<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:evnet="http://www.mscommunities.com/rssmodule/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"><channel><title>Entries tagged with active directory - TechNet Edge</title><atom:link rel="self" type="application/rss+xml" href="http://edge.technet.com/tags/active+directory/feed/ipod/default.aspx" /><itunes:summary>active directory</itunes:summary><itunes:author>extreme, Joey, neil, AdamBomb</itunes:author><image><url>http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/Edge/images/feedimage.png</url><title>Entries tagged with active directory - TechNet Edge</title><link>http://edge.technet.com/Tags/Active+Directory/</link></image><itunes:image href="http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/Edge/images/feedimage.png" /><itunes:category text="Technology" /><description>active directory</description><link>http://edge.technet.com/Tags/Active+Directory/</link><language>en-us</language><pubDate>Sun, 30 Nov 2008 16:18:29 GMT</pubDate><lastBuildDate>Sun, 30 Nov 2008 16:18:29 GMT</lastBuildDate><generator>EvNet (EvNet, Version=1.0.3210.25109, Culture=neutral, PublicKeyToken=null)</generator><item><title>Active Directory Group Policy Object (GPO) Delegation and Approval Workflow With AGPM 3.0 in MDOP 2008 R2</title><description>&lt;img src="http://edge.technet.com/Link/32da9c36-34ed-41ff-924a-5dffd3696ec6/" border="0" /&gt;&lt;p&gt;In the &lt;a href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032392758&amp;amp;EventCategory=4&amp;amp;culture=en-US&amp;amp;CountryCode=US" target="_blank"&gt;TechNet Webcast: Microsoft Solutions for Windows Vista Management (Level 300)&lt;/a&gt;, I will demo a number of capabilities 
including Microsoft Advanced Group Policy Management &lt;a href="http://technet.microsoft.com/en-us/library/cc983746.aspx" target="_blank"&gt;(AGPM) 3.0&lt;/a&gt; for managing Vista desktops and Windows environment in general. AGPM 3.0 is one of the 5 components in &lt;a href="http://download.microsoft.com/download/6/4/f/64f5dc66-832a-4df3-baf4-3b4e7fb9e500/Datasheet%20-%20MDOP%20Overview.pdf" target="_blank"&gt;Microsoft Desktop Optimization Pack for Software Assurance (MDOP)&lt;/a&gt; 2008 R2. AGPM enables the change-approval workflow of Group Policy Objects (GPOs) and is something I thought worth a special introduction here. Meanwhile I am also developing a screencast and will publish it here soon.&lt;/p&gt;
&lt;p&gt;AGPM is to help customers better manage GPOs, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control as described in the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=993a34d0-c274-4b46-b9fc-568426b81c5e&amp;amp;DisplayLang=en" target="_blank"&gt;overview&lt;/a&gt; whitepaper and shown below. &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=993a34d0-c274-4b46-b9fc-568426b81c5e&amp;amp;DisplayLang=en" target="_blank"&gt;&lt;br /&gt;
&lt;img width="512" height="169" alt="image" src="http://blogs.technet.com/blogfiles/yungchou/WindowsLiveWriter/ActiveDirectoryGroupPolicyObjectGPODel.0_CC74/image_3.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;
For example, you can delegate Reviewer, Editor, and Approver roles to other administrators — even administrators who do not have access to production GPOs.  The Editor role can edit GPOs but not deploy them; the Approver role can deploy GPO changes. AGPM also helps reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It also supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications. &lt;a href="http://technet.microsoft.com/en-us/library/cc983776.aspx" target="_blank"&gt;Step-by-Step and Operations Guides&lt;/a&gt; of AGPM 3.0 are also readily available. &lt;/p&gt;
