Building the Admin Area (Tier0) is a challenge on its own. This area is not only the OU subtree, but many other containers, which will have the “accessing” groups stored here.
There are several steps to build this tier:
- Organizational Units
- Move objects
- Default Administrators Accounts
- Creating Groups
- Fine Grained Password Policy
- Group Nesting
- Modify AdminSdHolder
- Default Container Redirection
- Initial setup of Servers Area (Tier1)
- Initial setup of Sites Area (Tier2)
- Start with Delegations
Organizational Units needed to build Admin Area (Tier0)
We will start with the “Admin” Organizational Unit. When creating an OU, this one does have inherit permissions from the parent, which might become a issue when dealing with high privileged accounts. For example, if there is a rouge delegation at the domain level, which can reset AD User password, this one will be applied to this new Admin OU, which is a security risk.
We start by creating our OU:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | # Create OU $parameters = @{ Name = 'ouName' Path = 'ouPath' City = 'ouCity' Country = 'ouCountry' Description = 'ouDescription' DisplayName = 'strOuDisplayName' PostalCode = 'ouZIPCode' ProtectedFromAccidentalDeletion = $true StreetAddress = 'ouStreetAddress' State = 'ouState' } $OUexists = New-ADOrganizationalUnit @parameters |
This will create the OU, with all pre-defined ACL’s (including Orphan SIDs) and inheritance. And as we already mention, is not what we want. So now that we have this OU, we have to block inheritance, copy ACLs and “Clan it up”; this is done by removing inheritance, and copying the inherited ACLs; then we do remove all of those ACEs that we do not need, as is the case of “Pre-Windows 2000”, “Account Operators” and “Print Operators”. We also be removing any orphan SID (this SID on the ACE which cannot be resolved to a name, most likely because the object was deleted) and any other delegation that might interfere with the setup we are doing here. We will end up with something similar to this:
In order to automate the build of Admin Area (Tier0), EguibarIT PowerShell Module provides some CMDlets that can help:
New-DelegateAdOU
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | New-DelegateAdOU -? NAME New-DelegateAdOU SYNOPSIS Create New custom delegated AD OU SYNTAX New-DelegateAdOU [-ouName] <String> [-ouPath] <String> [[-ouDescription] <String>] [[-ouCity] <String>] [[-ouCountry] <String>] [[-ouStreetAddress] <String>] [[-ouState] <String>] [[-ouZIPCode] <String>] [[-strOuDisplayName] <String>] [[-RemoveAuthenticatedUsers]] [[-CleanACL]] [-WhatIf] [-Confirm] [<CommonParameters>] DESCRIPTION Create New custom delegated AD OU, and remove some groups as Account Operators and Print Operators |
This is a wrapper functions that 1) Checks for OU existence, and create it if doe not exist 2) Calls “Start-AdCleanOU” to remove unwanted ACEs 3) Call “Remove-SpecificACLandEnableInheritance” to manage inheritance and specific ACEs
Start-AdCleanOU
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | Start-AdCleanOU -? NAME Start-AdCleanOU SYNOPSIS Clean default OU permissions. SYNTAX Start-AdCleanOU [-LDAPpath] <String> [[-RemoveAuthenticatedUsers]] [[-RemoveUnknownSIDs]] [<CommonParameters>] DESCRIPTION The function will remove some of the default premission on the provided OU. It will remove the "Account Operators" and "Print Operators" built-in groups. |
This is another wrapper function that provides functionality to clean any other OU. It relies on EguibarIT.Delegation PowerShell Module CMDlets.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | $parameters = @{ Group = 'Account Operators' LDAPPath = 'LDAPPath' RemoveRule = $true } # Remove the Account Operators group from ACL to Create/Delete Users Set-AdAclCreateDeleteUser @parameters # Remove the Account Operators group from ACL to Create/Delete Computers Set-AdAclCreateDeleteComputer @parameters # Remove the Account Operators group from ACL to Create/Delete Groups Set-AdAclCreateDeleteGroup @parameters # Remove the Account Operators group from ACL to Create/Delete Contacts Set-AdAclCreateDeleteContact @parameters # Remove the Account Operators group from ACL to Create/Delete inetOrgPerson Set-CreateDeleteInetOrgPerson @parameters # Remove the Print Operators group from ACL to Create/Delete PrintQueues Set-AdAclCreateDeletePrintQueue @parameters # Remove Pre-Windows 2000 Compatible Access group from Admin-User Remove-PreWin2000 -LDAPPath 'LDAPPath' # Remove Pre-Windows 2000 Access group from OU Remove-PreWin2000FromOU -LDAPPath 'LDAPPath' # Remove ACCOUNT OPERATORS 2000 Access group from OU Remove-AccountOperator -LDAPPath 'LDAPPath' # Remove PRINT OPERATORS 2000 Access group from OU Remove-PrintOperator -LDAPPath 'LDAPPath' # Remove AUTHENTICATED USERS group from OU Remove-AuthUser -LDAPPath 'LDAPPath' # Remove Un-Resolvable SID from a given object Remove-UnknownSID -LDAPPath 'LDAPPath' -RemoveSID |
Creating the sub-OU structure
