Administration

In any Microsoft Active Directory forest, a user can only a member of 1024 groups but after allowing for up to 9 well known SIDS this number is actually 1015.
See KB http://support.microsoft.com/kb/328889

If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user’s nested group memberships expanded, is to run the command:

dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand

If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.

The command is group membership evaluation

At an elevated command prompt.

Type

ntdsutil

group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run clickclicknext.com mark.parris

clickclicknext.com is the fqdn of your domain and mark.parris is the username.

The output of this command is a .tsv file and will be found in the path of the prompt (run it from C:\Temp it will be in C:\Temp), this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
SamAccountName
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

From the column heading, there are specific columns with timestamps, if these are then sorted upon, it will tell you what group or groups were modified most recently, these changes then need to be understood and reversed or perhaps other legacy group memberships identified and removed.

2014-07-31_17-41-38

 

As I review and update my old consulting notes I have decided to publishing them.
These are by no means definitive and are intended as an ‘aide memoire’.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft

 

 

 

Microsoft have released the Remote Server Administration Tools (RSAT) for Windows 7 with Service Pack 1 (SP1):

Remote Server Administration Tools for Windows® 7 with SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server® 2008 R2, Windows Server® 2008, or Windows Server® 2003, from a remote computer that is running Windows 7 or Windows 7 with SP1.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

Note that it is important to remove all versions of Administration Tools Pack or Remote Server Administration Tools from the computer before installing Remote Server Administration Tools for Windows 7 with SP1.

Last year at TechED Berlin, I was complaining to the MDOP team that the backspace did not work in the GPMC when AGPM was installed.  It transpires the issue is not with AGPM per se, but with the GPMC.

Yesterday, whilst looking through the new KB’s I discovered this one: BACKSPACE or arrow keys do not work in MMC on a computer that is running Windows 7 or Windows Server 2008 R2 (KB 2466373)

On closer inspection the article is specifically targeting the GPMC

  • You have a computer that is running Windows 7 or Windows Server 2008 R2.
  • You customize a Microsoft Management Console (MMC) that has the Group Policy Management Console (GPMC) snap-in.
  • You select any Group Policy object (GPO), and then you click the Settings tab in the details pane.
  • You select another node in the console tree, and then you use the BACKSPACE or arrow keys to perform some operations.

In this scenario, the BACKSPACE or arrow keys do not work. You have to use the mouse to perform operations.

To resolve the issue a Hotfix is needed which is not included in Service Pack 1.

KB Article is Here.

All though Active Directory has been available for over ten years, one question that comes up time and time again at customer sites is “What do the Forest and Domain Functional Levels do and should I set them?”  After validating their Active Directory my answer is usually yes,  but what do these levels enable within Active Directory?

Domain functional levels

There are six domain functional levels:

The functional level for a domain enables features that affect the only that domain.

Windows 2000 mixed (the default in Windows Server 2003) DFL 0
Windows 2000 native DFL 0
Windows Server 2003 interim DFL 1
Windows Server 2003 DFL 2
Windows Server 2008 DFL 3
Windows Server 2008 R2 DFL 4
Windows Server 2012  DFL 5
Windows Server 2012 R2 DFL 6

Forest functional levels

There are five forest functional levels:

The functional level for a forest enables features in all domains within a forest.

Windows 2000 (the default in Windows Server 2003 and Windows Server 2008) FFL 0
Windows Server 2003 interim FFL 1
Windows Server 2003 (the default in Windows Server 2008 R2) FFL 2
Windows Server 2008 FFL 3
Windows Server 2008 R2 FFL 4
Windows Server 2012  FFL 5
Windows Server 2012 R2 FFL 6

Domain Functional Level

Windows 2000 native

All default Active Directory features and the following features:

Universal groups are enabled for both distribution groups and security groups.

Group nesting.

Group conversion is enabled, which makes conversion possible between security groups and distribution groups.

Security Identifier (SID) history

Supported Domain Controllers

Windows 2000 Server
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features,

All features from the Windows 2000 native domain functional level, plus the following features:

The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.

Update of the logon time stamp. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.

The ability to set the userPassword attribute as the effective password on the inetOrgPerson object and user objects.

The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes it possible to define a new well-known location for these accounts.

Authorization Manager can store its authorization policies in AD DS.

Constrained delegation is included, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services.

Selective authentication is supported, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

All default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following features:

Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.

Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.

Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

Fine-grained password policies, which make it possible for password policies and account lockout policies to be specified for users and global security groups in a domain.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following features:

The KDC support for claims, compound authentication, and Kerberos armoring.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:

DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

  • Authenticate with NTLM authentication
  • Use DES or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated with unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4 hour lifetime

Authentication Policies

New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.

Authentication Policy Silos

New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.

