Tuesday, October 20, 2015

What Happened To My Custom Delegation?

The concept of delegation on AD objects is known to all AD administrators. The need to create custom delegation on objects is common and even though AD delegation can be quite complex, the amount of experience and knowledge that has been shared, has simplified the process.

Here is the known problem... Imagine you delegate permissions to an OU but for some reason certain objects do not take the new ACL (Access Control List). You perform the delegation again, and confirm that the ACL is on the object correctly. You go about your business and after a while realize that the custom delegation is not working. You go back to check the object and your custom delegation is gone. What happened to my custom delegation?

Active Directory and Protected Groups

Ever since Windows 2000 Active Directory has had a mechanism to ensure members of protected groups have standardized and controlled security descriptors. The process is complex and there are many moving parts that are worth exploring and defining. In the end excluding certain protected groups from this process may be quite helpful.
There is much information on TechNet and MSDN that explores these concepts and a simple Binggle search will uncover additional information.
Let’s explore some of the parts and provide some context.

AdminSDHolder

AdminSDHolder is a container in AD that holds the Security Descriptor applied to members of protected groups. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the ‘system’ container under the domain and right click on the sub-container called AdminSDHolder and select properties. The Security tab displays the ACL that will be applied to all members of protected groups.



SD Propagator

The SD Propagator is a process that runs on a schedule on the PDC emulator to find members of protected groups and ensure the appropriate Access Control List (ACL) is present. The SD Propagator runs every hour by default but can run at a different frequency by adding the value AdminSDProtectFrequency to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. This can be configured anywhere between one minute and two hours. If the value is not present in this registry sub key the default of 60 minutes is applied.

dsHeuristics

The dsHeuristics attribute is a Unicode String value on the Directory Service object in the configuration container. It defines multiple forest wide configuration settings, one of which is the set of built-in groups to be excluded from the list of Protected Groups. You can view the value of the dsHeuristics attribute in the LDP or ADSIEdit tools. Below is the attribute viewed from ADSIEdit.



If a built-in group, from the table below, needs to be excluded from the protection of the SD Propagator, this value will need to be updated. It must be done carefully as it is a forest wide setting and the value has implications across other pieces of configuration. You can Binggle this to find explicit instructions on how to update this attribute. Below are the groups that can be excluded from the process and the values that they carry. If multiple groups are to be excluded their values are added together.

Bit   Group to Exclude    Binary Value   Hex Value
0     Account Operators   0001           1
1     Server Operators    0010           2
2     Print Operators     0100           4
3     Backup Operators    1000           8

adminCount

The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is <not set> or 0 then the user is not protected by the SD Propagation. If the value of adminCount is set to 1 that means the user is, or has been, a member of a protected group. The value can be seen in ADUC or ADSIEdit or LDP. Below is the attribute viewed via ADUC.
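As an added example (not from the post), here are read-only checks for the dsHeuristics and adminCount pieces described above: one decodes which operator groups dsHeuristics currently excludes using the bit table above, the other lists users whose adminCount is 1 but who are no longer in any protected group, which is exactly the state in which an OU delegation silently stops applying. It assumes the ActiveDirectory module and uses the well-known protected-group list and the known position of the exclusion flags in dsHeuristics, neither of which the post spells out.

```powershell
# Added example, not code from the original post. Read-only: nothing is modified.
Import-Module ActiveDirectory

# Bit table from the post. The flags live in the 16th character of dsHeuristics
# (index 15); that position is a known Microsoft detail, not stated in the post.
$ExclusionBits = @{ 1 = 'Account Operators'; 2 = 'Server Operators';
                    4 = 'Print Operators';   8 = 'Backup Operators' }

function Get-AdminSDExcludedGroups {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dsa = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dsHeuristics
    $raw = [string]$dsa.dsHeuristics
    if ($raw.Length -lt 16) { return @() }                   # too short: nothing is excluded
    $mask = [Convert]::ToInt32($raw.Substring(15, 1), 16)    # flags are one hex digit
    $ExclusionBits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $ExclusionBits[$_] }
}

# Groups whose members receive the AdminSDHolder ACL (well-known list, not from the post).
$ProtectedGroups = 'Administrators','Account Operators','Server Operators','Print Operators',
    'Backup Operators','Domain Admins','Enterprise Admins','Schema Admins','Domain Controllers',
    'Read-only Domain Controllers','Replicator'

function Get-StaleAdminCountUsers {
    # adminCount=1 survives removal from a protected group and inheritance stays disabled,
    # so such accounts never pick up OU delegation again until adminCount is cleared.
    $excluded = Get-AdminSDExcludedGroups
    $protectedMembers = @{}
    foreach ($g in $ProtectedGroups) {
        if ($excluded -contains $g) { continue }             # excluded groups are not stamped
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { $protectedMembers[$_.distinguishedName] = $g }
    }
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |    # krbtgt is protected on its own
        Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) } |
        Select-Object SamAccountName, DistinguishedName
}

"Groups excluded via dsHeuristics: $((Get-AdminSDExcludedGroups) -join ', ')"
Get-StaleAdminCountUsers | Format-Table -AutoSize
```

Accounts listed by the second function are the usual answer to "what happened to my custom delegation": clearing adminCount and re-enabling inheritance on them is a deliberate admin decision, so the script only reports.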



Additional Reading

Make sure to search MSDN, TechNet and other web resources to find instructions and guidance on how to manipulate these attributes. Here are a few articles to get you started:
http://support.nordicedge.com/nsd1313-exclude-protected-groups-from-adminsdholder-in-active-directory/

Wednesday, October 14, 2015

Moving Azure VM from one Subnet to another

Problem

As I built up my Azure lab I was learning. After a while I have learned quite a bit about how to manage resources on Azure, especially from an IaaS perspective. I love having my lab up on Azure. I get hours through my MSDN subscription and try to keep within those hours, so the size of VMs and what is running at any given time is important to me.

One area that I don't have set up quite as optimally as I would like is my network. I have one Virtual Network and when I created my first subnet I did not allocate enough bits, so there are only a few host addresses available. So I just created a second subnet (I actually created three). So, not great, but during the process I learned a lot about the Azure Virtual Network stack and it was well worth it.

So, today, I had a need to test something on an un-patched Windows Server 2008 R2 box. I don't tend to keep that server running. I have it in my Azure space but it is marked as 'StoppedDeallocated'. This means it is not taking up any 'billable' resources in Azure. It is there so when you need it you can grab it, but you are not charged for it on an ongoing basis. This is great for labs.

So, I went to launch the VM and it threw up all over the place... can't do it... error... blech.

Get-AzureVM scisrv2 |Start-AzureVM

Seems simple but no. I found a really nifty and quick way to address this. If you Bing around you will find lots of super convoluted ways to create new VMs, attach them to the old disks, etc., but this is likely newer... meaning a technique that wasn't available a couple of years ago. I believe this came from an MSDN doc but can't find the reference right now.

Get-AzureVM -Name <VMName> -ServiceName <ServiceName> | Set-AzureSubnet -SubnetNames subnet-2 | Update-AzureVM

Super simple and gets it back up and running. If you have many Azure VMs laying around de-allocated from a subnet, you may find this useful to get them reallocated then launched.
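As an added example (not from the post), the one-liner above wrapped so it runs over every StoppedDeallocated VM in a cloud service and then starts each one, using the same classic Azure Service Management cmdlets. The service name and subnet name are assumptions.

```powershell
# Added example, not code from the original post. Classic (ASM) Azure cmdlets.
function Restart-DeallocatedVMOnSubnet {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # assumed cloud service name
        [Parameter(Mandatory)][string]$SubnetName     # subnet that still has free addresses
    )
    # The listing view only has Name/Status; fetch the full VM object before editing it.
    Get-AzureVM -ServiceName $ServiceName |
        Where-Object { $_.Status -eq 'StoppedDeallocated' } |
        ForEach-Object {
            Write-Host "Moving $($_.Name) to $SubnetName and starting it"
            Get-AzureVM -ServiceName $ServiceName -Name $_.Name |
                Set-AzureSubnet -SubnetNames $SubnetName |
                Update-AzureVM | Out-Null
            Start-AzureVM -ServiceName $ServiceName -Name $_.Name
        }
}

Restart-DeallocatedVMOnSubnet -ServiceName 'mylab-service' -SubnetName 'subnet-2'
```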

Friday, October 2, 2015

Select-Object and other ways to skin a...

One Problem, Many Solutions

In PowerShell and pretty much any aspect of configuration management, there can be many ways to solve a problem. This really will come down to style at the end of the day. There is a camp where being super explicit in your script/language/examples etc. is desirable. There is another camp that takes the twitter approach and it is a bit of a challenge to see how much functionality can be crammed into the least number of characters as possible. And of course, there are the majority of folks who land smack in the middle.

Which one are you? For many people out there PowerShell is still relatively new and in my opinion being as explicit as possible is a huge benefit to the learning process. Typing everything out can be a pain but with the ISE especially there is amazing auto-complete and IntelliSense which makes this process very easy. Also, in the long run what you write today may not be looked at for a while or some colleague in the future may need to look at what you wrote. Being explicit in your scripts will benefit both of these scenarios. 

On the other hand learning the short-cuts can be super valuable and will help you become a true master of the language. If you use a lot of short cuts make sure to comment your scripts to show what it is you are doing. I know how much IT folks, especially scripters love to comment!

So, these three lines deliver the same information...
  1. PS C:\ > Get-ADUser -Identity Kevin | Select-Object -ExpandProperty PropertyNames
  2. PS C:\ > Get-ADUser Kevin | % PropertyNames 
  3. PS C:\ > (Get-ADUser Kevin).PropertyNames
And there are more ways to get the same results... Check out this quick walk through...



Kevin

Thursday, August 6, 2015

Hyper-V lab corrupt after Windows 10 upgrade?

OK, So I have no idea, yet, if this has anything to do with my upgrade to Windows 10 but the timing is suspicious.

I have a simple lab setup in Hyper-V running on my Windows 8.1 Lenovo w550s. Well it was running 8.1 until yesterday.

My lab consists of three VMs, one DC, one member Server and one client. I have three Virtual switches created, one internal and two external. The external switches are simply there so that I can quickly shift from traffic going through my wired network to traffic going through my wifi. There are surely lots of ways to do this but at the end of the day this is the most logical to me.

 


So, the member server is dual-homed and has one NIC on the Internal Network and one NIC on the external. The DC and the Client only have a single NIC each on the Internal Network. The member server runs RRAS and handles all traffic going in and out of the environment. It acts as a router for the Internal network.
"OK, blah, blah, blah. What is the point Kevin?"
I'm getting there... seriously. So, I was happily running this lab with all the great SDM solutions installed. Life was grand! Then I upgraded to Windows 10.

Now I'm a huge fan of Windows 10. I've been using it for months and I was seriously clicking the little logo in the tray of my new work laptop since July 29th to get the upgrade... it wasn't coming. Finally yesterday it is there! Yeah. Now, I'm not quite as excited as I am for the new Star Wars movie but my geek flag was flying.

The upgrade was smooth, really smooth, and quick. It was really nice. One minor issue, my dual monitor stopped working. I have a DisplayLink Thinkpad mini-doc thingy, it needed a new driver. That was it. I had heard some horror stories but my experience was great.

Then I launched my VMs and some super simple config was changed. I can't say it was the upgrade but I can't think of what could have done it. It didn't take long to diagnose but it could have. It wasn't super logical what happened, but it has to do with the above configuration. I just had to go into Hyper-V, check the Switch. My External Switch was changed to Internal. It just needed to be changed back.

I was showing how to do this in PowerShell and realized another issue. It appears the hyper-v help content, even after running update-help, isn't updating. Once I figure that out, I'll get a video posted of how to address this issue with hyper-v. But to get you started...

PS C:> Get-VMSwitch
PS C:> Set-VMSwitch

A bit more than that but you get the picture. 
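As an added example (not from the post), here is the check-and-fix in PowerShell: list every switch with its type, and for a switch the upgrade flipped to Internal, bind it back to the physical adapter, which is what makes it External again. The switch and adapter names are assumptions.

```powershell
# Added example, not code from the original post. Requires the Hyper-V module.
function Repair-ExternalVMSwitch {
    param(
        [Parameter(Mandatory)][string]$SwitchName,      # assumed switch name
        [Parameter(Mandatory)][string]$NetAdapterName   # assumed physical adapter name
    )
    $sw = Get-VMSwitch -Name $SwitchName
    if ($sw.SwitchType -eq 'External') {
        Write-Host "$SwitchName is already External (bound to $($sw.NetAdapterInterfaceDescription))"
        return
    }
    # Giving Set-VMSwitch a physical adapter converts the switch from Internal to External.
    Set-VMSwitch -Name $SwitchName -NetAdapterName $NetAdapterName
    Get-VMSwitch -Name $SwitchName | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
}

# Survey first: the post's symptom is an External switch that now reports Internal.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Repair-ExternalVMSwitch -SwitchName 'External-Wired' -NetAdapterName 'Ethernet'
```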

Best,
Kevin

Wednesday, August 5, 2015

Windows 10 Administrative Templates

Have you been upgraded to Windows 10 yet? Are you a fan? I am. I've been working with and running Windows 10 on most of my home clients for months now. My work computer just upgraded today with little fanfare. One minor issue where Lenovo had a new Win10 Driver for a mini-port/DisplayLink device. Once I updated that driver all seems lovely!

As you may have seen from Group Policy MVPs and other enthusiasts and writers out there, the Windows 10 Settings spreadsheet has arrived. I can't tell you how many times I have anxiously awaited the new spreadsheet. I've read through and studied far more of these than I like to admit.

If you haven't used the spreadsheet before don't be overwhelmed. It is actually quite whelming, it is not over-whelming, nor is it under-whelming... it is just whelming. I literally yawned as I typed that sentence.

It is however cool and interesting. Knowledge of what settings you can manage for these new clients is super important and this spreadsheet is key to that knowledge.

Some Highlights

If you take a look at and filter on the column called 'New in Windows 10' you will find that there are 201 Administrative Template settings that are labeled as New in Windows 10. 


That is 139 Machine settings and 62 user settings. They are in a lot of ADMX files... 46 files to be close. There is one new setting in the grouppolicy.admx file. One setting to prevent programs from loading untrusted fonts. This setting actually has an interesting 'Audit' mode which allows you to see if blocking untrusted fonts makes bad things happen. Seems interesting, we'll see if it is useful. There are a few AppX related settings, there are many additions to inetres.admx and there are 20 settings in microsoftedge.admx.

Managing Edge will be new and it will be interesting to see how people are using the new browser. I'll have to add some Edge customizations to my <gratuitous plug>"Managing Group Policy and Active Directory with PowerShell" session at Spiceworld on September 25th! </gratuitous plug>.

There is a new setting related to Credential Providers. I'm sure my friends at Specops Software will be interested in that one! 

Summary

Just a brief overview, check out the spreadsheet and the actual ADMX files at these links..
I'll continue to dive in to see what other interesting stuff is in there. I'll take a look at the security tab and put up an overview soon.

Enjoy!
Kevin


Friday, July 31, 2015

Group Policy Comments

Group Policy comments have great potential. I don't see them used too frequently. This is unfortunate as they can be a simple way to document your GPOs so that you can quickly determine what the intent of a given bag of configuration settings may be.

The life-cycle of a Group Policy Object is not something that has received a lot of attention over the years. Microsoft's Advanced Group Policy Management is great, but not widely used and doesn't cover some key life-cycle needs. There are some tools out there to help in that area and at SDM Software you can find a couple of very nice solutions to common configuration issues. Take a look at Group Policy Compliance Manager and Group Policy Auditing and Attestation when you get a chance.

But, out of the box, comments are great and it may be helpful to take a few minutes to check them out. I recorded a bit of a stream of consciousness discussion, with myself, on Group Policy comments. Take a look. If you have ideas of other topics around configuration, Group Policy, PowerShell and more, let me know. I'm happy to drill into different areas that may be helpful to folks.

Enjoy! 
Kevin


Thursday, July 23, 2015

Clean up my Azure space

Starting a new job can be filled with rebuilding labs, cleaning up old configurations, essentially building up tech so that you can start from scratch.

There are so many benefits to being a Microsoft Alumni that I was simply not paying attention to. One of those is 50% off an MSDN subscription (new subscription). That is amazing. I began my MSDN Pro subscription last week. With that level there are $150 a month worth of Azure services! This is great for testing.

I had used Azure quite a bit for different things while at Specops and my liveID was associated with the company. I had done a lot of configuration up there before and I wanted to clean up... get rid of VMs, Networks, essentially wipe and re-load... but no... not really.

The Directory Services I created for labs while at Specops (SullyCo and Speocps Product Services) are apparently there to stay. They most likely won't interfere with anything (but they could) but it is annoying to see artifacts in there that you won't ever use...

It also took me a while to actually figure out this was not possible, after trying many things... finally found the threads and discussions online about this.

Simply for regulatory reasons there should be a way to remove the Directory Services when they are deprecated. If anyone is aware of a way to do this, please let me know.

Kevin