Category Archives: AD

#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

imageAs I said previously my labs were a success, still I wasn’t able to answer some questions and promised to answer them later. the time has come for the first of them. One of the visitors told me that he had had an experience when some of files’ attributes wouldn’t replicate over DFSR and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “may be” for that matter. It wouldn’t explain why. As I’m not great with the replication, I had to beg for help and, luckily, I knew were to get it: the AskDS blog.

In no time a received the answer. The short one is: “everything will be ok with your files”. The long one I will just cite here:

“Let me clarify some aspects of your question as I answer each part

When enabling Dynamic Access Control on files and folders there are multiple aspects to consider that are stored on the files and folders.

Resource Properties

– Resource Properties are defined in AD and used as a template to stamp additional metadata on a file or folder that can be used during an authorization decision.  That information is stored in an alternate data stream on the file or folder.  This would replicate with the file, the same as the security descriptor

Security Descriptor

The security descriptor replicates with the file or folder.  Therefore, any conditional expression would replicate in the security descriptor.

All of this occurs outside of Dynamic Access Control– it is a result of replicating the file throughout the topology, for example if using DFSR.  Central Access Policy has nothing to do with these results.

Central Access Policy

Central Access Policy is a way to distribute permissions without writing them directly to the DACL of a security descriptor. So, when a Central Access Policy is deployed to a server, the administrator must then link the policy to a folder on the file system.  This linking is accomplish by inserting a special ACE in the auditing portion of the security descriptor informs Windows that the file/folder is protected by a Central Access Policy.  The permissions in the Central Access Policy are then combined with Share and NTFS permissions to create an effective permission.

If the a file/folder is replicated to a server that does not have the Central Access Policy deployed to it then the Central Access Policy is not valid on that server.  The permissions would not apply”.

Thanks, guys. You’re the best Winking smile

Myths #1: Number of previous logons to cache

imageYou know, as an IT Pro I often meet some persistent myths about OS, protocols or whatever else. Sometimes these encounters become sooo frequent, that explaining these wrongs just bore  me to death. What’s even more amazing: these wrongs are explained usually on so many blogs, pages and other places that… Well, anyway, probably some people who know people who read my blog don’t read those blogs and pages, therefore I’ll try to show some more of these mistakes.

Let’s begin from the very basic, but one of the most frequent mistakes about Group Policy. Yeah, the one which is in the subject of the post. I saw once a man who was nearly fired because of it. Really. Like always: “the boss comes in and tells an IT guy to restrict number of times his sales managers can logon into their laptops without connecting to the company’s LAN by 15 times”. “No problem” answers the guy, changes the setting to 15 and reports the task is done. Some time later it occurs that it wasn’t and all hell’s broke loose. What’s happened and how to fix it?

First of all, it was a mistake not to check if everything works smoothly after changes (I’ve done some nasty things over it too… Bad memories Winking smile).

Next, the settings is not what many think of it. If we read its description (this is a good thing to do before a change) then we’ll see the following line: “Determines the number of users who can have cached credentials on the computer”. Number of users, not number of logons per user. That’s it. If you have notebook with 15 users using it (wow…), then the setting will help you. But no restriction for the only one.

Third. Bad news here: I don’t know actually the way to do what this boss wants. And I am not sure that it exists while using only built-in means. Still it is not a cause for telling the boss that you’ve done it Smile

Press a button–get the result

GPODo you know at which moment exactly does your GPO apply really? When you switch the radio button to “Enabled”? Or when you close a GPO console? I’ve been wondering about it for some time (but of course I was to lazy to test it myself 😉 ), but some time ago, while being on a training I asked a trainer and we conducted experiment on spot, because he didn’t know it either. During the experiment we got proof that the settings you change are implemented as soon as you press the “OK” or “Apply” button with this particular setting. You don’t believe me? Test it yourself or watch the short clip about it if you are lazy too (but remember: my English is far from ideal =( ):

Delegate permissions for creating GPO objects in other domain

imageThe task is obviously necessary to complete on your way to implementing Role-Based Administration concept. And, to be honest, being in euphoria after quick acquaintance with AGPM I thought that it was no deal at all: give an account or a group a membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change the fact: everything is dimmed.

image

At least I don’t know a way to change the group’s scope (but I noted to myself to find out everything about it). So we won’t get this easy way. Will we retreat? No way. If we can’t add our object to the group, we can create other group and grant permission to the group directly. What permissions does have “Group Policy Creator Owners” group? As far as I know to create any GPO we need permissions in two places: Policies container in AD and Policies folder in sysvol. So let us delegate the permissions for the brand-new group “Role GP Creator Owners”:

1) in AD on Domain/System/Policies container:

image

image

image

image

I guess, “Create All Child Objects” is a bit overkill, and we can do better (just a guess), but the “Group Policy Creator Owners” group has these permissions, so we won’t do it worse.

