This blog contains notes from different learning sites. These notes fall under the Information Security, Cyber Security, Network Security and other security domains. Any suggestion to make this site more helpful is truly welcome :)
Showing posts with label Group Policy.
Sunday, March 29, 2020
Tuesday, February 4, 2020
Windows Server Infrastructure - Basics
Question: What is an Organizational Unit (OU) and why would you create additional OUs?
Show Answer
An OU is a container object in a domain that holds user, computer, group and other AD DS objects. You typically create additional OUs for one of two reasons: to delegate administrative control over the objects in the OU to a specific group, or to link a Group Policy Object that should apply only to those objects.


Question: What are the five flexible single master operations (FSMO) roles and where do they exist?
Show Answer
FSMO roles are special single-master roles within a forest and domain; each is held by exactly one domain controller at a time, while everything else in AD DS is multi-master. There are two FSMO roles at the forest level (one holder per forest): Schema Master and Domain Naming Master. There are three FSMO roles at the domain level (one holder per domain): RID Master, Infrastructure Master, and PDC Emulator.
Question: What is a trust relationship and which type of trust relationship is used to improve user logon times between two domains in a forest?
Show Answer
Trust relationships are authentication pipelines between different domains. Shortcut trusts can be used to improve user logon times between two domains in an Active Directory forest.


Question: Which optional AD DS feature enables you to quickly restore objects that have been deleted?
Show Answer
The Active Directory Recycle Bin, an optional feature of AD DS, provides a simplified process for restoring deleted objects with their attributes and group memberships intact, without an authoritative restore from backup. It requires the Windows Server 2008 R2 forest functional level and cannot be turned off once enabled.
Question: What is Server Core and what are some advantages of using it?
Show Answer
Server Core is the default installation option offered by Windows Server Setup. It has no desktop shell or graphical management tools; you manage it from the command line or remotely. It installs fewer components, so fewer updates (and reboots) are required; it leaves out unneeded files, so disk space and memory requirements are lower; and fewer binaries and services on disk mean a smaller attack surface. Not every role or application is supported on Server Core, so check compatibility before choosing it.


Question: Which feature can you use to define different password policies and account lockout settings in a domain?
Show Answer
Fine-grained password policies (password settings objects, PSOs) let you specify different password and account lockout policies for different groups of users, for example executives, administrators, service accounts, or regular users, overriding the domain-wide settings in the Default Domain Policy for those users. A PSO is applied to users and global security groups, never to OUs; when more than one PSO applies to a user, the one with the lowest precedence value wins. The domain must be at the Windows Server 2008 domain functional level or higher.
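As an added example (not part of the original notes), this creates a stricter policy for privileged accounts, attaches it to a group and checks what one member actually ends up with. The PSO, group and user names are assumed.

```powershell
# Added example: a fine-grained password policy for privileged accounts.
# Assumed names: PSO 'PSO-PrivilegedAccounts', group 'Tier0-Admins', user 'adm-aziz'.
Import-Module ActiveDirectory

$pso = @{
    Name                            = 'PSO-PrivilegedAccounts'
    Precedence                      = 10          # lower value wins when several PSOs apply to one user
    MinPasswordLength               = 20
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)  # must be at least the observation window
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs attach to users and global security groups only, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Tier0-Admins'

# The policy a given account actually gets (the winning PSO); returns nothing if only the domain default applies
Get-ADUserResultantPasswordPolicy -Identity 'adm-aziz' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

The resultant-policy check is the part worth keeping in a runbook: a user who is a member of two groups with different PSOs gets only the lowest-precedence one, not a merge of both.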
Question: Aziz has reported he is unable to sign in to the domain. The error message is, “The trust relationship between this workstation and the primary domain failed.” What is likely the problem and how should you fix it?
Show Answer
Most likely the secure channel between the workstation and the domain is broken: the machine account password the workstation holds no longer matches the one stored in AD (a reverted virtual machine snapshot or a restored image is a common cause), or the computer account has been deleted or disabled. You can repair the secure channel in place from the workstation with PowerShell (Test-ComputerSecureChannel -Repair, or Reset-ComputerMachinePassword), or reset the computer account in Active Directory Users and Computers and rejoin the computer to the domain.
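The repair sequence, as an added example that is not part of the original notes: run it in an elevated PowerShell session on the affected workstation, signed in with a local administrator account (the domain logon is what is failing). The domain controller name and the credential prompt are assumptions.

```powershell
# Added example: test, repair, and fall back for a broken secure channel.
# Assumed: DC 'dc01.cpandl.com'; $cred is a domain account allowed to reset the computer account.
$dc   = 'dc01.cpandl.com'
$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'

if (Test-ComputerSecureChannel -Server $dc) {
    'Secure channel is healthy; look elsewhere (clock skew, DNS, a duplicate computer name or SID).'
} elseif (Test-ComputerSecureChannel -Repair -Credential $cred -Server $dc) {
    # -Repair sets a new machine account password on both the workstation and the DC;
    # no reboot and no rejoin are needed.
    'Secure channel repaired.'
} else {
    # -Repair can fail when the DC-side account is disabled or its password is also unusable.
    # Set a fresh machine password directly in AD with the admin credential and re-test.
    # If the computer account itself was deleted, this fails too and the machine must be rejoined.
    Reset-ComputerMachinePassword -Server $dc -Credential $cred
    Test-ComputerSecureChannel -Server $dc
}
```

Test first: the same error message also appears when the workstation simply cannot reach a DC, and resetting the account in that case only adds a second problem.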
Question: What is the global catalog and when is it used?
Show Answer
The global catalog is a forest-wide index: a partial, read-only replica (the partial attribute set) of every object in every domain of the forest, hosted on the domain controllers designated as global catalog servers. It is used for forest-wide searches, for resolving user principal names at logon, and for working out a user's Universal group memberships when the user signs in (a logon in a multi-domain forest fails if no global catalog is reachable and Universal group caching is not enabled). Exchange also relies on it for recipient and address book lookups.
Question: What is an AD DS site and when should you consider creating a site?
Show Answer
An AD DS site represents the physical structure, or topology, of your network. There are several reasons to consider creating additional sites such as: number of users at a location, slow links between locations, service localization, and AD DS database replication.

Question: When should you use an authoritative restore?
Show Answer
An authoritative restore is used after a non-authoritative restore of a known good backup, when the restored objects (for example a deleted OU and its contents) must override the current state of those objects on the other domain controllers. Marking the objects authoritative (with ntdsutil) raises their version numbers so they replicate out to the other DCs instead of being overwritten again by the deletion that has already replicated.
Question: How are Group Policy settings and a Group Policy preferences different?
Show Answer
Policy settings are enforced: the user interface for the setting is locked, the user cannot change it, and it reverts when the GPO no longer applies. Preferences are not enforced: the user can change the value afterwards, the preference can be configured to reapply at every refresh or to apply only once, the value stays in place when the GPO is removed unless you configure otherwise, and preferences support item-level targeting (applying an item only when conditions such as OS version, IP range or group membership are met).
Thursday, January 23, 2020
Windows Server - Group Policy Setting
Group Policy Settings
Understanding GPO settings
Most policy settings have three states:
- Not Configured. Default. The GPO does not modify the existing configuration of the particular setting for the user or computer.
- Enabled. The policy setting is applied.
- Disabled. The policy setting is explicitly turned off (the opposite of Enabled is written), which also overrides any lower-priority GPO that enables it.
Read the setting carefully
The effect of a configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users cannot open the Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting. You disable a policy that prevents an action, thereby allowing the action.
Some settings are multivalued or take text string values, and you can use them to provide specific configuration details to apps or operating-system components. For example, a setting might provide the URL of the home page that Windows Internet Explorer uses, or the path to blocked apps.
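What the three states look like in the GPO's registry-based policy store, as an added example (not from the original notes), using the Control Panel policy discussed above. The GPO name is assumed; the GroupPolicy module comes with RSAT or a domain controller.

```powershell
# Added example: the three states of "Prohibit access to Control Panel and PC settings"
# as they are stored in a GPO's registry.pol. Assumed GPO name: 'Workstation Lockdown'.
Import-Module GroupPolicy
$gpo = 'Workstation Lockdown'
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Enabled: the value is present and set to 1 -> users cannot open Control Panel
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'NoControlPanel' -Type DWord -Value 1

# Disabled: the value is present and set to 0 -> Control Panel is explicitly allowed,
# even if a lower-priority GPO enabled the restriction
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'NoControlPanel' -Type DWord -Value 0

# Not Configured: the value is absent from this GPO -> left to other GPOs or the local default
Remove-GPRegistryValue -Name $gpo -Key $key -ValueName 'NoControlPanel'

# What the GPO currently carries for the setting; no output means Not Configured
Get-GPRegistryValue -Name $gpo -Key $key -ValueName 'NoControlPanel' -ErrorAction SilentlyContinue
```

The point of running the three in sequence is the difference between Disabled and Not Configured: Disabled writes an explicit 0 that wins over a conflicting Enabled from a GPO linked higher up, while Not Configured writes nothing and lets that other GPO through.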
Monday, September 2, 2019
Group Policy in Windows System
When it comes to auditing changes made to GPO settings, there is nothing available in the box. That is, there is no native way of determining what the change was in any meaningful way. You will be able to tell that "something" changed, but not which setting, nor its before and after values. The reason is that the settings themselves live in the Group Policy Template in SYSVOL (registry.pol and the other files under the GPO's folder), while Active Directory holds only the Group Policy Container; the native directory audit events described below therefore show the container's versionNumber being incremented, not the setting that moved it. A product like Group Policy Auditing and Attestation (GPAA) fills that gap: it can show you not only who made the change and when, but also what the actual setting change was.
Windows Auditing Options
- Legacy Auditing
- Advanced Auditing
Legacy auditing has existed since Windows 2000 and consists of nine coarse-grained audit categories (configured in a GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy) that you can enable for success and/or failure.
The downside to using these audit categories is that they are pretty darn noisy. If you enable even a few of them on AD domain controllers, your security logs are likely to roll over quickly in a reasonably large environment, because each category covers a number of sub-category event types that all get audited. So unless you have a really good event log collection system, you may end up missing events as the logs roll over.
Fortunately, Microsoft introduced Advanced Audit Policy Configuration (available since Windows Vista and Windows Server 2008), which lets you turn each of the sub-categories within the legacy audit categories on and off individually.
For each major category there is a set of sub-categories that can be enabled or disabled for success and failure, found in a GPO under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies. The sub-category used below, Directory Service Changes, sits under DS Access.
One thing to note when enabling the advanced audit sub-categories: if you keep the legacy categories configured as well, tell Windows to ignore them. Do that by enabling, in a GPO that applies to your DCs, Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. Once that policy is enabled, the legacy category settings are ignored and only the sub-category settings determine what is written to the DC's Security event log.
Configuring AD for Group Policy Change Auditing
- Enable auditing for AD changes
- Configure System Access Control Lists (SACLs) on the AD objects whose changes you're interested in; without a matching SACL entry, enabling the audit sub-category alone produces no events.
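Both steps in one script, as an added example that is not part of the original post. It assumes you run it on a domain controller as a Domain Admin. auditpol changes the local policy of that one DC only; in production set the same sub-category in the Default Domain Controllers Policy so every DC audits the same way. The registry value written in step 1 is what the "Audit: Force audit policy subcategory settings ..." policy sets.

```powershell
# Added example: enable Directory Service Changes auditing and put SACLs on the
# containers that hold GPOs and WMI filters, plus gPLink/gPOptions writes on OUs.
Import-Module ActiveDirectory

# 1. Audit policy: the sub-category, and make sub-category settings win over legacy categories
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
auditpol /get /subcategory:"Directory Service Changes"    # verify

# 2. SACLs on the GPO and WMI filter containers: successful writes/creates/deletes by anyone,
#    inherited by every object beneath them (each GPO container and its Machine/User children)
$domainDN = (Get-ADDomain).DistinguishedName
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'
$success  = [System.Security.AccessControl.AuditFlags]::Success
foreach ($container in "CN=Policies,CN=System,$domainDN", "CN=SOM,CN=WMIPolicy,CN=System,$domainDN") {
    $path = "AD:\$container"
    $acl  = Get-Acl -Path $path -Audit
    $acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights, $success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    Set-Acl -Path $path -AclObject $acl
}

# 3. Link / unlink / enforce / block-inheritance are writes to gPLink and gPOptions on the
#    scope object. Audit writes to just those two attributes on the domain head and every OU.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = foreach ($name in 'gPLink', 'gPOptions') {
    [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID).schemaIDGUID
}
foreach ($scope in @(Get-ADDomain) + @(Get-ADOrganizationalUnit -Filter *)) {
    $path = "AD:\$($scope.DistinguishedName)"
    $acl  = Get-Acl -Path $path -Audit
    foreach ($g in $attrGuids) {
        $acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $success, $g,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
    }
    Set-Acl -Path $path -AclObject $acl
}
```

Step 3 adds an entry per OU even where a default SACL already covers gPLink, which is harmless but worth knowing when you read the SACL back. Site objects are not covered here: they live under CN=Sites,CN=Configuration in the configuration partition and need their own entries.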
Once the Directory Service Changes sub-category is enabled on your DCs and SACLs are configured, you can start to look at all of the changes that occur in AD related to Group Policy management. AD change events generated by this sub-category generally fall into one of three event IDs:
- 5136 - Changes to AD objects (one event per attribute value added or deleted)
- 5137 - Creation of new AD objects
- 5141 - Deletion of existing AD objects
The same sub-category also produces 5138 (object undeleted) and 5139 (object moved), which matter if someone moves a GPO-related object rather than deleting it.
And since GPOs are just a special kind of AD object, creation, deletion and modification of GPOs also generate events with these IDs. There are a few things to keep in mind about GPO change events. First, everything that happens to a GPO itself (creation, deletion, modification) happens within the CN=Policies,CN=System container of the domain.
So when it comes to auditing changes to GPOs, it all happens within this container. The container holds a set of GUID-named GPO containers (of AD object class groupPolicyContainer), one per GPO in the domain, each with CN=Machine and CN=User child containers; deleting a GPO therefore produces 5141 events for the children as well as for the GPO container. Creating, deleting or changing GPOs is not the only GP management operation you will be interested in auditing.
You will also want to know when GPOs are linked to or unlinked from a site, domain or OU. Those actions are writes to the gPLink attribute of the site, domain or OU object, so the SACL must cover writes to that attribute on those container objects (newer versions of Windows include this in the default SACL). Note that site objects live under CN=Sites,CN=Configuration in the configuration partition, not in the domain partition. In addition, you may want to know when WMI filters are created, modified or deleted. Those show up as creation, modification or deletion events on objects under the CN=SOM,CN=WMIPolicy,CN=System container of the domain, which is where WMI filters are stored.
Auditing Group Policy Changes
| Event | Event ID | Object class | Attribute / operation |
|---|---|---|---|
| Create GPO | 5137 | groupPolicyContainer | object created |
| Change GPO | 5136 | groupPolicyContainer | versionNumber, Value Added |
| Delete GPO | 5141 | container (the GPO's CN=Machine child in the sample) | object deleted, Tree Delete: No |
| Change GPO Permission | 5136 | groupPolicyContainer | nTSecurityDescriptor, Value Added |
| Change GPO Status | 5136 | groupPolicyContainer | flags, Value Added |
| Change GPO WMI Filter | 5136 | groupPolicyContainer | gPCWQLFilter, Value Added |
| Create WMI Filter | 5137 | msWMI-Som | object created |
| Delete WMI Filter | 5141 | msWMI-Som | object deleted, Tree Delete: No |
| Change Link Enforced Flag | 5136 | organizationalUnit | gPLink, Value Deleted (the old link list) |
| Change SOM Block Inheritance Flag | 5136 | organizationalUnit | gPOptions, Value Added |
| Unlink GPO | 5136 | organizationalUnit | gPLink, Value Added (empty value) |
| Link GPO | 5136 | organizationalUnit | gPLink, Value Added |
Reading the values in these events:
- versionNumber is the GPO version counter: the user version in the high 16 bits, the computer version in the low 16 bits. 65538 is 0x00010002, user version 1 and computer version 2. Every settings edit increments it, so this is the only native trace that settings changed.
- flags on a groupPolicyContainer is the GPO status: 0 enabled, 1 user configuration disabled, 2 computer configuration disabled, 3 all settings disabled. The sample value 2 means the computer settings were switched off.
- gPOptions = 1 on an OU or the domain means Block Inheritance.
- gPLink is the whole ordered list of [LDAP://<GPO DN>;<flags>] entries for that scope, with flags 0 for a normal link, 1 for a disabled link and 2 for an enforced link. Any link change rewrites the whole attribute: the DC logs the old list as Value Deleted and the new list as Value Added, both with the same Correlation ID, so you diff the two lists to find the link that was added, removed or re-flagged.
- gPCWQLFilter [cpandl.com;{GUID};0] ties the GPO to the msWMI-Som object with that GUID.
Sample events, as shown in the source (the abbreviated GUIDs are left as they appear there). All of them share the same Subject (Security ID CPANDL\darren, Account Name darren, Account Domain CPANDL, Logon ID 0x33cf14) and Directory Service (Name cpandl.com, Type Active Directory Domain Services).
Create GPO, 5137: A directory service object was created.
Object: DN: CN={F5FEDDD2},CN=Policies,CN=System,DC=cpandl,DC=com; GUID: CN={F5FEDD2},CN=Policies,CN=System,DC=cpandl,DC=com; Class: groupPolicyContainer
Operation: Correlation ID: {ac790c0f-49df-4e58-86d8-79ee040ae082}; Application Correlation ID: -
Change GPO, 5136: A directory service object was modified.
Object: DN: CN={3C-8F3-47-9-2},CN=POLICIES,CN=SYSTEM,DC=CPANDL,DC=COM; GUID: CN={33B8},CN=Policies,CN=System,DC=cpandl,DC=com; Class: groupPolicyContainer
Attribute: LDAP Display Name: versionNumber; Syntax (OID): 2.5.5.9; Value: 65538
Operation: Type: Value Added; Correlation ID: {167f4140-a0d9-4ec7-b938-46447b8c932c}; Application Correlation ID: -
Delete GPO, 5141: A directory service object was deleted.
Object: DN: CN=Machine,CN={79f3f},CN=Policies,CN=System,DC=cpandl,DC=com; GUID: CN=Machine\0ADEL:f79f3f,CN=Deleted Objects,DC=cpandl,DC=com; Class: container
Operation: Tree Delete: No; Correlation ID: {1cc87a40-58c0-42f6-8f85-167bb6e42f8f}; Application Correlation ID: -
Change GPO Permission, 5136: A directory service object was modified.
Object: DN: cn={33B82},cn=policies,cn=system,DC=cpandl,DC=com; GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com; Class: groupPolicyContainer
Attribute: LDAP Display Name: nTSecurityDescriptor; Syntax (OID): 2.5.5.15; Value: O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
Operation: Type: Value Added; Correlation ID: {5d0497d2-8c7e-4543-861f-cac543cde7eb}; Application Correlation ID: -
Change GPO Status, 5136: A directory service object was modified.
Object: DN: cn={33BB2},cn=policies,cn=system,DC=cpandl,DC=com; GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com; Class: groupPolicyContainer
Attribute: LDAP Display Name: flags; Syntax (OID): 2.5.5.9; Value: 2
Operation: Type: Value Added; Correlation ID: {ade7ee5a-64a5-4c43-b0ae-d9697ca427e4}; Application Correlation ID: -
Change GPO WMI Filter, 5136: A directory service object was modified.
Object: DN: cn={33B82},cn=policies,cn=system,DC=cpandl,DC=com; GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com; Class: groupPolicyContainer
Attribute: LDAP Display Name: gPCWQLFilter; Syntax (OID): 2.5.5.12; Value: [cpandl.com;{65E2FC2F-55C4-4810-92E3-64BF1000F7DD};0]
Operation: Type: Value Added; Correlation ID: {90b34980-ee07-4a69-a8b4-768482a015bb}; Application Correlation ID: -
Create WMI Filter, 5137: A directory service object was created.
Object: DN: CN={9CC840D2},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com; GUID: CN={9CC0D2},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com; Class: msWMI-Som
Operation: Correlation ID: {e3fbe963-c2b7-4209-a73c-5d4529abd43d}; Application Correlation ID: -
Delete WMI Filter, 5141: A directory service object was deleted.
Object: DN: CN={9D8D},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com; GUID: CN={8D}\01,CN=Deleted Objects,DC=cpandl,DC=com; Class: msWMI-Som
Operation: Tree Delete: No; Correlation ID: {ffac999b-f1f9-4c1e-967a-5e82fed2285b}; Application Correlation ID: -
Change Link Enforced Flag, 5136: A directory service object was modified.
Object: DN: OU=DPM,DC=cpandl,DC=com; GUID: OU=DPM,DC=cpandl,DC=com; Class: organizationalUnit
Attribute: LDAP Display Name: gPLink; Syntax (OID): 2.5.5.12; Value: [LDAP://cn={97F8},cn=policies,cn=system,DC=cpandl,DC=com;0] [LDAP://cn={4388FA},cn=policies,cn=system,DC=cpandl,DC=com;0]
Operation: Type: Value Deleted; Correlation ID: {91cc8727-3ed7-4254-8baa-0534a6155809}; Application Correlation ID: -
Change SOM Block Inheritance Flag, 5136: A directory service object was modified.
Object: DN: OU=DPM,DC=cpandl,DC=com; GUID: OU=DPM,DC=cpandl,DC=com; Class: organizationalUnit
Attribute: LDAP Display Name: gPOptions; Syntax (OID): 2.5.5.9; Value: 1
Operation: Type: Value Added; Correlation ID: {09b0e4e8-a95c-4475-aa74-aaea2fb128b6}; Application Correlation ID: -
Unlink GPO, 5136: A directory service object was modified.
Object: DN: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com; GUID: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com; Class: organizationalUnit
Attribute: LDAP Display Name: gPLink; Syntax (OID): 2.5.5.12; Value: (empty)
Operation: Type: Value Added; Correlation ID: {696218a2-80e9-4757-8066-7b270b4d1e93}; Application Correlation ID: -
Link GPO, 5136: A directory service object was modified.
Object: DN: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com; GUID: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com; Class: organizationalUnit
Attribute: LDAP Display Name: gPLink; Syntax (OID): 2.5.5.12; Value: [LDAP://cn={33B8CE9C-87F3-4712-94CDDEB2}, cn=policies,cn=system,DC=cpandl,DC=com;0]
Operation: Type: Value Added; Correlation ID: {47e0444f-82d3-4065-8b5f-b502eee366f7}; Application Correlation ID: -
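The classification in the table, turned into code as an added example that is not part of the original post. It maps 5136/5137/5141 events to the Group Policy operations above and, for gPLink, pairs the Value Deleted (old list) and Value Added (new list) events that share an OpCorrelationID and diffs them, because a single gPLink event only carries the whole list. The three events at the bottom are constructed samples with made-up GUIDs (apart from the well-known Default Domain Policy GUID); the Data names are the fields these events carry in the Security log.

```powershell
# Added example: classify Directory Service Changes events as Group Policy operations
# and diff gPLink pairs. For live data replace the samples with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } | ForEach-Object { $_.ToXml() }

function ConvertFrom-GpLink {
    # gPLink syntax: "[LDAP://<gpo dn>;<flags>][LDAP://<gpo dn>;<flags>]"; flags 1 = link disabled, 2 = enforced
    param([AllowEmptyString()][string]$Value)
    foreach ($m in [regex]::Matches($Value, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{ Gpo = $m.Groups[1].Value.Trim().ToLowerInvariant(); Disabled = [bool]($flags -band 1); Enforced = [bool]($flags -band 2) }
    }
}

function Get-GpAction([int]$Id, [hashtable]$D, [bool]$InPolicies, [string]$Op) {
    $class = $D['ObjectClass']; $attr = $D['AttributeLDAPDisplayName']
    if ($Id -eq 5137 -and $class -eq 'groupPolicyContainer') { return 'Create GPO' }
    if ($Id -eq 5137 -and $class -eq 'msWMI-Som')            { return 'Create WMI filter' }
    if ($Id -eq 5141 -and $InPolicies)                        { return 'Delete GPO (or one of its child containers)' }
    if ($Id -eq 5141 -and $class -eq 'msWMI-Som')            { return 'Delete WMI filter' }
    if ($Id -eq 5136) {
        switch ($attr) {
            'versionNumber'        { return 'Change GPO (versionNumber incremented)' }
            'nTSecurityDescriptor' { return $(if ($InPolicies) { 'Change GPO permissions' } else { 'Change object permissions' }) }
            'flags'                { return $(if ($InPolicies) { 'Change GPO status' } else { 'Change flags' }) }
            'gPCWQLFilter'         { return 'Change GPO WMI filter' }
            'gPOptions'            { return 'Change block-inheritance flag' }
            'gPLink'               { return "gPLink $Op (see Get-GpLinkChange for the actual link change)" }
        }
        return "Modify attribute $attr"
    }
    return "Other directory change (event $Id, class $class)"
}

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $x  = [xml]$EventXml
    $id = [int]$x.Event.System.SelectSingleNode("*[local-name()='EventID']").InnerText
    $d  = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.InnerText }
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }   # OperationType codes in 5136
    $op = if ($d['OperationType'] -and $opNames.ContainsKey($d['OperationType'])) { $opNames[$d['OperationType']] } else { $d['OperationType'] }
    $inPolicies = $d['ObjectDN'] -match ',CN=Policies,CN=System,'            # -match is case-insensitive
    [pscustomobject]@{
        EventId = $id; Action = (Get-GpAction $id $d $inPolicies $op)
        Actor = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"; ObjectDN = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']; Operation = $op; Value = $d['AttributeValue']; CorrelationId = $d['OpCorrelationID']
    }
}

function Get-GpLinkChange([object[]]$Events) {
    # One LDAP modify of gPLink = Value Deleted (old list) + Value Added (new list) with one OpCorrelationID
    $Events | Where-Object { $_.Attribute -eq 'gPLink' } | Group-Object CorrelationId, ObjectDN | ForEach-Object {
        $grp   = $_.Group
        $oldEv = $grp | Where-Object { $_.Operation -eq 'Value Deleted' } | Select-Object -First 1
        $newEv = $grp | Where-Object { $_.Operation -eq 'Value Added' }   | Select-Object -First 1
        $oldMap = @{}; foreach ($l in ConvertFrom-GpLink ([string]$oldEv.Value)) { $oldMap[$l.Gpo] = $l }
        $newMap = @{}; foreach ($l in ConvertFrom-GpLink ([string]$newEv.Value)) { $newMap[$l.Gpo] = $l }
        foreach ($gpo in (@($oldMap.Keys) + @($newMap.Keys) | Sort-Object -Unique)) {
            $o = $oldMap[$gpo]; $n = $newMap[$gpo]; $changes = @()
            if (-not $o) { $changes += 'Linked' }
            if ($o -and -not $n) { $changes += 'Unlinked' }
            if ($o -and $n) {
                if ($o.Enforced -ne $n.Enforced) { $changes += "Enforced=$($n.Enforced)" }
                if ($o.Disabled -ne $n.Disabled) { $changes += "LinkDisabled=$($n.Disabled)" }
            }
            if ($changes) { [pscustomobject]@{ Scope = $grp[0].ObjectDN; Gpo = $gpo; Change = ($changes -join ', '); Actor = $grp[0].Actor } }
        }
    }
}

# Constructed samples: a GPO creation, then one link edit on OU=DPM that enforces the Default Domain
# Policy link and drops the other link (old list = Value Deleted, new list = Value Added, same correlation ID).
$sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5137</EventID></System><EventData>
<Data Name="OpCorrelationID">{ac790c0f-49df-4e58-86d8-79ee040ae082}</Data><Data Name="SubjectUserName">darren</Data><Data Name="SubjectDomainName">CPANDL</Data>
<Data Name="ObjectDN">CN={0F1E2D3C-4B5A-4968-8776-655443322110},CN=Policies,CN=System,DC=cpandl,DC=com</Data><Data Name="ObjectClass">groupPolicyContainer</Data></EventData></Event>
'@
$sample2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID></System><EventData>
<Data Name="OpCorrelationID">{91cc8727-3ed7-4254-8baa-0534a6155809}</Data><Data Name="SubjectUserName">darren</Data><Data Name="SubjectDomainName">CPANDL</Data>
<Data Name="ObjectDN">OU=DPM,DC=cpandl,DC=com</Data><Data Name="ObjectClass">organizationalUnit</Data><Data Name="AttributeLDAPDisplayName">gPLink</Data>
<Data Name="AttributeValue">[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=cpandl,DC=com;0][LDAP://cn={0F1E2D3C-4B5A-4968-8776-655443322110},cn=policies,cn=system,DC=cpandl,DC=com;0]</Data>
<Data Name="OperationType">%%14675</Data></EventData></Event>
'@
$sample3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5136</EventID></System><EventData>
<Data Name="OpCorrelationID">{91cc8727-3ed7-4254-8baa-0534a6155809}</Data><Data Name="SubjectUserName">darren</Data><Data Name="SubjectDomainName">CPANDL</Data>
<Data Name="ObjectDN">OU=DPM,DC=cpandl,DC=com</Data><Data Name="ObjectClass">organizationalUnit</Data><Data Name="AttributeLDAPDisplayName">gPLink</Data>
<Data Name="AttributeValue">[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=cpandl,DC=com;2]</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>
'@

$parsed = foreach ($s in $sample1, $sample2, $sample3) { ConvertFrom-DsChangeEvent -EventXml $s }
$parsed | Format-Table EventId, Action, Actor, ObjectDN -AutoSize
Get-GpLinkChange -Events $parsed | Format-Table Scope, Gpo, Change, Actor -AutoSize
```

With the samples, the second table shows two rows for OU=DPM: the Default Domain Policy link reported as Enforced=True and the other GPO as Unlinked. Neither fact is visible from either gPLink event on its own, which is why the pairing by correlation ID is the part worth carrying into a SIEM rule.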
Source: Understanding Group Policy Change Auditing by