Date post: 22-Sep-2020
Page 1: | GOPAS a.s. | ondrej@sevecek.com |

ADVANCED TOPICS

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA | ondrej@sevecek.com | www.sevecek.com

SEARCHES
Active Directory Troubleshooting

Page 2:

Search Syntax

physicalDeliveryOfficeName=C* AND NOT telephoneNumber=20*

(&(physicalDeliveryOfficeName=C*)(!telephoneNumber=20*))

AND = &

OR = |

NOT = !

Comparison: =, <=, >=, * (wildcard)

Searches

(objectClass=user)

(&(objectClass=user)(givenName=o*))

(mail=*)

(&(objectClass=user)(!objectClass=computer))

(|(sn=s*)(sn=d*))

(logonCount>=1)

(!telephoneNumber=+4*)

Page 3:

Object types: objectClass / objectCategory / sAMAccountType / userAccountControl / groupType

user: objectClass = user; objectCategory = person; sAMAccountType = 805306368 (NORMAL_USER_ACCOUNT); userAccountControl = NORMAL_ACCOUNT

contact: objectClass = contact; objectCategory = person; sAMAccountType = -; userAccountControl = -

computer: objectClass = computer, user; objectCategory = computer; sAMAccountType = 805306369 (MACHINE_ACCOUNT); userAccountControl = WORKSTATION_TRUST_ACCOUNT

DC: objectClass = computer, user; objectCategory = computer; sAMAccountType = 805306369 (MACHINE_ACCOUNT); userAccountControl = SERVER_TRUST_ACCOUNT

RODC: objectClass = computer, user; objectCategory = computer; sAMAccountType = 805306369 (MACHINE_ACCOUNT); userAccountControl = WORKSTATION_TRUST_ACCOUNT + PARTIAL_SECRETS_ACCOUNT

group: objectClass = group; objectCategory = group; sAMAccountType = 268435456 (GROUP_OBJECT [G, U]) or 536870912 (ALIAS_OBJECT [DL]); groupType = SECURITY_ENABLED, UNIVERSAL_GROUP, ACCOUNT_GROUP, RESOURCE_GROUP

dist. group: as group, but sAMAccountType = (NON_SECURITY…)

trust: objectClass = user; objectCategory = person; sAMAccountType = 805306370 (TRUST_ACCOUNT); userAccountControl = INTERDOMAIN_TRUST_ACCOUNT

krbtgt (RID 502): objectClass = user; objectCategory = person; sAMAccountType = 805306368 (NORMAL_USER_ACCOUNT); userAccountControl = NORMAL_ACCOUNT

group managed service account: objectClass = msDS-GroupManagedServiceAccount, user, computer; objectCategory = msDS-GroupManagedServiceAccount; sAMAccountType = 805306369 (MACHINE_ACCOUNT); userAccountControl = WORKSTATION_TRUST_ACCOUNT

Demo: Search tools

dsquery * OU=Company,DC=idtt,DC=local -filter "(physicalDeliveryOfficeName=c*)"

Page 4:

Indexed vs. non-indexed attributes

Searching non-indexed attributes requires going through all the individual database rows

unnecessary overhead on the DC side

LDP: Search - Options - SearchStats

Indexed vs. non-indexed attributes

Indexed attributes

givenName, sn, physicalDeliveryOfficeName

objectCategory

objectClass with Windows 2008+ schema

Non-indexed attributes

objectClass with Windows 2003 and older schema

telephoneNumber, …

Page 5:

Advanced searches

Generalized time: (whenCreated>=19991122000000.0Z), (whenCreated>=19990323205258.0+1200)

pwdLastSet: 100 ns intervals since 1.1.1601 (pwdLastSet>=128962296000000000)

1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND

1.2.840.113556.1.4.804 = LDAP_MATCHING_RULE_BIT_OR

1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN

Advanced searches

Boolean: true, false

GUID {BF967ABA-0DE6-11D0-A285-00AA003049E2} (the first three fields are stored little-endian)

(objectGuid=\BA\7A\96\BF\E6\0D\D0\11\A2\85\00\AA\00\30\49\E2)

SID S-1-5-21-1935655697-308236825-1417001333

(objectSid=\01\04\00\00\00\00\00\05\15\00\00\00\11\C3\5Fs\19R\5F\12u\B9)

Page 6:

Advanced searches

Escaping special characters

\\, \), \(, \/, \*, ...

\5C, \29, \28, \2F, \2A
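The operators from the Search Syntax slide and the escape table above can be combined into a small filter builder. This is an added example written for this page, not code from the slides: the helper names (escape_value, eq, and_, or_, not_, guid_bytes, sid_bytes) are my own, and the GUID and SID are the ones shown on the previous slide. String values get RFC 4515 escaping, bytes values (objectGUID, objectSid) are escaped byte by byte, which is exactly what the \XX forms on the previous slide are. Negation is emitted in the standard form (!(attr=value)); AD also accepts the shorter (!attr=value) used on the slides.

```python
import struct
import uuid

# Characters that must be escaped inside a filter value (RFC 4515 plus the
# forward slash the slide lists, which ADSI also expects to be escaped).
_SPECIAL = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "/": r"\2F", "\x00": r"\00"}


def escape_value(value, keep_wildcard=False):
    """Escape a filter value.

    str   -> only the special characters are replaced by \\XX
    bytes -> every byte is written as \\XX (binary attributes such as objectGUID)
    keep_wildcard=True leaves '*' untouched so 'C*' stays a prefix match.
    """
    if isinstance(value, (bytes, bytearray)):
        return "".join("\\%02X" % b for b in value)
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        else:
            out.append(_SPECIAL.get(ch, ch))
    return "".join(out)


def eq(attr, value, keep_wildcard=False):
    """(attr=value) with the value escaped."""
    return "(%s=%s)" % (attr, escape_value(value, keep_wildcard))


def and_(*terms):
    return "(&" + "".join(terms) + ")"


def or_(*terms):
    return "(|" + "".join(terms) + ")"


def not_(term):
    return "(!" + term + ")"


def guid_bytes(guid_text):
    """objectGUID as stored by AD: the first three GUID fields are little-endian."""
    return uuid.UUID(guid_text.strip("{}")).bytes_le


def sid_bytes(sid_text):
    """objectSid binary form: revision, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as a little-endian DWORD."""
    parts = sid_text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid_text)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def office_not_phone_filter():
    """The slide's example: office starts with C and phone does not start with 20."""
    return and_(eq("physicalDeliveryOfficeName", "C*", keep_wildcard=True),
                not_(eq("telephoneNumber", "20*", keep_wildcard=True)))


if __name__ == "__main__":
    print(office_not_phone_filter())
    print(eq("objectGuid", guid_bytes("{BF967ABA-0DE6-11D0-A285-00AA003049E2}")))
    print(eq("objectSid", sid_bytes("S-1-5-21-1935655697-308236825-1417001333")))
    # a user-supplied value containing filter metacharacters is rendered harmless
    print(eq("cn", "admin)(objectClass=*"))
```

The objectSid value on the previous slide is cut off after the first bytes of the third sub-authority; sid_bytes produces the complete 24-byte form, and eq() writes every byte as \XX even where the slide shows printable characters ("s", "R", "u") literally.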

Search examples

Disabled account: userAccountControl bit 2 (ACCOUNTDISABLE)

Locked account (until unlocked or tried again): lockoutTime; msDS-User-Account-Control-Computed bit 16 (LOCKOUT)

Last password change/reset: pwdLastSet

Cannot change password: permissions, Deny - Self - Change Password

Must change password at next logon: pwdLastSet = 0; msDS-User-Account-Control-Computed bit 8388608 (PASSWORD_EXPIRED)

Page 7:

Search examples

Domain Admins (nested membership or primary group):

(&(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=idtt,DC=local)(primaryGroupID=512)))

Computer or member server: objectClass = computer, userAccountControl = WORKSTATION_TRUST_ACCOUNT

Domain Controller: objectClass = computer, userAccountControl = SERVER_TRUST_ACCOUNT

Search examples

Inactive computers (the bit test on userAccountControl uses the BIT_AND rule 1.2.840.113556.1.4.803; IN_CHAIN only applies to DN-valued attributes):

(&(objectClass=computer)(lastLogonTimestamp<=129274916816708588)(!userAccountControl:1.2.840.113556.1.4.803:=2))

Confidential attributes

dsquery * CN=schema,CN=configuration,DC=idtt,DC=local -filter "(searchFlags:1.2.840.113556.1.4.803:=128)"
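The flag values these search examples rely on (userAccountControl and msDS-User-Account-Control-Computed, sAMAccountType from the object-type table on page 3, searchFlags for confidential attributes) can be decoded, and the matching-rule filters generated, with a few lines of code. This is an added example for this page, not code from the slides: the function names are my own, the flag tables are the documented Microsoft values, and the tick value and DN are the ones on the slides.

```python
# userAccountControl / msDS-User-Account-Control-Computed bits (documented Microsoft values)
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE", 0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD", 0x0000040: "PASSWD_CANT_CHANGE",
    0x0000200: "NORMAL_ACCOUNT", 0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT", 0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD", 0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION", 0x0100000: "NOT_DELEGATED",
    0x0400000: "DONT_REQ_PREAUTH", 0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# sAMAccountType is an enumeration, not a bit field
SAM_ACCOUNT_TYPES = {
    0x10000000: "GROUP_OBJECT", 0x10000001: "NON_SECURITY_GROUP_OBJECT",
    0x20000000: "ALIAS_OBJECT", 0x20000001: "NON_SECURITY_ALIAS_OBJECT",
    0x30000000: "NORMAL_USER_ACCOUNT", 0x30000001: "MACHINE_ACCOUNT",
    0x30000002: "TRUST_ACCOUNT",
}

# searchFlags bits on attributeSchema objects
SEARCH_FLAGS = {
    0x001: "fATTINDEX", 0x002: "fPDNTATTINDEX", 0x004: "fANR",
    0x008: "fPRESERVEONDELETE", 0x010: "fCOPY", 0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX", 0x080: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT", 0x200: "fRODCFilteredAttribute",
}

BIT_AND = "1.2.840.113556.1.4.803"
IN_CHAIN = "1.2.840.113556.1.4.1941"


def decode_flags(value, table):
    """Names of all bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def sam_account_type_name(value):
    return SAM_ACCOUNT_TYPES.get(value, "UNKNOWN(%d)" % value)


def bit_and(attr, mask):
    """All bits of mask set: (attr:1.2.840.113556.1.4.803:=mask)."""
    return "(%s:%s:=%d)" % (attr, BIT_AND, mask)


def in_chain(attr, dn):
    """Transitive (nested) membership on a DN-valued attribute."""
    return "(%s:%s:=%s)" % (attr, IN_CHAIN, dn)


def disabled_users_filter():
    return "(&(objectClass=user)(objectCategory=person)%s)" % bit_and("userAccountControl", 0x2)


def inactive_computers_filter(last_logon_cutoff_ticks):
    """Enabled computers whose lastLogonTimestamp is older than the cutoff (FILETIME ticks)."""
    return "(&(objectClass=computer)(lastLogonTimestamp<=%d)(!%s))" % (
        last_logon_cutoff_ticks, bit_and("userAccountControl", 0x2))


def confidential_attributes_filter():
    return bit_and("searchFlags", 0x80)


def domain_admins_filter(domain_dn):
    group_dn = "CN=Domain Admins,CN=Users," + domain_dn
    return "(&(objectClass=user)(|%s(primaryGroupID=512)))" % in_chain("memberOf", group_dn)


if __name__ == "__main__":
    print(decode_flags(514, UAC_FLAGS))            # a disabled normal user account
    print(sam_account_type_name(805306369))
    print(decode_flags(128, SEARCH_FLAGS))
    print(inactive_computers_filter(129274916816708588))
    print(domain_admins_filter("DC=idtt,DC=local"))
```

decode_flags works for msDS-User-Account-Control-Computed too, since it uses the same bit layout as userAccountControl; that is how the LOCKOUT (16) and PASSWORD_EXPIRED (8388608) values from the previous slide are read.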

Page 8:

ADSI Schema Cache

The client's ADSI provider caches the whole schema

re-cached per DC, on every schema change

the schema is about 1.5 MB

Not important with local DCs

Worse for WAN clients without a local DC

HKLM\SOFTWARE\Microsoft\ADs\Providers\LDAP\<schemaContainerDN> (one subkey per schema container DN)

Time of last update

File that stores the cache

ACCESS CONTROL
Active Directory Troubleshooting

Page 9:

Security permissions

Everything requires authentication

except for RootDSE

Delegate Control wizard

DELEGWIZ.INF

Security tab

DSA.MSC and ADSI Edit

Never use DSA or ADSI Edit to check permissions

example: mail attribute

Use either DSACLS or LDP

Page 10:

LDP and permissions

Default Security Descriptor

User class example

Windows 2000

Windows 2003 added 2 new permission ACEs: Windows Authorization Access Group, Terminal Server Licensing Servers

Windows 2003 R2: no change

Windows 2008 added 1 new permission ACE: Terminal Server Licensing Servers

Not changed on existing objects!

Page 11:

Property sets

Grouping of several attributes for simpler permission assignment

Google: Active Directory Property Sets

http://technet.microsoft.com/en-us/library/cc755430(WS.10).aspx

User DSD

Self: Read all; Write Personal Information; Write Private Information; Write Phone and Mail Options; Write Web Information

Authenticated Users: Read General Information; Read Public Information; Read Personal Information; Read Web Information; Read Permissions

Account Operators: Full Control

Domain Admins: Full Control

Page 12:

Group DSD

Authenticated Users: Read all

Account Operators: Full Control

Domain Admins: Full Control

Pre-Windows 2000 Compatible Access

By default contains Authenticated Users

should be removed

Inherited from domain level

not part of the default security descriptor

Assigned

List (all sub-objects)

Read (all User objects)

Read (all Group objects)

Read (all OUs)

Page 13:

Pre-Windows 2000 Compatible Access on Windows 2003 and older

Administrators and Deny

Inherited Deny is overridden by explicit Allow

Default Security Descriptor in schema

To prevent Domain Admins and Account Operators from doing something, use explicit Deny on the objects

Page 14:

Authenticated Users and Deny

Read cannot be limited by inheritance

Default Security Descriptor in schema

Confidential attributes

would require Full Control

Scripts must be used to define individual Deny ACEs

Change Password vs. Reset Password

Change Password: Everyone; must know the current password

Reset Password: admins only

Page 15:

Anonymous Access

CN=Directory Services,CN=Services,CN=Configuration,...

dsHeuristics

7th position character = 2 enables anonymous bind (0000002)

Anonymous Access and LDP

Simple Bind: empty password = ANONYMOUS

anonymous simple bind does not receive Pre-Windows 2000 Compatible Access membership

it does not receive an access token at all

Bind with Credentials: empty/empty = ANONYMOUS

Page 16:

tokenGroups

Some applications require reading the group membership of user accounts: either memberOf, or tokenGroups and tokenGroupsGlobalAndUniversal

Required by Kerberos protocol transition

ISA/TMG smart card authentication requires Kerberos protocol transition

IAS/NPS RADIUS user authentication

SCOM 2007 to be able to push agent installations

tokenGroups

Pre-Windows 2000 Compatible Access

Windows Authorization Access Group

added in 2003 SP1 to replace the Pre-Windows 2000 Compatible Access

modified in schema in Default Security Descriptor

not modified on existing objects

Page 17:

Windows Authorization Access Group required on users

Windows Authorization Access Group not required on groups

Page 18:

WAAG

Kerberos Protocol Transition

AD CS and Constrained Enrollment Agent

SQL Server for logins

IAS/NPS/TS Gateway with certificate logon

TS Licensing

Demo: TGGAU and WAA group

Check membership of the Pre-Windows 2000 Compatible Access

possibly remove all the members

Check membership of the Windows Authorization Access Group

Check Effective Permissions on a user account for Authenticated Users

Page 19:

AdminSDHolder

Resets permissions for security principals who are members of administrative groups

Enterprise Admins, Schema Admins

Domain Admins, Administrators

Domain Controllers

Cert Publishers, Backup Operators, Replicator, Server Operators, Account Operators, Print Operators

CN=AdminSDHolder,CN=System,DC=idtt,DC=local

adminCount = 1

AdminSDHolder

Done by the PDC FSMO

Triggered by

runProtectAdminGroupsTask in 2008 R2+

fixUpInheritance in 2008 and older

needs the appropriate control access right on DC=domain,DC=virtual

dsquery * domainroot -filter "(adminCount>=1)"

Page 20:

Orphaned AdminSDHolder objects

Remain with adminCount = 1

Remain with inheritance protection

Lab: AdminSDHolder
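Orphaned AdminSDHolder objects (adminCount = 1 without current membership in a protected group) are easy to list once you have the group membership data. The following is an added example for this page, not code from the slides: it works on a constructed, in-memory snapshot of groups and accounts in the lab domain idtt.local, resolves nested membership the way the IN_CHAIN matching rule would, honours primaryGroupID, and reports the accounts whose adminCount survived their removal. The protected group list is the one on the previous slide; the account names and memberships are made up.

```python
DOMAIN_DN = "DC=idtt,DC=local"

# Protected groups from the slide, as DNs in the lab domain.
PROTECTED_GROUPS = [
    "CN=Enterprise Admins,CN=Users," + DOMAIN_DN,
    "CN=Schema Admins,CN=Users," + DOMAIN_DN,
    "CN=Domain Admins,CN=Users," + DOMAIN_DN,
    "CN=Administrators,CN=Builtin," + DOMAIN_DN,
    "CN=Domain Controllers,CN=Users," + DOMAIN_DN,
    "CN=Cert Publishers,CN=Users," + DOMAIN_DN,
    "CN=Backup Operators,CN=Builtin," + DOMAIN_DN,
    "CN=Replicator,CN=Builtin," + DOMAIN_DN,
    "CN=Server Operators,CN=Builtin," + DOMAIN_DN,
    "CN=Account Operators,CN=Builtin," + DOMAIN_DN,
    "CN=Print Operators,CN=Builtin," + DOMAIN_DN,
]

# Well-known RIDs of protected groups that can appear as an account's primaryGroupID.
PROTECTED_PRIMARY_GROUP_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                                518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed snapshot: group DN -> member DNs (users or nested groups).
GROUPS = {
    "CN=Domain Admins,CN=Users," + DOMAIN_DN: [
        "CN=Alice,OU=Company," + DOMAIN_DN,
        "CN=Helpdesk Leads,OU=Company," + DOMAIN_DN,      # nested group
    ],
    "CN=Helpdesk Leads,OU=Company," + DOMAIN_DN: ["CN=Bob,OU=Company," + DOMAIN_DN],
    "CN=Backup Operators,CN=Builtin," + DOMAIN_DN: ["CN=Carol,OU=Company," + DOMAIN_DN],
}

# Constructed snapshot: account DN -> (adminCount, primaryGroupID).
ACCOUNTS = {
    "CN=Alice,OU=Company," + DOMAIN_DN: (1, 513),
    "CN=Bob,OU=Company," + DOMAIN_DN: (1, 513),
    "CN=Carol,OU=Company," + DOMAIN_DN: (1, 513),
    "CN=Dave,OU=Company," + DOMAIN_DN: (1, 513),         # removed from Domain Admins, adminCount left behind
    "CN=Erin,OU=Company," + DOMAIN_DN: (0, 513),
    "CN=svc-backup,OU=Company," + DOMAIN_DN: (1, 512),   # Domain Admins only as primary group
}


def transitive_members(groups, group_dn, seen=None):
    """All DNs reachable through nested membership (what memberOf:1.2.840.113556.1.4.1941 matches)."""
    seen = set() if seen is None else seen
    for member in groups.get(group_dn, []):
        if member not in seen:
            seen.add(member)
            transitive_members(groups, member, seen)
    return seen


def protected_principals(groups, accounts):
    """Every DN that AdminSDHolder currently protects: nested members plus primary-group members."""
    protected = set()
    for group_dn in PROTECTED_GROUPS:
        protected |= transitive_members(groups, group_dn)
    for dn, (_, primary_rid) in accounts.items():
        if primary_rid in PROTECTED_PRIMARY_GROUP_RIDS:
            protected.add(dn)
    return protected


def orphaned_admin_count(groups, accounts):
    """Accounts that still carry adminCount=1 but are no longer protected: the
    candidates for clearing adminCount and re-enabling inheritance."""
    protected = protected_principals(groups, accounts)
    return sorted(dn for dn, (admin_count, _) in accounts.items()
                  if admin_count == 1 and dn not in protected)


if __name__ == "__main__":
    for dn in orphaned_admin_count(GROUPS, ACCOUNTS):
        print("orphaned:", dn)
```

In a real domain the two snapshots come from two searches: one for member on the protected groups (or the IN_CHAIN filter from page 7) and the dsquery for (adminCount>=1) on the previous slide; the logic above stays the same.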

Page 21:

dsHeuristics

CN=Directory Services,CN=Services,CN=Configuration,...

dsHeuristics

16th position character can exclude groups

Group: bit / value

Account Operators: 0001 / 1

Server Operators: 0010 / 2

Print Operators: 0100 / 4

Backup Operators: 1000 / 8

Permission-based settings
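Because dsHeuristics is a positional string, it is easy to corrupt by hand, and a stray value in position 7 opens anonymous bind, as the Anonymous Access slide shows. The following is an added example for this page, not code from the slides: it builds and reads the string by position, applies the bit table above to produce the 16th character, and keeps the check digits the attribute format requires (position 10 is always '1' and position 20 is always '2'). The function names are my own; the positions for List Object mode (3), anonymous LDAP operations (7) and fUserPwdSupport (9) are the documented ones.

```python
# Positions used on these slides (1-based), with the documented flag name.
POSITIONS = {
    3: "fDoListObject",        # List Object mode (Search and permissions slide)
    7: "fLDAPBlockAnonOps",    # '2' enables anonymous LDAP operations
    9: "fUserPwdSupport",      # userPassword writes treated as password changes
    16: "dwAdminSDExMask",     # operator groups excluded from AdminSDHolder
}

OPERATOR_GROUP_BITS = {
    "Account Operators": 0b0001,
    "Server Operators": 0b0010,
    "Print Operators": 0b0100,
    "Backup Operators": 0b1000,
}


def get_position(value, position):
    """Character at a 1-based position; an absent position reads as '0'."""
    return value[position - 1] if len(value) >= position else "0"


def set_position(value, position, char):
    """Return a new dsHeuristics string with one position changed.

    The string is padded with '0' up to the position, and the check digits
    demanded by the format (position 10 = '1', position 20 = '2') are kept.
    """
    if len(char) != 1:
        raise ValueError("exactly one character per position")
    chars = list(value.ljust(position, "0"))
    chars[position - 1] = char
    for pos, digit in ((10, "1"), (20, "2")):
        if len(chars) >= pos:
            chars[pos - 1] = digit
    return "".join(chars)


def describe(value):
    """Flag name -> character for the positions this page discusses."""
    return {name: get_position(value, pos) for pos, name in POSITIONS.items()}


def admin_sd_ex_mask(excluded):
    """Hex digit for position 16 from the group names on the slide."""
    mask = 0
    for name in excluded:
        mask |= OPERATOR_GROUP_BITS[name]
    return "%X" % mask


def excluded_groups(value):
    """Inverse of admin_sd_ex_mask: which operator groups position 16 excludes."""
    mask = int(get_position(value, 16), 16)
    return [name for name, bit in OPERATOR_GROUP_BITS.items() if mask & bit]


def anonymous_bind_enabled(value):
    return get_position(value, 7) == "2"


if __name__ == "__main__":
    current = ""                            # attribute not set yet
    print(set_position(current, 7, "2"))    # 0000002, as on the Anonymous Access slide
    v = set_position(current, 16, admin_sd_ex_mask(["Print Operators", "Backup Operators"]))
    print(v, excluded_groups(v), describe(v))
```

Reading the attribute back with describe() is the quick audit: anything other than '0' in position 7 or a non-zero digit in position 16 is a deliberate weakening that should be on record.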

Page 22:

Common permissions (operation: required permissions)

Rename object (only by using DSMOVE): write cn, write name

Reset password: reset password, write pwdLastSet

NETDOM RESETPWD: reset password, write pwdLastSet

Join computer: write servicePrincipalName, write dnsHostName, write sAMAccountName, write displayName, write description, write Account Restrictions, write Logon Information, delete, delete tree, list, list objects, read all properties, read permissions, control access rights

Common permissions (operation: required permissions)

Move object between OUs (DSMOVE): same as rename

Move object between OUs (DSA console): delete on source, create on target

Rename object (DSA console): same as move between OUs in the DSA console

Delete object (which does not have any sub-objects): delete, or delete [objectType] on parent, or delete subtree (if the Delete Subtree server control is being used)

Delete object (which does have some sub-objects): delete on all the objects, or delete [all-the-specific-objectTypes] on parent(s), or delete subtree (if the Delete Subtree server control is being used)

Page 23:

Common permissions (operation: required permissions)

Protect against accidental deletion: deny delete, deny delete tree (this object only)

Install subdomain: Enterprise Admins to write to Sites/Servers and Partitions; parent domain Domain Admins to initially replicate from

Forest trust: Domain Admins of the trusting root domain; Incoming Forest Trust Builders in the trusted domain

External trust: trusting/trusted domain Domain Admins

Search and permissions

LDAP search results are trimmed according to the permissions on the objects

cannot search for attributes that I cannot Read

cannot find objects if I cannot List the parent

dSHeuristics, 3rd character = 1 (List Object mode)

If I cannot read an object, I cannot find it

hidden accounts with only SYSTEM allowed to Read

Page 24:

Example: Hidden account

PSEXEC -s -d -i cmd.exe

DSA.MSC, ADSIEDIT.MSC

Create a container in Program Data/Microsoft

Create a user account in the new container

Allow only SYSTEM FULL CONTROL

Allow Domain Admins only READ ATTRIBUTES and READ PERMISSIONS but not LIST

Make the account a member of Domain Admins as its only (primary) group

LDAP Simple Bind

Clear text authentication

the same as HTTP/SMTP/POP3 Basic

used by VPN gateways, RADIUS servers, proxy servers, third party integrations

Enabled by default

AD accepts simple binds with

distinguishedName

userPrincipalName (non standard)

sAMAccountName (non standard)

Page 25:

Password trials (lib-utils.ps1)

function global:Try-LdapPassword ([string] $path, [string] $login, [string] $pwd, [string] $security) {
    $ErrorActionPreference = 'SilentlyContinue'
    $error.Clear()
    $domain = New-Object DirectoryServices.DirectoryEntry $path, $login, $pwd, $security
    $domain.RefreshCache('name')
    $worked = $error.Count -eq 0
    $ErrorActionPreference = 'Continue'
    return $worked
}

function global:Try-LdapAllPasswords ([string] $path, [string] $login, [int] $pwdChars, [string] $security, [byte[]] $charSet = ((48..57) + (65..90) + (97..122)))
{
<#
.DESCRIPTION
security: AuthenticationTypes enumeration = None (simple bind), Signing, Sealing, SecureSocketsLayer
charSet: (48..57) + (65..90) + (97..122) = 0-9, A-Z, a-z
(32..126) = !"# ... xyz{|}~
#>

Enforce SSL for Simple Bind

Domain Controller: LDAP Server Signing Requirements

require GSSAPI signing for LDAP

require LDAPS for Simple Bind

Requires a TLS Server Authentication certificate

Page 26:

Enforce LDAPS for Simple Bind

LDAP TLS Server Authentication Certificate (extension: value)

Subject: DNS

SAN: DNS

Exportable Key: no

Archive Key: no, transport encryption only

Key Type: Encryption (+ Signature must be included, illogically)

Key Usage: Key Encipherment + Digital Signature

CSP/CNG: Microsoft RSA SChannel Cryptographic Provider / Microsoft Software Key Storage Provider

EKU: Server Authentication 1.3.6.1.5.5.7.3.1

Autoenrollment: yes

Publish in AD: no

Store: LocalComputer\My (Personal)

Page 27:

Domain Controller Certificates (template: issued certificates; availability and enrollment)

Domain Controller (v1): Subject = dc1.idtt.local; SAN = GUID & dns=dc1.idtt.local; EKU = client / server. Windows 2000 CA, Windows 2000+ DCs, manually

Domain Controller Authentication (v2): Subject = (empty); SAN = dns=dc1.idtt.local; EKU = client / server / sc. Windows 2003 CA, Windows 2003+ DCs, autoenrollment

Kerberos Authentication (v2): Subject = (empty); SAN = dns=idtt.local & dns=IDTT; EKU = client / server / sc / kdc. Windows 2008 CA, Windows 2003+ DCs, autoenrollment

AD LDS TLS Server Authentication Certificate (extension: value)

Subject: DNS

SAN: DNS

Exportable Key: no

Archive Key: no, transport encryption only

Key Type: Encryption

Key Usage: Key Encipherment

CSP/CNG: Microsoft RSA SChannel Cryptographic Provider / Microsoft Software Key Storage Provider

EKU: Server Authentication 1.3.6.1.5.5.7.3.1

Autoenrollment: yes

Publish in AD: no

Store: ADLDSService\My (Personal), or allow Read to the service account

Page 28:

AD LDS SECURITY
Active Directory Troubleshooting

User Accounts

User class

userPrincipalName or distinguishedName

objectSID, displayName, …

msDS-UserAccountDisabled

MD4/MD5 password

UserProxy

objectSID, displayName

UserProxyFull

objectSID, displayName, …

Page 29:

Authentication

Windows authentication with outside principals: NTLM and Kerberos (SPN automatically registered)

LDAP simple bind with AD LDS accounts: distinguishedName or userPrincipalName

LDAP simple bind with proxy authentication: does not store the password

Account Logon auditing for simple binds: the AD LDS service account must have SeAuditPrivilege (Generate Security Audits)

Credential Validation

AD LDS Simple Bind

Does not require TLS by default

Supports DN and userPrincipalName binds

does not support sAMAccountName binds

CN=Directory Services,CN=Windows NT,CN=Services,CN=Config…

msDS-Other-Settings

RequireSecureSimpleBind = 0/1

Page 30:

TLS

TLS certificate must be placed in the service store

does not accept Local Machine certificates

Proxy authentication requires TLS by default

Anonymous access disabled by default

Proxy authentication

TLS requirement

CN=Directory Services,CN=Windows NT,CN=Services,CN=Config…

msDS-Other-Settings

RequireSecureProxyBind = 0/1

Cannot define an external SID if it is not valid/existing

must also be unique in the AD LDS instance

Page 31:

Other LDS settings

ADAMDisableLogonAuditing

ADAMDisablePasswordPolicies

ADAMDisableSPNRegistration

ADAMAllowADAMSecurityPrincipalsInConfigPartition

ADAMLastLogonTimestampWindow ~ msDS-LogonTimeSyncInterval

SelfReferralsOnly, MaxReferrals

ADAMDisableSSI disables DIGEST-MD5 authentication

Chasing referrals

By default automatic DN <> DNS mapping

Original request: cn=jinde,dc=sevecek,dc=test

Referral: LDAP://sevecek.test/cn=jinde,dc=sevecek,dc=test

Or create an explicit crossRef object: dnsRoot = sevecek.testing.local:30000

DNS SRV _ldap._tcp.sevecek.testing.local = dc3.gopas.virtual:30000

DNS SRV _ldap._udp.sevecek.testing.local = dc3.gopas.virtual:30000

dnsRoot = lds5.gopas.virtual:50000

Page 32:

ADSI authentication for referrals

Windows re-authentication: automatic

SPN ldap/dc3.gopas.virtual obtained from RootDSE's dNSHostName attribute

With simple bind, referrals are chased anonymously

DELETE OPERATIONS
Active Directory Troubleshooting

Page 33:

Delete operations

Delete only removes most attributes from an object

tombstone

Replicates as a normal object change/move

Deleted by individual DCs after tombstoneLifetime

CN=Directory Services,CN=Services,CN=Configuration,...

Search options to return deleted objects

Page 34:

Tombstones (attributes preserved)

isDeleted: true

isRecycled: true

name

objectSID, objectGUID

sIDHistory

lastKnownParent

Others are configured by searchFlags = 8 (fPRESERVEONDELETE) in the attributeSchema

Lab: Reanimating objects

LDP

Options - Search

Extended

Return deleted objects

View - Tree

CN=Deleted Objects

Page 35:

Tombstone lifetime

Windows 2000: 60 days

Windows 2003 SP1+: 180 days

upgrade keeps the 60 days from the previous version

Tombstone lifetime

CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration,DC=idtt,DC=local: tombstoneLifetime

garbageCollPeriod (12 hours by default)

Garbage collection does not remove white space from the database; only offline defragmentation does

the amount can be logged by setting HKLM\System\CCS\Services\NTDS\Diagnostics\6 Garbage Collection = 1

Page 36:

Lab (optional): Garbage Collection

Decrease tombstone lifetime to 2 days

Delete user Leo

Using the LDP tool, confirm its tombstone remained in the database

On the Hyper-V host move the date 1 day forward; wait until the date is adjusted automatically on the DC. You MUST NOT move by more than 1 day!

Replicate all DCs and check it went without errors: REPADMIN /replsummary

Move the date once again and repeat the replication

Using LDP, issue a doGarbageCollection=1 operational attribute write and confirm the tombstones got removed

AD Recycle Bin

Optional feature with Windows 2008 R2 forest level

cannot be disabled

Preserves all attributes on deleted objects for the tombstone lifetime

after that, the object becomes a normal tombstone for another lifetime

Does not preserve attribute changes

recovery site still useful

Page 37:

Enabling AD Recycle Bin

Raise forest functional level to at least Windows 2008 R2

On the Domain Naming FSMO: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'gopas.virtual'

On an AD LDS instance: … -Target 'CN=Configuration,CN={…}' -Server adldsSrv:50001

Or from the Active Directory Administrative Center since Windows 2012

TSL (tombstone lifetime) and 2008 R2 Schema Update

Updating the schema to 2008 R2 includes the isRecycled attribute

The attribute is added to existing tombstones, which then replicate; not significant traffic

If some DC has already deleted tombstones on the verge of their TSL, it will not replicate with Strict Replication Consistency

repadmin /SetAttr * "" doGarbageCollection Add 1

Page 38:

AD LDS Recycle Bin

Update schema to 2008 R2

MS-ADAM-Upgrade-2.ldf - schema

MS-ADAM-Upgrade-1.ldf - configuration

Remove all older replicas

Upgrade FFL to 2008 R2

msDS-Behavior-Version = 4

Enable recycle bin with PowerShell

EXPIRING OBJECTS
Active Directory Troubleshooting

Page 39:

Expiring objects

$domain = 'DC=ad,DC=sevecek,DC=com'
$ou = [ADSI] "LDAP://OU=TRAINING,$domain"
[int] $ttl = 20
[int] $userTTL = 37

$user = $ou.Create('user', 'CN=Josef')
$user.PutEx(2, 'objectClass', @('dynamicObject', 'user'))
$user.Put('entryTTL', ($userTTL * 60))
$user.Put('sAMAccountName', 'josef')
$user.SetInfo()
$user.SetPassword('Pa$$w0rd')
$user.Put('userAccountControl', 512)
$user.SetInfo()

Expiring objects

# ...
$baseGroup = $ou.Create('group', 'CN=IS Access')
$baseGroup.Put('sAMAccountName', 'IS Access')
$baseGroup.SetInfo()

$expiringGroup = $ou.Create('group', "CN=IS Access Expiring in $ttl minutes")
$expiringGroup.PutEx(2, 'objectClass', @('dynamicObject', 'group'))
$expiringGroup.Put('entryTTL', ($ttl * 60))
$expiringGroup.Put('sAMAccountName', "IS Access Expiring in $ttl minutes")
$expiringGroup.SetInfo()

$baseGroup.Add($expiringGroup.Path)
$expiringGroup.Add($user.Path)

Page 40:

Privileged Access Management Feature (PAM)

TTL on links

Requires FFL 2016

Enable-ADOptionalFeature

Add-ADGroupMember -Identity Group -Members Member

Get-ADGroup -Properties member -ShowMemberTimeToLive

SCRIPTING
Active Directory Troubleshooting

Page 41:

Scripting tools

LDIFDE: attribute/value pairs

CSVDE: comma separated values (table)

DSxxx: DSADD, DSRM, DSMOD, DSQUERY, DSGET

VBScript (ADSI COM)

PowerShell (ADSI COM, PowerShell v2)

.NET (System.DirectoryServices)

DSACLS

Exports vs. Imports

Export

does not export passwords or hashes

Import

cannot import GUIDs, SIDs etc.

can import/change/reset passwords

Page 42:

LDP files

Can contain ADD, DELETE, REPLACE operations

Sometimes can be used to change/reset passwords

unicodePwd

must be surrounded by "" and UTF-16LE + Base64 encoded

Pa$$w0rd - "Pa$$w0rd" - 0x22 0x00 0x50 0x00 0x61 ...

userPassword

not encoded

requires 2003 domain level and dsHeuristics with fUserPwdSupport

Reset password with .LDP

dn: CN=Joe,OU=Company,DC=idtt,DC=local
changetype: modify
replace: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
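The unicodePwd encoding on this slide is exact enough to script. The following is an added example for this page, not code from the slides: it wraps the password in double quotes, encodes it as UTF-16LE and then Base64 (the "::" form LDIF uses for binary values), decodes the slide's value back, and emits the reset record. The function names are my own; the DN is the one on the slide, and AD only accepts the write over an encrypted connection such as LDAPS.

```python
import base64


def unicode_pwd_bytes(password):
    """The raw value AD expects: '"password"' as UTF-16LE (compare the hex dump on the slide)."""
    return ('"%s"' % password).encode("utf-16-le")


def encode_unicode_pwd(password):
    """unicodePwd value for an LDIF 'unicodePwd::' line: raw bytes, Base64 encoded."""
    return base64.b64encode(unicode_pwd_bytes(password)).decode("ascii")


def decode_unicode_pwd(b64_value):
    """Inverse of encode_unicode_pwd; rejects values that lack the surrounding quotes."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd must be wrapped in double quotes")
    return text[1:-1]


def ldif_reset_password(dn, password):
    """LDIF 'modify' record that resets unicodePwd on one object."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(password),
        "-",
        "",
    ])


if __name__ == "__main__":
    print(ldif_reset_password("CN=Joe,OU=Company,DC=idtt,DC=local", "newPassword"))
    print(decode_unicode_pwd("IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA="))   # the slide's value
    print(unicode_pwd_bytes("Pa$$w0rd")[:6].hex(" "))                  # 22 00 50 00 61 00
```

The slide's Base64 value decodes to "newPassword", not to the Pa$$w0rd used in the hex example above; both are shown here so the two encodings can be checked against each other.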

Page 43:

Reset password with .LDP

dn: CN=John Smith,OU=Users,DC=Fabrikam,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword

Change password with .LDP

dn: CN=John,OU=Company,DC=idtt,DC=local
changetype: modify
delete: userPassword
userPassword: oldPassword
-
add: userPassword
userPassword: newPassword

Page 44:

DSACLS

DSACLS \\dc1\CN=Kamil,OU=London,... /G sales:RPWP;telephoneNumber

DSACLS OU=London,OU=Company,... /I:S /G sales:RPWP;telephoneNumber;user

/I:S - subobjects only

/I:T - this object and subobjects

/I:P - only direct child objects (one level only)

Restore default security

DSACLS \\dc1\OU=London,DC=... /S /T

Page 45:

Security with DSQUERY

FOR /F "tokens=1" %i IN ('DSQUERY * "DC=idtt,DC=local" -filter "(mail=*)"') DO (DSACLS %i /G sales:RPWP;telephoneNumber)

In .BAT files, you need to replace %i with %%i

-limit is by default 100

Query more DCs with REPADMIN

repadmin /showattr * dc=idtt,dc=local /subtree /filter:"(lastLogon<=129254820280000000)" /attrs:lastLogon

Page 46:

LDIFDE

Exporting/Importing tombstones: -X

Changing DN references: -C

DC=idtt,DC=local DC=gopas,DC=cz

DC=idtt,DC=local #defaultNamingContext

read from the actual RootDSE

Ticks in VBScript (.VBS)

function D2T ( byVal dateString )
    secDiff = DateDiff("s", "1601-01-01 00:00:00", dateString)
    ticksDiff = CStr(secDiff) & "0000000"
    D2T = ticksDiff
end function

function T2D ( byVal ticksString )
    ticksDbl = CDbl(ticksString)
    secDbl = ticksDbl / CDbl(10) / CDbl(1000) / CDbl(1000)
    daysDbl = secDbl / CDbl(3600) / CDbl(24)
    days = Round(daysDbl)
    secRemainder = Round(secDbl - CDbl(days) * CDbl(3600) * CDbl(24))
    T2D = DateAdd("s", secRemainder, DateAdd("d", days, "1601-01-01 00:00:00"))
end function

Page 47:

Ticks in PowerShell (.PS1)

[DateTime]::Now
[DateTime]::Parse("1601-01-01")
[DateTime]::Now.AddDays(-30)
([DateTime]::Now - [DateTime]::Parse("1601-01-01")).Ticks
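The tick arithmetic on this slide, the VBScript D2T/T2D on the previous one, and the pwdLastSet and lastLogonTimestamp cutoffs in the search slides (100 ns intervals since 1.1.1601, i.e. Windows FILETIME) are all the same computation. The following is an added example for this page, not code from the slides: it converts in both directions with exact integer arithmetic, produces an "N days ago" cutoff for a filter, and parses the generalized-time forms (...Z and ...+1200) that whenCreated uses. The function names are my own; the sample tick values are the ones on the slides. .NET Ticks are also 100 ns units, which is why the PowerShell subtraction above yields a FILETIME directly.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 ns


def filetime_to_datetime(ticks):
    """FILETIME (100 ns intervals since 1601-01-01 UTC) -> aware datetime (microsecond resolution)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def filetime_to_iso(ticks):
    return filetime_to_datetime(ticks).isoformat()


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks, using exact integer arithmetic."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def cutoff_filetime(days_ago, now=None):
    """Tick value for 'days_ago days before now', e.g. for (lastLogonTimestamp<=...)."""
    now = now if now is not None else datetime.now(timezone.utc)
    return datetime_to_filetime(now - timedelta(days=days_ago))


_GT = re.compile(r"^(\d{14})(?:\.(\d+))?(Z|[+-]\d{4})$")


def parse_generalized_time(text):
    """LDAP GeneralizedTime such as 19991122000000.0Z or 19990323205258.0+1200."""
    m = _GT.match(text)
    if not m:
        raise ValueError("not a GeneralizedTime: %r" % text)
    base = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    micro = int(((m.group(2) or "0") + "000000")[:6])
    tz = m.group(3)
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return base.replace(microsecond=micro, tzinfo=timezone(offset))


def format_generalized_time(dt):
    """Aware datetime -> the Z form AD returns for whenCreated."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


if __name__ == "__main__":
    print(filetime_to_iso(128962296000000000))     # pwdLastSet cutoff from the search slide
    print(filetime_to_iso(129274916816708588))     # lastLogonTimestamp cutoff from the search slide
    print(cutoff_filetime(30))                     # value to put after lastLogonTimestamp<=
    print(format_generalized_time(parse_generalized_time("19990323205258.0+1200")))
```

The round trip through filetime_to_datetime loses the last decimal digit of a tick value (Python datetimes stop at microseconds), which does not matter for search cutoffs but is worth knowing when comparing values byte for byte.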

EXCHANGE CHANGES
Active Directory Troubleshooting

Page 48:

Exchange 2010

Extends schema with new object classes and attributes

Does not touch the default security descriptor

Changes AdminSDHolder partially

Creates Security Groups

Changes permissions on domain root

User Accounts which inherit

Organization Management (INHERITED), Exchange Trusted Subsystem (INHERITED): FULL CONTROL msExchDynamicDistributionList; WRITE Exchange Personal Information; WRITE Exchange Information; WRITE Personal Information; WRITE Public Information; WRITE proxyAddresses; WRITE showInAddressBook; WRITE adminDisplayName; WRITE displayName; WRITE displayNamePrintable; WRITE mail; WRITE textEncodedORAddress; WRITE publicDelegates; WRITE garbageCollPeriod; WRITE legacyExchangeDN

Exchange Servers (INHERITED): CREATE/DELETE msExchActiveSyncDevices; WRITE groupType; WRITE msExchMailboxSecurityDescriptor; WRITE msExchUserCulture; WRITE msExchMobileMailboxFlags; WRITE msExchSafeRecipientsHash; WRITE userCertificate; WRITE msExchBlockedSendersHash; WRITE publicDelegates; WRITE msExchSafeSendersHash; WRITE msExchUMServerWritableFlags; WRITE msExchUMDtmfMap; WRITE msExchUMSpokenName; WRITE msExchUMPinChecksum

Exchange Windows Permissions (EXPLICIT): WRITE PERMISSIONS; DELETE TREE; DELETE

Exchange Windows Permissions (INHERITED): CREATE inetOrgPerson; CREATE computer; CREATE group; CREATE organizationalUnit; CREATE user; CREATE contact; Reset Password; WRITE Add/Remove self as member; WRITE sAMAccountName; WRITE pwdLastSet; WRITE managedBy; WRITE userAccountControl; WRITE countryCode; WRITE wWWHomePage

Page 49:

User Accounts with AdminSDHolder

Organization Management (INHERITED), Exchange Trusted Subsystem (INHERITED): FULL CONTROL msExchDynamicDistributionList; WRITE Exchange Personal Information; WRITE Exchange Information; WRITE Personal Information; WRITE Public Information; WRITE proxyAddresses; WRITE showInAddressBook; WRITE adminDisplayName; WRITE displayName; WRITE displayNamePrintable; WRITE mail; WRITE textEncodedORAddress; WRITE publicDelegates; WRITE garbageCollPeriod; WRITE legacyExchangeDN

Exchange Servers (INHERITED): Replication Synchronization; WRITE groupType; WRITE msExchMailboxSecurityDescriptor; WRITE msExchUserCulture; WRITE msExchMobileMailboxFlags; WRITE msExchSafeRecipientsHash; WRITE userCertificate; WRITE msExchBlockedSendersHash; WRITE publicDelegates; WRITE msExchSafeSendersHash; WRITE msExchUMServerWritableFlags; WRITE msExchUMDtmfMap; WRITE msExchUMSpokenName; WRITE msExchUMPinChecksum

