windows-nt/Source/XPSP1/NT/admin/admt/updateacl.txt

98 lines
5.7 KiB
Plaintext
Raw Normal View History

2020-09-26 03:20:57 -05:00
Overview
========
In Whistler, the default security descriptors of various objects were adjusted to tighten domain and forest security. By default, domain controllers that were upgraded to Whistler do not receive all of these security enhancements and the access control entries of existing objects are not changed.
Run this script on domain controllers that have been upgraded to Whistler to ensure that an upgraded domain and all objects in the domain will have the same level of security as a freshly installed Whistler domain.
Domain Security Improvements
----------------------------
One example of domain security improvements in Whistler is that the Anonymous Logon token was removed from the Everyone group, so, by default, only authenticated users are be members of the Everyone group. This change improves security because, when members of the Everyone group are granted access to a resource, only authenticated users will have access to this resource.
If the upgraded domain is configured to allow pre-Windows 2000 compatible access, the script will add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group. To determine if a particular domain allows pre-Windows 2000 compatible access, check the membership of the Pre-Windows 2000 Compatible Access group. If the Everyone group is member of the Pre-Windows 2000 Compatible Access group, the domain allows Pre-Windows 2000 compatible access. Running the script on this domain will add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group.
For a list of the domain security changes made, see the Domain Component Output section of this document. For a list of the objects to which additional access control entries were added, see the Details section of this document. For descriptions of each of the new access control entries, see the comments in the script.
Forest Security Improvements
----------------------------
Active Directory stores forest configuration information in the Configuration container. The Configuration container is replicated to all domain controllers in the forest. This script will add Whistler access control entries to existing objects in the configuration container.
For a list of the forest security changes made, see the Forest Component Output section below. For a list of the objects to which additional access control entries were added, see the Details section of this document. For descriptions of each of the new access control entries, see the comments in the script.
Usage
=====
The script has two components: a domain component, and a forest component. A command line parameter specifies which component to execute.
To run the domain component, you must have Global Admin rights in the domain, local Administrator rights are not sufficient for some changes. To run the forest component, you must have Enterprise Administrator rights.
Run the domain component on only one domain controller that has been upgraded to Whistler in each domain in your forest. The changes will replicate to the other domain controllers in the domain.
Run the forest component on only one domain controller that has been upgraded to Whistler. The changes will replicate to all of the domain controllers in the forest.
You need to specify the name of the domain. The domain controller where you run the script must be a domain controller in this domain.
To run the script:
1. Open a command window.
2. Type
cscript UpdateDomainACL.vbs [ /Domain | /Forest ] [Domainname]
Troubleshooting
===============
If the upgrade of one or more access control entries fails, make sure that you are running the script with sufficient privileges. You must have Domain Administrator rights to run the domain component and Enterprise Administrator rights to run the forest component.
The script will fail single updates if the sAMAccount names of the following groups were changed:
- Pre-Windows 2000 Compatible Access
- Cert Publishers
To solve the problem, either rename the groups to their original sAMAccountName, or adjust the trustee names used in the script to the new sAMAccountNames.
Script Output
=============
Domain Component Output
-----------------------
If all domain access control list updates succeed, you will see the following output:
C:\>cscript UpdateDomainACL.vbs /Domain example.microsoft.com
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2000. All rights reserved.
Anonymous Logon to Pre-Windows 2000 Compatible Access Group added
Domain Password Property Set ACE set for RU
Domain Other Parameters ACE set for RU
Inheritable rights on Organizational Units set on Domain Object for RU
Domain policy ACE for Enterprise Domain Controllers set
Domain Controller policy ACE for ED set
Policy Container ACE for Enterprise Domain Controllers set
AdminSDHolder ACEs set
ACE for Enterprise Domain Controllers on user domain policy set
ACE for Enterprise Domain Controllers on user DC policy set
ACE for Enterprise Domain Controllers on machine domain policy set
ACE for Enterprise Domain Controllers on machine DC policy set
Forest Component Output
-----------------------
If all forest access control list updates succeed, you will see the following output:
C:\>cscript UpdateDomainACL.vbs /Forest example.microsoft.com
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2000. All rights reserved.
Inherited ACE for Enterprise Domain Controllers on Sites container set
Details
=======
The script creates additional access control entries on the following objects:
Domain Component:
- Domain-DNS (or the domain)
- Default Domain Policy
- Default Domain Controllers Policy
- AdminSDHolder
- Existing group policies (user and machine policies)
Forest Component:
- The sites container