&lt;p&gt;For those who are interested in finding more, MDOP 2008 R2 was &lt;a href="http://en.wikipedia.org/wiki/Software_release_life_cycle#RTM" target="_blank"&gt;RTM&lt;/a&gt; in &lt;a href="http://blogs.technet.com/mdop/archive/2008/09/15/mdop-2008-r2-release-to-manufacturing.aspx" target="_blank"&gt;September of 2008&lt;/a&gt;. Here are &lt;a href="http://www.microsoft.com/windows/products/windowsvista/editions/demos/landing.html" target="_blank"&gt;demos&lt;/a&gt;, &lt;a href="http://www.microsoft.com/windows/products/windowsvista/enterprise/demos.mspx" target="_blank"&gt;more demos&lt;/a&gt;, and &lt;a href="http://download.microsoft.com/download/6/4/f/64f5dc66-832a-4df3-baf4-3b4e7fb9e500/Datasheet-FAQs.pdf" target="_blank"&gt;FAQ&lt;/a&gt;. Subscribers can download MDOP 2008 R2 from the &lt;a href="http://technet.microsoft.com/en-us/subscriptions/downloads/default.aspx?PV=42:178" target="_blank"&gt;TechNet&lt;/a&gt; and &lt;a href="http://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx?PV=42:178" target="_blank"&gt;MSDN&lt;/a&gt; subscription sites. The availability of the components is as follows through &lt;a href="http://www.microsoft.com/licensing/default.mspx"&gt;Microsoft Volume Licensing Service (MVLS)&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/appvirtualization/cc843994.aspx" target="_blank"&gt;Microsoft Application Virtualization 4.5&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://technet.microsoft.com/en-us/library/cc983746.aspx" target="_blank"&gt;Microsoft Advanced Group Policy Management 3.0&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://support.microsoft.com/kb/959646" target="_blank"&gt;Microsoft Asset Inventory Service 1.5&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://download.microsoft.com/download/6/4/f/64f5dc66-832a-4df3-baf4-3b4e7fb9e500/Datasheet%20-%20SCDEM.pdf" target="_blank"&gt;Microsoft System Center Desktop Error Monitoring 3.0&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://download.microsoft.com/download/6/4/f/64f5dc66-832a-4df3-baf4-3b4e7fb9e500/Datasheet%20-%20DaRT.pdf" target="_blank"&gt;Microsoft Diagnostics and Recovery toolset 5.0&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The official MDOP &lt;a href="http://blogs.technet.com/mdop/" target="_blank"&gt;blog&lt;/a&gt; is the channel to get the latest.&lt;/p&gt;&lt;img src="http://edge.technet.com/2165/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Active-Directory-Group-Policy-Object-GPO-Delegation-and-Approval-Workflow-With-AGPM-30-in-MDOP-2008-/</comments><itunes:summary>In the TechNet Webcast: Microsoft Solutions for Windows Vista Management (Level 300), I will demo a number of capabilities including Microsoft Advanced Group Policy Management (AGPM) 3.0 for managing Vista desktops and Windows environment in general. AGPM 3.0 is one of the 5 components in Microsoft Desktop Optimization Pack for Software Assurance (MDOP) 2008 R2. AGPM enables the change-approval workflow of Group Policy Objects (GPOs) and is something I thought worth a special introduction here. Meanwhile I am also developing a screencast and will publish it here soon.
AGPM is to help customers better manage GPOs, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control as described in the overview whitepaper and shown below. 

