The SysAdmin Network

No more hiding in the server room

Add a new computer object and secure it using a dedicated GPO

There are still many server environments around where it seems to be normal that each and everyone from the IT department acts as a domain administrator. Mostly this is tolerated because of the simplicity of server management. The same is true for a lot of service accounts which are being used on server side.This way the application administrator doesn't have to worry about any access rights locally and within the Active Directory infrastructure.

The easiest way to reduce the domain rights is to add the accounts of the server administrator or the application administrator to the local security group of Local Adminstrators. The same can be done for service accounts being used by installed applications. This manual and local apporach isn't really fail-safe and tends to be time consuming.

A much easier approach is the use of domain security groups which have the required administrative accounts as members. The following article describes how to utilize GPOs and Powershell to use domain security groups for local administrators and remote desktop users and to remove manually added accounts from the local security groups on the server. Using this approach the local administrators can be managed with from Active Directory and locallay added accounts aren't a security risk anymore.

As mentioned above the GPO configures the security group of remote desktop users as well. Employees responsible for application management need the possibility to connect to a server using RDP, but do not need administrarive permissions on ther server implicitly.

The following steps are needed, if you want to create new computer objects:

  1. Add two new security groups
    We will create two new security groups in Active Directory, which will be used as a group placeholder in the GPO template.
  2. Add a new Group Policy Object
    We will create a new GPO, which will be the base template and copy source for each server specific GPO.
  3. Powershell Script Add-Computer.ps1
    The script will create a new organizational unit, creates a new computer object, creates two new security groups, copies the GPO template and links the GPO to the newly created OU.

The modified script for creating the required objects for exisiting computer objects will be described in a second article.

 

Note:
The Powershell script requires the ActiveRoles Management Shell for Active Directory from Quest.

 

Use the Active Directory Users and Computers MMC to create two new domain local security groups within an OU container of your choice:

  • Name: ADM_RemoteDesktopUsersTemplate
    Group Scope: Domain Local
    Group Type: Security
  • Name: ADM_LocalAdministratorsTemplate
    Group Scope: Domain Local
    Group Type: Security

The two security groups will be used as a placeholder only. Therefore they should be disabled after the GPO template has been created. When the template is being copied (backed up and restored, to be exact), the groups will be replace by the correct security groups for the server.

 

Create a new GPO

Open the Group Policy Management Console and create a new GPO:

  • GPO Name: ADM Server Master Template 

Edit the just created GPO and open the node Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups:

Add a new local group using the nodes context menu:

Configure the new local group for Administrators:

  • Action: Update
    Group Name: Administrators (built-in)
    Delete all member users: Aktivated
    Members: ADM_LocalAdministratorsTemplate (use the Add button to add the security group)

Click OK and add a new local group for remote desktop users:

  • Action: Update
    Group Name: Remote Desktop Users (built-in)
    Delete all member uses: Aktiv 
    Members: ADM_RemoteDesktopUsersTemplate (use the Add button to add the security group)

That's all for the GPO template. Just close the Group Policy Management Console.


