
How to apply a temporary GPO to a machine being imaged

Depending on how you use Active Directory in your organization, you may be setting a lot of security policies on workstations, and some of these settings can be problematic during the automated build of computers.

A few workarounds exist to avoid applying those to the workstations being imaged:

* Create a temporary OU for the computer account, and move it to the proper location once the build is done
* Change the order of the steps in your build to avoid issues caused by security settings
* Configure a GPO that overrides the settings that only need to be set during deployment, and filter it so it applies only to machines being imaged.

For several reasons, I had to use the last option. It is a rather clean option, as it doesn't involve moving computer accounts after the build or making any changes to the domain during the imaging process, other than joining the machine, which is great.

One word of warning: make sure whatever you are overriding is not a must for security and is simply an "annoyance", because eventually (within a few minutes, probably) a user WILL figure out how you're doing the filtering and WILL apply it to his own machine in order to bypass some security settings.

Only a few steps are involved:

1) Create a GPO that will set the values to what they need to be during the build (don’t link it yet)

2) Create a WMI filter called "BoxBeingBuilt" or something similar. Have it run a query on something you know is true only during imaging. If you can't find anything reliable, use something like this (the environment variable name is arbitrary; it just has to match step 3):

Select * from Win32_Environment Where Name = "BuildinDaBox"

3) Ensure your build process sets a system environment variable with that name at the beginning, and removes it at the end.

Tada!
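The build-side half of the three steps above, as an added example that is not part of the original post. It assumes the variable name "BuildinDaBox" from the WMI query and that the build runs as an administrator (machine-scope variables require it); the SystemVariable clause is my tightening of the post's query, not something the post uses.

```powershell
# Added example, not from the original post: the build-side half of the trick.
# Assumes the WMI filter uses the variable name 'BuildinDaBox' from the post and that
# the build runs as an administrator (machine-scope variables need admin rights).
$Marker = 'BuildinDaBox'

# Start of the build: create the machine-scope marker before the first policy refresh.
[Environment]::SetEnvironmentVariable($Marker, '1', 'Machine')

# Same query the WMI filter runs. Adding "SystemVariable = TRUE" (an assumption, not in
# the post's query) ignores per-user variables, which any logged-on user can create
# without admin rights; only machine-scope variables then satisfy the filter.
$q = "SELECT * FROM Win32_Environment WHERE Name = '$Marker' AND SystemVariable = TRUE"
if (-not (Get-WmiObject -Query $q)) { throw "Marker '$Marker' is not visible to WMI" }

# Pull the temporary GPO now instead of waiting for the background refresh.
gpupdate.exe /target:computer /force

# ... imaging and application install steps run here ...

# End of the build: drop the marker, then refresh again so the override GPO falls away.
[Environment]::SetEnvironmentVariable($Marker, $null, 'Machine')
gpupdate.exe /target:computer /force

# Audit later: on a finished machine this query should return nothing.
Get-WmiObject -Query $q
```

If you put the same query in the WMI filter itself, a per-user variable created by a non-admin no longer matches, which removes the easiest way to trigger the override the warning above describes.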


Problems with EFS Configuration in GPOs?

Having issues similar to these?

Trying to enable EFS on a specific OU while it's disabled at the top of the structure or domain?
Recovery certificates from two different GPOs mixing up instead of being replaced?

Overall, EFS GPOs looking like they aren't merging properly?

Well, it's not because EFS GPOs are supposed to behave like black magic. It turns out there's a bug; Microsoft is aware of it, but doesn't think it would be a good idea to FIX IT on Windows XP and 2003.

Thankfully, all it means is you need to edit your GPOs from a Vista, 2008 or Windows 7 machine.

KB: EFS may not be enabled expectedly after you disable a policy and this policy turn off the EFS feature

Opening my EFS GPOs in Windows 7, switching the Allow/Don't allow setting and applying the "change" fixed my GPOs. A few minutes later, everything was behaving like it should have been... Can I have those wasted hours of my life back, Mr. Ballmer?


Identify old Domain Administrators with oldcmp

Sometimes it is impossible to clean up all old domain accounts at the same time. Maybe you're running Windows 2000 mixed mode and don't have the LastLogonTimestamp attribute handy, maybe your users run applications that don't update it properly... there can be many reasons.

However, in a huge environment with a lot of administrators, where you know the deprovisioning process is not always followed, you should at least disable the old accounts that are members of Domain Admins.

I use oldcmp by Joeware, maker of the greatest AD tools on Earth.

Oldcmp was originally designed to disable old computer accounts, but it’s also made to work with user accounts. It can use pwdLastSet and LastLogonTimestamp as attributes.

Check out the oldcmp usage first.

Then it is a matter of running oldcmp with the proper switches and filters. Always run it in reporting mode first.

oldcmp -users -report -af "memberof=CN=Domain Admins,CN=Users,DC=domain,DC=com" -llts -age 120 -format csv

oldcmp -users -report -af "memberof=CN=Administrators,CN=Builtin,DC=domain,DC=com" -llts -age 120 -format csv

This will output a CSV file listing the Domain Admins that have not logged in for 120 days or more according to the LastLogonTimestamp attribute. Of course, this attribute is not precise, as it is only updated (and replicated) roughly every 2 weeks. However, it will give you a pretty good list of "old" admins.

Then, if you only want to remove them from the Domain Admins group, either do it manually or use admod to do it. If your domain is not totally insane, there should be few accounts to remove.

If you want to completely disable the accounts, you can use the same oldcmp command line as above with the safety and reporting switches removed. I'll let you read the usage so you don't blame me if you disable all your domain admins! If you are using pwdLastSet, watch out not to disable accounts whose password is set to never expire.

You should obviously do the same for Enterprise Admins and other high-privilege groups, and also for the whole domain.
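The same report-only check done with the ActiveDirectory PowerShell module instead of oldcmp, as an added example that is not the author's command line. It assumes the module is installed (RSAT), the default "Domain Admins" group name and the same 120-day threshold, and it keeps the two caveats above (stale LastLogonTimestamp, accounts whose password never expires) visible in the output.

```powershell
# Added example, not from the post: report-only list of Domain Admins whose
# lastLogonTimestamp is older than 120 days, via the ActiveDirectory module.
# Assumes the group name 'Domain Admins' and a 120-day threshold (both changeable).
$Group  = 'Domain Admins'
$Age    = 120
$Cutoff = (Get-Date).AddDays(-$Age)

Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties lastLogonTimestamp, pwdLastSet, PasswordNeverExpires |
    ForEach-Object {
        # Both attributes are FILETIME integers; 0 or absent means "never".
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            LastLogonTimestamp   = $lastLogon          # accurate only to about 14 days
            PwdLastSet           = $pwdSet
            PasswordNeverExpires = $_.PasswordNeverExpires   # do not judge these by PwdLastSet
        }
    } |
    Where-Object { $null -eq $_.LastLogonTimestamp -or $_.LastLogonTimestamp -lt $Cutoff } |
    Sort-Object LastLogonTimestamp |
    Export-Csv -Path .\old-domain-admins.csv -NoTypeInformation
```

Accounts with no LastLogonTimestamp at all are included on purpose: a Domain Admin that has never logged on is worth a look too. Nothing here disables anything; review the CSV before touching group membership.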


Too many OUs ?

Today I read a post on Windows Networking by Brien M. Posey about “The Confusion of AD Design”.

He argues that some people use way too many OUs and that “less is more”.

As I said before, there are situations that do warrant using multiple OUs. This is particularly true in situations in which there are multiple administrators, and each administrator needs to be delegated control over a different portion of the network.

Well, I'm not aware of many domains that do not have "multiple administrators that need to be delegated control over a different portion of the network". Those that don't usually don't have any OUs created other than the default ones, with every user under Users and every computer under Computers. Of course there might be exceptions, for example a domain used only to host your Exchange servers. However, most companies that pay high-priced consultants to come in and set up their Active Directory have structures a little more complex than a 25-employee small business.

Having a lot of OUs can be very useful in almost any big domain structure. Let's say you have 50 different types of servers, and each set of servers has its own hardening rules. You apply a "master" hardening GPO at the top of your OU structure that locks everything down, and then you unlock things for each application at the OU level. This way your GPOs apply in the proper order by default, and delegation is pretty easy, as each application has its own container.

At least, at the end of the article, he acknowledges this:

Right about now, you might be wondering what I really have against creating multiple OUs. There are a couple of reasons why I do not like using multiple OUs unless I have to. Maybe it’s just laziness on my part, but the first reason why I like to try to stick to using a single OU in an Active Directory design is because having multiple OUs tends to complicate LDAP queries.

Well, just do a subtree search then! Laziness, on my end, makes me want to have a structured design where Group Filtering is the exception rather than the rule.


MCITP: Enterprise Admin Completed

I have completed my MCITP: Enterprise Admin certification this week.

I never got my MCSE before, so I didn't go the upgrade path; I started from scratch in the middle of May.


Here is a quick rundown of the exams I took:


Exam 70-640 (earns MCTS: Windows Server 2008 Active Directory Configuration)

This exam was pretty easy, as I spend most of my days working with AD. Be sure to know the new AD features in 2008, as well as what is required to make them work. If you already have enough AD experience but are lacking on the 2008 side of things, reading the AD chapter of this book should be enough: http://www.amazon.com/Introducing-Windows-Server-M…


Exam 70-642 (earns MCTS: Windows Server 2008 Network Infrastructure Configuration)

There isn’t that much new networking stuff in 2008, but NAP is a big one. Make sure to learn how NAP works.


Exam 70-643 (earns MCTS: Windows Server 2008 Applications Infrastructure Configuration)

This is the exam I found the most interesting of all 5, because it got me reading about the new Terminal Services features and IIS 7, which has some cool new stuff. I read this book to prepare for it: http://www.amazon.com/MCTS-Self-Paced-Training-70-… Make sure you concentrate on the new features. If you already know IIS and Terminal Server, you should be fine reading about only the new stuff. Oh, I also got my Charter Member certification on this one. Can't wait to get my welcome kit.


Exam 70-620 (earns MCTS: Windows Vista Configuration)

The hardest exam, to me. Yep.

Probably because I don't use it, and because a lot of questions revolve around Internet Explorer, Windows Media Player, Media Center, Windows Defender, and various crap that no sane person uses. Why did I take this exam instead of Exam 70-624 (earns MCTS: Business Desktop Deployment)? Because I didn't have any book to prepare for desktop deployment, this isn't an area I'm too specialized in, and I wanted to be one of the first with the MCITP: Enterprise Admin. However, I think it is ridiculous for a certification that calls itself "Enterprise Admin" to offer this option.

70-624 should be required, and 70-620 shouldn't even be proposed. I didn't read any book, never used Aero (well I did, for 4 minutes), and yet I still passed, just with common sense. The exam was easy because there was never a single question where all 4 options made sense. Sure, I had a crappy score, but I'd rather score 700 and pass without wasting time reading about something I don't enjoy or don't need to know, when I could be reading about something useful, than score 1000 after wasting hours of my life reading books to learn by heart stuff that anyone can figure out in seconds of clicking around the GUI.

/rant


Exam 70-647 PRO: Windows Server 2008, Enterprise Administrator

If you have passed the previous exams, especially the ones about Active Directory and networking, you should have no problem passing this one, as it is almost a review of the theory learned previously. It seems to focus more on design than on actual "doing".


Conclusion

Maybe it's because this is the first revision of the exams, but I feel they are too easy. With Microsoft introducing a very high-level Master certification, I feel there should be something between MCITP: EA and Master of Windows Server/Directory Services. Also, the whole idea that every single exam = an MCTS certification seems designed for 8-year-olds who can't work towards a long-term goal and need an immediate reward for their "hard" work.


My favorite reason to upgrade to Active Directory 2008: PASSWORDS!

A limitation of Active Directory that I have always found to be extremely aggravating is the Password and Account lockout policy.

You could only set one for the domain; any other policy defined at the OU level applied to local accounts only.

How many times did I wish I could set a different password policy for service accounts! I had to choose between relying on people to use good service account passwords or forcing end users to use insane passwords. So we had to trust the people creating the service accounts.

Different departments requiring different policies for auditing purposes were also a reason to set up a separate domain. That means at least two new servers and more management time. Ew!


In 2008, if your domain is at the Windows Server 2008 domain functional level (what is often called native mode), you can create PSOs (Password Settings Objects) and therefore apply different password policies to different security groups!


This is absolutely awesome and is a very good argument to migrate to 2008.

See this TechNet article about Password Settings Objects/Fine-grained password policies, and use this great tool (PSOMgr from Joeware) to play with the settings instead of using ADSI Edit.

I wonder when Microsoft will have a nice interface to create these.
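The service-account case from above, as an added example that is not part of the original post: a stricter PSO for service accounts created with the ActiveDirectory PowerShell module (which shipped with Windows Server 2008 R2, after PSOMgr and ADSI Edit were the only options). It assumes a global security group named "Service Accounts" already exists, a sample account "svc_backup" for the check, and a domain at the Windows Server 2008 functional level.

```powershell
# Added example, not from the post: a separate, stricter password policy for service
# accounts as a PSO. Assumes the global security group 'Service Accounts' exists and the
# domain is at the Windows Server 2008 domain functional level.
$pso = @{
    Name                        = 'PSO-ServiceAccounts'
    Precedence                  = 10      # lowest value wins if an account matches several PSOs
    MinPasswordLength           = 25      # long, random secrets; end users keep the domain policy
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    LockoutThreshold            = 10      # a misconfigured app should not lock the account forever
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups, not OUs: link it to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Service Accounts'

# Check what actually applies to one account. $null here means the domain policy
# still wins (account not in the group, or the domain functional level is too low).
Get-ADUserResultantPasswordPolicy -Identity 'svc_backup'   # 'svc_backup' is a placeholder
```

The resultant-policy check is the part worth keeping in a script: a PSO that nobody is a subject of, or that is shadowed by one with a lower Precedence value, silently does nothing.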


Oh yeah, and my other favorite reason is Read-Only DCs. Let's say they both rank as the #1 reason :)


Windows Service permissions concerns when hardening servers

When hardening Windows servers through security templates or Group Policies, it is important to give the proper permissions to services. You might want to grant a helpdesk group the right to stop, start and pause a service without being able to change its parameters on the server and, most of all, without being a local admin of that server.

To do that, you create a new Group Policy and, under Computer Configuration, find the System Services section. Then you select the service (the Print Spooler, in this example), set its startup mode to Automatic, and specify the rights.

Now, the problem is that the default rights the GPMC console shows you are NOT aligned with the actual Windows defaults!

Here you can see, on the left, what GPMC proposes; on the right, the default Windows 2003 settings.

[Figure: Default rights proposed by the GPO editor for services (left); Windows 2003 default rights on the Print Spooler (right)]

Now, it is probably a very good thing to remove Power Users. The print spooler might be perfectly fine with what GPMC wants you to use + your own customizations.

However, it is very important to make sure that any service that depends on this service is still able to read it! For example, if only administrators can read the service, and you have a fax server that depends on the Print Spooler, it will not be able to start unless the service account it uses is a member of Administrators!

Just a thing to keep in mind when hardening a lot of services, or when troubleshooting service startup problems.
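Two checks worth running before a hardened service ACL goes into a GPO, as an added example that is not part of the original post: list the services that depend on the one you are locking down (and the accounts they run as), and dump the real current ACL so the GPMC-proposed rights can be compared against it rather than guessed. It assumes the Print Spooler from the post and the Windows 2003-era tooling (sc.exe sdshow, Win32_Service).

```powershell
# Added example, not from the post: what to record before tightening a service ACL.
# Assumes the Print Spooler; change $Service for any other service being hardened.
$Service = 'Spooler'

# Services that depend on this one, with the account each runs as. Per the post,
# those accounts must keep read (query) access to $Service or they fail to start.
Get-Service -Name $Service -DependentServices |
    ForEach-Object { Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'" } |
    Select-Object Name, StartName, State, StartMode

# Real, current ACL of the service in SDDL form: compare this with what GPMC proposes.
# Each ACE reads (A;;<rights>;;;<SID>). Service-specific right codes:
#   CC QueryConfig   LC QueryStatus   SW EnumerateDependents   LO Interrogate
#   RP Start         WP Stop          DT PauseContinue         CR UserDefinedControl
#   DC ChangeConfig  RC ReadControl   SD Delete   WD WriteDAC   WO WriteOwner
sc.exe sdshow $Service

# Read-only access a dependent service's account needs: CC LC SW LO RC.
# The helpdesk case from the post (start/stop/pause, no reconfiguration) is that set
# plus RP, WP and DT, granted to the group's SID through the GPO's System Services entry:
#   (A;;CCLCSWRPWPDTLOCRRC;;;<HELPDESK-GROUP-SID>)   <- placeholder SID
```

Run sc.exe sdshow on an untouched server of the same OS version to get the true default; the GPO editor's proposal is not it, which is the whole point of the post.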