For example, you can delegate Reviewer, Editor, and Approver roles to other administrators — even administrators who do not have access to production GPOs.  The Editor role can edit GPOs but not deploy them; the Approver role can deploy GPO changes. AGPM also helps reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It also supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications. Step-by-Step and Operations Guides of AGPM 3.0 are also readily available. 
For those who are interested in finding more, MDOP 2008 R2 was RTM in September of 2008. Here are demos, more demos, and FAQ. Subscribers can download MDOP 2008 R2 from the TechNet and MSDN subscription sites. The availability of the components is as follows through Microsoft Volume Licensing Service (MVLS):

    Microsoft Application Virtualization 4.5 
    Microsoft Advanced Group Policy Management 3.0 
    Microsoft Asset Inventory Service 1.5 
    Microsoft System Center Desktop Error Monitoring 3.0 
    Microsoft Diagnostics and Recovery toolset 5.0 

The official MDOP blog is the channel to get the latest.</itunes:summary><link>http://edge.technet.com/Media/Active-Directory-Group-Policy-Object-GPO-Delegation-and-Approval-Workflow-With-AGPM-30-in-MDOP-2008-/</link><pubDate>Mon, 01 Dec 2008 08:01:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Active-Directory-Group-Policy-Object-GPO-Delegation-and-Approval-Workflow-With-AGPM-30-in-MDOP-2008-/</guid><evnet:views>2259</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/2165/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>Microsoft Advanced Group Policy Management (AGPM) 3.0 is one of the 5 components in Microsoft Desktop Optimization Pack for Software Assurance (MDOP) 2008 R2. AGPM enables the change-approval workflow of Group Policy Objects (GPOs) and is something I thought worth a special introduction here. Meanwhile I am also developing a screencast and will publish it here soon.</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/1051c38a-130a-482e-aa93-9404482e8cf6/" height="240" width="320" /><media:thumbnail url="http://edge.technet.com/Link/32da9c36-34ed-41ff-924a-5dffd3696ec6/" height="64" width="85" /><dc:creator>yung</dc:creator><itunes:author>yung</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Active-Directory-Group-Policy-Object-GPO-Delegation-and-Approval-Workflow-With-AGPM-30-in-MDOP-2008-/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/2165/Trackback.aspx</trackback:ping><category></category><category>Active Directory</category><category>AD</category><category>Group Policy</category><category>Infrastructure Optimization</category><category>IT Pro</category><category>Windows Server 2008</category><category>Windows Server 2008 R2</category></item><item><title>Server 2008 - AD Backup and Restore PM interview</title><description>&lt;img src="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_small_edge.jpg" 
border="0" /&gt;&lt;p&gt;I met up with Stephanie Cheung, the program manager for active directory backup and recovery and we discuss:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;What &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true"&gt;restartable AD&lt;/a&gt; is and when it is appropriate to use it
    &lt;ul&gt;
        &lt;li&gt;Good for usage when you want to recover deleted objects without rebooting &lt;/li&gt;
        &lt;li&gt;Bad for when you need to do a "bare metal" restore or have database corruption&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
    &lt;li&gt;Thoughts around when to do a "Dcpromo /forceremoval" versus restoring from backup.  This includes discussion of restoring using &lt;a href="http://technet2.microsoft.com/WindowsServer2008/en/library/146d1360-09ac-4cdd-8d44-c9756d3550c91033.mspx"&gt;install from media&lt;/a&gt; (IFM) and IFM for an RODC. &lt;/li&gt;
    &lt;li&gt;What the &lt;a href="http://blogs.technet.com/extreme/archive/2007/10/18/analysis-of-windows-server-2008-ad-snapshot-viewer.aspx"&gt;database mounting tool&lt;/a&gt; (DMT - old name "snapshot" tool) does and some ideas on what we're going to do to make recovery of deleted objects easier using DMT. &lt;/li&gt;
    &lt;li&gt;A best practice around preventing deletion of objects in AD (including the new "&lt;a href="http://support.microsoft.com/kb/840001"&gt;Protect object from accidental deletion&lt;/a&gt;" checkbox for objects). &lt;/li&gt;
    &lt;li&gt;Future thoughts for AD backup and restore, such as reducing &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=AFE436FA-8E8A-443A-9027-C522DEE35D85&amp;displaylang=en"&gt;forest recovery&lt;/a&gt; time &lt;/li&gt;
    &lt;li&gt;General disaster recovery tips &lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://edge.technet.com/791/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Server-2008-AD-Backup-and-Restore-PM-interview/</comments><itunes:summary>I met up with Stephanie Cheung, the program manager for active directory backup and recovery and we discuss:

