Tag Archives: AD Attributes

Active Directory Protected Users Security Group

Active Directory is a great tool, no doubt about it; with it administrators can work their magic to manage the resources in an infrastructure. But at the same time, if someone gains access to a privileged AD account, they can use it across every domain-joined resource. So protecting the AD infrastructure is critical.

Microsoft keeps adding security features to Active Directory Domain Services to protect infrastructures against emerging threats. The “Protected Users” group is one of them: introduced with Windows Server 2012 R2 Active Directory Domain Services, it protects “high-value” accounts (typically administrative accounts) in the AD infrastructure. The advantage of this feature is that members of the group get a set of “non-configurable” protections automatically. I think this is a good point, especially for a security feature: when options are configurable, admins change them to make their lives easier and sometimes lose the whole point of the security control. With this group the only way to modify the protection for an account is to remove it from the group.

The group is created when the PDC emulator FSMO role is held by a domain controller running Windows Server 2012 R2. The domain-side protections listed below require the domain functional level to be Windows Server 2012 R2, and the device-side protections (no credential caching, no NTLM, Digest or CredSSP sign-in) only apply on devices running at least Windows 8.1 or Windows Server 2012 R2.

What it does?

According to Microsoft,

1.    The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected Users group.
2.    The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
3.    The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
4.    The default Kerberos Ticket Granting Tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours have passed, the user must authenticate again.

This protection should not be used for service accounts or computer accounts: they typically depend on NTLM or on Kerberos delegation, both of which the group blocks, so membership is likely to break them.
The following table lists the properties of the group:

Well-known SID/RID: S-1-5-21-<domain>-525
Type: Domain Global
Default container: CN=Users, DC=<domain>, DC=
Default members: None
Default member of: None
Protected by ADMINSDHOLDER? No
Safe to move out of default container? Yes
Safe to delegate management of this group to non-service admins? No
Default user rights: No default user rights

How to add members to the group?

To add a user:

1)    Log in to the domain controller as a Domain Admin or Enterprise Admin
2)    Go to Server Manager > Tools > Active Directory Users and Computers
3)    Under the “Users” container you will find the “Protected Users” group


4)    Double-click to open the group properties; under the “Members” tab you can add the users and groups that should be protected. Add one account first and confirm it can still sign in everywhere it needs to before adding the rest, and keep at least one break-glass administrative account outside the group: a member whose logons depended on NTLM or cached credentials is locked out of those logons immediately.


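As an added example that is not part of the original post, the following PowerShell script does the same job as the ADUC steps above, with the checks a practitioner wants before touching this group: it confirms the domain-side requirements described earlier (domain functional level and the PDC emulator's operating system), resolves the group by its well-known RID 525 rather than by display name, and refuses to add computer objects, managed service accounts or accounts carrying a servicePrincipalName, since those usually rely on NTLM or delegation and will break. It assumes the RSAT ActiveDirectory module and an account allowed to modify the group; the candidate account names are assumptions for the demo.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and Domain Admin (or delegated) rights on the Protected Users group.
Import-Module ActiveDirectory

# Candidate accounts to protect (assumed sAMAccountNames for this demo)
$candidates = @('admin.jane', 'admin.bob')

# --- 1. Domain-side requirements ------------------------------------------
$domain   = Get-ADDomain
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ($domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); $required or higher is needed for the domain-side protections."
}
# The group itself is created by a Windows Server 2012 R2 (or later) PDC emulator
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
Write-Host "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem)"

# --- 2. Resolve the group by its well-known RID (domain SID + 525) ----------
$protectedUsers = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525"
Write-Host "Target group: $($protectedUsers.DistinguishedName)"

# --- 3. Keep out anything that is not an ordinary user account -------------
$toAdd = foreach ($sam in $candidates) {
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass, servicePrincipalName
    if (-not $obj) { Write-Warning "$sam not found, skipping"; continue }
    if ($obj.objectClass -ne 'user') {
        # computers and (group) managed service accounts must never be members
        Write-Warning "$sam is a $($obj.objectClass) object, skipping"
        continue
    }
    if ($obj.servicePrincipalName.Count -gt 0) {
        # an SPN marks a service account; it will lose NTLM and delegation
        Write-Warning "$sam has SPNs ($($obj.servicePrincipalName -join ', ')), looks like a service account, skipping"
        continue
    }
    $obj.DistinguishedName
}

# --- 4. Add and verify -------------------------------------------------------
if ($toAdd) {
    Add-ADGroupMember -Identity $protectedUsers -Members $toAdd
}
$members = Get-ADGroupMember -Identity $protectedUsers
$members | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize

# Audit: flag anything already in the group that should not be there
$members | Where-Object { $_.objectClass -ne 'user' } |
    ForEach-Object { Write-Warning "Non-user member in Protected Users: $($_.distinguishedName)" }
```

The audit at the end is worth running on a schedule, not only at onboarding: once the group exists, anyone with rights on it can add a computer or service account by mistake, and the failure shows up as broken services rather than as a security event.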
Hope this helps. If you have any questions about the post feel free to contact me at rebeladm@live.com

Active Directory Recycle Bin

What will happen if you have deleted the wrong user account, or any other AD object, in your AD environment? “Recovery” is the answer, but the issue is how fast and how easily you can do it.

Once an Active Directory object is deleted it is automatically moved into the Deleted Objects container as a tombstone, and the directory's garbage collection process (which runs every 12 hours by default) removes it permanently once its tombstone lifetime has expired: 180 days for forests created on Windows Server 2003 SP1 or later, 60 days for older forests. So, unless you restore from an AD backup, a deleted object can be reanimated with the LDP.exe tool before it is garbage-collected. The problem is that a reanimated tombstone comes back with only a handful of its attributes; most values, including group memberships, are stripped when the object is tombstoned.

Microsoft came up with a feature to answer this. It was introduced in Windows Server 2008 R2 and is called the “Active Directory Recycle Bin”. It works much like the Recycle Bin in the Windows operating system: you can undelete any deleted AD object and, more importantly, restore it with a few clicks along with all of its attributes, group memberships included. By default the Recycle Bin keeps a deleted object restorable for 180 days (the deleted-object lifetime, which falls back to the forest's tombstone lifetime when it is not set explicitly); after that it becomes a recycled object, which can no longer be restored and is later purged.

The feature has to be enabled manually. To use it the forest functional level must be at least Windows Server 2008 R2, and once it is enabled it cannot be disabled.

Let’s see how to do it. In my demo, Active Directory runs on Windows Server 2012 R2.

1)    Log in to the domain controller as a member of the Enterprise Admins group (enabling a forest-wide optional feature requires Enterprise Admins membership)
2)    Then go to Server Manager > Tools > Active Directory Administrative Center


3)    It opens the Active Directory Administrative Center; click on the domain name in the left pane


4)    Then, under the Tasks panel, click on “Enable Recycle Bin”


5)    A pop-up asks you to confirm the action; as mentioned earlier, once the feature is enabled it cannot be disabled


6)    Then an info window explains the feature and its replication. Click OK to close the window


Because it is a forest-wide setting, it takes some time to replicate to every domain controller in the forest. After replication it's time to test the feature and see how the restore process works.
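The same enablement from PowerShell, as an added example that is not part of the original post: it checks the forest functional level requirement above, skips the enable step if the feature is already on (Enable-ADOptionalFeature errors out otherwise), and then reads the two lifetimes that decide how long a deleted object stays restorable. It assumes the RSAT ActiveDirectory module and an Enterprise Admins account.

```powershell
# Added example, not from the original post. Enabling the Recycle Bin is a
# forest-wide, irreversible change: run as a member of Enterprise Admins.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); $required or higher is required."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join '; ')"
} else {
    # -Confirm:$false suppresses the same "cannot be disabled" prompt ADAC shows
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host "Recycle Bin enabled for forest $($forest.RootDomain); wait for replication."
}

# How long a deleted object stays restorable. If msDS-DeletedObjectLifetime is
# not set it inherits tombstoneLifetime; an absent tombstoneLifetime means the
# 60-day default of forests created before Windows Server 2003 SP1.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
$tombstone       = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$deletedLifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tombstone }
Write-Host "tombstoneLifetime = $tombstone days, deleted object lifetime = $deletedLifetime days"
```

If the last line reports 60 days rather than 180, the forest was upgraded from an old version and the lifetimes were never raised; that is worth knowing before you rely on the Recycle Bin for an object deleted months ago.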

For my demo I am using a user account called “User A”, who is a member of Group_A and Group_B. I am going to delete the user and recover it using the AD Recycle Bin.


To recover the object:

1)    Go to Server Manager > Tools > Active Directory Administrative Center
2)    Click on the domain name and the arrow in front of it, then click on “Deleted Objects”


3)    It lists the objects held by the AD Recycle Bin. Here we can see the User A account I just deleted


4)    To restore the object, right-click on it and select “Restore”; this puts it back in its original location. If you need to, you can select which container to restore it to with the “Restore To” option. “Restore To” is also the way out when the object's original OU was deleted as well: either restore the parent OU first or pick a new container, because a deleted object cannot go back into a parent that no longer exists


5)    Now in AD I can see the restored object along with its attributes and group memberships


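The restore from PowerShell, as an added example that is not part of the original post. It finds the deleted object by sAMAccountName (deleted objects are invisible to normal queries, and recycled ones can no longer be restored), handles the case where the original parent OU is gone as well, and verifies afterwards that the group memberships came back. It assumes the Recycle Bin is enabled; “UserA” is the demo account from the walkthrough and the fallback OU is an assumption.

```powershell
# Added example, not from the original post. Assumes the AD Recycle Bin is
# already enabled and the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$sam      = 'UserA'                                    # demo account from the post
$fallback = 'OU=Sales Department,DC=contoso,DC=com'    # assumed OU for this demo

# Deleted objects are hidden from normal searches; -IncludeDeletedObjects exposes
# them. Recycled objects (past the deleted-object lifetime) cannot be restored,
# so they are excluded from the match.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and sAMAccountName -eq $sam' `
    -Properties sAMAccountName, lastKnownParent, whenChanged, 'msDS-LastKnownRDN'

if (-not $deleted) { throw "No restorable deleted object with sAMAccountName $sam" }
if (@($deleted).Count -gt 1) {
    # the same account may have been deleted and recreated more than once
    $deleted | Select-Object 'msDS-LastKnownRDN', whenChanged, ObjectGUID | Format-Table -AutoSize
    throw "More than one match for $sam; restore the right one by ObjectGUID instead"
}

# Restore-ADObject fails if the original parent was deleted too. Either restore
# the parent first or supply -TargetPath, exactly like "Restore To" in ADAC.
$parentDn     = $deleted.lastKnownParent
$parentExists = $null -ne (Get-ADObject -Filter 'distinguishedName -eq $parentDn' -ErrorAction SilentlyContinue)

if ($parentExists) {
    Restore-ADObject -Identity $deleted.ObjectGUID
    Write-Host "Restored $sam to $parentDn"
} else {
    Write-Warning "Original parent $parentDn is gone; restoring $sam to $fallback instead"
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $fallback
}

# Verify: the object is back with its attributes and its linked group memberships
$restored = Get-ADUser -Identity $sam -Properties whenChanged
$restored | Select-Object DistinguishedName, Enabled, whenChanged
(Get-ADPrincipalGroupMembership -Identity $restored).Name
```

Restoring by ObjectGUID rather than by name is deliberate: the deleted object's name is mangled to "<name>\0ADEL:<guid>", and a second object with the same sAMAccountName may have been created in the meantime.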
So, as you can see, it is a very fast and effective solution. This is the end of this article; if you have any questions feel free to contact me at rebeladm@live.com

Create Users with User Templates in AD

This is one of the Active Directory features that most administrators and system engineers don't use in typical networks. Even though it is a small feature, it is very helpful in larger infrastructures and saves a lot of time and avoids errors when creating users in AD and assigning permissions and group memberships.

Even though most don't use it, the user account template feature has been around since Windows NT 4.0. In a domain environment many user accounts share the same properties. For example, almost all users in the sales department are members of the same security groups and distribution groups, so every time you create a new sales user you have to add those group memberships manually. What if the users are in 10 groups? How long does it take to copy the memberships from an existing user to a new one? If you need to add 10 new users, do you repeat the procedure 10 times? Can we guarantee the administrator assigned the task won't miss any? If we delegate account creation to the HR department, can a typical clerk follow such a complex procedure? The answer to all of these questions is to use user account templates for the task.

In AD we can create a user template with all the common attributes and group memberships, and use it whenever we add a new user who shares those properties.

Let’s look at the configuration. In my demo I have already set up the domain contoso.com, and in AD there is an organizational unit called “Sales Department”; everyone in that department will share the same properties. Let’s create a user account template for the task.

To do this, right-click on the OU and click New > User.


In the New Object - User wizard, fill in the full name as "Sales User Template" and the user logon name as Sales.Template. Leave First name and Last name empty, since those are unique to each user. Then click Next to continue.


In the next window we define the password. I selected the options "User must change password at next logon" and "Account is disabled", so every new account created from this template will be disabled until it is enabled manually, which is good practice for user account creation, and the user gets to define their own password at first logon. Once the selection is complete, click Next to continue.


The next window shows a summary of the selections; click "Finish" to create the template in AD.


Even though the user is created, I still need to add some more properties to the template that will be shared by the users created from it. To do that, right-click on the user and click Properties.


First I go to the "Member Of" tab and use the "Add" button to add the groups the users will be assigned to. In my demo I used three group memberships:

All Users, Sales Leads, Sales Users


Then in the "Organization" tab I fill in the relevant info for the template.


Then I go to the "Account" tab, click the "Logon Hours" button and, in the pop-up, deny sales users logon to the network over the weekend.


Then in the "Profile" tab I map the Z: drive to a common share used by the sales department.


Once everything is done, click "OK" to apply the changes to the template. Keep in mind that the template is a real security principal carrying every group membership of the department: leave it permanently disabled, never give it a password anyone knows, and treat an event that enables it as something to investigate.


Now we have the user template in place, so let's go ahead and add a user based on it. To do that, right-click on the "Sales User Template" user we just added and click "Copy".


In the new user wizard fill in the appropriate info and click Next.


In the next window we can see that the options selected on the template are already set (account disabled, user must change password at next logon); we only need to define a password and click Next to continue.


The next window lists the selections; click Finish to create the new sales user.


Now let's check whether the new account has the properties the template has.

Organization tab (Job Title shows empty, since it is unique per user and is not copied)


Profile Tab


Account Tab


Member of Tab


So we can see it all worked as expected; it saves a lot of time and the user was created without missing any relevant info.
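Both halves of the walkthrough (building the template and copying it into a new user) in PowerShell, as an added example that is not part of the original post. The ADUC "Copy" action copies whichever attributes the schema flags as copyable; this script copies an explicit, reviewable list instead, adds the group memberships separately (memberOf is a back-link and cannot be copied as an attribute), refuses to copy from a template that has been enabled, and finishes with the audit a practitioner wants: no template account may ever become a usable logon. It assumes the RSAT ActiveDirectory module, the contoso.com domain and "Sales Department" OU from the walkthrough; the file server path, the new user's name and the group names are assumptions.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, the contoso.com domain and the "Sales Department" OU of the walkthrough;
# server path, group names and the sample user are assumptions for this demo.
Import-Module ActiveDirectory

$ou     = 'OU=Sales Department,DC=contoso,DC=com'
$tplSam = 'Sales.Template'
$groups = 'All Users', 'Sales Leads', 'Sales Users'

# --- 1. Build the template: disabled, no password, shared attributes ---------
if (-not (Get-ADUser -Filter 'sAMAccountName -eq $tplSam')) {
    New-ADUser -Name 'Sales User Template' -SamAccountName $tplSam -Path $ou `
        -Department 'Sales' -Company 'Contoso' `
        -HomeDrive 'Z:' -HomeDirectory '\\fs01\sales' `
        -ChangePasswordAtLogon $true -Enabled $false
    foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members $tplSam }

    # logonHours is 21 bytes = 7 days x 24 hour-bits, Sunday first, expressed in
    # UTC (ADUC displays it in local time, so the weekend edge shifts by your
    # offset). Allow everything, then clear Sunday (0-2) and Saturday (18-20).
    $hours = [byte[]](@(0xFF) * 21)
    foreach ($i in (0..2 + 18..20)) { $hours[$i] = 0 }
    Set-ADUser -Identity $tplSam -Replace @{ logonHours = $hours }
}

# --- 2. Copy the template into a new user -------------------------------------
function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Only the attributes meant to be shared are read; Title is left out on
    # purpose, matching what the ADUC "Copy" action does in the walkthrough.
    $shared = 'Department', 'Company', 'Manager', 'Office', 'StreetAddress', 'City',
              'State', 'PostalCode', 'HomeDrive', 'HomeDirectory', 'ScriptPath',
              'ProfilePath', 'LogonHours'
    $tpl = Get-ADUser -Identity $TemplateSam -Properties $shared
    if ($tpl.Enabled) { throw "Template $TemplateSam is enabled; refusing to copy from it" }

    $name = "$GivenName $Surname"
    $new = New-ADUser -Instance $tpl -Name $name -DisplayName $name `
        -GivenName $GivenName -Surname $Surname -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@contoso.com" `
        -Path ($tpl.DistinguishedName -replace '^CN=[^,]+,', '') `
        -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $false -PassThru

    # Group membership is not an attribute of the user; add it explicitly and skip
    # the primary group (Domain Users, RID 513), which every user has already.
    Get-ADPrincipalGroupMembership -Identity $tpl |
        Where-Object { $_.SID.Value -notlike '*-513' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $new }
    return $new
}

# Sample use (assumed person for the demo); the account stays disabled until HR enables it
$pw  = Read-Host -AsSecureString 'Initial password for the new user'
$new = New-UserFromTemplate -TemplateSam $tplSam -GivenName 'Dilan' -Surname 'Perera' `
           -SamAccountName 'dilan.perera' -Password $pw
Get-ADUser -Identity $new -Properties Department, HomeDrive, HomeDirectory |
    Select-Object Name, Enabled, Department, HomeDrive, HomeDirectory
(Get-ADPrincipalGroupMembership -Identity $new).Name

# --- 3. Audit: template accounts must never become usable logons -------------
# PasswordLastSet stays empty while "must change password at next logon" is set,
# so a value there, or Enabled = True, means someone turned the template into a logon.
Get-ADUser -Filter 'sAMAccountName -like "*.Template"' -Properties PasswordLastSet |
    Where-Object { $_.Enabled -or $_.PasswordLastSet } |
    ForEach-Object { Write-Warning "Template $($_.SamAccountName) is enabled or has a password set" }
```

Because the template holds the department's memberships, watching for Security event 4722 ("A user account was enabled") on template accounts is a cheap detection to pair with the audit at the end of the script.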