Tag Archives: Domain Services

Active Directory Right Management Service (AD RMS) – Part 01

Microsoft had taken their first approach to information rights management (IRM) by introducing Windows Right Management Service with Windows Server 2003. This was fully compliant with Federal Information Processing Standard (FIPS) 140-1. The update version of Windows Right Management was renamed as Active Directory Rights Management Services and re introduced with Windows Server 2008. It continued to grow with features and included with every new windows server versions after that. Microsoft also released Azure RMS (included in Azure Information Protection) which can use in Hybrid-Cloud environment to protect data. 

However, AD RMS is not the solution for all the Data security requirements. In an infrastructure, there is other things attached to data security. First step of the protection is to decide who have access to corporate network and resources. This fall under perimeter defense and Hardware/Software firewalls can use to define rules to manage traffic come in to corporate network and traffic goes out from corporate network. Modern Layer-7 Firewalls and Next Generation Firewalls allows not only to manage connections but go further on analysis traffic based on applications, user accounts (AD integrated). If users are allowed to use Internet, it also can bring threats to corporate data. It can be via viruses, malware, phishing emails etc. Similar threats can be eliminate using Layer 7 firewalls or Proxies. The next step on Data Protection is to controlled the data access for users and groups in the corporate network. This is done by using NTFS and Access Control Lists (ACLs). These helps to control who have access to what data and resources. The challenge is to protect data once users and groups have access to it. As an example, REBELADMIN Inc. does have Sales Department. CEO creates a word document which includes last year total sales and save it in a network folder. The only people have access to it is CEO and Sales Manager. He sent email to Sales Manager and inform about the file. Access to folder is protected by ACLs but ones Sales Manager have access to it, what will prevent him emailing it to a person in Technical Department or bring it home with him and share it with another party? Active Directory Right Management Service controls the behavior of data once users have access it. But this will not prevent data leakage via digital photographs, third-party screen capturing, hard copies or viruses and malware. 

AD RMS can,

Follow Data with Policies (Persistent Usage Rights and Conditions) –  NTFS permission and ACLs only can manage a data within its operation boundaries. In my previous example, when the report is inside the Sales folder it will only can access by CEO and Sales Manager. However, if its copied to local disk, forward as email it will bypass the NTFS permissions and ACLs. AD RMS uses Persistent usage policies which follows the data. Even its moved, forwarded, the policies will follow it. 

Prevent Confidential Emails going in to wrong hands – Emails is one of the media that commonly involves with data leakage. Constants news are coming on medias due to wrong peoples got access to “confidential” emails. Once email is left outgoing email folder, we do not have control over the data and we do not have guarantee if this is only access by the recipient and it’s not forwarded to another party that original sender not aware of. AD RMS can prevent recipient been forwarding, modifying, copying or printing confidential emails. It also guarantees, its only can open by the expected recipient.

Prevent Data been access by unauthorized peoples – Similar to emails, AD RMS can also protect confidential files, reports been modified, copied, forwarded or print by unauthorized users.

Prevent Users by capturing content using Windows Print Screen feature – Even users do not forward or copy method to send data they still can use print screen option to capture the data in another format. AD RMS can prevent users by using windows print screen tool to capture data. However, this not going to prevent users by using third-party screen capturing solutions. 

File Expiration – AD RMS allows to set time limit to files so after certain period of time, content of it will not be able to access. 

Protect Data on Mobile Devices and MAC – People uses mobile devices to access corporate services and data. AD RMS mobile extension allow to extend its data protection capabilities in to mobile devices which runs with Windows, Android or iOS. In order to do that, Device should have latest RMS clients and RMS aware apps installed as well. This also applies to MAC devices as long as it uses Office 2016 for MAC and RMS aware applications. 

Integration with Applications – AD RMS not only support Microsoft office files, its support wide range of applications and file types. As an example, AD RMS directly can integrate with Share Point (2007 onwards) to protect the documents published on intranet site. There are third party applications which support RMS too. It also supports file types such as .pdf, .jpg, .txt, .xml. This allow corporates to protects more and more data types in infrastructure. 