    What restartable AD is and when it is appropriate to use it
    
        Good for usage when you want to recover deleted objects without rebooting 
        Bad for when you need to do a "bare metal" restore or have database corruption
    
    
    Thoughts around when to do a "Dcpromo /forceremoval" versus restoring from backup.  This includes discussion of restoring using install from media (IFM) and IFM for an RODC. 
    What the database mounting tool (DMT - old name "snapshot" tool) does and some ideas on what we're going to do to make recovery of deleted objects easier using DMT. 
    A best practice around preventing deletion of objects in AD (including the new "Protect object from accidental deletion" checkbox for objects). 
    Future thoughts for AD backup and restore, such as reducing forest recovery time 
    General disaster recovery tips 
</itunes:summary><link>http://edge.technet.com/Media/Server-2008-AD-Backup-and-Restore-PM-interview/</link><pubDate>Fri, 11 Apr 2008 06:59:00 GMT</pubDate><guid isPermaLink="false">http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.mp4</guid><evnet:views>10017</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/791/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>&lt;p&gt;I met up with Stephanie Cheung, the program manager for active directory backup and recovery and we discuss:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;What &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx?mfr=true"&gt;restartable AD &lt;/a&gt;is and when it is appropriate to use it
    &lt;ul&gt;
        &lt;li&gt;Good for usage when you want to recover deleted objects without rebooting &lt;/li&gt;
        &lt;li&gt;Bad for when you need to do a "bare metal" restore or have database corruption&lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/dd56bed7-12d5-494b-975d-35039c160852/" height="240" width="320" /><media:thumbnail url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_small_edge.jpg" height="64" width="85" /><media:group><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.mp4" expression="full" duration="1042" fileSize="59222227" type="video/mp4" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.mp3" expression="full" duration="1042" fileSize="8343220" type="audio/mp3" medium="audio" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.mp4" expression="full" duration="1042" fileSize="59222227" type="video/mp4" medium="video" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.wma" expression="full" duration="1042" fileSize="8443501" type="audio/x-ms-wma" medium="audio" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.wmv" expression="full" duration="1042" fileSize="66318899" type="video/x-ms-wmv" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_2MB_edge.wmv" expression="full" duration="1042" fileSize="326444215" type="video/x-ms-wmv" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_Zune_edge.wmv" expression="full" duration="1042" fileSize="82683967" type="video/x-ms-wmv" medium="video" /><media:content url="mms://mschnlnine.wmod.llnwd.net/a1809/d1/edge/1/9/7/WS08BackupRestorePM_s_edge.wmv" expression="full" duration="1042" fileSize="210" type="video/x-ms-asf" medium="video" /></media:group><enclosure url="http://mschnlnine.vo.llnwd.net/d1/edge/1/9/7/WS08BackupRestorePM_edge.mp4" length="59222227" type="video/mp4" 
/><dc:creator>extreme</dc:creator><itunes:author>extreme</itunes:author><slash:comments>0</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Server-2008-AD-Backup-and-Restore-PM-interview/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/791/Trackback.aspx</trackback:ping><category>Active Directory</category><category>AD</category><category>Windows Server 2008</category></item><item><title>Active Directory Database Mounting Tool Screencast</title><description>Corey Hynes a Microsoft MVP has provided us with a six minute screencast demonstrating the new Active Directory Database Mounting technology in Windows Server 2008.  In this screencast he demonstrates how to create a snapshot and connect and browse the snapshot in Active Directory Users and Computers.  For more details on the AD Database Mounting Tool, &lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/163613cb-f332-46c5-b9a9-9654123e0c081033.mspx?mfr=true"&gt;head over to TechNet&lt;/a&gt;.&lt;img src="http://edge.technet.com/645/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/645/</comments><itunes:summary>Corey Hynes a Microsoft MVP has provided us with a six minute screencast demonstrating the new Active Directory Database Mounting technology in Windows Server 2008.  In this screencast he demonstrates how to create a snapshot and connect and browse the snapshot in Active Directory Users and Computers.  