The following step is to create remaining OUs. By using these functions, we can optimize the creation of ANY OU that we might need, and as described before, building the Admin Area (Tier0). So the following sub-OU have to be created (but not limited to…):
| Sub-OU | Objects | Justification |
| Users | User Identities | Any user object which has administrative rights within the domain. The rights can be inherited, as the Administrator account, by group membership of privileged groups as Domain Admins or Account operators, or any other group used to delegate rights. This OU will have its own set of configurations for the users (GPO) and it will have a Fine Grained Password Policy. |
| Groups | Global/Universal Groups | This container will differentiate the organizational groups from the ones belonging to the Rights OU. These groups (as per definition) should only contain as members, users and other groups, and shall not be granted any right. Only Privileged, Semi-Privileged and Service Accounts can belong to these kinds of groups. This OU will have its own set of configurations for the computers (GPO). |
| Housekeeping | Users & Computers | Staled user objects and computer objects. An automated procedure will search for staled objects and move those to this container in order to delete when thresholds are met. |
| Infrastructure Services | Computers | Any server belonging to Tier0 and providing services exclusively to this area/tier. This could be the virtualization servers, patching servers, deployment servers, monitoring servers, etc. |
| Privileged Groups | Global/Universal Groups | Delegation model Privileged groups. |
| Privileged Access Workstations | Computers | Highly secured computers (known as PAW) used to administer the domain. RDP to manage Domain Controllers is not a desired practice, and doing so from a “standard” PC must be avoided by any means. Instead these designated management computers will fulfill this request. |
| PAW Tier0 | Computers | Privileged Access Workstation restricted exclusively for Administration Area / Tier0 |
| PAW Tier1 | Computers | Privileged Access Workstation restricted exclusively for Servers Area / Tier1 |
| PAW Tier2 | Computers | Privileged Access Workstation restricted exclusively for Sites Area / Tier2 |
| Rights | Domain Local Groups | Any ACL granting access within the domain has to be assigned to these groups. This container will only have groups which are delegated rights. Although this container could be merged with the Groups one, is a good idea to have clearly identified the standard groups (As the ones in the groups container, which its SACLs are not modified nor assigned to any other system object) from the groups which DO have additional access rights. |
| Service Accounts | User/Service Identities | By design, a service account should be guarded and kept extremely secured. Whenever possible, a ServiceAccount object should be created instead. If a ServiceAccount object cannot be created, additional security measures should be implemented. This OU will have its own set of configurations for the users (GPO) and it will have a Fine Grained Password Policy. |
| Service-Accounts Tier 0 | User/Service Identities | Service Accounts and/or Managed Service Accounts used exclusively for Administration Area / Tier0 |
| Service-Accounts Tier 1 | User/Service Identities | Service Accounts and/or Managed Service Accounts used exclusively for Servers Area / Tier1 |
| Service-Accounts Tier 2 | User/Service Identities | Service Accounts and/or Managed Service Accounts used exclusively for Sites Area / Tier2 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 | $Splat = @{ ouPath = $ItAdminOuDn CleanACL =$True } New-DelegateAdOU -ouName $ItAdminAccountsOu -ouDescription $confXML.n.Admin.OUs.ItAdminAccountsOU.description @Splat New-DelegateAdOU -ouName $ItAdminGroupsOU -ouDescription $confXML.n.Admin.OUs.ItAdminGroupsOU.description @Splat New-DelegateAdOU -ouName $ItPrivGroupsOU -ouDescription $confXML.n.Admin.OUs.ItPrivGroupsOU.description @Splat New-DelegateAdOU -ouName $ItPawOu -ouDescription $confXML.n.Admin.OUs.ItPawOU.description @Splat New-DelegateAdOU -ouName $ItRightsOu -ouDescription $confXML.n.Admin.OUs.ItRightsOU.description @Splat New-DelegateAdOU -ouName $ItServiceAccountsOu -ouDescription $confXML.n.Admin.OUs.ItServiceAccountsOU.description @Splat New-DelegateAdOU -ouName $ItHousekeepingOu -ouDescription $confXML.n.Admin.OUs.ItHousekeepingOU.description @Splat New-DelegateAdOU -ouName $ItInfraOu -ouDescription $confXML.n.Admin.OUs.ItInfraOU.description @Splat New-DelegateAdOU -ouName $ItAdminSrvGroups -ouDescription $confXML.n.Admin.OUs.ItAdminSrvGroups.description @Splat # Ensure inheritance is enabled for child Admin OUs $Splat = @{ RemoveInheritance = $false RemovePermissions = $True } Set-AdInheritance -LDAPPath $ItAdminAccountsOuDn @Splat Set-AdInheritance -LDAPPath $ItAdminGroupsOUDn @Splat Set-AdInheritance -LDAPPath $ItPrivGroupsOUDn @Splat Set-AdInheritance -LDAPPath $ItPawOuDn @Splat Set-AdInheritance -LDAPPath $ItRightsOuDn @Splat Set-AdInheritance -LDAPPath $ItServiceAccountsOuDn @Splat Set-AdInheritance -LDAPPath $ItHousekeepingOuDn @Splat Set-AdInheritance -LDAPPath $ItInfraOuDn @Splat # PAW Sub-OUs $Splat = @{ ouPath = $ItPawOuDn CleanACL =$True } New-DelegateAdOU -ouName $ItPawT0Ou -ouDescription $confXML.n.Admin.OUs.ItPawT0OU.description @Splat New-DelegateAdOU -ouName $ItPawT1Ou -ouDescription $confXML.n.Admin.OUs.ItPawT1OU.description @Splat New-DelegateAdOU -ouName $ItPawT2Ou -ouDescription $confXML.n.Admin.OUs.ItPawT2OU.description @Splat New-DelegateAdOU -ouName $ItPawStagingOu -ouDescription $confXML.n.Admin.OUs.ItPawStagingOU.description @Splat # Ensure inheritance is enabled for child Admin OUs $Splat = @{ RemoveInheritance = $false RemovePermissions = $True } Set-AdInheritance -LDAPPath $ItPawT0OuDn @Splat Set-AdInheritance -LDAPPath $ItPawT1OuDn @Splat Set-AdInheritance -LDAPPath $ItPawT2OuDn @Splat Set-AdInheritance -LDAPPath $ItPawStagingOuDn @Splat # Service Accounts Sub-OUs $Splat = @{ ouPath = $ItServiceAccountsOuDn CleanACL =$True } New-DelegateAdOU -ouName $ItSAT0OU -ouDescription $confXML.n.Admin.OUs.ItSAT0OU.description @Splat New-DelegateAdOU -ouName $ItSAT1OU -ouDescription $confXML.n.Admin.OUs.ItSAT1OU.description @Splat New-DelegateAdOU -ouName $ItSAT2OU -ouDescription $confXML.n.Admin.OUs.ItSAT2OU.description @Splat # Ensure inheritance is enabled for child Admin OUs $Splat = @{ RemoveInheritance = $false RemovePermissions = $True } Set-AdInheritance -LDAPPath $ItSAT0OuDn @Splat Set-AdInheritance -LDAPPath $ItSAT1OuDn @Splat Set-AdInheritance -LDAPPath $ItSAT2OuDn @Splat # Infrastructure Servers Sub-OUs $Splat = @{ ouPath = $ItInfraOuDn CleanACL =$True } New-DelegateAdOU -ouName $ItInfraT0Ou -ouDescription $confXML.n.Admin.OUs.ItInfraT0.description @Splat New-DelegateAdOU -ouName $ItInfraT1Ou -ouDescription $confXML.n.Admin.OUs.ItInfraT1.description @Splat New-DelegateAdOU -ouName $ItInfraT2Ou -ouDescription $confXML.n.Admin.OUs.ItInfraT2.description @Splat New-DelegateAdOU -ouName $ItInfraStagingOu -ouDescription $confXML.n.Admin.OUs.ItInfraStagingOU.description @Splat # Ensure inheritance is enabled for child Admin OUs $Splat = @{ RemoveInheritance = $false RemovePermissions = $True } Set-AdInheritance -LDAPPath $ItInfraT0OuDn @Splat Set-AdInheritance -LDAPPath $ItInfraT1OuDn @Splat Set-AdInheritance -LDAPPath $ItInfraT2OuDn @Splat Set-AdInheritance -LDAPPath $ItInfraStagingOuDn @Splat |
We will end up having something similar to this:
Move objects to newly created Admin Area (Tier0)
After our “brand new” container was created, and that is secured, is time to move objects into it. There are many objects that cannot be moved (we are talking about many built-in domain local groups), but for those which can be moved.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | Get-ADUser -Identity $AdminName | Move-ADObject -TargetPath $ItAdminAccountsOuDn Get-ADUser -Identity $confXML.n.Admin.users.Guest.Name | Move-ADObject -TargetPath $ItAdminAccountsOuDn Get-ADUser -Identity krbtgt | Move-ADObject -TargetPath $ItAdminAccountsOuDn Get-ADGroup -Identity 'Domain Admins' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Enterprise Admins' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Schema Admins' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Domain Controllers' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Group Policy Creator Owners' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Read-only Domain Controllers' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Enterprise Read-only Domain Controllers' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'DnsUpdateProxy' | Move-ADObject -TargetPath $ItAdminGroupsOuDn Get-ADGroup -Identity 'Domain Users' | Move-ADObject -TargetPath $ItAdminGroupsOuDn Get-ADGroup -Identity 'Domain Computers' | Move-ADObject -TargetPath $ItAdminGroupsOuDn Get-ADGroup -Identity 'Domain Guests' | Move-ADObject -TargetPath $ItAdminGroupsOuDn Get-ADGroup -Identity 'Allowed RODC Password Replication Group' | Move-ADObject -TargetPath $ItRightsOuDn Get-ADGroup -Identity 'RAS and IAS Servers' | Move-ADObject -TargetPath $ItRightsOuDn Get-ADGroup -Identity 'DNSAdmins' | Move-ADObject -TargetPath $ItRightsOuDn Get-ADGroup -Identity 'Cert Publishers' | Move-ADObject -TargetPath $ItRightsOuDn Get-ADGroup -Identity 'Denied RODC Password Replication Group' | Move-ADObject -TargetPath $ItRightsOuDn # Following groups only exist on Win 2012 Get-ADGroup -Identity 'Protected Users' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Cloneable Domain Controllers' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Access-Denied Assistance Users' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Filter { SamAccountName -like "WinRMRemoteWMIUsers*" } | Move-ADObject -TargetPath $ItPrivGroupsOUDn # Following groups only exist on Win 2019 Get-ADGroup -Identity 'Enterprise Key Admins' | Move-ADObject -TargetPath $ItPrivGroupsOUDn Get-ADGroup -Identity 'Key Admins' | Move-ADObject -TargetPath $ItPrivGroupsOUDn |
We need to have all important objects (Privileged and Semi-Privileged) under our control, thus the reason to have Admin Area.