Powershell Script Add-Computer.ps1

Usage: Add-Computer.ps1 SERVERNAME



  1. # Add-Computer.ps1  
  2. # -----------------------------------------------  
  3. # Create a new computer object in a new computer specific  
  4. # OU which will be created as a child of a configured base OU.  
  5. # Two new security groups will be created and added to the newly created OU.  
  6. # A new GPO will be created from a GPO template and linked to the new computer OU.  
  7.   
  8. # Fetch comand line parameters first  
  9. Param([string]$servername="")  
  10.   
  11. # Get date and time for script start  
  12. $dateScriptStart = Get-Date -Format "yyyy-MM-dd HH:mm:ss"  
  13.   
  14. # Configuration settings  
  15. # ====================== MAKE CHANGES HERE  
  16. $ouPrefix = "OU_"                                           # Prefix for new created OUs  
  17. $groupPrefixAdm = "ADM_"                                    # Groupname prefix for admin users  
  18. $groupPrefixRdp = "RDP_"                                    # Groupname prefix for RDP users  
  19. $ouBaseDN = "OU=Test,OU=ICC IT, DC=ICOMCEPT, DC=DE"         # Base OU for computer specific OU  
  20.   
  21. $gpoTemplateName = "ADM Server Master Template"             # Name of the gpo template  
  22. $admGroupTemplateName = "ADM_LocalAdministratorsTemplate"   # Name of the admin group name template  
  23. $rdpGroupTemplateName = "ADM_RemoteDesktopUsersTemplate"    # Name of the remote desktop template  
  24. $gpoTargetNamePrefix = "ADM Server Admin "                  # GPO name prefix, server name will be added      
  25.   
  26. # Local GPO export path, will be created automatically  
  27. $gpoExportPath = "c:\GPOExport"                               
  28. # Folder path to groups settings  
  29. $gpoGroupsSettingsPath = "\DomainSysvol\GPO\Machine\Preferences\Groups\Groups.xml"   
  30. # ======================  
  31.   
  32. # Decription for new OU, security groups and computer objects  
  33. $ouDescription = "OU automatically generated " + $dateScriptStart  
  34. $groupDescription = "Group automatically generated " + $dateScriptStart  
  35. $computerDescription = "Computer account generated " + $dateScriptStart  
  36.   
  37. # Add Quest AD Management Snapin  
  38. if ( (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) -eq $null )  
  39. {  
  40.     Add-PsSnapin Quest.ActiveRoles.ADManagement  
  41. }  
  42. # Import active directory powershell module  
  43. Import-Module grouppolicy  
  44.   
  45. If($servername -eq "")  
  46. {  
  47.     Write-Host "Did you forget the servername?"  
  48.     $servername = Read-Host -Prompt "Severname: "  
  49. }  
  50.   
  51. # Fetch base OU first  
  52. $baseOU = Get-QADObject -Type organizationalUnit -Identity $ouBaseDN  
  53.   
  54. # Check if base object has been found  
  55. if(($baseOU.ParentContainerDN -ne "") -and ($servername -ne ""))  
  56. {  
  57.     Write-Host "Base OU found: " $baseOU.DN  
  58.       
  59.     $servernameUpper = $servername.ToUpper()  
  60.     Write-Host "Create new Server: " $servernameUpper  
  61.   
  62.     # Build new OU name  
  63.     $ouNew = $ouPrefix + $servernameUpper  
  64.     Write-Host "  New OU Name:   " $ouNew  
  65.       
  66.     # Add new OU and use computer account container as parent container  
  67.     New-QADObject -Type organizationalUnit -ParentContainer $baseOU.DN -Name $ouNew -Description $ouDescription  
  68.       
  69.     # Fetch new OU object from ad  
  70.     $ouGenerated = Get-QADObject -Type organizationalUnit -Name $ouNew  
  71.       
  72.     # Check if new OU exists  
  73.     if($ouGenerated.ParentContainerDN -ne "")  
  74.     {  
  75.         # Add new computer object in new computer OU  
  76.         New-QADComputer -Name $servernameUpper -ParentContainer $ouGenerated.CanonicalName -Description $computerDescription  
  77.   
  78.         # build new group names  
  79.         $newAdmGroup = $groupPrefixAdm + $servernameUpper  
  80.         $newRdpGroup = $groupPrefixRdp + $servernameUpper  
  81.         Write-Host "  New ADM Group: " $newAdmGroup  
  82.         Write-Host "  New RDP Group: " $newRdpGroup  
  83.           
  84.         # Create new adm group in new OU  
  85.         New-QADGroup -ParentContainer $ouGenerated.CanonicalName -Name $newAdmGroup -Description $groupDescription -GroupScope DomainLocal -SamAccountName $newAdmGroup  
  86.           
  87.         # Create new rdp group in new OU              
  88.         New-QADGroup -ParentContainer $ouGenerated.CanonicalName -Name $newRdpGroup -Description $groupDescription -GroupScope DomainLocal -SamAccountName $newRdpGroup  
  89.           
  90.         # Copy GPO template and   
  91.         # Check if GPO Export folder exists, otherwise create  
  92.         if (Test-Path $gpoExportPath)  
  93.         {   # Nothing to do }  
  94.         else  
  95.         {  
  96.             Write-Host "Create GPO export folder " $gpoExportPath  
  97.             MD $gpoExportPath  
  98.         }  
  99.           
  100.         # Perform export tasks only, if GPO export path is present  
  101.         if (Test-Path $gpoExportPath)  
  102.         {  
  103.             # Export GPO template to export folder  
  104.             $gpoBackup = Backup-GPO $gpoTemplateName -Path $gpoExportPath  