For more details on the AD Database Mounting Tool, head over to TechNet.</itunes:summary><link>http://edge.technet.com/Media/645/</link><pubDate>Fri, 07 Mar 2008 07:59:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/645/</guid><evnet:views>5353</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/645/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>Corey Hynes a Microsoft MVP has provided us with a six minute screencast demonstrating the new Active Directory Database Mounting technology in Windows Server 2008.</evnet:previewtext><media:group><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/5/4/6/ADSnapshotSC2500kbps.wmv" expression="full" duration="355" type="video/x-ms-wmv" medium="video" /><media:content url="mms://mschnlnine.wmod.llnwd.net/a1809/d1/edge/5/4/6/ADSnapshotSC2500kbps.wmv" expression="full" duration="355" type="video/x-ms-wmv" medium="video" /></media:group><dc:creator>Joey</dc:creator><itunes:author>Joey</itunes:author><slash:comments>2</slash:comments><wfw:commentRss>http://edge.technet.com/Media/645/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/645/Trackback.aspx</trackback:ping><category>Active Directory</category><category>Database Mounting Tool</category><category>Windows Server 2008</category></item><item><title>Windows Server 2008 - Active Directory Auditing Enhancements</title><description>&lt;img src="http://dtzar.members.winisp.net/Post-Images/image_4-85.png" border="0" /&gt;&lt;p&gt;&lt;img alt="" src="http://dtzar.members.winisp.net/Post-Images/image_4-300.png" /&gt;I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.&lt;/p&gt;
&lt;p&gt;There’s nothing more exciting than auditing right? Well, check this out and hopefully it will spark some interest. &lt;/p&gt;
&lt;p&gt;In Windows Server 2003 R2 and prior, the auditing of active directory certainly has not been a strong point. You would enable or disable global AD auditing for success or failures, set a SACL on the objects you wanted to monitor, and then typically one or both of the following would happen: &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Your security event log fills up with &lt;i&gt;way&lt;/i&gt; more security events than you’d ever hoped for, possibly wrapping or ballooning the size of the security log. &lt;/li&gt;
    &lt;li&gt;Auditing doesn’t actually provide enough information for you to make any use of the events which are recorded in the security event log. i.e. it only says who was successful at modifying the object, but nothing on the details of the value(s) which were changed. &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In Server 2008, we are on a good path to fix this pain. Some of the key improvements to AD auditing are as follows: &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;You can limit the number of attributes which are audited for object types. For instance, you only want to know if the Employee’s Pay Level attribute is modified for all user accounts and nothing else. &lt;/li&gt;
    &lt;li&gt;Auditing is now broken into four categories: Access (same as 2000/2003), Changes, Replication, and Detailed Replication. The most interesting come from the new changes category:
    &lt;ul&gt;
        &lt;li&gt;AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. &lt;/li&gt;
        &lt;li&gt;If a new object is created, values of the attributes that are populated at the time of creation are logged. &lt;/li&gt;
        &lt;li&gt;If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain. &lt;/li&gt;
        &lt;li&gt;If an object is undeleted, the location where the object is moved to is logged. &lt;/li&gt;
    &lt;/ul&gt;
    &lt;/li&gt;
&lt;/ul&gt;
&lt;p align="center"&gt;&lt;/p&gt;
&lt;p&gt;What are the downfalls? &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;You have to modify the schema in order to limit the number of attributes which are audited per object type. This isn’t really difficult, but it would be nice if there were some friendlier type way to do it. &lt;/li&gt;
    &lt;li&gt;You cannot view or modify the audit policy subcategories with the Local Group Policy Editor (GPedit.msc). You can only do this with the command-line tool Auditpol.exe. &lt;/li&gt;
    &lt;li&gt;As far as I can tell, you can’t limit auditing to different specific attributes for a subset of the same type of object. For instance, you would like to audit attributes X, Y, Z for all admin user accounts, but only attribute X for all regular user accounts. Of course you have some control over this with your SACLs… &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Get Started:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;A screencast on How to enable granular AD auditing in WS08 (coming in the future from me) &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true"&gt;&lt;span&gt;Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide&lt;/span&gt;&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx?mfr=true"&gt;&lt;span&gt;TechNet - AD DS: Auditing&lt;/span&gt;&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;&lt;a href="http://www.windowsnetworking.com/articles_tutorials/Introducing-Windows-Server-2008.html"&gt;&lt;span&gt;Windows Networking Site AD enhancements overview&lt;/span&gt;&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;MS Directory Services Team &lt;a href="http://blogs.technet.com/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx"&gt;&lt;span&gt;Blog Post on WS08 Auditing Enhancements&lt;/span&gt;&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://edge.technet.com/314/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Windows-Server-2008-Active-Directory-Auditing-Enhancements/</comments><itunes:summary>I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.
There’s nothing more exciting than auditing right? Well, check this out and hopefully it will spark some interest. 
In Windows Server 2003 R2 and prior, the auditing of active directory certainly has not been a strong point. You would enable or disable global AD auditing for success or failures, set a SACL on the objects you wanted to monitor, and then typically one or both of the following would happen: 

