Tag Archives: domain

Restricted Groups using group policies

In previous post I explain about the different groups we can create in a domain environment. In an organization some time you may need to grant permissions for different users to manage these groups and its memberships. But some time it is better if we can lock some of these memberships for security reasons. For example let’s assume you have a group which have access to financial records of the organization which should only have access to upper management. So membership of the group is important.

Restricted group policy is the answer for that. Using group policy you can specify the membership and enforce. So no one can add or remove members.

Let’s see how we can do it in domain environment.

For the demo I created a group called “Remote Clients” and made usera and userb members of it.
But for the demo I need to restrict the group membership and only use testa user as a member.

restrict1

To do it go to server manager > tools > group policy management

restrict2

Then go to the OU you wish to apply restrict group policy. If it’s going to apply for the organization you can make it global policy as well. Then right click on OU name and select “Create GPO in this domain an link it here

restrict3

Then provide the name for new policy and click ok.

restrict4

Then go to the OU again and right click on the new GPO and click on edit.

restrict5

Then go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups folder
Right click on it and click “Add Group

restrict6

restrict7

Then go and select the group you need to add, in my demo its Remote Clients. Then click ok.

restrict8

Then it gives option to add members to the group. Also if this group should need to be added as member of another group.

restrict9

In here I added user testa and I need to force the membership only to this user.

restrict10

restrict11

Now it’s all done. Next time when policy applied it will overwrite the current membership.

restrict12

If you have any question feel free to contact me on rebeladm@live.com

Step-by-Step Guide to setup windows azure active directory – Part 01

This is the start of series of post which will explain installation and configuration of WAAD. In previous article I explain about the WAAD and its features. If you not read it yet you can find it here.

Windows Azure Active Directory (WAAD)

In this post I will demonstrate how we can do the WAAD initial setup. As explain on previous post Azure AD comes with 3 versions. Once you subscribed with required version, to setup log in to Azure Management Portal.

azure1

Then click on +New button on the left hand bottom corner.

azure2

Then go and click on App Services > Active Directory > Directory

azure3

Then click on Custom Create to create WAAD instance with your requirements.

azure4

Once click on it will open a form. In here “Name” field refer to the instance name. “Domain Name” should be unique name. Initially it create with .onmicrosoft.com extension. But later you can change it to domain name your organization already using.

Once these info are filed in click on complete button.

azure5

Once it’s complete it can see on the portal as active.

azure6

Then if you click on selected instance it will bring you to the page where you can configure the WAAD instance.

azure7

As the first configuration we need to add the domain to match with our existing organization. Because on setup it uses a name with .onmicrosoft.com extension. To do this click on domains tab.

azure8

Then once load click on “Add a custom domain

azure9

In new wizard, put the domain name to match with local active directory domain. In here later i will configure SSO with local AD. So I selected that option too. Once information are type in click on add to continue.

azure10

Once it’s done it will list on the page. But as we can see here it’s not yet “verified” and set as “primary domain”. To do that we need to do the AD integration with local organization. In next post let’s see how we can do that.

azure11

If you have any questions about the post feel free to contact me on rebeladm@live.com

Active Directory Domain Migration / Active Directory Forest Restructure

When plan for AD infrastructure design main concerns are to maintain the hierarchy and reduce the complexity. We can’t expect businesses to be same for years, as business grows we will also need to apply changes to the infrastructure design. For example company may move to a different business name, may be acquired by another company or else merge with another company. Any of the above situations may cause major AD infrastructure design change. This is where AD migration and Forest restructure techniques comes in handy.

There are mainly two types of AD migrations or restructure.

1)    InterForest – This is mainly happens when company involves with mergers, acquisitions which will need to integrate the resources between forests. When migrate between forest both target forest and source forest will exist. It make easier to roll back changes at any time.

2)    IntraForest – This is mainly apply when you try to reduce the complexity of the domain structure. So it will not involve with multiple forest. Source domain and target domain both will be under same forest. Unlike the interforest, if you need to roll back you need to go with reverse migration to get things back to previous state.

Let’s look in to the comparison between these two types against migration considerations.

Migration Considerations

InterForest

IntraForest

Object Preservation

Objects are cloned. Original objects will be remain in the source.

User and Group objects will be migrated and will not exist in source. Computer and Service accounts will remain enabled in source location.

Password Retention

Optional

Retained

Local Profile Migration

Tools like ADMT should use to migrate the local profiles

Will be migrated automatically

Accounts in Closed Set

Do not need to migrate

Must migrate

Security Identifier (SID) history

Optional

Required for the user, group and computer accounts. No need for managed service accounts.

