Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Object Deletion/Restore’ Category

(2012-10-22) Presenting At The Experts Conference (TEC) In Barcelona (Spain)

Posted by Jorge on 2012-10-22


As we speak, I’m preparing my presentation and demo’s for tomorrow (Tuesday, October 23rd 2012) about all object recovery methods in all Windows Server versions released until now. It will cover common information related to object recovery and then I will dive in into the technical specific for each method available. This presentation will  consist of two sessions of each 75 minutes and I will also show 4 demo’s, one for each method of recovering objects.

image

Figure 1: Opening Slide Of Session

  • Location: Barcelona, Spain – Hotel Rey Juan Carlos I
  • Meeting Room: “J”
  • Time: 10:15 – 11:30 (part 1) & 11:30 – 12:45 (part 2)
  • Session Title: “The Evolution Of Object Recovery In AD – The Road To Perfection – A Technical Deep Dive (Part 1 and Part 2)”
  • Level: 400
  • Abstract: Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. In time, the technology made it more easy to recover objects and prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 and in Windows Server "8". The session will finish with recommendations around object recovery. This session consists of two parts (2x 75 min.) and will include multiple demos!
  • Bios (Dutch): Jorge de Almeida Pinto is Principal Consultant Infrastructure Services binnen Valid (http://www.valid.nl/). Binnen zijn functie heeft hij een sterke focus op Microsoft Identity and Access Management (IAM) technologieën. Aangezien zijn professionele passie in deze technologieën gevonden kan worden, heeft hij zich ook gespecialiseerd in Microsoft producten zoals Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) en Active Directory Federation Services (ADFS) in contexten zoals analyse, ontwerpen, implementaties, migraties, troubleshooting en recovery.
    Jorge is Microsoft gecertificeerd (MCP, MCSE, MCITP, MCT) en is sinds januari 2006 MVP op het “Identity & Access – Directory Services” vlak.
    Een andere passie van Jorge is het spreken op conferenties en het schrijven van artikelen. Hij is sinds 2006 een frequente spreker op de “The Experts Conference (TEC)” van Quest en andere (Microsoft) conferenties en seminars en sinds 2005 schrijft hij artikelen in het technische blad "NetOpus/NetworkPro".
    Om voorop te blijven, participeert Jorge in beta programma’s van nieuwe Microsoft IAM gerelateerde producten en onderhoudt hij het contact met de Microsoft Product Group door het bijwonen van de jaarlijkse MVP Summit en de maandelijkse “Product Group Interaction Events”. Jorge heeft ook nog een blog welke gevonden kan worden op https://jorgequestforknowledge.wordpress.com/.
  • Bios (English): Jorge de Almeida Pinto is a Principal Consultant Infrastructure Services working for Valid (http://www.valid.nl/). Within his role he has a strong focus on Microsoft Identity and Access Management (IAM) technologies. Because his professional passion can be found in these technologies, he has specialized himself in Microsoft products such as Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) and Active Directory Federation Services (ADFS) in contexts such as analysis, design, deployment, migration, troubleshooting and recovery.
    Jorge is Microsoft certified (MCP, MCSE, MCITP, MCT) and he has received the MVP Award for “Identity & Access – Directory Services” since January 2006.
    Another passion of Jorge is speaking at conferences and writing articles. He has been a frequent speaker at “The Experts Conference (TEC)” from Quest and other (Microsoft) conferences/seminars since 2006, and he has been writing articles in the Dutch technical magazine “NetOpus/NetworkPro” since 2005.
    To stay ahead, Jorge participates in beta programs of new Microsoft IAM related products and he maintains the contact with the Microsoft Product Group by attending the MVP Summit every year and by participating in the monthly “Product Group Interaction Events”. Jorge also has a blog, which can be found at
    https://jorgequestforknowledge.wordpress.com/.

With this I would like to thank:

imageimage

  • and of course,last but not least, “Valid” my employer (http://www.valid.nl/) for making this possible

image

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Company/Employer Stuff, Conferences, Object Deletion/Restore | 1 Comment »

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

Posted by Jorge on 2012-03-28


In this post I explain the “Protect From Accidental Deletion” feature that is made accessible through both “Active Directory Users And Computers” and “Active Directory Administrative Center”. Under the hood that feature in reality is implemented through a combination of ACEs on objects. If you wanted to script the addition or removal of the protection you had to screw with ACEs and that was not always a fun thing to do as it could be quite complex to achieve a simple configuration.

Let’s say you want to create and protect the OU "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB". The OU "OU=TOPLevel,DC=ADCORP,DC=LAB" already exists and is already protected!