 

Supported Domain Controllers

Windows Server 2012 R2

Forest Functional Level

Windows 2000 ServerAll default Active Directory features, plus the following features:

Supported Domain Controllers

Windows NT 4.0
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2003

All default Active Directory features, plus the following features:

Forest trust

Domain rename

Linked-value replication (Changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit.) This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.

The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.

Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.

The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.

The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.

The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.

Deactivation and redefinition of attributes and classes in the schema.

Supported Domain Controllers

Windows Server 2003
Windows Server 2008
Windows Server 2008 R2

Windows Server 2008

This functional level provides all of the features that are available at the Windows Server 2003 forest functional level, but no additional features.

Supported Domain Controllers

Windows Server 2008
Windows Server 2008 R2

Windows Server 2008 R2

All of the features that are available at the Windows Server 2008 forest functional level, plus the following features:

Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Supported Domain Controllers

Windows Server 2008 R2

Windows Server 2012

All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Supported Domain Controllers

Windows Server 2012
Windows Server 2012 R2

Windows Server 2012 R2

All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 R2 domain functional level by default.

Supported Domain Controllers

Windows Server 2012 R2

Yesterday (12th July 2010) at the Microsoft Partner Convention, Microsoft made publically available the beta of Service Pack 1 for Windows Server 2008 R2 and Windows 7 (in English, French, German, Japanese and in Spanish).

Service Pack 1 Beta Information.

Microsoft for sometime have stated that the only major new features in Service Pack 1 are Dynamic Memory and RemoteFX

Dynamic Memory

Dynamic Memory allows for memory on a host machine to be pooled and dynamically distributed to virtual machines as necessary. Memory is dynamically added or removed based on current workloads, and is done so without service interruption.

RemoteFX

Microsoft RemoteFX in Windows Server 2008 R2 SP1, a new set of remote user experience capabilities that enable a media-rich user environment for virtual desktops, session-based desktops and remote applications is introduced.

This document published on Microsoft.com details the other changes.

Documentation for Windows 7 and Windows Server 2008 R2 Service Pack 1 Beta (KB976932)

These include:

Windows Server 2008 R2

Enhancements to scalability and high availability when using DirectAccess

Support for Managed Service Accounts (MSAs) in secure branch office scenarios

Support for increased volume of authentication traffic on domain controllers connected to high-latency networks

Enhancements to Failover Clustering with Storage

Windows 7

Additional support for communication with third-party federation services

Improved HDMI audio device performance

Corrected behaviour when printing mixed-orientation XPS documents

Both Windows Server 2008 R2 and Windows 7

Change to behaviour of “Restore previous folders at logon” functionality

Enhanced support for additional identities in RRAS and IPsec

Support for Advanced Vector Extensions (AVX)

Updates Remote Desktop Protocol (RDP) to version 7.1

——————————–

The Service Pack also includes 473 Updates for Windows Server 2008 R2 and Windows 7 of which only 17 are security updates.

These are detailed in full in the spreadsheet 

Hot fixes and Security Updates included in Windows 7 and Windows Server 2008 R2 Service Pack 1 Beta

which is located in the Documentation for Windows 7 and Windows Server 2008 R2 Service Pack 1 Beta (KB976932) that was mentioned earlier.

Recently I had a couple of issues with Resultant Set of Policy (RSOP) and enabling it to work for IT teams who were not Administrators.

One issue I had was that every time Resultant Set of Policy was run for users with delegated permissions (and on further testing “Domain Admins” too) they all received an error message stating “provider not loaded“.

This transpired to be a relatively simple fix and was nothing to do with delegated permissions.

The Resultant Set of Policy service had been disabled on all domain controllers and to resolve this issue I enabled the Resultant Set of Policy service on all the domain controllers.

The other issue I had was “Access Denied” when selecting the Domain Controller to run the Resultant Set of Policy against, when in planning mode for users with delegated RSOP rights – Administrators functioned correctly.

After some research I discovered Resultant Set of Policy in Planning mode needs some additional DCOM permissions set in order for it to work remotely when not an Administrator.

To enable delegated groups to run Resultant Set of Policy in Planning mode remotely, DCOM permissions on all Domain Controllers need to be amended, this group policy setting needs to be configured and applied to all domain controllers.

DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

By default the Everyone group only had the permission to execute and activate DCOM locally, where as Domain Admins had local and remote execute and activate permissions.

By adding the group that had the delegation RSOP permissions set and adding to their default permissions the “Remote Activation” right resolved the issue and Resultant Set of Policy (Planning Mode) now functioned remotely for the teams that needed the functionality but are not administrators.

Microsoft have released ADMT 3.2  and this guide details how to use the Active Directory Migration tool to migrate users, groups, managed service accounts and computers between Active Directory domains in different forests (interforest migration) or between Active Directory domains in the same forest (intraforest migration).

It also shows how to use ADMT to perform security translation between different Active Directory forests.

Download Documentation