Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-10-24) Azure AD Password Protection (A.k.a. Banned Password List) – Deploy The DC Agent (Part 4)

Posted by Jorge on 2019-10-24


In addition to configuring Azure AD, the Azure AD Password Protection DC Agent needs to be installed on every writable domain controller in the AD domain. As read-only domain controllers do not process passwords themselves, there is no need to install the Azure AD Password Protection DC Agent on them. The Azure AD Password Protection DC Agent is nothing more than a password filter that evaluates the password provided by the user.

To install the Azure AD Password Protection DC Agent, you can use the following PowerShell code, which writes a log file and produces some nice output. For additional requirements, please see Azure AD Password Protection – Deployment Requirements. Please be aware that the following PowerShell script targets RWDCs based upon the scope (forest, domain, rwdc) you define in the parameters. With the forest scope it will enumerate all AD domains in the AD forest, then for every AD domain enumerate all writable domain controllers and try to install the software on each of them. With the domain scope it will enumerate all RWDCs of the specified AD domains and try to install the software on each writable domain controller. With the rwdc scope it will target the specified RWDCs. In all cases it will check if Enterprise Admin credentials are available. It will always check if an AD domain or RWDC actually exists, and in the latter case it will also check if it can connect to the RWDC. Installing the DC Agent requires a restart of the targeted RWDC(s). The code DOES NOT do that. You still need to do that yourself! As an added bonus it checks whether the minimum required .NET Framework is installed.

To download the latest version: Azure AD Password Protection for Windows Server Active Directory

To read about the version history and release notes: Azure AD Password Protection agent version history

# For All RWDCs In The AD Forest

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope Forest -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

OR

# For All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N> -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N> -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

Figure 1: Installing The Azure AD Password Protection DC Agent (Scope: Forest)

Figure 2: GridView Output

Figure 3: Installation Log File Sample

Figure 4: Installing The Azure AD Password Protection DC Agent (Scope: Domain)

Figure 5: Installing The Azure AD Password Protection DC Agent (Scope: RWDC)

You can download the script from here
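The logic described above (scope resolution, RODC exclusion, connectivity and .NET checks, silent MSI install with logging, no reboot) condensed into a short added example that is my own code and not Jorge's script. It assumes the ActiveDirectory module, WinRM to each RWDC, admin rights on the RWDCs, and that .NET 4.7.2 (Release 461808) is the minimum; confirm that value against the deployment requirements.

```powershell
# Added example, not the post's script. The MSI is copied to each DC first so msiexec runs from a
# local path (installing straight from a UNC share inside Invoke-Command hits the second-hop problem).
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Forest','Domain','RWDC')][string]$Scope,
    [string[]]$Domains,
    [string[]]$Servers,
    [Parameter(Mandatory)][string]$InstallSourceFullPath,
    [string]$LogFile = "$PSScriptRoot\AADPP-DCAgent-Install.log",
    [int]$MinDotNetRelease = 461808   # assumed minimum (.NET 4.7.2); confirm against the deployment requirements
)
Import-Module ActiveDirectory
function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $LogFile -Append
}
# Resolve the target RWDCs. RODCs are excluded: they never evaluate passwords themselves.
$rwdcFilter = 'IsReadOnly -eq $false'
$targets = switch ($Scope) {
    'Forest' { (Get-ADForest).Domains | ForEach-Object { (Get-ADDomainController -Filter $rwdcFilter -Server $_).HostName } }
    'Domain' { $Domains | ForEach-Object { (Get-ADDomainController -Filter $rwdcFilter -Server $_).HostName } }
    'RWDC'   { $Servers }
}
$msiName = Split-Path -Path $InstallSourceFullPath -Leaf
foreach ($dc in ($targets | Sort-Object -Unique)) {
    if (-not (Test-WSMan -ComputerName $dc -ErrorAction SilentlyContinue)) {
        Write-Log "$dc : no WinRM connectivity, skipped"; continue
    }
    # The Release DWORD of the .NET v4 Full profile encodes the installed framework version.
    $release = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    }
    if (-not $release -or $release -lt $MinDotNetRelease) {
        Write-Log "$dc : .NET release '$release' is below the required $MinDotNetRelease, skipped"; continue
    }
    Copy-Item -Path $InstallSourceFullPath -Destination "\\$dc\C$\Windows\Temp\$msiName" -Force
    $exitCode = Invoke-Command -ComputerName $dc -ArgumentList $msiName -ScriptBlock {
        param($msi)
        # /norestart: the DC still needs a reboot, but when the admin chooses, not when msiexec does.
        $p = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
            '/i', "C:\Windows\Temp\$msi", '/qn', '/norestart', '/l*v', "C:\Windows\Temp\$msi.log")
        $p.ExitCode
    }
    switch ($exitCode) {
        0       { Write-Log "$dc : installed (exit 0); reboot the DC yourself to activate the password filter" }
        3010    { Write-Log "$dc : installed (exit 3010, reboot required); reboot the DC yourself" }
        default { Write-Log "$dc : msiexec failed with exit code $exitCode, see C:\Windows\Temp\$msiName.log on the DC" }
    }
}
```

Run it as `.\Install-DCAgent.ps1 -Scope Forest -InstallSourceFullPath "<path to the MSI>"`; the per-DC msiexec log stays on the DC for troubleshooting failed installs.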

Unlike what the version history says, the Azure AD Password Protection DC Agent software still uses an MSI. Nevertheless, the PowerShell code supports both an EXE and an MSI. The Azure AD Password Protection DC Agent does not support automatic upgrade like the Azure AD Password Protection Proxy Service does. However, the DC Agent will log event ID 30034 in the Azure AD Password Protection DC Agent Operational event log when a newer version is available. You can then use this script if you want to redeploy/upgrade the Azure AD Password Protection DC Agent.
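Because the DC Agent never upgrades itself, the event 30034 signal above is worth collecting centrally. The following added example (my own code, not from the post) reports the installed agent version and any recent 30034 event for every RWDC in the forest; it assumes the ActiveDirectory module, WinRM to each RWDC, and that the operational channel is named 'Microsoft-AzureADPasswordProtection-DCAgent/Operational' (verify in Event Viewer).

```powershell
# Added example, not from the post: DC Agent version and upgrade-available (30034) status per RWDC.
Import-Module ActiveDirectory
$channel = 'Microsoft-AzureADPasswordProtection-DCAgent/Operational'   # assumed channel name
$since   = (Get-Date).AddDays(-30)
$rwdcs   = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $_).HostName
}

$report = Invoke-Command -ComputerName $rwdcs -ArgumentList $channel, $since -ErrorAction Continue -ScriptBlock {
    param($ch, $from)
    # Read the version from the Uninstall registry key rather than Win32_Product: enumerating
    # Win32_Product is slow and triggers a consistency check (and possible repair) of every MSI product.
    $agent = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object DisplayName -eq 'Azure AD Password Protection DC Agent'
    # Newest 30034 event in the window; SilentlyContinue covers "no events found" and a missing log.
    $upgradeEvent = Get-WinEvent -FilterHashtable @{ LogName = $ch; Id = 30034; StartTime = $from } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed        = [bool]$agent
        Version          = $agent.DisplayVersion
        UpgradeAvailable = [bool]$upgradeEvent
        LastNoticed      = $upgradeEvent.TimeCreated
    }
}
# PSComputerName is added by Invoke-Command; a DC missing from the table did not answer over WinRM.
$report | Select-Object PSComputerName, Installed, Version, UpgradeAvailable, LastNoticed |
    Sort-Object PSComputerName | Format-Table -AutoSize
```

Any row with UpgradeAvailable set to True (or Installed set to False on a writable DC) is a candidate for a rerun of the install script.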

And if you need to UNinstall the Azure AD Password Protection DC Agent, then you can use the following on a single RWDC (I only provide the code and no script. However, if you want to, you can leverage the code and logic above to execute the part below instead!)

WMIC PRODUCT WHERE NAME="Azure AD Password Protection DC Agent" CALL UNINSTALL

OR

$product = Get-WmiObject -Class Win32_Product -Filter "Name like 'Azure AD Password Protection DC Agent'"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

Have fun!

Cheers,
Jorge