This marks the end of this blog post. In Part 02 I will be explaining the components of RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to Setup Read-only Domain Controller (PowerShell Guide)

RODC are a great feature which is introduce with windows server 2008 in order to maintain a low risk domain controller in locations where it cannot guarantee physical security and the maintenance. Though out article we have discussed possible scenarios where we required a domain controller in a remote site. When considering a domain controller in remote site, the link between site is not the only thing we need to focus on. When we deploy a domain controller, by default it will be aware of any changes in active directory structure. Once an update trigger, it updates its own copy of the active directory database. This ntds.dit file is contain everything about active directory infrastructure, including identity data of the user objects. If its falls in to wrong hands, they can retrieve data related to identities and compromise the identity infrastructure. when consider about information security, the physical security is also important. That’s why the datacenters have al sort of security standards. So, when deploying a domain controller in remote site, physical security also a consideration as we do not need to have loose ends. If you have a requirement for domain controller in remote site and yet you cannot confirm its security the RODC is the answer. RODC do not store any password in its database. All the authentication request against an object will be process by the closest writable domain controller. So even someone manage to get copy of the database they will not be able to do much. 

RODC deployment process involves following stages. In this process, we can use a pre-selected account and promote the RODC using it instead of using Domain Admin or Enterprise Administrator account. 

1) Setup Computer Account for RODC domain controller

2) Attached that account to the RODC during the promo process

In order to create RODC computer account we can use Add-ADDSReadOnlyDomainControllerAccount cmdlet. 

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName REBEL-RODC-01 -DomainName rebeladmin.com -DelegatedAdministratorAccountName "rebeladmin\dfrancis" -SiteName LondonSite

Above command will create RODC domain controller account for REBEL-RODC-01. The domain name is defined using -DomainName and -DelegatedAdministratorAccountName defines which account to delegate the RODC installation. The new RODC will be place in LondonSite

rodc1

Now we can see the newly added object under the Active Directory Domain Controllers.

rodc2

Now we have things ready for the new RODC and next step is to promote it. 

Install-WindowsFeature –Name AD-Domain-Services -IncludeManagementTools

Above command will install the AD DS role first in the RODC. Once its completed we can promote it using, 

Import-Module ADDSDeployment  

Install-ADDSDomainController `  

-Credential (Get-Credential) `  

-CriticalReplicationOnly:$false `  

-DatabasePath "C:\Windows\NTDS" `  

-DomainName "rebeladmin.com" ` 

-LogPath "C:\Windows\NTDS" `

-ReplicationSourceDC "REBEL-PDC-01.rebeladmin.com" `

-SYSVOLPath "C:\Windows\SYSVOL" `  

-UseExistingAccount:$true `  

-Norebootoncompletion:$false  

-Force:$true

Once this is executed it will prompt for the user account and we need to input user account info which was delegated for RODC deployment. The command is very similar to regular domain promotion. 

Now we have the RODC and next steps to look in to password replication policies (PRPs). 

The default policy is already in place and we can view the allowed and denied list using,

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Allowed

Above command will list down the allowed objects for password caching. By default, a security group called “Allowed RODC Password Replication Group” is allowed for the replication. This doesn’t contain any members by default. By adding object to this group will allow caching. 

Get-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -Denied

Above command list down the denied objects for password caching. By default, following security groups are in the denied list. 

Denied RODC Password Replication Group

Account Operators

Server Operators

Backup Operators

Administrators

These are high privileged accounts in active directory infrastructure these should not be cached at all. By adding objects to Denied RODC Password Replication Group, we can simply block the replication. 

Apart from the use of predefine security groups we can add objects to allow and denied list using Add-ADDomainControllerPasswordReplicationPolicy cmdlet. 

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -AllowedList "user1"

Above command will add user object user1 to the allowed list. 

rodc3

Add-ADDomainControllerPasswordReplicationPolicy -Identity REBEL-RODC-01 -DeniedList "user2"

The above command will add the user object “user2” to the denied list. 

rodc4

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Group Policy: WMI Filters in a nutshell

Windows Management Instrumentation (WMI) filters is another method that we can use to filter the group policy target. This method is only can use to filter the computer objects and it based on computer attribute values. As an example, WMI filters can use to filter out different operating system versions, processor architecture (32bit/64bit), Windows server roles, Registry settings, Event id etc. WMI filters will run against WMI data of the computers and decide if it should apply policy or not. If its match the WMI query it will process the group policy and if its false it will not process the group policy. This method was first introduced with windows server 2003. 

We can use GPMC to create/manage WMI filters. Before apply filter to a GPO, first we need to create it. Single WMI filter can attach to many GPO buy a GPO only can have single WMI filter attached. 

To create WMI filter, Open GPMC, right click on WMI Filter and click New.

wmi1

It will open up the new window where we can define the WMI query. 

wmi2

By clicking on Add button we can define the Namespace and WMI query. As an example, I have created a WMI query to filter out windows 10 operating system runs 32-bit version. 

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

In below you can find few examples of commonly use WMI queries,

To Filter OS – Windows 8 – 64bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To Filter OS – Windows 8 – 32 bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

To Filter any Windows server OS – 64bit

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

To apply policy in selected day of the week

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday. 

Once WMI Filter is created, it need to attach to the GPO. To do that Go to GPMC and select the required GPO. Then under the WMI Filtering section, select the required WMI filter from the drop down box. 

wmi3

Now it is time for testing. Out test query is to target 32 bit windows 10 operating systems. if I try to run it over 64-bit operating system it should not apply. We can check this by running gpupdate /force to apply new group policy and gpresult /r to check results. 

wmi4

Test has been successful and the policy was blocked as I am running windows 10 – 64-bit OS version. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Understanding Group Policy Conflicts

In an organization, there can be many group policies in used. Sometime multiple policies may target same thing. In that case it is important to understand which policy going to win. Group Polices precedence order LSDOU and Group Policy Inheritance decides which policy will win in Active Directory structure.  Let’s look in to this further with an example, 

gp1

As per above figure we have two policies inherited to “Users” OU. Policy 01 is Domain linked group policy. Policy 02 is OU linked group policy. Each of the group policy have its own values defined for the three selected settings. Based on the default group policy inheritance, Users OU will have both policies applied. According to LSDOU, Policy 02 will have lowest precedence valve as it is the closest policy for the Users OU. For Password Policy Settings, only Policy 01 has a valve defined. There for even it’s the least preferred group policy, that valve will apply to Users OU. For Windows Firewall Settings, only Policy 02 has a valve. It will also apply to the Users OU. When it comes to the Internet Explorer Settings both policies have values. That makes a conflict. The winning valve of conflicting policy settings will be decided based on LSDOU. There for the wining valve will be from Policy 02

Microsoft allows to change this default policy winning procedure by enforcing policies. When group policy been enforced, it will have the lowest precedence valve regardless where it’s been linked. Another advantage of the enforced policy is, it will apply even OU is blocked inheritance. If domain linked policy been enforced, it will apply to any OU under the domain and it will hold the lowest precedence. If multiple policies been enforced, all of them will take the lowest precedence numbers in order. 

To enforced a policy, load GPMC, right click on the selected group policy and then select “Enforced” option. It will enforce the policy and, change the policy icon with small padlock mark. It allows to identify enforced policies quickly from policy list. 

gp2

In above example, Policy 01 been enforced. It is domain linked group policy. In normal circumstances Policy 02 will gets a lowest precedence value when its applies to the Users OU. But when policy been enforced Policy 01 will have the lowest precedence valve. When we look in to winning policy values of the Users OU, For Password Policy Settings it will process the Policy 01 value as it is the only one have value for it. For Windows Firewall Settings, Policy 01 do not have any value defined. So even its been enforced the winning policy setting will be from Policy 02 as it’s the only one have a valve defined. Policy 01 and Policy 02 both have values for Internet Explorer Settings. But enforced Policy 01 is in top of the policy list and winning policy setting will be from it. 

