
AD DS – Services & Ports Overview

November 14, 2012

I actually made this Visio drawing quite some time ago; however, today a friend of mine asked me if I knew which ports AD DS uses, so I thought I would share it with everybody 🙂

AD DS – Services and Ports Overview

Categories: Uncategorized

Set NTFS folder permissions using GPO

January 13, 2012

Okay… so… today's post isn't something big that revamps how you should do your daily tasks; it's a small piece of advice on how to get the business running again should you encounter a specific situation.

Imagine the following case: you and your colleagues across different departments have been hard at work building the entire setup for your new customer.
Servers have been in-sourced, client computers have been changed to meet new standards, and a new Windows 7 image has been created with some of their business-critical applications integrated directly, while SCCM is configured to take care of the rest of the deployment once the right users log in for the first time.
Your colleagues in the Remote Desktop Services department have even set up 50 new RDS servers in a special Home Workspace setup. Everything is tested and has been found to work beautifully.

Monday comes and the customer starts working on the new system, but just as they fire up one of their business-critical applications it crashes, for all of the users.

You discover that this is all due to incorrect NTFS permissions on the application's folder. The application is, sadly, installed directly in the image for all the client computers and even on the RDS servers.

Of course the image and the RDS server setup need to be corrected and repacked, but this won't solve the current incident for all the users right now.

You could of course create a script and/or use cacls.exe to set the right permissions on the folder, BUT let me show you another neat trick you can do with Group Policy Objects directly through the GUI.

Here’s a Step By Step guide to how you can do this.

1. Go to Start >“Search Programs and files”.

2. Type GPMC.msc and hit enter.

Please see Figure 1 for an image corresponding to the above steps.


Figure 1: Open GPMC

3. Go to the Group Policy Objects folder.

4. Right click and select “New”.

Please see Figure 2 for an image corresponding to the above steps.


Figure 2: Create a new GPO

5. Give the new GPO a good name so it’s easy to identify later on.

6. Click “OK”.

Please see Figure 3 for an image corresponding to the above steps.


Figure 3: Give the GPO a *good* name (Do not use the one in the example)

7. Edit the GPO and browse to the following location within:
Computer Configuration > Policies > Windows Settings > Security Settings > File System.

8. Right-click "File System" and click "Add File…".

Please see Figure 4 for an image corresponding to the above steps.


Figure 4: Go to the File System part and select New

9. Select the application folder at the correct file system location.
If the application folder doesn't exist on the computer you're using, simply create the folder in the correct place and select it.

10. Click the “OK” button.

Please see Figure 5 for an image corresponding to the above steps.


Figure 5: Select or create the needed folder

11. You’ll now be presented with a Security window for the selected folder.
You should verify the permissions shown in the window before you proceed to the next step.

12. In our example we’ll add the “Domain Users” group to the security permissions. Do this by selecting the “Add” button.

Please see Figure 6 for an image corresponding to the above steps.


Figure 6: The Security window will appear

13. Type “Domain Users” into the “Enter the object names to select” field.

14. Select the “OK” button.

15. Select "Domain Users" and set the needed permissions. Here we have added Allow: Modify.
Your setup might need a whole lot of other permissions; this is only shown as an example, and you should verify that all the permissions are set up as needed in your environment.

16. When done, simply select the "OK" button.

Please see Figure 7 for an image corresponding to the above steps.


Figure 7: Edit the security permissions

17. The "Add Object" window will now appear, where you make the final decision on how the permissions are propagated to the subfolders and files, i.e. how the inheritable permissions apply to the files and folders beneath.

18. When done, simply select the "OK" button.

Please see Figure 8 for an image corresponding to the above steps.


Figure 8: Select the appropriate settings

19. Once you're through, you'll be presented with a view more or less identical to Figure 9.
All you need now is to link the GPO to the correct OU in the Group Policy Management Console, and if you're not using the User part of the GPO, disable it just to keep things as they should be.


Figure 9: Done! You're Now a Hero!
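The post mentions a script or cacls.exe as the alternative to the GPO. As an added example that is not from the original post, here is that scripted route in PowerShell with the .NET ACL classes: it grants Domain Users Modify on the application folder with the same "this folder, subfolders and files" inheritance the GPO step applies, verifies the ACE afterwards, and lists the explicit ACEs so that any overly broad grant stands out. The folder path C:\Program Files\BusinessApp and the CONTOSO domain name are placeholders.

```powershell
# Added example (not part of the original post): apply and verify the same NTFS
# change the GPO above makes, scripted with the .NET ACL classes.
# Assumptions: the folder path and the domain\group below are placeholders.

param(
    [string]$Folder    = 'C:\Program Files\BusinessApp',   # placeholder path
    [string]$Principal = 'CONTOSO\Domain Users'            # placeholder principal
)

function Test-ModifyAccess {
    # Returns $true when the principal already holds an Allow ACE that covers
    # Modify on the folder (explicit or inherited).
    param([string]$Path, [string]$Identity)

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $modify) -eq $modify) {
            return $true
        }
    }
    return $false
}

function Grant-ModifyAccess {
    # Adds "Allow: Modify" for the principal, inherited by subfolders (ContainerInherit)
    # and files (ObjectInherit), the GUI's "This folder, subfolders and files" choice.
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder '$Path' does not exist on this computer."
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
         [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)   # adds one ACE; the existing ACEs are left untouched
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-ModifyAccess -Path $Folder -Identity $Principal) {
    Write-Host "$Principal already has Modify on $Folder; nothing to do."
} else {
    Grant-ModifyAccess -Path $Folder -Identity $Principal
    if (Test-ModifyAccess -Path $Folder -Identity $Principal) {
        Write-Host "Granted Modify to $Principal on $Folder."
    } else {
        Write-Warning "The ACE was written but could not be verified; inspect the ACL with Get-Acl."
    }
}

# Audit view: every explicit (non-inherited) ACE on the folder, so that a broad
# grant such as Everyone: FullControl is noticed before the image is repacked.
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```

Run it on one affected machine to confirm the ACE is what the application needs before rolling the GPO out; the GPO remains the better vehicle for the fleet because its File System setting is re-applied at policy refresh, whereas an ad hoc script fixes the folder only once.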

I hope you enjoyed this little guide on how to save the day. I look forward to reading your comments 🙂

Categories: Group Policy

“Recover” GPO Rights

January 6, 2012

Have you ever experienced that a junior administrator or someone else accidentally set a Deny "Read" permission for e.g. "Authenticated Users" on a Group Policy Object when they actually wanted Deny "Apply GPO"? If you're experiencing this problem or something similar, this post is certainly for you.

I’d like to show you 2 methods to discover the GUID for the Group Policy Object which is needed to “recover” the rights, which I’ll show you in the last part of this post.

Anyway… go grab a cup of coffee and let’s get started! 🙂

Part 1 – Find GUID – Easy Way

If the GPO link isn’t deleted in the Group Policy Management Console, you can easily find the GUID using these simple steps.

1. Go to Start > Run.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.

2. Type GPMC.msc and hit enter.

3. Browse to the location where the object is LINKED to.
You won’t be able to find it in the Group Policy Objects container since you no longer have access to “read” it.


Figure 1: Open GPMC and browse to the linked location of the object.

4. Select the GPO object named “Inaccessible”.


Figure 2: Select "Inaccessible".

5. Copy the GUID which appears under the scope tab in the content view of the Group Policy console.


Figure 3: Copy the GUID (Unique ID) from the content view.

That’s it. If you could find the GUID using this way you can now jump to the 3rd part of this guide.

Part 2 – Find GUID – Advanced

If the link has been deleted within the GPMC console, you'll have to use another approach to find the GUID.
My best offer is to use adsiedit.msc, which requires the Windows Support Tools to be installed on Windows Server 2003; on Windows Server 2008 the tool is available by default.

In the next few steps I’ll show you how to use adsiedit.msc to discover the GUID of the Group Policy Object.

1. Go to Start > Run.

2. Type adsiedit.msc and hit enter.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.


Figure 4: Go to Run and type adsiedit.msc

3. Expand the DC container.

4. Expand the System container.

5. Expand the Policies container.


Figure 5: Expand the Containers

6. Scroll through the list of group policy objects in the content view of adsiedit.msc and locate the GUID that is shown with a notepad-like document icon.
Notice that the other GUIDs look like folders.

7. Copy this GUID.


Figure 6: Copy the GUID

Okay… now we have the GUID of the object whose rights we need to recover.
If you're done with your coffee, you should grab another one now and come back to part 3 afterwards!

Part 3 – Recover Procedure

1. Go to Start > Run.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.

2. Type cmd and hit enter.


Figure 7: Run CMD

3. Type the following command: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain>
Please notice that you should of course replace <GUID> with the one you copied from either part 1 or part 2 of this guide, and that dc=<domain>,dc=<domain> should be replaced with the distinguished name components of your domain.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com


Figure 8: Run the dsacls command-line tool

You'll now be shown a list with two columns. The first column lists the users and groups and the second column lists the permissions.
In the example provided here, you should simply look for the word "Deny".


Figure 9: View Rights on the GPO

4. If the object has been denied for the specific group or user, you can run the following command: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain> /R USER/GROUP
Please notice that you should of course replace <GUID> with the one you copied from either part 1 or part 2 of this guide, that dc=<domain>,dc=<domain> should be replaced with the distinguished name components of your domain, and that USER/GROUP should be replaced with the name of the user or group that was denied.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com /R "Authenticated Users"

5. It might be a good idea to give the user/group that was denied access to the object earlier some more rights to the object than just Read. You'll have to adjust this to whatever you're trying to recover in your environment.
Please type the following line: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain> /G USER/GROUP:GA
Please notice that you should of course replace <GUID> with the one you copied from either part 1 or part 2 of this guide and that dc=<domain>,dc=<domain> should be replaced with the distinguished name components of your domain. USER/GROUP should be replaced with the name of the user or group that was denied earlier.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com /G "Authenticated Users":GA


Figure 10: Grant "Generic All" to Authenticated Users

6. Head back to the Group Policy Management Console and find the place where the GPO is linked, or check the Group Policy Objects container.
It's now possible to edit the Group Policy Object again, since the rights have been "restored".


Figure 11: The GPO rights are now "restored".
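The same recovery as an added PowerShell example (not part of the original post), using the ActiveDirectory module's AD: drive with Get-Acl/Set-Acl in place of dsacls. Two differences from the dsacls steps are deliberate: dsacls /R strips every ACE for the principal, Allow and Deny alike, whereas the function below removes only the Deny entries; and instead of :GA (Generic All) it re-grants Read plus the "Apply Group Policy" extended right, which is all a client needs to process the GPO. The GUID is a placeholder for the one found in part 1 or 2, Authenticated Users is addressed by its well-known SID S-1-5-11, and the script assumes it runs as a member of the group that owns the GPO (normally Domain Admins), whose implicit owner rights to read and rewrite the DACL survive the Deny ACE (the same thing that lets the dsacls step above work).

```powershell
# Added example (not part of the original post): the dsacls procedure above done
# with Get-Acl/Set-Acl on the AD: drive. Assumptions: the GUID below is a
# placeholder for the recovered one; the script runs as a member of the GPO's
# owning group (normally Domain Admins); the principal to restore is
# Authenticated Users (well-known SID S-1-5-11).

Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl/Set-Acl

$GpoGuid  = '{00000000-0000-0000-0000-000000000000}'   # placeholder: replace with the GUID from part 1 or 2
$Identity = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # "Apply Group Policy" extended right

# Same object dsacls is pointed at: CN=<GUID>,CN=Policies,CN=System,<domain DN>
$gpoDn  = "CN=$GpoGuid,CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$adPath = "AD:\$gpoDn"

function Get-GpoDenyAce {
    # The "look for the word Deny" step: returns the Deny ACEs on the GPO object,
    # optionally only those belonging to one SID.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)

    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($null -eq $Sid -or
         $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value)
    }
}

function Remove-GpoDenyAce {
    # Narrower than "dsacls <DN> /R <principal>": only Deny ACEs for the SID are
    # removed; any Allow ACEs for the same principal stay. Returns the count removed.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)

    $acl = Get-Acl -Path $Path
    $removed = 0
    foreach ($ace in @(Get-GpoDenyAce -Path $Path -Sid $Sid)) {
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $removed
}

function Restore-GpoReadApply {
    # Re-grants what a client needs to process the GPO: GenericRead on the object
    # plus the "Apply Group Policy" extended right (the post grants GA instead).
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)

    $acl = Get-Acl -Path $Path
    $read = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $apply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ApplyGroupPolicyGuid)
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($apply)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Show what is wrong before changing anything (all Deny ACEs on the object).
Write-Host "Deny ACEs on $gpoDn :"
Get-GpoDenyAce -Path $adPath | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize

# 2. Remove the Deny for Authenticated Users, then restore Read + Apply Group Policy.
$n = Remove-GpoDenyAce -Path $adPath -Sid $Identity
Write-Host "Removed $n Deny ACE(s) for Authenticated Users."
Restore-GpoReadApply -Path $adPath -Sid $Identity

# 3. Verify that no Deny remains for the principal.
if (@(Get-GpoDenyAce -Path $adPath -Sid $Identity).Count -eq 0) {
    Write-Host "No Deny ACEs remain for Authenticated Users; the GPO should be readable in GPMC again."
}
```

GPMC's Delegation tab writes the same delegation to the GPO's folder under SYSVOL as well, so after fixing the AD object check \\<domain>\SYSVOL\<domain>\Policies\{GUID} with Get-Acl too; otherwise GPMC reports that the SYSVOL permissions are inconsistent with those in Active Directory.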


I hope you enjoyed this little guide and that it might help you in your future work.

What’s going on?

December 16, 2011

Hey folks

Really sorry for the absence, but I've been really busy over the last month.

I'm currently involved in a few migration projects for some of our customers, and as a bonus I've somehow got involved in another case with some strange VDI behavior which is top priority.

However, I've been lucky enough to attend a course where Craig Forster was the instructor; this is one hell of a skilled guy… if you ever get a tough case regarding Active Directory, this is the guy you need to call Microsoft for.
Craig works for Microsoft as a Senior Premier Field Engineer and he really deserves that title.

Craig has a LinkedIn profile which you can find here: http://www.linkedin.com/in/craigforster

Anyway… please stay tuned as I’m about to post some really sweet new posts here on quite some interesting subjects.

Categories: Uncategorized

Achieved My Enterprise Administrator Title

October 25, 2011

Just a simple post to let you all know, that I’m now certified as an Enterprise Administrator (MCITP: Enterprise Administrator).

I earned my title on October 14, 2011.

MCITP: Enterprise Administrator Certification


Categories: Uncategorized

AD DS Forest Models

October 7, 2011

Continuing on the theory concept, let's take a look at another kind of model regarding AD DS design: forest models.

The following text and images are all copied from the Microsoft 70-647 2nd Edition Training Kit.

Organizational Forest Model

In the organizational forest model, user accounts and resources exist in the same forest and are managed separately. The organizational forest model is used to provide service autonomy, service isolation, or data isolation.

Use the organizational forest model when you need to provide exclusive or inclusive control of the AD DS infrastructure or when you need to prevent administrators from controlling or viewing a subset of data in the directory or on member computers joined to the directory.

The figure below illustrates the organizational forest model.

Organizational Forest Model

Resource Forest Model

In the resource forest model, a separate forest is used to manage resources. Resource forests do not contain user accounts other than those required for services. Forest trusts are established so that users from other forests can access the resources contained in the resource forest. Resource forests, illustrated in the figure below, provide service isolation.

Use the resource forest model when you need to provide exclusive control of the AD DS infrastructure.

Resource Forest Model

Restricted Access Forest Model

In the restricted access forest model, illustrated in the figure below, a separate forest is created to contain user accounts and data that must be isolated from the rest of the organization. Restricted access forests provide data isolation.

Use the restricted access forest model when you need to prevent administrators from controlling or viewing a subset of data in the directory or on member computers joined to the directory.

Restricted Forest Model

Categories: Active Directory

Microsoft Active Directory Topology Diagrammer

September 29, 2011

Okay… so here's a tool which isn't that common but actually deserves some attention.

The ADTD utility is a superb small tool which is really helpful in the event you're assigned a task at a customer who has no idea where the documentation of their AD DS is, or whether they even have any.

ADTD gives you the possibility to make a diagram of your Active Directory topology, including Exchange-specific details. You also get the possibility to add information about domains, sites, OUs, GPO objects (including their names and where they're linked in the OU hierarchy), servers, DFS-R and quite a few other things.

If need be, it can even draw partial details of your environment, like information regarding a specific domain or site.

Prerequisites

  • First of all, you need to grab a copy of Visio 2003 or newer and install it.
  • Secondly, go to the link at the bottom of this article and download and install the ADTD utility.

Main Window

Once fired up, you'll be met with the application window shown in Figure 1.
In the Server/Domain textbox you need to enter the IP address of a Global Catalog DC or the domain name.

When ADTD launches, it initially shows the first of the seven tabs, which contains the settings regarding domains.

Domain Tab

  1. If you wish to get a drawing of your domains you must first check the "Draw Domains" checkbox.
  2. Then specify which part of the Active Directory structure you wish to have drawn by selecting it in the dropdown box.
  3. Under "Domain Details" you need to specify where the ADTD utility should gather its information from. You can choose either DNS or GC. Personally, I recommend going with DNS as a first choice.
  4. Under "Trusts" you must select what kind of information you wish to gather about incoming and outgoing trusts in your AD DS. Please notice the checkbox for getting details for trusted AD domains.
  5. Under "Users" you simply get the ability to count the number of user accounts currently present in each domain.
    Beware that this takes quite some time and may make ADTD appear unresponsive.
  6. Finally, "Global Catalog" simply gives you the ability to detect which DCs are also GCs.

Figure 1: Main Window

OUs Tab

  1. If you wish to get a drawing of your OU structure you must first check the "Draw Organizational Units" checkbox.
  2. Then specify which part of the OU structure you wish to have drawn by selecting it in the dropdown box under the "Draw OUs" section.
  3. If you want to limit the number of OU levels to dive into, enable "Limit OU Levels to:" under "OU Details".
    Leaving it unchecked will render all OU levels.
  4. Under "GPO Details" you get a very cool option to add GPO names to the OU Visio drawing.
    By enabling this checkbox you will not just get an OU diagram showing that a GPO is linked to a specific OU, but you'll also get the actual GPO name.

Figure 2: OU Settings

Sites Tab

  1. If you wish to get a drawing of your site structure you must first check the "Draw Sites" checkbox.
  2. Then specify which part of the site structure you wish to have drawn by selecting it in the dropdown box under the "Draw Site" section.
  3. Under "Site Links" you need to specify whether you want to check for (and, if found, draw) IP and SMTP site links.
    Normally you'll be fine with having only "IP Site Links" checked.
  4. Under "Replication Connections" you can specify whether you want both intra- and intersite connections added to the drawing.
    You also get to specify whether you want more details or not by checking "Detailed Replication Connections".
    Finally, you have the possibility to leave empty sites out of the drawing by checking "Suppress empty Sites".
  5. Under "Subnets" you get the option to include information about the subnets at each site.
  6. Under "Site Links containing >=2 Sites" you can select to have all possible connections drawn.
    Whether you need this or not probably depends on whatever problem you're currently trying to solve.

Figure 3: Site Settings

Exchange Tab

  1. If you wish to get a drawing of your Exchange structure you must first check the "Draw Exchange Organization" checkbox.
  2. Under "Message Connectors" you must specify the connector types you wish to include in the drawing.
    Normally you can probably do with having just SMTP and X.400 selected, but there are a few other interesting entries you might need in your situation, e.g. Lotus Notes connectors if Lotus Notes is deployed in the environment.
  3. Under "Replication Connectors" you'll find the possibility to include Exchange 5.5 site-to-site connectors.
    You only need this if you have Exchange 5.5.
  4. Under "SMTP Connectors" you can specify whether to get detailed information regarding the SMTP connectors.
    Whether you need this or not depends mostly on your current situation.
  5. Under "Mailboxes" you'll get an option for counting the mailboxes on each Exchange server.
    Beware that this takes quite some time and may make ADTD appear unresponsive.
  6. Under "Servers" you get the option to "Suppress Domain Controllers". Selecting this will display ONLY Exchange servers in the Exchange Visio drawing.
  7. Finally, there's a "Drawing options" section where you get the possibility to select whether you want Exchange servers listed in Exchange Routing Groups or in AD sites.
    Whether you want the former or the latter depends mostly on what you're currently trying to accomplish.
    Beware that this option takes quite some time and may make ADTD appear unresponsive.

Figure 4: Exchange Settings

Applications Tab

  1. If you wish to get a drawing of your Application Directory Partitions you must first check the "Draw Application Partitions" checkbox.
  2. Then specify which part of the application partition structure you wish to have drawn by selecting it in the dropdown box under the "Draw Application Partitions" section.
    If you're drawing these Visio documents because you need detailed information regarding an AD DS environment, I'd recommend that you draw the entire application partition structure, since you'll be able to quickly identify whether or not you have more application partitions than the default "ForestDNSZones" and "DomainDNSZones".

Figure 5: Application Partitions

DFS-R Tab

  1. If you wish to get a drawing of your DFS-R (Distributed File System Replication) structure you must first check the "Draw DFS Replication" checkbox.
  2. Then specify which part of the Active Directory structure you wish to have drawn by selecting it in the dropdown box under the "Draw DFS Replication" section.

Figure 6: DFS-R Settings

Servers Tab

  1. If you wish to get a drawing of your Domain Controllers you must first check the "Draw Servers" checkbox.
    This will not draw anything other than DCs.
  2. Then specify which information regarding your DCs you wish to include in the drawings by selecting one or more of the checkboxes under the "Draw Servers" section.
    • "Include Server Version" will include the version of the OS installed on the DC.
    • "Draw FQDN Server Names" will enter server names as Fully Qualified Domain Names instead of just their hostnames.
    • "Colorcode Server per Domain" will group DCs in color groups depending on which domain they're part of.
      If you have a single-domain forest, this option will not give you any value.

Figure 7: Servers Settings

Discover Button

Once you're satisfied with your selections, you simply hit the "Discover!" button.
Once the discovery is complete, you'll get a status message like the one in Figure 8.

Figure 8: Statusbar

Draw!

Now, with the discovery process complete, simply hit the "Draw!" button and wait for the magic to happen.
Visio opens and adds the different components to the canvas, but the drawing is not complete until ADTD says "Drawing Complete!" in the status bar.
The drawings are automatically saved in the Documents folder of your current user account.
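As an added example that is not part of the post or of the ADTD tool itself, the following PowerShell function collects the same facts the Domain, Sites, Servers, Applications and OUs tabs draw, using the ActiveDirectory and GroupPolicy modules, and returns them as one object you can export or diff against a previous run. It assumes a domain-joined machine with the RSAT modules (the Get-ADReplication* cmdlets need the Windows Server 2012-era module, newer than the tooling current when the post was written), covers the current domain only, and the output path under Documents is an assumption.

```powershell
# Added example (not from the original post or the ADTD tool): gather what the
# ADTD tabs draw, as data. Assumptions: ActiveDirectory and GroupPolicy RSAT
# modules available; current domain only; output file path is a placeholder.

Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-AdTopologySnapshot {
    # Returns forest, domain, site, server, partition and OU/GPO-link data
    # roughly matching the Domain, Sites, Servers, Applications and OUs tabs.
    param(
        [int]$MaxOuDepth = 3   # counterpart of ADTD's "Limit OU Levels to:"
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Domain + Servers tabs: DCs with GC flag and OS version, plus trusts.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, IPv4Address
    $trusts = Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, IntraForest

    # Sites tab: sites, subnets and site links (cost and interval).
    $sites     = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
    $subnets   = Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
    $siteLinks = Get-ADReplicationSiteLink -Filter * |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

    # Applications tab: the post's tip is to look for partitions beyond the two
    # default DNS partitions, so anything else is listed separately.
    $extraPartitions = @($forest.ApplicationPartitions |
        Where-Object { $_ -notmatch '^DC=(ForestDnsZones|DomainDnsZones),' })

    # OUs tab with "GPO Details": every OU down to $MaxOuDepth with the names of
    # the GPOs linked to it, in link order as Get-GPInheritance reports them.
    $ous = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName) {
        # depth = number of OU= components in the DN (commas inside values are escaped with \)
        $depth = @($ou.DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'OU=*' }).Count
        if ($depth -gt $MaxOuDepth) { continue }
        $links = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
            Select-Object Order, DisplayName, Enabled, Enforced
        [pscustomobject]@{
            DistinguishedName = $ou.DistinguishedName
            Depth             = $depth
            LinkedGpos        = @($links)
        }
    }

    [pscustomobject]@{
        ForestName                 = $forest.Name
        ForestMode                 = $forest.ForestMode
        Domains                    = $forest.Domains
        GlobalCatalogs             = $forest.GlobalCatalogs
        DomainControllers          = $dcs
        Trusts                     = $trusts
        Sites                      = $sites
        Subnets                    = $subnets
        SiteLinks                  = $siteLinks
        ExtraApplicationPartitions = $extraPartitions
        OrganizationalUnits        = $ous
        Collected                  = (Get-Date).ToString('s')
    }
}

# Usage: take a snapshot, surface the things a reviewer checks first, and keep a
# JSON copy so the next run can be diffed against it.
$snap = Get-AdTopologySnapshot -MaxOuDepth 3
$snap.DomainControllers | Format-Table -AutoSize
if ($snap.ExtraApplicationPartitions.Count -gt 0) {
    Write-Warning "Non-default application partitions found: $($snap.ExtraApplicationPartitions -join ', ')"
}
$snap.OrganizationalUnits |
    Where-Object { $_.LinkedGpos.Count -gt 0 } |
    ForEach-Object { "{0}: {1}" -f $_.DistinguishedName, (($_.LinkedGpos | ForEach-Object DisplayName) -join '; ') }
$snap | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $env:USERPROFILE 'Documents\ad-topology.json')   # placeholder path
```

Keeping the JSON from each engagement beside the Visio drawing gives you something the picture does not: a diff of trusts, GC placement, site links and GPO links between visits, which is where unexpected changes to the environment show up first.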

External Links

You can download ADTD by clicking the link below:
Download ADTD