Default Administrators Accounts
Although an Administrator default account can be tracked down by its well-known sid (SID ending with 500) is a good idea to rename it, and possibly disable it. I know there are many different discussions with regards of this, some of them in favor, and some of those against ir… but we are not going to enter this discussion here. Additionally, we will create a new Administrator Like account, which will have a normal SID instead. After initial setup, the well-known Administrator account should not be used; instead the Admin-Like account will be used. Both accounts should be heavily monitored, and of course, jealously guarded.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | # Try to get the new Admin $NewAdminExists = Get-AdUser -Filter { SamAccountName -eq $newAdminName } # Check if the new Admin account already exist. If not, then create it. If($NewAdminExists) { #The user was found. Proceed to modify it accordingly. $parameters = @{ Enabled = $true UserPrincipalName = ('{0}@{1}' -f $newAdminName, $env:USERDNSDOMAIN) SamAccountName = $newAdminName DisplayName = $newAdminName Description = $confXML.n.Admin.users.NEWAdmin.description employeeId = '0123456' TrustedForDelegation = $false AccountNotDelegated = $true Company = $confXML.n.RegisteredOrg Country = 'MX' Department = $confXML.n.Admin.users.NEWAdmin.department State = 'Puebla' EmailAddress = ('{0}@{1}' -f $newAdminName, $env:USERDNSDOMAIN) Replace = @{ 'employeeType' = $confXML.n.NC.AdminAccSufix0 'msNpAllowDialin' = $false 'msDS-SupportedEncryptionTypes' = '24' } } Set-AdUser -Identity $NewAdminExists } Else { # User was not Found! create new. $parameters = @{ Path = $ItAdminAccountsOuDn Name = $newAdminName AccountPassword = (ConvertTo-SecureString -String $confXML.n.DefaultPassword -AsPlainText -Force) ChangePasswordAtLogon = $false Enabled = $true UserPrincipalName = ('{0}@{1}' -f $newAdminName, $env:USERDNSDOMAIN) SamAccountName = $newAdminName DisplayName = $newAdminName Description = $confXML.n.Admin.users.NEWAdmin.description employeeId = '0123456' TrustedForDelegation = $false AccountNotDelegated = $true Company = $confXML.n.RegisteredOrg Country = 'MX' Department = $confXML.n.Admin.users.NEWAdmin.department State = 'Puebla' EmailAddress = ('{0}@{1}' -f $newAdminName, $env:USERDNSDOMAIN) OtherAttributes = @{ 'employeeType' = $confXML.n.NC.AdminAccSufix0 'msNpAllowDialin' = $false 'msDS-SupportedEncryptionTypes' = '24' } } # Create the new Admin with special values New-AdUser @parameters $NewAdminExists = Get-AdUser -Identity $newAdminName #http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx # 'msDS-SupportedEncryptionTypes'= Kerberos DES Encryption = 2, Kerberos AES 128 = 8, Kerberos AES 256 = 16 } #end esle-if new user created # Set the Protect against accidental deletions attribute Get-AdUser -Identity $AdminName | Set-ADObject -ProtectedFromAccidentalDeletion $true $NewAdminExists | Set-ADObject -ProtectedFromAccidentalDeletion $true # Make it member of administrative groups Add-AdGroupNesting -Identity 'Domain Admins' -Members $NewAdminExists Add-AdGroupNesting -Identity 'Enterprise Admins' -Members $NewAdminExists Add-AdGroupNesting -Identity 'Group Policy Creator Owners' -Members $NewAdminExists Add-AdGroupNesting -Identity 'Denied RODC Password Replication Group' -Members $NewAdminExists #### # Remove Everyone group from Admin-User & Administrator Remove-Everyone -LDAPPath $NewAdminExists.DistinguishedName Remove-Everyone -LDAPPath ('CN={0},{1}' -f $AdminName, $ItAdminAccountsOuDn) #### # Remove AUTHENTICATED USERS group from Admin-User & Administrator #Remove-AuthUser -LDAPPath $NewAdminExists.DistinguishedName #Remove-AuthUser -LDAPPath ('CN={0},{1}' -f $AdminName, $ItAdminAccountsOuDn) #### # Remove Pre-Windows 2000 Compatible Access group from Admin-User & Administrator Remove-PreWin2000 -LDAPPath $NewAdminExists.DistinguishedName Remove-PreWin2000 -LDAPPath ('CN={0},{1}' -f $AdminName, $ItAdminAccountsOuDn) ### # Configure TheGood account $params = @{ 'employeeType' = $confXML.n.NC.AdminAccSufix0 'msNpAllowDialin' = $false 'msDS-SupportedEncryptionTypes' = 24 } Set-AdUser -Identity $AdminName -TrustedForDelegation $false -AccountNotDelegated $true -Add $params |
Creating Groups
Now that we have the corresponding containers, we will start creating the corresponding groups (Global & Domain Local). Starting table contains the required Global Groups
| Security Principal | Description |
|---|---|
| SG_InfraAdmins | Full rights on all Active Directory infrastructure |
| SG_ADAdmins | Partial rights on all Active Directory infrastructure |