So far, we talked about conflicting policy settings from different level on domain structure. How it will work if it’s in same level? Policies in same level also apply according to precedence order. When policies are in same level the LSDOU process is no use. The winning policy will decide based on its position in the policy list. The order of the list decided based on “Linked Group Policy Objects” list. This list can view using the Linked Group Policy Objects tab in the OU detail window in GPMC

gp3

The order of policy in same level can be change using two methods. One method is to enforced the policy. When policy is enforced, it will take the priority from the other policies in the same level. but it will not change the “Link Order” of the policy. The order of the list can change using the up and down buttons in the Linked Group Policy Objects Tab. Link order will match the precedence order of the group policies. 

gp4

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Troubleshooting Active Directory Replication Issues (PowerShell Guide)

There are certain windows cmdlets and utilities which we can use for replication issues troubleshooting purpose. Among those, Repadmin.exe is most commonly used Microsoft utility. This is available in servers which have AD DS or AD LDS role installed. It is also part of Remote Server Administration Tools (RSAT). This utility recommended to run as Domain Administrator or Enterprise Administrator. However, it is also possible to delegate permission only to review and manage replication. 

Let’s see it’s in action 

repadmin /replsummary /bydest

above command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

above command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.

repadmin /showrepl REBEL-SRV01.therebeladmin.com 

above command shows the replication partners for REBEL-SRV01.therebeladmin.com and the status of last sync attempt. 

repadmin /showrepl /errorsonly 

above command will list down the replication partners which have replication errors (last sync attempt failed) 

we also can view results in CSV format.

repadmin /showrepl /csv

tr1

repadmin /syncall REBEL-SRV01 dc=therebeladmin,dc=com

above command initiates domain directory partition synchronization with all replication partners of REBEL-SRV01. 

It will also indicate if there were any issues by doing it.

tr2

repadmin /queue

above command shows if there are any unprocessed inbound replications requests. If system keep que requests it can be due to high number of AD changes, System resource issue or too many replication partners. 

repadmin /showchanges REBELNET-PDC01 d3f89917-5fff-40a8-scc2-b148b60d9309 dc=therebeladmin,dc=com

above command list down the changes which are not replicated between server REBELNET-PDC01 and REBEL-SRV01. In here REBEL-SRV01 is the source server and it is listed with object GUID. 

tr3

repadmin /replicate REBEL-SRV01 REBELNET-PDC01 dc=therebeladmin,dc=com

above command initiate immediate directory partition replication from REBELNET-PDC01 to REBEL-SRV01.

Apart from the repadmin, there are certain PowerShell cmdlets which we can use to troubleshoot replication issues. Get-ADReplicationFailure cmdlet is one of those which can collect data about replication failures. 

Get-ADReplicationFailure -Target REBEL-SRV01

Above command will collect information about replication failures associated with REBEL-SRV01. 

This also can do with multiple servers. 

Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01

Further we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain

Or even entire forest

Get-ADReplicationFailure -Target " therebeladmin.com" -Scope Forest

Get-ADReplicationConnection cmdlet can list down replication partner details for the given domain controller. 

Get-ADReplicationConnection -Filter *

Above command will list down all replication connection for the domain controller you logged in. 

tr4

We also can filter the replication connections based on the attributes. 

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}

Above command will list down the replication connections with destination server as REBEL-SRV01.

We also can force sync object between domain controllers. 

Sync-ADObject -object “adam” -source REBEL-SRV01 -destination REBELNET-PDC01

Above command will sync user object adam from REBEL-SRV01 to REBELNET-PDC01

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How to Enable Active Directory Recycle Bin? (PowerShell Guide)

Most common active directory related disasters are due to accidently deleted objects. Once object is deleted from active directory, it is not permanently deleteing from the active directory same time. As soon as an object deleted, it will set the isDeleted object value to True and move the object under CN=Deleted Object.

re1

Then the it is stay there till system reaches the tombstone lifetime value. By default, it is 180 days and this can be change if required. As soon as object passes the tombstone lifetime, it is available for permanent deletion. When I explain about the active directory database in previous section I mentioned about “online defragmentation”. It is uses garbage collector service to remove the deleted objects from the active directory database and release that space to database. This service runs in every 12 hours’ time. Once deleted object exceeded the tombstone lifetime value, it will be permanently removed in next garbage collector service cycle. the problem with this one is, during the tombstone process most of the object values are striped off. So even you were able to recover, these objects values will need to re-enter. 

