Daniel Ramawidjaja Blog

July 25, 2009

Delegation Control to Modify Only Certain User Attributes (Part 2)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:33 am

In this post, I will explain how to delegate to certain users the ability to modify attributes that cannot be delegated on their own with the Delegation of Control Wizard. Not every attribute can be delegated with the wizard without also allowing other attributes that you do not want to delegate.
For example, the Office location. You can delegate the Office location attribute by selecting the Read/Write permissions for Private Information, but you may need the delegation to be more specific. In that case, use ADSIEDIT.MSC.

If ADSIEDIT.MSC is not already available (test by running ADSIEDIT.MSC from Run), you should install it first.
It is available on the Windows Server 2003 CD, in the folder \Support\Tools. Install it by double-clicking suptools.msi.
On Windows Server 2008 it is already available on the domain controller once Active Directory is installed.

Create a connection to the Domain partition.
Then you can modify the permissions of an OU as in the following picture:

Custom Delegation (Part 2)

This tip has been tested and works, as shown in the following picture.

Custom Delegation (Part 2)

The Office location attribute was changed to Semarang.

Custom Delegation (Part 2)


Delegation Control to Modify Only Certain User Attributes (Part 1)

Filed under: Active Directory,Windows Server — Daniel Ramawidjaja @ 9:14 am

At a student's request, I am posting an article about custom delegation of tasks in Active Directory. This delegation allows users with a specific function, for example Human Resources, to edit only certain properties of users in certain OUs.

User Attributes that can be changed after the custom delegation:
Job Title, Department, Company, Manager, and Direct Reports.

Testing will be done by user Jet Lee (JetL), a member of the Human Resources group.


Attributes that Will Be Allowed to Be Changed in This Custom Delegation Example

Custom Delegation


Delegation Control Steps
Right-click an OU, for example Finance, and then click Delegate Control. This launches the Delegation of Control Wizard.

Custom Delegation

Select the users or groups for delegation.

Custom Delegation

Select Create a custom task to delegate.

Custom Delegation

Select Only the following objects in the folder, then select User objects.

Custom Delegation

On the Permissions page, select Property-specific. Then select the Read and Write permissions for the following attributes:
– Department
– Job Title
– Company
– Direct Reports
– Manager
Click Next, and then click Finish.

Custom Delegation
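The wizard steps above (and the ADSIEDIT variant in Part 2 for the Office attribute) both end up writing object-specific ACEs on the OU. As an added example, not code from either post, here is the same delegation done from PowerShell, plus a function that reads the ACL back so you can audit exactly which attributes a group may write. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT); the OU, group and domain names are placeholders.

```powershell
# Added example, not code from the posts. Grants one group read/write on a chosen list of
# user attributes under an OU, scoped to user objects only, then reads the ACL back.
# Assumes the ActiveDirectory module; OU, group and domain names are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of a class or attribute, looked up by lDAPDisplayName (no hard-coded GUIDs)
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq $LdapDisplayName } -Properties schemaIDGUID
    if (-not $obj) { throw "'$LdapDisplayName' not found in the schema" }
    return [guid]$obj.schemaIDGUID
}

function Grant-AttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,         # e.g. 'OU=Finance,DC=example,DC=com'
        [Parameter(Mandatory)][string]$Group,        # e.g. 'EXAMPLE\Human Resources'
        [Parameter(Mandatory)][string[]]$Attributes  # lDAPDisplayName values
    )
    $identity      = New-Object System.Security.Principal.NTAccount($Group)
    $userClassGuid = Get-SchemaGuid -LdapDisplayName 'user'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($attr in $Attributes) {
        # One object-specific ACE per attribute: Allow Read/WriteProperty on that attribute
        # (ObjectType), inherited only by descendant objects of class user (InheritedObjectType)
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, $rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid -LdapDisplayName $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-AttributeDelegation {
    # Lists the per-attribute write ACEs a group holds on an OU, resolving the GUIDs back to names
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Group)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.ObjectType -ne [guid]::Empty -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0 } |
        ForEach-Object {
            # schemaIDGUID is stored as bytes, so the LDAP filter needs the GUID in \xx byte form
            $hex  = ($_.ObjectType.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
            $name = (Get-ADObject -SearchBase $schemaNc -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName).lDAPDisplayName
            New-Object PSObject -Property @{ Attribute = $name; Rights = $_.ActiveDirectoryRights; Inherits = $_.InheritanceType }
        }
}

# Constructed usage following the two posts: Finance OU, Human Resources group. directReports
# is a back-link computed from manager, so it is not writable and is left out of the list.
$ou = 'OU=Finance,DC=example,DC=com'
Grant-AttributeWrite -OuDn $ou -Group 'EXAMPLE\Human Resources' `
    -Attributes 'title','department','company','manager','physicalDeliveryOfficeName'
Get-AttributeDelegation -OuDn $ou -Group 'EXAMPLE\Human Resources' | Format-Table -AutoSize
```

The audit function is the useful half for a reviewer: it shows that the group holds WriteProperty only on the listed attributes and only on user objects, which is the property that the wizard's broader "Personal Information" style grants do not give you.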


Test the Delegation
For testing I use user Jet Lee (JetL), a member of the Human Resources group.

Custom Delegation

Now JetL can modify the user properties on the Organization tab, as in the following picture:

Custom Delegation

Here is the result of setting the Manager property, as seen in the Direct Reports list in the user properties of the manager (NaomiW).

Custom Delegation

June 22, 2009

Restore Deleted Objects from Active Directory Database Using Tombstone Reanimation (AdRestore.exe and ADRestore.NET)

By using AdRestore.exe or ADRestore.NET you can apply the tombstone reanimation method to restore deleted objects from the Active Directory database easily. It does basically the same thing as using LDP in my previous post, Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE).

I wrote the previous post to give a deeper understanding of the tombstone reanimation concept.

AdRestore.exe
Mark Russinovich, formerly of Sysinternals and now at Microsoft, has created a command-line freeware application called ADRestore. The tool enumerates all of the currently tombstoned objects in a domain and allows you to restore them selectively, providing a convenient command-line interface to the Active Directory reanimation functionality.

You can download this tool from here:
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

ADrestore.exe


ADRestore.NET
Restoring objects with ADRestore.NET
Guy Teverovsky has written a GUI version that allows you to easily restore deleted AD objects.
I found this tool helps a lot when you need to restore more than one deleted object, for example an OU that contains several objects.

You can download the ADRestore.NET here:
http://blogs.microsoft.co.il/files/folders/guyt/entry40811.aspx

Here are the demo steps:
I deleted an OU named Accounting that contained some objects, including users and groups.
Delete an OU

Enumerating Tombstones
ADRestore.NET

First, restore the OU.
ADRestore.NET

Then restore the other objects one by one.
ADRestore.NET

Until the last object.
ADRestore.NET

Then view the result.
ADRestore.NET - The Result

You can see from the steps above that using ADRestore.NET makes it a lot easier to restore more than one object.

Restore Deleted Objects in Active Directory Database Using Tombstone Reanimation (LDP.EXE)

This tip has been tested and works on Windows Server 2003, Windows Server 2008, and later.
For Windows Server 2008 R2, it is recommended to use the Active Directory Recycle Bin feature instead. It is a more efficient method and can do a complete restore of previously deleted objects.

What Is a Tombstone?
When Active Directory deletes an object from the directory, it does not physically remove the object from the database. Instead, Active Directory marks the object as deleted by setting the object’s isDeleted attribute to TRUE, stripping most of the attributes from the object, renaming the object, and then moving the object to a special container in the object’s naming context (NC) named CN=Deleted Objects. The object, now called a tombstone, is invisible to normal directory operations.

Obviously, objects don’t remain in the CN=Deleted Objects container forever. The default tombstone lifetime is 60 days for forests initially built using Windows® 2000 and Windows Server 2003, and 180 days for forests that were initially built with Windows Server 2003 SP1. You can change the tombstone lifetime by setting the tombstoneLifetime attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration, DC= object.

Every 12 hours, each domain controller starts a garbage collection process. (This can be changed by setting a new value for the garbageCollPeriod attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC= object.) This garbage collection scans all of the tombstones on the DC and physically deletes any that are older than the tombstone lifetime.

The Deleted Objects container is hidden and cannot be viewed with Active Directory Users and Computers or ADSIEDIT.MSC. But you can use LDP.EXE.

For example, in this documentation I delete an account with distinguishedName CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com.
That account is stored in the Deleted Objects container in the form:
CN=Jenny Gates\0ADEL:c7f41f06-7f02-42c9-8701-d5ad5ee3a7d0,CN=Deleted Objects,DC=Microship,DC=com
with the attribute isDeleted set to TRUE.

To restore the user account, you have to use LDP.EXE to modify the properties of the deleted object.
Here are the snapshots.


The previous condition
Jenny Gates (username: JennyG) has the following attributes:

Tombstone Reanimation - Before Deletion

Tombstone Reanimation - Before Deletion

Jenny has permissions set on the C:\Data\Marketing folder.

Tombstone Reanimation - Before Deletion

Delete the user account Jenny.

Tombstone Reanimation - Deletion

The Result of Deletion
Jenny's previous account is shown in the folder permissions as her old SID. If you create a new user, it actually creates a new object with a new SID. That is why you have to use the tombstone reanimation method to restore the old object.

Tombstone Reanimation - Impact of Deletion


To prepare for restoring the deleted object, you have to install the Windows Server 2003 Support Tools. On the Windows Server 2003 installation CD they are located at \SUPPORT\TOOLS\SUPTOOLS.MSI.
You do not need this step on Windows Server 2008.

Tombstone Reanimation - Support Tools


Process to Restore the Deleted Object
Run LDP.exe.
In the LDP window, click the Connection menu, click Connect, and type the appropriate server name and port.
Click the Connection menu, click Bind, and type the Administrator account and password.

Click the Options menu, then click Controls.
Under Load Predefined, select Return deleted objects.
This option shows the Deleted Objects container, which is hidden by default.

Tombstone Reanimation

Click the View menu, click Tree, and then select the distinguished name of the domain.
On the left, select DC=Microship,DC=com.
Then expand the Deleted Objects container and find Jenny Gates.

Right-click the Jenny account, then click Modify.

Tombstone Reanimation

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.
In the Attribute box, type distinguishedName; in the Values box, type CN=Jenny Gates,OU=Marketing,DC=Microship,DC=com. Under Operation, click Replace, and then click Enter.
Select the Extended check box, and then click Run.

Tombstone Reanimation

The result of restoring deleted objects with the tombstone reanimation procedure is not perfect. You get back a disabled account with its attributes stripped. You have to set the password and enable the account.

Tombstone Reanimation - The Result

But as you can see from the following picture, the permissions for Jenny have been restored.
Now Jenny can access the shared folder.

Tombstone Reanimation - The Result

The next pictures show that, although you can restore the object, many attributes are gone, including the user's group memberships.

Tombstone Reanimation - The Result

Tombstone Reanimation - The Result

If you want a complete restore including all attributes of the user, you should consider an authoritative restore, which requires restoring from backup. You cannot restore the Active Directory database from backup without restarting in Active Directory Restore Mode.
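The LDP steps above, and the AdRestore/ADRestore.NET tools in the post before it, all send the same LDAP modify: delete isDeleted and replace distinguishedName, with the show-deleted control attached. As an added example (not code from these posts, from AdRestore, or from ADRestore.NET), here is that exchange done from PowerShell with System.DirectoryServices.Protocols, including the check ADRestore.NET's "restore the OU first" ordering relies on. The server name, domain DN and account name are assumptions for the example.

```powershell
# Added example, not code from the posts, AdRestore or ADRestore.NET. Performs the tombstone
# reanimation modify (delete isDeleted, replace distinguishedName) in one LDAP request. Both the
# search and the modify carry the LDAP_SERVER_SHOW_DELETED control (1.2.840.113556.1.4.417),
# which is what LDP's "Return deleted objects" option adds. Server, DN and account are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldap {
    param([Parameter(Mandatory)][string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true     # sign and seal the session; Negotiate bind as the current user
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()
    return $conn
}

function Find-Tombstone {
    param([Parameter(Mandatory)]$Conn, [Parameter(Mandatory)][string]$DomainDn,
          [Parameter(Mandatory)][string]$SamAccountName)
    # sAMAccountName survives on a tombstone; escape LDAP filter metacharacters before embedding it
    $safe = $SamAccountName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(sAMAccountName=$safe))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('lastKnownParent', 'sAMAccountName'))
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $entries = $Conn.SendRequest($req).Entries
    if ($entries.Count -ne 1) { throw "Expected one tombstone for $SamAccountName, found $($entries.Count)" }
    return $entries[0]
}

function Restore-Tombstone {
    param([Parameter(Mandatory)]$Conn, [Parameter(Mandatory)]$Entry, [string]$TargetParentDn)
    $dn  = $Entry.DistinguishedName              # "CN=Jenny Gates\0ADEL:<guid>,CN=Deleted Objects,..."
    $cut = $dn.IndexOf('\0ADEL:', [StringComparison]::OrdinalIgnoreCase)
    if ($cut -lt 0) { throw "Not a tombstone DN: $dn" }
    $rdn = $dn.Substring(0, $cut)                # original RDN, e.g. "CN=Jenny Gates"
    if (-not $TargetParentDn) {
        if (-not $Entry.Attributes.Contains('lastKnownParent')) { throw "No lastKnownParent; pass -TargetParentDn" }
        $TargetParentDn = [string]$Entry.Attributes['lastKnownParent'][0]
    }
    # The parent must be live: a base-scope search without the show-deleted control fails for a
    # tombstoned parent, which is why a deleted OU has to be restored before its contents
    try {
        $probe = New-Object System.DirectoryServices.Protocols.SearchRequest($TargetParentDn, '(objectClass=*)',
                     [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('objectClass'))
        [void]$Conn.SendRequest($probe)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        throw "Target parent $TargetParentDn is not a live object; restore it first"
    }
    $newDn = "$rdn,$TargetParentDn"
    $mod = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $mod.DistinguishedName = $dn
    $del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $del.Name = 'isDeleted'
    $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $rep = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $rep.Name = 'distinguishedName'
    $rep.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$rep.Add($newDn)
    [void]$mod.Modifications.Add($del)
    [void]$mod.Modifications.Add($rep)
    [void]$mod.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    [void]$Conn.SendRequest($mod)                # needs the Reanimate Tombstones right on the domain NC
    return $newDn
}

# Constructed usage matching the LDP post: JennyG goes back under her last known parent OU.
# As the post notes, the account comes back disabled with attributes stripped: set a password and enable it.
$conn = Connect-Ldap -Server 'dc1.microship.com'
$tomb = Find-Tombstone -Conn $conn -DomainDn 'DC=Microship,DC=com' -SamAccountName 'JennyG'
Restore-Tombstone -Conn $conn -Entry $tomb
```

Reanimation is a write to the directory, so it is worth knowing who can do it: the modify succeeds only for principals holding the Reanimate Tombstones control access right on the domain naming context, which Domain Admins have by default.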

June 19, 2009

Impact of Disjoining Domain to Group Policy Implementation

Filed under: Active Directory,Group Policy — Daniel Ramawidjaja @ 7:12 pm

A discussion with one of my students made me think again, open my mind, and run a simulation to verify the concept and my understanding of what happens to Group Policy when a client computer disjoins the domain to avoid Group Policy. My conclusion is that the disjoining process removes all Group Policy settings that were previously retrieved from the domain's Group Policy.
I did some testing on Windows XP and Windows Vista, but only documented the test results on Windows XP.


Verify that the Group Policy settings retrieved from the domain are in effect.
Execution of the .vbs file is denied.

Effect of Disjoining Domain to Group Policy Implementation - Before

The interactive logon message text appears.

Effect of Disjoining Domain to Group Policy Implementation - Before


Disjoin from the Domain

Disjoin from Domain


Verify the Impact of Disjoining Domain to Previous Group Policy Implementation
The Software Restriction Policy that denied access to .vbs files no longer applies.

Effect of Disjoining Domain to Group Policy Implementation - After

The interactive logon message text has been removed.

Effect of Disjoining Domain to Group Policy Implementation - After


Group Policy Settings for Test Computers

Test-the-effect-move-to-workgroup

Test-the-effect-move-to-workgroup

June 15, 2009

Restore Deleted Objects with Active Directory Recycle Bin

Filed under: Active Directory,Windows Server 2008 R2 — Daniel Ramawidjaja @ 10:51 am

Active Directory Recycle Bin is a new feature on Windows Server 2008 R2, so this tip applies only to Windows Server 2008 R2.

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.

You can restore deleted Active Directory objects by using PowerShell commands. Here are the snapshots:

Import Active Directory module

> Import-Module ActiveDirectory

Get information about Recycle Bin feature

> Get-ADOptionalFeature -Filter { name -like "Recycle*" }

Enable Recycle Bin feature

> Enable-ADOptionalFeature "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target MiniSoft.com

Active Directory Recycle Bin

For example, here I deleted the Finance OU.

Example: Delete Finance OU

List the deleted objects

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" }

List the Deleted Active Directory Objects

Restore the deleted objects

> Get-ADObject -SearchScope subtree -SearchBase "cn=Deleted Objects,dc=minisoft,dc=com" -IncludeDeletedObjects -Filter { name -notlike "Deleted*" } | Restore-ADObject

Restore Objects

Verify that the Active Directory objects have been restored.

Verify the Restored Objects
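Restore-ADObject puts an object back under its last known parent, so the parent has to exist before a child can be restored; piping the whole Deleted Objects listing into Restore-ADObject depends on the OU coming out of the query before its members. As an added example, not code from the post, the following restores a deleted tree parent-first regardless of query order, and reports anything whose parent is still missing. It assumes the ActiveDirectory module with the Recycle Bin enabled as shown above; the domain DN is a placeholder.

```powershell
# Added example, not code from the post. Restores deleted objects in parent-first order:
# each pass restores only objects whose lastKnownParent is live again, then re-queries.
# Assumes the ActiveDirectory module and an enabled Recycle Bin; the domain DN is a placeholder.
Import-Module ActiveDirectory

function Test-LiveObject {
    param([Parameter(Mandatory)][string]$Dn)
    # Without -IncludeDeletedObjects a tombstone DN is not found, so a still-deleted parent gives $false
    try { [void](Get-ADObject -Identity $Dn -ErrorAction Stop); $true } catch { $false }
}

function Restore-DeletedTree {
    param([Parameter(Mandatory)][string]$DomainDn,        # e.g. 'DC=minisoft,DC=com'
          [Parameter(Mandatory)][datetime]$DeletedAfter)  # limits the restore to one deletion event
    $restored = @()
    do {
        # Re-query each pass: lastKnownParent is DN-valued, so once the parent is back it reads as the live DN
        $pending = @(Get-ADObject -SearchBase "CN=Deleted Objects,$DomainDn" -SearchScope Subtree `
            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
            -Filter { isDeleted -eq $true -and name -notlike 'Deleted*' -and whenChanged -ge $DeletedAfter })
        $progress = 0
        foreach ($obj in $pending) {
            if ($obj.lastKnownParent -and (Test-LiveObject -Dn $obj.lastKnownParent)) {
                Restore-ADObject -Identity $obj.ObjectGUID    # goes back under lastKnownParent
                $restored += $obj.ObjectGUID
                $progress++
            }
        }
    } while ($pending.Count -gt 0 -and $progress -gt 0)
    if ($pending.Count -gt 0) { Write-Warning "$($pending.Count) object(s) not restored: parent still deleted" }
    return $restored
}

# Constructed usage matching the post: everything deleted in the last hour, the Finance OU first, then its contents
Restore-DeletedTree -DomainDn 'DC=minisoft,DC=com' -DeletedAfter (Get-Date).AddHours(-1)
```

The time window is the safety catch: scoping to one deletion event keeps an older, intentionally deleted object from being resurrected along with the OU you actually meant to bring back.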

June 7, 2009

Remote Server Administration Tools on Windows Vista

If you want to do remote management from Windows client computers, you should install RSAT. Unfortunately, this tool is only available for Windows Vista.

You can download and find more detailed information from here:
http://support.microsoft.com/kb/941314

Install the RSAT

RSAT Setup

While the update process was still running, I examined the Administrative Tools on Windows Vista to show you the previous condition.

Administrative Tools before RSAT Installed

Go to Control Panel, Programs, Programs and Features, and then click Turn Windows features on or off. You will see the difference.

Turn Windows Features On or Off after RSAT

Here is the Administrative Tools program group after I turned on some of the RSAT features.

Administrative Tools After RSAT Installed

June 3, 2009

ADMX Migrator

ADMX Migrator, which is created and supported by FullArmor, enables you to convert ADM files to the ADMX format and take advantage of the additional capabilities that it provides. The new XML-based format includes multilanguage support, an optional centralized datastore, and version control capabilities.

ADM
ADM files are the Administrative Template files included by default in Windows operating system and service pack releases, beginning with Windows 2000, for managing Group Policy.

ADMX
If you've started using Windows Vista and Windows Server 2008 in your environment, you may have noticed the new Group Policy ADMX format. This new format for Group Policy templates takes advantage of new features and capabilities.
In the new ADMX format, registry-based policy settings are defined using XML instead of the proprietary format that ADM files used. The new templates come with many more settings, almost 2,400 in Windows Vista, several hundred more than Windows XP.

ADMX Migrator
I needed this tool to convert a customized ADM file to the ADMX format used in Windows Server 2008.

You can download ADMX Migrator here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0F1EEC3D-10C4-4B5F-9625-97C2F731090C&displaylang=en

An Example of ADM File

This is the content of my ADM file:

CLASS USER
CATEGORY !!DisableWindowsTour

	KEYNAME "Software\Microsoft\Windows\CurrentVersion\Applets\Tour"

	POLICY !!DisableWindowsTour

		VALUENAME "RunCount"
		VALUEON NUMERIC 1
		VALUEOFF NUMERIC 0

	END POLICY

END CATEGORY

[strings]
DisableWindowsTour="Disable Windows Tour"


Migrate the ADM File Using ADMX Migrator

ADMX-Test-018

This warning is not a problem. You can add the supported-on information later.

ADMX-Test-020

When prompted to load it to ADMX Editor, click Yes.

By default the template is saved to the current user profile; you can use Save As to choose a different folder.

ADMX-Test-023

Verify the template.

ADMX-Test-025

ADMX-Test-026

Enter the supported-on definition.

ADMX-Test-027

ADMX-Test-028

ADMX-Test-029

Copy the ADMX file to %SystemRoot%\PolicyDefinitions and the en-US ADML file to %SystemRoot%\PolicyDefinitions\en-US.

ADMX-Test-016

Here is the result when opening Group Policy Management Editor.

ADMX-Test-005

ADMX-Test-006
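To make the ADM-to-ADMX mapping concrete, here is an added example (not code from the post and not ADMX Migrator's own code) that converts exactly the ADM subset used in the file shown earlier in this post: one CATEGORY, one POLICY with a NUMERIC VALUEON/VALUEOFF pair, and a [strings] section. It emits the ADMX file, whose display strings are all references into the ADML file, and an en-US ADML, and it fills in the supported-on definition that ADMX Migrator warned about. The namespace prefix and name are assumptions and must be unique among the ADMX files you install; PART blocks, EXPLAIN text and multi-policy files are outside this subset and are rejected rather than mistranslated.

```powershell
# Added example (not from the post, not ADMX Migrator's code); namespace prefix/name are assumed.
function ConvertFrom-AdmText {
    param([Parameter(Mandatory)][string]$AdmText)
    $p = @{ Class = $null; Category = $null; KeyName = $null; Policy = $null
            ValueName = $null; On = $null; Off = $null; Strings = @{} }
    $inStrings = $false; $policies = 0
    foreach ($raw in ($AdmText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }        # blank line or comment
        if ($line -eq '[strings]') { $inStrings = $true; continue }
        if ($inStrings) {                                                # NAME="Display text"
            $k, $v = $line -split '=', 2
            $p.Strings[$k.Trim()] = $v.Trim().Trim('"')
            continue
        }
        switch -Regex ($line) {
            '^CLASS\s+(USER|MACHINE)$'     { $p.Class = $Matches[1] }
            '^CATEGORY\s+!!(\S+)$'         { $p.Category = $Matches[1] }
            '^KEYNAME\s+"([^"]+)"$'        { $p.KeyName = $Matches[1] }
            '^POLICY\s+!!(\S+)$'           { $p.Policy = $Matches[1]; $policies++ }
            '^VALUENAME\s+"([^"]+)"$'      { $p.ValueName = $Matches[1] }
            '^VALUEON\s+NUMERIC\s+(\d+)$'  { $p.On = [int]$Matches[1] }
            '^VALUEOFF\s+NUMERIC\s+(\d+)$' { $p.Off = [int]$Matches[1] }
            '^END (POLICY|CATEGORY)$'      { }
            default                        { throw "Unsupported ADM line: $line" }
        }
    }
    if ($policies -ne 1) { throw "Expected exactly one POLICY block, found $policies" }
    foreach ($k in 'Class','Category','KeyName','Policy','ValueName','On','Off') {
        if ($null -eq $p[$k]) { throw "ADM text is missing $k" }
    }
    return $p
}

function ConvertTo-Admx {
    param([Parameter(Mandatory)][string]$AdmText,
          [string]$Prefix = 'CustomTour', [string]$Namespace = 'Custom.Policies.Tour')
    $p = ConvertFrom-AdmText -AdmText $AdmText
    $esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }
    $class = if ($p.Class -eq 'MACHINE') { 'Machine' } else { 'User' }
    # ADMX carries structure only; every display string is a $(string.id) reference into the ADML
    $admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces><target prefix="{0}" namespace="{1}" /></policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn><definitions>
    <definition name="SUPPORTED_ALL" displayName="$(string.SUPPORTED_ALL)" />
  </definitions></supportedOn>
  <categories><category name="{2}" displayName="$(string.{2})" /></categories>
  <policies>
    <policy name="{3}" class="{4}" displayName="$(string.{3})" key="{5}" valueName="{6}">
      <parentCategory ref="{2}" />
      <supportedOn ref="SUPPORTED_ALL" />
      <enabledValue><decimal value="{7}" /></enabledValue>
      <disabledValue><decimal value="{8}" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@ -f $Prefix, $Namespace, $p.Category, $p.Policy, $class, (& $esc $p.KeyName), (& $esc $p.ValueName), $p.On, $p.Off
    $table = ($p.Strings.GetEnumerator() | ForEach-Object {
        '      <string id="{0}">{1}</string>' -f $_.Key, (& $esc $_.Value) }) -join "`n"
    $adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>{0}</displayName>
  <description>Converted from an ADM file</description>
  <resources><stringTable>
{1}
      <string id="SUPPORTED_ALL">All supported Windows versions</string>
  </stringTable></resources>
</policyDefinitionResources>
'@ -f (& $esc $p.Strings[$p.Policy]), $table
    return @{ Admx = $admx; Adml = $adml; BaseName = $Prefix }
}

# Sample input: the ADM file shown in this post
$adm = @'
CLASS USER
CATEGORY !!DisableWindowsTour
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Applets\Tour"
    POLICY !!DisableWindowsTour
        VALUENAME "RunCount"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY
[strings]
DisableWindowsTour="Disable Windows Tour"
'@
$out = ConvertTo-Admx -AdmText $adm
# Same destination the post copies to (a central store would be under SYSVOL\...\PolicyDefinitions)
$dir = "$env:SystemRoot\PolicyDefinitions"
Set-Content -Path (Join-Path $dir "$($out.BaseName).admx") -Value $out.Admx -Encoding UTF8
Set-Content -Path (Join-Path $dir "en-US\$($out.BaseName).adml") -Value $out.Adml -Encoding UTF8
```

The split between the two files is the point of the format: the ADMX maps CLASS to class, KEYNAME and VALUENAME to the key and valueName attributes, and VALUEON/VALUEOFF to enabledValue/disabledValue, while every !!name reference becomes a $(string.name) lookup resolved from the language-specific ADML.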
