Active Directory: Permission Delegation
Preface:
Our organization is growing day by day; AD security is becoming stricter, and its monitoring and auditing are done frequently. The AD infrastructure was built almost 13 years back. Initially it was built on Windows Server 2003, then migrated from time to time, and presently all DCs are Windows Server 2019 (Domain & Forest Functional Level is Windows Server 2008 R2).
Goals:
Delegate to the IT Helpdesk ID (a member of G_ITHelpdesk) the permissions for AD ID unlock, password reset and domain joining.
Observation & Actions:
1. The IT Helpdesk Team uses a Domain Admin ID for their day-to-day jobs: AD ID unlocks, password resets and domain joining.
- This is clearly a security violation. Before revoking the Domain Admin permission, we need to create one Helpdesk ID (i.e. ITHelpdesk). I prefer to delegate the AD job permissions to a group (i.e. G_ITHelpdesk), with ITHelpdesk as a member of this group.
2. There is a “Users” and a “Computers” OU for each department, nested in the individual “Department” OU.
- Suppose there is a “Finance Dept” OU; Users and Computers are two OUs nested into this OU, and similarly for “Marketing Dept” and the other departments. This kind of AD structure is never recommended: it not only makes delegation tasks difficult, it also makes it difficult to apply GPOs. So I have created two master OUs, one for all computers (i.e. BLUE_Computers) and the other for all users (i.e. BLUE_Users). Under these OUs we have created different OUs, such as Department, Building or Floor-wise. It is good practice not to keep computers under the default “Computers” container; move them to a different OU.
3. Servers are kept in the same master OU along with desktops/laptops. AD groups also share the same place along with users.
- Servers are moved to a separate master OU (i.e. BLUE_Servers). We can create separate OUs under this by their OS.
4. Several unused/disabled users and inactive/disabled computers are scattered across the AD.
- Disabled and inactive objects go to a separate master OU (i.e. BLUE_InactiveObjects).
So, before AD permission delegation, in my scenario an AD restructure is required. Restructuring an existing AD requires the utmost care. Before starting, check all the GPOs deeply: what their settings are, where they are applied, whether there are any exceptions, and whether any OU has “Block Policy Inheritance”. Also, sometimes an application-specific OU is created, which means the path of the OU is hardcoded into the application and only users from this OU can be authenticated and permitted to access the application. I have segregated all the GPOs according to their settings, either user-based or computer-based (i.e. GPO_USR_Friendly Name or GPO_DTP_Friendly Name). I also recommend you start with either users or computers, not both at a time. My experience says start with computers, because there are fewer GPOs for computers.
Process:
Delegation: Password Reset & ID Unlock
We’ll delegate all permissions to the G_ITHelpdesk group. The ITHelpdesk user is a member of this group.
Select BLUE_Users > Delegate Control > Select User or Group (i.e. G_ITHelpdesk) > Select “Create a custom task to delegate” > Select “Only the following objects in the folder” & “User objects” > Select only “General” & “Property-specific” > In the permissions box select the following permissions:
- Reset password
- Read lockoutTime
- Write lockoutTime
- Write pwdLastSet
Issue: The Helpdesk Team may complain that for a few users they are not able to unlock the AD ID or reset the password. Certainly, the delegated user can’t do these activities for Domain Admins or other protected users (accounts with higher privileges). But issues may arise for a few normal users also. It happens due to changes in the properties of the user ID: at some point these users may have had a higher privilege. You need to check the properties of these user IDs > Security tab > Advanced button > check the Inheritance button; inheritance should be Enabled.
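The inheritance check described above, done across the whole OU instead of one user at a time. This is an added example and not the post's own script; it assumes the RSAT ActiveDirectory module and the BLUE_Users OU name from the post, and reads the domain DN at run time.

```powershell
# Added example (not the post's own code). Assumes the RSAT ActiveDirectory module and
# the BLUE_Users OU from the post; the domain DN is read from the domain at run time.
Import-Module ActiveDirectory

function Get-UsersWithBlockedInheritance {
    # Returns users under $SearchBase whose DACL has inheritance disabled
    # (AreAccessRulesProtected), the state the post tells you to look for in
    # Security > Advanced. adminCount is shown because a value of 1 marks an account
    # that was once in a protected group, the usual reason inheritance got disabled.
    param([string]$SearchBase = "OU=BLUE_Users,$((Get-ADDomain).DistinguishedName)")
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, adminCount
}

function Enable-UserAclInheritance {
    # Re-enables inheritance on one user object so the OU-level delegation applies
    # again, and clears the stale adminCount flag left from the old privilege.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # isProtected=$false: inherit from the OU
    Set-Acl -Path $path -AclObject $acl
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
}

# Report first; re-enable inheritance only for accounts that are genuinely no longer privileged.
Get-UsersWithBlockedInheritance | Format-Table -AutoSize
```

Accounts that are still members of a protected group will have inheritance disabled again by the next AdminSDHolder run, so confirm the account has really been removed from those groups before calling Enable-UserAclInheritance on it.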
Delegation: Domain Join & Disjoin
We’ll delegate this permission also to the G_ITHelpdesk group. The ITHelpdesk user is a member of this group.
Select BLUE_Computers > Delegate Control > Select User or Group (i.e. G_ITHelpdesk) > Select “Create a custom task to delegate” > Select “Only the following objects in the folder” & “Computer objects” > Select only “General” & “Property-specific” > In the permissions box select the following permissions:
- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
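Both wizard runs above (password reset and ID unlock on BLUE_Users, domain join and disjoin on BLUE_Computers) written as ACEs in PowerShell, so the delegation can be scripted and reviewed. This is an added example and not the post's own code; it assumes the RSAT ActiveDirectory module and the OU and group names used in the post, and looks up every GUID from the schema and Extended-Rights containers rather than hard-coding them.

```powershell
# Added example (not the post's own code). Assumes the RSAT ActiveDirectory module and the
# OU/group names from the post; the domain DN is read at run time.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$rootDSE  = Get-ADRootDSE

# Resolve class/attribute GUIDs from the schema and extended-right/property-set GUIDs from
# Extended-Rights, so no GUID is hard-coded and the names match the wizard's labels.
$attrGuid = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $attrGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }
$helpdeskSid = (Get-ADGroup 'G_ITHelpdesk').SID

function Add-DelegationAce {
    # Adds one Allow ACE for G_ITHelpdesk on $OUPath that applies only to descendant objects
    # of class $AppliesTo (the wizard's "Only the following objects in the folder").
    param(
        [string]$OUPath,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,   # attribute, extended right or property set the ACE covers
        [guid]$AppliesTo     # schema GUID of the object class (user / computer)
    )
    $acl  = Get-Acl -Path $OUPath
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpdeskSid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $AppliesTo)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $OUPath -AclObject $acl
}

# Password reset & ID unlock on BLUE_Users (user objects only), the first wizard run.
$usersOU = "AD:\OU=BLUE_Users,$domainDN"
$user    = $attrGuid['user']
Add-DelegationAce $usersOU ExtendedRight                 $rightGuid['Reset Password'] $user
Add-DelegationAce $usersOU 'ReadProperty, WriteProperty' $attrGuid['lockoutTime']     $user
Add-DelegationAce $usersOU WriteProperty                 $attrGuid['pwdLastSet']      $user

# Domain join & disjoin on BLUE_Computers (computer objects only), the second wizard run.
$compOU   = "AD:\OU=BLUE_Computers,$domainDN"
$computer = $attrGuid['computer']
Add-DelegationAce $compOU ExtendedRight                 $rightGuid['Reset Password']       $computer
Add-DelegationAce $compOU 'ReadProperty, WriteProperty' $rightGuid['Account Restrictions'] $computer
Add-DelegationAce $compOU Self $rightGuid['Validated write to DNS host name']         $computer
Add-DelegationAce $compOU Self $rightGuid['Validated write to service principal name'] $computer
```

Run it from an account that may modify the DACLs of both OUs; afterwards the OU's Security > Advanced tab lists the same entries the wizard's Finish page shows, which makes the delegation easy to audit later.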
The Finish window displays the details of the delegation, i.e. which permissions are delegated to the user/group. We’ll do the same delegation process for the “Computers” container, because it is the default location for domain-joined computers (though you can change it).
Pix 16: Delegation: Domain Join & Disjoin
This is not related to this article, as I find no comment box in the article I read on your blog.
This relates to the article in the link
https://suddhaman.blogspot.com/2019/04/ntp-configuration-for-time-sync.html
Please note that there is no comment box there.
The article is very useful in configuring and syncing time for domain and client computers
Here I find that the NTP server IP is used instead of the NTP server address.
This has solved my sync problem.
Query one: is it risky to use an NTP server for syncing purposes, as I read in so many articles that it is used as a source of DDoS attacks on routers?
Query two: how does your client config command using the IP dynamically change the special poll interval?
I am not a network expert, but your command fixed my time sync.
Query three: even though the time is successfully syncing, the Windows Internet Time tab pops up a timed-out error. Is that a kind of bug?
I have also mentioned this article in the Windows 11 forum tutorial Q and A; the link is given in post 31:
https://www.elevenforum.com/t/sync-clock-time-with-internet-time-server-in-windows-11.1320/page-2#post-217977
Hi, Thanks for your thanks. Please kindly answer my queries