    Your security event log fills up with way more security events than you’d ever hoped for, possibly wrapping or ballooning the size of the security log. 
    Auditing doesn’t actually provide enough information for you to make any use of the events which are recorded in the security event log. i.e. it only says who was successful at modifying the object, but nothing on the details of the value(s) which were changed. 

In Server 2008, we are on a good path to fix this pain. Some of the key improvements to AD auditing are as follows: 

    You can limit the number of attributes which are audited for object types. For instance, you only want to know if the Employee’s Pay Level attribute is modified for all user accounts and nothing else. 
    Auditing is now broken into four categories: Access (same as 2000/2003), Changes, Replication, and Detailed Replication. The most interesting come from the new changes category:
    
        AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. 
        If a new object is created, values of the attributes that are populated at the time of creation are logged. 
        If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain. 
        If an object is undeleted, the location where the object is moved to is logged. 
    
    


What are the downfalls? 

    You have to modify the schema in order to limit the number of attributes which are audited per object type. This isn’t really difficult, but it would be nice if there were some friendlier type way to do it. 
    You cannot view or modify the audit policy subcategories with the Local Group Policy Editor (GPedit.msc). You can only do this with the command-line tool Auditpol.exe. 
    As far as I can tell, you can’t limit auditing to different specific attributes for a subset of the same type of object. For instance, you would like to audit attributes X, Y, Z for all admin user accounts, but only attribute X for all regular user accounts. Of course you have some control over this with your SACLs… 

Get Started:

