You can apply this workaround on earlier version of Windows, if all your computers are not up to date. The disavdantage of this method is that icon images will disappear on some of your *.lnk files. So my advice is to upgrade as soon as possible your computers to a version which is supported by MS and apply the official security patch. Use the workaround only as last resort, the purpose of this post is to show you how to deploy this workaround with a GPO and play with WMI filtering. The Group Policy Center already wrote an article on how to deploy this workaround with GPO. We will just show you in this post how to target more precisely your computers which need the workaround by using WMI filers. We will achieve this under Windows 2008 by using Group Policy Preferences and activate the GPO workaround on the computers which have not the KB2286198 security patch installed. And we will show you how to achieve the same thing under AD 2003, without using Group Policy Preferences.

First, we will show you how to apply the Group Policy Center workaround by targeting only computers which have not the security patch installed. For this we will use Item-Level targeting. If you want to use Group Policy Preferences you need at least a DC running Windows 2008 in your domain and apply this KB on all your client computers, do not forget to install XMLLite on computers running Windows 2003 and Windows XP. One of the cool features about Item-Level targeting is Targeting Collection: You can add a “IS NOT” statement in your filter (i.e. request result is FALSE). With standard WMI filtering (i.e. not using Group policy Preference) you just can filter if the request returns TRUE, so you cannot filter if a KB is not installed, just if a KB is installed. In order to deploy the workaround on computers which have not KB2286198 installed just add Item-Level targeting on the registry key update and service deactivation:

The WMI request to retrieve if KB patch is installed browses the Win32_QuickFixEngineering class by filtering on HotFixID = ‘KB2286198′.

In order to disable the workaround just use the same WMI request and use default Targeting Collection, which applies if WMI filter returns TRUE. See part “disable workaround” in the Group Policy Center post, to know which registry key and WebClient settings to edit.

If your AD is still running with just Windows 2003 DCs, you cannot use Group Policy Preferences and a WMI filter only applies if the request returns TRUE, which is the standard behaviour. In order to bypass this limitation it is a bit tricky: We will create two GPOs and we will apply them in a particular order (priority):

• First GPO (KB2286198-WOKAROUND-AD2003-Enable) which will enable the workaround on all your workstations (no filtering): It will disable the WebClient Service and edit registry keys HKCR\lnkfile\shellex\IconHandler et HKCR\piffile\shellex\IconHandler and HKCR\lnkfile\shellex\IconHandler with a void default value. When the computer processes Group Policy, KB2286198-WOKAROUND-AD2003-Enable will be applied before the second GPO, so it’s priority will be lower.
• Second GPO (KB2286198-WOKAROUND-AD2003-Disable) which will disable the workaround on workstations with KB2286198 installed, by using a standard WMI filter. This GPO enables WebClient service at startup and edit the registry default value to its original setting ({00021401-0000-0000-C000-000000000046}). This GPO will have a higher priority than the first one, it will be applied after KB2286198-WOKAROUND-AD2003-Enable during the computer’s group policy processing.

In order to push the registry values mentioned earlier, without Group Policy preference, you will need to generate a custom administrative template with Yizhar Hurwitz’s tool: Reg2adm.If you need a tutorial on how to use it you can read this post. Otherwise if you just want to download both .ADM files just click on the image below:

The WMI filter you need to apply on the second GPO KB2286198-WOKAROUND-AD2003-Disable is still the same as under Windows 2008:

SELECT * FROM Win32_QuickFixEngineering WHERE HOTFixID = ‘KB2286198′

If you still (!) have Windows 2000 workstations and servers in you domain they will ignore the WMI filter. The GPO KB2286198-WOKAROUND-AD2003-Disable will always be applied to those computers, but you need to apply the workaround to them because the security patch cannot be installed on a W2K OS.

We will create a security group called W2K-WORKSTATIONS whose members are all our Windows 2000 computers. For that we will use Quest AD CMDlets and launch the following command:

get-QADComputer -OSName 'Windows 2000*' -ldapFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' -Sizelimit 10000 | Add-QADMemberof -Group 'ldap389\W2K-WORKSTATIONS'

Then we will set up a group security filtering on the GPOKB2286198-WOKAROUND-AD2003-Disable in order to deny its application for the W2K-WORKSTATIONS group.

The GPO KB2286198-WOKAROUND-AD2003-Enable looks like this:

And GPO KB2286198-WOKAROUND-AD2003-Disable with an higher priority than KB2286198-WOKAROUND-AD2003-Enable looks like this (WMI + security filtering):

On the image bellow is the startup menu and the resultant set of policy on a computer with KB2286198 installed and on a computer with workaround applied:

By using GPO processing order we can achieve what we want but it is a bit makeshift… As a conclusion keep your OS updated, in the future there might be no simple workarounds to halt a critical security breach

The method we will describe to achieve practically the same result works starting Windows 2003 server and later versions. We will restore objects from the Tombstone using Quest AD Cmdlets, your administration console should be at least running Windows XP, you do not need to install the RSAT (running on Windows 7 and 2008 server). You might have noticed on the “latest AD news sidebar“ that QAD Cmdlets version 1.4 was released a few days ago. The disadvantage of the method described is that it might be not supported by MS, for best practices regarding deleted objects restore you can read this KB article, you will also need to modify your Active Directory schema. Use this method if a few accounts are deleted, if have you deleted an entire OU use a proper authoritative restore. The advantage of using the powershell script is that the restore process is really quick.

Once an object is deleted, it is moved in to the Tombstone, some of the object’s attributes are erased for good. One of those attributes is the account password, when you restore a user or computer using the tombstone reanimation you cannot by default restore its password, which can be really annoying. In order to avoid this deletion you will need to modify your schema and update the SearchFlags attribute on this object: CN=Unicode-Pwd,CN=Schema,CN=Configuration,DC=domain. You can read Michael Pietroforte’s post to have more details and to know how to set up the attributes you do not want to be erased for good when an object is moved to the tombstone.

