Wednesday, July 23, 2014

Create Custom RBAC roles with quick powerfull cmdlets.

Here are some handy RBAC cmdlets to help you build your own custom Role Groups, role assignments etc. When you design RBAC Groups , you need to pay attention to your name convention to make sure , Groups, role assignments etc. makes sense, each Role Group created will be located on Microsoft Exchange Security Groups on the root of the forest/Domain , adding members to these security groups also possible using active directors users snap in, so you need to have plan to secure these groups. it might be good idea to tick the box “protect object from accidental deletion” for these groups.

image

image

image

#List all Management Roles

Get-ManagementRole

clip_image001

#List all role entries within given Management Role

Get-ManagementRoleEntry "View-Only Recipients\*"

clip_image002

Note: as you have noticed, all these cmdlet's , user can run if the user is assigned to a Role Group = Assigned Role = ManagementRoleEntry

Here is simple snapshot to digest the relationship

clip_image003

image

image

#Create new Role from existing Parent Role

New-ManagementRole "HelpDesk Permissions" -Parent "View-Only Recipients"

clip_image004

#Remove all Role Entries , except selected one

Get-ManagementRoleEntry “HelpDesk Permissions\*” | Where {$_.name -ne “Get-User”} | Remove-ManagementRoleEntry -Confirm:$False

image

#Locate managementRole

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image006

#Add additional CMDLET if needed to management Role

Add-ManagementRoleEntry “HelpDesk Permissions\Get-MailboxPermission”

clip_image007

#Locate ManagementRole to verify desired cmdlet is assigned to it

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image008

#Create New Role Group

New-RoleGroup "HelpDesk 1.5"

clip_image009

#Add Role assignment to Role Group

New-ManagementRoleAssignment -SecurityGroup "HelpDesk 1.5" -Role "HelpDesk Permissions"

clip_image010

#add member to Role Group

Add-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image011

#locate members

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image012

#remove Members from desired Role Group

Remove-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image013

# Find desired user, List all the Roles

Get-ManagementRoleAssignment -GetEffectiveUsers | ?{$_.EffectiveUserName -eq “Administrator”} | select Role

clip_image014

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Tuesday, July 15, 2014

How To Create CUSTOM RBAC ROLE Exchange 2010 & 2013

We would like to utilize RBAC Role model and create custom RBAC Role for specific needs for a business. These needs could be different from one environment to another. This article will be good reference for you to get your customization. Having said that, first thing to understand is the RBAC Layers.

There are 6 Layers which make up the Role Group Model

  • Role group member
  • Management role group
  • Management role assignment
  • Management role scope
  • Management role
  • Management role entries

clip_image001[4]

Goal:

  1. Create Custom Role Group
  2. Create Custom RBAC Role Entry with desired cmdlet's
  3. Add Custom Role entry to Role
  4. Add role to Custom Role Group
  5. Add Members to Custom Role Group

In this example we will use following template

image

Note: You can build your own management Role , and modify management role entries same way in this article. The process is pretty straight forward.

Task#1

Figure out all role entry contains set-mailbox (set-mailbox is one of the cmdlet we have as our requirement)

Get-ManagementRoleEntry *\Set-Mailbox

clip_image002[4]

 

Task#2

Create the management role with related parent Role

New-ManagementRole -Name “Assign Mailbox Access” -Parent “Mail Recipients”

clip_image003[4]

Task#3

Get-ManagementRoleEntry "Assign Mailbox Access\*"

Verify all cmdlet assign to newly created management role, as you can see we have many cmdlet we don’t want, therefore we will need to remove most of them and only keep what we need.

clip_image004[4]

Task#4

Remove what you don’t need

Get-ManagementRoleEntry “Assign Mailbox Access\*” | Where {$_.name -ne “Add-MailboxPermission”} | Remove-ManagementRoleEntry -Confirm:$False

clip_image005[4]

Task#5

Verify the Role entry , minimum cmdlet is assigned.

clip_image006[4]

