Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘ADSIEDIT’ Category

(2019-10-12) Gradually Or Specifically Configuring Your Windows Machines For Hybrid Azure AD Join

Posted by Jorge on 2019-10-12


If you have read this blog post, you know that at some point you need to create a Service Connection Point (SCP) so that your Windows clients know which Azure AD tenant they should register in. In that blog post, and until recently this was the only option, the SCP is created in the Configuration partition of the AD forest, where every domain-joined Windows machine in the forest reads it.

A single forest-wide SCP is fine if the whole forest is serviced by one Azure AD tenant and you want every Windows client to register at once. It is a problem if parts of the forest must register in different Azure AD tenants, or if you want a phased rollout: as long as the SCP exists in the Configuration partition, every domain-joined Windows client that reads it will try to register.

Therefore, if you need to deploy different Hybrid Azure AD Join settings to different groups of Windows clients, and/or you need to deploy in a phased manner, clear the forest-level SCP and provide the SCP settings instead through a GPO that configures the equivalent REGISTRY values on the targeted machines only.

Clear the SCP from AD

Use the Active Directory Services Interfaces Editor (ADSI Edit) to modify the SCP object in AD.

  1. Launch the ADSI Edit desktop application from an administrative workstation or a domain controller as an Enterprise Administrator (the Configuration partition is forest-wide, so Domain Admin rights in a single domain are not enough).
  2. Connect to the Configuration Naming Context of your forest.
  3. Browse to CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration
  4. Right-click the leaf object under CN=Device Registration Configuration and select Properties
    1. Select keywords in the Attribute Editor window and click Edit
    2. Select the two values that start with azureADId: and azureADName: (one at a time) and click Remove; leave the object itself in place
  5. Close ADSI Edit

Configure client-side registry setting for SCP

Use the following example to create a Group Policy Object (GPO) that deploys the two registry values making up a client-side SCP entry on your devices.

  1. Open a Group Policy Management console and create a new Group Policy Object in your domain.
    1. Provide your newly created GPO a name (for example, ClientSideSCP).
  2. Edit the GPO and locate the following path: Computer Configuration > Preferences > Windows Settings > Registry
  3. Right-click on the Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantId
      5. Value type: REG_SZ
      6. Value data: The GUID or Directory ID of your Azure AD instance (This value can be found in the Azure portal > Azure Active Directory > Properties > Directory ID)
    2. Click OK
  4. Right-click on the Registry and select New > Registry Item
    1. On the General tab, configure the following
      1. Action: Update
      2. Hive: HKEY_LOCAL_MACHINE
      3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD
      4. Value name: TenantName
      5. Value type: REG_SZ
      6. Value data: Your verified domain name if you are using a federated environment such as AD FS. Your verified domain name or your onmicrosoft.com domain name (for example, contoso.onmicrosoft.com) if you are using a managed environment (PHS or PTA as the primary authentication method)
    2. Click OK
  5. Close the editor for the newly created GPO
  6. Link the newly created GPO to the desired OU containing domain-joined computers that belong to your controlled rollout population

PS: if you are using AD FS, that same GPO must ALSO target the AD FS servers!
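To check the result of both procedures above from PowerShell, here is an added example (my code, not from the original post and not from Microsoft's documentation). It assumes the ActiveDirectory RSAT module on an admin host with Enterprise Admin rights for the forest part, local administrator rights on one pilot client for the registry part, and placeholder values for the tenant ID and tenant name that you must replace. The registry writes are the manual equivalent of the two GPO preference items, useful for testing a single pilot machine before you link the GPO.

```powershell
# Added example: inspect/clear the forest-level SCP, then stage the client-side SCP on one pilot machine.
# Assumptions: ActiveDirectory module (RSAT), Enterprise Admin for part 1, local admin for part 2,
# placeholder tenant values below.
Import-Module ActiveDirectory

# ---- Part 1: forest-level SCP (what the ADSI Edit steps touch) ----
$configNC = (Get-ADRootDSE).configurationNamingContext
$drcDN    = "CN=Device Registration Configuration,CN=Services,$configNC"

# The SCP is the leaf object under the container; enumerate it rather than hard-coding its name.
$scp = Get-ADObject -Filter * -SearchBase $drcDN -SearchScope OneLevel -Properties keywords `
                    -ErrorAction SilentlyContinue | Select-Object -First 1

if ($null -eq $scp) {
    Write-Host "No forest-level SCP under $drcDN (nothing to clear)."
} else {
    Write-Host "Forest-level SCP: $($scp.DistinguishedName)"
    $scp.keywords | ForEach-Object { Write-Host "  keywords: $_" }

    # Remove only the two tenant keywords, exactly like the ADSI Edit steps; the object stays.
    $tenantKeywords = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' -or $_ -like 'azureADName:*' })
    if ($tenantKeywords.Count -gt 0) {
        # -WhatIf only shows the change; drop it when you are ready to apply.
        Set-ADObject -Identity $scp.DistinguishedName -Remove @{ keywords = $tenantKeywords } -WhatIf
    }
}

# ---- Part 2: client-side SCP (what the GPO registry items write) ----
# Placeholders (assumptions): replace with your Directory (tenant) ID and verified domain name.
$tenantId   = '00000000-0000-0000-0000-000000000000'
$tenantName = 'contoso.onmicrosoft.com'

# A malformed GUID only shows up later as a failed registration, so validate it before writing.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($tenantId, [ref]$parsed)) { throw "TenantId '$tenantId' is not a valid GUID" }

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Same two values the GPO preference items set (Action: Update, type REG_SZ).
New-ItemProperty -Path $key -Name 'TenantId'   -PropertyType String -Value $tenantId   -Force | Out-Null
New-ItemProperty -Path $key -Name 'TenantName' -PropertyType String -Value $tenantName -Force | Out-Null

Get-ItemProperty -Path $key | Select-Object TenantId, TenantName

# Ask the device registration client what it will actually use: the Tenant Details section of
# dsregcmd /status lists TenantName/TenantId, and AzureAdJoined flips to YES once registration succeeds.
dsregcmd /status | Select-String -Pattern 'TenantName|TenantId|AzureAdJoined|DomainJoined'
```

Part 2 is for a single test machine only; for the actual rollout keep using the GPO, which reapplies the values on every policy refresh and is scoped by OU link, exactly as the steps above describe.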

More information: Controlled validation of hybrid Azure AD join

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Active Directory Domain Services (ADDS), ADSIEDIT, Azure AD Join, Windows Azure Active Directory, Windows Client, Windows Server

(2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP

Posted by Jorge on 2014-08-04


I was testing something in my test environment, based upon W2K12R2, regarding the confidential attribute flag (bit 7, value 128, of searchFlags) and the permissions required to read such attributes. I had created a PowerShell script to apply the required permissions on every OU in scope for the assigned trustee. The PowerShell script works great. As you may know, both DSACLS and LDP are other tools that can be used to configure the required CONTROL_ACCESS extended right. After configuring the permissions through PowerShell, I then used LDP to remove the ACE that had been configured. Rerunning the PowerShell script resulted in the error shown below.

Figure 1: Error Thrown By PowerShell Because Of Incorrectly Ordered Permissions

Exception calling "SetAccessRule" with "1" argument(s): "This access control list is not in canonical form and therefore cannot be modified."
At line:8 char:1
+ $aclOU.SetAccessRule($AccessRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

That was weird, the script had just worked correctly in the previous run. After checking the permissions with ADUC or ADSIEDIT, I got the following message: "The permissions on Users are incorrectly ordered, which may cause some entries to be ineffective"

Figure 2: Warning Thrown By Active Directory Users And Computers (ADUC) Because Of Incorrectly Ordered Permissions

If CANCEL is clicked, nothing is changed and the permissions are shown in read-only mode. You will not be able to change anything until the order is fixed.

If REORDER is clicked, ADUC rewrites the DACL in canonical order (explicit Deny ACEs, then explicit Allow ACEs, then the inherited ACEs) and you can change anything you like again. Reorder rather than cancel: the access check walks the ACEs in order, so an explicit Deny that sits behind an Allow may never be evaluated, which is exactly the "some entries may be ineffective" the warning refers to.

Funny enough, if you use LDP to add an ACE the issue does not occur. Removing an existing ACE results in this error/warning. After some testing I also found out it does not occur on every OU. Even more testing proved this to occur when having a large number of explicit ACEs on an OU.
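To find OUs in this state before a script trips over them, and to put the DACL back in canonical order without the GUI, here is an added example (my code, not from the original post). It assumes the ActiveDirectory module (for the AD: drive) and rights to read and write nTSecurityDescriptor on the OUs; the base DN is a placeholder. It uses the same .NET canonical check that makes SetAccessRule throw (explicit deny, explicit allow, then inherited), re-sorts only the explicit block, and leaves the inherited ACEs in the order AD propagated them.

```powershell
# Added example: detect non-canonical DACLs on OUs and reorder the explicit ACEs.
# Assumptions: ActiveDirectory module loaded (AD: drive), read/write on nTSecurityDescriptor of the OUs,
# 'DC=contoso,DC=com' below is a placeholder base DN.
Import-Module ActiveDirectory

function Get-NonCanonicalOU {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        # AreAccessRulesCanonical is the check behind the
        # "This access control list is not in canonical form" exception.
        if (-not $acl.AreAccessRulesCanonical) { $_.DistinguishedName }
    }
}

function Repair-OUDaclOrder {
    param([Parameter(Mandatory)][string]$DistinguishedName, [switch]$WhatIf)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    if ($acl.AreAccessRulesCanonical) { return "$DistinguishedName is already canonical" }

    # Work on the raw descriptor so every ACE is visible, including the out-of-order ones.
    $raw  = New-Object System.Security.AccessControl.RawSecurityDescriptor ($acl.GetSecurityDescriptorBinaryForm(), 0)
    $aces = @(foreach ($ace in $raw.DiscretionaryAcl) { $ace })

    $inh       = [System.Security.AccessControl.AceFlags]::Inherited
    $explicit  = @($aces | Where-Object { ($_.AceFlags -band $inh) -eq 0 })
    $inherited = @($aces | Where-Object { ($_.AceFlags -band $inh) -ne 0 })

    # Canonical DACL order: explicit deny, explicit allow, then inherited ACEs.
    # Relative order inside each group is preserved; inherited ACEs are not touched at all.
    $deny  = [System.Security.AccessControl.AceQualifier]::AccessDenied
    $allow = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    $ordered = @(
        $explicit | Where-Object { $_.AceQualifier -eq $deny }
        $explicit | Where-Object { $_.AceQualifier -eq $allow }
        $inherited
    )
    # Never silently drop an ACE we did not recognise (e.g. a custom ACE type).
    if ($ordered.Count -ne $aces.Count) { throw "Unrecognised ACE type in DACL of $DistinguishedName, not touching it" }

    $newDacl = New-Object System.Security.AccessControl.RawAcl ($raw.DiscretionaryAcl.Revision, $ordered.Count)
    for ($i = 0; $i -lt $ordered.Count; $i++) { $newDacl.InsertAce($i, $ordered[$i]) }
    $raw.DiscretionaryAcl = $newDacl

    $bytes = New-Object byte[] $raw.BinaryLength
    $raw.GetBinaryForm($bytes, 0)
    $acl.SetSecurityDescriptorBinaryForm($bytes, [System.Security.AccessControl.AccessControlSections]::Access)

    if ($WhatIf) {
        return "Would rewrite DACL of $DistinguishedName ($($explicit.Count) explicit, $($inherited.Count) inherited ACEs)"
    }
    Set-Acl -Path $path -AclObject $acl
    "Reordered DACL of $DistinguishedName"
}

# Usage (placeholder base DN): list the offenders first, then repair with -WhatIf before doing it for real.
Get-NonCanonicalOU -SearchBase 'DC=contoso,DC=com' |
    ForEach-Object { Repair-OUDaclOrder -DistinguishedName $_ -WhatIf }
```

Run Get-NonCanonicalOU on its own after any bulk ACL change made with LDP or DSACLS; it is cheap and catches the problem before a delegation script fails halfway through. The repair deliberately only re-sorts explicit ACEs, because that is the part a manual edit disturbs; if ADUC still complains about an OU afterwards, use its REORDER button for that one.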

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Active Directory Users And Computers, ADSIEDIT, Delegation Of Control, LDP, PowerShell
