Daniel Ramawidjaja Blog

July 25, 2009

Delegation Control to Modify Only Certain User Attributes (Part 2)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:33 am

In this post, I will explain how to delegate to certain users the ability to modify attributes that cannot be delegated on their own with the Delegation of Control Wizard. Not every attribute can be delegated through the wizard without also granting access to other attributes that you do not want to delegate.
Take the Office location attribute, for example. You can delegate it by selecting Read/Write Permissions for Private Information, but you may need the delegation to be more specific than that. In that case, use ADSIEDIT.MSC.

If you do not have ADSIEDIT.MSC available (check by running ADSIEDIT.MSC from Run), you must install it first.
On Windows Server 2003 it is on the installation CD in the \Support\Tools folder; install it by double-clicking suptools.msi.
On Windows Server 2008 it has been available on the domain controller since you installed Active Directory.

Create a connection that opens the Domain partition.
Then you can modify the permissions of an OU as in the following picture:

Custom Delegation (Part 2)

This tip has been tested and works, as the following picture shows.

Custom Delegation (Part 2)

The Office location attribute was changed to Semarang.

Custom Delegation (Part 2)

Delegation Control to Modify Only Certain User Attributes (Part 1)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:14 am

At a student's request, I am posting an article about a custom delegation task in Active Directory. This delegation allows users with a specific function, for example Human Resources, to edit only certain properties of the users in certain OUs.

User Attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.

Testing will be done by the user Jet Lee (JetL), a member of the Human Resources group.


Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example

Custom Delegation


Delegation Control Steps
Right-click the Finance OU, for example, and then click Delegate Control. This launches the Delegation of Control Wizard.

Custom Delegation

Select the users or groups for the delegation.

Custom Delegation

Select Create a custom task to delegate.

Custom Delegation

Select Only the following objects in the folder, then select User objects.

Custom Delegation

On the Permissions page, select Property-specific. Then select the read and write permissions for the following attributes:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.

Custom Delegation


Test the Delegation
For testing, I use the user Jet Lee (JetL), who is a member of the Human Resources group.

Custom Delegation

Now JetL can modify the user properties on the Organization tab, as in the following picture:

Custom Delegation

Here is the result of setting the Manager property, as you can see in the Direct Reports list in the user properties of the manager (NaomiW).

Custom Delegation
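The same property-specific delegation as a script, so it can be repeated across OUs and audited: an added example, not code from the original posts. It grants one group read/write on a fixed list of user attributes under one OU, inherited by user objects only, which is what the wizard builds in Part 1 and what you set by hand in ADSIEDIT.MSC for Office location in Part 2. It assumes the ActiveDirectory module; the OU, group and domain names are placeholders.

```powershell
# Added example, not code from the original posts. Grants one group read/write on
# a fixed list of user attributes under one OU, inherited by user objects only:
# the property-specific ACE the Delegation of Control Wizard creates (Part 1)
# and the one added by hand in ADSIEDIT.MSC for Office location (Part 2).
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Look up the schemaIDGUID of a class or attribute by its lDAPDisplayName.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'"
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-UserAttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,          # placeholder: "OU=Finance,DC=example,DC=com"
        [Parameter(Mandatory)][string]$GroupName,     # placeholder: "Human Resources"
        [Parameter(Mandatory)][string[]]$Attributes   # lDAPDisplayName values
    )
    $sid           = (Get-ADGroup -Identity $GroupName).SID
    $userClassGuid = Get-SchemaGuid 'user'   # "Only the following objects: User objects"
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($attr in $Attributes) {
        # ObjectType = the attribute, InheritedObjectType = the user class, so the
        # ACE grants nothing on other attributes or on other object classes.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr), $inherit, $userClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-UserAttributeWrite {
    # Read the ACL back and list only the property-specific ACEs held by the group.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupName)
    $account = (Get-ADGroup -Identity $GroupName).SID.Translate(
        [System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and $_.ObjectType -ne [guid]::Empty
    } | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
}

# Part 1's list: title (Job Title), department, company and manager; directReports
# is the back link of manager and fills in by itself once manager is written.
# Part 2's attribute, Office location, is physicalDeliveryOfficeName.
Grant-UserAttributeWrite -OuDn 'OU=Finance,DC=example,DC=com' -GroupName 'Human Resources' `
    -Attributes title, department, company, manager, physicalDeliveryOfficeName
Get-UserAttributeWrite -OuDn 'OU=Finance,DC=example,DC=com' -GroupName 'Human Resources'
```

The second function is the check: every ACE it lists should carry a non-empty ObjectType (one attribute) and the user class as InheritedObjectType, and nothing else for that group.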

June 27, 2009

Group Policy Management Console (GPMC) Installation on Windows Server 2003 R2 x64

Filed under: Group Policy,Windows Server 2003 R2 — Daniel Ramawidjaja @ 4:41 am

You can download the GPMC here:

Unfortunately, GPMC needs .NET Framework 1.1, while Windows Server 2003 R2 x64 includes only .NET Framework 2.0.

GPMC Installation Needs .NET Framework 1.1

You can install .NET Framework 1.1, but you may run into errors in other web applications. See my previous post, Error on Certificate Services Web Enrollment After Installing .NET Framework 1.1 on Windows Server 2003 R2 x64.

After installing .NET Framework 1.1, and some troubleshooting where necessary, you can install GPMC successfully.

GPMC Installation completed


Here is a test of GPMC after installation:

GPMC Testing

GPMC Testing

GPMC Testing


To avoid problems with .NET Framework 1.1 incompatibility, it is recommended that you install GPMC on client computers such as Windows XP or Windows Vista. I wrote this post just to show that GPMC can in fact be installed on Windows Server 2003 x64, which includes only .NET Framework 2.0.

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

By using AdRestore.exe or ADRestore.NET, you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It basically does the same thing as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE).

I wrote the previous post to give a deeper understanding of the tombstone reanimation concept.

Mark Russinovich, formerly of Sysinternals and now at Microsoft, has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain, lets you restore them selectively, and provides a convenient command-line interface to the Active Directory reanimation functionality.

You can download this tool from here:



Restoring objects with ADRestore.NET
Guy Teverovsky has written a GUI version that lets you restore deleted AD objects easily.
I find that this tool helps a lot when you need to restore more than one deleted object, for example an OU that contains several objects.

You can download the ADRestore.NET here:

Here are the demo steps:
I deleted an OU named Accounting that contained some objects, including users and groups.
Delete an OU

Enumerating Tombstones

First restore the OU.

Then restore the other objects one by one.

Until the last object

Then view the result
ADRestore.NET - The Result

You can see from the steps above that ADRestore.NET makes it a lot easier to restore more than one object.

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested and works on Windows Server 2003, Windows Server 2008, and later.
On Windows Server 2008 R2 it is recommended to use the Active Directory Recycle Bin feature instead. It is a more efficient method and can completely restore previously deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed with Active Directory Users and Computers or ADSIEDIT.MSC, but you can view it with LDP.EXE.

For example, in this documentation I delete an account with the distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account is stored in the Deleted Objects container in the form
CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
(the renamed object’s CN contains a line-feed character, written here as \0A, followed by DEL: and the object’s GUID), and with the attribute isDeleted set to TRUE.

To restore the user account, you use LDP.EXE to modify the properties of the deleted object.
Here are the snapshots.


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions on the C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny

Tombstone Reanimation - Deletion

As the Result of Deletion
Jenny’s previous account now shows up in the folder’s permissions as her old SID. If you create a new user, it actually creates a new object with a new SID for the user. That is why you have to use the tombstone reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion


To prepare for restoring the deleted object, you have to install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD, the installer is \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need this step on Windows Server 2008.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
In the LDP window, on the Connection menu, click Connect and type the appropriate server name and port.
On the Connection menu, click Bind, and type the Administrator account name and password.

On the Options menu, click Controls.
Under Load Predefined, select Return deleted objects.
This option will show the Deleted Objects container that is hidden by default.

Tombstone Reanimation

On the View menu, click Tree, and then enter the distinguished name of the domain.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container and find Jenny Gates.

Right-click Jenny’s account, and then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under Operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.

Tombstone Reanimation

The result of restoring a deleted object with the tombstone reanimation procedure is not perfect. You get back a disabled account whose attributes have been stripped, so you have to set the password and enable the account.

Tombstone Reanimation - The Result

But as you can see in the following picture, the permissions for Jenny have been restored.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, many attributes are gone, including the user’s group memberships.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want a successful restore that includes all attributes of the user, you should consider an authoritative restore, which requires restoring from backup. And you cannot restore the Active Directory database from backup without restarting into Active Directory Restore Mode.
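What LDP.EXE (this post) and ADRestore (the post above) actually send to the domain controller is one LDAP modify request, and it can be scripted: the block below is an added example, not code from either post or from the tools. It finds the tombstone through the "return deleted objects" control (OID 1.2.840.113556.1.4.417, what the Extended check box attaches in LDP), then deletes isDeleted and replaces distinguishedName in a single request. It assumes a domain controller name and uses the post's Microship.com names as placeholders.

```powershell
# Added example, not code from the original posts or from LDP/ADRestore. Finds a
# tombstoned user and reanimates it with the same single modify request LDP sends:
# delete isDeleted + replace distinguishedName, carrying the "return deleted
# objects" control (OID 1.2.840.113556.1.4.417). Server and names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Restore-TombstonedUser {
    param(
        [Parameter(Mandatory)][string]$Server,         # placeholder: "dc1.microship.com"
        [Parameter(Mandatory)][string]$DomainDn,       # placeholder: "DC=Microship,DC=com"
        [Parameter(Mandatory)][string]$SamAccountName, # placeholder: "JennyG"
        [Parameter(Mandatory)][string]$NewDn           # where the object should come back
    )
    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials; run as an account permitted to reanimate

    # 1. Locate the tombstone. sAMAccountName and objectSid survive deletion, so the
    #    search can key on them; without the control the container stays hidden.
    $search = New-Object "$P.SearchRequest" -ArgumentList (
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('distinguishedName', 'lastKnownParent', 'objectSid'))
    [void]$search.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $found = $conn.SendRequest($search)
    if ($found.Entries.Count -ne 1) {
        throw "expected one tombstone for $SamAccountName, found $($found.Entries.Count)"
    }
    $tombstoneDn = $found.Entries[0].DistinguishedName

    # 2. Reanimate: both changes must travel in one modify request, with the control.
    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($NewDn)
    $modify = New-Object "$P.ModifyRequest"
    $modify.DistinguishedName = $tombstoneDn
    [void]$modify.Modifications.Add($delIsDeleted)
    [void]$modify.Modifications.Add($setDn)
    [void]$modify.Controls.Add((New-Object "$P.ShowDeletedControl"))
    $result = $conn.SendRequest($modify)
    $conn.Dispose()
    return $result.ResultCode   # Success once the object is back under $NewDn
}

# The reanimated account comes back disabled with most attributes stripped, so
# finish as the post says: reset the password and enable it (ActiveDirectory module).
Restore-TombstonedUser -Server 'dc1.microship.com' -DomainDn 'DC=Microship,DC=com' `
    -SamAccountName 'JennyG' -NewDn 'CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com'
# Set-ADAccountPassword -Identity JennyG -Reset; Enable-ADAccount -Identity JennyG
```

Because the SID is preserved on the tombstone, the restored object is the same security principal the folder ACL still references, which is why the permissions come back while group memberships and other stripped attributes do not.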

June 19, 2009

Impact of Disjoining Domain to Group Policy Implementation

Filed under: Active Directory,Group Policy — Daniel Ramawidjaja @ 7:12 pm

A discussion with my student made me think again, open my mind, and do some simulation to test the concept and my knowledge of what happens when a client computer disjoins the domain to avoid Group Policy. I concluded that the disjoining process removes all Group Policy settings that were previously retrieved from the domain’s Group Policy.
I did some testing on Windows XP and Windows Vista, but only documented the test results on Windows XP.


Verify the Group Policy settings retrieved from the domain.
Execution of a .vbs file was denied.

Effect of Disjoining Domain to Group Policy Implementation - Before

The interactive logon message text appeared.

Effect of Disjoining Domain to Group Policy Implementation - Before


Disjoin from the Domain

Disjoin from Domain


Verify the Impact of Disjoining Domain to Previous Group Policy Implementation
The Software Restriction Policy that denied access to .vbs files no longer applies.

Effect of Disjoining Domain to Group Policy Implementation - After

The interactive logon text message has been removed.

Effect of Disjoining Domain to Group Policy Implementation - After


Group Policy Settings for Test Computers



June 15, 2009

Restore Deleted Objects with Active Directory Recycle Bin

Filed under: Active Directory,Windows Server 2008 R2 — Daniel Ramawidjaja @ 10:51 am

Active Directory Recycle Bin is a new feature on Windows Server 2008 R2, so this tip applies only to Windows Server 2008 R2.

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

You can restore deleted Active Directory objects by using PowerShell commands. Here are the snapshots:

Import Active Directory module

> Import-Module ActiveDirectory

Get information about Recycle Bin feature

> Get-ADOptionalFeature -Filter { name -like "Recycle*" }

Enable Recycle Bin feature

> Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target MiniSoft.com

Active Directory Recycle Bin

For this example, I deleted the Finance OU.

Example: Delete Finance OU

List the deleted objects

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" }

List the Deleted Active Directory Objects

Restore the deleted objects

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" } | Restore-ADObject

Restore Objects

Verify that the Active Directory objects have been restored.

Verify the Restored Objects
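Restore-ADObject needs an object's parent to exist, so the one-line pipeline above depends on the Finance OU coming out of the search before its children. The block below is an added example, not code from the original post: it restores the OU first and then walks lastKnownParent level by level, so parents always come back before their children, however many levels the deleted OU had. It assumes the Recycle Bin is already enabled and the ActiveDirectory module is loaded; the Finance DN is the post's own.

```powershell
# Added example, not code from the original post. Restores a deleted OU and
# everything that lived under it in parent-first order, keyed on lastKnownParent
# and msDS-LastKnownRDN, the two attributes the Recycle Bin keeps for this purpose.
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    param([Parameter(Mandatory)][string]$OriginalDn)  # e.g. "OU=Finance,DC=minisoft,DC=com"

    # One search of the Deleted Objects container. The container itself is also
    # flagged isDeleted, hence the post's name filter.
    $nc = (Get-ADRootDSE).defaultNamingContext
    $deleted = Get-ADObject -IncludeDeletedObjects -SearchScope Subtree `
        -SearchBase "CN=Deleted Objects,$nc" -Filter { name -notlike "Deleted*" } `
        -Properties lastKnownParent, 'msDS-LastKnownRDN'

    # The subtree root is the object whose original parent and RDN match $OriginalDn.
    $rdn, $parentDn = $OriginalDn -split ',', 2
    $rdnValue = $rdn -replace '^[^=]+=', ''
    $root = @($deleted | Where-Object {
        $_.lastKnownParent -eq $parentDn -and $_.'msDS-LastKnownRDN' -eq $rdnValue })
    if ($root.Count -ne 1) { throw "found $($root.Count) deleted objects matching $OriginalDn" }

    $restored = New-Object System.Collections.Generic.List[string]
    $queue    = New-Object System.Collections.Generic.Queue[string]
    Restore-ADObject -Identity $root[0].ObjectGUID
    $restored.Add($OriginalDn)
    $queue.Enqueue($OriginalDn)

    # Breadth-first: a child is restored only after its parent is back, and its new
    # DN (read back from the directory) becomes the key for its own children.
    while ($queue.Count -gt 0) {
        $parent = $queue.Dequeue()
        foreach ($child in ($deleted | Where-Object { $_.lastKnownParent -eq $parent })) {
            Restore-ADObject -Identity $child.ObjectGUID
            $childDn = (Get-ADObject -Identity $child.ObjectGUID).DistinguishedName
            $restored.Add($childDn)
            $queue.Enqueue($childDn)
        }
    }
    return $restored   # every DN that was restored, parents before children
}

Restore-DeletedSubtree -OriginalDn 'OU=Finance,DC=minisoft,DC=com'
```

Children keep the OU's original DN as lastKnownParent because a tree delete removes the leaves before the container, which is what makes the walk possible without any extra bookkeeping.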

June 7, 2009

Remote Server Administration Tools on Windows Vista

If you want to do remote management from Windows client computers, you should install RSAT. Unfortunately, this tool is only available for Windows Vista.

You can download and find more detailed information from here:

Install the RSAT

RSAT Setup

While the update was still running, I examined the Administrative Tools on Windows Vista to show you the previous condition.

Administrative Tools before RSAT Installed

Go to Control Panel, Programs, Programs and Features, and then click Turn Windows features on or off. You will see the differences.

Turn Windows Features On or Off after RSAT

Here is the Administrative Tools program group after I turned on some of the RSAT features.

Administrative Tools After RSAT Installed

June 6, 2009

Change the Local Administrator Password Using Group Policy

Filed under: Group Policy,Windows Server 2008 — Daniel Ramawidjaja @ 11:41 pm

This tip can be implemented only if you have already installed the Group Policy Client Side Extensions (CSEs) on the targeted computers. If not, download them from here: http://support.microsoft.com/?kbid=943729
The minimum supported client is Windows XP SP2.

By following the steps in the pictures below, you can configure Group Policy to change the local administrator’s password on multiple machines.

Group Policy Preference to Change Admin Local Password - 1

Group Policy Preference to Change Admin Local Password - 2

Group Policy Preference to Change Admin Local Password - 3

Group Policy Preferences on Windows Vista with SP2

Filed under: Group Policy,Windows Vista — Daniel Ramawidjaja @ 3:55 pm

For Group Policy Preferences (GPP) to apply on Windows Vista, you need to install the Group Policy Client Side Extensions (CSEs). You can download them from here:

Unfortunately, trying to install the Group Policy Client Side Extensions on Windows Vista with SP2 ends with the message “This update does not apply to this system”.
I hope Microsoft releases the update for Windows Vista with SP2 as soon as possible.

Update Does Not Apply to This System

But you can force the installation of a Windows update in the following way; for example, to force-install the Group Policy Preferences Client Side Extensions:
> mkdir KB943729
> expand -F:* Windows6.0-KB943729-x64.msu KB943729\
> start /w pkgmgr /ip /m:KB943729\Windows6.0-KB943729-x64.cab

Force Install of the Update

I find that it works, but the update is not fully compatible with Windows Vista SP2. Here is the result of 'gpupdate /force':

gpupdate /force

Although not fully compatible, the goal is achieved. Here are the Group Policy Preferences settings:

Group Policy Preference

Group Policy Preference

Here is the snapshot of the result on Windows Vista with SP2.
I got a folder with the same name and attributes as I set in the Group Policy Preferences.

Group Policy Preference on Vista SP2