  105.               
  106.             # We do get a new id with each backup, so we have to remind it  
  107.             Write-Host "GPO template backed up as Id: " $gpoBackup.Id  
  108.               
  109.             $groupFile = $gpoExportPath + "\{" + $gpoBackup.Id + "}\" + $gpoGroupsSettingsPath 
  110.             Write-Host "Modifing GPO settings in" $groupFile 
  111.              
  112.             # Prepare gpo settings 
  113.             $gpoAdminGroupName = $groupPrefixAdm + $servername 
  114.             $gpoRdpGroupName = $groupPrefixRdp + $servername 
  115.              
  116.             # Get admin groups from ad 
  117.             Write-Host "Fetching Server Admin group: " $gpoAdminGroupName 
  118.             $serverAdminGroup = Get-QADGroup $gpoAdminGroupName 
  119.             $admGroupTemplate = Get-QADGroup $admGroupTemplateName 
  120.              
  121.             # Get rdp groups from ad 
  122.             Write-Host "Fetching Server RDP group  : " $gpoRdpGroupName 
  123.             $serverRdpGroup = Get-QADGroup $gpoRdpGroupName 
  124.             $rdpGroupTemplate = Get-QADGroup $rdpGroupTemplateName 
  125.              
  126.             # Check if we have found the servers administrators and the admin template groups 
  127.             if(($serverAdminGroup -ne $null) -and ($admGroupTemplate -ne $null) -and ($serverRdpGroup -ne $null) -and ($rdpGroupTemplate -ne $null))  
  128.             { 
  129.                 # Replace local administrators group name 
  130.                 Write-Host "Replacing [" $admGroupTemplateName "] with [" $gpoAdminGroupName "]" 
  131.                 $r = (Get-Content $groupFile) -replace $admGroupTemplateName, $gpoAdminGroupName 
  132.                 Set-Content $groupFile $r 
  133.                  
  134.                 # Replace local administrators group SID 
  135.                 Write-Host "Replacing [" $admGroupTemplate.SID "] with [" $serverAdminGroup.SID "]" 
  136.                 $r = (Get-Content $groupFile) -replace $admGroupTemplate.SID, $serverAdminGroup.SID 
  137.                 Set-Content $groupFile $r 
  138.                  
  139.                 # Now we try to replace the local rdp group members 
  140.                 # Replace local rdp group name 
  141.                 Write-Host "Replacing [" $rdpGroupTemplateName "] with [" $gpoRdpGroupName "]" 
  142.                 $r = (Get-Content $groupFile) -replace $rdpGroupTemplateName, $gpoRdpGroupName 
  143.                 Set-Content $groupFile $r 
  144.                  
  145.                 # Replace local rdp group SID 
  146.                 Write-Host "Replacing [" $rdpGroupTemplate.SID "] with [" $serverRdpGroup.SID "]" 
  147.                 $r = (Get-Content $groupFile) -replace $rdpGroupTemplate.SID, $serverRdpGroup.SID 
  148.                 Set-Content $groupFile $r 
  149.                  
  150.                 # Now, that we've modified the gpo, lets import the group and link it to the servers ou 
  151.                 $newGpoName = $gpoTargetNamePrefix + $servername 
  152.                 Write-Host "Importing modified GPO: " $newGpoName 
  153.                 Import-GPO -BackupId $gpoBackup.Id -TargetName $newGpoName -Path $gpoExportPath -CreateIfNeeded 
  154.                  
  155.                 $serverOU = $ouPrefix + $servername 
  156.                  
  157.                 # Find server OU 
  158.                 Write-Host "Linking GPO to OU     : " $serverOU 
  159.                 $ou = Get-QADObject $serverOU -Type organizationalUnit 
  160.                  
  161.                 Get-GPO $newGpoName | New-GPLink -target $ou.DN -LinkEnabled Yes 
  162.                  
  163.                 # Rename GUID named GPO backup file to a more readable one (server name) 
  164.                 $source = $gpoExportPath + "\{" + $gpoBackup.ID + "}" 
  165.                 $target = $gpoExportPath + "\" + $servername 
  166.                 Move-Item $source $target 
  167.                  
  168.                 Write-Host $servernameUpper " account is ready to use." 
  169.             } 
  170.             else 
  171.             { 
  172.                 Write-Host 
  173.                 Write-Host "!!!WARNING!!!" 
  174.                 Write-Host "One of the following groups were *NOT* found in Active Directory" 
  175.                 Write-Host "Admin Group         : " $gpoAdminGroupName 
  176.                 Write-Host "Admin Template Group: " $admGroupTemplateName 
  177.                 Write-Host "RDP Group           : " $gpoRdpGroupName 
  178.                 Write-Host "RDP Template Group  : " $rdpGroupTemplateName 
  179.             } 
  180.         } 
  181.         else 
  182.         { 
  183.             Write-Host "GPO export path could not be created!" 
  184.             Write-Host "Please check configuration"  
  185.         }  
  186.     }  
  187. }  
  188.   
  189. Write-Host  

Download: Add-Computer.zip

Links: Quest ActiveRoles Managementshell for Active Directory

 

Views: 1363

Tags: Powershell, Security

Comment

You need to be a member of The SysAdmin Network to add comments!

Join The SysAdmin Network

© 2012   Created by Elizabeth Ayer and Michael Francis.   Powered by

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!