Transcript of: ADVANCED TOPICS
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CISA | www.sevecek.com
SEARCHES
Active Directory Troubleshooting
Search Syntax
physicalDeliveryOfficeName=C* AND NOT telephoneNumber=20*
(&(physicalDeliveryOfficeName=C*)(!telephoneNumber=20*))
AND = &
OR = |
NOT = ! (strict RFC 4515 syntax wraps the negated term in its own parentheses, (!(telephoneNumber=20*)); AD also accepts the shorthand used on these slides)
=, <=, >=, *
Searches
(objectClass=user)
(&(objectClass=user)(givenName=o*))
(mail=*)
(&(objectClass=user)(!objectClass=computer))
(|(sn=s*)(sn=d*))
(logonCount>=1)
(!telephoneNumber=+4*)
Type | objectClass | objectCategory | sAMAccountType | userAccountControl / groupType
user | user | person | 805306368 (NORMAL_USER_ACCOUNT) | NORMAL_ACCOUNT
contact | contact | person | - | -
computer | computer, user | computer | 805306369 (MACHINE_ACCOUNT) | WORKSTATION_TRUST_ACCOUNT
DC | computer, user | computer | 805306369 (MACHINE_ACCOUNT) | SERVER_TRUST_ACCOUNT
RODC | computer, user | computer | 805306369 (MACHINE_ACCOUNT) | WORKSTATION_TRUST_ACCOUNT + PARTIAL_SECRETS_ACCOUNT
group | group | group | 268435456 (GROUP_OBJECT [G, U]), 536870912 (ALIAS_OBJECT [DL]), dist. group (NON_SECURITY…) | SECURITY_ENABLED, UNIVERSAL_GROUP, ACCOUNT_GROUP, RESOURCE_GROUP
trust | user | person | 805306370 (TRUST_ACCOUNT) | INTERDOMAIN_TRUST_ACCOUNT
krbtgt (RID 502) | user | person | 805306368 (NORMAL_USER_ACCOUNT) | NORMAL_ACCOUNT
group svc account | msDS-GroupManagedServiceAccount, user, computer | msDS-GroupManagedServiceAccount | 805306369 (MACHINE_ACCOUNT) | WORKSTATION_TRUST_ACCOUNT
Demo: Search tools
dsquery * OU=Company,DC=idtt,DC=local -filter "(physicalDeliveryOfficeName=c*)"
Indexed vs. non-indexed attributes
Searching non-indexed attributes requires going through all the individual database rows
unnecessary overhead on the DC side
LDP: Search, Options, SearchStats (shows whether, and which, index the query used)
Indexed vs. non-indexed attributes
Indexed attributes
givenName, sn, physicalDeliveryOfficeName
objectCategory
objectClass with Windows 2008+ schema
Non-indexed attributes
objectClass with Windows 2003- schema
telephoneNumber, …
Advanced searches
(whenCreated>=19991122000000.0Z)
(whenCreated>=19990323205258.0+1200)
pwdLastSet: 100 ns intervals starting 1.1.1601 (pwdLastSet>=128962296000000000)
1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND
1.2.840.113556.1.4.804 = LDAP_MATCHING_RULE_BIT_OR
1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN
Advanced searches
Boolean true, false
GUID {BF967ABA-0DE6-11D0-A285-00AA003049E2}
(objectGuid=\BA\7A\96\BF\E6\0D\D0\11\A2\85\00\AA\00\30\49\E2)
SID S-1-5-21-1935655697-308236825-1417001333
(objectSid=\01\04\00\00\00\00\00\05\15\00\00\00\11\C3\5F\73\19\52\5F\12\75\B9\75\54)
Advanced searches
Escaping special characters
\\, \), \(, \/, \*, ...
\5C, \29, \28, \2F, \2A
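The GUID/SID byte escaping and the special-character escaping from the two slides above, as an added Python example that is not part of the original deck: `guid_filter_value` and `sid_filter_value` produce exactly the `\XX` forms shown for objectGUID and objectSid, and `equality_filter` escapes a text value; the sample SID for SYSTEM in the `__main__` block is a constructed input.

```python
import struct
import uuid

# Added example, not part of the original slides. Binary attribute values
# (objectGUID, objectSid) go into an LDAP filter as their raw bytes, each
# escaped as \XX; text values need only ( ) * \ NUL (and / in AD) escaped.


def escape_bytes(raw: bytes) -> str:
    """Escape every byte as \\XX (RFC 4515 hex escape)."""
    return "".join(f"\\{b:02X}" for b in raw)


def guid_filter_value(guid_text: str) -> str:
    """'{BF967ABA-...}' -> '\\BA\\7A\\96\\BF...': the first three GUID fields
    are stored little-endian, which is why text and byte order differ."""
    return escape_bytes(uuid.UUID(guid_text).bytes_le)


def sid_filter_value(sid_text: str) -> str:
    """'S-1-5-21-a-b-c' -> escaped binary SID: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid_text.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid_text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    raw = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    raw += b"".join(struct.pack("<I", s) for s in subs)
    return escape_bytes(raw)


def escape_filter_value(text: str) -> str:
    """Escape the characters that are special in a filter assertion value."""
    special = {"\\": "\\5C", "*": "\\2A", "(": "\\28", ")": "\\29",
               "\x00": "\\00", "/": "\\2F"}
    return "".join(special.get(c, c) for c in text)


def equality_filter(attribute: str, value) -> str:
    """Build (attribute=value), escaping bytes or text as appropriate."""
    if isinstance(value, (bytes, bytearray)):
        return f"({attribute}={escape_bytes(bytes(value))})"
    return f"({attribute}={escape_filter_value(value)})"


if __name__ == "__main__":
    # the 'user' class schemaIDGUID and the domain SID from the slides
    print("(objectGUID=" + guid_filter_value("{BF967ABA-0DE6-11D0-A285-00AA003049E2}") + ")")
    print("(objectSid=" + sid_filter_value("S-1-5-21-1935655697-308236825-1417001333") + ")")
    # constructed sample: the well-known SYSTEM SID S-1-5-18 as raw bytes
    print(equality_filter("objectSid", b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"))
    print(equality_filter("cn", "Smith (Sales) *"))
```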
Search examples
Disabled account: userAccountControl = 2
Locked account (until unlocked or tried again): lockoutTime, msDS-User-Account-Control-Computed = 16
Last password change/reset: pwdLastSet
Cannot change password: permissions, Deny - Self - Change password
Must change password at next logon: pwdLastSet = 0, msDS-User-Account-Control-Computed = 8388608
Search examples
Domain Admins: (&(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=idtt,DC=local)(primaryGroupID=512)))
Computer or member server: objectClass = computer, userAccountControl = WORKSTATION_TRUST_ACCOUNT
Domain Controller: objectClass = computer, userAccountControl = SERVER_TRUST_ACCOUNT
Search examples
Inactive computers (not yet disabled: bit AND on userAccountControl uses rule 1.2.840.113556.1.4.803)
(&(objectClass=computer)(lastLogonTimestamp<=129274916816708588)(!userAccountControl:1.2.840.113556.1.4.803:=2))
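The tick arithmetic behind pwdLastSet and lastLogonTimestamp, and the assembly of the inactive-computers filter above, as an added Python example that is not from the original slides; the negated disabled-bit test is written in strict RFC 4515 form, and the only page value it reuses is the pwdLastSet figure from the earlier slide.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the original slides. pwdLastSet, lastLogon and
# lastLogonTimestamp are Windows FILETIME values: 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2                        # userAccountControl bit "Disabled account"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def datetime_to_filetime(when: datetime) -> int:
    """Aware datetime -> FILETIME ticks. Naive values are rejected: FILETIME is UTC."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (the sub-microsecond part is dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def iso_to_filetime(text: str) -> int:
    """ISO 8601 string with a UTC offset -> FILETIME ticks."""
    return datetime_to_filetime(datetime.fromisoformat(text))


def generalized_time(when: datetime) -> str:
    """whenCreated / whenChanged use GeneralizedTime, e.g. 19991122000000.0Z."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def inactive_computers_filter(now: datetime, days: int) -> str:
    """Computers whose lastLogonTimestamp is older than `days` and that are not
    already disabled. lastLogonTimestamp is refreshed only about every 9-14 days
    (msDS-LogonTimeSyncInterval), so `days` must be well above that window."""
    cutoff = datetime_to_filetime(now - timedelta(days=days))
    return ("(&(objectClass=computer)"
            f"(lastLogonTimestamp<={cutoff})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))")


if __name__ == "__main__":
    # the pwdLastSet sample from the slides decodes to 2009-08-31 22:00 UTC
    print(filetime_to_datetime(128962296000000000).isoformat())
    print(inactive_computers_filter(datetime.now(timezone.utc), 90))
```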
Confidential attributes
dsquery * CN=schema,CN=configuration,DC=idtt,DC=local -filter "(searchFlags:1.2.840.113556.1.4.803:=128)"
ADSI Schema Cache
The client's ADSI LDAP provider caches the whole schema
re-cached per DC, on every schema change
the schema is about 1.5 MB
Not important with local DCs
Worse with WAN clients without a local DC
HKLM\SOFTWARE\Microsoft\ADs\Providers\LDAP\schemaContainerDN (one key per schema container DN)
value: time of last update
value: file that stores the cache
ACCESS CONTROL
Active Directory Troubleshooting
Security permissions
Everything requires authentication
except for RootDSE
Delegate Control wizard
DELEGWIZ.INF
Security tab
DSA.MSC and ADSI Edit
Never use DSA or ADSI Edit to check permissions
example - mail attribute
Use either DSACLS or LDP
LDP and permissions
Default Security Descriptor
User class example
Windows 2000
Windows 2003 added 2 new permission ACEs
Windows Authorization Access Group
Terminal Server Licensing Servers
Windows 2003 R2 no change
Windows 2008 added 1 new permission ACE
Terminal Server Licensing Servers
Not changed on existing objects!
Property sets
Grouping of several attributes for simpler permission assignment
Google: Active Directory Property Sets
http://technet.microsoft.com/en-us/library/cc755430(WS.10).aspx
User DSD
Self | Read all, Write Personal Information, Write Private Information, Write Phone and Mail Options, Write Web Information
Authenticated Users | Read General Information, Read Public Information, Read Personal Information, Read Web Information, Read Permissions
Account Operators | Full Control
Domain Admins | Full Control
Group DSD
Authenticated Users | Read all
Account Operators | Full Control
Domain Admins | Full Control
Pre-Windows 2000 Compatible Access
By default contains Authenticated Users
should be removed
Inherited from domain level
not part of the default security descriptor
Assigned
List (all sub-objects)
Read (all User objects)
Read (all Group objects)
Read (all OUs)
Pre-Windows 2000 Compatible Access on Windows 2003-
Administrators and Deny
Inherited Deny is overwritten by explicit Allow
Default Security Descriptor in schema
To prevent Domain Admins and Account Operators from doing something, use explicit Deny on the objects
Authenticated Users and Deny
Read cannot be limited by inheritance
Default Security Descriptor in schema
Confidential attributes
would require Full Control
Scripts must be used to define individual Deny
Change Password vs. Reset Password
Change Password
Everyone
must know current password
Reset Password
admins only
Anonymous Access
CN=Directory Services,CN=Services,CN=Configuration,...
dsHeuristics
7th position character = 2 to enable anonymous bind (0000002)
Anonymous Access and LDP
Simple Bind: empty password = ANONYMOUS
anonymous simple bind does not receive Pre-Windows 2000 Compatible Access membership
it does not receive access token at all
Bind with Credentials: empty/empty = ANONYMOUS
tokenGroups
Some applications require reading the group membership of user accounts: either memberOf, or tokenGroups and tokenGroupsGlobalAndUniversal
Required by Kerberos protocol transition
ISA/TMG smart card authentication requires Kerberos protocol transition
IAS/NPS RADIUS user authentication
SCOM 2007 to be able to Push Agent installations
tokenGroups
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
added in 2003 SP1 to replace the Pre-Windows 2000 Compatible Access
modified in schema in Default Security Descriptor
not modified on existing objects
Windows Authorization Access Group required on users
Windows Authorization Access Group not required on groups
WAAG
Kerberos Protocol Transition
AD CS and Constrained Enrollment Agent
SQL Server for logins
IAS/NPS/TS Gateway with certificate logon
TS Licensing
Demo: TGGAU and WAA group
Check membership of the Pre-Windows 2000 Compatible Access
possibly remove all the members
Check membership of the Windows Authorization Access Group
Check Effective Permission on a user account for Authenticated Users
AdminSDHolder
Resets permissions for security principals who are members of administrative groups
Enterprise Admins, Schema Admins
Domain Admins, Administrators
Domain Controllers
Cert Publishers, Backup Operators, Replicator, Server Operators, Account Operators, Print Operators
CN=AdminSDHolder,CN=System,DC=idtt,DC=local
AdminCount = 1
AdminSDHolder
Done by PDC FSMO
Triggered by
runProtectAdminGroupsTask in 2008 R2+
fixUpInheritance in 2008 and older
needs appropriate control access right on DC=domain,DC=virtual
dsquery * domainroot -filter “(adminCount>=1)”
Orphaned AdminSDHolder objects
Remain with adminCount = 1
Remain with inheritance protection
Lab: AdminSDHolder
dsHeuristics
CN=Directory Services,CN=Services,CN=Configuration,...
dsHeuristics
16th position character can exclude groups
Group | Bit | Value
Account Operators | 0001 | 1
Server Operators | 0010 | 2
Print Operators | 0100 | 4
Backup Operators | 1000 | 8
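An added Python helper (not from the slides) for the dsHeuristics string used by the anonymous-bind (7th character), List Object (3rd character) and AdminSDHolder-exclusion (16th character) settings: it pads with '0', keeps the MS-ADTS checkpoint digits ('1' at position 10, '2' at position 20, and so on) and encodes or decodes the operator-group bit mask. Writing the result to CN=Directory Services is left to whatever LDAP client is used; these functions only produce and read the string.

```python
# Added example, not part of the original slides: helpers for the dsHeuristics
# string on CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration,...
# Positions are 1-based and unset positions read as '0'. MS-ADTS requires the
# checkpoint digit '1' at position 10, '2' at position 20 and so on whenever
# the string is long enough to contain that position.

LIST_OBJECT_POS = 3             # '1' = List Object mode (fDoListObject)
ANONYMOUS_BIND_POS = 7          # '2' = allow anonymous LDAP operations
ADMINSDHOLDER_EXCLUDE_POS = 16  # hex digit: bit mask of operator groups to exclude
OPERATOR_GROUP_BITS = {
    1: "Account Operators",
    2: "Server Operators",
    4: "Print Operators",
    8: "Backup Operators",
}


def get_heuristic(value: str, position: int) -> str:
    """Character at `position`, or '0' when the string is shorter than that."""
    if position < 1:
        raise ValueError("positions are 1-based")
    return value[position - 1] if len(value) >= position else "0"


def set_heuristic(value: str, position: int, char: str) -> str:
    """New dsHeuristics string with `position` set to `char`, padded with '0'
    and with the mandatory checkpoint digits restored."""
    if position < 1 or position % 10 == 0 or len(char) != 1:
        raise ValueError("invalid position or character")
    chars = list(value.ljust(position, "0"))
    chars[position - 1] = char
    for p in range(10, len(chars) + 1, 10):
        chars[p - 1] = str((p // 10) % 10)
    return "".join(chars)


def anonymous_bind_enabled(value: str) -> bool:
    return get_heuristic(value, ANONYMOUS_BIND_POS) == "2"


def list_object_mode(value: str) -> bool:
    return get_heuristic(value, LIST_OBJECT_POS) == "1"


def excluded_operator_groups(value: str) -> list:
    """Operator groups the 16th character removes from AdminSDHolder protection."""
    mask = int(get_heuristic(value, ADMINSDHOLDER_EXCLUDE_POS), 16)
    return [name for bit, name in OPERATOR_GROUP_BITS.items() if mask & bit]


def exclude_operator_groups(value: str, names) -> str:
    """Set the 16th character to the mask covering the groups in `names`."""
    mask = 0
    for bit, name in OPERATOR_GROUP_BITS.items():
        if name in names:
            mask |= bit
    return set_heuristic(value, ADMINSDHOLDER_EXCLUDE_POS, f"{mask:x}")


if __name__ == "__main__":
    print(set_heuristic("", ANONYMOUS_BIND_POS, "2"))                    # 0000002
    print(exclude_operator_groups("", ["Backup Operators", "Server Operators"]))
```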
Permission-based settings
Common permissions
Operation | Permissions
Rename object (only by using DSMOVE) | write cn, write name
Reset password | reset password, write pwdLastSet
NETDOM RESETPWD | reset password, write pwdLastSet
Join computer | write servicePrincipalName, write dnsHostName, write sAMAccountName, write displayName, write description, write Account Restrictions, write Logon Information, delete, delete tree, list, list objects, read all properties, read permissions, control access rights
Move object between OUs (DSMOVE) | same as rename
Move object between OUs (DSA console) | delete on source, create on target
Rename object (DSA console) | same as move between OUs in DSA console
Delete object (which does not have any sub-objects) | delete, or delete [objectType] on parent, or delete subtree (if Delete Subtree Server Control is being used)
Delete object (which does have some sub-objects) | delete on all the objects, or delete [all-the-specific-objectTypes] on parent/s, or delete subtree (if Delete Subtree Server Control is being used)
Protect against accidental deletion | deny delete, deny delete tree (this object only)
Install subdomain | Enterprise Admins to write to Sites/Servers and Partitions; parent domain Domain Admins to initially replicate from
Forest trust | Domain Admins of the trusting root domain; Incoming Forest Trust Builders in trusted domain
External trust | trusting/trusted domain Domain Admins
Search and permissions
LDAP search results are trimmed according to the permissions on the objects
cannot search for attributes that I cannot Read
cannot find objects if I cannot List parent
dSHeuristics, 3rd character = 1
If I cannot read an object, I cannot find it
hidden accounts with SYSTEM allowed to Read
Example: Hidden account
PSEXEC -s -d -i cmd.exe
DSA.MSC, ADSIEDIT.MSC
Create container in Program Data/Microsoft
Create user account in the new container
Allow only SYSTEM to FULL CONTROL
Allow Domain Admins only READ ATTRIBUTES and READ PERMISSIONS but not LIST
Make the account member of Domain Admins as the only (primary) group
LDAP Simple Bind
Clear text authentication
the same as HTTP/SMTP/POP3 Basic
used by VPN gateways, RADIUS servers, proxy servers, third party integrations
Enabled by default
AD accepts simple binds with
distinguishedName
userPrincipalName (non standard)
sAMAccountName (non standard)
Password trials (lib-utils.ps1)
function global:Try-LdapPassword ([string] $path, [string] $login, [string] $pwd, [string] $security) {
    $ErrorActionPreference = 'SilentlyContinue'
    $error.Clear()
    $domain = New-Object DirectoryServices.DirectoryEntry $path, $login, $pwd, $security
    $domain.RefreshCache('name')
    $worked = $error.Count -eq 0
    $ErrorActionPreference = 'Continue'
    return $worked
}
function global:Try-LdapAllPasswords ([string] $path, [string] $login, [int] $pwdChars, [string] $security, [byte[]] $charSet = ((48..57) + (65..90) + (97..122)))
{
<#
.DESCRIPTION
security: AuthenticationTypes enumeration = None (simple bind), Signing, Sealing, SecureSocketsLayer
charSet: (48..57) + (65..90) + (97..122) = 0-9, A-Z, a-z
(32..126) = !"# ... xyz{|}~
#>
Enforce SSL for Simple Bind
Domain Controller: LDAP Server Signing Requirements
require GSSAPI signing for LDAP
require LDAPS for Simple Bind
Requires TLS Server Authentication certificate
Enforce LDAPS for Simple Bind
LDAP TLS Server Authentication Certificate
Extension | Value
Subject | DNS
SAN | DNS
Exportable Key | no
Archive Key | no, transport encryption only
Key Type | Encryption (+ Signature must be included, illogically)
Key Usage | Key Encipherment + Digital Signature
CSP/CNG | Microsoft RSA SChannel Cryptographic Provider / Microsoft Software Key Storage Provider
EKU | Server Authentication (1.3.6.1.5.5.7.3.1)
Autoenrollment | yes
Publish in AD | no
Store | LocalComputer\My (Personal)
Domain Controller Certificates
Template | Issued Certificates | Availability and Enrollment
Domain Controller (v1) | Subject = dc1.idtt.local, SAN = GUID & dns=dc1.idtt.local, EKU = client / server | Windows 2000 CA, Windows 2000+ DCs, manually
Domain Controller Authentication (v2) | Subject = (empty), SAN = dns=dc1.idtt.local, EKU = client / server / sc | Windows 2003 CA, Windows 2003+ DCs, autoenrollment
Kerberos Authentication (v2) | Subject = (empty), SAN = dns=idtt.local & dns=IDTT, EKU = client / server / sc / kdc | Windows 2008 CA, Windows 2003+ DCs, autoenrollment
AD LDS TLS Server Authentication Certificate
Extension | Value
Subject | DNS
SAN | DNS
Exportable Key | no
Archive Key | no, transport encryption only
Key Type | Encryption
Key Usage | Key Encipherment
CSP/CNG | Microsoft RSA SChannel Cryptographic Provider / Microsoft Software Key Storage Provider
EKU | Server Authentication (1.3.6.1.5.5.7.3.1)
Autoenrollment | yes
Publish in AD | no
Store | ADLDSService\My (Personal), or allow Read to the service account
AD LDS SECURITY
Active Directory Troubleshooting
User Accounts
User class
userPrincipalName or distinguishedName
objectSID, displayName, …
msDS-UserAccountDisabled
MD4/MD5 password
UserProxy
objectSID, displayName
UserProxyFull
objectSID, displayName, …
Authentication
Windows authentication with outside principals NTLM and Kerberos (SPN automatically registered)
LDAP simple bind with AD LDS accounts distinguishedName or userPrincipalName
LDAP simple bind with proxy authentication does not store password
Account Logon Auditing for simple binds: the AD LDS service account must have SeAuditPrivilege (Generate Security Audits)
Credential Validation
AD LDS Simple Bind
Does not require TLS by default
Supports DN and userPrincipalName binds
does not support sAMAccountName binds
CN=Directory Services,CN=Windows NT,CN=Services,CN=Config…
msDS-Other-Settings
RequireSecureSimpleBind = 0/1
TLS
TLS certificate must be placed in service store
does not accept Local Machine certificates
Proxy authentication requires TLS by default
Anonymous access disabled by default
Proxy authentication
TLS requirement
CN=Directory Services,CN=Windows NT,CN=Services,CN=Config…
msDS-Other-Settings
RequireSecureProxyBind = 0/1
Cannot define external SID if not valid/existing
must be also unique in the AD LDS instance
Other LDS settings
ADAMDisableLogonAuditing
ADAMDisablePasswordPolicies
ADAMDisableSPNRegistration
ADAMAllowADAMSecurityPrincipalsInConfigPartition
ADAMLastLogonTimestampWindow ~ msDS-LogonTimeSyncInterval
SelfReferralsOnly, MaxReferrals
ADAMDisableSSI disables DIGEST-MD5 authentication
Chasing referrals
By default automatic DN<>DNS mapping
Original request: cn=jinde,dc=sevecek,dc=test
Referral: LDAP://sevecek.test/cn=jinde,dc=sevecek,dc=test
Or create an explicit crossRef object with dnsRoot = sevecek.testing.local:30000
DNS SRV _ldap._tcp.sevecek.testing.local = dc3.gopas.virtual:30000
DNS SRV _ldap._udp.sevecek.testing.local = dc3.gopas.virtual:30000
dnsRoot = lds5.gopas.virtual:50000
ADSI authentication for referrals
Windows re-authentication automatic
SPN ldap/dc3.gopas.virtual obtained from RootDSE's dNSHostName attribute
With simple bind referrals are chased anonymously
DELETE OPERATIONS
Active Directory Troubleshooting
Delete operations
Delete only removes most attributes from an object
tombstone
Replicates as normal object change/move
Deleted by individual DCs after tombstoneLifetime
CN=Directory Services,CN=Services,CN=Configuration,...
Search options to return deleted objects
Tombstones
isDeleted: true
isRecycled: true
name
objectSID, objectGUID
sIDHistory
lastKnownParent
Others are configured by searchFlags = 8 in the attributeSchema
Lab: Reanimating objects
LDP
Options – Search
Extended
Return deleted objects
View – Tree
CN=Deleted Objects
Tombstone lifetime
Windows 2000
60 days
Windows 2003 SP1+
180 days
upgrade keeps the 60 days from previous version
Tombstone lifetime
CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration,DC=idtt,DC=local
tombstoneLifetime
garbageCollPeriod (12 hours by default)
Garbage collection does not remove white space from the database; only offline defragmentation does
the amount can be logged by setting HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection = 1
Lab (optional): Garbage Collection
Decrease tombstone lifetime to 2 days
Delete user Leo
Using LDP tool confirm its tombstone remained in the database
On the Hyper-V host move the date 1 day forward and wait until the date is adjusted automatically on the DC; you MUST NOT move by more than 1 day!
Replicate all DCs and check it went without errors REPADMIN /replsummary
Move the date once again and repeat the replication
Using LDP issue doGarbageCollection=1 operational attribute write and confirm the tombstones got removed
AD Recycle bin
Optional feature with Windows 2008 R2 forest level
cannot be disabled
Preserves all attributes on deleted objects for the tombstone lifetime
after that, the object becomes normal tombstone for another lifetime
Does not preserve attribute changes
recovery site still useful
Enabling AD Recycle Bin
Raise forest functional level to at least Windows 2008 R2
On Naming FSMO: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'gopas.virtual'
On AD LDS instance: … -Target 'CN=Configuration,CN={…}' -Server adldsSrv:50001
Or from the Active Directory Administrative Center since Windows 2012
TSL and 2008 R2 Schema Update
Updating the schema to 2008 R2 includes
isRecycled attribute
Attribute is added to existing tombstones, which then replicate (not important traffic)
If some DC has already deleted the tombstones on the verge of their TSL, it will not replicate with Strict Replication Consistency
repadmin /SetAttr * "" doGarbageCollection Add 1
AD LDS Recycle Bin
Update schema to 2008 R2
MS-ADAM-Upgrade-2.ldf - schema
MS-ADAM-Upgrade-1.ldf - configuration
Remove all older replicas
Upgrade FFL to 2008 R2
msDS-Behavior-Version = 4
Enable recycle bin with PowerShell
EXPIRING OBJECTS
Active Directory Troubleshooting
Expiring objects
$domain = 'DC=ad,DC=sevecek,DC=com'
$ou = [ADSI] "LDAP://OU=TRAINING,$domain"
[int] $ttl = 20        # group lifetime in minutes
[int] $userTTL = 37    # user lifetime in minutes
# the dynamicObject auxiliary class makes the object expire entryTTL seconds after creation
$user = $ou.Create('user', 'CN=Josef')
$user.PutEx(2, 'objectClass', @('dynamicObject', 'user'))   # 2 = ADS_PROPERTY_UPDATE
$user.Put('entryTTL', ($userTTL * 60))
$user.Put('sAMAccountName', 'josef')
$user.SetInfo()
$user.SetPassword('Pa$$w0rd')
$user.Put('userAccountControl', 512)   # NORMAL_ACCOUNT, enabled
$user.SetInfo()
Expiring objects
# ...
$baseGroup = $ou.Create('group', 'CN=IS Access')
$baseGroup.Put('sAMAccountName', 'IS Access')
$baseGroup.SetInfo()
# the nested group expires, and with it the membership it carries
$expiringGroup = $ou.Create('group', "CN=IS Access Expiring in $ttl minutes")
$expiringGroup.PutEx(2, 'objectClass', @('dynamicObject', 'group'))
$expiringGroup.Put('entryTTL', ($ttl * 60))
$expiringGroup.Put('sAMAccountName', "IS Access Expiring in $ttl minutes")
$expiringGroup.SetInfo()
$baseGroup.Add($expiringGroup.Path)
$expiringGroup.Add($user.Path)
Privileged Access Management Feature (PAM)
TTL on links
Requires FFL 2016
Enable-ADOptionalFeature
Add-ADGroupMember -Identity Group -Members Member -MemberTimeToLive <TimeSpan>
Get-ADGroup -Properties member -ShowMemberTimeToLive
SCRIPTING
Active Directory Troubleshooting
Scripting tools
LDIFDE attribute/value pairs
CSVDE comma separated values (table)
DSxxx DSADD, DSRM, DSMOD, DSQUERY, DSGET
VBScript (ADSI COM)
PowerShell (ADSI COM, PowerShell v2)
.NET (System.DirectoryServices)
DSACLS
Exports vs. Imports
Export
does not export passwords nor hashes
Import
cannot import GUIDs, SIDs etc.
can import/change/reset passwords
LDF (LDIF) files
Can contain ADD, DELETE, REPLACE operations
Sometimes can be used to change/reset passwords
unicodePwd
must be surrounded by "" and UTF-16 encoded, then Base-64 encoded in the LDIF file
Pa$$w0rd - "Pa$$w0rd" - 0x22 0x00 0x50 0x00 0x61 0x00 ...
userPassword
not encoded
requires 2003 domain level and dsHeuristics with fUserPwdSupport
Reset password with .LDF
dn: CN=Joe,OU=Company,DC=idtt,DC=local
changetype: modify
replace: unicodePwd
unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
Reset password with .LDF
dn: CN=John Smith, OU=Users,DC=Fabrikam,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword
Change password with .LDF
dn: CN=John, OU=Company,DC=idtt,DC=local
changetype: modify
delete: userPassword
userPassword: oldPassword
-
add: userPassword
userPassword: newPassword
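The unicodePwd encoding rule and the reset and change records from the LDF slides above, as an added Python example that is not part of the original deck: it reproduces the `unicodePwd::` line shown for "newPassword", builds the equivalent reset (replace) and change (delete old / add new) records for unicodePwd, and decodes a line back so a hand-written LDF can be checked before import.

```python
import base64

# Added example, not part of the original slides: the LDIF records for a
# password reset and a password change through unicodePwd. The value is the
# password wrapped in double quotes and encoded as UTF-16LE; because that is
# binary, LDIF carries it base64-encoded after a double colon. AD only accepts
# unicodePwd writes over an encrypted connection (LDAPS or a sealed bind).


def unicode_pwd_value(password: str) -> bytes:
    """'"Pa$$w0rd"' as UTF-16LE: 22 00 50 00 61 00 24 00 ..."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif_line(password: str) -> str:
    """LDIF attribute line; '::' marks a base64-encoded value (RFC 2849)."""
    return "unicodePwd::" + base64.b64encode(unicode_pwd_value(password)).decode("ascii")


def reset_password_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a replace, which needs the Reset Password right."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
                      unicode_pwd_ldif_line(new_password), "-", ""])


def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value and add the new one in a
    single modify, which proves knowledge of the current password (Change
    Password right instead of Reset Password)."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "delete: unicodePwd", unicode_pwd_ldif_line(old_password), "-",
                      "add: unicodePwd", unicode_pwd_ldif_line(new_password), "-", ""])


def decode_unicode_pwd_line(line: str) -> str:
    """Reverse a 'unicodePwd::<base64>' line back to the quoted clear text."""
    _, _, b64 = line.partition("::")
    return base64.b64decode(b64.strip()).decode("utf-16-le")


if __name__ == "__main__":
    print(reset_password_ldif("CN=Joe,OU=Company,DC=idtt,DC=local", "newPassword"))
    print(decode_unicode_pwd_line("unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA="))
```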
DSACLS
DSACLS \\dc1\CN=Kamil,OU=London,... /G sales:RPWP;telephoneNumber
DSACLS OU=London,OU=Company,... /I:S /G sales:RPWP;telephoneNumber;user
/I:S - subobjects only
/I:T - this object and subobjects
/I:P - only direct child objects (one level only)
Restore default security
DSACLS \\dc1\OU=London,DC=... /S /T
Security with DSQUERY
FOR /F "tokens=1" %i IN ('DSQUERY * "DC=idtt,DC=local" -filter "(mail=*)"') DO (DSACLS %i /G sales:RPWP;telephoneNumber)
In .BAT files, you need to replace %i with %%i
-limit is by default 100
Query more DCs with REPADMIN
repadmin /showattr * dc=idtt,dc=local /subtree /filter:"(lastLogon<=129254820280000000)" /attrs:lastLogon
LDIFDE
Exporting/Importing tombstones
-X
Changing DN references
-C DC=idtt,DC=local DC=gopas,DC=cz
-C DC=idtt,DC=local #defaultNamingContext (read from the actual RootDSE)
Ticks in VBScript (.VBS)
function D2T ( byVal dateString )
    ' seconds since 1601-01-01, with seven zeros appended = 100 ns ticks as a string
    secDiff = DateDiff("s", "1601-01-01 00:00:00", dateString)
    ticksDiff = CStr(secDiff) & "0000000"
    D2T = ticksDiff
end function
function T2D ( byVal ticksString )
    ' ticks -> seconds (divide by 10^7), then split into whole days and a remainder
    ' so that DateAdd never overflows its integer argument
    ticksDbl = CDbl(ticksString)
    secDbl = ticksDbl / CDbl(10) / CDbl(1000) / CDbl(1000)
    daysDbl = secDbl / CDbl(3600) / CDbl(24)
    days = Round(daysDbl)
    secRemainder = Round(secDbl - CDbl(days) * CDbl(3600) * CDbl(24))
    T2D = DateAdd("s", secRemainder, DateAdd("d", days, "1601-01-01 00:00:00"))
end function
Ticks in PowerShell (.PS1)
[DateTime]::Now
[DateTime]::Parse("1601-01-01")
[DateTime]::Now.AddDays(-30)
([DateTime]::Now - [DateTime]::Parse("1601-01-01")).Ticks
EXCHANGE CHANGES
Active Directory Troubleshooting
Exchange 2010
Extends schema with new object classes and attributes
Does not touch default security descriptor
Changes AdminSDHolder partially
Creates Security Groups
Changes permissions on domain root
User Accounts which Inherit
Organization Management (INHERITED), Exchange Trusted Subsystem (INHERITED) | FULL CONTROL msExchDynamicDistributionList; WRITE Exchange Personal Information; WRITE Exchange Information; WRITE Personal Information; WRITE Public Information; WRITE proxyAddresses; WRITE showInAddressBook; WRITE adminDisplayName; WRITE displayName; WRITE displayNamePrintable; WRITE mail; WRITE textEncodedORAddress; WRITE publicDelegates; WRITE garbageCollPeriod; WRITE legacyExchangeDN
Exchange Servers (INHERITED) | CREATE/DELETE msExchActiveSyncDevices; WRITE groupType; WRITE msExchMailboxSecurityDescriptor; WRITE msExchUserCulture; WRITE msExchMobileMailboxFlags; WRITE msExchSafeRecipientsHash; WRITE userCertificate; WRITE msExchBlockedSendersHash; WRITE publicDelegates; WRITE msExchSafeSendersHash; WRITE msExchUMServerWritableFlags; WRITE msExchUMDtmfMap; WRITE msExchUMSpokenName; WRITE msExchUMPinChecksum
Exchange Windows Permissions (EXPLICIT) | WRITE PERMISSIONS; DELETE TREE; DELETE
Exchange Windows Permissions (INHERITED) | CREATE inetOrgPerson; CREATE computer; CREATE group; CREATE organizationalUnit; CREATE user; CREATE contact; Reset Password; WRITE Add/Remove self as member; WRITE sAMAccountName; WRITE pwdLastSet; WRITE managedBy; WRITE userAccountControl; WRITE countryCode; WRITE wWWHomePage
User Accounts with AdminSDHolder
Organization Management (INHERITED), Exchange Trusted Subsystem (INHERITED) | FULL CONTROL msExchDynamicDistributionList; WRITE Exchange Personal Information; WRITE Exchange Information; WRITE Personal Information; WRITE Public Information; WRITE proxyAddresses; WRITE showInAddressBook; WRITE adminDisplayName; WRITE displayName; WRITE displayNamePrintable; WRITE mail; WRITE textEncodedORAddress; WRITE publicDelegates; WRITE garbageCollPeriod; WRITE legacyExchangeDN
Exchange Servers (INHERITED) | Replication Synchronization; WRITE groupType; WRITE msExchMailboxSecurityDescriptor; WRITE msExchUserCulture; WRITE msExchMobileMailboxFlags; WRITE msExchSafeRecipientsHash; WRITE userCertificate; WRITE msExchBlockedSendersHash; WRITE publicDelegates; WRITE msExchSafeSendersHash; WRITE msExchUMServerWritableFlags; WRITE msExchUMDtmfMap; WRITE msExchUMSpokenName; WRITE msExchUMPinChecksum