Unfortunately you cannot modify the Active Directory schema in order to store the group membership of a tombstone object, that is why you need a lag site to retrieve groups membership of an object. On this site the replication schedule is different: For example replication is only allowed once a day between 0h and 0h30, as a consequence an object deletion is not replicated immediately to the DC in this site. If the deletion occurred during the day you will be able to read the object group membership till midnight, then you can import the groups membership you just retrieved on the lag site into the reanimated object.

The Quest AD command to restore a deleted user object and then activate the user account is:

Get-QADUser -SamAccountName $AccountRestore | Restore-QADDeletedObject | Enable-QADUser   .......

$AccountRestore is the user account SamAccountName you need to restore from the tombstone. In order to restore a computer account just use Get-QADComputer instead. For a group you do not need to activate it… just use the Get-QADGroup Cmdlet.

Once user the account is restored we need to read its groups membership on the lag site and import this information into the freshly restored account:

.... | Get-QADMemberof -service $DC_LAG_FQDN | foreach { if($_.name -ne "Domain Users"){Add-QADGroupMember -service $DC_FQDN $_ -Member $AccountRestore}}

$DC_LAG_FQDN is the Domain Controller name located in the lag site, then you connect back to $DC_FQDN (DC were object was restored) and add group membership you just read. You import all groups except “Domain users” because the restored account is already member of this group. Use the same method for a computer object but this time just exclude “Domain computers”.

Restoring group objects is a bit more tricky: Because a group has members and can also be member of other groups. So you need to process first the members part and then the member of part, to achieve this use the following command:

.... | %{Get-QADMemberof -service $DC_LAG_FQDN $_ | foreach { Add-QADGroupMember -service $DC_FQDN -Member $AccountRestore} ; {Get-QADGroupMember -service $DC_LAG_FQDN $_ | Add-QADMemberOf -service $DC_FQDN -Group $AccountRestore}

As you can see, restoring an object with group membership can be done in Powershell with a one liner. You can download the .ps1 script bellow, which performs the restore of the three kind of objects: users, computers and groups.

You just need to edit the following variables:

• $Domain: Your domain NetBios name.
• $DC_FQDN: Domain Controller FQDN where the object is deleted.
• $DC_LAG_FQDN: Domain Controller FQDN located in your lag site.
• $AdminAD: Your admin account.

Once you launched the script just input the kind of object you need to restore: 1 for user, 2 for computer and 3 for group. Then enter your admin account password, and finally the account name you want to restore.

This script can be improved by adding new features: For example if you have no lag site, you could query all the DCs in your domain in order to get one DC where the deletion was not replicated yet, suspend inbound replication on this DC by using repadmin.exe, read group membership of the account which was deleted on other DCs, restore the object with group membership and turn back on inbound replication once restoration is completed.

There was no problem with GPOs in our domain: Replication was ok and GPOs were applied correctly on our computers/users objects. But we could not edit anymore GPOs connected to this DC. While the GPMC was hanging there was a lsass.exe CPU overload on the DC until the console was killed. Therefore we had to edit GPOs connected to any other DC, so the production environment was working near normal during the resolution of the incident.

The first thing we did was to launch an analysis with Server Performance Advisor on the DC while the GPMC was hanging, here is the result:

Apparently the DC has a problem performing an LDAP request initiated by the GPMC, and that is why the lsass.exe process on the DC consumes so much CPU time. In order to confirm this we will do two network packets captures with WireShark on our admin workstation, we will perform the same manipulations under GPMC, clicking on an OU to display GPOs linked to it: First with the GPMC connected to the problematic DC, console frozen after clicking on the OU. Second with the GPMC connected to another DC, where GPOs display and edition works fine:

On the first capture you can see that the LDAP request returns no result after two minutes, then we decided to kill the console. On the second one the LDAP request returns a result (a GPO DistinguishedName) after a few seconds.

We need now to identify what kind of LDAP request the DC could not perform, because all other LDAP requests were performed by the DC, for example searching for computers under the DSA console connected to this DC worked fine. For that we need to turn on Active Directory diagnostic event logging, especially Field Engineering , Event ID 1644 will be written in the event log when the LDAP request initiated by the GPMC will be performed, this event ID tells us that an inefficient LDAP query was performed and gives us the following information:

Results returned by the query should be the attributes GPLink and GPOptions, exactly what we expect, because by clicking on an OU under GPMC you want to display the GPOs linked to it (by the way that’s the result returned by the second network capture).
The attribute used as a filter for the LDAP query is ObjectCategory which is an indexed attribute of the AD Database. As a consequence the LDAP request should be performed quickly, which is not our case at all. We tried to launch the same request with ldp.exe tool, here the result:

———–
***Searching…
ldap_search_ext_s(ld, “DC=ldap389,DC=info”
, 2, “( | (objectCategory=CN=Domain-DNS,CN=Schema,CN=Configuration,DC=ldap389,DC=info) (objectCategory=CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=ldap389,DC=info) )”, attrList, 0, svrCtrls, ClntCtrls, 10, 0 ,&msg)
Error: Search: Timeout. <85>
Server error:
Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:
———–

We have a TimeOut, we tried the same request on other DCs and got no TimeOut at all. As a first step we decided to increase the value of the parameter MaxQueryDuration of the DC LDAP policy, and also increase the TimeOut parameter of ldp.exe, but with no significant results.

After some research on the web I stumbled on this very interesting article written by Tim Springston. It says that:

“if the attribute(s) which are showing as taking an extended amount of time to search for are already indexed then the lack of an index is clearly not your problem. Sometimes indices, perhaps through frequent changes or other reasons, need to be re-indexed to remove “whitespace” or other problems. So checking the integrity of the database or doing an offline defrag may be the way to go.”

So let’s do a semantic analysis of the DC’s ntds.dit file:

Inconsistent refcounts were detected: We launch this time the same analysis but in “fix mode” (KB’s step 11). Finally we proceed with an offline defragmentation of the database and exit DSRM mode.

Once the DC restarted we can use GPMC again connected to it: No more hanging when displaying GPOs and no more lsass.exe process CPU overconsumption.

