pworkbook directoryservices newhire week3

Upload: dragos-ioan-coste

Post on 08-Oct-2015

DESCRIPTION

Directory Services Manual

TRANSCRIPT

  • Readiness and Sustained Education

    Released: 17 June 2005 MICROSOFT CONFIDENTIAL - For Internal Use Only

    Supporting Windows Operating Systems: Directory Services New Hire Week 3

    This Workbook provides reference material to accompany course presentations.

  • Supporting Windows Operating Systems: Directory Services New Hire Week 3 MICROSOFT CONFIDENTIAL - For Internal Use Only © 2005 Microsoft Corporation. All rights reserved.

    Terms of Use MICROSOFT CONFIDENTIAL - For Internal Use Only

    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    For more information, see Microsoft Copyright Permissions at http://www.microsoft.com/permission

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    © 2005 Microsoft Corporation. All rights reserved.

    The Microsoft company name and Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

    THIS DOCUMENT IS FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

  • Table of Contents

    About This Course Week 3 ..... 1
      Audience ..... 1
      Before You Begin ..... 1
      What You Will Learn ..... 1
      Content ..... 1
      Document Conventions ..... 2
        Program Code Listings and Command Syntax ..... 3
        Notes ..... 3
        Demonstrations and Labs ..... 4
        Tables and Figures ..... 4
        Workbook Section and Slide Numbering ..... 4
        Instructor Notes ..... 4
    1. Troubleshooting Security Problems ..... 5
      Before You Begin ..... 5
      What You Will Learn ..... 5
      Overview of Security ..... 5
        What Are Groups? ..... 7
          Group Types ..... 9
          AdminSDHolder and Protected Groups ..... 9
        What Are Access Control Lists? ..... 10
        What Are Access Control Entries? ..... 11
        Types of Permissions ..... 11
          Inherited Permissions ..... 11
          Explicit Permissions ..... 13
        Active Directory Permissions ..... 15
          Exception to the Implicit/Explicit Permissions Rules with AD Permissions ..... 15
          Overview of Delegation of Control ..... 16
        Registry Permissions ..... 16
        NTFS Permissions and Share Permissions ..... 17
        Moving Versus Copying Files - How it Affects Permissions ..... 17
        Resetting Permissions ..... 18
      Implementing Security Policies ..... 19
        User Right Assignments ..... 20
        Audit Policies ..... 20
        Using Security Templates ..... 20
        Using Secedit - Secedit.exe ..... 21
        Using Security and Configuration Manager ..... 22
      Using Utilities to Troubleshoot Security Problems ..... 22
        Using Xcopy ..... 22
        Using Dsacls ..... 23
        Using Subinacl ..... 23
        Using TokenGroups.vbs ..... 24
        Using ADtoken ..... 24
      Troubleshooting Security Problems ..... 24
        Auditing ..... 25
        Common Problems with Security ..... 26
        How to Resolve Common Security Problems ..... 26
      Examining Security Changes ..... 26
        New User Rights/Privileges ..... 27

      LAB 1: Troubleshooting Security Problems ..... 27
      Resources ..... 28
      Summary ..... 28
    2. Troubleshooting Trust Problems ..... 29
      Before You Begin ..... 29
      What You Will Learn ..... 29
      Reviewing Trusts ..... 29
        Why the Need for Trust Relationships? ..... 30
        Types of Trusts ..... 30
          Default Trusts ..... 30
          Other Trusts ..... 31
        Secure Channels ..... 32
        Authentication Protocols ..... 32
          NTLM ..... 33
          Kerberos Version 5 Protocol ..... 33
        Trusted Domain Object ..... 34
      Creating Trust Relationships ..... 35
        Requirements for Creating Trusts ..... 36
        How to Create Trust Relationships between Windows Server 2003 or Windows 2000 and Windows NT 4.0 ..... 36
        How to Create Trust Relationships between Windows Server 2003 and Windows 2000 ..... 37
        How to Create Trust Relationships between Windows Server 2003 and Windows Server 2003 ..... 38
      Using Utilities to Troubleshoot Trust Relationships Problems ..... 40
        Using PortQuery ..... 40
        Using Netdom ..... 42
        Using NLTest ..... 43
        Using Netmon ..... 43
        Using ADSIEdit ..... 44
        Using Ntdsutil ..... 44
      Troubleshooting Trust Problems ..... 44
        Examining Common Problems with Trusts ..... 44
        Common Name Resolution Problems ..... 45
        Common Connectivity Problems ..... 45
        Common Security Settings Problems ..... 45
          User Rights ..... 47
          Security Settings ..... 47
        How to Resolve Trust Problems ..... 51
          Additional Information ..... 52
      LAB 2: Troubleshooting Trust Problems ..... 53
      Resources ..... 53
      Summary ..... 53
    3. Troubleshooting Group Policy Problems ..... 55
      Before You Begin ..... 55
      What You Will Learn ..... 55
      What Is a Group Policy? ..... 55
        What Is a Local Group Policy? ..... 56
        Differences Between Windows NT 4.0 Policy and Windows Server 2000 Group Policy ..... 56
          Disadvantages of System Policies ..... 56

          Advantages of Windows 2000 Group Policies ..... 56
        Active Directory Structure and Group Policy ..... 57
        What Is the Order of Group Policy Application? ..... 57
        Where Are GPOs Stored? ..... 59
          Group Policy Container ..... 59
          Group Policy Template ..... 60
        What Are Client-Side Extensions? ..... 60
      Creating Group Policy ..... 61
        Creating a Group Policy Object (GPO) ..... 61
        Editing a GPO ..... 62
        Linking a GPO ..... 62
        What Is User Group Policy Loopback Mode? ..... 63
      Using Group Policy Core Troubleshooting Tools ..... 63
        Using Resultant GP Tools ..... 64
          GPResult.exe ..... 64
            Interpreting GPResult Output ..... 64
              User Output ..... 64
              Administrative Templates (Registry-Based Policy) ..... 65
              Folder Redirection ..... 67
              Scripts ..... 68
              Application Management ..... 68
              Other Group Policy Extensions ..... 70
              Computer Output ..... 70
              Security Privileges ..... 72
            GPResult Win2K Reskit ..... 73
              Win2K GPResult - Syntax ..... 73
              WinXP GPResult Syntax ..... 73
          Using Help and Support Center (HSC) RSoP Report ..... 74
          Using RSoP Snap-in ..... 75
        Using Group Policy Verification Tool ..... 78
        Using User Environment Debug Logging ..... 79
        Using Group Policy Editor Debug Logging ..... 79
        Using GPText Debug Logging ..... 80
        Considerations for Group Policy Core Troubleshooting ..... 81
      Troubleshooting Group Policy Settings Problems ..... 81
        Identifying and Resolving Group Policy Settings Problems ..... 81
          Were You Authenticated by a DC? ..... 81
          Can You Access Sysvol? ..... 82
          Check ACLs on GPO ..... 83
          Check GPO and OU Properties ..... 83
          What Is the Replication Status of the GPO? ..... 83
        Troubleshooting Client Side Extension Problems ..... 84
          Registry-Based Settings in Windows 2000 Policy ..... 84
          Troubleshooting the Registry Client-Side Extension ..... 84
          Troubleshooting Scripts CSE ..... 85
            Script Storage - SYSVOL ..... 85
            Script Storage - Local GPO ..... 86
            Typical Scripts CSE Process Errors ..... 86
              Hung Scripts ..... 86
          Troubleshooting Security CSE Issues ..... 87
            Enabling SCECLI Debug Logging ..... 87
            Security CSE Process ..... 88

            Common Security CSE Events ..... 88
          Troubleshooting Folder Redirection CSE ..... 89
            Troubleshooting Common Folder Redirection Issues ..... 89
          Troubleshooting Software Installation CSE ..... 89
            Gathering Troubleshooting Information ..... 90
              Verbose Logging ..... 90
              Windows Installer Verbose Logging ..... 90
      Repairing Default Policies ..... 91
        Recreating Default Policies ..... 92
      LAB 3: Troubleshooting Group Policy Problems ..... 92
      Resources ..... 93
      Summary ..... 93
    4. Troubleshooting User Profile Problems ..... 95
      Before You Begin ..... 95
      What You Will Learn ..... 95
      User Profile Overview ..... 95
        User Profile Options ..... 95
        Settings Saved in a User Profile ..... 96
        Advantages of User Profiles ..... 97
      Types of User Profiles ..... 97
        Local Profiles ..... 97
          Stored Location of Local Profiles ..... 98
          New Users ..... 98
          To Copy a User Profile ..... 99
          To Delete a User Profile ..... 99
        Roaming Profiles ..... 99
          Computer Configuration for Profiles in Group Policy ..... 100
            Delete Cached Copies of Roaming Profiles ..... 100
            Do Not Detect Slow Network Connections ..... 101
            Slow Network Connection Timeout for User Profiles ..... 101
            Wait for Remote User Profile ..... 101
            Prompt User When Slow Link Is Detected ..... 101
            Log Users Off When Roaming Profile Fails ..... 102
          User Configuration for Profiles in Group Policy ..... 102
            Connect Home Directory to Root of the Share ..... 102
            Exclude Directories in Roaming Profile ..... 103
            Limiting Profile Size ..... 103
          Slow Link Effects on Roaming User Profiles ..... 104
          Profile Availability ..... 105
            Multiple User Accounts ..... 105
            Creating a Roaming Profile ..... 106
            Switching Between Roaming and Local User Profile ..... 108
            Add a Home Directory to a User Profile ..... 108
        Mandatory Profiles ..... 108
          Mandatory Profile Benefits ..... 109
          Creating a Mandatory User Profile ..... 109
          Assigning a Roaming Mandatory User Profile ..... 109
          NTUser.dat / NTUser.man ..... 110
      Common Causes of User Profile Problems ..... 110
      Troubleshooting User Profile Loading and Unloading Problems ..... 111

      Using Utilities for Troubleshooting Problems with User Profiles ..... 111
        Userenv Logging ..... 111
        UPHclean ..... 112
        Leaktrackdump and DBGview ..... 113
      LAB 4: Troubleshooting Common Problems with User Profiles ..... 113
      Resources ..... 114
      Summary ..... 114
    5. Troubleshooting Account Lockout Problems ..... 115
      Before You Begin ..... 115
      What You Will Learn ..... 115
      Examining Password Policies ..... 115
        Enforce Password History ..... 116
        Maximum Password Age ..... 116
          Common Issue with Maximum Password Age ..... 116
        Minimum Password Age ..... 117
        Minimum Password Length ..... 117
        Password Must Meet Complexity Requirements ..... 117
        Store Passwords Using Reversible Encryption ..... 118
      Examining Account Lockout Policy ..... 118
        Account Lockout Duration ..... 118
        Account Lockout Threshold ..... 119
        Reset Account Lockout Counter ..... 119
      Examining Types of Attacks on a Domain ..... 119
        Dictionary Versus Brute Force ..... 120
      Examining Domain Controller Behavior ..... 120
        How Domain Controllers Verify Passwords ..... 120
        Replication Triggers ..... 121
        Kerberos Negative Caching ..... 121
        New Features in the Windows Server 2003 Family ..... 121
          Computers Running Windows Server 2003 that Act as Network Servers as well as 2000 SP 4 ..... 121
      Troubleshooting Account Lockout Problems ..... 121
        Recommended Service Packs and Hotfixes ..... 121
        Common Causes for Account Lockouts ..... 121
        Other Potential Issues ..... 121
        Maintaining and Monitoring Account Lockout ..... 121
          Enable Auditing at the Domain Level and Domain Controllers OU ..... 121
            Windows 2000 and Windows Server 2003 Domains ..... 121
          Netlogon Logging ..... 121
          Kerberos Logging ..... 121
          Event and Netlogon Log Retrieval ..... 121
          Analyzing Log File Information ..... 121
            Analyzing Netlogon Log Files ..... 121
              Transitive Network Logon (Pass-Through Authentication) ..... 121
              Netlogon Log File Error Codes ..... 121
            Analyzing Event Logs ..... 121
      Using Account Lockout Tools ..... 121
        The Lockoutstatus.exe Tool ..... 121
        The Alockout.dll Tool ..... 121
        The Aloinfo.exe Tool ..... 121
        The Acctinfo.dll Tool ..... 121

  • Table of Contents

    vi Supporting Windows Operating Systems: Directory Services New Hire Week 3 MICROSOFT CONFIDENTIAL - For Internal Use Only 2005 Microsoft Corporation. All rights reserved.

        The EventcombMT.exe Tool .... 121
        The Nlparse.exe Tool .... 121
        The Findstr.exe Tool .... 121
        The Windows Logon Monitor V1.0 Tool .... 121
        Event Log Samples .... 121
      Using Excel to Go Through Logs .... 121
    LAB 5: Troubleshooting Account Lockout Problems .... 121
    Resources .... 121
    Summary .... 121

    6. Troubleshooting Logon Failures .... 121
      Before You Begin .... 121
      What You Will Learn .... 121
      Differences Between Logon Failures and Account Lockouts .... 121
      The Logon Process .... 121
        Finding a Domain Controller Required for Logon .... 121
          Cross Forest Logon .... 121
          WINS Records .... 121
          DNS SRV Records .... 121
        Domain Controller from Last Validation Cached by Netlogon .... 121
        Cached Credentials .... 121
      Examining Error Messages .... 121
      Examining General Causes of Logon Failures .... 121
        Lack of Name Resolution to Resolve a Domain Controller .... 121
        Connectivity Issues .... 121
        Third Party Applications or Services .... 121
        Other Possible Causes .... 121
      Examining Security Causes of Logon Failures .... 121
        GPO Settings .... 121
        SMB Signing .... 121
        Crashonauditfail .... 121
        Restrictanonymous .... 121
        Lmcompatibilitylevel .... 121
        Pre-Windows 2000 Compatible Permissions .... 121
      Troubleshooting Logon Failures .... 121
        Gathering Information .... 121
          What Does the Error Message Point To? .... 121
          What Is Common Among Affected Users? .... 121
          Is the Problem Computer or User Specific? .... 121
          What Are the Recent Changes to a Network? .... 121
          What Are the Service Pack Levels on Domain Controllers and Clients? .... 121
        Analyzing Gathered Information .... 121
      Using Utilities for Troubleshooting Logon Failures .... 121
        Using Runas .... 121
        Using Kerbtray and Klist .... 121
        Taking Traces .... 121
      LAB 6: Troubleshooting Logon Failures .... 121
      Resources .... 121
      Summary .... 121

    7. Troubleshooting EFS Problems .... 121
      Before You Begin .... 121
      What You Will Learn .... 121


      Overview of EFS .... 121
        What Is EFS? .... 121
        The Encryption Process .... 121
          Structure of an Encrypted File .... 121
          The Encryption Process .... 121
        The Decryption Process .... 121
        The Recovery Process .... 121
      Examining Results of Selecting Different Options .... 121
        Results of Apply Changes to this folder only versus Apply Changes to this folder, subfolders and files .... 121
        Adding Additional Users .... 121
      Examining Public and Private Keys .... 121
      Moving and Copying Encrypted Files and Folders .... 121
      Examining Local Encryption and Encryption on Remote Servers .... 121
        Trusted for Delegation .... 121
        Certificates Available .... 121
          Is the Certificate Valid? .... 121
        Recovery Agents .... 121
          Using Available Recovery Agents .... 121
          Adding New Recovery Agents .... 121
      Examining EFS Limitations .... 121
      Recommended Practices .... 121
      Using Utilities for Troubleshooting EFS Problems .... 121
        Using Efsinfo .... 121
        Using SecPol.msc .... 121
        Using Cipher .... 121
      Troubleshooting EFS Problems .... 121
        Common Problems with EFS .... 121
        How to Resolve Common EFS Problems .... 121
      New Features in Windows 2003 .... 121
      LAB 7: Troubleshooting EFS Problems .... 121
      Resources .... 121
      Summary .... 121

    Appendix A: Privileges and Logon Rights .... 121
      Privileges .... 121
      Logon Rights .... 121

    Tables
    Table 1. Note Icons .... 3
    Table 2. Demonstration and Lab Icons .... 4
    Table 3. Group Scopes - Behaviors .... 8
    Table 4. Default Trusts .... 31
    Table 5. Other Trusts .... 31
    Table 6. Ports Required for Trusts .... 40
    Table 7. Client Side Extensions .... 61
    Table 8. User Profile Settings .... 96
    Table 9. Netlogon Log Error Codes .... 121
    Table 10. Group Policy Settings Associated with Interactive Logon .... 121
    Table 11. RestrictAnonymous Settings .... 121
    Table 12. Tickets .... 121
    Table 13. TGT .... 121
    Table 14. User Privileges .... 121
    Table 15. Logon Rights .... 121
    Table 16. Default Settings for Security Options Policies .... 121

    Figures
    Figure 1. Slide Number Paragraphs .... 4
    Figure 2. Relationship of Security Descriptors and ACLs to Authorization and Access Control Components .... 6
    Figure 3. Permission Entries on Public Folder (Owner: Administrators) .... 12
    Figure 4. Permission Entries on Engineering Data Folder (Owner: Alice) .... 13
    Figure 5. Modified Permission Entries on Engineering Data Folder .... 14
    Figure 6. The Delegation of Control Wizard .... 16
    Figure 7. External Trust Between a Windows NT 4.0 Domain and a Windows Server 2003 Forest Child Domain .... 36
    Figure 8. External Trusts Between a Windows Server 2003 Forest and a Windows 2000 Forest .... 37
    Figure 9. Two Forest Trusts Between Three Windows Server 2003 Forests .... 39
    Figure 10. Group Policy Inheritance .... 57
    Figure 11. Policy Filtering Using Security Groups .... 58
    Figure 12. GPO Storage Locations .... 59
    Figure 13. Extensible Group Policy Framework .... 60
    Figure 14. Group Policy Object Editor .... 62
    Figure 15. RSoP Results .... 75
    Figure 16. Choosing a Target User in the RSoP Wizard .... 76
    Figure 17. RSoP Results .... 77
    Figure 18. Viewing Enabled Policies in RSoP Results .... 77
    Figure 19. RSoP Snap-In User Interface .... 78
    Figure 20. Local Profile .... 97
    Figure 21. Roaming Profile .... 100
    Figure 22. Group Policy Dialog Box .... 100
    Figure 23. Group Policy Dialog Box .... 102
    Figure 24. Link Effects on Roaming User Profiles .... 104
    Figure 25. Profile Tab .... 106
    Figure 26. User Profiles Tab .... 107
    Figure 27. Mandatory Profile .... 109
    Figure 28. Steps That Occur When a Logon Does Not Work .... 120
    Figure 29. DCs Having badpwdcount .... 121
    Figure 30. user1 Properties Dialog Box .... 121
    Figure 31. EventCombMT Tool .... 121
    Figure 32. Nlparse.exe Tool .... 121
    Figure 33. Event Logged When Using MMC to Check Services on a Remote Computer .... 121
    Figure 34. Event Logged When Using Telnet to Connect to a Server That Requires NTLM Authentication .... 121
    Figure 35. Sorted by Event 681, a User Named jz9nz1 With Error Code 3221225578 .... 121
    Figure 36. The Logon Process .... 121
    Figure 37. Structure of an Encrypted File .... 121
    Figure 38. EFS Encryption with a DRA .... 121
    Figure 39. EFS Decryption .... 121
    Figure 40. EFS File Recovery .... 121
    Figure 41. Confirm Attribute Changes Dialog Box .... 121
    Figure 42. Encryption Details Dialog Box .... 121
    Figure 43. The Certificates Console .... 121
    Figure 44. The Certificates Console .... 121


    About This Course Week 3

    This week's content continues to focus on the core components: security, trusts, Group Policy, profiles, logons, and EFS. A good working knowledge of these areas is expected from every Support Engineer.

    Audience This course is intended for Microsoft Support Professionals.

    Before You Begin

    1

    Before starting this course, you should:

    Have successfully completed the previous modules in this course.

    Understand the concepts discussed and examined in the previous modules.

    What You Will Learn

    2

    After completing this course, you will be able to understand and troubleshoot problems related to:

    Security

    Trusts

    Group Policy

    User Profiles

    Account Lockouts

    Logon Failures

    EFS

    Content

    3

    Course materials include the following presentations and a Workbook that contains supplemental reference information:

    1. Troubleshooting Security Problems The Microsoft Windows 2000 operating system protects files, applications, and other resources from unauthorized use. Although you might already know how to use tools to assign privileges or set permissions, understanding what privileges and permissions really are, why they are necessary, and how they function can help you manage shared resources effectively. Understanding these processes can also help you avoid unnecessary risks and troubleshoot any problems you might encounter.


    2. Troubleshooting Trust Problems Trust technology is the foundation for the security architecture in Microsoft Windows 2000 and Windows Server 2003 networks using the Active Directory service. Trusts enable network administrators to implement an authentication and authorization strategy for sharing resources across domains or forests and provide a mechanism for centralizing management of multiple domains and forests.

    3. Troubleshooting Group Policy Problems This session discusses how to troubleshoot Group Policy problems. To begin with, you will learn about the purposes and components of Group Policy. Next, you will learn how to create, edit, and link Group Policy objects. In addition, you will learn about the core Group Policy troubleshooting tools and the considerations for core Group Policy troubleshooting. Then, you will learn how to troubleshoot problems with Group Policy settings and Client Side Extensions. Finally, you will learn how to repair the two default policies (Default Domain Policy and Default Domain Controllers Policy).

    4. Troubleshooting User Profile Problems This session explains what user profiles are and the problems that can occur when they are loaded and unloaded. It also explains how to troubleshoot user profile problems.

    5. Troubleshooting Account Lockout Problems Account lockout policy disables a user account when an incorrect password is entered for it a specified number of times within a specified period. These settings make it harder for an attacker to guess users' passwords and so decrease the likelihood of a successful password-guessing attack on the network. Before enabling an account lockout policy, realize that it can also lock authorized users out of their accounts unintentionally, for example when a service or a mapped drive keeps retrying a password that has since been changed, and that anyone who can submit bad passwords for an account can use the policy to lock that account deliberately.

    6. Troubleshooting Logon Failures Troubleshooting logon failures comes down to troubleshooting authentication. This session explains how to troubleshoot logon failures.

    7. Troubleshooting EFS Problems EFS provides the core file encryption technology for storing files on NTFS file system volumes. When files are encrypted, the data in them is protected even if an attacker gains full access to the disk, for example by stealing the computer or booting another operating system to read the volume offline. EFS does not protect the data from anyone who can log on as a user who holds a key for the file, and a lost private key with no recovery agent means the data cannot be recovered. This session explains how to troubleshoot EFS problems.

    Document Conventions The following conventions are used in all course materials:

    Acronyms appear in all uppercase letters.

    Names of files appear in all uppercase letters, except when you are to type them directly in a command statement. Unless otherwise indicated, you can use all lowercase letters when you type a filename in a dialog or at a command prompt.

    Filename extensions without a filename appear in all lower-case letters.

    Book titles appear in Italic.

    Other document conventions are described below.


    Program Code Listings and Command Syntax Program code listings, entries typed at a command prompt or in scripts or initialization files, and text mode or command output text appear in Monospace type. Program code listings and descriptive comments are formatted as shown in the following example. The ellipsis (...) on the last line indicates a partial listing.

        C:\%systemroot%>dir /ad
         Volume in drive C is Main
         Volume Serial Number is 000A-BCDE

         Directory of C:\%systemroot%

        12/19/2004  11:56 AM    <DIR>          .
        12/19/2004  11:56 AM    <DIR>          ..
        07/07/2003  06:57 AM    <DIR>          addins
        11/17/2004  02:45 PM    <DIR>          Application Compatibility Scripts
        11/17/2004  02:47 PM    <DIR>          AppPatch
        11/17/2004  02:42 PM    <DIR>          Cache
        ...

    The variable %systemroot% refers to the drive and directory where the Microsoft Windows operating system is installed.

    Command syntax statements are formatted as shown below:

    command {parameter1, parameter2, title} [option1 | option2]

    Type command statement elements that appear in Bold exactly as they appear in the example, including quotation marks.

    Italic in command syntax statements indicates placeholders for variable information.

    Braces ({ }) enclose required items as shown by {parameter1, parameter2, title} in the example. Commas separate multiple items. Do not type the braces.

    Square brackets ([ ]) enclose optional items as shown by [option1 | option2] in the example. Pipe symbols (|) indicate alternate choices. Do not type the brackets.

    Notes Left margin icons and labels call attention to key information as described in Table 1.

    Table 1. Note Icons

    Icon Label Description

    Note Provides supplemental information such as related actions or results

    Tip Suggests alternate methods of performing tasks

    Important Provides information that is essential to completing a task

    CAUTION Warns about possible loss of data or other undesirable results


    Demonstrations and Labs Header icons call attention to demonstrations and lab exercises as shown in Table 2.

    Table 2. Demonstration and Lab Icons

    Icon Description

    Indicates a demonstration to be performed by the Instructor or presented in multimedia format

    Indicates lab exercises to be performed by the Participant using detailed instructions in Lab Manual

    Tables and Figures To help you find key information quickly, each table and figure is preceded by a caption. Captions are numbered sequentially throughout course documents and are listed in the Tables and Figures sections of the course document Table of Contents.

    Workbook Section and Slide Numbering Course module titles are numbered sequentially (for example, 1. Session Title). Presentation slides are numbered in the lower left corner. The first slide and the last slide do not display slide numbers.

    Workbook sections include two types of slide number paragraphs as shown in Figure 1 to identify corresponding slides in the presentation.

    Figure 1. Slide Number Paragraphs

    Note Each presentation slide corresponds to a workbook section. However, workbook sections that include supplemental information may not be referenced on corresponding presentation slides.

    Instructor Notes Superscript numbers in workbook and lab manual paragraphs reference numbered paragraphs in the Instructor Notes section that contain information to assist in course delivery. This section is only included in the Instructor versions of the Workbook and Lab Manual.


    1. Troubleshooting Security Problems

    The Microsoft Windows 2000 operating system protects files, applications, and other resources from unauthorized use. Although you might already know how to use tools to assign privileges or set permissions, understanding what privileges and permissions really are, why they are necessary, and how they function can help you manage shared resources effectively. Understanding these processes can also help you avoid unnecessary risks and troubleshoot any problems you might encounter.

    Before You Begin

    1

    Before starting this session, you should be familiar with:

    Using Active Directory Users and Computers for viewing Active Directory objects.

    The general concept of groups for managing users.

    The GUI for setting permissions on Files and Folders.

    What You Will Learn

    2

    After completing this session, you will be able to:

    • Explain the basic concepts related to Security.
    • Explain how to reset permissions.
    • Explain the different utilities used to implement and troubleshoot security policies.
    • Explain how to troubleshoot common problems with security.
    • Identify the security changes from Windows NT 4.0 to Windows Server 2003.

    Overview of Security

    3

    The details of how access control works are quite complex, but the big picture is fairly simple: Subjects act on objects. In the sentence, "Alice opens the file," Alice is the subject, or the agent of an action; opens is the action; and the file is the object. The grammar is similar in Windows 2000.

    However, there are some important differences. When you say, "Alice opens the file," you know that it is not really Alice who opens the file; it is done by a program. To be more precise, the program runs as a process with threads of execution. It is actually one of those threads that opens the file. Threads are the only real agents of action on a computer. In the grammar of access control, the subject is always a thread.


    In order for a thread to gain access to an object, it must identify itself to the operating system's security subsystem. A thread does not have a security identity, so it must borrow one from a security principal, such as Alice. When Alice logs on, her security identity is encapsulated in an access token that is associated with her logon session. When Alice starts an application, it runs as a process within her logon session. The application process and each of its threads of execution receive copies of Alice's access token. When one of the application's threads needs to open a file, the thread identifies itself as Alice's agent by presenting her access token. Thus, responsibility for anything that the thread does to the file on Alice's behalf is charged to Alice. The same applies when a user accesses a service or file remotely: a token is built for that user and attached to the user's actions for the duration of the session.

    Before allowing the thread of execution to proceed, the operating system performs an access check to determine whether the security principal associated with the thread is authorized the level of access that the thread has requested. An access check compares information in the thread's access token with information in the object's security descriptor:

    • The access token contains a SID that identifies the user and SIDs that identify the groups whose members include the user.

    • The object's security descriptor contains a list of access control entries (ACEs) that specify the access rights that are allowed or denied to particular users' or groups' SIDs.

    The security subsystem checks the object's security descriptor, looking for ACEs that apply to the user and group SIDs in the subject's access token. The system examines each ACE in order until it finds one that either allows or denies access to the user or one of the user's groups, or until there are no more ACEs to check. If there is more than one ACE that applies to the user, the result is cumulative. If the access check reaches the end of the DACL and the desired access is still not explicitly allowed or denied, the security subsystem denies access.

    Figure 2. Relationship of Security Descriptors and ACLs to Authorization and Access Control Components


    4

    The Windows 2000 Server and Windows Server 2003 security infrastructure consists of the following components:

    Logon and Authentication Technologies Logon and authentication technologies include a variety of protocols, including Kerberos version 5 authentication, NTLM, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and Digest; as well as features such as Stored User Names and Passwords that enable single sign-on (SSO) and reduced sign-on (RSO).

    Authorization and Access Control Technologies The ACL-based impersonation model and a new roles-based protected subsystem model enable extremely flexible and manageable authorization and access control strategies.

    Data Security Technologies Encrypting File System (EFS), Internet Protocol security (IPSec), system key utility (Syskey), and Routing and Remote Access Services (RRAS) provide additional security for data under a variety of special circumstances.

    Group Policy Technologies Group Policy options that can enhance security management include security policy and software restriction policies.

    Trust Technologies Trusts can be established between domains and across forests to improve security and business processes for complex organizations.

    Public Key Infrastructure (PKI) Technologies Certificates, Certificate Services, and certificate policy-enabled qualified subordination can be used to support a variety of application-specific security solutions.

    Each of these sets of technologies can be used in conjunction with the other sets of technologies, such as networking and storage, to enable secure network-enabled business processes.

    This session focuses on access control technologies.

    What Are Groups?

    5

    Group accounts are used to manage privileges for multiple users. Global group accounts, for domain use, are created in Active Directory Users and Computers, while local group accounts, for local system use, are created in Local Users and Groups. Generally, group accounts are created to facilitate the management of similar types of users in accessing objects.

    Each security and distribution group has a scope that identifies the extent to which the group is applied in the domain tree or forest. There are three different scopes: universal, global, and domain local.

    Groups with universal scope can have as their members groups and accounts from any Windows 2000/2003 domain in the domain tree or forest and can be granted permissions in any domain in the domain tree or forest. Groups with universal scope are referred to as universal groups.

    Groups with global scope can have as their members groups and accounts only from the domain in which the group is defined and can be granted permissions in any domain in the forest. Groups with a global scope are referred to as global groups.


    Groups with domain local scope can have as their members groups and accounts from a Windows 2000/2003 or Windows NT domain and can be used to grant permissions only within a domain. Groups with a domain local scope are referred to as domain local groups.

    In the case of multiple forests, users defined in only one forest cannot be placed into groups defined in another forest, and groups defined in only one forest cannot be assigned permissions in another forest.

    The following table summarizes the behaviors of the different group scopes.

    Table 3. Group Scopes - Behaviors

    Universal scope
    • Membership (native-mode domains): accounts from any domain, global groups from any domain, and universal groups from any domain.
    • Mixed-mode domains: security groups with universal scope cannot be created.
    • Nesting and permissions: can be put into other groups (when the domain is in native mode) and assigned permissions in any domain.
    • Conversion: cannot be converted to any other group scope.

    Global scope
    • Membership (native-mode domains): accounts from the same domain and global groups from the same domain.
    • Membership (mixed-mode domains): accounts from the same domain.
    • Nesting and permissions: can be put into other groups and assigned permissions in any domain.
    • Conversion: can be converted to universal scope, as long as it is not a member of any other group having global scope.

    Domain local scope
    • Membership (native-mode domains): accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.
    • Membership (mixed-mode domains): accounts and global groups from any domain.
    • Nesting and permissions: can be put into other domain local groups and assigned permissions only in the same domain.
    • Conversion: can be converted to universal scope, as long as it does not have as its member another group having domain local scope.

    When creating a new group, by default, the new group is configured as a security group with global scope regardless of the current domain mode. Changing a group scope can be accomplished by the following allowed conversions:

    Global to Universal This is only allowed if the group is not a member of another group having global scope.

    Domain Local to Universal The group being converted cannot have as its member another group having domain local scope.

    Note Changing a group scope is not allowed in mixed-mode domains. Note that mixed-mode domains are not part of the evaluated configuration.


    Group Types

    6

    There are two types of groups in Windows 2000:

    Security Groups Security groups are listed in discretionary access control lists (DACLs) that define permissions on resources and objects. Security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.

    Distribution Groups Distribution groups are not security-enabled. They cannot be listed in DACLs. Distribution groups can be used only with e-mail applications (such as Exchange), to send e-mail to collections of users.

    Note Although a contact can be added to a security group as well as to a distribution group, contacts cannot be assigned rights and permissions. Contacts in a group can be sent e-mail.

    Experience shows that using the approach described below will help you achieve maximum flexibility, scalability, and ease of administration when managing security groups. Using Account (global) groups and Resource (local) groups in the way described here lets you use groups to mirror your organization's functional structure.

    • Put users into security groups with global scope. A global group can usually be thought of as an Accounts group, that is, a group that contains user accounts.
    • Put resources into security groups with domain local (or machine local) scope. A local group can usually be thought of as a Resource group, that is, a group to which you assign permissions to access a resource.
    • Put a global group into any domain local (or machine local) group in the forest (this is especially efficient when more than one domain is involved).
    • Assign permissions for accessing resources to the domain local (or machine local) groups that contain them.
    • Delegate administration of groups to the appropriate manager or group leader.

    AdminSDHolder and Protected Groups Active Directory uses a protection mechanism to make sure that ACLs are set correctly for members of sensitive groups. The mechanism runs once an hour on the PDC Emulator Operations Master. The operations master compares the ACL on the user accounts that are members of protected groups against the ACL on the following object, where you replace DC=,DC= in this path with the distinguished name (also known as DN) of your domain:

    CN=AdminSDHolder,CN=System,DC=,DC=


    If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the adminSDHolder object (and ACL inheritance is disabled). This process protects these accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit where a malicious user has been delegated administrative credentials to modify user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

    The following list describes the protected groups in Windows 2000:

    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators

    The following list describes the protected groups in Windows Server 2003 and in Windows 2000 Service Pack 4 or after you apply the 327825 hotfix:

    • Administrators
    • Account Operators
    • Server Operators
    • Print Operators
    • Backup Operators
    • Domain Admins
    • Schema Admins
    • Enterprise Admins
    • Cert Publishers

    Additionally the following users are also considered protected:

    • Administrator
    • Krbtgt
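    The protection pass described above, as an added model that is not part of the workbook: it expands protected-group membership (nested groups included), rewrites the ACL of each protected account to match AdminSDHolder with inheritance disabled, and, because removal from a protected group is never reversed automatically, lists accounts whose ACL still needs a manual reset. The group names are the ones listed above; the accounts, the stand-in ACL tuples and the nested "Helpdesk Leads" group are constructed for the example.

```python
"""Model of the AdminSDHolder protection pass described in the workbook: the
PDC emulator compares the ACL of each member of a protected group with the
ACL on CN=AdminSDHolder,CN=System,<domain DN> and overwrites any that differ,
disabling inheritance. Removing a user from a protected group does not undo
this, so stale_protection() reports accounts that need a manual reset.
Group names come from the workbook; accounts, DNs and ACLs are constructed."""
from dataclasses import dataclass

PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}
PROTECTED_USERS = {"Administrator", "Krbtgt"}

# Constructed stand-in for the AdminSDHolder DACL: (trustee, type, rights).
ADMINSDHOLDER_ACL = (
    ("Administrators", "allow", "Full Control"),
    ("SYSTEM", "allow", "Full Control"),
    ("Authenticated Users", "allow", "Read"),
)


@dataclass
class Account:
    name: str
    acl: tuple
    inherits_acl: bool = True   # True until the pass disables inheritance


def protected_members(groups):
    """Expand the protected groups transitively (nested groups count) into
    the set of user names, plus the two always-protected accounts."""
    users = set(PROTECTED_USERS)
    pending = [g for g in PROTECTED_GROUPS if g in groups]
    seen = set()
    while pending:
        g = pending.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups[g]:
            if m in groups:
                pending.append(m)   # nested group: expand it as well
            else:
                users.add(m)
    return users


def sdprop_pass(accounts, groups, holder_acl=ADMINSDHOLDER_ACL):
    """One run of the hourly pass; returns the names whose ACL it rewrote."""
    protected = protected_members(groups)
    changed = []
    for acct in accounts:
        if acct.name in protected and (acct.acl != holder_acl or acct.inherits_acl):
            acct.acl, acct.inherits_acl = holder_acl, False
            changed.append(acct.name)
    return changed


def stale_protection(accounts, groups, holder_acl=ADMINSDHOLDER_ACL):
    """Accounts still carrying the AdminSDHolder ACL with inheritance off
    although they are no longer members of any protected group."""
    protected = protected_members(groups)
    return [a.name for a in accounts
            if a.name not in protected
            and a.acl == holder_acl and not a.inherits_acl]


def make_demo():
    """Constructed domain: bob is protected only through a nested group,
    carol kept the AdminSDHolder ACL from an earlier membership."""
    groups = {
        "Domain Admins": {"alice", "Helpdesk Leads"},
        "Helpdesk Leads": {"bob"},
        "Sales": {"carol"},
    }
    ou_default = (("Sales Admins", "allow", "Full Control"),)
    accounts = [
        Account("alice", ou_default),
        Account("bob", ou_default),
        Account("carol", ADMINSDHOLDER_ACL, inherits_acl=False),
        Account("dave", ou_default),
    ]
    return accounts, groups
```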

    What Are Access Control Lists?

    7

    An access control list (ACL) is an ordered list of access control entries (ACEs) that define the protections that apply to an object and its properties. Each ACE identifies a security principal and specifies a set of access rights allowed, denied, or audited for that security principal.

    An object's security descriptor can contain two ACLs:

    • A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
    • A system access control list (SACL) that controls how access is audited


    You can use this access control model to individually secure objects such as files and folders on NTFS, Active Directory objects, registry keys, and printers, as well as devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.

    What Are Access Control Entries?

    8

    All ACEs include the following access control information:

    • A SID that identifies a user or group
    • An access mask that specifies access rights
    • A set of bit flags that determine whether child objects can inherit the ACE
    • A flag that indicates the type of ACE

    Types of Permissions

    9

    A permission is authorization to perform an operation on a specific object, such as a file. Permissions are granted by owners. If you own an object, you can grant any user or security group permission to do whatever you are authorized to do with it. This includes granting permission to take ownership.

    Tip Although you can give permissions to individual users, it is more efficient to give them to a security group. That way you can grant permission once to the group rather than several times to each individual. Every user added to a security group receives the permissions defined for that group.

    When permission to perform an operation is not explicitly granted, it is implicitly denied. For example, if Alice allows the Marketing group, and only the Marketing group, permission to read her file, users who are not members of the Marketing group are implicitly denied access. The operating system will not allow users who are not members of the Marketing group to read the file.

    Inherited Permissions Some objects can contain other objects. For example, an NTFS folder object can contain file objects and other folder objects. A registry key object can contain subkey objects. An Active Directory organizational unit (OU) object can contain other OU objects as well as user objects, group objects, and computer objects. Terminal objects contain Window Station objects that contain Desktop objects that contain Window objects. Any object that is contained by another object is called a child object. A child object's container is its parent object.

    Child objects can inherit access control information from their parent object. For example, suppose that the administrator for a server creates a file share with one folder, Public$. The administrator creates this folder so that users can have a place to store information that they want to share.


    With this purpose in mind, the administrator sets the permissions, which are implemented as ACEs, as shown in the following figure:

    Figure 3. Permission Entries on Public Folder (Owner: Administrators)

    None of the permissions that are listed in this figure were acquired through inheritance. This is because the administrator cleared the "Inherit from parent the permission entries that apply to child objects" check box. Clearing the check box sets the security descriptor control flag SE_DACL_PROTECTED, which protects a child object's DACL by blocking inheritance from the parent object's DACL.

    Permissions that are acquired through inheritance are called inherited permissions. Permissions that are not inherited, but are instead defined directly on an object, are called explicit permissions. One way to tell an explicit permission from an inherited permission is to select an entry in the Permission Entries list and read the text that is displayed after the list. In this figure, the second entry is selected, and the text after the list says This permission is defined directly on this object. In other words, the permission is explicit, not inherited.

    The text in this figure also says This permission is inherited by child objects. Permissions on a parent object that apply to child objects are called inheritable permissions. To see which of the permissions that are set on a parent object are inheritable, examine the Apply to column of Permission Entries. If Apply to says This object only (or, for folder objects, This folder only), the permission is not inherited by child objects. Of the four permissions that are shown in Figure 4, three are inheritable and one is not.


    To see how inheritable permissions become inherited permissions, suppose that Alice creates a subfolder in Public$. Alice is an engineer, so she names her folder Engineering Data. Because this new object is a child of Public$, its DACL inherits permissions from the DACL on Public$. The new object's permissions are shown in the following figure.

    Figure 4. Permission Entries on Engineering Data Folder (Owner: Alice)

    Note that Alice has not cleared the "Inherit from parent the permission entries that apply to child objects" check box, so inheritable permissions in the parent object's DACL are inherited by the child object's DACL. Inherited permissions are indicated in Permission Entries by a disabled (unavailable) symbol at the beginning of each entry. The permission is still effective; all that is disabled is the ability to modify the entry. Because inherited permissions are defined on a parent object, they can be changed only by modifying the parent object's DACL.

    Explicit Permissions Even though inherited permissions cannot be changed, the owner of a child object can add explicit permissions to the object's DACL. For example, suppose Alice decides that the inherited permissions given to Creator Owner are too restrictive because they allow only the user who creates a file to make changes to the file. She wants all members of the Engineering group to be able to edit and add information to the Engineering Data folder, so she explicitly gives this group Modify permission for all objects in the folder. Alice also feels that people in her company's marketing department will misuse information in Engineering Data, so she decides to explicitly deny the Marketing group full control of (and therefore all access to) the folder, subfolders, and files.


    The results of Alice's changes to the access control settings are shown in the following figure.

    Figure 5. Modified Permission Entries on Engineering Data Folder

    The list of permission entries in this figure now includes two explicit permissions, both with enabled symbols indicating that the entries can be edited. Note that explicit permissions appear at the top of the list. Permissions are listed in the order in which they will be processed during an access check. Because explicit permissions are listed before inherited permissions, they are processed first. The assumption is that the owner of a child object adds explicit permissions in order to qualify inherited permissions. For example, in this figure, an inherited permission allows Everyone to read the folder, subfolders, and files. Alice has added an explicit permission that denies all access to a subset of the group Everyone, the Marketing group. The explicit deny entry is placed before any inherited entries; therefore, it is processed before any inherited entries.

    What is new in Windows 2000 and later is inheritance after the time of creation. New or changed inheritable permissions in the DACL on a parent object are automatically propagated to existing child objects every time the DACL on the parent object changes. If Alice's folder were on a system running Windows 2000 or later, the entry denying Marketing permission to access the Engineering Data folder would be propagated to subfolders as soon as Alice clicked Apply in the Advanced Security Settings dialog box.

    Automatic propagation of inheritable permissions is a powerful capability because you can use it to change permissions on an entire tree of objects by changing permissions on the top-level object in the tree.


    The owner of a parent object can choose to overwrite explicit permissions that are defined on child objects. This is done by selecting the "Replace permission entries on all child objects with entries shown here that apply to child objects" check box in the Advanced Security Settings dialog box. When the owner of a parent object chooses this option, the propagation process removes explicit permissions from the DACLs on all child objects. It also sets the option "Inherit from parent the permission entries that apply to child objects" on all child objects, removing any protection from inheritance that might have been set by the objects' owners.
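    The access check walked through in the Overview (token SIDs against an ordered DACL, cumulative allows, implicit deny at the end) and the explicit-before-inherited ordering of Alice's Engineering Data folder, as an added simulation that is not part of the workbook. The access-right bits, the "S-1-5-21-X-…" domain SIDs and the folder's DACL are constructed for the example; the well-known SIDs for Everyone, Administrators and Creator Owner are the real ones.

```python
"""Simulated Windows DACL access check, following the rules in the workbook:
ACEs are evaluated in order, explicit entries ahead of inherited ones, allow
entries accumulate, a deny that matches any still-outstanding right denies,
and reaching the end of the DACL with rights outstanding is an implicit deny.
Access-right bits, domain SIDs and the folder DACL are constructed here."""
from dataclasses import dataclass

# Constructed access-right bits (a simplified stand-in for NTFS rights).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL = MODIFY | 0x10  # plus change-permissions/take-ownership, simplified


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str         # trustee SID: well-known, or a constructed placeholder
    mask: int        # rights this entry allows or denies
    inherited: bool  # True if acquired from the parent object's DACL


def canonical_order(dacl):
    """Order ACEs the way Permission Entries lists them and the access check
    processes them: explicit deny, explicit allow, then inherited entries
    (again deny before allow)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "allow"))


def access_check(token_sids, dacl, desired, canonical=True):
    """Return (granted, reason) for the rights in `desired`. With
    canonical=False the DACL is walked exactly as stored, which shows how a
    mis-ordered DACL lets an inherited allow pre-empt an explicit deny."""
    remaining = desired
    for ace in canonical_order(dacl) if canonical else dacl:
        if ace.sid not in token_sids:
            continue  # trustee is not in this access token; ACE does not apply
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, f"explicitly denied by ACE for {ace.sid}"
        else:
            remaining &= ~ace.mask  # allows are cumulative across ACEs
            if remaining == 0:
                return True, "all requested rights allowed"
    return False, "implicitly denied: end of DACL with rights outstanding"


# Constructed DACL for Alice's "Engineering Data" folder after her changes
# (the Figure 5 scenario), deliberately stored in non-canonical order.
ENGINEERING_DATA = [
    Ace("allow", "S-1-1-0", READ | EXECUTE, True),     # Everyone (inherited)
    Ace("allow", "S-1-5-32-544", FULL, True),          # Administrators
    Ace("allow", "S-1-3-0", FULL, True),               # Creator Owner
    Ace("allow", "S-1-5-21-X-1201", MODIFY, False),    # Engineering (explicit)
    Ace("deny", "S-1-5-21-X-1202", FULL, False),       # Marketing (explicit)
]

# Constructed access tokens: every domain user also carries the Everyone SID.
ENGINEER = {"S-1-5-21-X-1105", "S-1-1-0", "S-1-5-21-X-1201"}
MARKETER = {"S-1-5-21-X-1106", "S-1-1-0", "S-1-5-21-X-1202"}
VISITOR = {"S-1-5-21-X-1107", "S-1-1-0"}

if __name__ == "__main__":
    for who, token, want in [("engineer", ENGINEER, MODIFY),
                             ("marketer", MARKETER, READ),
                             ("visitor", VISITOR, READ),
                             ("visitor", VISITOR, WRITE)]:
        print(who, hex(want), access_check(token, ENGINEERING_DATA, want))
```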

    Active Directory Permissions

    10

    Now that the general concepts of security have been introduced, you will learn to apply them to specific object types. Open the security page for any Active Directory object and you should see the following standard object access rights or permissions:

    • Full Control Has full control of the object.
    • Read Can read the properties of the object.
    • Write Can modify the properties of the object.
    • Create All Child Objects This permission is necessary on the object type of the parent container. A security principal could, for example, have the right to create users, but not computers, within a given OU.
    • Delete All Child Objects This permission is necessary on the object type of the parent container.

    These standard permissions are fairly straightforward. One exception is the intended functioning of Write when you attempt to modify several properties of the object and do not have Write permission on all