Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
Active Directory for Auditors
Andrew Clark, GStat, CAP, AWS Solutions Architect – Associate
Principal, Machine Learning Audit, Capital One
About me
• B.S. in Business Administration with a concentration in Accounting, Summa Cum Laude, from the University of Tennessee at Chattanooga.
• M.S. in Data Science from Southern Methodist University.
• American Statistical Association Graduate Statistician (GStat), INFORMS Certified Analytics Professional (CAP) and AWS Certified Solutions Architect – Associate.
• Has designed, built and deployed numerous machine learning and continuous auditing solutions using open source technologies.
Overview
• What is Active Directory and why is it needed?
• Broadly, how does Active Directory work?
• What are domains and forests?
• The power of PowerShell for self-service IT auditing
• Introducing Diomedes - an Active Directory Data Warehouse
What is Active Directory?
"Active Directory enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
Okay, fine, but what does that definition mean?
• Active Directory (AD) lets IT administrators manage user access in one place through groups, which is easier to manage and control than updating Access Control Lists (ACLs) by hand every time access needs change.
• Everything is an object.
• Storage is hierarchical, similar to a filesystem.
Building blocks
• Distinguished Name (DN)
• Common Name (CN)
• Globally Unique Identifier (GUID)
• Organizational Unit (OU)
• Domain
• Forest
• The Global Catalog
• Group Policy Object (GPO)
• Group
Distinguished Names (DN)
• "The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas." - "Distinguished Names." Distinguished Names (Windows). Accessed January 17, 2018. https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx.
• Example: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
Common Name (CN)
• The Common Name, sometimes referred to as the relative distinguished name (RDN) of an object, is the "human readable" name and is unique at its current level in the naming hierarchy. In the figure below, the Common Name of the object is JSmith. - "Object Naming." Microsoft TechNet. Accessed January 17, 2018. https://technet.microsoft.com/en-us/library/cc977992.aspx.
Globally Unique Identifier - GUID
• Objects have a globally unique identifier (GUID) assigned to them by the system at creation. Although all objects have a GUID which follows them from creation to destruction, Distinguished Names (DNs) are used to uniquely reference an object. Relative distinguished names (RDNs) are used to uniquely identify an object within its parent container in the directory. RDNs must be unique in their container. - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
Organizational Unit - The Basic Container
• "The most common type of container you will create in Active Directory is an organizational unit (OU), but there are others as well, such as the type called 'container.'" - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
Domains
• Active Directory's logical structure is built around the concept of domains.
• "The domains in each domain tree trust one another implicitly with transitive trusts. In a transitive trust, if Domain A trusts Domain B and Domain B trusts Domain C, this implies that Domain A trusts Domain C as well." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
Forests
• "Where a domain tree was a collection of domains, a forest is a collection of one or more domain trees. These domain trees share a common Schema and Configuration container, and the trees as a whole are connected together through transitive trusts. As soon as you create a single domain, you have a forest. If you add any domains to the initial domain tree or add new domain trees, you still have one forest. A forest is named after the first domain that is created, also known as the forest root domain. The forest root domain is important because it has special properties." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
• "An Active Directory forest is a distributed database, which is a database made up of many partial databases spread across multiple computers. Distributing the database increases network efficiency by letting the data be located where it is most used. The forest's database partitions are defined by domains, that is, a forest consists of one or more domains." - "Active Directory Architecture." Microsoft TechNet. Accessed January 17, 2018. https://technet.microsoft.com/en-us/library/bb727030.aspx.
Global Catalog
The Global Catalog (GC) is a very important part of Active Directory because it is used to perform forest-wide searches. As its name implies, the Global Catalog is a catalog of all objects in a forest that contains a subset of attributes for each object. The GC can be accessed via LDAP over port 3268 or LDAP/SSL over port 3269. The Global Catalog is read-only and cannot be updated directly.
Group Policy Objects (GPOs)
• The goal of Group Policy is for an administrator to:
  • Define the environment for users and computers
  • Rely on the system to enforce those policies
• Group Policy can be assigned to:
  • Individual computers
  • Users
  • Sites
  • Domains
  • Organizational units
• Administrators can set values and automatically unset them in specified situations. Policy can be set to run at user logon and logoff and at computer startup and shutdown.
• "There are literally tens of thousands of settings that you can apply to control everything from screensaver timeouts to desktop backgrounds to workstation power management, and practically everything in between." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
Groups
• Global groups and domain local groups are the direct descendants of Windows NT groups.
• Groups collect users who need the same access; granting access to a group is more efficient and reliable than assigning it to individual users.
• Example groups of utmost importance to auditors:
  • Domain Admins
  • Enterprise Admins
  • Administrator
  • Schema Admins
Various Domain Architecture Designs
• Single tree, multiple domain
• Single tree, multiple domain, multiple OU
• Single tree, multiple OU
• Multiple tree, multiple domain, multiple OU
Miscellaneous Properties
• Time Synchronization
• Kerberos
• Functional levels
• Best Practices Analyzer
PowerShell for Active Directory
• Groups and users can be retrieved from the PowerShell terminal via PowerShell cmdlets. Cmdlets are essentially little programs that perform specific tasks.
• Domain GPO policies can be obtained via another cmdlet.
• Both modules (ActiveDirectory and GroupPolicy) can be installed on Windows 7 and Windows 10 machines.
Get all organizational units in root domain
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Server FOREST_GLOBAL_CATALOGUE:3268 | Format-Table Name, DistinguishedName -AutoSize
Active Directory Users query
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties Name, CN, Department, Description, Title, Enabled -Server ROOTNAME:3268 | Select-Object Name, CN, Department, Description, Title, Enabled | Export-Csv FILE_NAME_HERE -NoTypeInformation
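An added example (not code from the deck or from Diomedes) that turns the cmdlets above into an audit export of the groups the deck singles out for auditors: it flattens nested membership, date-stamps the CSV the same way the deck does, and lists the conditions an auditor normally reviews first. It assumes the RSAT ActiveDirectory module and read access to the domain; DOMAIN_CONTROLLER and USERNAMEHERE are placeholders.

```powershell
# Added example, not the deck's or Diomedes' own code. Placeholders: DOMAIN_CONTROLLER, USERNAMEHERE.
Import-Module ActiveDirectory

$server  = 'DOMAIN_CONTROLLER'              # placeholder: a DC in the audited domain
$outDir  = 'C:\Users\USERNAMEHERE\Desktop'  # placeholder output folder
$runDate = Get-Date -Format 'MM-dd-yy'      # same RunDate stamp the deck's GPO script uses
$groups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$rows = foreach ($group in $groups) {
    # -Recursive flattens nested groups, so accounts that inherit the privilege
    # through group-in-group membership are not missed. Enterprise Admins and
    # Schema Admins exist only in the forest root domain, hence SilentlyContinue
    # when the script is pointed at a child domain.
    $members = Get-ADGroupMember -Identity $group -Server $server -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }   # report user accounts only
        $u = Get-ADUser -Identity $m.distinguishedName -Server $server -ErrorAction SilentlyContinue `
                 -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, Description
        if (-not $u) { continue }                     # e.g. a foreign security principal from a trusted domain
        [pscustomobject]@{
            RunDate              = $runDate
            Group                = $group
            SamAccountName       = $u.SamAccountName
            DistinguishedName    = $u.DistinguishedName
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
            Description          = $u.Description
        }
    }
}

# Date-stamped export so successive runs can be compared by RunDate.
$file = Join-Path $outDir ("PrivilegedGroups_" + $runDate + ".csv")
$rows | Sort-Object Group, SamAccountName | Export-Csv -Path $file -NoTypeInformation

# Conditions to review first: disabled accounts still holding the privilege,
# non-expiring passwords, and no logon in the last 90 days.
$stale = (Get-Date).AddDays(-90)
$rows |
    Where-Object { (-not $_.Enabled) -or $_.PasswordNeverExpires -or
                   ($_.LastLogonDate -and $_.LastLogonDate -lt $stale) } |
    Format-Table Group, SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate -AutoSize
```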
PowerShell Group Policy auditing
Import-Module GroupPolicy
$currentDate = Get-Date -Format "MM-dd-yy"
$fileName = ("C:\Users\USERNAMEHERE\Desktop\Domain_GroupPolicy_" + $currentDate + ".html")
Get-GPOReport -All -Domain YOURDOMAINHERE -ReportType HTML -Path $fileName
Introducing Diomedes - an Active Directory Data Warehouse
• Time-phased "Data Warehouse" for Active Directory user and group data.
• Audit can self-service Active Directory data for audits, which is a significant time saver.
• Current interface is via SQL; a web service is in the works.
• Source code available at: https://github.com/aclarkData/Diomedes
Components
• MySQL Relational Database server
• Windows Server
• Python batch job
• Query tool (Python program or GUI)
Diomedes Schema (two slides of schema diagrams, not reproduced in this transcript)
Example Queries
-- Group snapshot for one run date (GroupsNonRecursive or Groups)
SELECT DISTINCT *
FROM GroupsNonRecursive
WHERE RunDate = '08-28-17' AND Company = 'NAME';

-- User snapshot for one run date
SELECT DISTINCT *
FROM Users
WHERE RunDate = '11-30-17' AND CanonicalName LIKE 'COMPANY%';
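An added example (not Diomedes' own code) of the time-phased comparison the RunDate queries above make possible, done here in PowerShell on two constructed snapshots shaped like a date-stamped Export-Csv run (RunDate, Group, SamAccountName, Enabled); in practice the here-strings would be replaced by Import-Csv of two export files.

```powershell
# Added example, not Diomedes' own code. The two snapshots below are constructed sample data.
$previous = @'
RunDate,Group,SamAccountName,Enabled
08-28-17,Domain Admins,jsmith,True
08-28-17,Domain Admins,svc_backup,True
08-28-17,Schema Admins,adm_lee,True
'@ | ConvertFrom-Csv

$current = @'
RunDate,Group,SamAccountName,Enabled
11-30-17,Domain Admins,jsmith,True
11-30-17,Domain Admins,contractor7,True
11-30-17,Schema Admins,adm_lee,False
'@ | ConvertFrom-Csv

# A membership is the pair (Group, SamAccountName). Compare-Object returns the
# rows present on only one side: '=>' exists only in the current run (added since
# the previous snapshot), '<=' only in the previous run (removed).
$changes = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
                          -Property Group, SamAccountName -PassThru |
    ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        [pscustomobject]@{
            RunDate        = $_.RunDate
            Group          = $_.Group
            SamAccountName = $_.SamAccountName
            Change         = $change
        }
    }
$changes | Sort-Object Group, Change, SamAccountName | Format-Table -AutoSize

# Memberships that survived but whose account was disabled in between: the account
# is no longer in use yet still holds the privilege. CSV fields come back as strings,
# so the comparison is against the text 'False', not a boolean.
$disabledHolders = foreach ($row in $current) {
    if ($row.Enabled -eq 'False') { $row }
}
$disabledHolders | Format-Table Group, SamAccountName, Enabled -AutoSize
```

On the constructed data this reports one added and one removed Domain Admins membership and one disabled Schema Admins holder; each ADDED row should trace to an approved access request and each REMOVED row to a leaver or role change.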
Conclusion
• Defined what Active Directory is and why it is needed.
• Provided an overview of how Active Directory works.
• Gave an overview of domains and forests.
• Showed the power of PowerShell for self-service IT auditing.
• Introduced Diomedes - an Active Directory Data Warehouse.
Questions?
Thank you!
• Email: andrewtaylorclark@gmail.com
• GitHub: aclarkData
• Blog: https://aclarkdata.github.io/
• LinkedIn: www.linkedin.com/in/andrew-clark-b326b767

 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 

Active Directory for Auditors

  • 1. Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
     Andrew Clark, GStat, CAP, AWS Solutions Architect – Associate
     Principal, Machine Learning Audit, Capital One
     Active Directory For Auditors
  • 2. About me
     • B.S. in Business Administration with a concentration in Accounting, Summa Cum Laude, from University of Tennessee at Chattanooga.
     • M.S. in Data Science from Southern Methodist University.
     • American Statistical Association Graduate Statistician (GStat), INFORMS Certified Analytics Professional (CAP) and AWS Certified Solutions Architect – Associate.
     • Has designed, built and deployed numerous machine learning and continuous auditing solutions using open source technologies.
  • 3. Overview
     • What is Active Directory and why is it needed?
     • Broadly, how does Active Directory work?
     • What are domains and forests?
     • The power of PowerShell for self-service IT auditing
     • Introducing Diomedes - an Active Directory Data Warehouse
  • 4. What is Active Directory?
     "Active Directory enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
  • 5. Okay, fine, but what does that definition mean?
     • Active Directory (AD) is used by IT administrators to manage user access in one location via ‘groups’, which is easier to manage and control than having to update Access Control Lists (ACLs) manually when access needs change.
     • Everything is an object.
     • Storage is hierarchical, similar to a filesystem.
  • 6. Building blocks
     • Distinguished Name (DN)
     • Common Name (CN)
     • Globally Unique Identifier (GUID)
     • Organizational Unit (OU)
     • Domain
     • Forest
     • The Global Catalog
     • Group Policy Object (GPO)
     • Group
  • 7. Distinguished Names (DN)
     • "The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas." - "Distinguished Names." Distinguished Names (Windows). Accessed January 17, 2018. https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx.
     • Example: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
  • 8. Common Name (CN)
     • The Common Name, sometimes referred to as the relative distinguished name (RDN) of an object, is the "human readable" name and is unique at its current level in the naming hierarchy. In the figure below, the Common Name of the object is JSmith. - "Object Naming." Microsoft TechNet. Accessed January 17, 2018. https://technet.microsoft.com/en-us/library/cc977992.aspx.
  • 9. Globally Unique Identifier - GUID
     • Objects have a globally unique identifier (GUID) assigned to them by the system at creation. Although all objects have a Globally Unique Identifier (GUID) which follows them from creation to destruction, Distinguished Names (DNs) are used to uniquely reference an object. Relative distinguished names (RDN) are used to uniquely identify an object within its parent container in the directory. RDNs must be unique in their container. - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
  • 10. Organizational Unit - The Basic Container
     • "The most common type of container you will create in Active Directory is an organizational unit (OU), but there are others as well, such as the type called "container."" - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
  • 11. Domains
     • Active Directory's logical structure is built around the concept of domains.
     • "Domains in a domain tree trust one another implicitly with transitive trusts. In a transitive trust, if Domain A trusts Domain B and Domain B trusts Domain C, this implies that Domain A trusts Domain C as well." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
  • 12. Forests
     • "Where a domain tree was a collection of domains, a forest is a collection of one or more domain trees. These domain trees share a common Schema and Configuration container, and the trees as a whole are connected together through transitive trusts. As soon as you create a single domain, you have a forest. If you add any domains to the initial domain tree or add new domain trees, you still have one forest. A forest is named after the first domain that is created, also known as the forest root domain. The forest root domain is important because it has special properties." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
     • "An Active Directory forest is a distributed database, which is a database made up of many partial databases spread across multiple computers. Distributing the database increases network efficiency by letting the data be located where it is most used. The forest's database partitions are defined by domains, that is, a forest consists of one or more domains." - "Active Directory Architecture." Microsoft TechNet. Accessed January 17, 2018. https://technet.microsoft.com/en-us/library/bb727030.aspx.
  • 13. Global Catalog
     The Global Catalog (GC) is a very important part of Active Directory because it is used to perform forest-wide searches. As its name implies, the Global Catalog is a catalog of all objects in a forest that contains a subset of attributes for each object. The GC can be accessed via LDAP over port 3268 or LDAP/SSL over port 3269. The Global Catalog is read-only and cannot be updated directly.
  • 14. Group Policy Objects (GPOs)
     • The goal of Group Policy is for an administrator to:
        • Define the environment for users and computers
        • Rely on the system to enforce those policies
     • Group Policy can be assigned to:
        • Individual computers
        • Users
        • Sites
        • Domains
        • Organizational units
     • Administrators can set values and automatically unset them in specified situations. Policy can be set to run at user logon and logoff and computer startup and shutdown.
     • "There are literally tens of thousands of settings that you can apply to control everything from screensaver timeouts to desktop backgrounds to workstation power management, and practically everything in between." - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory. O'Reilly Media. Kindle Edition.
  • 15. Groups
     • Global groups and domain local groups are the direct descendants of Windows NT groups.
     • Groups are created from like users who need the same access. This is more efficient and reliable than assigning access to individual users.
     • Example groups of utmost importance to auditors:
        • Domain Admins
        • Enterprise Admins
        • Administrator
        • Schema Admins
  • 16. Various Domain Architecture Designs
     • Single tree, multiple domain
     • Single tree, multiple domain, multiple OU
     • Single tree, multiple OU
     • Multiple tree, multiple domain, multiple OU
  • 17. Miscellaneous Properties
     • Time Synchronization
     • Kerberos
     • Functional levels
     • Best Practices Analyzer
  • 18. PowerShell for Active Directory
     • Groups and users can be obtained from the PowerShell terminal via PowerShell cmdlets. Cmdlets are essentially small programs that perform specific tasks.
     • Domain GPO policies can be obtained via another cmdlet.
     • Both modules can be installed on Windows 7 and 10 machines.
  • 19. Get all organizational units in root domain
     Import-Module ActiveDirectory
     Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Server FOREST_GLOBAL_CATALOGUE:3268 | Format-Table Name, DistinguishedName -AutoSize
  • 20. Active Directory Users query
     Import-Module ActiveDirectory
     Get-ADUser -Filter * -Properties Name, CN, Department, Description, Title, Enabled -Server ROOTNAME:3268 | Select-Object Name, CN, Department, Description, Title, Enabled | Export-Csv FILE_NAME_HERE
  • 21. PowerShell Group Policy auditing
     Import-Module GroupPolicy
     $currentDate = Get-Date -Format "MM-dd-yy"
     $fileName = ("C:\users\USERNAMEHERE\desktop\Domain_GroupPolicy_" + $currentDate + ".html")
     Get-GPOReport -All -Domain YOURDOMAINHERE -ReportType HTML -Path $fileName
  • 22. Introducing Diomedes - an Active Directory Data Warehouse
     • Time-phased ‘Data Warehouse’ for Active Directory user and group data.
     • Audit can self-service Active Directory data for audits, which is a significant time saver.
     • Current interface is via SQL; a web service is in the works.
     • Source code available at: https://github.com/aclarkData/Diomedes
  • 23. Components
     • MySQL Relational Database server
     • Windows Server
     • Python batch job
     • Query tool (Python program or GUI)
  • 24. Diomedes Schema
  • 25. Diomedes Schema Cont.
  • 26. Example Queries
     SELECT DISTINCT * FROM GroupsNonRecursive -- or Groups
     WHERE RunDate = '08-28-17' AND Company = 'NAME'
     SELECT DISTINCT * FROM Users
     WHERE RunDate = '11-30-17' AND CanonicalName LIKE 'COMPANY%%'
  • 27. Conclusion
     • Defined what Active Directory is and why it is needed.
     • Provided an overview of how Active Directory works.
     • Gave an overview of domains and forests.
     • The power of PowerShell for self-service IT auditing.
     • Introduced Diomedes - an Active Directory Data Warehouse.
  • 28. Questions?
  • 29. Thank you!
     • Email: andrewtaylorclark@gmail.com
     • GitHub: aclarkData
     • Blog: https://aclarkdata.github.io/
     • LinkedIn: www.linkedin.com/in/andrew-clark-b326b767
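The time-phased value of the warehouse is that two RunDates can be compared. As an added example (not Diomedes' own code; the table layout, column names and all sample rows are constructed to resemble what the Users and Groups queries above return), this Python script reports membership drift in the privileged groups from the Groups slide between two snapshots, and flags disabled accounts that still hold privileged membership:

```python
"""Added example: privileged-group drift between two Diomedes-style snapshots.
Table layout, column names and rows are constructed, not Diomedes' own."""
import csv
import io
from collections import defaultdict

# Groups "of utmost importance to auditors" from the Groups slide.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed snapshot rows: one row per group member per RunDate, in the
# shape an "Export-Csv" of the Groups query might produce (assumed columns).
GROUPS_CSV = """RunDate,GroupName,Member,Company
08-28-17,Domain Admins,jsmith,NAME
08-28-17,Domain Admins,pburke,NAME
08-28-17,Schema Admins,jsmith,NAME
08-28-17,Sales,alee,NAME
11-30-17,Domain Admins,jsmith,NAME
11-30-17,Domain Admins,pburke,NAME
11-30-17,Domain Admins,svc_backup,NAME
11-30-17,Schema Admins,svc_backup,NAME
11-30-17,Sales,alee,NAME
"""

# Constructed Users snapshot; Export-Csv writes the Enabled boolean as True/False.
USERS_CSV = """RunDate,SamAccountName,Enabled,CanonicalName
11-30-17,jsmith,True,COMPANY.com/Users/Jeff Smith
11-30-17,pburke,False,COMPANY.com/Financial Sector/Gurus/Databases/Paul Burke
11-30-17,svc_backup,True,COMPANY.com/Service Accounts/svc_backup
11-30-17,alee,True,COMPANY.com/Sales/Ann Lee
"""


def load_rows(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def members_on(rows, run_date):
    """Return {group: set(members)} for one snapshot date."""
    groups = defaultdict(set)
    for r in rows:
        if r["RunDate"] == run_date:
            groups[r["GroupName"]].add(r["Member"])
    return groups


def membership_drift(rows, date_a, date_b, groups=PRIVILEGED_GROUPS):
    """Compare two RunDates; return {group: (added, removed)} for groups that changed."""
    before, after = members_on(rows, date_a), members_on(rows, date_b)
    drift = {}
    for g in sorted(groups):
        added, removed = after[g] - before[g], before[g] - after[g]
        if added or removed:
            drift[g] = (added, removed)
    return drift


def disabled_in_privileged(group_rows, user_rows, run_date, groups=PRIVILEGED_GROUPS):
    """Members of privileged groups whose account is disabled on that RunDate.
    A member with no Users row is treated as enabled (not flagged here)."""
    enabled = {r["SamAccountName"]: r["Enabled"] == "True"
               for r in user_rows if r["RunDate"] == run_date}
    now = members_on(group_rows, run_date)
    return sorted({m for g in groups for m in now[g] if not enabled.get(m, True)})


if __name__ == "__main__":
    groups, users = load_rows(GROUPS_CSV), load_rows(USERS_CSV)
    for g, (added, removed) in membership_drift(groups, "08-28-17", "11-30-17").items():
        print(f"{g}: added={sorted(added)} removed={sorted(removed)}")
    print("disabled but still privileged:", disabled_in_privileged(groups, users, "11-30-17"))
```

Each drift line is a change an auditor can tie back to a ticket or approval, which is the evidence the screenshot-based approach tries to collect by hand.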

Editor's Notes

  1. Active Directory is based on an authentication system called Kerberos, which was built by MIT researchers in the late 1980s. The name Kerberos comes from the three-headed guard dog of Hades in Greek mythology, most widely known from his capture by Hercules as the last of his twelve labors, and also appearing in Homer's Iliad. Just as Kerberos was the guardian of Hades in Greek mythology, keeping the dead from leaving, the Kerberos protocol is most likely underpinning the logical access security on your company's network. Arguably the most popular implementation of Kerberos in the enterprise setting is Microsoft's Active Directory, which we will talk about today. We will go over what Active Directory is and, in broad strokes, how it works, and introduce some tools that can be used to help you more effectively conduct ITGC, SOX and other logical access system audits.
  2. Active Directory is the backbone of user authentication for a large percentage of organizations. Although audited loosely during SOX and ITGC audits, it is often misunderstood and often audited ineffectively and inefficiently. Traditional compliance auditing requires screenshots of key groups, configurations, etc., and creates a significant burden on IT personnel to provide the requested support. By using only PowerShell cmdlets, along with a broad understanding of how Active Directory functions, the requisite audit documentation can be obtained by the auditor without elevated system privileges.
  3. Common Name == Relative Distinguished Name
  4. The primary type of container that you will create to house objects is called an organizational unit (OU). Another type of container, which is actually called a container, can also be used to store a hierarchy of objects and containers. Although both can contain huge hierarchies of containers and objects, an organizational unit can have group policies applied to it.
  5. An Active Directory domain is made up of the following components:
     • An X.500-based hierarchical structure of containers and objects
     • A DNS domain name as a unique identifier
     • A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains
     • Policies that dictate how functionality is restricted for users or machines within that domain
     A domain controller (DC) can be authoritative for one and only one domain. It is not possible to host multiple domains on a single DC. The mycorp.com domain itself, ignoring its contents, is automatically created as the root node of a hierarchical structure called a domain tree. This is literally a series of domains connected together in a hierarchical fashion, all using a contiguous naming scheme. If Mycorp were to add domains called Europe, Asia, and Americas, then the names would be europe.mycorp.com, asia.mycorp.com, and americas.mycorp.com. Domains in a domain tree trust one another implicitly with transitive trusts. In a transitive trust, if Domain A trusts Domain B and Domain B trusts Domain C, this implies that Domain A trusts Domain C as well.
  6. Now that you understand what a domain tree is, we can move on to the next piece of the Active Directory structure, the forest. Where a domain tree was a collection of domains, a forest is a collection of one or more domain trees. These domain trees share a common Schema and Configuration container, and the trees as a whole are connected together through transitive trusts. As soon as you create a single domain, you have a forest. If you add any domains to the initial domain tree or add new domain trees, you still have one forest. A forest is named after the first domain that is created, also known as the forest root domain. The forest root domain is important because it has special properties.
  7. Group Policy is a large topic that deserves a book in itself (and there are several of those) to be properly covered. We will discuss Group Policy as it applies specifically to the design and administration of an Active Directory installation in this book, but not as it applies to the actual settings and operations on a workstation. The goal of policy-based administration is for an administrator to define the environment for users and computers once by defining policies, and then to rely on the system to enforce those policies. - Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6457-6462). O'Reilly Media. Kindle Edition.
     The scope and functionality of Active Directory group policies encompass a number of key points:
     • They can be targeted to individual computers and users, sites, domains, and organizational units.
     • They can apply to users, computers, or groups of either.
     • They can set values and automatically unset them in specified situations.
     • They can run scripts at user logon and logoff and computer startup and shutdown.
     • They can do far more than just a desktop lockdown. With Group Policy, administrators can control the behavior of workstations and servers as well as managing the end user experience across the organization. There are literally tens of thousands of settings that you can apply to control everything from screensaver timeouts to desktop backgrounds to workstation power management, and practically everything in between.
     The remainder of this chapter takes an in-depth look at group policy objects, focusing on two areas: how GPOs work in Active Directory, and how to manage GPOs. Group policies are very simple to understand, but their usage can be quite complex.
     Each GPO can consist of two parts: one that applies to a computer (such as a startup script or a change to the system portion of the registry) and one that applies to a user (such as a logoff script or a change to the user portion of the registry). You can use GPOs that contain only computer policies, only user policies, or a mixture of the two.
     GPOs and Active Directory
     Any GPO is initially created as a standalone object in Active Directory. Each object can then be linked one or more times to three different types of locations: sites, domains, and organizational units. GPOs for domains and organizational units are held in the domain relating to their application, but creating a GPO for a site stores that GPO in the forest root domain by default; administrators can change this if they wish. (Desmond et al., Kindle Locations 6591-6598)
     Warning: You cannot link group policies to containers. Users and computers that are stored in a container will apply policies linked to the domain or their site, however.
     In the normal state of affairs, an administrator would customarily browse to a site, domain, or organizational unit in the GPMC, and then create a GPO and link it to that object. At this point, it appears that you have created a GPO at that location in the tree rather than what really happened, which was that the system created the GPO as a standalone object in the Policies container and then immediately linked it to that container. To apply a GPO to a set of users or computers, you simply create a GPO and link it to a site, domain, or organizational unit. Then, by default, the user portion of the GPO will apply to all users in the tree, and the computer portion of the GPO will apply to all computers in the tree.
     Thus, if we were to create a policy and link it to a domain, all computers and users of that domain would process the policy. If we were to create a policy and link it to an OU, all users and computers in that OU, and all users and computers within OUs beneath that OU (and so on down the tree), would process the policy. (Desmond et al., Kindle Locations 6605-6612)
     GPOs can be linked only to sites, domains, and organizational units. A single GPO can be linked to multiple locations in the tree. GPOs by default affect all of the users and computers in the linked scope. This generates further questions. If multiple policies apply to different locations in a tree, can multiple GPOs apply to the same location, and if so, what takes precedence? Why would you want to apply one GPO to different parts of the tree? In addition, how can we stop the GPO from applying to the entire set of users and computers in the tree? Let's consider each of these questions to understand policies better.
     Prioritizing the Application of Multiple Policies (Desmond et al., Kindle Locations 6617-6624)
     Let's say that we create and link a GPO for all users in a site to run a logon script that loads an Intranet home page local to that site. Let's also say that we create and link a domain GPO to set the My Documents folder location for each user in the domain. Finally, we have two user logon scripts that we need to run in a specific order for specific organizational units in that domain.
     GPOs are applied in a specific order, commonly called LSDOU. Local policies are applied first, and then site policies, then domain policies, and then finally OU policies are applied in the order of the OU hierarchy. (Desmond et al., Kindle Locations 6624-6629)
     If multiple GPOs are linked to a single site, domain, or organizational unit, the administrator can prioritize the order in which the GPOs from that level are processed. (Desmond et al., Kindle Locations 6631-6632)
     GPO links are inherited down an OU tree. So, while a child organizational unit can have its own GPOs linked to it, it also will inherit all of its parent's GPO links. These organizational unit GPOs are applied in order according to the OU hierarchy once the site and domain GPOs have been processed. (Desmond et al., Kindle Locations 6636-6639)
     For example, Paul Burke's user account has the following distinguished name (see Figure 11-4): cn = PaulBurke, ou = Databases, ou = Gurus, ou = Financial Sector, dc = mycorp, dc = com. When Paul logs onto his machine, the site GPOs are applied first, and then the mycorp.com domain GPOs. Next come the GPOs on the Financial Sector organizational unit, then the GPOs on the Gurus organizational unit, and finally the GPOs on the Databases organizational unit. From this, it's fairly easy to see how organizational unit hierarchy design has a significant effect on GPO precedence. (Desmond et al., Kindle Locations 6641-6647)
     Standard GPO Inheritance Rules in Organizational Units
     Any unconfigured settings anywhere in a GPO are ignored, and only configured settings are inherited. There are three possible scenarios:
     • A higher-level GPO has a value for a setting, and a lower-level GPO does not.
     • A GPO linked to a parent OU has a value for a setting, and a GPO linked to a child OU has a non-conflicting value for the same setting.
     • A GPO linked to a parent OU has a value (Desmond et al., Kindle Locations 6661-6666)
     Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
     It is possible to force the settings of a GPO linked to an OU in the tree to be applied as the final settings for a child. (Desmond et al., Kindle Locations 6677-6679)
     We've already said that the computer portion of a GPO applies during boot up and the user portion of a GPO applies during logon. However, that isn't the only time that a policy can apply. The policies also can be set to refresh periodically after a certain time interval. How often this occurs and what conditions are attached to this refresh operation are specified under the System\Group Policy key under the Administrative Templates section of the Computer section of a GPO. (Desmond et al., Kindle Locations 6729-6732)
     Group Policy Refresh Frequency
     By default, Windows workstations and member servers refresh their policies every 90 minutes, and domain controllers refresh their policies every 5 minutes. In order to avoid having all machines retrieving their policies at once from the domain controllers, there is a random offset interval added to the refresh period on every machine. (Desmond et al., Kindle Locations 6743-6746)
     Combating Slowdown Due to Group Policy
     Introducing Group Policy into your environment will affect computer startup and user logon times to a degree. Exactly what degree varies from environment to environment, and you will need to test in yours to come up with a representative figure. We do not recommend foregoing Group Policy in an effort to speed up your startup and logon times, but we do recommend being frugal when planning the number of policies that will apply to a given user or computer. (Desmond et al., Kindle Locations 6788-6792)
     That's a lot of information on GPOs. Let's summarize what we've covered about the workings of GPOs so far:
     • GPOs exist in a split state. The configuration data for the GPO, known in shorthand form as GPC data, is held in the AD object itself. The template files and settings that tell the GPO what its capabilities are, known in shorthand form as GPT data, are stored in the SYSVOL.
     • Individual GPOs can be linked to multiple sites, domains, and organizational units in Active Directory, as required.
     • GPOs can contain policies that apply to both computers and users in an OU.
     • The default operation of a GPO on a container is to apply the computer portion of the GPO to every computer in that container during boot up and to apply the user portion of the GPO to every user in that container during logon.
     • GPOs can also be set to refresh periodically.
     • Multiple GPOs linked to a particular container in Active Directory will be applied in a strict order according to a series of priorities. The default prioritized order corresponds to the exact order in which the GPOs were linked to the container. Administrators can adjust the priorities as required.
     • While GPOs exist only in a domain environment due to their dependence on Active Directory, individual domain or workgroup computers can have local policies defined for them.
     • GPOs are inherited down the organizational unit hierarchy by default. (Desmond et al., Kindle Locations 6981-6993)
     • This inheritance can be blocked using the properties of an OU, domain, or site.
     • Administrators can also set a policy to be enforced. This allows a policy to override all lower settings and bypass any blocks.
     • Loopback mode allows the administrator to specify that user settings can be overridden on a per-machine basis. Effectively, this means that the user parts of policies that normally apply only to computers are applied to the users as well as (merge mode) or instead of (replace mode) the existing user policies.
     • WMI filtering allows you to configure a WMI query that can be used as an additional criterion to determine whether a GPO should be applied.
If the filter evaluates to true, the GPO will continue to be processed; if it evaluates to Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6993-6998). O'Reilly Media. Kindle Edition.  false, the GPO will not be processed. This is a powerful feature because you have a vast amount of WMI data available to determine whether GPOs should be applied. A number of things can slow down processing on a client, including attempting to process many policies one after the other. Use of loopback mode, especially in merge mode, can significantly impact performance. Attempting to apply GPOs across domains can also lead to slowdowns, depending on the network speed between the domains. Finally, complex queries in WMI filters can have a negative impact on GPO processing. Policies are applied in a strict order known as LSDOU. This notation indicates Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 6998-7003). O'Reilly Media. Kindle Edition.  that local policies are applied first, followed by site GPOs, domain GPOs, and finally any organizational unit GPOs hierarchically down the tree. At each point, the policies are applied in prioritized order if multiple policies exist at a location. When policies are to be applied to a client, the system identifies the entire list of policies to be applied before actually applying them in order. This is to determine whether any blocking, overriding, or loopback settings have been put in place that could alter the order or application of the policies. ACLs can be used to limit the application of GPOs to certain individual users or computers or groups of users or computers. Specifically setting up the Desmond, Brian; Richards, Joe; Allen, Robbie; Lowe-Norris, Alistair G.. 
Active Directory: Designing, Deploying, and Running Active Directory (Kindle Locations 7003-7008). O'Reilly Media. Kindle Edition.  that local policies are applied first, followed by site GPOs, domain GPOs, and finally any organizational unit GPOs hierarchically down the tree. At each point, the policies are applied in prioritized order if multiple policies exist at a location. When policies are to be applied to a client, the system identifies the entire list of policies to be applied before actually applying them in order. This is to determine whether any blocking, overriding, or loopback settings have been put in place that could alter the order or application of the policies. ACLs can be used to limit the application of GPOs to certain individual users or computers or groups of users or computers. Specifically setting up the
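The precedence rules quoted above (LSDOU order, link priority within a container, Block Inheritance, Enforced, and last-writer-wins on configured settings) as a runnable PowerShell model. This is an added example for this deck, not code from the slides or from the O'Reilly book: the site, domain, OU and GPO names and the settings are constructed around Paul Burke's DN from the quoted example, and Resolve-GpoOrder and Get-ResultantSettings are hypothetical function names. Local policy, the L in LSDOU, is applied before any of these links and is left out of the model.

```powershell
# Added example (not from the slides or the book). Container, GPO and setting names are constructed.
# In a live domain the same link data comes from Get-GPInheritance -Target <container DN>.

# Processing chain for cn=PaulBurke, ou=Databases, ou=Gurus, ou=Financial Sector, dc=mycorp, dc=com,
# listed from the site down to the innermost OU. Order 1 is the highest-precedence link at a level.
$chain = @(
    @{ Target = 'Site: Default-First-Site-Name'; BlockInheritance = $false; Links = @(
        @{ Name = 'Site Proxy'; Order = 1; Enforced = $false; Enabled = $true; Settings = @{ Proxy = 'site-proxy' } }
    ) }
    @{ Target = 'Domain: mycorp.com'; BlockInheritance = $false; Links = @(
        @{ Name = 'Default Domain Policy'; Order = 1; Enforced = $false; Enabled = $true; Settings = @{ MinPasswordLength = 8 } }
        @{ Name = 'Corp Screen Lock';      Order = 2; Enforced = $true;  Enabled = $true; Settings = @{ ScreenLockMinutes = 10 } }
    ) }
    @{ Target = 'OU: Financial Sector'; BlockInheritance = $false; Links = @(
        @{ Name = 'Finance Drive Maps'; Order = 1; Enforced = $false; Enabled = $true; Settings = @{ DriveMap = 'F:' } }
    ) }
    @{ Target = 'OU: Gurus'; BlockInheritance = $true; Links = @(
        @{ Name = 'Gurus Local Admin'; Order = 1; Enforced = $false; Enabled = $true; Settings = @{ LocalAdmin = 'gurus-admins'; ScreenLockMinutes = 60 } }
    ) }
    @{ Target = 'OU: Databases'; BlockInheritance = $false; Links = @(
        @{ Name = 'DBA Tools'; Order = 2; Enforced = $false; Enabled = $true;  Settings = @{ Tools = 'dba' } }
        @{ Name = 'DBA Proxy'; Order = 1; Enforced = $false; Enabled = $false; Settings = @{ Proxy = 'dba-proxy' } }
    ) }
)

function Resolve-GpoOrder {
    # Returns the GPOs in the order they are applied (first applied first, last applied wins).
    param([Parameter(Mandatory)] [object[]] $Chain)
    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]
    foreach ($container in $Chain) {
        if ($container.BlockInheritance) {
            # Block Inheritance drops every non-enforced link collected above this container;
            # enforced links bypass the block.
            $normal.Clear()
        }
        # Disabled links are skipped. Within one container, link order 1 has the highest
        # precedence and is therefore applied last, so process in descending Order.
        $links = $container.Links | Where-Object { $_.Enabled } | Sort-Object { $_.Order } -Descending
        foreach ($link in $links) {
            $entry = [pscustomobject]@{ Gpo = $link.Name; Target = $container.Target; Enforced = $link.Enforced; Settings = $link.Settings }
            if ($link.Enforced) { $enforced.Add($entry) } else { $normal.Add($entry) }
        }
    }
    # Enforced links are applied after all normal links. Among enforced links the one closest to
    # the root wins, so they are applied in reverse container order (deepest first, top-most last).
    $enforced.Reverse()
    return @($normal) + @($enforced)
}

function Get-ResultantSettings {
    # Only configured settings are inherited; a later GPO in the order overrides an earlier one.
    param([Parameter(Mandatory)] [object[]] $OrderedGpos)
    $result = @{}
    foreach ($gpo in $OrderedGpos) {
        foreach ($key in $gpo.Settings.Keys) { $result[$key] = $gpo.Settings[$key] }
    }
    return $result
}

$order = Resolve-GpoOrder -Chain $chain
$order | Select-Object Gpo, Target, Enforced | Format-Table -AutoSize
Get-ResultantSettings -OrderedGpos $order
```

For an auditor the point of the model is that the final processing order cannot be read off the OU hierarchy alone: a Block Inheritance on the Gurus OU discards the site, domain and Financial Sector links, yet the Enforced domain link survives the block and is applied last, so it wins its conflict with the OU-level GPO. Against a live domain, Get-GPInheritance -Target <DN> for each container on the user's path exposes GpoInheritanceBlocked and a GpoLinks list with Enabled, Enforced and Order, which is all that is needed to populate $chain.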
  8. Global groups and domain local groups are the direct descendants of Windows NT groups; the membership of these groups is only available from domain controllers of the domains in which they are created. Universal group membership is available both from the domain controllers of the domains in which they are created in and from all Global Catalogs in the forest. Universal and global groups can be used in access control lists (ACLs) on any resource in the forest or in trusting domains. Domain local groups can only be used in ACLs in the domain in which they are created.
  9. While legitimate reasons exist to create multitree forests, we recommend that you endeavor to simplify your Active Directory design as much as possible and limit yourself to one domain tree and as few domains as possible. Best practice for new forest designs is almost always a single-domain forest.

You would like to be able to give this group limited autonomy over user objects by allowing one of the senior administrators to manage its own section of the tree. Complete segregation of security is not needed, and the manufacturing tree isn’t large enough to justify creating another domain to manage along with the associated domain controllers. You can instead create an organizational unit in your hierarchy called Manufacturing. You then give the senior engineer authority over that organizational unit to create and delete accounts, change passwords, and create other organizational units within the

So, throughout this book, whenever we advocate creating hierarchies within domains, we always recommend that you use organizational units. After all, an organizational unit is just a superset of a container. There is nothing a container can do that an organizational unit cannot.

The emphasis of this chapter is on planning the structure of your Active Directory installation. Specifically, we will look at the forest and domain tree layout as well as the organizational unit (OU) structure. While it was extremely common (and often necessary) to design a forest with numerous domains when Windows 2000 came about, that need has largely dissipated. We’ll explore how you can reduce the number of domains that you require for Active Directory while gaining administrative control over sections of the Active Directory domain namespace using organizational
(Desmond et al., Active Directory: Designing, Deploying, and Running Active Directory, O'Reilly Media, Kindle Locations 7893-7897.)
When designing a forest, remember that there are often multiple good answers to forest design for any given company. There is no “best” design for all situations. Microsoft has provided great flexibility in what can be done, which can turn around and bite you with indecision about how you should implement AD. It isn’t unusual for two engineers to have two very different designs for the same company that are both good for completely different reasons. Simply document all recommended designs and let the decision makers decide together which one will be the best for long-term operations. Overall, the best solutions are usually the simplest solutions. In most cases, you will want to choose single-forest designs over multiforest designs, single-tree designs over multitree designs, and single-domain designs over multidomain designs. The design example shown here is simply that: an example. The company in question could have designed its Active Directory infrastructure in a number of ways, and this is one of them.

There are a number of restrictions that you have to be aware of when beginning your Active Directory design. We will introduce you to them in context as we go along, but here are some important ones:
• The forest, not the domain, is the security boundary for Active Directory. Anyone with high-level access rights on any writable domain controller in any domain can negatively impact or take control of any other DC or domain in the forest.
• You can never remove the forest root domain without destroying the whole forest in the process. The forest root domain is the cornerstone of your forest.
• Multiple domains cannot be hosted on a single DC.
(Desmond et al., Active Directory: Designing, Deploying, and Running Active Directory, O'Reilly Media, Kindle Locations 7900-7909.)

Imagine three child domains under a root domain located in the United States, each of which corresponds to one of three business units. Now imagine that you have a small office of 15 people in Eastern Europe or Latin America with a slow link to the US offices. These 15 users are made up of
  10. Time Synchronization in Active Directory

Active Directory is highly dependent on all of the domain controllers and domain members having synchronized clocks. Kerberos (which is the underlying authentication protocol for Active Directory clients) uses system clocks to verify the authenticity of Kerberos packets. By default, Active Directory supports a tolerance of plus or minus five minutes for clocks. If the time variance exceeds this setting, clients may be unable to authenticate and, in the case of domain controllers, replication will not occur.

One of the fundamental underpinnings of any network that runs on Active Directory is the Kerberos security protocol. Kerberos provides the authentication mechanism that powers user logon, application access, and communication between domain controllers (among other things). Implementing Kerberos on its own is a challenging task that Microsoft has almost completely abstracted with Active Directory. Out of the box, there’s virtually zero configuration required to start using Kerberos. In fact, if you never ran across an application that required special Kerberos-specific configuration, you would never even need to know that Kerberos was being used under the covers. The key benefit of the Kerberos security

Domain and Forest Functional Levels

For the Windows Server 2003 release of Active Directory, Microsoft expanded on the domain mode concept by introducing functional levels. Whereas the domain modes applied only to domains, functional levels apply to both forests and domains. Like the domain mode, functional levels dictate what types of operating systems can assume the role of a domain controller in a domain or forest. Each functional level also has an associated list of features that become available when the domain or forest reaches that particular functional level.
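The five-minute Kerberos tolerance described above, turned into a check an auditor can run over a set of machine clocks. This is an added example for this deck, not code from the slides or the book; the machine names and timestamps are constructed, and Test-KerberosClockSkew is a hypothetical function name. In a live domain the LocalDateTime of each machine can be read with Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName <name>, and w32tm /monitor reports the offset of every domain controller.

```powershell
# Added example (not from the slides or the book). Sample names and times are constructed.
function Test-KerberosClockSkew {
    param(
        [Parameter(Mandatory)] [object[]] $Samples,        # objects with Name and LocalTime
        [Parameter(Mandatory)] [datetime] $ReferenceTime,  # clock of the DC used as the reference
        [int] $ToleranceSeconds = 300                       # AD default: plus or minus five minutes
    )
    foreach ($sample in $Samples) {
        # Absolute drift of this machine's clock against the reference, in seconds
        $skew = [math]::Abs(($sample.LocalTime - $ReferenceTime).TotalSeconds)
        [pscustomobject]@{
            Name            = $sample.Name
            SkewSeconds     = [math]::Round($skew)
            WithinTolerance = ($skew -le $ToleranceSeconds)
        }
    }
}

# Constructed sample: the reference is the clock of the domain controller the check was run against,
# captured at the same moment as the three member machines.
$reference = [datetime]'2018-06-01T12:00:00'
$samples = @(
    [pscustomobject]@{ Name = 'DC02';       LocalTime = [datetime]'2018-06-01T12:00:02' }
    [pscustomobject]@{ Name = 'WS0101';     LocalTime = [datetime]'2018-06-01T11:56:30' }
    [pscustomobject]@{ Name = 'SRV-FILE01'; LocalTime = [datetime]'2018-06-01T12:06:10' }
)

$results = Test-KerberosClockSkew -Samples $samples -ReferenceTime $reference
$results | Format-Table -AutoSize

# Machines outside the tolerance are the ones whose users may be unable to authenticate and,
# for domain controllers, whose replication will not occur.
$results | Where-Object { -not $_.WithinTolerance }
```

The tolerance is a parameter rather than a constant so the same check can be run against a domain where the Kerberos policy has been tightened below the five-minute default; the constructed sample puts one workstation a few minutes slow but still inside the window and one server outside it.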
Best Practices Analyzer

Keeping Active Directory healthy is a concern of any administrator, and the definition of a healthy domain controller or forest is a topic of much debate on the Internet. Historically, Microsoft has included a tool called dcdiag with Windows: the multitude of tests dcdiag supports can help an administrator proactively check the health of a domain controller, domain, or forest as well as troubleshoot problems when they arise. The downfall of dcdiag is that the output is difficult to read, the list of switches required to test the intended targets is long, and there is typically no actionable guidance when a problem is identified. Starting with Windows Server 2008 R2, Microsoft set out to solve these problems by creating a Best Practices Analyzer (BPA) for Active Directory that is included as part of the operating system. Windows Server 2012 includes 41 tests that analyze many of the most common issues and misconfigurations that administrators typically run into. To access the BPA, find Server Manager under the AD DS node on the left and scroll down to Best Practices Analyzer. To run a BPA scan, click Tasks → Start BPA Scan on the right. You can select one or more domain controllers to run the BPA scan on, as shown in Figure 3-23.
  11. The Active Directory PowerShell module first appeared in Windows Server 2008 R2 and was enhanced in Windows Server 2012. While the module is currently in its second iteration, there are still some tasks that you cannot accomplish with it. ADAC uses the AD PowerShell module for all of its tasks, so, if you can do something in ADAC, that task can also be accomplished with the AD PowerShell module.
  13. $currentDate = Get-Date -Format "yyyy-MM-dd"   # assumed: the slide uses $currentDate without defining it
      $fileNameUser = ("C:\users\aclark\desktop\Aclark_GroupPolicy_" + $currentDate + ".html")
      Get-GPResultantSetOfPolicy -User aclark -ReportType Html -Path $fileNameUser   # RSoP report for user aclark, written as HTML