Monday, August 26, 2013

Three hints for Active Directory

1: How to get distinguished name through powershell from a computer without using Active Directory module

$filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"

Compliments to Shay:

2: How to get Domain controller to see Security Policies.

Apparently, as part of the design, AD will not see security properties from it's own GPO unless they are defined at the global scope.

Which mean, if you're trying to lock down AD to some security spec, such as CIS, you'll have to define hardened policies at the global scope. If you dont want your nodes to be as locked down as the AD, you'll have to enforce the GPO with relaxed settings at the node OU to overwrite global.

A bit of a headache if you ask me.... especially since it took me nearly a day and a half to find an answer.

3:  Exposing MSS settings (some hardening specs such as CIS calls for it)

Note: You can edit GPO from any server where GPMC is installed, so this tool can be installed on any 2k8 server in the domain (no reason to clutter up the AD).

* Install Security Compliance Management Toolkit.
-- the installer will probably fail to's probably by design.

* Install SQL express manually. Use any version.
* Re-run Security Compliance Management Toolkit installer.
* Click the Start, click All Programs, Microsoft Security Compliance Manager, Local GPO.
* Install LocalGPO.MSI
* Go to the folder where you installed the MSI (default is C:\Program Files (x86)\LocalGPO) and
* From Administrative command prompt run: cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
* Open GPO editor
* Navigate to Computer Config -> Policies -> Windows settings -> Security Settings -> Local Policies -> Security Options

BOOM MSS is now visible.

No comments:

Post a Comment

Comments are welcomed and appreciated.