Monday, July 6, 2009

AdminSDHolder: Security or Trouble?

Hello Folks,
We often find that permissions we set on certain accounts are lost after a specific period. To be exact, that period is 60 minutes. What causes the permissions to revert to what they were?
"AdminSDHolder": is that what you said? Then you are 100% right.
What is AdminSDHolder?
The adminSDHolder object lives in the System container of each domain in the forest (CN=adminSDHolder, CN=System, DC=domain-name, DC=com) and is used as a template for the ACLs on members of protected groups.
Every sixty minutes, the PDCe role holder compares the ACL defined on each user object that is a member of a protected group with the ACL defined on the adminSDHolder object. If the ACL on the user object differs from the ACL on the adminSDHolder object, the ACL on the user object is reset to that of the adminSDHolder object.

So what are protected groups?
Protected groups
All objects in Active Directory have an ACL. These ACLs can be changed by anyone with permissions to do so. By default, only administrators have the necessary permissions to do this; however, Active Directory was designed to be scalable, to be used in large, disparate environments, and to support many delegation scenarios.

When you delegate control to users and/or groups (essentially, set permissions on objects for these users and/or groups), you increase the likelihood of giving non-administrative users permissions to modify attributes, permissions, etc. on administrative accounts. For example, consider the scenario in which a group is delegated control over an OU, and in that OU reside several members of the domain admins group. Depending on the permissions defined on the OU, the group that has had permissions delegated to it could be able to change the members of the domain admins group.

This is where the protected groups come in: the ACLs on all members of a protected group are reset every 60 minutes. The reset is performed by the PDCe, and the template that supplies the ACL applied to the protected group members is the adminSDHolder object. Protected groups and the adminSDHolder object exist so that the aforementioned delegation scenario cannot happen. It would be a grave security hole if any user with permissions to change group memberships on all user objects in an OU were able to modify the administrative users.


What groups are considered protected?
The following groups are classed as protected in Windows 2000 SP4 and Windows Server 2003.


Note. Prior to Windows 2000 SP4 this list was somewhat smaller, containing only Administrators, Domain Admins, Enterprise Admins, and Schema Admins.



Administrators

Account Operators

Backup Operators

Cert Publishers

Domain Admins

Enterprise Admins

Print Operators

Schema Admins

Server Operators

The Administrator and krbtgt user objects are also considered protected.
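
The comparison described above can be reproduced as a read-only audit. The following is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and read access to the domain, and `Get-AceSet` is a hypothetical helper name.

```powershell
# Added example (not from the original post). Read-only; needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$template = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Protected groups exactly as listed in the post (Windows 2000 SP4 / Server 2003).
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
                   'Cert Publishers', 'Domain Admins', 'Enterprise Admins',
                   'Print Operators', 'Schema Admins', 'Server Operators'

# Hypothetical helper: flatten an object's DACL into sorted, comparable strings.
function Get-AceSet([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}

# Users that are direct or nested members of a protected group. Groups that do
# not exist in this domain (e.g. Schema Admins outside the forest root) are skipped.
$accounts = @(foreach ($name in $protectedGroups) {
    Get-ADGroup -Filter "Name -eq '$name'" |
        Get-ADGroupMember -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
})

# Administrator (RID 500) and krbtgt (RID 502) are protected in their own right.
$accounts += Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
$accounts += Get-ADUser -Identity "$($domain.DomainSID.Value)-502"

$templateAces = Get-AceSet $template

# Any difference reported here is what the PDCe would overwrite on its next pass.
$accounts | Sort-Object DistinguishedName -Unique | ForEach-Object {
    $diff = @(Compare-Object $templateAces (Get-AceSet $_.DistinguishedName))
    [pscustomobject]@{
        Account         = $_.SamAccountName
        MatchesTemplate = ($diff.Count -eq 0)
        OnlyOnAccount   = @($diff | Where-Object SideIndicator -eq '=>').InputObject
        OnlyOnTemplate  = @($diff | Where-Object SideIndicator -eq '<=').InputObject
    }
}
```

Because every ACE on the adminSDHolder object is stamped onto all protected accounts, the contents of `$templateAces` are worth reviewing on their own for trustees that should not be there.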

Saturday, July 4, 2009

What's new in Active Directory?

Hi All,
In Windows 2008, Active Directory has been renamed to Active Directory Domain Services (AD DS). AD DS refers to what used to be just called Active Directory in the past with the same tools, architectural design, and structure that was introduced in Windows 2000 and Windows 2003.
Below is a listing of introduced improvements with links to give you further details about each:
· AD DS: Restartable Active Directory Domain Services
Windows 2008 introduced new capabilities to start or stop directory services running on a domain controller without having to shut it down, allowing administrators to perform maintenance (offline defragmentation, security updates, etc.) or recovery on the AD database without having to reboot into Directory Services Restore Mode.
http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx
· AD DS: Fine-Grained Password Policies
One very significant change with Windows 2008 AD DS is the ability to implement granular password policies in a single domain. Fine-grained password policies always win over the domain password policy, and they can be applied to groups or users. For fine-grained password policies to be implemented, all DCs must be running Windows 2008 and the domain must be in Windows 2008 functional mode.
http://technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx
· AD DS: Auditing
In Microsoft® Windows® 2000 Server and Windows Server 2003, Active Directory audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory (Directory Service Changes) to log old and new values when changes are made to objects and their attributes.
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx
· AD DS: Read-Only Domain Controllers (RODC)
Windows 2008 includes the ability to deploy domain controllers that host read-only partitions of the Active Directory® Domain Services (AD DS) database. To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.
http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx
· AD DS: Database Mounting Tool (Dsamain)
The Active Directory database mounting tool (Dsamain.exe) is a command-line tool that allows administrators to view snapshots of data within an AD DS database (it can also be used with AD Lightweight Directory Services databases). The tool can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
http://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx

Regards,
Alps

Thursday, September 18, 2008

Introducing the Active Directory Discussion Blog

Hello, all. This is the first post in what I hope will be a useful blog for the Windows admin community. In particular, the AD (or directory services in general) admins out there.

In the next few days I will be posting the first *technical* post (this certainly wasn't). So, come on back. Let's see if I can help when you do.