If you want more details about restricted group policies and can understand French I suggest you read Jonathan’s post on the Portail MCSE blog. If you only understand English you will find a description here. You can use the “Members” portion of restricted group policy, which we will call “replace mode restricted group policy” or the “Member Of” portion of restricted group policy, which we will call “add mode restricted group policy”. This feature is supported on Windows 2000 SP4 and later versions.

In this article we will focus on setting up a replace mode restricted group policy that modifies the local administrator and power users group on our workstations.

Setting up this kind of GPO requires making an inventory of your computers: You have to know precisely which users have elevated rights on their PCs. Taking away these rights overnight might cause tension, in addition to technical problems that will occur… In order to retrieve users with those privileges you can use the trial version of Exporter Pro for 30 days, you can also use the command line freeware version, or you can set up your own inventory script.

Once you have a complete list of the domain users which have local administrator or power user privileges on their workstation you have to know why:

• Political reasons: That’s the way it is and it won’t change… You will not apply the replace mode restricted group policy on his workstation, you will apply the add mode restricted group policy.
• A Software installed on the PC needs elevated rights to run correctly.
• No particular reason : The replace mode restricted group policy will be applied on this workstation.

The second scenario is the one that needs an investigation: Usually an application does not need to have elevated rights to run properly, you just need to grant write permission on some folders, files and registry keys.

Our job will be to identify objects on which you need to grant write permissions for our application to run: The first thing to do is ask the software company, they certainly have this kind of information. Otherwise we will have to track files and registry keys our program tries to access by using Process Monitor. We will show how to perform this operation by studying Tun Plus 10.0.1 developed by Esker.

This application runs after the user logs on, the command “C:\Program Files\TUN\tcpw\walld32.exe -h” is launched. When you log on with a standard user account you have this error message:

We will identify what folders, files and registry keys the walld32.exe needs to have write access on. In your standard user session runas a local administrator the procmon.exe program. Start the capture, launch the walld32.exe -h and the error message should be displayed, stop the Process Monitor capture. Create a filter in order to retrieve denied access of the process walld32.exe:

Our standard user account is trying to write on the following registry keys and folders:

On the workstations where the Tun Plus software is installed you have to grant standard users the appropriate rights on the registry keys and folder. Before applying the replace mode restricted group policy you have to create a GPO that grants standard users the necessary rights on their computers. If your Tun Plus computers are located in the same OU as other computer objects you will need to apply security filtering so as not to grant the privileges on other workstations.

Rather than granting rights on the file system or registry to a user, you can also elevate privileges for an application (i.e. one or more processes) by using Privilege Authority edited by ScriptLogic.

Once you are done with this application inventory you can apply the replace mode restricted groups policy to almost all your computers. However you must ensure one last thing: That your users are owners of their profile. If the local administrators group owns the profile, former members of the administrator group downgraded to standard users may be surprised, as described in Jonathan’s post.

For the users that will retain elevated privileges on their workstations we will apply the add mode restricted group policy. Here is a screenshot of the replace and add mode GPOs:

You can change these GPOs to match your needs, you can add some local groups (e.g. Print Operators…), and choose the GPO mode you want to apply.

The autologon workstation uses a service user account to open a windows session, the most obvious way to set up an autologon on a workstation is to edit registry keys. This method is not secure because the account credentials appear in clear text in the registry, meaning that the account can easily be used for other purpose.

In order to hide the password we will use the Autologon.exe tool developed by Sysinternals. This program uses the LSAStorePrivateData function in order to protect the password. This solution is less vulnerable than others, though not perfect. Have a look at this article which lists the free autologon solutions available.

We will now describe how to set up and automate the deployment of such workstations by following these steps: Create and configure service user and computer accounts in AD, customize service user accounts profiles, join workstations to the domain, apply restrictive GPOs to our computers and service user accounts and finally activate autologon on the workstations.

To achieve the first step we will use a script, fill in the file input.txt by writing on each line the name of the computer accounts to create. The service user account name will be prefixed with “s-” then the computer account name. You will need to change values at the beginning of the script in order to suit your environment:

• OUComputers: The Organizational Unit Distinguished Name where you want to create your computer accounts. Put these accounts in a dedicated OU because we will apply a very restrictive GPO on these workstations. If you don’t want to or cannot isolate these accounts you will need to apply a security filter to the GPO in order not to impact other workstations or servers inside the OU. You can set up security filtering by creating a group of computer accounts and apply the GPO to this group only.
• OUUsers: The OU Distinguished Name where you want to create your service user accounts.
• DomainFQDN: Your domain FQDN.
• DomainName: Your domain NetBios Name .
• DNGroup: Group Distinguished Name your service user accounts should be members of. You can adapt the script to put service user accounts in several groups or none. Or change it in order to put the computer accounts into a group in order to achieve a group policy security filtering.
• ProfileServerPath: Service user accounts will have roaming profiles that will also become mandatory via GPO. We will edit the profilepath account value in order to host the profiles on a network share

Here is the script:

'## debut script###
OUComputers = "OU=Autologon-Computers,DC=ldap389,DC=info"
OUUsers = "OU=Users-Autologon,DC=ldap389,DC=info"
DomainFQDN = "ldap389.info"
DomainName = "ldap389"
DNGroup = "CN=GroupAutologon,OU=Groups,DC=ldap389,DC=info"
ProfileServerPath = "ServerNameProfiles"
 
Const ForReading = 1
Const ADS_PROPERTY_APPEND = 3
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
 
Set fso = CreateObject("Scripting.FileSystemObject")
sCurPath = fso.GetAbsolutePathName(".")
Input = sCurPath&"input.txt"
Output = sCurPath&"output.txt"
 
Set df1 = fso.OpenTextFile(Input,ForReading,True)
Set FLog = fso.CreateTextFile(Output)
 