[1] Using ADMOD and DSACLS

Creating the OU:

  • ADMOD -sc adaou:1;OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB

Adding the protection:

  • DSACLS "OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:DC" (DENY ACE for Everyone to DELETE CHILD with the This object only scope)
  • DSACLS "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:SDDT" (DENY ACE for Everyone to DELETE and DELETE TREE with the This object only scope)

[2] Using the Microsoft AD PowerShell CMDlets And Configuring The Correct ACEs

Creating the OU (I know I could use the CMDlet “New-ADOrganizationalUnit”…):

  • $objParent = [ADSI]"LDAP://ADCORP.LAB/OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $objOU = $objParent.Create("organizationalUnit","OU=MyProtectedOU")
  • $objOU.SetInfo()

Adding the protection:

  • Import-Module ActiveDirectory
  • $sidEVERYONE = [System.Security.Principal.SecurityIdentifier]’S-1-1-0′
  • $ACLParent = Get-Acl "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEParent = $sidEVERYONE,"DeleteChild","Deny"
  • $AccessRuleParent = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEParent
  • $ACLParent.AddAccessRule($AccessRuleParent)
  • Set-Acl -ACLObject $ACLParent -Path "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
  • $AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
  • $ACLOU.AddAccessRule($AccessRuleOU)
  • Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

Removing the protection:

  • Import-Module ActiveDirectory
  • $sidEVERYONE = [System.Security.Principal.SecurityIdentifier]’S-1-1-0′
  • $ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
  • $AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
  • $ACLOU.RemoveAccessRule($AccessRuleOU)
  • Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

[3] Using the Microsoft AD PowerShell CMDlets And Using The Exposed Property

Creating the OU:

  • Import-Module ActiveDirectory
  • New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

REMARK: when using this CMDlet, the default behavior is to protect the created OU

Adding the protection:

  • Import-Module ActiveDirectory
  • Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$true

Removing the protection:

  • Import-Module ActiveDirectory
  • Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$false

[4] Using the Quest AD PowerShell CMDlets

Creating the OU:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • New-ADOrganizationalUnit -Name ‘MyProtectedOU’ -Path ‘OU=TOPLevel,DC=ADCORP,DC=LAB’

Adding the protection:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Add-QADPermission -identity ‘OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘DeleteChild’ -ApplyTo ThisObjectOnly
  • Add-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly

Removing the protection:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Get-QADPermission -identity ‘OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB’ -Deny -Account ‘EVERYONE’ -Right ‘Delete,DeleteTree’ -ApplyTo ThisObjectOnly | Remove-QADPermission

[5] Adjusting the default security descriptor for OUs

When you create any object, that object will receive the default explicit permissions as configured in the AD schema. So, by adjusting the default explicit permissions (a.k.a. the default Security Descriptor) for the organizationalUnit objectClass any newly created organizational unit from that point on will receive the new default security descriptor. The change to the default security descriptor can be undone if you desire so! However, just making the change is not enough as the schema is cached for performance reasons. Therefore any changes to the AD schema will be refreshed into the cache within five minutes after the change has been committed into the database. If you cannot wait and you want to reload the schema right away you can follow either of the following procedures:

  1. Start the Active Directory Schema MMC, right-click “Active Directory Schema” and then click “Reload the Schema”
    OR
  2. Add the “schemaUpdateNow” operational attribute to rootDSE with a value of 1

For more detailed information about the schema please see: How the Active Directory Schema Works

To adjust the default security descriptor for the organizationalUnit objectClass perform the following steps:

  1. Open ADSIEDIT.MSC and connect to the SCHEMA naming context
  2. Find the object “CN=Organizatinal-Unit” and adjust the value of the “defaultSecurityDescriptor” property
    1. From the default value:
      1. D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)
    2. To the custom value (difference with the default has been highlighted in red):
      1. D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

clip_image001

Figure 1: Adjusting The Default Security Descriptor Of The ObjectClass OrganizationalUnit

REMARK: During my testing with Windows Server “8” Beta, I discovered that there is a difference in behavior between ADUC and ADAC if you select to NOT protect the if the above custom configuration for the default security descriptor is in place. In ADAC, after the new object has been created/instantiated it will in addition remove the protection as expected. However, in ADUC it will not be removed as requested. I’m not sure if Microsoft will change this unexpected behavior for ADUC in the official release of Windows Server “8”. Just be aware of this!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Delegation Of Control, Object Deletion/Restore, PowerShell | 5 Comments »

(2008-03-26) Free AD Objects Recovery Tools

Posted by Jorge on 2008-03-26


UPDATED: 09-10-2010

A while ago, I wrote about the new feature within Windows Server 2008 to reanimate and populate the attributes from a snapshot backup. That post can be found here. I thought it would be interesting to summarize the tools available that can help you recover deleted objects for free. Some of the tools are CLI based and some are GUI based. Again, some provide basic functionality (hey, it’s free!) and some provide advanced functionality (hey, it’s still free you lucky…).

Tools available to save the day for free:

A tool should not only be able to restore one or a few objects, but it should also be able to restore a complete OU structure with all kinds of objects in that OU structure. It should also be possible to filter objects based upon time. What I mean with the last remark is that until the major accidental deletion, you may have deleted all kinds of objects intentionally, which you may not want to restore. Your best bet to filter on time, is by using the whenChanged attribute, and preferably determine the very first object that was deleted as the deletion occurs from the bottom to the OU that was selected to be (accidentally) deleted. Be careful though with just using the whenChanged attribute. That attribute does not replicate between DCs, so before using any RWDC for the undeletion, make sure to determine the RWDC where the deletion occurred!!!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Object Deletion/Restore, Tooling/Scripting | 2 Comments »

 
%d bloggers like this: