Tuesday, October 20, 2015

What Happened To My Custom Delegation?

The concept of delegation on AD objects is known to all AD administrators. The need to create custom delegation on objects is common, and even though AD delegation can be quite complex, the experience and knowledge that has been shared over the years has simplified the process.

Here is the known problem... Imagine you delegate permissions to an OU, but for some reason certain objects do not take the new ACL (Access Control List). You perform the delegation again and confirm that the ACL is on the object correctly. You go about your business and after a while realize that the custom delegation is not working. You go back to check the object and your custom delegation is gone. What happened to my custom delegation?

Active Directory and Protected Groups

Ever since Windows 2000, Active Directory has had a mechanism to ensure that members of protected groups have standardized and controlled security descriptors. The process is complex and there are many moving parts that are worth exploring and defining. In the end, excluding certain protected groups from this process may be quite helpful.
There is much information on TechNet and MSDN that explores these concepts and a simple Binggle search will uncover additional information.
Let’s explore some of the parts and provide some context.

AdminSDHolder

AdminSDHolder is a container in AD that holds the Security Descriptor applied to members of protected groups. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the ‘System’ container under the domain, right-click the sub-container called AdminSDHolder and select Properties. The Security tab displays the ACL that will be applied to all members of protected groups.



SD Propagator

The SD Propagator is a process that runs on a schedule on the PDC emulator to find members of protected groups and ensure the appropriate Access Control List (ACL) is present. The SD Propagator runs every hour by default, but it can run at a different frequency by adding the value AdminSDProtectFrequency under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. This can be configured anywhere between one minute and two hours. If the value is not present in this registry subkey, the default of 60 minutes is applied.

dsHeuristics

The dsHeuristics attribute is a Unicode String value on the Directory Service object in the configuration container. It defines multiple forest-wide configuration settings, one of which is the set of built-in groups to be excluded from the list of Protected Groups. You can view the value of the dsHeuristics attribute in the LDP or ADSIEdit tools. Below is the attribute viewed from ADSIEdit.



If a built-in group from the table below needs to be excluded from the protection of the SD Propagator, this value will need to be updated. It must be done carefully, as it is a forest-wide setting and the value has implications for other pieces of configuration. You can Binggle this to find explicit instructions on how to update this attribute. Below are the groups that can be excluded from the process and the values that they carry. If multiple groups are to be excluded, their values are added together.

Bit   Group to Exclude    Binary Value   Hex Value
0     Account Operators   0001           1
1     Server Operators    0010           2
2     Print Operators     0100           4
3     Backup Operators    1000           8
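The following PowerShell script is an added example, not from the original post, showing how the bit values in the table combine into the single hex character that dsHeuristics carries for the exclusion mask. It assumes the ActiveDirectory module is available; the group-to-bit mapping comes from the table above, and the position and padding rules (character 16 holds the mask, character 10 must be '1') are taken from the MS-ADTS description of dSHeuristics. Nothing is written unless -Apply is passed.

```powershell
# Added example (not from the original post): build the dsHeuristics value that
# excludes the chosen operator groups from AdminSDHolder protection.
param(
    [ValidateSet('Account Operators','Server Operators','Print Operators','Backup Operators')]
    [string[]]$Exclude = @('Print Operators','Backup Operators'),
    [switch]$Apply
)
Import-Module ActiveDirectory

# Bit values from the table in the post; multiple groups are OR-ed together.
$bits = @{ 'Account Operators' = 1; 'Server Operators' = 2
           'Print Operators'   = 4; 'Backup Operators' = 8 }
$mask = 0
foreach ($g in $Exclude) { $mask = $mask -bor $bits[$g] }

# The Directory Service object lives in the configuration naming context.
$dsPath  = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
$current = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
if (-not $current) { $current = '' }

# The exclusion mask is character 16 (1-based). A shorter string is padded with
# '0', and character 10 must hold the check value '1' (MS-ADTS rule), otherwise
# the whole attribute is treated as invalid.
$chars     = $current.PadRight(16, [char]'0').ToCharArray()
$chars[9]  = [char]'1'
$chars[15] = [char]('{0:X}' -f $mask)
$new       = -join $chars

Write-Host ("Current  dSHeuristics: '{0}'" -f $current)
Write-Host ("Proposed dSHeuristics: '{0}'  (mask 0x{1:X} excludes: {2})" -f
            $new, $mask, ($Exclude -join ', '))

if ($Apply) {
    # Forest-wide change: review the proposed value before running with -Apply.
    Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $new }
}
```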

adminCount

The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is <not set> or 0, then the user is not protected by the SD Propagator. If the value of adminCount is set to 1, that means the user is, or has been, a member of a protected group. The value can be seen in ADUC, ADSIEdit or LDP. Below is the attribute viewed via ADUC.
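To see the problem from the opening of the post before the SD Propagator strikes, the script below (an added example, not from the original post) lists every object with adminCount=1 and reports the explicit ACEs on it that do not appear in AdminSDHolder's ACL: exactly the custom delegation that will be overwritten on the next run. It assumes the ActiveDirectory module and read access through its AD: drive.

```powershell
# Added example (not from the original post): find custom delegation on
# protected objects that the SD Propagator will remove.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"

# Identify an ACE by the fields that make it unique so two ACLs can be compared.
function Get-AceKey($ace) {
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $ace.IdentityReference, $ace.AccessControlType,
        $ace.ActiveDirectoryRights, $ace.ObjectType,
        $ace.InheritedObjectType, $ace.InheritanceType
}
$holderKeys = @{}
foreach ($ace in $holderAcl.Access) { $holderKeys[(Get-AceKey $ace)] = $true }

# adminCount=1 marks users, groups and computers that are (or were) protected.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)'
foreach ($obj in $protected) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    # Explicit ACEs missing from AdminSDHolder are custom delegation; inherited
    # ACEs are ignored because SDProp blocks inheritance on protected objects.
    $extra = @($acl.Access | Where-Object {
        -not $_.IsInherited -and -not $holderKeys.ContainsKey((Get-AceKey $_))
    })
    [pscustomobject]@{
        Object             = $obj.DistinguishedName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExtraAceCount      = $extra.Count
        ExtraAces          = ($extra | ForEach-Object {
                                 "$($_.IdentityReference): $($_.ActiveDirectoryRights)"
                             }) -join '; '
    }
}
```

An object that has left every protected group keeps adminCount=1 and the stamped ACL, so it stays in this report (and under SD Propagator control) until adminCount is cleared and inheritance is re-enabled by hand.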



Additional Reading

Make sure to search MSDN, TechNet and other web resources to find instructions and guidance on how to manipulate these attributes. Here is an article to get you started:
http://support.nordicedge.com/nsd1313-exclude-protected-groups-from-adminsdholder-in-active-directory/

Wednesday, October 14, 2015

Moving Azure VM from one Subnet to another

Problem

As I built up my Azure lab I was learning. After a while I have learned quite a bit about how to manage resources on Azure, especially from an IaaS perspective. I love having my lab up on Azure. I get hours through my MSDN subscription and try to keep within those hours, so the size of VMs and what is running at any given time is important to me.

One area that I don't have set up quite as optimally as I would like is my network. I have one Virtual Network and when I created my first subnet I did not allocate enough bits, so there are few hosts that can take a spot. So I just created a second subnet (I actually created three). So, not great, but during the process I learned a lot about the Azure Virtual Network stack and it was well worth it.

So, today, I had a need to test something on an un-patched Windows Server 2008 R2 box. I don't tend to keep that server running. I have it in my Azure space but it is marked as 'StoppedDeallocated'. This means it is not taking up any 'billable' resources in Azure. It is there so when you need it you can grab it, but you are not charged for it on an ongoing basis. This is great for labs.

So, I went to launch the VM and it threw up all over the place... can't do it... error... blech.

Get-AzureVM scisrv2 | Start-AzureVM

Seems simple but no. I found a really nifty and quick way to address this. If you Bing around you will find lots of super convoluted ways to create new VMs attach to old disks etc. but this is likely newer... meaning a technique that wasn't available a couple of years ago. I believe this came from a MSDN doc but can't find the reference right now.

Get-AzureVM -Name <VMName> -ServiceName <ServiceName> | Set-AzureSubnet -SubnetNames subnet-2 | Update-AzureVM

Super simple and gets it back up and running. If you have many Azure VMs lying around de-allocated from a subnet, you may find this useful to get them reallocated and then launched.
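For the many-VMs case, this added example (not from the original post) wraps the same Set-AzureSubnet pipeline in a loop over every deallocated VM in one classic (ASM) cloud service and starts each one afterwards. The service name and target subnet are placeholders; the subnet must have free addresses.

```powershell
# Added example (not from the original post): move every StoppedDeallocated VM in
# a classic cloud service to a subnet with free addresses, then start it.
$serviceName  = 'my-cloud-service'   # placeholder
$targetSubnet = 'subnet-2'           # placeholder: subnet with free addresses

Get-AzureVM -ServiceName $serviceName |
    Where-Object { $_.Status -eq 'StoppedDeallocated' } |
    ForEach-Object {
        Write-Host "Moving $($_.Name) to $targetSubnet and starting it"
        # Same pipeline as the single-VM fix above, applied per VM.
        $_ | Set-AzureSubnet -SubnetNames $targetSubnet | Update-AzureVM
        Start-AzureVM -ServiceName $serviceName -Name $_.Name
    }
```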

Friday, October 2, 2015

Select-Object and other ways to skin a...

One Problem, Many Solutions

In PowerShell, and in pretty much any aspect of configuration management, there can be many ways to solve a problem. This really comes down to style at the end of the day. There is a camp where being super explicit in your script/language/examples etc. is desirable. There is another camp that takes the Twitter approach, where it is a bit of a challenge to see how much functionality can be crammed into the fewest characters possible. And of course, there are the majority of folks who land smack in the middle.

Which one are you? For many people out there PowerShell is still relatively new and in my opinion being as explicit as possible is a huge benefit to the learning process. Typing everything out can be a pain but with the ISE especially there is amazing auto-complete and IntelliSense which makes this process very easy. Also, in the long run what you write today may not be looked at for a while or some colleague in the future may need to look at what you wrote. Being explicit in your scripts will benefit both of these scenarios. 

On the other hand, learning the shortcuts can be super valuable and will help you become a true master of the language. If you use a lot of shortcuts, make sure to comment your scripts to show what it is you are doing. I know how much IT folks, especially scripters, love to comment!

So, these three lines deliver the same information...
  1. PS C:\ > Get-ADUser -Identity Kevin | Select-Object -ExpandProperty PropertyNames
  2. PS C:\ > Get-ADUser Kevin | % PropertyNames 
  3. PS C:\ > (Get-ADUser Kevin).PropertyNames
And there are more ways to get the same results... Check out this quick walk-through...



Kevin