Do while Not df1.AtEndOfStream
	varLigne = df1.readline()
'Create service account to use for autologon
	Login = "s-"&varLigne
	Set objOU = GetObject("LDAP://"&OUUsers)
	Set objUser = objOU.Create("User", "cn="&Login)
	objUser.Put "sAMAccountName", ""&Login
	objUser.Put "UserPrincipalName", ""& Login &"@"&DomainFQDN
	objUser.Put "sn", ""&Login
	objUser.Put "givenname", ""&Login
	objUser.Put "description", "Autologon account: "&varLigne
	objUser.Put "Profilepath", ProfileServerPath&""&Login
	objUser.SetInfo
'Generate password, use function of your choice, you can use http://www.tek-tips.com/faqs.cfm?fid=5340 by Mark D. MacLachlan
	pwd = generatePassword(15)
	objuser.SetPassword ""& pwd
	objUser.AccountDisabled=False
	objUser.SetInfo
 
 
'Set password never expires
intUAC = objUser.Get("userAccountControl")
 
If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
    Wscript.Echo "Already enabled"
Else
    objUser.Put "userAccountControl", intUAC XOR _
        ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
 
End If
 
' Set user cannot change password
Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = array("nt authorityself", "EVERYONE")
 
For Each strTrustee in arrTrustees
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = strTrustee
    objACE.AceFlags = 0
    objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
    objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
    objACE.ObjectType = CHANGE_PASSWORD_GUID
    objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
    objDACL.AddAce objACE
Next
 
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser. SetInfo
 
 
 
'Generate command to run autogon.exe on workstation	

	Flog.writeline("autologon.exe "&Login&" "&DomainName&" "&pwd)
 
'Add user created to the group DNGroup

	Set objGroup1 = GetObject("LDAP://"&DNGroup)
	objGroup1.PutEx ADS_PROPERTY_APPEND, "member", Array("cn="&Login&","&OUUsers)
	objGroup1.SetInfo
 
'Create computer account
	Set objOU2 = GetObject("LDAP://"&OUComputers)
	Set objCpu = objOU2.Create("Computer", "cn="&varLigne)
	objCpu.Put "sAMAccountName", varLigne & "$"
	objCpu.Put "userAccountControl", 4096
	objCpu.Put "description", "Autologon workstation"
	objCpu.Setinfo
	Loop
 
df1.close
 
msgbox "OK"
WScript.Quit
 
Function generatePassword(PASSWORD_LENGTH)
'......................
End Function
 
'## fin script###

Download script here:

Pour télécharger le script c’est ici:

In order to randomize the service user account password we use Mark D. MacLachlan’s function the same way as in my previous post. You can also decide to input the same password for each account. The accounts are flagged “User cannot change password” and “The password never expires” because if the password changes you will need to configure your workstation again with the autologon.exe program. The output.txt file contains command line instructions you should run on your workstations to set up autologon with Sysinternals tool. We will use this file later.

Now you need to configure your user accounts roaming profiles by copying it from an existing profile template.

Then, having created computer accounts with the above script, join your workstations to the domain.

Create and Link a GPO to the OU where are located the computer accounts, if necessary apply group policy security filtering. On those workstations we need to modify the user environment in order to secure them. In order to apply user settings on a computer object we use the Group Policy loopback feature.

Under Active Directory 2003 some registry settings cannot be edited through default administrative templates, therefore you have to create custom ADM files, I suggest you read this document, which explains all of the details for registry-based Group Policy. You can also use the reg2adm tool embedded in the Network UTilities Suite developed by Yizhar Hurwitz.

Under Active Directory 2008 thanks to Group Policy Preferences editing a registry key is more simple (read page 10 of the whitepaper).

We will use Simon Geary’s custom administrative template in order to disable USB, CD drives on the autologon workstations.

In order to make preconfigured roaming profiles mandatory we will enable this setting on the GPO:“Prevent Roaming Profile changes from being propagated to the server”.

Several restrictive settings are applied to the GPO, this list is not exhaustive, you can add or delete settings at your convenience:

Finally in order to activate the autologon on the workstations, you need to run the appropriate command line which is provided in the output.txt file on each computer.

We will implement a scheduled task, launched with a service account that is granted the sufficient permissions to change our generic account password, that will proceed to change the password and notify the users that are entitled to use the account. This task will run monthly if you want to change the password every month.

First we have to make some modifications on the generic account:

• Leave the flag “passsword never expires”: The password will be changed when our task runs and not when our Default Domain Password Policy (under Windows 2003) or our “Fine Grained Password Policies” (under Windows 2008) requires it.
• Enable the flag “User cannot change password”: Password will only be changed by our service account running the scheduled task or by AD administrators.
• Allow the service account to change the generic account’s password.

Have a look at the following screenshots, s-pwd-supervision is the service account that will run the scheduled task and g-generic is the generic account.

We need to create the scheduled task: The script changepass.vbs will be launched every 1st of the month at 5 am by our service account s-pwd-supervision:

We will now show what is in the script changepass.vbs, first we need to generate a random password and then attribute it to the generic account g-generic. The password generator function was copied from this page,the author is Mark D. MacLachlan, You can find some other functions on the Web. You have to change the DNg-generic value that is the generic account Distinguished Name. “GeneratePassword” function is set up to generate an 8 character long password, you can change this value, as long as you meet your password length policy requirements.