With windows server 2008 R2, Microsoft introduced Active Directory Recycle Bin feature. When this feature is enabled, once object is deleted, it’s still set isDeleted object value to True and move the object under CN=Deleted Object. but instead of tombstone lifetime, now its control by Deleted Object Lifetime (DOL). Object attributes will remain same in this stage and it is recoverable easily. By default, the DOL value is equal to tombstone lifetime. This value can change by modifying msDS-deletedObjectLifetime object value. Once its exceeded the DOL, it is moved in to Recycled state and isRecycled object value set to True. By this state, it will not be able to recovered and it will be in that state till tombstone lifetime value exceed. After it reach the value it will be permanently delete from the AD. 

Active Directory Recycle Bin feature required minimum of windows server 2008 R2 domain and forest functional level. Once this feature is enabled it cannot be disabled. 

This feature can be enable using,

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target rebeladmin.com

In above -Target can be change with your domain name. 

re2

Once it is enabled, we can revive the objects which is deleted using,

Get-ADObject -filter 'isdeleted -eq $true' -includeDeletedObjects

It will search for the objects where isdeleted attributes set to true. 

Now we know the deleted object and it can be restore using, 

Get-ADObject -Filter 'samaccountname -eq "dfrancis"' -IncludeDeletedObjects | Restore-ADObject

The above will restore user object dfrancis

re3

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Find Active Directory Objects (PowerShell Guide)

Active Directory can hold near 2 billion objects. When the number of objects grows, the requirement for affective object filtering grows as well. Active Directory have several GUI options to search/filter specific objects. We also can filter objects using PowerShell. 

In previous posts, we learned about Get-ADUser and Get-ADComputer cmdlets and how it can be used with other commands to filter out objects from Active directory and perform administrative tasks.  It is also can use to retrieve specific attribute values from filtered objects. 

Get-ADUser -Identity user1 -Properties *

In above command, it will list down all the attributes and its values associated with user1. This helps to find exact attributes names and common values which can use for further filtering. 

I need to know values of Name, UserPrincipalName and Modified for all the users. Following command will create a table with attributes and its values. 

Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified

fobj01

I can see some accounts in the list which is service accounts and administrator account. I only want to see the accounts which is in Kingston office

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified  

With above it filters it further based on the City value.

Now I have the list of data I needed, I like to export it to a CSV file for future use. 

Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:\ADUSerList.csv

So, above example shows how search query can build up from granular level to find the exact information needed from objects. 

Search-ADAccount cmdlet can also use to search for the active directory objects based on account and password status. Full syntax for the cmdlet can retrieve using,

Get-Command Search-ADAccount -Syntax 

As an example, it can use to filter the accounts which is locked out. 

Search-ADAccount -LockedOut | FT Name,UserPrincipalName

Above command will list down all the lockout accounts with name and UPN

Unlikely the graphical tools, Powershell queries can build to filter the exact objects and data from active directory. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Managed Service Accounts (PowerShell Guide)

Services Accounts are recommended to use when install application or services in infrastructure. It is dedicated account with specific privileges which use to run services, batch jobs, management tasks. In most of the infrastructures, service accounts are typical user accounts with “Password never expire” option. Since these service accounts are not been use regularly, Administrators have to keep track of these accounts and their credentials. I have seen in many occasions where engineers face in to issues due to outdated or misplace service account credential details. Pain of it is, if you reset the password of service accounts, you will need to update services, databases, application settings to get application or services up and running again. Apart from it Engineers also have to manage service principle names (SPN) which helps to identify service instance uniquely. 