Microsoft provides a great tool called Active Directory Migration Tool (ADMT) to help with the migration and domain restructure process. The latest tool can download using http://go.microsoft.com/fwlink/?LinkId=401534

ADMT

This tool simplifies the migration of AD objects as its automated most of the tasks. Using wizard with few clicks we can complete the process.

ADMT can run via GUI, command line or as a script. You can download complete guide for this tool from http://go.microsoft.com/fwlink/?LinkId=191734

If you have any question about post feel free to contact me on rebeladm@live.com

Configuring Trusts – Part 4

This is the last part of the series which explain about “Trusts” between infrastructures. If you not checked the other 3 parts yet you can find them in here.

Configuring Trusts – Part 1
Configuring Trusts – Part 2
Configuring Trusts – Part 3

This article will explain how to configure trusts between infrastructures.

Demo Setup

For the demonstration I will be using following setup.

Organization

Domain

Primary DC

Contoso Ltd.

Contoso.com

Microsoft Windows Server 2012 R2

XYZ Ltd.

Xyz.com

Microsoft Windows Server 2012 R2

I am going to initiate a “Forest Trust” between the 2 organizations. It will be Two-Way trust which allows each forest, domains and users to access “allowed” resources in each organization infrastructure.

Before start the process the initial step is to make sure following ports are open in firewalls in both organizations to initiate the trusts.

UDP Port 88 – Kerberos Protocol
TCP and UDP Port 387 – LDAP
TCP Port 445 – Microsoft SMB
TCP Port 135 – Trust endpoint resolution

In order to initiate a trust you need to login as user account which is member of Domain Admins or Enterprise Admins groups.

Also you need to consider about the DNS ( domain name services )before proceed with the trust initiation process. If both organizations using root DNS server coming for both forests it will not be an issue. But if not you need to create DNS Zones in each forest dns servers. In here for the demo I have setup secondary dns zone with transferring copy of running DNS zone on XYZ.com. I have explain DNS zone setup in one of my previous articles in blog. If you not familiar with the process please refer to it here

dns1

1)    To start the process I will log in to contoso.com domain as enterprise administrator.

2)    Then Server Manager > Active Directory Domains and Trusts

t1

3)    In active directory domains and trust snap-in right click on contoso.com domain and click properties

t2

4)    In next window go to “Trusts” tab and click on “New Trust” button

t3

5)    It will open the “New Trust Wizard” click next to start the process

t4

6)    In next window we need to specify the DNS name or the netbios name of the domain we going to initiate trust with. In our demo it will be “xyz.com”. then click next to continue

t5

7)    In next window we need to select the trust type. I have selected “Forest Trust” and click next to continue

t6

8)    We are going to setup “Two-Way” trust so in next window I selected “Two-way” from the list and click continue

t7

9)    Trusts are need to initiate in both sides. But if you have appropriate access permissions to the remote forest, you can initiate it. In next window it give option to initiate the trust in remote forest. Since I do have access I select “Both this domain and specified domain” and click next

t8

10)    In next window I have specified the logins to initiate trust in remote forest (the account need to be member of Domain Admins or Enterprise Admins groups). Then click next to continue

t9

11)    In next windows it ask to select the authentication scope for local forest. In here I select forest-wide authentication

t10

12)     In next windows it ask to select the authentication scope for remote forest. In here I select forest-wide authentication

t11

13)    In  next window it gives brief description about the selections we made and click next to initiate the trust

t12

14)    In next window it asks about routed name suffixes for the local forest. I will use default and click next

t13

15)    In another window it asks to confirm the outgoing trust. Since we initiated the other side of trust, select yes and click next

t14

16)    Next window it asks to confirm incoming trust. Since we initiated the other side of trust, select yes and click next

t15

17)    Then it gives confirmation about the successfully create trust. Click finish to exit from wizard.

t16

18)    In remote XYZ.com we can confirm the initiate trust by looking in to domain properties like we did in steps 1-3

t17

This completes the process of creating forest-trust. The options selected on process will change based on trust type, authentication scope etc.

Testing

For the testing purpose of the trust I have created following scenario.

Contoso domain file server hosts a folder called “Share-Contoso”. We need to provide access to user account called “xyz-user” from XYZ forest to this particular folder.

After initiating the trust, when we going to apply share permission to the “Share-Contoso” folder now we can select users from the XYZ.com domain.

sh1

sh2

After applying permissions I am trying to log in to contoso file server from remote location ( here I used a pc which is not added to domain ) and once its ask to provide logins I have provided the login info for xyz-user for XYZ.com domain.

sh3

Once it’s authenticated we can see it’s provided the access to relevant share.

sh4

As we can see the trust is successfully initiated. If you have any questions feel free to contact me on rebeladm@live.com