Active Directory – Simple Tier Isolation

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory.
If you are not familiar with tier isolation, read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access-reference-material first.

1) WMI Filters

Create a WMI filter that identifies the devices in each tier. This article uses three tiers: domain controllers (Tier 0), servers (Tier 1) and workstations (Tier 2). That balances security against simplicity, but the model can easily be extended to other device or server types.

2) Groups

Create a security group for each tier. It holds the accounts that are allowed to log on to the devices of that tier.

3) Group Policies

Create a group policy for each tier. Link the matching WMI filter to it so it only applies to that tier's devices, and configure the logon allow/deny rules (User Rights Assignment) in it.

4) Add members to tier groups

Finally, add your dedicated Domain Admin accounts to the Tier 0 group and your dedicated server administrator accounts to the Tier 1 group. Accounts will now only be able to log on locally or via RDP to devices of the tier they are meant for.
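The four steps above can be scripted instead of clicked through in GPMC. The following is an added example, not code from the original article: it creates the WMI filters, the tier groups and the tier GPOs with the RSAT ActiveDirectory and GroupPolicy modules. The group and GPO names, the OU path and the ProductType-based WQL queries are my choices, not necessarily what the original screenshots contained.

```powershell
# Added example: scaffold three tiers (filters, groups, GPOs) with PowerShell.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, run as a Domain Admin,
# and the OU below exists. Names and queries are illustrative choices.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$tierOU   = "OU=Tiering,OU=Groups,$domainDN"       # assumption: this OU already exists

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$tiers = @(
    @{ Name = 'Tier0'; Desc = 'Domain controllers'; Query = "Select * from Win32_OperatingSystem where ProductType = '2'" }
    @{ Name = 'Tier1'; Desc = 'Member servers';     Query = "Select * from Win32_OperatingSystem where ProductType = '3'" }
    @{ Name = 'Tier2'; Desc = 'Workstations';       Query = "Select * from Win32_OperatingSystem where ProductType = '1'" }
)

function New-TierWmiFilter {
    param([string]$Name, [string]$Description, [string]$Query)
    # A WMI filter is an msWMI-Som object under CN=SOM,CN=WMIPolicy,CN=System.
    # msWMI-Parm2 holds the query as "1;3;10;<query length>;WQL;root\CIMv2;<query>;"
    # (1 query, "WQL" is 3 characters, "root\CIMv2" is 10 characters).
    $id  = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $now = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff') + '-000'
    $attributes = @{
        'msWMI-Name'             = $Name
        'msWMI-Parm1'            = $Description
        'msWMI-Parm2'            = "1;3;10;$($Query.Length);WQL;root\CIMv2;$Query;"
        'msWMI-Author'           = "$env:USERNAME@$($domain.DNSRoot)"
        'msWMI-ID'               = $id
        'msWMI-ChangeDate'       = $now
        'msWMI-CreationDate'     = $now
        'instanceType'           = 4
        'showInAdvancedViewOnly' = 'TRUE'
    }
    New-ADObject -Name $id -Type 'msWMI-Som' -Path "CN=SOM,CN=WMIPolicy,CN=System,$domainDN" -OtherAttributes $attributes
    return $id
}

foreach ($t in $tiers) {
    # 1) WMI filter that selects the tier's computers
    $filterId = New-TierWmiFilter -Name "$($t.Name) - $($t.Desc)" -Description $t.Desc -Query $t.Query

    # 2) one group per tier holding the accounts allowed to log on at that tier
    $group = New-ADGroup -Name "$($t.Name)-Admins" -GroupScope Global -GroupCategory Security -Path $tierOU `
                         -Description "Accounts permitted to log on to $($t.Desc)" -PassThru

    # 3) one GPO per tier, tied to the filter through gPCWQLFilter ("[<domain>;<filter id>;0]")
    #    and linked at the domain root. The link starts disabled: enable it after piloting.
    $gpo = New-GPO -Name "Security - $($t.Name) logon restrictions"
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$($domain.DNSRoot);$filterId;0]" }
    New-GPLink -Name $gpo.DisplayName -Target $domainDN -LinkEnabled No | Out-Null

    '{0}: group {1}, WMI filter {2}, GPO "{3}"' -f $t.Name, $group.Name, $filterId, $gpo.DisplayName
}
```

The deny rules themselves are still set in GPMC: in each tier GPO, under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, add the two other tiers' groups to Deny log on locally and Deny log on through Remote Desktop Services. Two caveats: writing msWMI-Som objects through LDAP touches system-only attributes, so on many domain controllers it only succeeds when the Allow System Only Change value exists under HKLM\System\CurrentControlSet\Services\NTDS\Parameters on the DC you target (GPMC handles this for you); and a mis-scoped deny right locks administrators out, so keep a break-glass account outside all tier groups and pilot on a test OU before enabling the links.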

 

 

How to find the Active Directory Group Policy (GPO) that applies a particular setting

This article shows how to use the Resultant Set of Policy (RSoP) tool to locate the Group Policy Object that applies a particular setting.

Suppose we have a computer that we cannot Remote Desktop to, but we are unsure which policy configured this. RSoP finds the origin of the setting with ease.

Step 1) Open RSOP.msc and change the query to the user and computer to which the setting, Allow log on through Remote Desktop Services in this case, is applied.

From the Properties menu on the root of the RSOP tree, select Change Query.

In the Resultant Set of Policy Wizard, specify the computer to generate the RSoP report for. If the report is for the local computer, select the This computer option and click Next.

Next, specify the user to generate the RSoP report for. If the report is for the currently logged-on user, select the Current user option, then click Next, Next and Finish.

Step 2) From the Resultant Set of Policy main screen (1), browse to the setting whose Group Policy is unknown, Allow log on through Remote Desktop Services (2) in this case. As seen below, this setting originates from the GPO named Problematic GPO (3).

Step 3) Editing Problematic GPO in the Group Policy Management Editor confirms that the setting is indeed part of this policy.
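The same answer can be obtained without the MMC. The script below is an added example (not from the original article): it generates an RSoP report for a computer/user pair with Get-GPResultantSetOfPolicy and reads out every GPO that configures a given user right, Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight) by default, together with its precedence. It assumes the RSAT GroupPolicy module, administrative rights on the target computer, and that the computer and user names you pass in exist.

```powershell
# Added example: find the GPO(s) behind a user right from an RSoP report.
# Assumptions: RSAT GroupPolicy module; admin rights on $Computer; $User as DOMAIN\user.
param(
    [Parameter(Mandatory)][string]$Computer,
    [Parameter(Mandatory)][string]$User,
    [string]$Right = 'SeRemoteInteractiveLogonRight'   # "Allow log on through Remote Desktop Services"
)
Import-Module GroupPolicy

$report = Join-Path $env:TEMP "rsop-$Computer.xml"
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $report | Out-Null
$xml = [xml](Get-Content -Path $report -Raw)

# The report uses several XML namespaces; local-name() keeps the XPath short and version-agnostic.
# Every UserRightsAssignment element carries the right's Name, the GPO that set it and a
# Precedence (1 = the setting that won; higher numbers were overridden).
$nodes = $xml.SelectNodes("//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='$Right']")
if ($nodes.Count -eq 0) { "No GPO configures $Right for $Computer"; return }

$nodes | ForEach-Object {
    [pscustomobject]@{
        Right      = $Right
        Precedence = [int]$_.SelectSingleNode("*[local-name()='Precedence']").InnerText
        GPO        = $_.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Name']").InnerText
        Members    = ($_.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") | ForEach-Object InnerText) -join ', '
    }
} | Sort-Object Precedence | Format-Table -AutoSize
```

The row with precedence 1 is the "Problematic GPO" of the walk-through; the other rows show what the setting would fall back to if that GPO were unlinked. Note that RSOP.msc does not display Group Policy Preferences items; for those, use gpresult /h or this XML report, which includes them.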

Configure Photo Screensaver via Active Directory Group Policy

This article explains the steps required to use the default Photos screensaver to display branding/corporate images.

1) On a reference computer, configure the default Photos screensaver, including the image location. This is done because the location is stored as an encrypted value in the registry. In the article C:\Winstoredranding\Dundermifflin is used.

2) Open Regedit, browse to HKCU\SOFTWARE\Microsoft\Windows Photo Viewer\Slideshow\Screensaver and record the value of EncryptedPIDL.

3) Store the images that will be used for the screensaver in a network location. The domain DFS is perfect for small files like these.

4) Create a new policy and add the EncryptedPIDL registry value to User Configuration > Preferences > Windows Settings > Registry.

5) From the Common tab, enable the Remove this item when it is no longer applied option.

6) Add the images to User Configuration > Preferences > Windows Settings > Files. The Source File(s) should be the network location used in step 3.

TIP: Press F3 to open the Variable Reference List.

7) For the Destination File, specify the filename with the location from step 1.

8) From the Common tab, enable the Remove this item when it is no longer applied option.

9) Configure the rest of the policy as you normally would for a screensaver.

10) For Force specific screen saver, specify %SystemRoot%\System32\PhotoScreensaver.scr.

 

Delegation the proper way

This article describes my battle-tested process for setting up delegation. I use this process anywhere that I need to set up delegation.

In this article I will show how it applies to Active Directory.

The delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.

Delegation Group

Delegation groups are named according to the permission that they grant. That permission can be, but is not limited to, an AD permission to do a specific task.

 

Characteristics

  • Can only contain Role Groups
  • Cannot be members of any groups

Some examples of built-in Delegation Groups

  • Domain Admins
  • Account Operators

Some examples of a custom Delegation Group

  • Password Reset
  • Manage Group Memberships

 

Role Group

Role groups are created for a specific role that a group of people fulfils.

 

Permissions are given to these groups only indirectly, via delegation groups: the role group is added as a member of each delegation group whose permission the role requires.

It is worth noting that this delegation is not limited to AD permissions.

 

If the Help Desk supports a SharePoint environment, a delegation group with the required SharePoint rights can be created and the Help Desk role group made a member of it. When a new Help Desk employee starts, all that is required is to add the user account to the Help Desk role group.

 

Characteristics

  • Can only contain privileged user accounts
  • Can only be member of Delegation Groups

Some examples of a Role Group

  • Help Desk
  • Server Administrators

Benefits

  • No delegation against individual user accounts
  • Reuse of Delegation Groups
  • Easy to manage
  • Quick to determine permissions
  • Uncomplicated to assign correct permissions to an individual based on their function

 

Real world example

Typically help desks will be given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:

 

  1. Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
  2. Delegate the Reset Password permission to the DG-ResetPassword group.
  3. Add the help desk role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group.

By following this delegation process, all delegation done to a role group is visible from its Member Of tab. In the example below, it is easy to see that the role group for the Help Desk, RG-HelpDesk, has join domain, modify group and reset password rights.

 

It also enables the reuse of delegation groups. In the example below, the same delegation group used for the Help Desk, DG-JoinDomain, is used to assign join domain rights to the Workstation Technician role group.

 

The reverse is also true: it is quick to see which groups have a particular permission. In the example below, looking at the members of the DG-JoinDomain delegation group shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permission to join computers to the domain.
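The real-world example can be built, and the model policed, with PowerShell. The following is an added example, not the article's own code: it creates DG-ResetPassword and RG-HelpDesk, grants the delegation group the Reset Password extended right (plus write access to pwdLastSet, so the help desk can force a change at next logon) on user objects below an OU, nests the role group, and then checks that no DG- group contains anything but RG- groups and no RG- group contains anything but users. The OU paths and the group scopes are my assumptions; the schema GUIDs are the fixed AD values.

```powershell
# Added example: two-layer delegation (DG-/RG- groups) with an ACL check.
# Assumptions: RSAT ActiveDirectory module, rights to create groups and edit the OU ACL,
# and the OUs named below exist. Group scopes follow the AGDLP convention (my choice).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Delegation,OU=Groups,$domainDN"   # assumption: holds DG-/RG- groups
$scopeOU  = "OU=Staff,$domainDN"                  # assumption: where passwords may be reset

# Fixed schema GUIDs referenced in the ACEs
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class: user

# 1) delegation group, named for the permission; role group, named for the job
$dg = New-ADGroup -Name 'DG-ResetPassword' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU `
                  -Description 'Delegation: reset user passwords below OU=Staff' -PassThru
$rg = New-ADGroup -Name 'RG-HelpDesk' -GroupScope Global -GroupCategory Security -Path $groupOU `
                  -Description 'Role: help desk staff' -PassThru

# 2) the permission goes to the delegation group only, never to users or role groups
$sid = [System.Security.Principal.SecurityIdentifier]$dg.SID
$acl = Get-Acl -Path "AD:\$scopeOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $ResetPasswordRight, 'Descendents', $UserClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $PwdLastSetAttr, 'Descendents', $UserClass)))
Set-Acl -Path "AD:\$scopeOU" -AclObject $acl

# 3) the role group becomes a member of the delegation group
Add-ADGroupMember -Identity $dg -Members $rg

# Check the model: DG- groups contain only RG- groups and are members of nothing;
# RG- groups contain only users and sit only in DG- groups. Anything else is a shortcut.
function Test-DelegationModel {
    $problems = @()
    foreach ($g in Get-ADGroup -Filter "Name -like 'DG-*'" -Properties MemberOf) {
        Get-ADGroupMember -Identity $g |
            Where-Object { $_.objectClass -ne 'group' -or $_.Name -notlike 'RG-*' } |
            ForEach-Object { $problems += "$($g.Name) contains non-role member $($_.Name)" }
        if ($g.MemberOf) { $problems += "$($g.Name) is itself a member of: $($g.MemberOf -join ', ')" }
    }
    foreach ($g in Get-ADGroup -Filter "Name -like 'RG-*'" -Properties MemberOf) {
        Get-ADGroupMember -Identity $g | Where-Object objectClass -ne 'user' |
            ForEach-Object { $problems += "$($g.Name) contains non-user member $($_.Name)" }
        $g.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } | Where-Object { $_ -notlike 'DG-*' } |
            ForEach-Object { $problems += "$($g.Name) is a member of non-delegation group $_" }
    }
    if ($problems) { $problems } else { 'Delegation model is consistent.' }
}
Test-DelegationModel
```

Run Test-DelegationModel on a schedule: the model only keeps its "Member Of tab tells the whole story" property while nobody adds a user straight into a DG- group or grants an ACE to an RG- group directly.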

 

Active Directory Locked Account Investigation Process

This article outlines the process to identify and resolve account lockouts in an Active Directory environment.

Process

1) Change the lockout policy according to Microsoft recommendations

The lockout policy's ultimate goal is to protect against automated password guessing (brute-force attacks), and as such the threshold should be high enough that accounts are not locked out accidentally by an end user or by an incorrect saved password.

As per the following articles, I would recommend the following lockout settings

  • Account lockout threshold 50
  • Reset account lockout counter after 10 minutes

 

https://technet.microsoft.com/en-us/library/cc671957(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx

 


2) Enabling Auditing

Identifying the source of account lockouts in a complex environment is virtually impossible without auditing enabled. For the event IDs used below you need, on the domain controllers, Audit Logon (4625), Audit User Account Management (4740), Audit Kerberos Authentication Service (4768, 4771) and Audit Credential Validation (4776), success and failure.

Please note: only events that occurred after auditing was enabled will be logged. It may also be necessary to increase the Security log size.

 

3) Identify the source device the lockout occurred on

3.1) Event Comb

Part of the Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465

Still a useful tool in a pinch.

Please note: the built-in search for account lockouts does not use the newer event IDs. To search the newer IDs, add 4625 4740 4771 4768 4776 to the list.

 

For details on these events, see

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=676

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=681

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776

 

All gathered events from the selected domain controllers are saved as text files in the temp folder.

3.2) Lockout Status

Part of the Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465

When you start the tool, specify the user account to inspect.

Please note: if the device reported is a domain controller, follow the trail until you reach the actual source device name.

3.3) AD Audit

See https://www.manageengine.com/products/active-directory-audit

My personal favorite. AD Audit makes finding the device from which the lockouts originate super easy; just use the built-in reports.

 

3.4) PowerShell

Get-LockedOutLocation

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab
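If you prefer to see exactly what such a script does, here is an added example that is neither the article's code nor the Get-LockedOutLocation script it links to. It reads event 4740 from the PDC emulator, which records every lockout in the domain, takes the caller computer name from each event, and then pulls the matching 4625/4771 failed-logon events from that device so the logon type, process and source address are visible. It assumes the RSAT ActiveDirectory module, Event Log Readers rights on the PDC emulator and the source device, and the auditing from step 2. Saving it as, for instance, Find-LockoutSource.ps1 is a hypothetical name.

```powershell
# Added example: trace an account lockout from the PDC emulator's 4740 events to the
# failed-logon events on the device named in them.
# Assumptions: RSAT ActiveDirectory module, remote Event Log Readers rights, auditing on.
param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)

Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator     # every lockout in the domain is logged here
$since = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten the <EventData><Data Name=...> elements into a hashtable
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 4740 = "A user account was locked out": TargetUserName is the account,
# TargetDomainName is the caller computer name (the device the bad password came from).
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
    } | Where-Object Account -eq $SamAccountName

if (-not $lockouts) { "No 4740 events for $SamAccountName on $pdc in the last $Hours h"; return }
$lockouts | Format-Table -AutoSize

# Follow the trail: the caller's own 4625 (failed logon, any DC or member) and
# 4771 (Kerberos pre-auth failed, DCs only) events name the logon type, process and source.
foreach ($caller in ($lockouts.Caller | Sort-Object -Unique)) {
    "--- failed logons for $SamAccountName recorded on $caller ---"
    Get-WinEvent -ComputerName $caller -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = $since } |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['TargetUserName'] -ne $SamAccountName) { return }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                LogonType   = $d['LogonType']       # 4625: 2 interactive, 3 network, 4 batch, 5 service, 10 RDP
                Process     = $d['ProcessName']     # 4625: process that submitted the credentials
                SourceIP    = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['ClientAddress'] }
                Workstation = $d['WorkstationName']
            }
        } | Format-Table -AutoSize
}
```

If the caller turns out to be a domain controller, the SourceIP of its 4771/4625 events is the real origin; re-run the second half against that address, as the Lockout Status note above describes.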

4) Identify the source process that locked the account

4.1) NetWrix Account Lockout Examiner

See https://www.netwrix.com/account_lockout_examiner.html

Install NetWrix Account Lockout Examiner on another computer. Then run it and point it at the device that generates the lockouts.

4.2) ADAudit

See https://www.manageengine.com/products/active-directory-audit

As I said before, my personal favorite. After the built-in reports have identified the source device, the Account Lockout Analyzer can show the process that is locking the account.

 

5) Implement processes to prevent future lockouts

5.1 Windows Services, Scheduled Tasks and COM Objects

Use (group) managed service accounts where possible; otherwise use dedicated service accounts with strong, non-expiring passwords. A stale password left in a service definition, scheduled task or COM+ application identity keeps retrying and locks the account.

5.2 Drive Mappings

Do not map drives with an explicit username and password. Use the Group Policy Preferences Drive Maps item to map drives instead.

5.3 Logon Sessions

Implement RDP inactive/idle session log-off, so that disconnected sessions holding an old password do not keep re-authenticating.

5.4 Credential Manager

Disable the Credential Manager service. This prevents users from saving/using stored passwords that go stale after a password change. Test this first, as other features rely on the service.

Tips

If the account that you are using for the investigation is itself being locked out, rename the account for the duration of the investigation.

 

Add Theme to ASP.NET MVC

This article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project.

1) Get a Theme

a) The first step is to have an HTML theme ready to be applied to an ASP.NET MVC project. If you do not have a theme, I recommend that you look at http://wrapbootstrap.com/. WrapBootstrap has loads of affordable themes to choose from.

For this article, I will be using the Unify theme.

b) These themes are downloaded as a ZIP file; extract it to a convenient

Most themes have multiple different pages; browse the theme from the Index.html page and find one to use.

c) Open the page in a text editor and copy its content to the clipboard.

2) Create ASP.NET MVC project

a) Open Visual Studio. From the "New Project" window, select "Web", then "ASP.NET Web Application" and click "OK".

b) In the "New ASP.NET Project" window, select MVC and click "OK".

c) Open the "_Layout.cshtml" file from the "Views", "Shared" folder in the "Solution Explorer".

3) Integrate Theme

a) Paste the content from the HTML theme page below the last line of the "_Layout.cshtml" file.

b) Most themes have a folder that contains all the resources used by the HTML page. In the case of the Unify theme, the folder is called "assets". Copy this folder. Check the versions of the third-party libraries bundled in it (jQuery and its plugins in particular) before shipping; themes often carry old copies.

c) From within Visual Studio, paste the "assets" folder into the "Content" folder.

d) Notice that the "assets" folder references in the "_Layout.cshtml" page incorrectly point to "assets/plugins/…", for example.

e) Press "CTRL+H" to open the replace toolbar. In this example, the resources that start with "assets/" should be changed to start with "~/Content/assets/".

4) Rendering links

a) The "_Layout.cshtml" file contains a series of Razor rendering directives. These are the entries that start with @, for example "@ViewBag.Title – My ASP.NET Application". They have to be moved to the correct location in the text copied from the theme HTML. Below shows where to copy the "@ViewBag.Title – My ASP.NET Application" value (inside the <title> element).

b) HTML themes have a content section; copy the "@RenderBody()" value to this part of the HTML, replacing all demo content.

c) Below shows where to copy the '@Styles.Render("~/Content/css")' and '@Scripts.Render("~/bundles/modernizr")' values (inside <head>).

d) Below shows where to copy the '@Scripts.Render("~/bundles/jquery")' and '@Scripts.Render("~/bundles/bootstrap")' values, directly above the "</body>" tag. Remove the theme's own jQuery script tag at the same time so jQuery is not loaded twice.

e) Find an appropriate location for the login partial view. In the example below the '@Html.Partial("_LoginPartial")' value is added to the top bar, overwriting all existing values.

f) Copy the ActionLinks from the "_Layout.cshtml" file into the navigation section of the HTML theme.

Note that themes use different navigation markup, but you will have a few example menu items to work from.

g) The final step is to delete the original text from the "_Layout.cshtml" file. The project should be ready to run.

5) The Result

Even though other changes are required to get this page to the ideal state, this should at least provide a good starting point for your projects.

 

 

CircularLogArchiver v2.0

Usage : CircularLogArchiver.exe GO [/LP:LogPath] [/LE:LogExtention] [/AI:ArchiveInterval] [/AOT:ArchiveOlderThan] [/DAOT:DontArchiveOlderThan] [/DOT:DeleteOlderThan]
Example : CircularLogArchiver.exe GO /LP:"C:\Logs" /LE:"*.log" /AI:"M" /AOT:"1" /DAOT:"3" /DOT:"3"
The example above archives all files in "C:\Logs" with the *.log extension that are between one and three months old (the /AI:"M" interval selects months) and deletes files older than three months.

Attachment(s): before and after screenshots of the log folder.

How to apply a dynamic background via Active Directory GPP

This article shows how to deploy backgrounds to computers dynamically, depending on the aspect ratio of the display.

Step 1 – Creating Backgrounds

Designing backgrounds is out of scope for this article, but a few guidelines are listed below.

Using information from https://en.wikipedia.org/wiki/Display_resolution we can conclude that we mainly need to cater for the 16:9, 16:10, 4:3 and 5:4 aspect ratios, with a maximum width of 7680px.

If the required background is mainly horizontal, use this guide to create four different versions of the background image.

Alternatively, if the image is mainly vertical, start with a 10924px x 6144px image and crop it to create the four different versions.

Step 2 – User Environment Variables

After creating the four versions of the background, we need a way to control which version is pushed to each computer.

Create four user environment variable items using Group Policy Preferences (User Configuration > Preferences > Windows Settings > Environment), each with WMI item-level targeting.

Here are the values required to create the four entries

  • 16:9 – PrimaryScreenAspectRatio = 1.778
    • Select * from Win32_DesktopMonitor where ScreenWidth='1280' and ScreenHeight='720'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1600' and ScreenHeight='900'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1920' and ScreenHeight='1080'
    • Select * from Win32_DesktopMonitor where ScreenWidth='2560' and ScreenHeight='1440'
    • Select * from Win32_DesktopMonitor where ScreenWidth='3840' and ScreenHeight='2160'
    • Select * from Win32_DesktopMonitor where ScreenWidth='7680' and ScreenHeight='4320'
  • 16:10 – PrimaryScreenAspectRatio = 1.6
    • Select * from Win32_DesktopMonitor where ScreenWidth='1280' and ScreenHeight='800'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1440' and ScreenHeight='900'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1680' and ScreenHeight='1050'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1920' and ScreenHeight='1200'
    • Select * from Win32_DesktopMonitor where ScreenWidth='2560' and ScreenHeight='1600'
  • 4:3 – PrimaryScreenAspectRatio = 1.333
    • Select * from Win32_DesktopMonitor where ScreenWidth='320' and ScreenHeight='200'
    • Select * from Win32_DesktopMonitor where ScreenWidth='640' and ScreenHeight='480'
    • Select * from Win32_DesktopMonitor where ScreenWidth='800' and ScreenHeight='600'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1024' and ScreenHeight='768'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1152' and ScreenHeight='864'
    • Select * from Win32_DesktopMonitor where ScreenWidth='1600' and ScreenHeight='1200'
  • 5:4 – PrimaryScreenAspectRatio = 1.25
    • Select * from Win32_DesktopMonitor where ScreenWidth='1280' and ScreenHeight='1024'

A small C# console application can be deployed alongside the environment variable preference items, itself delivered with a GPP User Files item. This is useful for RDP sessions and Hyper-V consoles, where the Win32_DesktopMonitor WMI objects are not populated properly.

 

using System;
using System.Drawing;
using System.Globalization;
using System.Windows.Forms;

namespace SetXRes
{
    // Writes the primary screen's aspect ratio, rounded to three decimals, into the
    // user environment variable PrimaryScreenAspectRatio so the GPP Files items in
    // Step 3 can target on it. Requires references to System.Drawing and System.Windows.Forms.
    class Program
    {
        static void Main(string[] args)
        {
            Rectangle resolution = Screen.PrimaryScreen.Bounds;
            double primaryScreenAspectRatio = Math.Round((double)resolution.Width / resolution.Height, 3);

            // InvariantCulture guarantees a "." decimal separator on every locale, which the
            // targeting values (1.778, 1.6, 1.333, 1.25) expect.
            string ratio = primaryScreenAspectRatio.ToString(CultureInfo.InvariantCulture);

            Console.WriteLine(resolution.Width);
            Console.WriteLine(resolution.Height);
            Console.WriteLine(ratio);

            Environment.SetEnvironmentVariable("PrimaryScreenAspectRatio", ratio, EnvironmentVariableTarget.User);
        }
    }
}
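One gap in the approach above is worth closing: both the WMI queries and the rounded ratio only match exact values, so a 1366x768 laptop panel (1.779 once rounded to three decimals) matches none of the four entries and gets no background. The following PowerShell is an added example, not from the original article: it takes the resolution from Win32_DesktopMonitor when populated, falls back to System.Windows.Forms.Screen otherwise (the RDP and Hyper-V case), snaps the measured ratio to the nearest of the four values the article deploys, and writes the variable. The variable name and the four values are taken from the article; the sample resolutions in the loop are constructed to show the snapping.

```powershell
# Added example: set PrimaryScreenAspectRatio to the nearest supported ratio rather than
# the exact one, so non-standard panels still receive a background.
$KnownRatios = @{ '16:9' = 1.778; '16:10' = 1.6; '4:3' = 1.333; '5:4' = 1.25 }

function Get-PrimaryResolution {
    # WMI first, but only trust it when both dimensions are populated (they are not in
    # RDP sessions or Hyper-V consoles); otherwise ask the desktop API like the C# helper.
    $mon = Get-CimInstance -ClassName Win32_DesktopMonitor -ErrorAction SilentlyContinue |
           Where-Object { $_.ScreenWidth -and $_.ScreenHeight } | Select-Object -First 1
    if ($mon) {
        return [pscustomobject]@{ Width = [int]$mon.ScreenWidth; Height = [int]$mon.ScreenHeight; Source = 'WMI' }
    }
    Add-Type -AssemblyName System.Windows.Forms
    $b = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    [pscustomobject]@{ Width = $b.Width; Height = $b.Height; Source = 'Screen' }
}

function Resolve-AspectRatio {
    param([int]$Width, [int]$Height)
    $exact = [math]::Round($Width / $Height, 3)
    # nearest of the four deployed ratios (no ties are possible with these values)
    $nearest = $KnownRatios.GetEnumerator() |
               Sort-Object { [math]::Abs($_.Value - $exact) } | Select-Object -First 1
    [pscustomobject]@{
        Exact = $exact
        Name  = $nearest.Key
        # InvariantCulture: always "." as decimal separator, whatever the user's locale
        Value = $nearest.Value.ToString([cultureinfo]::InvariantCulture)
    }
}

# Constructed sample resolutions (not measured anywhere) to show the snapping
foreach ($r in @(@(1920, 1080), @(1366, 768), @(1680, 1050), @(1024, 768), @(1280, 1024))) {
    $a = Resolve-AspectRatio -Width $r[0] -Height $r[1]
    '{0}x{1}: exact {2} -> {3} ({4})' -f $r[0], $r[1], $a.Exact, $a.Value, $a.Name
}

# Set the variable for the current user, as the GPP Files items in Step 3 expect
$res   = Get-PrimaryResolution
$ratio = Resolve-AspectRatio -Width $res.Width -Height $res.Height
[Environment]::SetEnvironmentVariable('PrimaryScreenAspectRatio', $ratio.Value, 'User')
'Primary screen {0}x{1} ({2}): PrimaryScreenAspectRatio={3}' -f $res.Width, $res.Height, $res.Source, $ratio.Value
```

With this in place the per-resolution WMI queries of Step 2 become unnecessary: the script covers every resolution, and the Step 3 Files items keep targeting on the four known values.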

 

 

Step 3 – Background File Deployment

Create four file items using Group Policy Preferences (User Configuration > Preferences > Windows Settings > Files).

Based on the user environment variable set in the previous step, the background file with the appropriate ratio is pushed to each computer through item-level targeting on the variable.

Here are the values required to create the four entries

  • 16:9 – Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\16-9.PNG
    • the environment variable %PrimaryScreenAspectRatio% is 1.778
  • 16:10 – Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\16-10.PNG
    • the environment variable %PrimaryScreenAspectRatio% is 1.6
  • 4:3 – Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\4-3.PNG
    • the environment variable %PrimaryScreenAspectRatio% is 1.333
  • 5:4 – Source file(s) \\YOURDOMAIN.com\NETLOGON\Backgrounds\5-4.PNG
    • the environment variable %PrimaryScreenAspectRatio% is 1.25

The target file for all of these entries is %AppDataDir%\Branding\Background\Background.png (%AppDataDir% is the GPP variable for the user's roaming AppData folder).

Step 4 – Applying Background

Now for the easy bit: configure the desktop background as %AppData%\Branding\Background\Background.png.

Because the correct file is chosen dynamically, the background always has the same path on every computer.

Windows 10 1607 Build 14393 Error “This app can’t open”

On most installations of Windows 10 the 1607 update installs without a problem. It just happens that my laptop is not most installations. For one, I am using deduplication, which is a server feature, not to mention all my developer tools.

After installation, my deduplication stopped working, which I fixed with new 14393 packages, and none of my store apps worked. In fact my store didn’t even open.

Error “This app can’t open”

Managed to fix the store by running wsreset.exe, after which I could repair all my apps.