DNg-generic = "CN=g-generic,OU=users,DC=ldap389,DC=info"
 
pwd = generatePassword(8)
 
Set objUser = GetObject("LDAP://"&DNg-generic)
 
objUser.SetPassword pwd
 
Function generatePassword(PASSWORD_LENGTH)
 
Dim NUMLOWER, NUMUPPER, LOWERBOUND, UPPERBOUND, LOWERBOUND1, UPPERBOUND1, SYMLOWER, SYMUPPER
Dim newPassword, count, pwd
Dim pCheckComplex, pCheckComplexUp, pCheckComplexLow, pCheckComplexNum, pCheckComplexSym, pCheckAnswer
 
 NUMLOWER    = 48  ' 48 = 0
 NUMUPPER    = 57  ' 57 = 9
 LOWERBOUND  = 65  ' 65 = A
 UPPERBOUND  = 90  ' 90 = Z
 LOWERBOUND1 = 97  ' 97 = a
 UPPERBOUND1 = 122 ' 122 = z
 SYMLOWER    = 33  ' 33 = !a
 SYMUPPER    = 46  ' 46 = .
 pCheckComplexUp  = 0 ' used later to check number of character types in password
 pCheckComplexLow = 0 ' used later to check number of character types in password
 pCheckComplexNum = 0 ' used later to check number of character types in password
 pCheckComplexSym = 0 ' used later to check number of character types in password

 ' initialize the random number generator
 Randomize()
 
 newPassword = ""
 count = 0
 DO UNTIL count = PASSWORD_LENGTH
   ' generate a num between 2 and 10

 ' if num <= 2 create a symbol
   If Int( ( 10 - 2 + 1 ) * Rnd + 2 ) <= 2 Then     pwd = Int( ( SYMUPPER - SYMLOWER + 1 ) * Rnd + SYMLOWER )    ' if num is between 3 and 5 create a lowercase    Elseif Int( ( 10 - 2 + 1 ) * Rnd + 2 ) > 2 And  Int( ( 10 - 2 + 1 ) * Rnd + 2 ) <= 5 Then     pwd = Int( ( UPPERBOUND1 - LOWERBOUND1 + 1 ) * Rnd + LOWERBOUND1 )     ' if num is 6 or 7 generate an uppercase    Elseif Int( ( 10 - 2 + 1 ) * Rnd + 2 ) > 5 And  Int( ( 10 - 2 + 1 ) * Rnd + 2 ) <= 7 Then     pwd = Int( ( UPPERBOUND - LOWERBOUND + 1 ) * Rnd + LOWERBOUND )    Else        pwd = Int( ( NUMUPPER - NUMLOWER + 1 ) * Rnd + NUMLOWER )    End If   newPassword = newPassword + Chr( pwd )      count = count + 1      'Check to make sure that a proper mix of characters has been created.  If not discard the password.   If count = (PASSWORD_LENGTH) Then       For pCheckComplex = 1 To PASSWORD_LENGTH           'Check for uppercase           If Asc(Mid(newPassword,pCheckComplex,1)) >64 And Asc(Mid(newPassword,pCheckComplex,1))< 90 Then                   pCheckComplexUp = 1           'Check for lowercase           ElseIf Asc(Mid(newPassword,pCheckComplex,1)) >96 And Asc(Mid(newPassword,pCheckComplex,1))< 123 Then                   pCheckComplexLow = 1           'Check for numbers           ElseIf Asc(Mid(newPassword,pCheckComplex,1)) >47 And Asc(Mid(newPassword,pCheckComplex,1))< 58 Then                   pCheckComplexNum = 1           'Check for symbols           ElseIf Asc(Mid(newPassword,pCheckComplex,1)) >32 And Asc(Mid(newPassword,pCheckComplex,1))< 47 Then
                  pCheckComplexSym = 1
          End If
      Next
 
      'Add up the number of character sets.  We require 3 or 4 for a complex password.
      pCheckAnswer = pCheckComplexUp+pCheckComplexLow+pCheckComplexNum+pCheckComplexSym
 
      If pCheckAnswer < 3 Then
          newPassword = ""
          count = 0
      End If
  End If
 Loop
'The password is good so return it
 generatePassword = newPassword
 
End Function

We are not done yet, we need to notify the users that are entitled to use the account. For this you can use two methods:

The first is to notify users via Email, for that you can use Blat, Bmail or use the CDO object in your script. You just need to input SMTP server, recipients and the password in the text body of your Email.

The second one is to publish the password on a Web page with an IIS server. Once the password is generated and attributed to our generic account, it will be written in an HTML file located in a folder on our IIS server. You should restrict access to this folder, therefore to this Web page, to nominative accounts that are entitled to use this generic account. For that you just need to set up NTFS rights on this folder:

• Service account running the scheduled task should be granted the write access.
• Nominative accounts that are entitled to use this generic account should be able to read the folder content, we will grant read access to a group containing the nominative accounts that should be aware of the password change. If a non-authorized person tries to access the page they will receive a 401.3 HTTP error.

Security can be further increased on this page: When authorised persons access it, the page remains blank. The user must place the cursor on a particular point on the page for the password to show up. This is done using the Javascript function OnMouseOver. Once your password has been generated by the script, simply add the following lines to your code:

 
'PathIISHTML is the path of your HTML file on your IIS Server
PathIISHTML = "IISserverShareNameFile.html"
Const ForWriting = 2
Set FSO = CreateObject("Scripting.FileSystemObject")
Set f3 = fso.OpenTextFile(PathIISHTML,ForWriting,1)
 
f3.writeline("<div id='myText' style='visibility: hidden'>"&pwd&"</div>")
f3.writeline("<p onMouseOver="&chr(34)&"myText.style.visibility = 'visible'"&chr(34))
f3.writeline("onMouseOut="&chr(34)&"myText.style.visibility = 'hidden'"&chr(34)&">")
f3.writeline("<BR>")
f3.writeline("</p>")
f3.close

Download the full sample script here:

You will notice that with this type of code it is very simple to generate a HTML page. It can be used in other scripts to present reports a little more clearly than with simple text files.
A final remark: Before setting up a change of password for a generic account, ensure that it is not being used by a scheduled task, autologon workstation or windows service.

In order to analyze in real time the security log of all your DCs you need to pay for a Syslog solution, like Snare or Kiwi. Or you can try to setup an eventlog forwarding solution if you are under Windows 2008, you can also try to run a script that catches security log events, but you might encounter some performance issues.