    A screencast on How to enable granular AD auditing in WS08 (coming in the future from me) 
    Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide 
    TechNet - AD DS: Auditing 
    Windows Networking Site AD enhancements overview 
    MS Directory Services Team Blog Post on WS08 Auditing Enhancements 
</itunes:summary><link>http://edge.technet.com/Media/Windows-Server-2008-Active-Directory-Auditing-Enhancements/</link><pubDate>Thu, 29 Nov 2007 01:00:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Windows-Server-2008-Active-Directory-Auditing-Enhancements/</guid><evnet:views>4735</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/314/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>&lt;img alt="" src="http://dtzar.members.winisp.net/Post-Images/image_4-300.png" /&gt;I hope this post will act as a good reference point to be able to quickly understand the good and bad about new AD auditing enhancements and then enable you to dive deeper at will using the links in this article.</evnet:previewtext><media:thumbnail url="http://dtzar.members.winisp.net/Post-Images/image_4-85.png" height="64" width="85" /><dc:creator>extreme</dc:creator><itunes:author>extreme</itunes:author><slash:comments>8</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Windows-Server-2008-Active-Directory-Auditing-Enhancements/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/314/Trackback.aspx</trackback:ping><category>Active Directory</category><category>AD</category><category>Auditing</category><category>Windows Server 2008</category></item><item><title>Microsoft IT Active Directory Interview with Brian Puhl</title><description>&lt;img src="http://edge.technet.com/Link/ac5b8abd-631f-4781-a6f8-45ca8e7efe17/" border="0" /&gt;&lt;div&gt;We sat down with Brian Puhl who has been working for Microsoft IT (MSIT) on the deployment, maintenance, planning of their active directory infrastructure since around Windows Server 2000. Learn about how Microsoft does AD from the source and also the projects they're working on.  A seamless experience for your corporate users inside the corporate network and out on the internet, without using a VPN?  Smartcard login/authentication for all MS employees? 
Average of 1 Schema change every 4 months?&lt;/div&gt;&lt;img src="http://edge.technet.com/272/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Microsoft-IT-Active-Directory-Interview-with-Brian-Puhl/</comments><itunes:summary>We sat down with Brian Puhl who has been working for Microsoft IT (MSIT) on the deployment, maintenance, planning of their active directory infrastructure since around Windows Server 2000. Learn about how Microsoft does AD from the source and also the projects they're working on.  A seamless experience for your corporate users inside the corporate network and out on the internet, without using a VPN?  Smartcard login/authentication for all MS employees? Average of 1 Schema change every 4 months?</itunes:summary><link>http://edge.technet.com/Media/Microsoft-IT-Active-Directory-Interview-with-Brian-Puhl/</link><pubDate>Wed, 28 Nov 2007 00:00:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Microsoft-IT-Active-Directory-Interview-with-Brian-Puhl/</guid><evnet:views>6354</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/272/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>We sat down with Brian Puhl who has been working for Microsoft IT (MSIT) on the deployment, maintenance, planning of their active directory infrastructure since around Windows Server 2000. Learn about how Microsoft does AD from the source and also the projects they're working on.  
A seamless&amp;#8230;</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/c4ce4745-8c79-4744-9148-fa4ffaf90a63/" height="240" width="320" /><media:thumbnail url="http://edge.technet.com/Link/ac5b8abd-631f-4781-a6f8-45ca8e7efe17/" height="64" width="85" /><media:group><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.mp4" expression="full" fileSize="117549494" type="video/mp4" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.mp3" expression="full" fileSize="15506831" type="audio/mp3" medium="audio" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.mp4" expression="full" fileSize="117549494" type="video/mp4" medium="video" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.wma" expression="full" fileSize="15686143" type="audio/x-ms-wma" medium="audio" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.wmv" expression="full" fileSize="123042032" type="video/x-ms-wmv" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_2MB_edge.wmv" expression="full" fileSize="606697583" type="video/x-ms-wmv" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_Zune_edge.wmv" expression="full" fileSize="155377340" type="video/x-ms-wmv" medium="video" /><media:content url="mms://mschnlnine.wmod.llnwd.net/a1809/d1/edge/2/7/2/BrianPuhl-11-21-07_s_edge.wmv" expression="full" fileSize="209" type="video/x-ms-asf" medium="video" /></media:group><enclosure url="http://mschnlnine.vo.llnwd.net/d1/edge/2/7/2/BrianPuhl-11-21-07_edge.mp4" length="117549494" type="video/mp4" 