| SG_T0SA | Service Account for Tier 0 / Admin Area |
| SG_T1SA | Service Account for Tier 1 / Servers Area |
| SG_T2SA | Service Account for Tier 2 / Sites Area |
| SG_Tier0Admins | Administrators group for Tier 0 / Admin Area |
| SG_Tier1Admins | Administrators group for Tier 1 / Servers Area |
| SG_Tier2Admins | Administrators group for Tier 2 / Sites Area |
| SG_DfsAdmin | Full Rights to administer DFS |
| SG_GpoAdmin | Full Rights to administer GPO |
| SG_PkiAdmin | Full Rights to administer CA |
| SG_PkiTemplateAdmin | Full Rights to administer CA Templates |
| SG_AllGalAdmins | Delegated Limited general rights on all sites |
| SG_AllSiteAdmins | Limited general rights on all sites |
| SG_Operation | Limited rights on all Servers |
| SG_ServiceDesk | Password rights and AllGALAdmin rights on all sites |
| SG_ServerAdmin | Full administrative rights on servers |
| SG_GlobalGroupAdmin | Full Group administrative rights on all sites |
| SG_GlobalUserAdmin | Full user administrative rights on all sites |
| SG_GlobalPcAdmin | Full computer administrative rights on all sites |
This is the list of Domain Local required groups
| Security Principal | Description |
|---|---|
| SL_InfraRights | Delegated full rights to all AD infrastructure |
| SL_AdRights | Delegated partial rights to all AD infrastructure |
| SL_PUM | Rights for Privileged User management |
| SL_PGM | Right for Privileged Group management |
| SL_PISM | Right for Privileged Infrastructure management |
| SL_PAWM | Right for Privileged Access Workstation management |
| SL_DirReplRights | Right for Privileged Directory Replication Rights |
| SL_PkiRights | Right for Privileged Public Key Infrastructure management |
| SL_PkiTemplateRights | Right for Privileged Public Key Infrastructure Template management |
| SL_DfsRights | Right for Privileged DFS management |
| SL_GpoAdminRights | Right for Privileged GPO management |
| SL_UM | Rights for User Management |
| SL_GM | Rights for Group Management |
| SL_PSAM | Rights for Service Account Management |
| SL_InfrastructureServers | Rights for ALL Infrastructure Servers |
| SL_PAWs | Rights for ALL PAWs |
| SL_SvrAdmRight | Rights for server management |
| SL_SvrOpsRight | Rights for server operation management |
| SL_GlobalAppAccUserRight | Rights for Global Aplication Access Users |
| SL_GlobalGroupRight | Rights for Global Group Management |
Same as we did for OUs, there is a wrapper function for creating groups.
New-AdDelegatedGroup
Native New-AdGroup throws an error exception when the group already exists. This error is handled as a “correct” within this function due the fact that group might already exist and operation should continue, having the existing group modified. The function also can take care of removing unneeded groups, as Account Operators; or set the “Protect from accidental deletion” flag.
1 2 3 4 5 6 7 8 9 10 | $splat = @{ Name = 'Poor Admins' GroupCategory = 'Security' GroupScope = 'DomainLocal' DisplayName = 'Poor Admins' Path = 'OU=Groups,OU=Admin,DC=EguibarIT,DC=local' Description = 'New Admin Group' ProtectFromAccidentalDeletion = $true } New-AdDelegatedGroup @Splat |
This wrapper function uses some CMDLets from EguibarIT.Delegation PowerShell Module
Used Functions:
Name | Module
————————-|————————–
Get-CurrentErrorToDisplay | EguibarIT
Remove-AccountOperator | EguibarIT.Delegation
Remove-Everyone | EguibarIT.Delegation
Remove-AuthUser | EguibarIT.Delegation
Remove-PreWin2000 | EguibarIT.Delegation
Fine Grained Password Policy
The Default Domain Policy is not enough to secure Privileged & Semi-Privileged accounts. Instead create a Fine Grained Password policy and assign it to privileged admin accounts and groups. Same will be for Service Accounts
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | $PSOexists = $null [String]$PsoName = $confXML.n.Admin.PSOs.ItAdminsPSO.Name $PSOexists = Get-ADFineGrainedPasswordPolicy -Filter { name -eq $PsoName } if(-not($PSOexists)) { $parameters = @{ Name = $confXML.n.Admin.PSOs.ItAdminsPSO.Name Precedence = $confXML.n.Admin.PSOs.ItAdminsPSO.Precedence ComplexityEnabled = [System.Boolean]$confXML.n.Admin.PSOs.ItAdminsPSO.ComplexityEnabled Description = $confXML.n.Admin.PSOs.ItAdminsPSO.Description DisplayName = $confXML.n.Admin.PSOs.ItAdminsPSO.DisplayName LockoutDuration = $confXML.n.Admin.PSOs.ItAdminsPSO.LockoutDuration LockoutObservationWindow = $confXML.n.Admin.PSOs.ItAdminsPSO.LockoutObservationWindow LockoutThreshold = $confXML.n.Admin.PSOs.ItAdminsPSO.LockoutThreshold MaxPasswordAge = $confXML.n.Admin.PSOs.ItAdminsPSO.MaxPasswordAge MinPasswordAge = $confXML.n.Admin.PSOs.ItAdminsPSO.MinPasswordAge MinPasswordLength = $confXML.n.Admin.PSOs.ItAdminsPSO.MinPasswordLength PasswordHistoryCount = $confXML.n.Admin.PSOs.ItAdminsPSO.PasswordHistoryCount ReversibleEncryptionEnabled = [System.Boolean]$confXML.n.Admin.PSOs.ItAdminsPSO.ReversibleEncryptionEnabled } New-ADFineGrainedPasswordPolicy @parameters $PSOexists = Get-ADFineGrainedPasswordPolicy -Filter { name -eq $PsoName } } # End If PSO exists # Apply the PSO to the corresponding accounts and groups $parameters = @( $AdminName, $newAdminName, 'Domain Admins', 'Enterprise Admins', $SG_InfraAdmins.SamAccountName, $SG_AdAdmins.SamAccountName, $SG_GpoAdmins.SamAccountName, $SG_Tier0Admins.SamAccountName, $SG_Tier1Admins.SamAccountName, $SG_Tier2Admins.SamAccountName, $SG_Operations.SamAccountName, $SG_ServerAdmins.SamAccountName, $SG_AllSiteAdmins.SamAccountName, $SG_AllGALAdmins.SamAccountName, $SG_GlobalUserAdmins.SamAccountName, $SG_GlobalPcAdmins.SamAccountName, $SG_GlobalGroupAdmins.SamAccountName, $SG_ServiceDesk.SamAccountName, $SL_InfraRight.SamAccountName, $SL_AdRight.SamAccountName, $SL_UM.SamAccountName, $SL_GM.SamAccountName, $SL_PUM.SamAccountName, $SL_PGM.SamAccountName, $SL_GpoAdminRight.SamAccountName, $SL_DnsAdminRight.SamAccountName, $SL_DirReplRight.SamAccountName, $SL_PromoteDcRight.SamAccountName, $SL_TransferFSMOright.SamAccountName, $SL_PISM.SamAccountName, $SL_PAWM.SamAccountName, $SL_PSAM.SamAccountName, $SL_SvrAdmRight.SamAccountName, $SL_SvrOpsRight.SamAccountName, $SL_GlobalGroupRight.SamAccountName, $SL_GlobalAppAccUserRight.SamAccountName ) Add-ADFineGrainedPasswordPolicySubject -Identity $PSOexists -Subjects $parameters |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | $PSOexists = $null [String]$PsoName = $confXML.n.Admin.PSOs.ServiceAccountsPSO.Name $PSOexists = Get-ADFineGrainedPasswordPolicy -Filter { name -eq $PsoName } if(-not($PSOexists)) { $parameters = @{ Name = $confXML.n.Admin.PSOs.ServiceAccountsPSO.Name Precedence = $confXML.n.Admin.PSOs.ServiceAccountsPSO.Precedence ComplexityEnabled = [System.Boolean]$confXML.n.Admin.PSOs.ServiceAccountsPSO.ComplexityEnabled Description = $confXML.n.Admin.PSOs.ServiceAccountsPSO.Description DisplayName = $confXML.n.Admin.PSOs.ServiceAccountsPSO.DisplayName LockoutDuration = $confXML.n.Admin.PSOs.ServiceAccountsPSO.LockoutDuration LockoutObservationWindow = $confXML.n.Admin.PSOs.ServiceAccountsPSO.LockoutObservationWindow LockoutThreshold = $confXML.n.Admin.PSOs.ServiceAccountsPSO.LockoutThreshold MaxPasswordAge = $confXML.n.Admin.PSOs.ServiceAccountsPSO.MaxPasswordAge MinPasswordAge = $confXML.n.Admin.PSOs.ServiceAccountsPSO.MinPasswordAge MinPasswordLength = $confXML.n.Admin.PSOs.ServiceAccountsPSO.MinPasswordLength PasswordHistoryCount = $confXML.n.Admin.PSOs.ServiceAccountsPSO.PasswordHistoryCount ReversibleEncryptionEnabled = [System.Boolean]$confXML.n.Admin.PSOs.ServiceAccountsPSO.ReversibleEncryptionEnabled } New-ADFineGrainedPasswordPolicy @parameters #$PSOexists = Get-ADFineGrainedPasswordPolicy -Filter { cn -eq $PsoName } $PSOexists = Get-ADFineGrainedPasswordPolicy -Identity $PsoName } # Apply the PSO to all Tier Service Accounts $parameters = @( $SG_Tier0ServiceAccount, $SG_Tier1ServiceAccount, $SG_Tier2ServiceAccount ) Add-ADFineGrainedPasswordPolicySubject -Identity $PSOexists -Subjects $parameters #endregion |
Group Nesting
There is a lot to do when nesting groups. Instead, the following image will describe quite good the following PowerShell nesting code.
Same as other cases already mentioned, there is a wrapper function for group nesting. This is the same as Add-AdGroupMember but with error handling, managing duplicates an “already member” and logging.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 | #Nest Groups - Security for RODC # Avoid having privileged or semi-privileged groups copy to RODC Write-Verbose -Message 'Nesting groups...' $parameters = @( $AdminName, $newAdminName, 'Domain Admins', 'Enterprise Admins', $SG_InfraAdmins, $SG_AdAdmins, $SG_GpoAdmins, $SG_Tier0Admins, $SG_Tier1Admins, $SG_Tier2Admins, $SG_Tier0ServiceAccount, $SG_Tier1ServiceAccount, $SG_Tier2ServiceAccount, $SG_Operations, $SG_ServerAdmins, $SG_AllSiteAdmins, $SG_AllGALAdmins, $SG_GlobalUserAdmins, $SG_GlobalPcAdmins, $SG_GlobalGroupAdmins, $SG_ServiceDesk, $SL_InfraRight, $SL_AdRight, $SL_UM, $SL_GM, $SL_PUM, $SL_PGM, $SL_GpoAdminRight, $SL_DnsAdminRight, $SL_DirReplRight, $SL_PromoteDcRight, $SL_TransferFSMOright, $SL_PISM, $SL_PAWM, $SL_PSAM, $SL_SvrAdmRight, $SL_SvrOpsRight, $SL_GlobalGroupRight, $SL_GlobalAppAccUserRight ) Add-AdGroupNesting -Identity 'Denied RODC Password