Sunday, September 8, 2013

MCITP 70-640: Delegation of Control

Delegation of control allows a user to be given permission to perform administrative actions on a selected set of users. This video looks at how to achieve this using the Delegation of Control wizard and what the wizard changes in order to provide this access.

Delegation of control
Although there is an almost endless number of options in the Delegation of Control wizard, the ones administrators use most commonly relate to users and groups. Used correctly, you can give a user permission to administer the users in a particular OU rather than giving them access to administer all users in the domain.

Demonstration
To use the delegation wizard, first open Active Directory Users and Computers.
Right-click the OU you want to delegate control of and select the option Delegate Control.

In the wizard, select the users to whom administration is to be delegated. It is recommended to delegate to a group: if you later want to add or remove users, it is then a simple matter of changing the members of the group.

When prompted by the wizard, choose which tasks you want to delegate to that user or group.

If you open the properties of the OU and select the Security tab, you can see the permissions that have been assigned to the OU.

The Delegation of Control wizard does nothing more than change the permissions on the OU. The administrator could have made the same changes to the OU's permissions manually. To reverse what the wizard did, edit the permissions on the OU and remove any entries the wizard added.
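The Security tab shows the same permission entries that PowerShell can read from the AD: drive. The following added script (not from the original post) lists the explicit, non-inherited entries on an OU, which is exactly what the wizard writes, and removes the entries for one principal to reverse a delegation. It assumes the ActiveDirectory module (RSAT), Windows PowerShell 3.0 or later, and that the OU and group names used exist in your domain.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and that 'OU=Sales,DC=corp,DC=example,DC=com' and 'CORP\Sales-Admins' exist.
Import-Module ActiveDirectory

# Map schema and extended-right GUIDs to names so the ObjectType of each ACE
# (for example "user" or "Reset Password") is readable.
$rootDSE = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDSE.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).Guid] = $_.displayName }

function Get-OuDelegation {
    # Returns only ACEs set directly on this OU, i.e. what the wizard (or an
    # administrator editing the Security tab) added, not inherited entries.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $ot = $ace.ObjectType.Guid
        $appliesTo = if ($ot -eq '00000000-0000-0000-0000-000000000000') { 'All' }
                     elseif ($guidMap.ContainsKey($ot)) { $guidMap[$ot] }
                     else { $ot }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType
        }
    }
}

function Remove-OuDelegation {
    # Removes every explicit ACE for one principal and returns how many it removed.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName,
          [Parameter(Mandatory=$true)][string]$Identity)   # e.g. 'CORP\Sales-Admins'
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $hits = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    foreach ($ace in $hits) { [void]$acl.RemoveAccessRule($ace) }
    if ($hits.Count -gt 0) { Set-Acl -Path $path -AclObject $acl }
    $hits.Count
}

# Run before and after the wizard to see exactly what it changed.
$ouDN = 'OU=Sales,DC=corp,DC=example,DC=com'
Get-OuDelegation -DistinguishedName $ouDN | Format-Table -AutoSize
# To undo the delegation for the group used in the wizard:
# Remove-OuDelegation -DistinguishedName $ouDN -Identity 'CORP\Sales-Admins'
```

Running the listing on every OU on a schedule and diffing the output is a simple way to spot delegations that were added outside the change process.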

MCITP 70-640:Organizational Unit & Shadow Groups

Organizational Units (OUs) allow you to divide the objects in Active Directory into different locations, the same way you would organize files into folders on your hard disk. Since OUs cannot be used directly in security, a shadow group can be created containing the objects inside the OU. This shadow group can then be used in security. This video looks at how to create OUs and use shadow groups.

Organizational Units
Like the folders on your hard disk, Organizational Units allow Active Directory objects to be organized into separate containers. Most administrators create an OU hierarchy that matches their company layout. A common layout is geographical first, then department, then users and computers. Group Policy is applied to Organizational Units, so placing users and computers in separate OUs can be beneficial when using Group Policy.

Shadow Groups
A shadow group is a regular Active Directory group that contains the objects under an Organizational Unit. Since a shadow group is a regular group it can be used for security; for example, it can be used to assign NTFS permissions on a folder. A shadow group effectively works around the fact that an OU cannot be used in security. A shadow group needs to be updated manually or by a script; there is no automated method in Windows to do this.

An example script to keep shadow groups up to date can be found in Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
Non-Microsoft version
http://www.sole.dk/active-directory-s...
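As an added illustration of the kind of script the text refers to (this is not the Resource Kit script nor the one at the link above), the following function makes a shadow group an exact mirror of the enabled users under an OU. It assumes the ActiveDirectory module and that the OU distinguished names and group names in the mapping at the bottom exist in your domain; run it from a scheduled task so the group is refreshed regularly.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the OU and group names in $shadowGroups below.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory=$true)][string]$OU,     # DN of the OU to mirror
        [Parameter(Mandatory=$true)][string]$Group,  # sAMAccountName of the shadow group
        [switch]$Recurse,                            # include child OUs
        [switch]$ReportOnly                          # show the delta, change nothing
    )
    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: enabled user accounts located under the OU.
    $wanted = @(Get-ADUser -SearchBase $OU -SearchScope $scope -Filter 'Enabled -eq $true' |
                ForEach-Object { $_.DistinguishedName })

    # Current membership. Anything that is not an enabled user under the OU
    # (a user who moved OU, a disabled user, a group someone nested by hand)
    # is removed, so the group cannot silently grant access beyond the OU.
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if (-not $ReportOnly) {
        if ($toAdd.Count -gt 0) {
            Add-ADGroupMember -Identity $Group -Members $toAdd
        }
        if ($toRemove.Count -gt 0) {
            Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
        }
    }
    New-Object PSObject -Property @{
        Group = $Group; OU = $OU; Added = $toAdd.Count; Removed = $toRemove.Count
    }
}

# Assumed OU-to-shadow-group mapping for this domain (the two offices from
# the example later in the post).
$shadowGroups = @{
    'OU=New York,OU=Users,DC=corp,DC=example,DC=com'   = 'New_York_Users'
    'OU=Washington,OU=Users,DC=corp,DC=example,DC=com' = 'Washington_Users'
}
foreach ($ou in $shadowGroups.Keys) {
    Sync-ShadowGroup -OU $ou -Group $shadowGroups[$ou] |
        Format-Table Group, Added, Removed -AutoSize
}
```

Because a user who travels between offices cannot be in two OUs, a shadow group built this way reflects only the OU the account currently lives in; membership in a second office's group still has to be granted separately.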

Default OU
When you promote your first Domain Controller, and thus create your Active Directory environment, a number of OUs are created automatically. These default OUs cannot be deleted. They also cannot have Group Policy applied to them, except for the Domain Controllers OU.
Builtin: When a server is promoted to a Domain Controller, its local user database is no longer accessible. To make up for this, any user accounts that exist in Builtin are shared between all Domain Controllers.
Users: This is the default location for user accounts when no location is specified. In most cases, when creating a new user, the administrator will decide which OU the user account is created in.
Computers: This is the default location for computer accounts. When a computer is added to the domain, its computer account is placed in this OU. Since Group Policy cannot be applied to this OU, an administrator will normally move computer accounts out of the Computers OU into another OU.
Domain Controllers: This OU contains the computer accounts of all the Domain Controllers in your domain. Unlike the other default OUs, Group Policy can be applied to this OU. By default, the Default Domain Controllers Policy is applied to it.

Demonstration
Administration of your OUs is done using the Active Directory Users and Computers tool.
To create an OU, right-click where you want it created, select New and then select Organizational Unit.
When creating the Organizational Unit, you have the option to protect the container from accidental deletion.
In the properties of the OU there are many settings that can be configured. In most cases the information is purely informational, but it does help.

What is an Organizational unit?
An organizational unit is effectively a container for storing Active Directory objects.
What is the difference between an OU and a group?
An OU is essentially used for Group Policy and delegation, besides providing a structure to sort and organize objects in Active Directory. Since an Active Directory object can only exist in one location at a time, OUs are limited in what they can achieve.
A group can contain objects from anywhere in the domain. The main difference is that a group can contain an object that is also used in another group. For example, a user who travels between the New York and Washington offices could not be a member of multiple OUs, but could be a member of two groups called New_York_Users and Washington_Users. With this extra flexibility, groups can be applied to resources, such as in NTFS permissions, which OUs cannot.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory" pp. 11, 46-48
"Organizational Units" http://technet.microsoft.com/en-us/li...
"Organizational Unit" http://en.wikipedia.org/wiki/Organiza...

MCITP 70-640: Offline Domain Join

Normally a Domain Controller needs to be available in order to add a computer to the domain. With Windows 7 and Windows Server 2008 R2 comes a new tool called Offline Domain Join. This allows a computer to be added to the domain without a Domain Controller being available. This video looks at different ways Offline Domain Join can be used.

No Networking
In the simplest case, Offline Domain Join can be used to join a computer to a domain when no Domain Controller is reachable. For example, a new site is being set up and the network at the new site has not yet been installed.

No networking installed
Offline Domain Join can also be used to join a computer to a domain when networking has not yet been installed on the computer. In some cases a reboot is required before networking starts working; this is often the case with virtual machines. With Offline Domain Join you can join the computer to the domain before any network drivers are installed on it.

Unattended installation
Offline Domain Join can also be used with an unattend.txt file. An unattend.txt file is used with automated installs of Windows; it contains the answers to the setup questions as well as any other required customizations. Using Offline Domain Join this way means you can automate the complete install of Windows 7 with a script, including joining it to the domain.

Limited network connectivity
In some cases the network link between two locations is only available at certain times. For example, in a secure environment, replication between the main network and the secure network may happen rarely. If the secure network has a writeable Domain Controller, a computer can be added to the domain at any time. If the secure network only has a read-only Domain Controller, a computer cannot be added to the domain unless a writeable Domain Controller is contactable. Using Offline Domain Join, the computer can be added to the Active Directory database ahead of time and replicated to the secure network. Since the read-only Domain Controller then holds the data for the new computer, the computer can be joined to the domain using Offline Domain Join even though a writeable Domain Controller is not available.

Add a computer to the domain without a username and password
Offline Domain Join can also be used to add a computer to the domain without entering a username and password. All that is needed is the file Offline Domain Join generates. This file contains sensitive information and should only be given to people who are trusted.
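The following added walkthrough (not from the original post) shows the scenarios above with the built-in djoin.exe: provisioning the account from a machine that can reach a writeable Domain Controller, tightening the blob file because of the sensitivity just mentioned, applying it on the offline computer, and placing the same blob in an answer file. It assumes the domain corp.example.com and the computer name WS-SITE2-01; the answer-file component and element names are the ones I recall from the Offline Domain Join step-by-step guide, so check them against that guide for your Windows version.

```powershell
# Added example, not from the original post. Assumes domain corp.example.com,
# a new computer WS-SITE2-01, and that step 1 runs as a domain user who is
# allowed to create computer accounts, on a machine that can reach a writeable DC.

# --- 1. Provision: creates the computer account in AD and writes the blob file.
$domain  = 'corp.example.com'
$machine = 'WS-SITE2-01'
$blob    = Join-Path $env:USERPROFILE "$machine.djoin"
djoin.exe /provision /domain $domain /machine $machine /savefile $blob
# Add /reuse if the computer account already exists and should be reset.
# For the secure-network case, provision against the writeable DC here and let
# the account replicate to the read-only DC before step 2 is run.

# The blob carries the machine account password. Drop inherited permissions
# and leave access only to the provisioning user and local Administrators;
# hand it over through a trusted channel and delete it once it has been used.
$me = "$($env:USERDOMAIN)\$($env:USERNAME)"
icacls.exe $blob /inheritance:r /grant:r "${me}:F" /grant:r 'Administrators:F'

# --- 2. Apply on the new computer (no DC reachable, no network, or no NIC
# driver yet). Run as the local Administrator there; a reboot completes the join.
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos

# --- 3. Unattended install: the blob's base64 text goes into the answer file
# instead, in the Microsoft-Windows-UnattendedJoin component (offlineServicing
# pass), so setup joins the domain with no username or password in the file.
# The .djoin file is UTF-16 text; strip the trailing null before embedding it.
$accountData = ((Get-Content $blob -Encoding Unicode) -join '').TrimEnd([char]0)
$fragment = @"
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
           publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
  <Identification>
    <Provisioning>
      <AccountData>$accountData</AccountData>
    </Provisioning>
  </Identification>
</component>
"@
$fragmentPath = Join-Path $env:USERPROFILE 'unattend-join-fragment.xml'
Set-Content -Path $fragmentPath -Value $fragment
icacls.exe $fragmentPath /inheritance:r /grant:r "${me}:F" /grant:r 'Administrators:F'
```

An answer file that embeds the blob is as sensitive as the blob itself and needs the same handling: it should live only on media that stays in trusted hands and be removed from the installed computer afterwards.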

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 217-221
"Offline Domain Join (Djoin.exe) Step-by-Step Guide" http://technet.microsoft.com/en-us/li...

MCITP 70-640: Managed Service Accounts

This video looks at some of the new features in Windows Server 2008 R2 and Windows 7 that can automate the management of service accounts. If your application supports it, using managed service accounts means that the password of the service account is automatically changed periodically without any interaction from the administrator.

What is a service account
A service account is a user account created to run a particular service or piece of software. For good security, a separate service account should be created for each service or application on your network. On large networks this means a lot of service accounts, and managing them can become difficult; this is where Managed Service Accounts can help.

Computer Accounts
A computer account is like a user account in that it has a password. The difference is that the password for a computer account is automatically updated by Windows with no interaction from the user. Managed Service Accounts use the same process to manage their passwords.

Managed Service Accounts Passwords
The password associated with a Managed Service Account (MSA) is automatically changed every 30 days. It is a random string of 120 characters, so it offers better security than a standard password, even one that combines upper and lower case letters with non-alphanumeric characters. An administrator could of course choose their own 120-character password, but such a password is difficult to work with. Like a computer account, a Managed Service Account is bound to one computer and cannot be used on any computer other than the one it was created for. This provides additional security.

Requirements
In order to start using Managed Service Accounts you need to meet a few requirements.
Domain Functional Level: This needs to be Windows Server 2008 R2 or above.
Forest Functional Level: Does not require any particular forest level.
Schema changes: The schema needs to be up to date. Run adprep /forestprep from a Windows Server 2008 R2 (or later) DVD to update the schema to the latest version.
Client: The Managed Service Account can only be used on Windows Server 2008 R2 or Windows 7.
Software components: .NET Framework 3.5 and the Active Directory module for Windows PowerShell are required for Managed Service Accounts.
Supported Software
Not all software will work with Managed Service Accounts. Managed Service Accounts do not allow the software to interact with the desktop, so a Managed Service Account cannot be used to log in and cannot be used to display GUI-based windows. Listed below is common software and whether it can use a Managed Service Account.
Exchange: Yes, but the Managed Service Account cannot be used for sending e-mail.
IIS: Yes, can be used with application pools.
SQL Server: Some people have managed to get Managed Service Accounts to work with SQL Server, but Microsoft does not support it.
Task Scheduler: No
AD LDS: Yes, Active Directory Lightweight Directory Services works with a Managed Service Account, although a special procedure needs to be followed to get it working.
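The post describes the requirements but not the cmdlets, so here is an added example (not from the original post) that creates a Managed Service Account, binds it to the single host allowed to use it, installs it there, and then audits for MSAs whose password is past the 30-day cycle. It assumes the Active Directory module on Windows Server 2008 R2 or Windows 7, a member server WEB01, and the account name svc-web01.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the names svc-web01 (the MSA) and WEB01 (its only permitted host).
Import-Module ActiveDirectory

$msa    = 'svc-web01'   # stored in AD as svc-web01$ under CN=Managed Service Accounts
$server = 'WEB01'

# --- On the administrator's workstation ---
# On Windows Server 2012 or later add -RestrictToSingleComputer to get the same
# single-host MSA this post describes rather than a group MSA.
New-ADServiceAccount -Name $msa -Enabled $true
# Bind the account to WEB01; any other computer is refused the password.
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msa

# --- On WEB01 itself (needs .NET Framework 3.5 and the AD module) ---
# Lets the host retrieve and cache the password, so a service can be set to
# log on as CORP\svc-web01$ with a blank password on its Log On tab.
Install-ADServiceAccount -Identity $msa
Test-ADServiceAccount -Identity $msa   # $true when WEB01 can authenticate as the MSA

# --- Audit ---
# An MSA whose password is older than the 30-day cycle either was never
# installed on its host or is no longer being rotated by it; either way it is
# not getting the benefit the account type exists for and deserves a look.
function Get-StaleManagedServiceAccount {
    param([int]$MaxAgeDays = 30)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADServiceAccount -Filter * -Properties PasswordLastSet, HostComputers |
        Where-Object { $_.PasswordLastSet -eq $null -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, HostComputers
}
Get-StaleManagedServiceAccount | Format-Table -AutoSize
```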

References
"Service accounts step-by-step guide" http://technet.microsoft.com/en-us/li...
"Managed Service Accounts Frequently Asked Questions (FAQ)" http://technet.microsoft.com/en-us/li...
Keywords: "Managed Service Accounts" "MSA" "Active Directory" 70-640 MCITP MCTS ITFreeTraining

MCITP 70-640: Service Accounts

A service account is a user account that is created to isolate a service or application. This video looks at how to create and use service accounts in your organization.

What is a service account
A service account is a user account that has been created to run a particular piece of software or service.

Principle of least privilege
The principle of least privilege means giving a user only the minimum access required. For example, if a user only requires access to certain files, then they should only have access to those files. If the user only requires access to certain servers or workstations, they should only have access to those. The advantage is that it minimizes the damage that can be done if the user account is compromised. Applied to service accounts, one service account should be created for each service or application. If the same service account is shared between services and applications and that account stops working (for example, because it became locked out), all software using it is affected.

Using the same user account for multiple services
Some administrators choose to run multiple services and applications under the same user account. To make sure their software runs without problems, some even use an account that has Domain Admins membership. If you use the same user account for multiple pieces of software and that account fails for any reason, all the software using it is affected. If the account is compromised, it can be used to access resources on the network, and the more access the account has, the more damage it can do. Anyone in control of the account can also stop every application and service that uses it from running simply by changing the account's password.

Service Account Lockout
When the password for a service account is changed, the password must be updated in every location that uses the service account. A user account becomes locked after too many wrong password attempts, so if the service account is used in multiple locations and the password is not updated in all of them, the old password will keep being tried. From Windows Server 2003 with Service Pack 1 onwards, Active Directory checks the attempted password against the last two passwords used; if it matches one of them, the service account is not locked out.

Service account expires
If a service account's password expires, the account cannot be used until its password has been changed.

Demonstration
The following procedure can be used to create a service account.
Run Active Directory Users and Computers.
Right-click the OU where you want the user to be created and create a new user.
When prompted, ensure that "User must change password at next logon" is not ticked. If it is ticked, the service account cannot be used until the password has been changed.
To stop the service account's password from expiring, tick the "Password never expires" box. To maintain high security when this option is ticked, the account's password should be changed at regular intervals.
For additional security, you can create a domain group and place the service account in that group. Once the service account has been added to this group, you can remove all its other group memberships. This ensures the service account has no permissions, not even Domain Users permissions, other than those allocated to it.
To give the service account the local rights a particular service needs, type lusrmgr.msc in the Start menu to edit the local users and groups, and add the service account to the local groups as required.
To change the password a service uses for its service account, open Services from the Start menu, open the properties of the service, and change the password on the Log On tab.
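The same procedure in PowerShell, as an added example that is not from the original post: it creates the account with the two password options set as described, gives it its own group as primary group so Domain Users can be dropped, adds it to a local group on the host in place of lusrmgr.msc, and finishes with a check for accounts whose never-expiring password has gone too long without a change. It assumes the ActiveDirectory module, an OU "OU=Service Accounts,DC=corp,DC=example,DC=com", and the names svc-app1 and SvcAccounts-App1.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# the OU below, and the names svc-app1 / SvcAccounts-App1.
Import-Module ActiveDirectory

$ou   = 'OU=Service Accounts,DC=corp,DC=example,DC=com'
$name = 'svc-app1'
$grp  = 'SvcAccounts-App1'

# Long random password, typed once here and once into the service's Log On tab.
$password = Read-Host -AsSecureString "Password for $name"

# "User must change password at next logon" off, "Password never expires" on.
New-ADUser -Name $name -SamAccountName $name -Path $ou -AccountPassword $password `
    -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description 'Service account for App1; not for interactive use'

# A dedicated global group becomes the primary group. Domain Users membership is
# implied by primaryGroupID, so pointing it at our group is what removes it.
New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $grp -Members $name
$rid = (Get-ADGroup $grp).SID.Value.Split('-')[-1]      # RID is the last SID component
Set-ADUser -Identity $name -Replace @{ primaryGroupID = [int]$rid }

# Strip any other explicit membership so the account holds only what it is given.
$grpDN = (Get-ADGroup $grp).DistinguishedName
Get-ADUser $name -Properties MemberOf | Select-Object -ExpandProperty MemberOf |
    Where-Object { $_ -ne $grpDN } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $name -Confirm:$false }

# On the host that runs the service: the lusrmgr.msc step, granting only the
# local group the service actually needs (Performance Log Users here as an example).
([ADSI]'WinNT://./Performance Log Users,group').Add("WinNT://CORP/$name,user")

# Check: accounts whose password never expires and has not been changed within
# the rotation interval, plus whether they are currently locked out (the
# stale-password-in-one-location problem described above).
function Get-StaleServiceAccountPassword {
    param([string]$SearchBase, [int]$MaxAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADUser -SearchBase $SearchBase -Filter 'PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, LockedOut |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, LockedOut
}
Get-StaleServiceAccountPassword -SearchBase $ou | Format-Table -AutoSize
```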

References
"Create a Service Account" http://technet.microsoft.com/en-us-li...
"principle of least privilege" http://en.wikipedia.org/wiki/Principl...
"managed service accounts" http://technet.microsoft.com/en-us/li...
"Account Lockout and Password Concepts" http://technet.microsoft.com/en-us/li...
"Securing Critical and Service Accounts" http://technet.microsoft.com/en-us/li...

MCITP 70-640: Protected Admin

Protected Admin is essentially a term used to describe the administrator account being protected using User Account Control. This video looks at how User Account Control is used in Windows Server to protect the administrator's account.

User Account Control
User Account Control was first added in Windows Vista and Windows Server 2008. It addresses a common practice in Windows XP, where a user would create an administrator account and use it for day-to-day activity. On most computer systems the extra rights an administrator account provides are only needed for a small amount of time. For example, installing software on the computer requires administrator access, but running that software afterwards is unlikely to. User Account Control essentially divides the administrator account into two parts, a user part and an administrator part. For normal activity the user part of the account is used; when administrator access is required, the administrator part of the account is used.

To force an application to run with administrator rights, right click the application and select the option "run as administrator".

Saturday, September 7, 2013

MCITP 70-640: Windows Contacts

Active Directory allows you to create contacts to hold information about third parties, such as their phone numbers and e-mail addresses. This kind of information can also be added to a user account, but a contact cannot be used to log in the way a user account can, so holding the information in a contact is less of a security concern.

Security Identifier (SID)
The fundamental difference between a user account and a contact is that a contact does not have a security identifier, or SID. A SID is used for security in Windows: any time you assign permissions to objects or files, the SID is required. Since a contact does not have a SID, by design it cannot be used in security, and for the same reason it cannot be used to log in.

Benefits of Active Directory Contacts
Having your organization's contacts stored in Active Directory means that any user can search for this information. Since the contact data is stored in the Active Directory database, it is stored once and is therefore easy to update. Without a centralized system like this, individual users would keep multiple copies of the same data, making it hard to update when changes occur.

Windows 7 Contacts
Windows supports contacts stored on the local Windows computer. This was first introduced in Windows Vista. The contact data is stored in an XML file, which means it can also be used by non-Microsoft software. Windows 7 does not come with any software that uses contacts; contacts in Windows 7 are there for backward compatibility only. The main use of contacts in Windows Vista was most likely Windows Mail, which is no longer included in Windows 7. Microsoft offers free e-mail software called Windows Live Mail that can be downloaded from the Microsoft web site. This software does not support contacts, but any existing contacts can be imported.

Creating a contact in Active Directory
To create a contact, open Active Directory Users and Computers.
Right-click where you want to create the contact, select New and then Contact.
Complete the wizard to create the contact.
To configure additional options and properties for the contact, right-click the contact and open its properties.
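The same steps in PowerShell, as an added example that is not from the original post, followed by a check of the SID point made earlier: a report over an OU showing which objects carry an objectSid (users do, contacts do not). It assumes the ActiveDirectory module and an OU "OU=External Contacts,DC=corp,DC=example,DC=com"; the contact details are constructed sample values.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the OU below; the contact's details are constructed sample data.
Import-Module ActiveDirectory

$ou = 'OU=External Contacts,DC=corp,DC=example,DC=com'

# A contact is a plain directory object; it gets no password and no objectSid.
New-ADObject -Name 'Jane Vendor' -Type contact -Path $ou -OtherAttributes @{
    givenName       = 'Jane'
    sn              = 'Vendor'
    displayName     = 'Jane Vendor (Acme Supplies)'
    mail            = 'jane.vendor@acme.example'
    telephoneNumber = '+1 555 0100'
    company         = 'Acme Supplies'
}

function Get-ObjectSidReport {
    # Lists contacts and user accounts under an OU and whether each has a SID.
    # Anything listed as a contact with HasSid = $true, or a "contact" that is
    # really a user account, is worth a second look.
    param([Parameter(Mandatory=$true)][string]$SearchBase)
    Get-ADObject -SearchBase $SearchBase -Properties objectSid, mail `
        -LDAPFilter '(|(objectClass=contact)(&(objectClass=user)(objectCategory=person)))' |
        Select-Object Name, ObjectClass, mail,
            @{ n = 'HasSid'; e = { $null -ne $_.objectSid } }
}
Get-ObjectSidReport -SearchBase $ou | Format-Table -AutoSize
```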

References
"Windows 7 Inside Out" Microsoft Press, pg 276
"Windows Contacts" http://en.wikipedia.org/wiki/Windows_...
"Is Windows Contacts integrated with Windows Live Mail in Windows 7?" http://answers.microsoft.com/en-us/wi...
"Looking for Windows Mail?" http://windows.microsoft.com/en-us/wi...