was showing how to do this in PowerShell and realized another issue. It appears the Hyper-V help content, even after running Update-Help, isn't updating. Once I figure that out, I'll get a video posted of how to address this issue with Hyper-V. But to get you started...

PS C:\> Get-VMSwitch
PS C:\> Set-VMSwitch

A bit more than that but you get the picture. 

Best,
Kevin
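The "bit more than that" is mainly the parameters: an External switch is one bound to a physical adapter, so converting a switch back from Internal to External means handing Set-VMSwitch a NetAdapterName. The script below is an added example, not the author's, and the switch name "External-Wired" and adapter name "Ethernet" are assumptions.

```powershell
# Added example (not from the original post): list switch bindings and restore a switch
# that has been flipped from External to Internal. Requires the Hyper-V module.
Import-Module Hyper-V

function Show-VMSwitchBinding {
    # SwitchType and the bound adapter are what the Virtual Switch Manager dialog shows.
    Get-VMSwitch |
        Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
}

function Restore-ExternalVMSwitch {
    param(
        [Parameter(Mandatory)][string]$SwitchName,      # assumed: 'External-Wired'
        [Parameter(Mandatory)][string]$NetAdapterName   # assumed: 'Ethernet'
    )
    $sw = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
    if ($sw.SwitchType -eq 'External') {
        "$SwitchName is already External (bound to $($sw.NetAdapterInterfaceDescription))"
        return
    }
    # Fail early if the physical adapter name is wrong rather than leaving the switch half-configured.
    $nic = Get-NetAdapter -Name $NetAdapterName -ErrorAction Stop
    if ($nic.Status -ne 'Up') { Write-Warning "$NetAdapterName is $($nic.Status)" }

    # Binding a physical adapter is what turns an Internal/Private switch into an External one.
    Set-VMSwitch -Name $SwitchName -NetAdapterName $NetAdapterName -AllowManagementOS $true
    Get-VMSwitch -Name $SwitchName |
        Select-Object Name, SwitchType, NetAdapterInterfaceDescription
}

Show-VMSwitchBinding
Restore-ExternalVMSwitch -SwitchName 'External-Wired' -NetAdapterName 'Ethernet'
```

Running Show-VMSwitchBinding before and after an OS upgrade, and keeping the output, turns "the timing is suspicious" into something you can actually diff.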

Friday, August 22, 2014

Group Policy 002: The Cmdlets - New-GPO

Simple!

It really is. I want to create a new GPO from PowerShell. Of course there will be work to do later but just get the GPO created. 

I created a brief video walking through the process.


Enjoy!
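The video is not reproduced here, so as an added example (not the author's code) this is the same job in a script: create the GPO, link it to an OU with the link disabled so the settings can be reviewed before anything applies, and read it back. The GPO name "Workstation Baseline" and the OU distinguished name are assumptions.

```powershell
# Added example (not from the original post): New-GPO with a safe, initially disabled link.
Import-Module GroupPolicy

function New-LinkedGpo {
    param(
        [Parameter(Mandatory)][string]$Name,       # assumed: 'Workstation Baseline'
        [Parameter(Mandatory)][string]$TargetOU,   # assumed: 'OU=Workstations,DC=corp,DC=example'
        [string]$Comment = 'Created from PowerShell'
    )
    # GPO names are not unique in AD, so refuse to create a second one with the same name.
    if (Get-GPO -Name $Name -ErrorAction SilentlyContinue) {
        throw "A GPO named '$Name' already exists"
    }

    # The new GPO lands in the "Group Policy Objects" container and affects nothing until linked.
    $gpo = New-GPO -Name $Name -Comment $Comment

    # Link it, but disabled: the settings are still empty and can be reviewed first.
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No | Out-Null

    Get-GPO -Guid $gpo.Id | Select-Object DisplayName, Id, GpoStatus, CreationTime
}

New-LinkedGpo -Name 'Workstation Baseline' -TargetOU 'OU=Workstations,DC=corp,DC=example'
```

When the settings are ready, Set-GPLink -Guid <id> -Target <OU> -LinkEnabled Yes turns the link on; until then the GPO is visible in the GPMC but applies to nobody.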

Sunday, March 30, 2014

PowerShell 005 – Install-ADDSForest

Setting Up a Lab

DCPromo has come a long way in the past 13+ years. Windows Server as a whole is so incredibly different: more powerful, more intuitive, more manageable. It is simply a great operating system to work with. I have a very specific scenario that I want to talk about here. That is setting up a lab.

There are many ways to do this, and they all have their benefits. I want to start simply: the first machine in the lab, set up as the forest root, your first DC.

The Scenario

This is not simply building a new lab. This is the re-building process that many of us go through every couple of months to get a clear setup to test with. Building the lab manually is a powerful experience especially when you are being introduced to a new OS. In this case I’m running Windows Server 2012 R2. I want to walk through the creation process manually to see if anything noticeable has changed. In this case I have already installed the Active Directory Domain Services Role and now it needs to be configured. This is the DCPromo process we have used for years. The task is initiated from within Server Manager.

After you install the AD DS role you will notice a flag informing you that you now need to ‘promote’ this server to function as a Domain Controller.


Click ‘Promote this server to a domain controller’ and the ‘Deployment Configuration’ Wizard will start.

The purpose of this post is not to walk through the configuration of the domain. In summary you can add a new DC to a domain, add a new domain or create a new forest. I’m going to create a new forest.

After walking through the basic configuration (naming your domain, DC options, functional levels, NetBIOS naming, paths to files, etc.), you will come to a page in the wizard called ‘Review Options’. Along the way there are lots of links to additional information. If you are new to AD or new to Windows Server 2012 R2, take the time to read this information. It will save you time in the future.


Notice the ‘View script’ button in the bottom of the dialog. Hmmm… what could that be?


A simple PowerShell script to configure your first DC. You don’t need to, or want to, run the wizard every time you need to rebuild your lab. Simply save this script as a .ps1 file. Save it in a place that you will keep to use every time you build out a new lab.

I am going to cancel the wizard after I save the script. I want to execute this DC promotion in PowerShell. I like to use the PowerShell ISE for multiple reasons, but when working with scripts the big one is that you have the scripting window right alongside the console. Makes things very easy.


You can hit F5 or click the green arrow or get into the ‘Debug’ menu for more options. For the quick and dirty I’m just clicking the green arrow. Provide your SafeModeAdministratorPassword and off it goes.


You may get some messages and warnings along the way. PowerShell seems to provide great feedback to help you understand what is going on.


The server will reboot and your DC is set up.

Save the script, store it. You will find many others. I will explore Desired State Configuration (DSC) in the future to really fully leverage PowerShell to manage deployment and configuration of components across your enterprise. I have a long way to go before I’m ready for that! Just getting my feet wet with DSC at this point.
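The script the author saved from ‘View script’ is not on the page, so what follows is an added reconstruction of the kind of script that button emits, not the author's own file. The domain name corp.example.com, the NetBIOS name CORP and the default paths are assumptions; the role-install line is only needed if the AD DS role is not already installed, and the Test-ADDSForestInstallation call runs the wizard's prerequisite checks without changing anything.

```powershell
# Added reconstruction (not the author's saved script) of a first-DC / new-forest promotion.
# Run in an elevated PowerShell session on the server that will become the forest root DC.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools   # skip if the role is already installed
Import-Module ADDSDeployment

# The DSRM password is prompted for rather than stored in the script.
$dsrmPassword = Read-Host -Prompt 'SafeModeAdministratorPassword' -AsSecureString

# Assumed lab values; change these for your own forest.
$forest = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# Prerequisite check first: same parameters, no changes made, failures reported up front.
$check = Test-ADDSForestInstallation @forest
$check

# Promote. -Force suppresses the confirmation prompt; the server reboots when finished.
Install-ADDSForest @forest -NoRebootOnCompletion:$false -Force:$true
```

Keeping the values in a hashtable and splatting them into both cmdlets guarantees the prerequisite check and the real promotion see exactly the same configuration.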

Enjoy!

Group Policy 001: Intro to the GPMC

Tools


There are multiple tools you use when working with Group Policy. The two primary tools have not changed much since Windows Server 2003 R2. The primary reason is that they just work great, do what they are supposed to do and focus on key scenarios. This is a quick overview of the Group Policy Management Console, or the GPMC, the first of the two primary tools. A follow-up post will explore the editor, the GPME.

Group Policy Management Console


The Group Policy Management Console, or GPMC, is the primary tool for managing Group Policy. This is where you create, link, secure, delegate control, report on, monitor status and more. It is a common tool for network administrators and desktop administrators alike and covers a lot of scenarios.

GPMC
In the GPMC you will see all domains and sites defined in your forest. Group Policy is primarily a domain-specific technology. Keeping your management within a domain makes things easier, but being able to apply policy across the enterprise, regardless of which domain a user or computer happens to be in, is a very powerful feature.

The tool itself likes to focus its attention on the domain controller that holds the PDC emulator role. Some of us old people actually had to work with actual PDCs. In tools like GPMC, if you choose to focus the attention on a different domain controller in your enterprise, it is an easy change. Simply access the Action menu from the domain you are focused on and choose 'Change Domain Controller...'.

Change DC

Create Group Policy Objects


One important aspect of managing Group Policy is where the data is actually stored. This is important because GP is not the most forgiving of technologies. You want to know where you are placing a GPO and who/what it is affecting. There is a container under the Domain node in the GPMC called "Group Policy Objects". This container is where all GPOs are stored, whether they are linked or not. I like to create my GPOs in this container and manage linking and delegating during my configuration process. To create a GPO:
  1. Right click on the "Group Policy Objects" node and select 'New'
  2. Give the GPO a Name 
  3. Choose to start from scratch or pick a 'Source Starter GPO' (Starter GPOs will have to be another post)
  4. Click OK
New GPO

Select the GPO you created in the list under the 'Group Policy Objects' container. The right-hand side of the screen will contain the majority of information you need related to this GPO. The 'Scope' tab shows effectively which users and which computers may be affected by this GPO. I say may simply because there are additional caveats to cover in other posts. It will show which OUs the GPO is linked to, what security groups will be affected by this GPO and even any WMI filters that will more granularly control application of the GPO.

The 'Details' tab shows version information, ownership and the GUID that references this GPO. This will be very important in other advanced scenarios.

The 'Settings' tab shows the native Microsoft settings configured in this Group Policy object. The 'Delegation' tab shows which users will have access to this GPO for management purposes.

And the last tab, 'Status', is the newest piece of functionality here, and it will show you the replication status of this GPO across the other domain controllers.


GPO Details

There is a lot more to cover in the GPMC but for this overview that is a good start. Let's look at editing a Group Policy Object in a follow-up post.
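Everything the Scope, Details, Settings and Delegation tabs show is also reachable from the GroupPolicy cmdlets, which matters when you want to audit many GPOs rather than click through them. The script below is an added example, not code from the original post; the GPO name "Workstation Baseline" and the report path are assumptions, and it needs both the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the original post): collect what the GPMC tabs display for one GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoOverview {
    param(
        [Parameter(Mandatory)][string]$Name,                     # assumed: 'Workstation Baseline'
        [string]$ReportPath = "$env:TEMP\gpo-settings.html"      # assumed output location
    )
    $gpo = Get-GPO -Name $Name -ErrorAction Stop

    # Details tab: GUID, owner, status and the per-side version numbers.
    $details = [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        Owner            = $gpo.Owner
        GpoStatus        = $gpo.GpoStatus
        UserVersion      = $gpo.User.DSVersion
        ComputerVersion  = $gpo.Computer.DSVersion
        WmiFilter        = $gpo.WmiFilter.Name
        ModificationTime = $gpo.ModificationTime
    }

    # Scope tab: links are stored on the target containers, not on the GPO, so check the
    # domain root and every OU for a link that points at this GPO's GUID.
    $domainDN = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
    $links = foreach ($t in $targets) {
        (Get-GPInheritance -Target $t).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id } |
            Select-Object Target, Enabled, Enforced, Order
    }

    # Delegation tab: each trustee and its permission level on the GPO object.
    $delegation = Get-GPPermission -Guid $gpo.Id -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

    # Settings tab: the configured settings, written out as an HTML report.
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $ReportPath

    [pscustomobject]@{ Details = $details; Links = $links; Delegation = $delegation; Report = $ReportPath }
}

$overview = Get-GpoOverview -Name 'Workstation Baseline'
$overview.Details
$overview.Links      | Format-Table
$overview.Delegation | Format-Table
"Settings report written to $($overview.Report)"
```

The Delegation output is the one to watch: a trustee with GpoEdit or GpoEditDeleteModifySecurity on a GPO linked high in the domain can change settings that apply to every computer under that link, so it belongs in the same review as the Scope results.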