After considering all these challenges Microsoft has introduced Managed Service Accounts with windows server 2008 R2. These accounts got following features and limitations,

No more password management. It uses a complex, random, 240-character password and change that automatically when it reaches the domain or computer password expire date.

It cannot be lock out or use for interactive login. 

One managed service account only can use in one computer. it cannot be share between multiple computers

Simplified SPN Management – System will automatically change the SPN value if sAMaccount details of the computer change or DNS name property change. 

In order to create Managed service account, we can use following command, I am running this from the domain controller.

New-ADServiceAccount -Name "MyAcc1" -RestrictToSingleComputer

In above command I am creating service account called MyAcc1 and I am restricting it to one computer. 

Next step is associate the service account with the Host REBEL-SRV01 where I am going to use this service account. 

Add-ADComputerServiceAccount -Identity REBEL-SRV01 -ServiceAccount "MyAcc1"

Next step is to install service account in the REBEL-SRV01 server. We need active directory PowerShell module for this. We can install it using RSAT tools. Once its ready run the command,

Install-ADServiceAccount -Identity "MyAcc1"

Once it’s done, we can test it using,

Test-ADServiceAccount "MyAcc1"

It is return the value True which means the test is successful. 

msa1
 
From active directory server, we can verify the service account by running
 
Get-ADServiceAccount "MyAcc1"
 
msa2
 
Tip – When configure the Manager service account in service make sure to leave the password as empty. You do not need to define any password there as system auto generate the password. 
 
This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Manage Active Directory Organizational Units (OU) with PowerShell

Similar to any other active directory object, OU structure can manage using Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC) MMC and PowerShell. In this post, I am going to demonstrate how to manage OU structure using PowerShell. 

New Organization Unit can create using New-ADOrganizationalUnit cmdlet. The complete syntax can review using,

Get-Command New-ADOrganizationalUnit -Syntax

As the first step, I am going to create new OU called “Asia” to represent Asia Branch. 

New-ADOrganizationalUnit -Name "Asia" -Description "Asia Branch"

In above command -Description defines description for new OU. When there is no path defined, it will create the OU under the root. We can review the details of the new OU using,

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com”

oup1

We can add/change values of OU attributes using, 

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com” | Set-ADOrganizationalUnit -ManagedBy “Asia IT Team”

Above command will set ManagedBy Attribute to “Asia IT Team”

Tip – When you use ManagedBy attribute, make sure to use existing active directory object for the value. It can be individual user object or group object. If not, command will fail. 

 “Protect from Accidental Deletion” for OU object is nice small safe guard we can apply. It will prevent Accidental OU object deletion. This will be apply by default if you create OU using ADAC or ADUC. 

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com” | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

As the next step, I am going to create Sub OU under Asia OU Called “Users”.

New-ADOrganizationalUnit -Name "Users" -Path “OU=Asia,DC=rebeladmin,DC=com” -Description “Users in Asia Branch” -ProtectedFromAccidentalDeletion $true

Above command will create OU called Users under path OU=Asia,DC=rebeladmin,DC=com. It is also protected from accidental deletion. 

Now we have OU structure created and next step is move objects to it. for that we can use Move-ADObject cmdlet. 

Get-ADUser “tuser3” | Move-ADObject -TargetPath “OU=Users,OU=Asia,DC=rebeladmin,DC=com”

Above command will find user “tuser3” and move object to OU=Users,OU=Asia,DC=rebeladmin,DC=com

We also can move multiple object to the new OU. 

Get-ADUser -Filter 'Name -like "Test*"' -SearchBase “OU=Users,OU=Europe,DC=rebeladmin,DC=com” | Move-ADObject -TargetPath “OU=Users,OU=Asia,DC=rebeladmin,DC=com”

In above command, It will first search all the user accounts what is starts with “Test” in OU=Users,OU=Europe,DC=rebeladmin,DC=com and then move all objects it found to new OU path. 

Tip – If you have ProtectedFromAccidentalDeletion enable on objects, it will not allow to move object to different OU. It need to remove before object move.

If we need to remove OU object it can be done using Remove-ADOrganizationalUnit cmdlet. 