We noticed in last post that the GPLink attribute was already set up in default audit settings. We will have a closer look at this attribute with adsiedit.msc:

GPLink has the following structure [LDAP://CN={31F5F311-013D-11D2-125F-00D04F0E84F9},CN=Policies,CN=System,DC=ldap389,DC=info;0][LDAP://CN={31F5F311-0187-EFD2-345F-BED04F1284F9},CN=Policies,CN=System,DC=ldap389,DC=info;2], each GPO linked to the OU/Site/Domain is separated with “[]“, between the brackets there are two data that are separated with a ; : The GPO Distinguished Name and how this GPO is applied, a number between 0 and 3:

• 0: GPO enabled, not enforced
• 1: GPO disabled, not enforced
• 2: GPO enabled and enforced
• 3: GPO disabled and enforced

You can retrieve GPLink information described above by using the following script. We now need to monitor the security log to catch GPLink modifications in real time:

Under Windows 2003 Event ID 566 is created in security log when you modify an audited attribute. The problem is that you do not have information about the value of the attribute before and after the modification.

,

You have the following information: Who modified the GPO link, on which DC and the Distinguished Name of the OU/Site/Domain modified. If you want to get the GPLink value after modification, you just need to do an LDAP query on the DC where the modification occurred. To retrieve the GPLink value before modification you need a lag site, Microsoft does not support delayed replication DC if you use it for a disaster recovery plan, but you can use a lag site in this context: We just use it to retrieve information before modification. Then we just need to compare data after and before modification to know which GPO link was modified.

Under Windows 2008 you do not need a lag site, you have the before and after value of the modified attribute in the security log, you just need to activate AD auditing on your DC. Event ID is 5136, value before modification is in the event where operation equals value deleted, value after modification is in the event where operation equals value added

If you create your first GPO Link on an object (e.g. OU/Site/Domain) value before modification will be void, value after modification equals the new GPlink. If you delete the last GPLink on an object value before modification equals the single GPLink and value after modification is void. If you are monitoring GPO Links on a Windows 2003 environment it will be a bit more complex: If you create you first GPO Link on a object, the LDAP request on the lag site will return an error code, because value doesn’t exist, so you have to handle error codes in your LDAP requests. It’s the same when you delete last GPLink, you have to handle the error code returned by your LDAP request made on the DC where the deletion occurred.

Depending on the OS version of your DC you need to set up your Snare Agents in order to catch event IDs 566 or 5136 in security log, you can of course use other Syslog Softwares. In our infrastructure the application collecting Snare agents data is Kiwi. We noticed that some values were not logged with friendly names, especially the Distinguished Name of the OU/Site/Domain on which the modification happened. This information was logged with the GUID string value of the object, if you want to get the friendly name (DN) you need to use this script provided by MS. There is a little error in this KB article, the function name is not correct, you should replace the penultimate line by “ConvertStringGUIDToHexStringGUID = octetStr”.

We will now show how to compare GPLink value before modification and after modification in order to be aware of GPO Links modifications. As already discussed a GPLink has two parts: Distinguished Name of GPO, and a numeric value that tells us how GPO is applied. Here are the differents cases:

• GPLink value before [DNGPO1;0][DNGPO2;3] and GPLink value after [DNGPO1;0][DNGPO2;3][DNGPO3;2] a new enforced link was created.
• GPLink value before [DNGPO1;0][DNGPO2;3] and GPLink value after [DNGPO1;0] Link of DNGPO2 has been deleted on our OU/Site/Domain.
• GPLink value before [DNGPO1;0][DNGPO2;3] and GPLink value after [DNGPO1;1][DNGPO2;3] Link of DNGPO1 was disabled (but not deleted).
• GPLink value before [DNGPO1;0][DNGPO2;3] and GPLink value after [DNGPO1;0][DNGPO2;2] Link of DNGPO2 was enabled and is still enforced.
• etc…

In order to compare data before and after we will use dictionary objects. We create two dictionaries, one with data before modification and a second with data after modification. The dictionaries keys will be the GPOs Distinguished Names and dictionaries values will be the numeric values between 0 and 3. Here is how two create both dictionaries:

'After modification GPLink dicitonnary
Set GPLinkdict = CreateObject("Scripting.Dictionary")
'Before modification GPLink dicitonnary
Set GPLinkdictLAG = CreateObject("Scripting.Dictionary")
 
'strGPLinkAfter is the GPLink value after modification, you retrieved it with the event log
'under Windows 2008 and with an LDAP request on the where DC the modification occurred under Windows 2003

if instr(strGPLinkAfter,"]") <> 0 then
OUModifiedGPLINK = split(strGPLinkAfter,"]")
For i = UBound(OUModifiedGPLINK) -1 to LBound(OUModifiedGPLINK) Step -1
GPOLinkstatus = split(OUModifiedGPLINK(i),";")
GPLinkdict.add GPOLinkstatus(0),GPOLinkstatus(1)
Next
End if
 
 
'strGPLink before is the GPLink value before modification, you retrieved it with the event log
'under Windows 2008 and with an LDAP request on the LAG DC under Windows 2003

 
if instr(strGPLinkBefore,"]") <> 0 then
OUModifiedGPLINKLAG = split(strGPLinkBefore,"]")
For j = UBound(OUModifiedGPLINKLAG)-1 to LBound(OUModifiedGPLINKLAG) Step -1
GPOLinkstatusLAG = split(OUModifiedGPLINKLAG(j),";")
GPLinkdictLAG.add GPOLinkstatusLAG(0),GPOLinkstatusLAG(1)
Next
End if

Click here to download sample script:

Now we will read through GPLinkdict dictionary, containing keys and values after modification and compare them to keys and values of the other dictionary. If a key doesn’t exist in the GPLinkdictLag dictionary, containing keys and values before modification, this means that a GPO Link was just created. If for the same key in both dictionaries the value is different, then the GPO Link was enabled/disabled or the enforce parameter was changed. With this script you can find out when GPO Linkq are created or wether the state of an existing GPO Link has changed:

 
'The DC where the modification was recorded, retrieved with eventlog
dcsource = "DCSOURCENAME"
 
'OU/Site/Domain name where GPO Link was modified, retrieved with eventlog
OUName = "OUName"
 
'User who made the modication, retrieved with eventlog
Username = "UsernName"
 