Replication Group' -Members $parameters #region Nest Groups - Delegate Rights through Builtin groups # http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx # http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy/ Add-AdGroupNesting -Identity 'Cryptographic Operators' -Members $SG_AdAdmins Add-AdGroupNesting -Identity 'Network Configuration Operators' -Members $SG_AdAdmins Add-AdGroupNesting -Identity DnsAdmins -Members $SG_AdAdmins Add-AdGroupNesting -Identity 'Event Log Readers' -Members $SG_AdAdmins, $SG_Operations Add-AdGroupNesting -Identity 'Performance Log Users' -Members $SG_AdAdmins, $SG_Operations Add-AdGroupNesting -Identity 'Performance Monitor Users' -Members $SG_AdAdmins, $SG_Operations Add-AdGroupNesting -Identity 'Remote Desktop Users' -Members $SG_AdAdmins # https://technet.microsoft.com/en-us/library/dn466518(v=ws.11).aspx $parameters = @($AdminName, $NewAdminName, $SG_InfraAdmins, $SG_AdAdmins, $SG_GpoAdmins, $SG_Tier0Admins, $SG_Tier1Admins, $SG_Tier2Admins, $SG_Operations, $SG_ServerAdmins, $SG_AllSiteAdmins, $SG_AllGALAdmins, $SG_GlobalUserAdmins, $SG_GlobalPcAdmins, $SG_GlobalGroupAdmins, $SG_ServiceDesk ) Add-AdGroupNesting -Identity 'Protected Users' -Members $parameters #endregion #region Nest Groups - Extend Rights through delegation model groups # http://blogs.msmvps.com/acefekay/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy/ # InfraAdmins as member of InfraRight $parameters = @{ Identity = $SL_InfraRight Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # InfraAdmins as member of PUM $parameters = @{ Identity = $SL_PUM Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # InfraAdmins as member of PGM $parameters = @{ Identity = $SL_PGM Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # InfraAdmins as member of PISM $parameters = @{ Identity = $SL_PISM Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # InfraAdmins as member of PAWM $parameters = @{ Identity = $SL_PAWM Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # InfraAdmins as member of PSAM $parameters = @{ Identity = $SL_PSAM Members = $SG_InfraAdmins.SamAccountName } Add-AdGroupNesting @parameters # InfraAdmins as member of Tier0Admins $parameters = @{ Identity = $SG_Tier0Admins.SamAccountName Members = $SG_InfraAdmins.SamAccountName } Add-AdGroupNesting @parameters # InfraAdmins as member of DirReplRight $parameters = @{ Identity = $SL_DirReplRight.SamAccountName Members = $SG_InfraAdmins.SamAccountName } Add-AdGroupNesting @parameters # InfraAdmins as member of AdAdmins $parameters = @{ Identity = $SG_AdAdmins Members = $SG_InfraAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of AdRight $parameters = @{ Identity = $SL_AdRight Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of UM $parameters = @{ Identity = $SL_UM Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of GM $parameters = @{ Identity = $SL_GM Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of GpoAdmins $parameters = @{ Identity = $SG_GpoAdmins Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of AllSiteAdmins $parameters = @{ Identity = $SG_AllSiteAdmins Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # AdAdmins as member of ServerAdmins $parameters = @{ Identity = $SG_ServerAdmins Members = $SG_AdAdmins } Add-AdGroupNesting @parameters # GpoAdmins as member of GpoAdminRight $parameters = @{ Identity = $SL_GpoAdminRight Members = $SG_GpoAdmins } Add-AdGroupNesting @parameters # AllSiteAdmins as member of AllGalAdmins $parameters = @{ Identity = $SG_AllGALAdmins Members = $SG_AllSiteAdmins } Add-AdGroupNesting @parameters # AllGalAdmins as member of ServiceDesk $parameters = @{ Identity = $SG_ServiceDesk Members = $SG_AllGALAdmins } Add-AdGroupNesting @parameters # ServerAdmins as member of SvrAdmRight $parameters = @{ Identity = $SL_SvrAdmRight Members = $SG_ServerAdmins } Add-AdGroupNesting @parameters # Operations as member of SvrOpsRight $parameters = @{ Identity = $SL_SvrOpsRight Members = $SG_Operations } Add-AdGroupNesting @parameters # ServerAdmins as member of Operations $parameters = @{ Identity = $SG_Operations Members = $SG_ServerAdmins } Add-AdGroupNesting @parameters |
Modify AdminSdHolder
Delegation Model defines 2 “Privileged” groups which can modify privileged users and privileged groups respectively. In other word, a “Privileged User Manager (PUM)” group that its members cam change Domain Administrators (DA) without being members of the group. Same way, “Privileged Group Management (PGM) can change “Domain Admins”, “Enterprise Admins”, etc. without being a DA. EguibarIT.Delegation PowerShell Module provides 2 CMDLets for these purposes.