/><dc:creator>extreme</dc:creator><itunes:author>extreme</itunes:author><slash:comments>2</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Microsoft-IT-Active-Directory-Interview-with-Brian-Puhl/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/272/Trackback.aspx</trackback:ping><category>Active Directory</category><category>AD</category><category>Brian Puhl</category><category>MSIT</category><category>Windows Server 2008</category></item><item><title>Ulf B. on AD</title><description>&lt;img src="http://edge.technet.com/Link/078084c7-8750-4d7b-8825-bb7adfb67ee3/" border="0" /&gt;While attending TechEd IT Forum in Barcelona, I was introduced to Ulf B. Simon-Weidner, an MVP for Active Directory based in Germany. He was presenting at IT Forum this year, so I grabbed a few minutes of his time to talk about what's new in AD in Server 2008, and some of his experiences as an AD consultant.&lt;BR&gt;(note to self:&amp;nbsp; remember to turn off my mobile phone &lt;EM&gt;before&lt;/EM&gt; beginning the interview next time)&lt;img src="http://edge.technet.com/253/WebViewBug.aspx?EVT=0" height="1" width="1" alt="" /&gt;</description><comments>http://edge.technet.com/Media/Ulf-on-AD/</comments><itunes:summary>While attending TechEd IT Forum in Barcelona, I was introduced to Ulf B. Simon-Weidner, an MVP for Active Directory based in Germany. 
He was presenting at IT Forum this year, so I grabbed a few minutes of his time to talk about what's new in AD in Server 2008, and some of his experiences as an AD consultant. (note to self: remember to turn off my mobile phone before beginning the interview next time)</itunes:summary><link>http://edge.technet.com/Media/Ulf-on-AD/</link><pubDate>Tue, 20 Nov 2007 22:42:00 GMT</pubDate><guid isPermaLink="false">http://edge.technet.com/Media/Ulf-on-AD/</guid><evnet:views>5423</evnet:views><evnet:viewtrackingurl>http://edge.technet.com/253/WebViewBug.aspx?EVT=0</evnet:viewtrackingurl><evnet:previewtext>While attending TechEd IT Forum in Barcelona, I was introduced to Ulf B. Simon-Weidner, an MVP for Active Directory based in Germany. He was presenting at IT Forum this year, so I grabbed a few minutes of his time to talk about what's new in AD in Server 2008, and some of his experiences as an AD consultant.</evnet:previewtext><media:thumbnail url="http://edge.technet.com/Link/bf4da5a5-a197-4add-8946-b296f86cf0fe/" height="240" width="320" /><media:thumbnail url="http://edge.technet.com/Link/078084c7-8750-4d7b-8825-bb7adfb67ee3/" height="64" width="85" /><media:group><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.mp4" expression="full" fileSize="46137393" type="video/mp4" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.mp3" expression="full" fileSize="6061581" type="audio/mp3" medium="audio" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.mp4" expression="full" fileSize="46137393" type="video/mp4" medium="video" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.wma" expression="full" fileSize="6133427" type="audio/x-ms-wma" medium="audio" /><media:content isDefault="true" url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.wmv" expression="full" fileSize="48138582" type="video/x-ms-wmv" medium="video" 
/><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_2MB_edge.wmv" expression="full" fileSize="237170493" type="video/x-ms-wmv" medium="video" /><media:content url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_Zune_edge.wmv" expression="full" fileSize="60826258" type="video/x-ms-wmv" medium="video" /><media:content url="mms://mschnlnine.wmod.llnwd.net/a1809/d1/edge/3/5/2/ulf_ad_s_edge.wmv" expression="full" type="video/x-ms-asf" medium="video" /></media:group><enclosure url="http://mschnlnine.vo.llnwd.net/d1/edge/3/5/2/ulf_ad_edge.mp4" length="46137393" type="video/mp4" /><dc:creator>AdamBomb</dc:creator><itunes:author>AdamBomb</itunes:author><slash:comments>2</slash:comments><wfw:commentRss>http://edge.technet.com/Media/Ulf-on-AD/RSS/</wfw:commentRss><trackback:ping>http://edge.technet.com/253/Trackback.aspx</trackback:ping><category>Active Directory</category><category>IT Forum</category><category>TechEd</category><category>Windows Server 2008</category></item></channel></rss>