12 October 2012

Active Directory Delegation

It's been a while since my last post and now it's time to add a new one :)

Today I was at a customer site with a task to delegate some Active Directory permissions to Help Desk users.

My task was to create a "script" to:
- Delegate unlocking user accounts.
- Delegate resetting passwords on user accounts.
- Delegate moving computer accounts from the default folder to a designated OU.
- Delegate adding or removing users from security or distribution groups.
- Delegate changing some user object attributes (telephone number, mobile phone number, office, department, ...).

Of course you can do all of this with the GUI, but we're a bit lazy, we don't want to click a lot, and the most important reason: we sure want to look smart. That's why we use the command line.

If you still decide to use the GUI you'll probably need to edit DSSEC.DAT (under Users add pwdLastSet=0) to display some attributes.

For this task I used the dsacls.exe command, and here you can find more about it.

We also used a two-security-group approach: Resource security groups (Change password, Unlock user account, ...) and a Users security group (Help Desk). At the end we added the Users security group to all the Resource security groups. This way, members of the Users security group are able to do all the necessary tasks regarding user and computer management.

So let's get to business :)

To delegate password reset and user unlock you can use these command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g "domain\SecGroupName:ca;reset password;user"
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;pwdlastset;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;lockouttime;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where users are located
"domain\SecGroupName" is the Resource security group to which we delegate permissions
The first line is quoted because the "reset password" right contains a space; without the quotes the command prompt splits the argument in two.

To delegate add/remove group membership you can use this command line:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;member;group

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where groups are located
"domain\SecGroupName" is the Resource security group to which we delegate permissions

To delegate moving computers between OUs you can use these command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:t /g domain\SecGroupName:cc;computer;
dsacls cn=computers,dc=domain,dc=com /g domain\SecGroupName:dc;computer;
dsacls cn=computers,dc=domain,dc=com /i:s /g domain\SecGroupName:wp;;computer

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU to which you want to move computers
"cn=computers,dc=domain,dc=com" is the folder from which you want to move computers
"domain\SecGroupName" is the Resource security group to which we delegate permissions

To delegate changing user attributes you can use these command lines:
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;telephonenumber;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;company;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;mobile;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;physicaldeliveryofficename;user
dsacls ou=ou_name,dc=domain,dc=com /i:s /g domain\SecGroupName:rpwp;roomnumber;user

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where users are located
"domain\SecGroupName" is the Resource security group to which we delegate permissions

There are at least two approaches that can be used in bigger environments instead of running the command lines above one by one. The first is to use Excel (CONCATENATE) and the second is to use batch scripts like in the sample below.

In this sample we'll delegate add/remove group membership with a batch script.

1. Create Delegate-AdRights.bat
2. Edit Delegate-AdRights.bat and copy-paste the code below into it.
rem %1 = distinguished name of the OU, %2 = DOMAIN\group that receives the right
dsacls %1 /i:s /g %2:rpwp;member;group
3. Run the batch file in a command prompt with the additional arguments as shown below
Delegate-AdRights.bat ou=ou_name,dc=domain,dc=com domain\SecGroupName

Explanation:
"ou=ou_name,dc=domain,dc=com" is the OU where groups are located
"domain\SecGroupName" is the Resource security group to which we delegate permissions
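The same batch idea, written as an added PowerShell example (not the post's own script): it applies the post's user and group delegations with dsacls.exe following the two-group approach, nests the Help Desk group into each Resource group, and dumps the resulting ACEs so you can verify them. The OU DNs, domain NetBIOS name and group names are placeholders; the computer-move rights are left out because they use different inheritance flags per line.

```powershell
# Added example, not from the original post. Assumes RSAT (ActiveDirectory module)
# for Add-ADGroupMember and that the Resource groups already exist.
Import-Module ActiveDirectory

$Domain   = 'DOMAIN'                           # placeholder NetBIOS domain name
$UsersOU  = 'OU=ou_name,DC=domain,DC=com'      # placeholder OU holding users
$GroupsOU = 'OU=groups,DC=domain,DC=com'       # placeholder OU holding groups
$HelpDesk = 'HelpDesk'                         # the Users security group

# One Resource group per task, with the dsacls rights from the post.
$Delegations = @(
    @{ Group = 'RES-PasswordReset'; OU = $UsersOU
       Rights = @('CA;Reset Password;user', 'RPWP;pwdLastSet;user', 'RPWP;lockoutTime;user') },
    @{ Group = 'RES-GroupMembers';  OU = $GroupsOU
       Rights = @('RPWP;member;group') },
    @{ Group = 'RES-UserAttribs';   OU = $UsersOU
       Rights = @('RPWP;telephoneNumber;user', 'RPWP;mobile;user',
                  'RPWP;physicalDeliveryOfficeName;user', 'RPWP;roomNumber;user') }
)

foreach ($d in $Delegations) {
    foreach ($r in $d.Rights) {
        # /I:S applies the ACE to child objects only, as in the post. PowerShell
        # quotes the argument for dsacls.exe because "Reset Password" has a space.
        & dsacls.exe $d.OU /I:S /G "$Domain\$($d.Group):$r"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dsacls failed: $($d.Group) $r on $($d.OU)"
        }
    }
    # Final step of the post: put the Help Desk group into the Resource group.
    Add-ADGroupMember -Identity $d.Group -Members $HelpDesk
}

# Verify: show only the ACEs on each OU that mention the Resource group.
foreach ($d in $Delegations) {
    "== $($d.OU) : $($d.Group) =="
    (& dsacls.exe $d.OU) | Select-String -SimpleMatch $d.Group
}
```

Adding a new task is one more entry in $Delegations; the verification loop at the end is the cheapest way to confirm an OU carries exactly the rights you intended and nothing broader.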

This is it for today. Have fun!

19 April 2012

Extended Windows Volume

Extending a volume on a virtualized Windows server is so easy these days. You just go to your virtual host server and extend the virtual disk. After this is done, log in to your Windows server and open Disk Management, then right-click Disk Management and select Refresh.

After this you'll see some Unallocated space.

Now right-click the volume that you want to extend (in front of the unallocated space) and select Extend Volume...

The Extend Volume Wizard opens, and by clicking Next you'll arrive at the part where you need to specify by how much you'll extend the selected volume. In my case I'll use all available space.

Click Next and Finish. After this your volume will be extended and you'll have additional space on your server that you can use :)


But it's not always that easy. Sometimes you'll get an error: "The parameter is incorrect."


After that, Disk Management shows a different size for the extended disk than you see if you check the disk properties.


The solution for this problem is simple. Open a Command Prompt (CMD) as Administrator and type DISKPART.

diskpart
list volume
select volume # (# is the number of the volume listed by the 'list volume' command above)
extend filesystem
exit


All good, and now you can recheck the disk properties just in case.


Disk properties also show that the disk was successfully extended :)
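The failed-wizard state is easy to miss on a server with many volumes, so here is an added check (not from the original post) that flags any volume whose file system is noticeably smaller than the partition it sits on, which is exactly what is left behind when the partition was grown but "extend filesystem" never ran. It assumes the Storage module (Windows Server 2012 / Windows 8 or later) and a 64 MB slack threshold, chosen here to ignore normal NTFS rounding.

```powershell
# Added example, not from the original post. Requires the Storage module.
$SlackThresholdBytes = 64MB   # assumption: anything above this is a real gap

Get-Partition |
    Where-Object { $_.DriveLetter -match '[A-Z]' } |   # only lettered volumes
    ForEach-Object {
        $part = $_
        $vol  = Get-Volume -Partition $part -ErrorAction SilentlyContinue
        if (-not $vol) { return }

        # Partition size comes from the disk layout; volume size from the file system.
        # After a failed Extend Volume the first grows and the second does not.
        $slack = $part.Size - $vol.Size
        [pscustomobject]@{
            Drive         = $part.DriveLetter
            PartitionNo   = $part.PartitionNumber
            PartitionGB   = [math]::Round($part.Size / 1GB, 2)
            FileSystemGB  = [math]::Round($vol.Size / 1GB, 2)
            NeedsExtendFS = $slack -gt $SlackThresholdBytes
        }
    } | Format-Table -AutoSize
```

Any row with NeedsExtendFS set to True is a candidate for the diskpart "select volume" / "extend filesystem" steps above; rerun the script afterwards and the two sizes should match.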

A few useful links:
http://support.microsoft.com/kb/325590
http://www.jonathanmedd.net/2010/10/windows-server-2008-extend-system-volume-error-the-parameter-is-incorrect.html

This is it for today. Have fun!

02 March 2012

Blocking P2P programs with Group Policy

Some time ago I needed to block as many torrent and other P2P clients as possible with Windows Group Policy. To do this I needed to find as many names of torrent client executables as possible and prepare a list. The result of all this is this list:

ABC.exe
Ares.exe
Azureus.exe
BitComet.exe
BitLord.exe
BitThief.exe
BitTornado.exe
BitTorrent.exe
Btdownloadgui.exe
Deluge.exe
Emule.exe
Fdm.exe
FlashGet.exe
Giftl.exe
Imesh.exe
KGet.exe
KTorrent.exe
LimeWire.exe
Mediaget.exe
Miro.exe
MLDonkey.exe
Mp3rocket.exe
Msohtmed.exe
µTorrent.exe
Utorrent-2-0-beta.exe
Utorrentportable.exe
OneSwarm.exe
Opera.exe
qBittorrent.exe
Shareaza.exe
Tonido.exe
Swapper.exe
Tribler.exe
Vuze.exe
Wyzo.exe

I hope you'll find this list useful, and I'd also like to invite all of you to send me the names of executables that I missed. This way we'll keep this list up to date :)

Here are two articles that describe how to block applications with Windows Group Policy:
http://www.technipages.com/prevent-users-from-running-certain-programs.html
http://www.windowsnetworking.com/articles_tutorials/Software-Restriction-Policies.html
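The first link describes the "Don't run specified Windows applications" policy, so as an added example (not from the original post) here is how to push the list into the registry values that policy writes and read them back to confirm they landed. It assumes a local test machine and uses a subset of the list above; in production the same values arrive through the GPO, so you would only keep the read-back part.

```powershell
# Added example, not from the original post. Writes the DisallowRun values of the
# "Don't run specified Windows applications" policy for the current user, then
# verifies them. Subset of the post's list; extend $BlockList as needed.
$BlockList = @(
    'ABC.exe', 'Ares.exe', 'Azureus.exe', 'BitComet.exe', 'BitTorrent.exe',
    'Deluge.exe', 'Emule.exe', 'LimeWire.exe', 'qBittorrent.exe',
    'Utorrent.exe', 'Vuze.exe'
)
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunKey    = Join-Path $PolicyKey 'DisallowRun'

New-Item -Path $RunKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'DisallowRun' -Value 1 -Type DWord

# The policy stores one numbered string value per blocked file name: "1", "2", ...
$i = 1
foreach ($exe in $BlockList) {
    Set-ItemProperty -Path $RunKey -Name ([string]$i) -Value $exe -Type String
    $i++
}

# Read-back check: every name in the list must now be present in the key.
$key     = Get-Item -Path $RunKey
$applied = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
$missing = $BlockList | Where-Object { $applied -notcontains $_ }
if ($missing) {
    Write-Warning "Not applied: $($missing -join ', ')"
} else {
    Write-Host "All $($applied.Count) DisallowRun entries present."
}

# Caveat: this policy matches only the file name of programs started through
# Explorer, so a renamed binary slips past it. The Software Restriction Policies
# article (second link) covers path and hash rules for the stricter cases.
```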

This is it for today. Have fun!