Remove-ADOrganizationalUnit “OU=Laptops,OU=Europe,DC=rebeladmin,DC=com”

Above command will remove OU=Laptops,OU=Europe,DC=rebeladmin,DC=com Organization Unit. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Azure AD now support macOS Conditional Access – Let’s see it in action!

Azure AD conditional access policies allows to provide conditional based access to cloud workloads. 

In one of my previous blog post I explain it in detail what is conditional access policy and how we can configure it. you can find it on http://www.rebeladmin.com/2017/07/conditional-access-policies-azure-active-directory/ . I highly recommend to read it before we continue on this post. 

In Condition Access Policy, there are two main section.

Assignments –  This is where we can define conditions applying to user environment such as users and groups, applications, device platform, login locations etc.

Access Control –  This is to control access for the users and groups when they comply with the conditions specified in the “assignments” section. it can be either allow access or deny access. 

Under Assignment section we can define device platforms involves in the condition. Before when I wrote my previous post it was only supporting for following platforms.

• Android

• iOS

• Windows Phone

• Windows

From November 14th 2017, Azure AD add macOS to the list. With this update following OS versions, applications, and browsers are supported on macOS for conditional access:

Operating Systems

macOS 10.11+

Applications

Microsoft Office 2016 for macOS v15.34 and later

Microsoft Teams

Web applications (via Application Proxy)

Browsers

Safari

Chrome

In original documentation, it didn’t say anything about web apps but in this demo, I am going to use conditional access with on-premises web app which is publish to internet using Azure Application Proxy. I wrote article about application proxy while ago and it can access via http://www.rebeladmin.com/2017/06/azure-active-directory-application-proxy-part-02/ 

Before start configuration, let me explain little bit about my environment. I have on-premises domain environment with therebeladmin.com. I integrated it with Azure AD Premium and I have healthy sync. I have on-premises webapp and I have published it to internet using Azure Application Proxy so I can use Azure AD authentication with it. webapp can access via https://webapp-myrebeladmin.msappproxy.net/webapp/ 

I have a mac with sierra running. In this demo, I am going to setup a conditional access policy to block access to webapp if the request coming from a mac environment. 

mac01

In order to configure this, 

1) Log on to Azure as global admin
2) Click on Azure Active Directory from left menu.
 
mac2
 
3) Then in Azure Active Directory panel, click on Conditional Access under security section. 
 
mac3
 
4) It will load up the conditional access window. Click on + New Policy to create new policy. 
 
mac4
 
5) It will open up policy window where we can define policy settings. First thing first, provide a name for policy. in my case I will use “Block access from macOS
 
mac5
 
6) Then click on User and groups to define target users for the policy. in this demo, I am going to target All users. once selection is done click on Done
 
mac6
 
7) Then Click on Clouds Apps to select application for the policy. in my policy, I am going to target rebelwebapp. Once selection is done click on Select and the Done to complete the process. 
 
mac7
 
8) Next step is to define the conditions. In order to do that click on Conditions option. In here I am only worrying about device platforms. To select platforms, click on option Device Platforms. Then to enable the condition click on Yes under configure and then under include tab select macOS. After that click on Done in both windows to complete the process. 
 
mac8
 
9) Next step to define access control rules. To do that click on Grant under access controls section. in my demo, I am going to block access to app. So, I am selecting block access option. Once selection is done click on select to complete the action. 
 
mac9
 
10) Now policy is ready. To enable it click On tab under Enable Policy option. 
 
mac10
 
11) Then to create the policy, click on Create button. 
 
mac11
 
12) Now policy is ready and next step is to test it. in order to do that I am using webapp url via mac. As soon as I access url, it asks for login.
 
mac12
 
13) As soon as I type user name and password, I get following response saying it is not allowed. 
 
mac13
 
14) If we click on More Details it gives more info about error. As expected it was due to the conditional access policy we set up. Nice ha!!
 
mac14
 
So as expected, conditional access with macOS working fine. This is another good step forward. Well done Microsoft! This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.