Task#6

Add additional cmdlet

  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailbox"
  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\remove-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image007[4]

Task#7

Add remove any role entries if desired

Verify one more time to make sure we have all we wanted. If required continue to add by using same one liner cmdlet

Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox" ---------------> you can replace set-mailbox

If you need to remove use

Remove-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image008[4]

Task#8

Create new Role Group

New-RoleGroup “Audit Team”

clip_image009[4]

Task#9

Let's put them together

New-ManagementRoleAssignment -SecurityGroup "Audit Team" -Role "Assign Mailbox Access"

clip_image010[4]

Task#10

Add-RoleGroupMember “Audit Team” –Member C-Ron.Buzon

clip_image011[4]

We are done lets look at this from ECP

clip_image012[4]

clip_image013[4]

Now if c-ron.Buzon logs in, he will only get the cmdlets assigned to him via RBAC Role. As you can see RBAC permissions model is very efficient and effective. When creating Roles, group and Role entries, you may want to think about unifying name convention and plan this out before start implementing it into production environment.

TechNet:

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Wednesday, July 9, 2014

Recovering from Accidentally Deleted AD objects with PowerShell , AD Recycle BIN , Windows 2012 Active Directory.

We will recovery accidently deleted user account via PS in windows 2012 domain environment. To prepare the scenario we will fist delete the user and recovery it.

Log onto  Windows 2012 DC with administrator privileges.Open PS with administrator privileges

Type following.

Get-ADUser -Filter 'Name -like "*C-Ron Buzon"'

image

image

We will delete the user

Get-ADUser -Filter 'Name -like "*C-Ron Buzon"' | Remove-ADUser -Confirm:$false

image

user has been deleted

image

we can see user within the Deleted Objects container in ADAC

image

Get-ADobject -Filter 'Name -like "*C-Ron*"' -IncludeDeletedObjects

image

we will restore this user

Get-ADobject -Filter 'Name -like "*C-Ron*"' -IncludeDeletedObjects | Restore-ADObject

image

if I check to see user is back to ADDS

image

image

Read more

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

 

Installing First Windows 2012 Domain Controller into Existing Forest/Domain via PowerShell

 

Task: Introducing first Windows 2012 domain controller into Existing Forest /Domain. As you already  notices with Windows 2012 , promoting server to be additional domain controller is changed a lot. There is no more DCpromo instead we use GUI or PowerShell to get the work done.

High Level Steps :

  • Install Windows 2012 Server
  • Configure , Server name, IP address
  • Add Server into existing domain as member server ( preferred )
  • Use PS to promote the server to be additional domain controller and modify the DCpromo.ps1 Script

Step# 1

First task is to add the windows 2012 server into existing domain. Adding server into existing domain  before promoting to be domain controller is a good old habit ,  which allows A record to be created  within the existing DNS Forward lookup  zone and helps also ensures correct DNS settings has been configured.

Log into Server

Open PowerShell and type following command.

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

clip_image001

Step# 2

Now copy and paste the , below PowerShell command into notepad , and save it as DCpromo.ps1 ( we use this name to honor DCPromo we have used ages (-:   , you can name it anything you like.

image

You will need to change  “-DomainName "ZtekZone.com"  and if you like any additional customization , such as changing the defaults , SYSLOG, DatabasePath, LogPath etc.

Download the script from here

Run PS Command against pre-defied PS Script

#Installing Domain Controller

Write-Host "................................"

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "................................"

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now after modifying the script save it onto server into temp Directory

image

From PowerShell Run it

clip_image002

clip_image003

clip_image004

After server reboot if we open Site and Services we will see the additional domain controller

clip_image005

Now couple additional Configuration we will perform on the new domain controller

Add-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-AdminCenter

clip_image006

Now you can open ADAC from GUI

clip_image007

Or you can open it from PowerShell

clip_image008

clip_image009

You can also open Site and Services

dssite.msc

clip_image010

You can open ADUC

Dsa.msc

clip_image011

More to read… AD Team

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)