1 2 3 4 5 6 7 | #Enabling Management Accounts to Modify the Membership of Protected Groups # Enable PUM to manage Privileged Accounts (Reset PWD, enable/disable Administrator built-in account) Set-AdAclMngPrivilegedAccounts -Group $SL_PUM.SamAccountName # Enable PGM to manage Privileged Groups (Administrators, Domain Admins...) Set-AdAclMngPrivilegedGroups -Group $SL_PGM.SamAccountName |
Default Container Redirection
Default location for computers and users in AD is a simple folder; in other words, no specific GPO can be linked to these containers… something not good. This configuration section will create 2 OUs (Quarantine-Users & Quarantine-PCs), set the corresponding LOKDOWN GPO’s and have redirected the default location for each. Final result is that whenever a computer is domain joined without pre-staging the computer object (or without providing LDAP path destination while joining), it will end up in these new container; similar will happen to users.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | #redirect Users & Computers containers New-DelegateAdOU -ouName $ItQuarantineOu -ouPath $AdDn -ouDescription $confXML.n.Admin.OUs.ItNewComputersOU.description -RemoveAuthenticatedUsers New-DelegateAdOU -ouName $confXML.n.Admin.OUs.ItNewUsersOU.Name -ouPath $AdDn -ouDescription $confXML.n.Admin.OUs.ItNewUsersOU.description -RemoveAuthenticatedUsers # START Remove Delegation to BuiltIn groups BEFORE REDIRECTION $parameters = @{ Group = 'Account Operators' LDAPPath = 'CN=Computers,{0}' -f $AdDn RemoveRule = $True } ### COMPUTERS # Remove the Account Operators group from ACL to Create/Delete Users Set-AdAclCreateDeleteUser @parameters # Remove the Account Operators group from ACL to Create/Delete Computers Set-AdAclCreateDeleteComputer @parameters # Remove the Account Operators group from ACL to Create/Delete Groups Set-AdAclCreateDeleteGroup @parameters # Remove the Account Operators group from ACL to Create/Delete Contacts Set-AdAclCreateDeleteContact @parameters # Remove the Account Operators group from ACL to Create/Delete inetOrgPerson Set-CreateDeleteInetOrgPerson @parameters # Remove the Account Operators group from ACL to Create/Delete inetOrgPerson Set-AdAclCreateDeletePrintQueue @parameters $parameters = @{ Group = 'Account Operators' LDAPPath = 'CN=Users,{0}' -f $AdDn RemoveRule = $True } ### USERS # Remove the Account Operators group from ACL to Create/Delete Users Set-AdAclCreateDeleteUser @parameters # Remove the Account Operators group from ACL to Create/Delete Computers Set-AdAclCreateDeleteComputer @parameters # Remove the Account Operators group from ACL to Create/Delete Groups Set-AdAclCreateDeleteGroup @parameters # Remove the Account Operators group from ACL to Create/Delete Contacts Set-AdAclCreateDeleteContact @parameters # Remove the Account Operators group from ACL to Create/Delete inetOrgPerson Set-CreateDeleteInetOrgPerson @parameters # Remove the Print Operators group from ACL to Create/Delete PrintQueues Set-AdAclCreateDeletePrintQueue @parameters ############################################################################### # Redirect Default USER & COMPUTERS Containers redircmp.exe ('OU={0},{1}' -f $ItQuarantineOu, $AdDn) redirusr.exe ('OU={0},{1}' -f $confXML.n.Admin.OUs.ItNewUsersOU.Name, $AdDn) |
Initial setup of Servers Area (Tier1)
Create Servers (or other previously defined name) OU subtree. If any sub-OU already exists, just proceed to clean it up (The CMDlet Start-AdCleanOU from module EguibarIT can be used for this propose). As we are creating OUs, we will follow the same approach as we did on Organizational Units needed to build Admin Area (Tier0). This area/tier will only contain computer objects representing servers; any other related object should go into Sites Area (Tier2) or Admin Area (Tier0).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | # SERVERS OU (area) Write-Verbose -Message 'Creating Servers Area...' ############################################################################### # Create Servers and Sub OUs New-DelegateAdOU -ouName $ServersOu -ouPath $AdDn -ouDescription $confXML.n.Servers.OUs.ServersOU.Description # Create Sub-OUs for Servers New-DelegateAdOU -ouName $confXML.n.Servers.OUs.SqlOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.SqlOU.Description New-DelegateAdOU -ouName $confXML.n.Servers.OUs.WebOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.WebOU.Description New-DelegateAdOU -ouName $confXML.n.Servers.OUs.FileOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.FileOU.Description New-DelegateAdOU -ouName $confXML.n.Servers.OUs.ApplicationOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.ApplicationOU.Description New-DelegateAdOU -ouName $confXML.n.Servers.OUs.HypervOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.HypervOU.Description New-DelegateAdOU -ouName $confXML.n.Servers.OUs.RemoteDesktopOU.Name -ouPath $ServersOuDn -ouDescription $confXML.n.Servers.OUs.RemoteDesktopOU.Description |
Create the required management groups (SG_SvrAdmin, SL_SvrServerRiht, SG_Operations & SL_SvrOpsRight) as defined on the Delegation Model.
Initial setup of Sites Area (Tier2)
Create Sites (or other previously defined name) OU subtree. If any sub-OU already exists, just proceed to clean it up (The CMDlet Start-AdCleanOU from module EguibarIT can be used for this propose). As we are creating OUs, we will follow the same approach as we did on Organizational Units needed to build Admin Area (Tier0). This area/tier will contain all remaining objects, meaning anything apart from Tier0 used for administration of the environment, and servers; any other related object should go into Servers Area (Tier1) or Admin Area (Tier0).
1 2 3 4 5 | # Create Sites OUs (Area) Write-Verbose -Message 'Creating Sites Area...' New-DelegateAdOU -ouName $SitesOu -ouPath $AdDn -ouDescription $confXML.n.Sites.OUs.SitesOU.Description |
As each and every site will be created individually, based on requirements, there is no need to create such administrative groups in advance.
Start with Delegations
Now that we have the right taxonomy & containers, and that we have the corresponding groups, we are ready to start delegating permissions and rights to these groups. We are halve the way on building our Admin Area (Tier0). Go to Delegating Admin Area (Tier0) page
Social network sharing