Posts

Active Directory: Permission Delegation

Preface: Our organization is growing day by day, so AD security is becoming stricter and its monitoring and auditing are done frequently. The AD infrastructure was built almost 13 years ago. Initially it was built on Windows Server 2003; it has been migrated from time to time, and presently all DCs are Windows Server 2019 (Domain & Forest Functional Level is Windows Server 2008R2).

Goals: Delegate to the IT Helpdesk ID (a member of G_ITHelpdesk) the permissions for AD ID unlock, password reset and domain joining.

Observation & Actions:
1. The IT Helpdesk Team uses a Domain Admin ID for their day-to-day jobs: AD ID unlocks, password resets and domain joining. This is clearly a security breach. Before revoking the Domain Admin permission, we need to create one Helpdesk ID (i.e. ITHelpdesk). I prefer to delegate the AD job permissions to a group (i.e. G_ITHelpdesk), with ITHelpdesk as a member of this group.
2. "Users" and "Computers" OU for each depa

DNS Server IP Address change in Client Systems through Group Policy

Scenario: Recently our network team restructured the IP segments, and it was recommended to change the IP address of our DNS server. It is an AD-integrated DNS server, and around 1000 desktops and laptops are in the network, all with static IP addresses. We need to change the DNS IP on all of these systems.

Procedure: We can change the DNS IP through Group Policy with the help of a simple *.bat file. We will apply the GPO at Startup as a Computer-based policy. The tricky part is that we need to run the batch file in "Run as Administrator" mode; most Computer-based Startup GPOs are not run in normal mode.

The batch file is as below; suppose its name is DNSIP_Change.bat. Replace your DNS server in "set dnsserver=X.X.X.X":

    @echo off
    set dnsserver=10.10.10.31
    set dnsserver2=10.10.10.30
    for /f "tokens=1,2,3*" %%i in ('netsh interface show interface') do (
      if %%i EQU Enabled (
        rem echo change "%%l" : %dnsserver%
        netsh interface

File Server Migration: Windows Server 2008R2 to Windows Server 2019

Scenario: We have a File Server on Windows Server 2008R2. The File Server has several departmental shares, each accessed only by that department's users. Among those users, a few have RW (Read & Write) permission; the rest have only R (Read) permission. Also, every departmental share has a disk quota, and every authorized user has their shared folder mapped as a network drive in Windows Explorer. In my environment, I have implemented the procedure for 15 different departmental share folders, accessed by different departments of 10-30 users each, where each shared folder volume is 100 GB to 500 GB.

Challenges:
1. Migrated share folders must have the same level of permission as on the W2008 server.
2. Several disk quota templates need to be exported to the new W2019 server to minimize the effort.

The migration should be transparent to users, and their access to the shared folders must be flawless – that means users