For Each oGPLinkdict in GPLinkdict
	If Not GPLinkdictLAG.Exists(oGPLinkdict) Then
 
	Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
	DNobjGPOd = objGPOd.Get("DisplayName")
	Msgbox Username&" created a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value: "&GPLinkdict.Item(oGPLinkdict)
 
	Else 
		If GPLinkdictLAG.Item(oGPLinkdict) <> GPLinkdict.Item(oGPLinkdict) then
 
			if (GPLinkdictLAG.Item(oGPLinkdict) = 0 OR GPLinkdictLAG.Item(oGPLinkdict) = 2) AND (GPLinkdict.Item(oGPLinkdict) =1 OR GPLinkdict.Item(oGPLinkdict) = 3) then
 
			Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
			DNobjGPOd = objGPOd.Get("DisplayName")
			Msgbox Username&" disabled a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value Before: "&GPLinkdictLAG.Item(oGPLinkdict)&"  / Link Value After: "&GPLinkdict.Item(oGPLinkdict)
 
			Else
 
			Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
			DNobjGPOd = objGPOd.Get("DisplayName")
			Msgbox Username&" enabled a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value Before: "&GPLinkdictLAG.Item(oGPLinkdict)&"  / Link Value After: "&GPLinkdict.Item(oGPLinkdict)
 
			End if
 
 
		End if 
	End if
Next

Click here to download sample script:

Finally we need to get GPO links that were deleted, for this we will read through the GPLinkdictLag dictionary. If a key doesn’t exists in the GPLinkdict dictionary then the GPO Link was deleted:

'Enter LAGDC if you have one, it will be useful only in this case : if a Link is deleted and the GPO is deleted from the domain as well at the same time
'In that case we cannot retrieve GPO Display Name if we do not have lag site.
'If no lag site then LAGDC = ""
LAGDC = "LAGDCNAME"
 
For Each oGPLinkdictLAG in GPLinkdictLAG
  If Not GPLinkdict.Exists(oGPLinkdictLAG) Then
	err.clear
	Set objGPOd = GetObject(split(replace(oGPLinkdictLAG,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
	if err.number <> 0 then
		if LAGDC <> "" then
		Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
		DNobjGPOd = objGPOd.Get("DisplayName")
		Else
		DNobjGPOd = split(oGPLinkdictLAG,"[")(1)
	Else 
	DNobjGPOd = objGPOd.Get("DisplayName")
	End if
	Msgbox Username&" deleted a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value was: "&GPLinkdictLAG.Item(oGPLinkdict)
  End if
Next

Click here to download sample script:

By following the guidelines described in this post and the previous one you can build your own GPO monitoring tool. In addition to creating reports you can launch a backup when a GPO is modified as well, by using sample scripts shipped with the GPMC.

When you create/delete a GPO a folder named \\domainname\sysvol\domainfqdn\Policies\{%GPO_GUID%} is created/deleted. When you modify the computer/user configuration of a GPO the file \\domainname\sysvol\domainfqdn\Policies\{%GPO_GUID%}\gpt.ini is modified, for more information, read this post. The purpose of our script will be to notify us in quasi real time of modifications occuring on those files and folders.

What are the pros and cons of our method in comparison to the eventlog monitoring method?

• Cons: You should expect a CPU load on the DC where you run the script. You need a lag site if you want to retrieve accurate information when a GPO deletion occurs. You cannot get the username of the person who made the modification. You are notified of GPO modification when the SYSVOL replication occurs on the DC where you run the script.
• Pros: If you want to track in real time the security log of your DCs you need a Syslog software (like Kiwi or Snare), but you need to pay for that. You need to activate auditing and install a Snare service on every DC, our script runs on just one DC.

So, how do you create a service (script) that will monitor GPO changes on your domain? For this you will need WMI code creator, this tool will help to create a script that tracks {%GPO_GUID%} folder creation/deletion and {%GPO_GUID%}gpt.ini file modification on the sysvol share.

We will use WMI asynchronous event monitoring. You just need to follow those steps to monitor the creation of {%GPO_GUID%}: folders.

During step 5 you need to input the name of the root folder you are monitoring :‘Win32_Directory.Name=”"F:\WINDOWS\SYSVOL\domain\Policies”"‘”, that contains all the subfolders {%GPO_GUID%} created.

And here we have our WMI asynchronous event query:

For more information about this method you can browse this webpage.
Now we can monitor {%GPO_GUID%} folder creation/deletion, we just need to retrieve the GPO display name with an LDAP query by using this script:

On error resume next
strComputer = "."
DomainDN = "DC=ldap389,DC=info"
DomainDNSFQDN = "ldap389.info"
LAGDC = "LAG_DC"
BackupLocationTool = "G:Tool"
Const ForAppending = 8
Set FSO = CreateObject("Scripting.FileSystemObject")
 
Set objWMIService = GetObject("winmgmts:" & strComputer & "rootCIMV2")
Set MySink = WScript.CreateObject( _
    "WbemScripting.SWbemSink","SINK_")
 
Set MySink2 = WScript.CreateObject( _
    "WbemScripting.SWbemSink","SINK2_")
 
objWMIservice.ExecNotificationQueryAsync MySink, _
    "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE " & _
                    "TargetInstance ISA 'Win32_SubDirectory'" & _
                    " AND TargetInstance.GroupComponent = 'Win32_Directory.Name=""F:\WINDOWS\SYSVOL\domain\Policies""'"
 
objWMIservice.ExecNotificationQueryAsync MySink2, _
    "SELECT * FROM __InstanceDeletionEvent WITHIN 60 WHERE " & _
                    "TargetInstance ISA 'Win32_SubDirectory'" & _
                    " AND TargetInstance.GroupComponent = 'Win32_Directory.Name=""F:\WINDOWS\SYSVOL\domain\Policies""'
 