2) now on a Policies folder:

image

image

That’ll do the job for us. At least at did for me, but still, I recommend to check it with support if you have it. I’ll definitely do that and fix the article if it needs it.

The case of jammed permissions

imageOnce I got a request ticket from one of our administrators whom are delegated some permissions in their parts of AD to. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that the inheritance on that record was broken and I fixed it – one checkbox and “OK” button – big deal! The next day I received another request… for the same person. The inheritance was broken again! Ok, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the account was a member of any of protected groups: no, it wasn’t though it had been before. So I tried several more tricks, like moving the account to another OU and back. No luck. And and that point I received another request, from other administrator with the same problem but an other account. And this other person had been domain admin before too.

Well, at this point I was almost sure, that it is because SDProp overwrites the permissions. Quick check of adminCount attribute showed that I was right: it was set to 1. After I had set it to 0 and restored inheritance to the object everything became normal. And a bit of investigation showed that when an account leaves a protected group, adminCount attribute doesn’t switch to 0. After that a bit more of investigation showed me that it is by design. In more detail read here and here. Next time, I won’t be so lazy and will trust my inner admin Winking smile

How to change attribute in AD: alternatives #2

Returning to the question of AD attributes change tools I should go on for some more graphical tools. From now on I know only some self-created possibilities, which require some coding. First is to create some

Custom GUI Application

There are multitudes of variants: C#, VBScript, C, you name it. Being somewhat lazy, I decided to take a short cut. In a beautiful book from Windows 2008 resource kit, namely: Windows Administration Resource Kit, there are some useful additions. Among them there is an .HTA script, named “Object_Attribute_EmployeeNumber.hta”. It allows me to show EmployeeNumber attribute and set it. As we were demonstrating EmployeeID attribute changes I had to implement some changes, like replacing where it was needed word “number” with word “ID” (be careful: not every “number” entry needs to be replaced), like that:

image 

and some minor bug fixing. But since I’ve done it – voila:

image

What are pros of the method? Obviously, it is very flexible method and you may create the application as powerful as you need. And this method requires less education for your staff. Still, you have some drawbacks: you have to create some app, you have to support and develop it in case it becomes stale.

Anyway, this leaves us with one more method:

extending the ADUC or other AD mmc consoles

It should be absolutely cool, but it is way over my head at the moment. I am not really ready to give anyone a step-by-step guide how to implement the feature yet, so I will postpone the article till I am able to.

How to change attribute in AD: alternatives

After my post on delegation and filtered attributes I got a question about more convenient means of editing an attribute (say, employeeID) than Attribute Editor in ADUC.

Well, let me enumerate everything I can suggest from tools for the task.

ADUC

It is the most common tool for the single attribute change.

Just launch Active Directory Users And Computers, check that Advanced Features are on:

image

Then find your object and open its properties, select Attribute Editor tab and find your attribute:

image

Drawbacks of the method:

  • You need to find the object in AD tree, else you won’t be able to find Attribute Editor tab.
  • Think of the situation in which you are to change attributes for, say, 100 objects… Crazy, huh?

ADSIEdit

It is more powerful than ADUC, but actually is kind of overkill in this situation. Still some can like it. Almost the same, but first connect to default naming context, found your object and change the attribute in editor. Almost the same window and exactly the same problems.

Active Directory Administrative Center

It is one of the most appropriate tools for managing users and some other objects on a one-by-one basis. Unfortunately in this case it is almost the same as ADUC:

image

the only difference is that you don’t need to go down the AD tree to find your objet. Here you can just search for it from a search box and just edit what you need.

PowerShell

I love it. Really. Even though I am not very proficient in it I can do soooooo much with it. In this case, for example, we can assign a new employeeID attribute value just like that:

image

I’m almost sure it can be done in one line, but here I hadn’t such task. As you can see, this method already can help us to create some script with even something like GUI. You can too create a script for doing some bulk changes. It’s pretty good method, actually.

Enough for today. In one of the following messages I will try to introduce to more methods for changing objects’ attributes.