
@ivanitlearning
Last active June 7, 2023 19:06
Some notes I took while learning about Active Directory

Notes on learning Active Directory

  1. By convention the NetBIOS domain name is the first label of the DNS name, so for FQDN=adlunches.net the NetBIOS name is ADLUNCHES (15 chars max). It is a convention rather than a hard requirement, but a mismatch confuses users and any tooling that translates between DOMAIN\user and user@fqdn.

  2. Every AD forest has servers that hold a partial, read-only copy of every object in the forest (the "partial attribute set"). These are the Global Catalog (GC) servers.

    1. The forest needs at least one GC; in practice every domain, and ideally every site, should have one, plus extras for redundancy, so objects in other domains can be found without crossing the WAN.
    2. Any DC can be made a GC.
    3. Since Server 2008 the promotion wizard makes a new DC a GC by default. GCs cost disk space and replication bandwidth, but both are usually plentiful.
    4. Microsoft Exchange requires a GC to run.
    5. GCs allow logons by UPN (eg. [email protected]): the UPN suffix need not match the user's domain, so the DC asks a GC which domain owns that UPN.
    6. GC servers should be deployed at sites with poor WAN links or filtered connections.
    7. GCs are needed to evaluate universal group membership at logon, since universal groups can contain members from any domain and their membership is stored only in the GC.
    8. Site them near high-use applications like Exchange.
  3. All domains in a forest share one schema, which defines the object classes and attributes. Each domain holds its own partition of the database (plus replicas of the schema and configuration partitions), but the shared schema dictates the structure of every partition.

  4. Trusts between domains in the same forest (parent-child and tree-root) are created automatically and are two-way transitive. A trust gives users in one domain a path to resources in another; it does not grant permissions by itself.

  5. NTDS = NT Directory Services (the old Windows NT name). The database is the file NTDS.dit (an ESE/JET database under %SystemRoot%\NTDS) whose directory model follows the X.500 standard. Anyone who can read this file, eg. from a DC backup or VSS snapshot, holds every password hash in the domain, so protect DC backups as carefully as the DCs themselves.

  6. Five operations master (FSMO) roles. To check the role holders, run dcdiag /test:knowsofroleholders /v (output as LDAP DNs) or netdom query fsmo (output as FQDNs).

    1. Schema master: makes changes to the schema. Forest-wide.
    2. Domain naming master: adds/removes/renames domains. Forest-wide.
    3. RID master: allocates RID pools to DCs; a RID is appended to the domain SID to form each new object's SID. Domain-wide.
      1. Can sit on a slow network link if AD objects are not created frequently.
      2. Usually placed on the same DC as the PDC emulator, which consumes far more RIDs than other DCs.
    4. PDC emulator: domain-wide. Place it on the network with the most users, since it handles password changes.
      1. Authoritative time source: all DCs sync time with the PDC emulator (the forest root PDC emulator at the top of the chain) and clients sync with their DC. Kerberos tolerates only 5 minutes of clock skew by default.
      2. Final authority on domain passwords: a password change is sent to it first, and a DC that fails a logon checks with it before rejecting.
      3. Group Policy Management Editor writes GPO changes here by default; they then replicate to the other DCs.
    5. Infrastructure master: keeps cross-domain object references (phantoms) up to date, tracking moves, renames and deletions of referenced objects in other domains. Domain-wide.
      1. In a multi-domain forest, do not place the IM on a GC unless every DC in the domain is a GC: a GC already holds the referenced objects, so the IM would never notice they changed and would not update the other DCs. Once the AD Recycle Bin is enabled (Server 2008 R2 forest level) every DC updates its own phantoms and the problem disappears.
      2. Irrelevant in a single-domain forest.
  7. Upon first domain logon, Windows builds an access token for the user with the characteristics described under "User AD authentication" below.

[Figure: Access token]
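The same FSMO check with the ActiveDirectory PowerShell module, as an added example that is not part of the original notes. It also tests for the Infrastructure Master / Global Catalog conflict described above. Nothing is assumed beyond RSAT (the ActiveDirectory module) being installed; all names come from the live forest.

```powershell
# Added example: list FSMO role holders and flag an Infrastructure Master that is
# also a GC in a multi-domain forest where not every DC is a GC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain object
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Infrastructure Master on a GC is only a problem when the forest has more than one
# domain AND at least one DC in this domain is not a GC.
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGC = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
         Where-Object { -not $_.IsGlobalCatalog }

if ($im.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and $nonGC) {
    Write-Warning ("Infrastructure Master {0} is a GC while {1} DC(s) are not; " +
                   "cross-domain references will not be updated.") -f $im.HostName, @($nonGC).Count
}
else {
    Write-Host "Infrastructure Master placement is fine."
}
```

Run it as any domain user; reading role holders needs no special rights, which is also why an attacker doing recon can map the FSMO layout just as easily.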

Domain functional level features

  1. To check a user's last logon, go to ADSI Edit -> Users -> Properties -> lastLogon. Note that lastLogon is per-DC and never replicated, so query every DC; lastLogonTimestamp is replicated but can be up to 14 days stale.
  2. Constrained delegation (Server 2003 domain level) lets an admin allow a computer or service account to impersonate users only towards selected services, eg. a file server, to download things on their behalf. ADUC -> OU=Computers -> computer -> Properties -> Delegation tab -> "Trust this computer for delegation to specified services only". Avoid "any service" (unconstrained delegation): such a host caches the TGT of every user who authenticates to it, which is a well-known credential-theft path.
  3. A Service Principal Name (SPN) identifies a service instance (eg. MSSQLSvc/host.fqdn:1433) and is registered on the account the service runs as; a Kerberos client requests a ticket for the SPN, so it is an attribute of the account, not a DNS CNAME. Managed service accounts (Server 2008 R2) address the password problem of such application accounts: Windows rotates the password automatically, so admins no longer have to track expiry and renewal before the application's access fails.
  4. UserPassword attribute supported on the iNetOrgPerson object, allowing imports into AD from non-AD LDAP servers.
  5. Fine-grained password policies (Server 2008 domain level): several password and lockout policies in one domain, applied through Password Settings Objects to users or global security groups (not to OUs).

Forest functional level features

  1. The forest functional level can be raised to X only if every domain in the forest is already at level X or higher.
  2. Forest trusts allow sharing of information between separate forests.
  3. Dynamic entries (the dynamicObject auxiliary class) carry a TTL and are deleted automatically once it expires.
  4. Convert between inetOrgPerson objects and AD user objects to facilitate interoperability between AD and non-AD LDAP directory services.
  5. AD Recycle Bin, introduced with the Server 2008 R2 forest level. Previously a deleted object had to be recovered by booting a DC into Directory Services Restore Mode and doing an authoritative restore from backup.
  6. A child domain can be migrated into the root domain as an OU (domain restructure, done with ADMT).

Creating child domains

Reasons for:

  1. Keep different management structures separate
  2. Different budget requirement
  3. Different security level of each network; segregate access/write permissions.

Reasons not to:

  1. Adds administrative complexity (more DCs, trusts and GPO scopes to manage).
  2. AD can now scale easily to manage millions of objects in one domain.
  3. Fine-grained password policies (Server 2008) support multiple password policies per domain, removing the classic reason for a separate domain.

AD trusts

  1. Trusts create a path for user to access resources across domains, doesn't grant them permissions.
    1. If domain A trusts domain B and John is a user in B, John has a path to resources in A but no permissions until explicitly granted, eg. by adding his account or a group containing it to an ACL in A.

Types of trust

  1. Transitive trusts - A trusts B, B trusts C => A trusts C. Parent-child and tree-root trusts inside a forest are transitive.
  2. Shortcut trusts - created manually between two domains in the same forest so authentication does not have to walk the trust path through the forest root.
  3. Forest trusts - not automatically created, must be created manually by an admin between the two forest root domains. Forest trusts are transitive across the domains of both forests.
  4. Realm trust
    1. Both systems use Kerberos.
    2. Between AD and a non-AD Kerberos realm (eg. MIT Kerberos).
    3. May be transitive or not, one- or two-way.
  5. External trust
    1. Used for a path to a single domain in another forest that is not joined via a forest trust.
    2. Non-transitive by nature.
    3. Typically used to connect to NT4 (legacy) domains.

Misc

You can check the forest root domain by running this VBS code; the result is in LDAP DN format.

Set objRootDSE = GetObject("LDAP://RootDSE")
Wscript.Echo "Root Domain: " & objRootDSE.Get("RootDomainNamingContext")
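The PowerShell equivalent of the RootDSE query above, extended to list the trusts described in the "AD trusts" section with their direction, transitivity and SID-filtering state. This is an added example, not part of the original notes; it assumes only the ActiveDirectory module and reads whatever the current domain has configured.

```powershell
# Added example: forest root via RootDSE, then every trust the current domain
# participates in.
Import-Module ActiveDirectory

# Same value the VBScript above prints
$rootDSE = Get-ADRootDSE
"Root domain: {0}" -f $rootDSE.rootDomainNamingContext

# Direction is from the local domain's point of view, as in AD Domains and Trusts:
#   Outbound = this domain trusts the other one (their users have a path to our resources)
#   Inbound  = the other domain trusts this one (our users have a path to their resources)
$trusts = Get-ADTrust -Filter *
$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# Security check: on a trust to another forest, SID filtering is what stops a
# compromised trusted domain from injecting our SIDs via sIDHistory. A forest trust
# reports it as SIDFilteringForestAware, an external trust as SIDFilteringQuarantined.
foreach ($t in $trusts) {
    if (-not $t.IntraForest -and
        -not ($t.SIDFilteringQuarantined -or $t.SIDFilteringForestAware)) {
        Write-Warning "SID filtering appears to be disabled on trust '$($t.Name)'"
    }
    if ($t.Direction -ne 'Inbound' -and -not $t.SelectiveAuthentication -and -not $t.IntraForest) {
        Write-Host "Trust '$($t.Name)' is domain-wide (no selective authentication): every user over there is 'Authenticated Users' here."
    }
}
```

Get-ADTrust reads the trustedDomain objects in the System container, so the listing needs no admin rights.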

Sites and subnets

  1. AD sites are used to group together subnets which share the same physical location.
  2. Site is a group of "well-connected networks". It allows you to model AD around your physical network.
  3. Site segregation can be due to security such as firewall instead of physical location.
  4. Managed under AD sites and services.

AD replication

Note: Administered under AD sites and services

What are sites for?

Sites in Active Directory® represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.

Intra-site replication

  1. Starts 15 seconds after a change is made on a DC in the site: the DC notifies its replication partners, so there is no schedule to wait for.
  2. With fewer than 8 DCs the KCC connects them in a ring (each DC replicates with 2 others).
  3. With 8 or more DCs the KCC adds extra connection objects so that no DC is more than 3 hops from any other.

Inter-site replication

  1. Site links connect sites and are created only manually by the admin (DEFAULTIPSITELINK exists out of the box and every new site is put in it).
  2. Each site has a designated bridgehead server.
    1. Bridgehead DCs are responsible for replicating AD changes between sites once the changes reach them.
    2. Preferred bridgehead DCs can be selected, but if all preferred ones go down the KCC will not pick a substitute, so no inter-site replication occurs until they come back online.
    3. A site can have multiple bridgehead servers, but only one is used at a time for a given partition and transport.
  3. Site link configurables
    1. Schedule (when replication may occur) and frequency (interval, 180 minutes by default) of inter-site replication.
    2. Cost of the site link (similar to a routing metric).

Site transport protocols

  1. RPC over IP (or just "IP") - supports replication of all partitions. Synchronous by nature. Intra-site replication always uses RPC over IP.
  2. SMTP - asynchronous; can only replicate the schema, configuration and GC partial replicas, not the domain partition and not SYSVOL (login scripts and group policies, which FRS/DFSR replicate). Deprecated; only worth knowing for exams.

Knowledge Consistency Checker (KCC)

  1. Automatically creates connection objects between DCs, within and between sites, without configuration.
  2. Reconfigures when links go down.
  3. Selects bridgehead DCs using information from the AD database (sites, subnets, site links and their costs).
  4. Deterministic: every DC's KCC computes the same topology (connections, bridgeheads) from the same directory data.
  5. Troubleshooting tip: if connections are not made between DCs, check the Directory Service event log for replication errors and for DNS errors (can each DC resolve the other DCs' SRV and CNAME records?).
  6. To force the KCC to rerun on a DC, go to AD Sites and Services -> Site-name -> Servers -> [DC-name] -> NTDS Settings. Then right-click -> All Tasks -> Check Replication Topology.

repadmin CLI tool

  1. repadmin /kcc site:NewYork - forces the KCC to run on all DCs in the NewYork site. Omit the site argument to run the KCC on the local DC only.
  2. repadmin /syncall - forces the local DC to replicate the default naming context with all its partners; add /A for all partitions, /e to include DCs in other sites and /P to push instead of pull.
  3. repadmin /bridgeheads - shows all DCs working as bridgeheads.
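A replication health check that combines the repadmin commands above with their ActiveDirectory-module counterparts, added here as an example that is not part of the original notes. The DC name dc01 is an assumption; the forest name is taken from the live environment. Run it from a DC or a workstation with RSAT (the /syncall line only makes sense on a DC).

```powershell
# Added example: inspect inbound replication, list failures, then force a sync.
Import-Module ActiveDirectory

# One-line-per-DC summary of last attempts and failures across the forest
repadmin /replsummary

# Inbound partners of one DC (assumed name: dc01) for every partition it hosts
Get-ADReplicationPartnerMetadata -Target dc01 -Partition * |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Any DC in the forest that currently has inbound replication failures
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# Push the local DC's changes to all partners, all partitions, including other sites.
# Only meaningful when run on a DC.
repadmin /syncall /A /e /P
```

A DC that shows days of ConsecutiveReplicationFailures is also a DC whose password hashes, group memberships and account disables are stale; from a defender's view that is a DC where a removed admin may still be able to log on.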

Site link bridges

  1. If site A links to B and B links to C, a site link bridge makes A-C replication possible through B.
  2. All site links are bridged (transitive) by default, so manually created site link bridges are ignored unless "Bridge all site links" is turned off for the transport.

AD User and Computer Accounts

AD users

  1. All accounts (users, computers, groups) have a SID, independent of the account name; renaming the object keeps the SID.
  2. Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList for the list of profiles that exist on the local computer.
  3. The short keys (S-1-5-18, -19, -20) are the built-in SYSTEM, LocalService and NetworkService profiles; the long S-1-5-21-<domain or machine id>-<RID> keys are user accounts, local or domain depending on whose identifier they carry.
  4. When renaming profiles make sure C:\Users\<username> and the ProfileImagePath registry value match, otherwise Windows will not recognise the profile and will create a new one.
  5. User name standards
    1. NT4 (sAMAccountName): Domain\Username. Limited to 20 chars.
    2. Windows 2000 and later (User Principal Name): [email protected]. New UPN suffixes can be created under AD Domains and Trusts.

User AD authentication

  1. When a user is authenticated, an access token is generated for that user.
  2. The access token is used when accessing resources. It contains the user's SID and the SIDs of all groups the user belongs to, directly or through nesting.
  3. When the user tries to access a resource such as a file on a file server:
    1. The user SID in the token is compared against the resource's ACL.
    2. Each group SID in the token is compared too, so membership of a group with access is enough.
    3. The token is built at logon, so group membership changes (including removal from a group) only take effect at the next logon; ACL changes on the resource itself apply immediately, because every access check reads the current ACL.
  4. Logon with a UPN needs access to a global catalog server to resolve the suffix to a domain.

AD Users account (in ADUC)

Tabs:

  1. Account
    1. Set logon hours, restrict logon computers, unlock account (applies to new connections, not existing sessions).
    2. Account options -
      1. Disable the account instead of deleting it when a user leaves: deleting destroys the SID, so group memberships, ACL entries and certificate mappings are lost, and a recreated account gets a new SID.
      2. "Account is sensitive and cannot be delegated": blocks delegation of this account even where Windows would otherwise allow it. Set it on privileged accounts.
      3. Option to downgrade to DES encryption (weak, avoid) or to enable AES 128/256 encryption.
      4. "Do not require Kerberos preauthentication" removes the timestamp exchange, so anyone can request an AS-REP for the account and crack it offline (AS-REP roasting). Leave it off unless a legacy Kerberos client truly needs it.
      5. Account expires on a specified date.
  2. Profile
    1. Specify profile path to use roaming (network-hosted) profiles instead of local ones. Use %username%.
    2. Run script on logon.
    3. Specify location for user to store files (can map drive to specified location)
  3. Member of - Set groups user belongs to
  4. Remote Desktop Services Profile - Similar to Profile tab but for RDP only. Overrides Profile tab settings. Can disable RDP for specific user.
  5. Dial-in - Ignore for modern systems. Just make sure "Control access through NPS network policy" is set.
  6. Environment - Overrides client specified logon programs
  7. Sessions - RDP-only settings (note: can configure on server end as well)
    1. End disconnected session - Disconnect/end session after network disconnection after X mins
    2. Active session limit - Specify how long user can be connected.
    3. Idle session limit - Disconnect/end session after idling for X min.
    4. Allow reconnection - Specify reconnection allowed from any client or just originating session client.
  8. Remote control - Allow admins to observe/interact with user sessions.
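The Account-options checkboxes above are bits in the userAccountControl attribute, so the risky ones can be audited for the whole domain in one query. This is an added example, not part of the original notes; it assumes only the ActiveDirectory module. The flag values are the documented UF_* constants.

```powershell
# Added example: find enabled users with dangerous Account-options settings.
Import-Module ActiveDirectory

# userAccountControl bits behind the checkboxes in the Account tab
$DONT_REQ_PREAUTH       = 0x400000   # "Do not require Kerberos preauthentication" (AS-REP roastable)
$USE_DES_KEY_ONLY       = 0x200000   # "Use Kerberos DES encryption types for this account"
$TRUSTED_FOR_DELEGATION = 0x80000    # "Trust this user for delegation to any service" (unconstrained)
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
$DONT_EXPIRE_PASSWORD   = 0x10000

function Get-RiskyAccountOptions {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, servicePrincipalName,
        'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes', adminCount |
    ForEach-Object {
        $uac = $_.userAccountControl
        [PSCustomObject]@{
            Sam            = $_.SamAccountName
            NoPreauth      = [bool]($uac -band $DONT_REQ_PREAUTH)
            DESOnly        = [bool]($uac -band $USE_DES_KEY_ONLY)
            Unconstrained  = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            Constrained    = [bool]$_.'msDS-AllowedToDelegateTo'
            # Kerberoastable: any account with an SPN; worse if the password never expires
            HasSPN         = [bool]$_.servicePrincipalName
            PwdNeverExpire = [bool]($uac -band $DONT_EXPIRE_PASSWORD)
            # AES 128 (0x8) or AES 256 (0x10) enabled in msDS-SupportedEncryptionTypes
            AESEnabled     = [bool]($_.'msDS-SupportedEncryptionTypes' -band 0x18)
            # Privileged (adminCount=1) accounts should carry the "sensitive" flag
            Privileged     = ($_.adminCount -eq 1)
            NotDelegated   = [bool]($uac -band $NOT_DELEGATED)
        }
    } |
    Where-Object {
        $_.NoPreauth -or $_.DESOnly -or $_.Unconstrained -or
        ($_.HasSPN -and $_.PwdNeverExpire) -or
        ($_.Privileged -and -not $_.NotDelegated)
    }
}

Get-RiskyAccountOptions | Format-Table -AutoSize

# Remediation for the two worst findings (uncomment per account):
# Set-ADAccountControl -Identity <sam> -DoesNotRequirePreAuth $false
# Set-ADAccountControl -Identity <sam> -TrustedForDelegation $false
# Set-ADAccountControl -Identity <sam> -AccountNotDelegated $true   # for privileged accounts
```

Everything this reads is visible to any authenticated user, which is exactly why it is among the first queries an attacker runs after getting a foothold.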

Misc:

  1. Copy profile as template for new user.
  2. Select multiple users -> Properties, allow you to change profile path for multiple users, logon scripts.
  3. Disable user account if needed.

AD computers (in ADUC)

  1. All domain computers need AD computer account.
  2. Password protected with a randomly generated password that the computer itself changes every 30 days without admin intervention (the client initiates the change, not the DC). Password management is hidden from admins.
  3. Move computers to a designated OU so group policies can be applied.
  4. If the computer's copy of the account password differs from the DC's (eg. the machine was restored from a snapshot taken before a rotation), authentication fails with the message "The trust relationship between this workstation and the primary domain failed". To fix, log in with a local admin account and repair the secure channel (Test-ComputerSecureChannel -Repair), which keeps the computer object, SID and group memberships; as a fallback, move the computer back to a workgroup and join it to the domain again to restore the trust relationship.
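Repairing the broken secure channel and, from the other side, finding computer accounts whose password has not rotated, as an added example that is not part of the original notes. The DC name dc01.example.net is an assumption; the first part runs on the affected workstation as a local administrator, the second from any machine with the ActiveDirectory module.

```powershell
# Added example, part 1: on the workstation that shows the "trust relationship" error.
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'

if (-not (Test-ComputerSecureChannel)) {
    # Resets the machine-account password on the DC and locally in one step. The
    # computer object, its SID, OU and group memberships are untouched, unlike
    # leaving and rejoining the domain.
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}
# Alternative: force a brand-new password against a specific DC (assumed name)
# Reset-ComputerMachinePassword -Server dc01.example.net -Credential $cred

# Part 2: from an admin workstation. Rotation is initiated by the client, so an
# enabled computer whose password is months old is either decommissioned (delete
# or disable it: a dormant account is a free foothold) or has rotation disabled.
Import-Module ActiveDirectory

function Get-StaleComputerPasswords {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, OperatingSystem |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, PasswordLastSet |
        Sort-Object PasswordLastSet
}

Get-StaleComputerPasswords -Days 90 | Format-Table -AutoSize
```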

AD groups

  1. Security vs distribution groups. The type can be switched at any time, but converting a security group to a distribution group stops it being added to access tokens, so any ACL entries granted to it no longer have any effect.

    1. Distribution - not security-enabled; used only for mail lists and cannot be used in ACLs.
    2. Security - security-enabled (its SID is placed in member tokens); can be assigned permissions on objects.
  2. Use nested groups to control shares. Also known as role-based access control.

    1. Eg. put Accounts in the Invoice_share (R/W) group to give them R/W; move them to Invoice_read (R) to drop them to read-only.
    2. Abstracts away the servers/shares hosting the shared files; only group membership moves.
    3. Used by enterprises with a large number of people. Wikipedia on role-based access control
  3. AD group scopes - the scope can be changed at any time, subject to the membership rules below.

    1. Local (machine local)
      1. Scope: the local PC only.
      2. Allowed members: users, computers, and DL, G, U groups.
    2. Domain local
      1. Scope: can be granted permissions only on resources in its own domain.
      2. Allowed members: users, computers, G and U groups from any domain in the forest or a trusted domain; DL groups from the same domain only.
    3. Global
      1. Scope: can be granted permissions in any domain of the forest or in a trusting domain.
      2. Allowed members: users, computers and G groups from its own domain only.
      3. Notes: cannot contain members from outside its domain; membership is not replicated to the GC, so changes are cheap.
    4. Universal
      1. Scope: forest (and trusting forests).
      2. Allowed members: users, computers, G and U groups from any domain in the forest.
      3. Notes: membership is stored in the GC, so every change replicates forest-wide.
  4. Example of how to apply group memberships.

AD groups

  1. Think of Global groups as "account groups" and Domain local groups as "resource groups". User accounts go into global groups, which are then added to domain local groups that carry the permissions on the resources.

  2. Explanation of group types

Default local groups

Only the less common but interesting groups are highlighted here.

  1. Power Users - legacy group kept for backward compatibility with applications written for XP and earlier; has no special rights in Vista and later.
  2. Remote Desktop Users - RDP logon.
  3. Offer Remote Assistance Helpers - members can offer unsolicited Remote Assistance to this computer.
  4. Network Configuration Operators - change TCP/IP settings, renew/release DHCP leases.
  5. Performance Log Users - manage performance counters, logs and alerts on the computer, locally and remotely.
  6. Performance Monitor Users - monitor performance counters locally and remotely.
  7. IIS_IUSRS - created automatically by IIS for its worker processes, with sensible defaults. No need to touch.
  8. Replicator - legacy file replication service group on DCs. Don't add users to this group. Not used on Win 7.
  9. Distributed COM Users - members can start, activate and use DCOM objects.
  10. Cryptographic Operators - members can change system-level cryptographic settings. Will not need to touch.

Domain Builtin groups

  1. When a server becomes a DC, its local accounts are disabled and its local groups are migrated to the Builtin container in AD. This replicates to all other DCs but is not available on domain member computers. All DCs share the same Builtin.

  2. Server Operators

    1. Purpose: server maintenance of DCs only, no AD administration.
    2. Default: no members.
    3. Rights: can log on to DCs, create/delete shared resources, start/stop services, back up/restore files, format disks and shut down DCs. Treat as a privileged group: these rights on a DC are enough to run code as SYSTEM on it.
  3. Account Operators

    1. Purpose: AD account administration only; cannot manage accounts in Administrators, Server Operators or the other protected groups, or modify user rights.
    2. Default: no members.
    3. Rights: create, modify, delete domain accounts and non-protected groups.
  4. Print Operators

    1. Purpose: manage printer objects in AD.
    2. Default: no members.
    3. Rights: manage all printer objects in AD and printers connected to DCs, including loading printer drivers on DCs, and can shut down DCs. Also effectively privileged for the same reason as Server Operators.
  5. Incoming forest trust builders

    1. Purpose: Create incoming one-way trust to forest.
  6. Certificate Service DCOM Access

    1. Purpose: Members can obtain certificates from CA.
  7. Windows Authorization Access Group

    1. Purpose: No idea what this does.

Default domain groups

  1. Enterprise Admins

    1. Purpose: most powerful admin group in AD.
    2. Default: the Administrator account of the forest root domain.
    3. Rights: exists only in the root domain, but members can come from any domain. Can add/remove domains in the forest and change forest-wide configuration. Is a member of the Administrators group of every domain in the forest.
  2. Schema admin

    1. Purpose: modify the AD schema.
    2. Default: the Administrator account of the forest root domain.
    3. Rights: defines the schema, which affects all domains in the forest. Keep it empty and add a member only for the duration of a schema change.
  3. Domain guest

    1. Default: the domain Guest account. The group is a member of the Builtin Guests group, so its members get only guest-level rights rather than the rights of Domain Users.
  4. Domain controllers

    1. Purpose: contains all writable DCs of the domain (RODCs have their own group).
  5. RODC

    1. Default: All RODCs automatically gets placed here.
  6. Enterprise RODCs

    1. Purpose: exists only in the root domain and contains all RODCs in the forest.
    2. Default: empty until the first RODC is promoted.
  7. Denied RODC password replication group

    1. No idea what this is.
  8. DNS Admins

    1. Purpose: DNS administration
    2. Default: No idea.
    3. Rights: start/stop the DNS service and change server-level DNS settings. That includes the server-level plugin DLL, which dns.exe loads as SYSTEM on the DC, so treat DnsAdmins as a privileged group.
  9. Group Policy Creators Owners

    1. Purpose: Modify domain group policy.
    2. Default: the domain Administrator account.
    3. Rights: Create, edit, delete GPO in domain.
  10. Cert publisher

    1. Purpose: If CA is used, can store certs in AD for use in computers.
  11. RAS and IAS Servers

    1. Purpose: No idea what this does.

Special Identities


Note: These are well-known SIDs, identical on every Windows machine. Membership is computed by the OS at logon from how the user connected, not stored in AD, so they cannot be populated by an admin.

Some interesting special identities

  1. Anonymous logon - Login without username/password
  2. Authenticated users - Users authenticated by DC or local.
  3. Everyone - Interactive, network, authenticated users included. Pre-Windows 2000, included Anonymous logon.
  4. Interactive - Users logged on locally, include RDP.
  5. Remote Interactive - RDP logon only, subset of Interactive.
  6. Local Service - The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\LocalService. This account does not have a password.
  7. Network Service - The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
  8. Local System - This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. AKA NT AUTHORITY\SYSTEM
  9. Network - This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.

Accounts, Global, Universal, Domain Local, Permissions (AGUDLP) vs AGDLP

  1. AGUDLP - add the Accounts to a Global group, add the Global group to a Universal group, add the Universal group to a Domain Local group, then assign Permissions to the Domain Local group. Use when accounts from several domains need the same role.

  2. AGDLP - add the Accounts to a Global group, add the Global group to a Domain Local group, then assign Permissions to the Domain Local group. Sufficient in a single-domain forest.
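The AGDLP pattern from the "AD groups" section and above, carried out end to end, as an added example that is not part of the original notes. The OU path, the share folder D:\Shares\Invoices (the script must run on that file server for the ACL step), the NetBIOS domain EXAMPLE and the user names are all assumptions.

```powershell
# Added example: A -> G -> DL -> P for an Invoices share.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=net'   # assumed OU for groups
$share   = 'D:\Shares\Invoices'             # assumed folder; run on the file server
$domainN = 'EXAMPLE'                        # assumed NetBIOS domain name

# A -> G: accounts go into a Global "account" group describing a role
New-ADGroup -Name 'Accounts-Staff' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'Accounts-Staff' -Members 'jsmith', 'akumar'   # assumed users

# DL: one Domain Local "resource" group per permission level on the resource
New-ADGroup -Name 'Invoices_RW' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'Invoices_R'  -GroupScope DomainLocal -GroupCategory Security -Path $groupOU

# G -> DL: the role group is nested into the resource group
Add-ADGroupMember -Identity 'Invoices_RW' -Members 'Accounts-Staff'

# P: permissions go to the Domain Local groups only, never to users directly
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the parent's (often Users:Read) ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domainN\Invoices_RW", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domainN\Invoices_R", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $share -AclObject $acl

# Dropping Accounts staff to read-only later is a group move, the ACL never changes:
# Remove-ADGroupMember -Identity 'Invoices_RW' -Members 'Accounts-Staff' -Confirm:$false
# Add-ADGroupMember    -Identity 'Invoices_R'  -Members 'Accounts-Staff'
```

Because the users' tokens are built at logon, a member moved from Invoices_RW to Invoices_R keeps write access until they log off and on again; the token caveat from the authentication section applies here too.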

Universal Group Membership Caching - UGMC

  1. Universal group membership is evaluated at logon, so a GC is required; if no GC is reachable, logon fails unless caching is enabled for the site.

  2. Cache is updated every 8 hrs, and is used only when GCS is unavailable. Enabled in AD Sites and services.

Windows Contacts

  1. A way to create AD users for external parties not in organisation, without assigning SID. Instead of creating new User, create new Contact in ADUC. This creates a common identity for corporate users to refer to instead of creating separate identities for each user in their address book.

  2. Can be put in AD groups, but Security tab disabled in Server 2016; no resource access granted.

User Account Control (UAC)

  1. Works by giving an administrator's logon two access tokens: a filtered standard-user token (admin group SIDs marked deny-only, privileges stripped) used by default, and the full administrator token used only after an elevation prompt.

Service Accounts

  1. It's an AD user account created to run a particular service.
  2. Typically passwords are set not to expire. Combined with the SPN such accounts carry, this makes them prime Kerberoasting targets, so use a long random password or a managed service account.
  3. Given minimum rights, typically just domain user rights; never Domain Admins.
  4. Implementation
    1. Create ServiceAccounts Global group in ADUC to hold all service accounts
    2. Add service account as member.
    3. Start services.msc, find service, go to Log On tab to change to service account log on.
    4. Restart service and done.

Managed service accounts

  1. Similar to service accounts, except that passwords are 120 chars long randomly set and automatically changed every 30 days, like AD computers.

  2. They are bound to one AD computer, but can be placed into groups to give access to network resources.

  3. Check supported software for managed service account. Google for guides on how to set up.

  4. Creation of a managed service account in PowerShell (run on a DC or with RSAT; Install-ADServiceAccount runs on the computer that will use the account):

Import-Module ActiveDirectory
# On Server 2012 and later add -RestrictToSingleComputer, otherwise a group MSA is created
# (which needs a KDS root key and -DNSHostName).
New-ADServiceAccount -Name [MSA-name] -Enabled $true
# Bind the MSA to the computer that is allowed to use it
Add-ADComputerServiceAccount -Identity [AD computer] -ServiceAccount [MSA-name]
# On that computer: install the account locally, then confirm it can be used
Install-ADServiceAccount -Identity [MSA-name]
Test-ADServiceAccount -Identity [MSA-name]

  5. Then go to the software and enter Domain\[MSA-name]$ as the logon account, including the dollar sign so Windows can find the account. Leave the password blank.

Offline domain join

  1. Join computers to domain without access to DC, whether due to unavailable or not yet set up networking.

  2. Use cases:

    1. Automated installs of Windows. Computer can join domain during Windows installation without network access.
    2. If RODC in use: While pending replication with writable DC, RODC can store domain join changes via offline domain join. However, logins or network access is granted only once changes are passed to writable DC and replicated to RODC.
    3. A non-admin can join a computer to the domain without a domain username/password, as long as they have the domain join provisioning file. The file contains the new machine account's password, so handle it as a secret and delete it after use. Logon is not available until DC network access is granted.
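The two halves of an offline domain join with djoin.exe, as an added example that is not part of the original notes. The domain example.net, the computer name WS-0042, the OU and the file path are assumptions.

```powershell
# Added example, step 1: on a machine that CAN reach a DC, as a user allowed to create
# computer objects. Creates the computer account and writes the provisioning blob.
# /reuse lets you re-provision an existing account of the same name.
djoin /provision /domain example.net /machine WS-0042 `
      /machineou "OU=Workstations,DC=example,DC=net" /savefile C:\odj\WS-0042.txt

# The blob carries the machine password in base64: copy it over a protected channel
# and remove it afterwards.

# Step 2: on the offline machine, as local administrator. /localos targets the
# running OS (use /windowspath against an offline image instead). Reboot to finish.
djoin /requestODJ /loadfile C:\odj\WS-0042.txt /windowspath $env:SystemRoot /localos
Remove-Item C:\odj\WS-0042.txt -Force
```

For unattended installs the same blob goes into the OfflineServicing pass of the answer file (the Microsoft-Windows-UnattendedJoin component's AccountData element) instead of being fed to /requestODJ by hand.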

Organisational Units (OUs)

  1. OUs are used to organise AD objects (users, computers, other OUs); otherwise the AD database would be one large folder of objects without any organisational structure.
  2. Unlike groups, an object can belong to only one OU, similar to how a file lives in one folder.
  3. GPOs are linked to OUs (and sites and domains), not to groups.
  4. OUs are also the unit of delegated administration: admin rights can be granted over one OU instead of the entire domain.
  5. The default Users, Computers and Builtin containers are not OUs, so GPOs cannot be linked to them; Domain Controllers is the only default OU that accepts GPO links.
  6. Shadow groups are groups that mirror an OU's membership so permissions can be granted or denied based on that list.
  7. Default containers and OUs
    1. Builtin - default groups moved from the local DB to the AD DB after promotion to DC.
    2. Users - default location of user accounts created by software or scripts.
    3. Computers - new computers that join the domain are added here unless redirected (redircmp) or pre-staged elsewhere.
    4. Domain Controllers - the only default OU to which a GPO can be linked.
    5. LostAndFound - orphaned objects go here, eg. objects created in an OU that was deleted on another DC before the creation replicated. Check occasionally whether objects here should be moved elsewhere.
  8. The OU "Managed By" setting doesn't grant any permissions; it is just informational for admins.

Delegation of control

  1. Allows admins to delegate control or admin rights for certain tasks to specific users, eg. reset/change passwords for users in a given OU.
  2. Right-click OU -> Delegate Control, follow the wizard.
  3. The Delegation of Control wizard does nothing the Security tab of the OU can't do; it only writes the ACEs for you. Review those ACEs periodically: a forgotten "reset password" delegation over an OU that later receives admin accounts is a privilege-escalation path.
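Reading back what the wizard wrote, as an added example that is not part of the original notes. It lists the non-inherited ACEs on an OU with the extended-right and attribute GUIDs resolved to names, which is what a reviewer (or an attacker mapping delegation) actually needs. The OU path is an assumption; everything else is read from the schema and configuration partitions.

```powershell
# Added example: show delegated (explicit) ACEs on an OU in human-readable form.
Import-Module ActiveDirectory

$ou = 'OU=Helpdesk-Managed,DC=example,DC=net'   # assumed OU

# Build a GUID -> name map for schema attributes/classes and extended rights
$rootDSE = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Get-DelegatedAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |          # only what was set on this OU
        Where-Object { $_.IdentityReference -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$' } |
        ForEach-Object {
            [PSCustomObject]@{
                Trustee     = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # Empty ObjectType means the right applies to the whole object
                Object      = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidMap[$_.ObjectType] }
                # Inherited-object type limits the ACE to children of one class, eg. user
                AppliesTo   = if ($_.InheritedObjectType -eq [guid]::Empty) { '(this and all)' } else { $guidMap[$_.InheritedObjectType] }
                Inheritance = $_.InheritanceType
            }
        }
}

Get-DelegatedAces -DistinguishedName $ou | Sort-Object Trustee | Format-Table -AutoSize
```

Entries worth a second look are ExtendedRight "Reset Password", WriteProperty on "member", GenericAll/GenericWrite/WriteDacl/WriteOwner, and any trustee that is a large group such as Domain Users or Authenticated Users.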

AD CLI tools - Some selected commands which work in cmd

  1. DSAdd - Adds AD object.
  2. DSGet - Retrieves information on AD object.
  3. DSMod - Modify AD object, eg. changing user password or force them to change passwords on next logon.
  4. DSRM - Deletes AD object.
  5. DSQuery - Searches AD with given parameters.
  6. CSVDE - import/export AD objects in CSV format (export only for most practical purposes; it cannot set passwords).
  7. LDIFDE - import/export AD objects in LDIF format (.ldf files); unlike CSVDE it can also modify and delete objects.

AD Migration Tool (ADMT)

  1. Used for inter-forest, intra-forest migration and SID history preservation for migrated users.
  2. Advised not to install on DC but instead member server.
  3. Check online or watch video for details.

RSAT & MMC Snap-Ins

Skipped. Remote administration tools. Not applicable.

Group Policy

Group Policy introduction

  1. The Registry was developed by Microsoft as a centralised replacement for text (.ini) config files. Most settings end up there.

  2. Changes made directly to the Registry, however, cannot be rolled back easily.

  3. Group Policy was developed to apply such Registry changes centrally and make them reversible.

    1. The client-side extensions that process each policy area are registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
  4. GPOs are stored in AD and SYSVOL; domain-joined Windows clients download and apply them. Machines that are not domain-joined (and non-Windows clients) do not process domain GP at all. Once downloaded, a GPO is processed/applied by the client-side extensions.

Group policy configuration

  1. Group Policy Management Console -> GP Management Editor -> right-click Administrative Templates -> Filter Options:

    1. Managed: Yes means the setting is a true policy, written under the Policies keys in the registry and reverted when the GPO no longer applies. Unmanaged settings "tattoo" the registry and stay after the GPO is removed.
    2. When a setting is Enabled it takes effect at the next policy refresh; there is no separate save step.
    3. Difference between Disabled and Not Configured: suppose a policy turns off a default behaviour. Enabled turns it off, Disabled forces the default behaviour back on, while Not Configured leaves it to other GPOs (or the local default). See also the video MCITP 70-640 - Group Policy Processing Order at 12:00 and GP processing order below.
  2. In the Group Policy Management Editor, settings under Policies are enforced: the user cannot change them. Settings under Preferences are applied but not enforced: the value is written, the user can change it afterwards, and it stays behind if the GPO is removed (unless "Remove this item when it is no longer applied" is set).

  3. Difference between Computer Configuration and User Configuration:

Computer configurations only apply to computer objects, user configurations only apply to user objects. To phrase it another way, a GPO containing only computer configurations applied to an OU containing only users will have no effect whatsoever. A GPO containing only user configurations applied to an OU containing only computer objects will have no effect - unless loopback policy processing mode is enabled, which is a different story - but even then, the user configurations will only apply to users logging into computers in that OU. Source

  1. Administrative Templates. Contains the policy templates created by Microsoft to apply across AD users and computers. Hover over the folder to see whether it is retrieved from the central store in SYSVOL or from the local computer.
    1. Introduced in Windows Vista and Windows Server 2008, ADMX files (sometimes called Administrative Template XML-based files) specify which registry keys in the Windows Registry are changed when a certain Group Policy setting is changed. For example, one ADMX file might prevent users from accessing Internet Explorer. The information for this block is located in the ADMX file, which in turn is reflected in the registry.
    2. To install the latest ADMX templates, search for "ADMX templates for Server 2016" and download them.
    3. Local PC ADMX path - C:\Windows\PolicyDefinitions.
    4. To create the central store, copy the downloaded PolicyDefinitions folder (including its language subfolders such as en-US) into \\<domain>\SYSVOL\<domain>\Policies so that the result is ...\Policies\PolicyDefinitions. Verify in GP Management Editor -> Administrative Templates by hovering: it should say "retrieved from the central store". Only administrators should be able to write there, since whoever controls the ADMX files controls what the editor lets admins configure.

Group Policy processing order

  1. GP is applied in this order: Local -> Site -> Domain -> OU -> child OUs, left to right. Mnemonic L-S-D-OU-Child.OU.
  2. On a conflicting setting, the GPO applied later wins. GP is applied at boot/logon and at the periodic refresh (90 minutes plus a random offset on clients); you don't save anything, just log out and back in.
  3. gpedit.msc to edit the local ones.
  4. Configure site-level GP:
    1. GP Management -> Right-click GPO -> New (name the GPO)
    2. Right-click Sites -> Show Sites -> Select sites to show
    3. Right-click selected site -> Link existing GPO -> Select GPO created in (i) above.
    4. Right-click GPO under selected site -> Edit and configure GP. Logout and login again to take effect.
  5. Configure OU-level GP:
    1. GP Management -> Select OU -> Create a GPO in this Domain and link it here.
    2. Right click new GP on right hand window and Edit
    3. Search for policy -> Configure -> Enable. Logout and login again.
  6. Within one site, domain or OU the linked GPOs are processed from the highest link order number down to 1, so link order 1 is applied last and wins.
  7. Computer Configuration is processed at boot and User Configuration at logon, so where the two overlap the user setting normally wins (loopback processing, below, changes this). There are few overlaps between Computer and User settings.

Block inheritance of GP

  1. GP inheritance from higher levels can be blocked. Eg. Domain, OU, Child OU (blocked), Child-Child-OU: domain and parent OU GPOs are not applied, but GPOs linked from the Child OU onwards still are.
  2. Configuration: Right-click OU -> Block Inheritance (white exclamation on blue icon appears)

Enforced GP

  1. Enforced GPO links are applied after all the normal ones, in reverse order of the default processing (the enforced site link last of all), and they ignore Block Inheritance. ie. S-D-OU(blocked)-Child.OU -> Child.OU, then D(enforced), then S(enforced). This prevents lower-level OU admins from blocking a higher-level GPO.
  2. Configuration: Right-click GP -> Enforced (Lock icon appears)

General tips on blocking/enforcing GP

  1. Avoid blocking/enforcing GP where possible because it adds complexity and makes troubleshooting harder.
  2. Instead, link the GPO directly to the OU that needs it: right-click OU -> Link an Existing GPO -> select GPO (OK).
  3. Delete domain-wide links that are not needed (delete the link directly under the domain, not the GPO itself).
  4. Verify which OUs have a specific GPO linked: go to Group Policy Objects -> select GPO -> look at the Scope tab in the right-hand window.
  5. Verify which GPOs apply to a specific OU: select the OU -> look at the Linked Group Policy Objects tab and the Group Policy Inheritance tab.

Group Policy loopback processing

  1. Normally the User Configuration applied to a session comes from the GPOs linked to the user object's OU. In some circumstances, such as training kiosks or terminal servers, you want the User Configuration to come instead from the GPOs linked to the OU where the computer object is located.

    1. Replace mode - the User Configuration of the GPOs linked to the computer's OU replaces the User Configuration from the user's OU entirely.

      1. Configuration: in a GPO linked to the computer's OU, enable Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure user Group Policy loopback processing mode and choose Replace.
    2. Merge mode - the User Configuration from the user's OU is applied first, then the User Configuration from the computer's OU is applied on top and overrides conflicting settings.

      1. Same setting as Replace, just choose Merge.

Group Policy preferences

  1. Doesn't overwrite GP but can be used to push down files/folders to workstations eg. desktop wallpaper containing messages.
  2. Supports item-level targeting - OS version, security groups, domain, disk space, IP range. Applicable only to users/computers who meet these criteria
  3. gpupdate /force to download group policies from DC instead of relying on cache.

Starter GPOs

  1. Templates for GPs. Created by Microsoft as suggested GP template settings for workstation/server roles.
  2. Starter GPOs only have Administrative Templates.
  3. Can copy GPOs and paste to duplicate template.
  4. Can back up and import GPO settings
    1. GP Management -> Group Policy Objects, right-click Backup, specify name in Description
    2. Importing steps: Right click GPO -> Import Settings -> select exported GPO

Group Policy Filtering

  1. For each OU a GPO is linked to, it is possible to specify whether to apply the Computer configuration settings, the User configuration settings, or both.
    1. GP Management -> OU -> GPO shortcut -> Details tab -> GPO Status - This is for applying Computer/User config settings.
    2. Verify by checking the Settings tab
  2. It is also possible to narrow the scope further by specifying which Global groups the policy should affect, or even to apply WMI filters to select computers with specific properties.
    1. GP Management -> OU -> GPO shortcut -> Scope tab -> Security filtering - Specify to which security groups this should apply to.
  3. It is also possible to exclude a GPO from being applied to a user's security group under an OU. Note that if a user is allowed access under one GPO but denied under another, the denied one overwrites access for the allowed one.
    1. GP Management -> OU -> GPO shortcut -> Delegation tab -> Advanced button -> Add group -> Select Deny for Read and 'Apply group policy'

Group Policy Replication

  1. All GPOs consist of two parts: Group Policy Container (GPC) and Group Policy Template (GPT)
  2. GPC is an AD object and stored in the AD DB and replicated via AD replication (same as User/Computer accounts)
  3. GPT is collection of files stored in the shared SYSVOL folder and replicated via FRS or DFS.
  4. Because these two are replicated differently, replication sync errors can occur; check Windows Event Viewer for replication errors.
  5. GP Management -> OU -> GPO shortcut -> Details tab Check user/computer version are same for AD and Sysvol replication. Note the Unique ID for GPO as well.
    1. GPT: \\AD\SYSVOL\<domain>\Policies\<Unique ID>\GPT.ini <- Revision number of the GPT in decimal. Convert to hex, 1st hex is user config version, last hex number is computer config version number eg. 0x20009. User configuration version 2, computer configuration version 9.
    2. GPC: ADUC -> View Advanced Features -> System -> Policies -> Unique ID -> Properties -> Attribute Editor tab -> versionNumber
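The version arithmetic from the two points above, as an added example that is not part of the original notes: the GPT.ini text and the versionNumber value are constructed samples standing in for the SYSVOL file and the GPC attribute, and the check flags a GPO whose AD and SYSVOL copies have drifted apart.

```python
"""Decode GPO version numbers and compare the GPC (AD) and GPT (SYSVOL) sides.

Added example, not from the original notes. SAMPLE_GPT_INI and
SAMPLE_GPC_VERSION are constructed; in practice the first is read from
SYSVOL\<domain>\Policies\<Unique ID>\GPT.ini and the second from the
GPC object's versionNumber attribute.
"""
import configparser

# Constructed sample of a GPT.ini as stored in SYSVOL (Version is decimal).
SAMPLE_GPT_INI = """[General]
Version=131081
displayName=New Group Policy Object
"""

# Constructed sample of the matching GPC versionNumber attribute in AD.
SAMPLE_GPC_VERSION = 131081


def split_version(version: int) -> tuple:
    """Split a GPO version number into (user, computer) versions.

    The upper 16 bits hold the User Configuration version and the lower
    16 bits the Computer Configuration version: 131081 == 0x20009 means
    user version 2 and computer version 9.
    """
    return version >> 16, version & 0xFFFF


def gpt_version(gpt_ini_text: str) -> int:
    """Read the decimal Version value from GPT.ini text."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")


def check_gpo_sync(gpt_ini_text: str, gpc_version: int) -> dict:
    """Compare SYSVOL (GPT) and AD (GPC) versions of one GPO.

    The two parts travel over different replication paths (FRS/DFSR for
    SYSVOL, AD replication for the GPC), so a difference here is the same
    mismatch the Details tab in GP Management shows.
    """
    gpt_user, gpt_comp = split_version(gpt_version(gpt_ini_text))
    gpc_user, gpc_comp = split_version(gpc_version)
    return {
        "gpt": {"user": gpt_user, "computer": gpt_comp},
        "gpc": {"user": gpc_user, "computer": gpc_comp},
        "in_sync": (gpt_user, gpt_comp) == (gpc_user, gpc_comp),
    }


if __name__ == "__main__":
    print(check_gpo_sync(SAMPLE_GPT_INI, SAMPLE_GPC_VERSION))
    # Stale SYSVOL copy: AD is already at user version 3 / computer version 9.
    print(check_gpo_sync(SAMPLE_GPT_INI, (3 << 16) | 9))
```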

Group Policy Restricted Groups

  1. This allows you to modify the local group membership of computers in an OU. In practical terms this means you can add specific Global groups to Computer accounts of an OU to have local admin rights. Note that this cannot be used for Domain groups since Microsoft intended this for local group membership only.

Managing membership of Domain Groups by using Restricted Groups: Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.

  1. Edit GPO in GP Management -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups -> right-click, Add Group -> Specify local group name
    1. Members of this group: Add/remove members to group.
    2. This group is a member of: Allows you to include new group as sub-group of another local group. Eg. Labadmins group can be a member of local Administrators group.

Local Group management with Group Policy Preferences

  1. Local groups can also be managed with GP Preferences.
  2. GP preferences are overwritten by GP Restricted group settings (above) if both are active.
  3. Edit GPO -> User Configuration -> Preferences -> Control Panel settings -> Local Users and Groups -> Right-click New local group/user -> Configure
  4. Verify that local group changes are made with Edit local users and groups

Group Policy for software deployment

  1. Types of software deployment

    1. Publishing - Allows user to choose whether to install/uninstall software via Control Panel. Able to install on double-clicking associated file.
    2. Assigning computer - Auto install software on start up for all users. User cannot uninstall.
    3. Assigning user - Auto install software on all computers the user logs on to. Can also install via opening associated file.
  2. Software installer packages

    1. MSI
      1. Contains all files and config, as well as where to create shortcuts etc. Small database containing all required details.
      2. Able to mass automate via GP with default configuration options.
    2. MST - Transform file
      1. Allows customisation of MSI packages when installed such as shortcuts, install dir, choosing components etc.
    3. MSP - Patch file
      1. Can use only after MSI installed.
      2. Updates or service packs
    4. ZAP - deprecated pre-MSI package
      1. Text script which GP uses to run. GP cannot detect if installed successfully.
      2. Doesn't support elevation to another set of creds to install software; installing user needs to have all rights required.
      3. Can install only once; even if that fails GP will not attempt to reinstall again.
      4. No rollback supported.

GP Software deployment

  1. Configure slow link detection at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Group Policy slow link detection. This will prevent software from being installed over a slow network link.

  2. Steps to install software via GP

    1. Share the folders containing the MSI files with read-only access.
    2. Edit GP under the relevant OU -> GP Management editor
    3. Two options: Assigning computer vs publishing/assigning to user
      1. Assigning computer - Computer Configuration -> Policies -> Software Settings -> Software Installation -> Advanced (always select this). Deployment tab -> Uninstall application when GPO no longer applies (deleted or permissions changed). Software installed on all computer accounts under this OU.
      2. Assigning/Publishing to user - User Configuration -> Advanced -> Tabs
        1. Deployment tab - select Publish or Assign to user
        2. Modifications tab - apply MST transform file to MSI packages
        3. Upgrades tab - Used for providing software updates. Select Required upgrade for existing packages to mandate upgrades
      3. Right-click name, select All tasks
        1. Redeploy application - Re-installs application if needed
        2. Remove - Either uninstall software or allow users with installed to continue using software and prevent new installation
    4. If software is published to user, they can install by going Control Panel -> Programs & Features -> Install a program from the network (left panel). Install as per wizard

AppLocker - Software restriction policies

  1. Block specific software from running, or allow user to run specific software versions only.
  2. Running in audit mode allows admin to collect data on how often software is used.
  3. Fingerprints software by
    1. Publisher digital signature (version ID)
    2. Hashed value for those w/o digital signatures (version specific only)
    3. Path, where software is stored.

AppLocker config

  1. Edit GPO under Group Policy Management
  2. Enable Application Identity service in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Service Startup mode (automatic)
  3. Then configure rules at Security Settings -> Application Control Policies -> AppLocker -> Configure Rule Enforcement
  4. Generate rules: Executable Rules -> Automatically Generate Rules
    1. If file is not signed, create rule by either file hash or file's path
    2. Reduce number of rules by grouping similar files: have the wizard analyze rules to see if similar rules can be grouped under fewer rules.

OR

  1. Create New Rule for manual rule creation

    1. Browse to executable location.
    2. Drag slider up to make rule less specific
    3. Add exception if necessary (eg. block all software versions except one)
  2. When rule is applied, popup with message Your system administrator has blocked this program.

How Group Policy changes are propagated

  1. When GP changes are made, by default AD makes them on the DC holding the role of PDC emulator.

  2. This can be changed in GP Management -> Right-click domain -> Change domain controller.

  3. Regardless of which DC the changes are made on, they need to be replicated to the DC which the client authenticates against.

  4. Can manually force DC replication by

    1. AD Sites & Services -> Sites -> Servers -> NTDS Settings -> Right-click Replicate Now
    2. cmd.exe
      1. AD replication: repadmin /SyncAll. Check with dcdiag
      2. FRS SYSVOL replication: ntfrsutl forcerepl <local computer name> /r "Domain System Volume (SYSVOL share)" /p <DNS name of target DC to replicate to>
      3. DFSR SYSVOL replication: Dfsrdiag SyncNow /Partner:<remote computer> /RGname:"Domain System Volume" /time:<how long to ignore current replication schedule>
  5. To ensure GP is applied after network is available and computer started up, go to: Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

  6. Once GP is updated, domain computers refresh and download GPs at intervals of between 90-120 min. Change refresh rate at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Group Policy Refresh interval for computers

  7. Change refresh rate for DCs: Computer Configuration\Policies\Administrative Templates\System\Group Policy\Group Policy Refresh interval for domain controllers

  8. Manual gpupdate:

    1. gpupdate /force
    2. gpupdate /target:<USER or COMPUTER> - gpupdates for only computer / user
    3. gpupdate /? to see all options

Group Policy resultant set of policy (RSOP)

  1. Allows you to see exactly which GPO's have been applied for each user and computer or simulate the effects of GP for effecting certain changes. This avoids having to look through all the possible settings and determining which apply to your computer.

  2. Requires admin rights, ports 135 and 445 open, and the WMI Performance Adapter service running on the target computer (not the DC).

    1. Enable Inbound Rules in Windows Firewall rule for:
      1. Remote Event Log Management(NP-In)
      2. Remote Event Log Management(RPC)
      3. Remote Event Log Management(RPC-EPMAP)
      4. Windows Management Instrumentation (WMI-In)
  3. To view GP results, go Group Policy Management -> Right-click Group Policy Results -> GP Results Wizard

    1. You can view policy settings for user only if they have logged onto the target computer before.
    2. Policy Events tab tracks all the events which occurred, such as successful/failed application of GP.
  4. To view simulated GP results, go GP Mgmt -> Right-click GP Modeling -> GP Modelling Wizard

    1. Select User, Computer to see effects of policies on those.
    2. Enable Loopback processing if you want to see GPOs applied based just on the Computer object in AD.
    3. Select AD site to test applying GPOs from that site.
    4. User location, Computer location lets you simulate the effects of moving around the User, Computer account to different OUs.
    5. Add/remove accounts from security groups.
    6. Can also specify WMI filters.
  5. To view RSOP on cmd.exe with gpresult

    1. /r - displays RSOP summary
    2. /v - Verbose RSOP results
    3. /scope <user> or <computer> - to limit results to specific scope
    4. /x - outputs to XML
    5. /h - output to HTML

Windows local security policy (Security Templates)

  1. All computers have local security policy, a subset of local group policy. DCs' local account settings are disabled and are instead managed by Default Domain Controllers' Policy in AD

  2. Local security policies accessible via Local GP editor -> Computer Configuration -> Windows Settings -> Security Settings or Local Security Editor (which has subset of local GP editor)

  3. Local security policies are used when the computer cannot join a domain due to security restrictions eg. DMZ server accessible from Internet.

  4. Export local security policy: Local Security Policy -> Right-click Security Settings -> Export policy (INF file)

  5. Import local security policy: Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Right-click Security Settings -> Import Policy

  6. Compare an imported INF local security policy by going to MMC -> File -> Add/Remove Snap-In -> Security Configuration and Analysis. The general steps are: 1) Create a DB or overwrite an existing one 2) Import INF files into the DB 3) Compare the DB with the existing computer.

    1. Right-click Security Configuration and Analysis -> Open Database -> type in new database name to create -> Import Template (INF)
    2. Right-click Security Configuration and Analysis -> Analyze Computer now -> save log file -> Inspect the elements under Security Configuration and Analysis to see differences in local computer and created database
    3. To apply settings from imported INF, right-click Security Configuration and Analysis -> Configure Computer Now -> save error log file

cmd line options

  1. secedit
    1. /validate <path to INF> - Checks validity of INF
    2. /Import /db <path to .sdb file> /cfg <path to INF> /Overwrite - Imports saved INF to specified DB and overwrite it.
    3. /analyze /db <path to .sdb file> - Compare DB data settings with existing computer settings

Server hardening with Security Configuration Wizard

  1. Hardening, done by disabling unwanted services and closing unused ports and protocols, reduces the attack surface exposed to potential attackers.

  2. Security Configuration Wizard consists of several sections.

    1. Services - Select services/protocols needed on server.
    2. Network (Windows firewall) - Enable/disable DHCP, ipv6, ICMP etc.
    3. Registry settings - SMB signing, NTLM settings
    4. Audit policy - Determine when certain Windows events are logged such as file access/modification or user logons etc.
  3. Security policy can be saved as XML to apply elsewhere.

  4. Import Security policy can be used on either local or remote servers but beware of locking out access from remote computer after security policies are applied.

  5. Rollback last applied security policy is available as option on Security Configuration Wizard.

cmd line options

  1. Import saved security policy to GPO with command: scwcmd transform /p:"<path to XML>" /g:"<GPO name>". The GPO is now found in GP Management -> Domain name -> Group Policy Objects. It can now be linked to an OU to apply the settings.

Active Directory Auditing

  1. Auditing controls what is logged in Windows Event Viewer, eg. access or logon attempts.

  2. ACLs are used to control access and auditing. ACLs consist of ACEs (access control entries).

    1. Discretionary ACL controls read/modify/execute rights for users.
    2. System ACL allows administrators to log attempts to access a secured object.
  3. Configure auditing: GP Management -> Right-click GPO -> Edit -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

  4. Audit policy settings - Most audit settings are configured to record only successful access. Some common ones are listed below.

    1. Audit account logon events - Records logon for user via AD or local login
    2. Audit Account Management - Records changes to accounts such as creating/changing user accounts and password resets.
    3. Audit directory service access - Changes to AD objects are recorded
    4. Audit logon events - Records logins after user is authenticated by AD login, eg. file share access after interactive login. A lot more info compared to audit account logon events. Info such as how long logged in and what was accessed.
    5. Audit object access - Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.
    6. Audit policy change - Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
    7. Audit privilege use - Determines whether to audit each instance of a user exercising a user right eg. changing system time, taking ownership of files/folders.
    8. Audit process tracking - Tracks detailed information for events such as program activation, process exit, handle duplication, and indirect object access. Generates a lot of logs when enabled.
    9. Audit system event - Tracks when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log
  5. Event Viewer can record what was changed rather than only that a change occurred; to enable this, run: AuditPol /Set /SubCategory:"Directory service changes" /Success:Enable

  6. Access events added by auditing in Event Viewer -> Windows Logs -> Security.

    1. Event Viewer is not intuitive: changes in settings are reflected as Value Deleted and Value Added, so you have to open multiple events to understand a change.

Password policies

  1. Found in GP Management Editor -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies

  2. Explanation of some settings (non-intuitive settings)

    1. Password Policy
      1. Enforce password history - Set no. of passwords stored for each user to prevent reuse. Default 24
      2. Min password age - Min time a password needs to be in use before changing. Prevent users from cycling through 24 passwords just to reuse old pw. Default 1 day.
      3. Note: Settings under Account tab in ADUC will overwrite settings on Domain level.
    2. Account lockout policy
      1. Account lockout duration - Automatically unlock account after X amt of time.
      2. Note that built-in Administrator account cannot be locked out, instead login attempts are delayed.
      3. Note that Windows 2003 and above will compare wrong passwords entered with previous passwords used, if match will not lockout account.
    3. Kerberos policy
      1. Enforce user logon restrictions - Force Key Distribution Center (KDC) to validate every request against the user rights policy of the account before creating Kerberos ticket. Worth turning it off on slow networks because otherwise ticket creation is held back until validation.
      2. Maximum tolerance for computer clock synchronisation - Disallow requests with time stamps differing from DCs by more than X min; mitigates replay attacks.

Fine-grained password policies

  1. Able to set different password policies for security groups as opposed to just domain wide.

  2. Password settings object (PSO) contain password policy settings for OU.

  3. When multiple PSOs are used, the PSO with the lowest precedence value will be applied; 1 is the lowest. If multiple PSOs share the lowest precedence, the PSO with the lowest GUID will be applied.

  4. Use ADSI edit to modify AD database.

    1. Right-click ADSI edit -> Connect to -> Navigate domain -> CN=System -> right-click CN=Password Settings Container -> New Object
    2. Configure password policy as required.
    3. When done, right click PSO -> Properties -> Attribute Editor -> msDS-PSOAppliesTo -> Add Windows Account -> Add security groups
    4. This will apply configured PSO to selected group
    5. Verify that PSO applies to sample users by going to Attribute Editor tab -> Filter -> Constructed -> msDS-ResultantPSO. Check that PSO name is in the value of the LDAP entry
  5. It is also possible to apply password policy objects to an OU by creating a shadow security group mirroring the OU membership and having a PS or VBS script automatically update the membership regularly (see video, 13 min onwards).
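The precedence rule from point 3 above, as an added example that is not part of the original notes: the PSOs and group memberships are constructed samples with the schema attribute names in comments. It goes one step beyond the notes in also handling a PSO linked directly to the user account, which in AD wins over any group-linked PSO.

```python
"""Resolve the resultant fine-grained password policy (PSO) for a user.

Added example, not from the original notes. The PSOs, GUIDs and group
memberships below are constructed samples.
"""
import uuid
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PSO:
    name: str
    precedence: int      # msDS-PasswordSettingsPrecedence; 1 is the strongest
    guid: uuid.UUID      # objectGUID; only used as the tie-breaker
    applies_to: Set[str] = field(default_factory=set)  # msDS-PSOAppliesTo


def resultant_pso(user: str, user_groups: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """Return the PSO that applies to `user`, or None (domain policy applies).

    Rule from the notes: among applicable PSOs, the lowest precedence value
    wins and ties are broken by the lowest GUID. A PSO linked directly to
    the user account takes priority over PSOs linked to the user's groups.
    """
    direct = [p for p in psos if user in p.applies_to]
    pool = direct or [p for p in psos if p.applies_to & user_groups]
    if not pool:
        return None
    return min(pool, key=lambda p: (p.precedence, p.guid.int))


# Constructed sample PSOs. Two share precedence 1, so the GUID decides.
SAMPLE_PSOS = [
    PSO("PSO-ServiceAccounts", 10,
        uuid.UUID("ffffffff-0000-0000-0000-000000000001"), {"ServiceAccounts"}),
    PSO("PSO-Admins-A", 1,
        uuid.UUID("00000000-0000-0000-0000-00000000000b"), {"Domain Admins"}),
    PSO("PSO-Admins-B", 1,
        uuid.UUID("00000000-0000-0000-0000-00000000000a"), {"Helpdesk"}),
    PSO("PSO-BreakGlass", 5,
        uuid.UUID("00000000-0000-0000-0000-0000000000ff"), {"emergency.admin"}),
]


if __name__ == "__main__":
    # Member of both admin groups: precedence ties at 1, lowest GUID wins.
    print(resultant_pso("alice", {"Domain Admins", "Helpdesk"}, SAMPLE_PSOS).name)
    # Directly linked PSO beats the group-linked one even with a worse precedence.
    print(resultant_pso("emergency.admin", {"Domain Admins"}, SAMPLE_PSOS).name)
    # No applicable PSO: the Default Domain Policy settings apply.
    print(resultant_pso("bob", {"Domain Users"}, SAMPLE_PSOS))
```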

Deny domain groups

  1. This allows administrators to deny certain access rights to specific groups
  2. Options are:
    1. Deny access to this computer from the network (doesn't block RDP)
    2. Deny log on as a batch job - Jobs that are run with task scheduler using the denied user will be blocked.
    3. Deny log on as a service - Prevent user account from being used to run services.
    4. Deny log on locally
    5. Deny log on through Remote Desktop Services