While (True)
    Wscript.Sleep(1000)
Wend
 
Sub SINK_OnObjectReady(objObject, objAsyncContext)
	gpofullpath = objObject.TargetInstance.Properties_.item("PartComponent").value
	gpoid1 = split(lcase(gpofullpath),"policies")
	gpouid = replace(gpoid1(1),chr(34),"")
 
	strGPODN = "CN="&gpouid&",CN=Policies,CN=System,"&DomainDN
 
		Set objGPO = GetObject("LDAP://" & strGPODN)
		StrGPOName = objGPO.DisplayName
 
	Set df80 = FSO.OpenTextFile(BackupLocationTool&"GPM-Modified.log",ForAppending)
	df80.writeline(now&";CREATED;"&gpouid&";"&StrGPOName)
	df80.close
End Sub
 
Sub SINK2_OnObjectReady(objObject, objAsyncContext)
    gpofullpath = objObject.TargetInstance.Properties_.item("PartComponent").value
StrGPOName = "N/A"
	gpoid1 = split(lcase(gpofullpath),"policies")
	gpouid = replace(gpoid1(1),chr(34),"")
		if LAGDC <> "" then
		strGPODN = "CN="&gpouid&",CN=Policies,CN=System,"&DomainDN
		err.clear
		Set objGPO = GetObject("LDAP://" &LAGDC&"/"&strGPODN)
		if err.number <> 0 then
		StrGPOName = "N/A"
		else
		StrGPOName = objGPO.DisplayName
		End if
		End if
	Set df80 = FSO.OpenTextFile(BackupLocationTool&"GPM-Modified.log",ForAppending)
df80.writeline(now&";DELETED;"&gpouid&";"&StrGPOName)
df80.close
End Sub
 
Sub SINK_OnCompleted(objObject, objAsyncContext)
End Sub

Download vbs script here (recomanded):

You will need to change the following values on the script:

• DomainDN = “DC=ldap389,DC=info”, Your domain Distinguished Name.
• DomainDNSFQDN = “ldap389.info”, fully qualified domain name
• BackupLocationTool = “G:Tool”, Folder where the script runs.
• LAGDC = “LAG_DC”, If you want to get GPO friendly name and not GUID when a deletion occurs you will need a Lag site, the DC with delayed replication will help you to get deleted GPO displayname, because attribute might be already deleted on other DCs.If you do not have a lag site just input LAGDC = “”

We now want to monitor modifications happening on GPT.INI files that are located on the SYSVOL share, we will use the following script:

objWMIservice.ExecNotificationQueryAsync MySink3, _
    "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE " & _
                    "TargetInstance ISA 'CIM_DataFile'" & _
                    " AND TargetInstance.Drive = 'F:'" & _
                    " AND TargetInstance.Extension = 'ini'" & _
                    " AND TargetInstance.FileName = 'gpt'"
 
Sub SINK3_OnObjectReady(objObject, objAsyncContext)
 
if objObject.TargetInstance.Properties_.item("LastModified").value <> objObject.PreviousInstance.Properties_.item("LastModified").value then
	gpofullpath = objObject.TargetInstance.Properties_.item("Name").value
 
	if instr(gpofullpath,DomainDNSFQDN) = 0 then
 
		gpoid1 = split(lcase(gpofullpath),"policies")
 
		gpoid2 = split(lcase(gpoid1(1)),"gpt.in")
		gpouid = gpoid2(0)
 
		strGPODN = "CN="&gpouid&",CN=Policies,CN=System,"&DomainDN
		Set objGPO = GetObject("LDAP://" & strGPODN)
		StrGPOName = objGPO.DisplayName
 
	End if
End if
 
End Sub

Download vbs script here (recomanded for syntax problem in plug-in):

If you want to know more on how to monitor changes on the file system you can read this post. Once you have adapted the script to your needs it will run on a SYSVOL that is not too big otherwise you might encounter performance problems.

If you have thousands of GPOs in your domain, your script has to monitor loads of folders and files and you might reach a WMI quota. You will get this kind of error message: wmi quota violation 0x8004106C (check WMI error codes here). When monitoring 3500 GPOs our script crashed with this error after a few minutes. We used wbemtest.exe to change some values in the __ArbitratorConfiguration super class. We used the following rule: %Total = %PerUser. This way the account running the service (script) will not be limited by a user quota, the quota limitation will just be the total. In that case you should expect an additional CPU/Memory load on your DC. Here is a CPU Graph (dual core 2,5Ghz) monitoring 3500 GPOs.

We will now need to create a Windows service from a script: Just read this tutorial which is really well explained. We just followed the different steps explained in the post.

You can also add a dependence on the WMI service. Your service will not start until WMI is ready:

That’s it, your service can monitor SYSVOL changes. You can be aware of GPT changes occurring in your domain. Next post will show how to monitor Group Policy Links, for this we will use the GPLink attribute which is enabled in default audit settings. Just see this tab:

Once you can monitor GPLinks changes on a OU/site/domain you will be able, in combination with GPT modification information, to get all major changes on your GPOs:

• GPO creations
• GPO deletions
• User/Computer settings modifications
• GPO Link modification

We can see that CPU is really busy during office hours, an application used by client computers might be a good lead for explaining this phenomenon. So we proceed with an anlysis of the DC with SPA and here are the results:

There is a SamEnumUsersInDomain request that consumes 42% of CPU load. Unfortunatly we cannot identify clearly the clients with SPA, so we will use WireShark to monitor DC’s network activity.

After analysing the data we can deduce that communication protocol used by client’s request is MS-SAMR. So we just need to use the appropriate filter (SAMR) with Wireshark to identify the clients. We sent the computers list to the local IT support of the site impacted and it revealed that those clients were laptops with HP ProtectTools security manager installed. This application was uninstalled on most of them because we do not use SMART cards and we could see the results on CPU Load almost immedialty:

If you want to identify the application causing trouble on client’s side by filtering which process uses a particular protocol or sends a request to a particular machine you use can TCPview or CurrPorts, if you want more information on the second application you can read an article of my colleague on CTXBlog (it’s in french).

The issue concerning the HProtectTools application was discussed on this forum. You need to upgrade to Sp41408 to get rid of the problem if you decide to keep the application on your laptops.