Sysadmin Magazine July 2023
Mastering AD Management Secrets

Contents
How to Back Up and Restore Group Policy Objects (GPOs)
How to Back Up and Restore Group Policy Objects (GPOs)
Joe Dibley
Security Researcher at Netwrix

Before we dive into Group Policy object backup and recovery, let’s review some important details about how GPOs are created and used.

When a new Group Policy object is created, it is assigned a unique identifier called a GUID. Each GPO has two parts:

▪ Group Policy template (GPT) — The GPT comprises a set of folders in the SYSVOL file share (“C:\Windows\SYSVOL\domain\Policies\{GUID}”). These folders are used to store the majority of the content of a Group Policy object, including the templates, settings, scripts and details about MSI packages. The GPT is replicated to every DC in the domain by File Replication Services (FRS) or Distributed File System Replication (DFSR), depending on the version of Windows. In fact, GPOs are effectively domain-specific because SYSVOL is replicated only within a domain.
▪ Group Policy container (GPC) — The GPC is a groupPolicyContainer object located in the domain naming context under CN=System,CN=Policies. This AD object’s attributes are used to store referential information related to the GPO. Significantly, this includes the gPCFileSysPath attribute, which contains the path to the GPO’s GPT in SYSVOL. Unlike the GPT, the GPC is replicated by Active Directory Domain Services according to the configured replication cost, schedule and interval.

GPO Associations
Once a GPO has been created, it can be associated with one or more Active Directory objects: organizational units (OUs), domains and sites. This association is not maintained by the GPO but by each of the associated AD objects, in its gPLink attribute. The value of an object’s gPLink attribute is a list of the GPC paths of each GPO that the object has been associated with. When a GPO’s association to an object is created or deleted, only the value of the affected object’s gPLink attribute is modified.
User and computer configurations
One last thing to note is that GPOs contain both a Computer

Group policy processing

▪ Backup-GPO — This cmdlet makes it very easy to take a snapshot of all of a domain’s Group Policy objects or a
The output of the Backup-GPO cmdlet consists of a separate subfolder for each GPO’s backup information and a manifest.xml file that contains the information necessary to associate each of the subfolders to their respective GPO:

Looking inside one of the subfolders, we find that each backup consists of a folder and three XML files:

Backup version control
Repeatedly backing up Group Policy objects to a single location is supported, but each execution of this script creates a unique subfolder for its output. The subfolders are named using backup-specific GUIDs generated during cmdlet execution, which all but eliminates the chance of naming collisions with repeated backups to a single location.

folders is not strictly necessary, but the behavior of the Restore-GPO cmdlet creates a benefit for doing so. The Restore-GPO cmdlet will allow you to restore all GPOs at once, but it will use the most recent backup of each Group Policy object as identified within the manifest.xml. By separating each set of backups into its own folder, you ensure that each set of backups gets its own manifest.xml. This allows the restoration of all of the GPOs in any of these backup sets in a single operation.
The page’s script survives only in fragments:

    $BackupPathTracker = "$BackupPath\Last-Backup.txt"
    if((Test-Path "$BackupPathTracker")) {
        $LastBackup = Get-Content -Path "$BackupPathTracker"
    $GPOs = Get-GPO -All -Domain $Domain -Server $DomainController
    Set-Content -Path "$BackupPath-
    ject { $BackupFolder

While this approach will save space by limiting unnecessary backups, the backups it does make all end up in the same folder, which makes it difficult to restore Group Policy

Combining the approaches taken in each of the two scripts would solve all of our problems, right?
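The combination the text is asking about, as an added example (not the article’s script): incremental backups driven by a last-backup tracker file, each run in its own folder so each backup set gets its own manifest.xml, with a GPC/GPT version check before each GPO is snapshotted. Domain, DC and path values are assumptions.

```powershell
# Added example (not the article's script): back up only the GPOs changed since
# the last run into a fresh per-run folder, so each backup set gets its own
# manifest.xml, after checking that each GPO's GPC and GPT version numbers agree
# on the DC being queried. Values marked "assumption" are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain           = "corp.example.com"        # assumption
$DomainController = "dc01.corp.example.com"   # assumption
$BackupPath       = "D:\GPOBackups"           # assumption
$Tracker          = Join-Path $BackupPath "Last-Backup.txt"
$RunFolder        = Join-Path $BackupPath (Get-Date -Format "yyyy-MM-dd_HHmmss")

# First run backs up everything; later runs only what changed after the tracker time.
$Since = [datetime]::MinValue
if (Test-Path $Tracker) { $Since = [datetime](Get-Content -Path $Tracker) }
$Changed = Get-GPO -All -Domain $Domain -Server $DomainController |
    Where-Object { $_.ModificationTime -gt $Since }

function Get-GptVersion([string]$GptPath) {
    # Version= in gpt.ini is the GPT's copy of the GPO version; $null if unreadable.
    $ini = Join-Path $GptPath "gpt.ini"
    if (-not (Test-Path $ini)) { return $null }
    foreach ($line in Get-Content -Path $ini) {
        if ($line -match '^Version=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$Skipped = 0
foreach ($gpo in $Changed) {
    # GPC (AD) and GPT (SYSVOL) replicate separately; if their versions differ on
    # this DC the GPO is not consistent here yet, so do not snapshot it from here.
    $gpc = Get-ADObject -Identity $gpo.Path -Server $DomainController `
        -Properties versionNumber, gPCFileSysPath
    $gptVersion = Get-GptVersion $gpc.gPCFileSysPath
    if ($gpc.versionNumber -ne $gptVersion) {
        Write-Warning "$($gpo.DisplayName): GPC version $($gpc.versionNumber), GPT version $gptVersion on $DomainController; skipped"
        $Skipped++
        continue
    }
    if (-not (Test-Path $RunFolder)) { New-Item -ItemType Directory -Path $RunFolder | Out-Null }
    Backup-GPO -Guid $gpo.Id -Path $RunFolder -Domain $Domain -Server $DomainController `
        -Comment "Changed after $Since" | Out-Null
}

# Advance the tracker only when nothing was skipped, so skipped GPOs are retried next run.
if ($Skipped -eq 0) { Set-Content -Path $Tracker -Value (Get-Date -Format "o") }
else { Write-Warning "$Skipped GPO(s) skipped; tracker not advanced" }

# A whole set restores as one unit later:  Restore-GPO -All -Path $RunFolder -Domain $Domain
```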
All of this is necessary because, as discussed above, a Group Policy object’s GPT and GPC are replicated separately by different services, which can result in the version numbers of a GPO’s GPT and GPC on any specific domain controller being out of sync — which will prevent it from being processed.

Restoring a deleted GPO
A documented limitation of the Restore-GPO cmdlet is that it cannot be used to recover a Group Policy object that has been deleted, because it will be unable to find the GPC piece of the GPO in Active Directory. Attempting to recover a deleted GPO will result in an error that looks like this:

However, if you are able to recover the GPC first, Restore-GPO can be used to recover the deleted GPO. To do so, we can use the Restore-ADObject cmdlet to fully recover the Active Directory piece of the GPO from the Active Directory Recycle Bin, and then the Restore-GPO cmdlet is able to restore the GPO:

While this process can recover a deleted GPO, it cannot restore the gPLink values that existed prior to the GPO’s deletion. This is because those values existed only on the linked objects. The only safe way around this limitation is to leverage external backups of Active Directory that contain the gPLink values.

Using GPMC and AGPM for GPO backup and restore
Group Policy PowerShell cmdlets are not your only option for GPO backup and restore. Microsoft also provides the Group Policy Management Console (GPMC), an MMC snap-in that can be used to back up and restore Group Policy Objects. Like the Backup-GPO cmdlet, it can back up either a single specified GPO or all of a domain’s GPOs. Unlike the Restore-GPO cmdlet, it is limited to restoring a single GPO at a time.
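The two-step recovery described under “Restoring a deleted GPO” above, as an added example that is not the article’s own code: restore the GPC from the Recycle Bin with Restore-ADObject, then let Restore-GPO rebuild the GPT from a backup set, and finally report which objects still link the GPO, since the gPLink values are not recovered. It assumes the AD Recycle Bin is enabled; the domain, DC, backup folder and GPO name are made-up values.

```powershell
# Added example (not from the article): recover a deleted GPO by restoring its
# GPC from the AD Recycle Bin first, so that Restore-GPO can then find it and
# restore the GPT from a backup set. Assumes the Recycle Bin is enabled and
# that $BackupSet is a folder written by Backup-GPO. Example values are made up.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = "corp.example.com"                   # assumption
$Server    = "dc01.corp.example.com"              # assumption
$BackupSet = "D:\GPOBackups\2023-07-01_020000"    # assumption
$GpoName   = "Workstation Hardening"              # assumption

# 1. Find the deleted groupPolicyContainer by display name (newest one if several).
$deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter 'objectClass -eq "groupPolicyContainer" -and isDeleted -eq $true' `
    -Properties displayName, whenChanged |
    Where-Object { $_.displayName -eq $GpoName } |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deleted) { throw "No deleted GPO named '$GpoName' in the Recycle Bin" }

# A deleted GPC is renamed to "{GUID}\0ADEL:<objectGUID>"; the leading {GUID} is the GPO Id.
if ($deleted.Name -notmatch '^\{([0-9a-fA-F-]{36})\}') { throw "Unexpected GPC name: $($deleted.Name)" }
$gpoId = [guid]$Matches[1]

# 2. Put the GPC back, then let Restore-GPO rebuild the GPT from the backup set.
Restore-ADObject -Identity $deleted.ObjectGUID -Server $Server
$restored = Restore-GPO -Guid $gpoId -Path $BackupSet -Domain $Domain -Server $Server

# 3. gPLink values lived on the OUs/domain that linked the GPO, so nothing above
#    recreates them. List what still links it; missing links must be re-created
#    (New-GPLink) from an external AD backup or documentation. Site links live in
#    the configuration partition and are not searched here.
$links = Get-ADObject -Server $Server -LDAPFilter "(gPLink=*{$gpoId}*)" -Properties gPLink
if ($links) {
    "Restored '$($restored.DisplayName)' ($gpoId); still linked from:"
    $links.DistinguishedName
} else {
    Write-Warning "Restored '$($restored.DisplayName)' ($gpoId) but no object links it; re-create gPLink entries from an external AD backup"
}
```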
from backup, but it doesn’t actually recover the deleted GPO; it actually just creates a new GPO and populates it using the information in the backup.

Another benefit of the GPMC is improved visibility into the contents of the GPO backups, though it remains difficult to compare the settings in a backup to the current settings of the live GPO.

Microsoft’s Advanced Group Policy Management (AGPM) tool, which is available as part of the Microsoft Desktop Optimization Pack, extends the GPMC with version control functionality that helps you view and understand the contents of your backups. However, the benefits of AGPM tend to be outweighed by two factors: It doesn’t seem to be very well maintained, and it has a reputation for not playing well with others (for example, modifying an AGPM-managed GPO outside of AGPM can result in corruption of the AGPM database). That said, it’s not necessarily a bad tool; I just suggest you mess around with it quite a bit in a lab environment before attempting to deploy it into production.

Netwrix Recovery for Active Directory provides a unified web interface that enables you to back up both Active Directory objects and Group Policy objects in a single snapshot, search and manage backups, roll back attribute changes to live objects, and even recover deleted GPOs and their associated gPLinks.
Contents SysAdmin Magazine July 2023
Credentials with a
(DLL) involved in security-related operations, including
authentication. Microsoft provides a number of SSPs,
Security Support
including packages for Kerberos and NTLM. Let’s look at
some of the reasons an attacker might want to register a
malicious SSP on a computer:
Prevention
Since SSP attacks on DCs require an attacker to have compromised the DC as a Domain Admin or Administrator, the best prevention is to keep those accounts from being compromised by strictly limiting membership in those groups, enforcing strong account governance and monitoring the activity of privileged accounts.

Detection
SSP attacks can be difficult to detect. To see whether any of your DCs have already been compromised, you can run the following PowerShell command to check each DC in the domain for the existence of the mimilsa.log file. Hopefully, the results come back empty.
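An added example (not the article’s command) of that check: it queries every DC for mimilsa.log and, going one step beyond the file check, also lists each DC’s registered Security Packages value so that an unexpected entry stands out. It assumes PowerShell remoting to the DCs, that the log would be written under System32, and a baseline package list you should adjust to your own build.

```powershell
# Added example (not the article's command): check every DC in the domain for
# mimilsa.log and list the Security Packages registered with LSA on each one.
# Assumes PowerShell remoting to the DCs and that mimilsa.log would be written
# to the System32 directory. The baseline list is an assumption; adjust it.
Import-Module ActiveDirectory

$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Packages normally present on a stock Windows Server DC (assumption). On current
# builds the registry value is often empty; any entry outside this list is worth a look.
$KnownPackages = @("kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap")

$Results = Invoke-Command -ComputerName $DCs -ErrorAction Continue -ScriptBlock {
    $log = Join-Path $env:SystemRoot "System32\mimilsa.log"
    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    [pscustomobject]@{
        DC               = $env:COMPUTERNAME
        MimilsaLogExists = Test-Path $log
        MimilsaLogBytes  = if (Test-Path $log) { (Get-Item $log).Length } else { 0 }
        SecurityPackages = @($lsa.'Security Packages')
    }
}

foreach ($r in $Results) {
    $unexpected = $r.SecurityPackages | Where-Object { $_ -and ($KnownPackages -notcontains $_.ToLower()) }
    if ($r.MimilsaLogExists) {
        Write-Warning "$($r.DC): mimilsa.log present ($($r.MimilsaLogBytes) bytes); treat this DC as compromised"
    }
    if ($unexpected) {
        Write-Warning "$($r.DC): Security Packages entries outside the baseline: $($unexpected -join ', ')"
    }
}

# Summary table; an empty MimilsaLogExists column and baseline-only packages is the hoped-for result.
$Results | Select-Object DC, MimilsaLogExists, @{ n = "SecurityPackages"; e = { $_.SecurityPackages -join "," } } |
    Format-Table -AutoSize
```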
How to Clean Up Your Active Directory

Active Directory is the central repository for user accounts,

Benefits of a Clean Active Directory
tion achieve and prove compliance with these provisions.

▪ IT operations — A cluttered AD makes management much harder for administrators. By cleaning it, you can reduce the time they have to spend supporting it, giving them more time for strategic initiatives.
Contents SysAdmin Magazine July 2023
▪ Inability to determine ownership of objects and groups
▪ Inaccurate or incomplete object attribute details

How to Clean Up Active Directory
The following best practices can help you clean up your Active Directory:

▪ Regularly identify stale, disabled, inactive and orphaned user accounts — Adversaries look for unused Active Directory user accounts they can compromise in order to gain access to sensitive data. Some AD management products not only identify risky AD user accounts but provide customizable workflows that can automatically move them to a staging OU so you can review the impact of deleting them individually or in bulk.

▪ Identify duplicate user accounts — Users can end up with multiple accounts after changing roles within the organization, especially if you have multiple AD domains. Cleaning up these duplicate accounts can reduce complexity and confusion that can lead to security risks associated with overprovisioning.

▪ Ensure user account attributes are complete and accurate — Active Directory cleanup is about more than just deleting objects. It’s also about ensuring that your AD objects are properly populated with all the information required for proper account management. Be sure to perform metadata cleanup as well.

▪ Leverage historical SIDS — Eliminate token bloat and broken access control by identifying and cleaning up historical SIDS to improve performance.

▪ Identify expired passwords — Identify Active Directory accounts with expired passwords, since they can indicate that the account is infrequently used or inactive.

▪ Find empty, duplicate and circularly nested groups — Identify and remove empty or duplicate AD groups that serve no purpose. Solutions like Netwrix Active Directory Security Solution can also identify and help you remediate circularly nested groups that hinder AD performance.

▪ Review security groups with large membership — While some security groups, such as Everyone, are meant to be large, most security groups should be much smaller. Make sure each group includes only the users who need the resource access that the group provides.

▪ Clean up mail-enabled groups — Distribution lists and mail-enabled security groups often become bloated over time because their owners fail to keep them up to date. Make sure your solution can identify these groups and help you clean them up.

▪ Ensure each group has an owner and require regular attestation — Each group should have an owner who is required to regularly attest that the group is still needed and that it has the correct permissions and membership.

How Netwrix Can Help
Using native tools like PowerShell to clean up your AD is time-consuming, and writing and maintaining scripts requires expertise. But the Netwrix Active Directory Security Solution enables you to easily query, analyze, report on and remediate unwanted objects in your Active Directory and file systems so you can finally bring Active Directory under control. As a result, you can strengthen security, achieve and prove compliance, make your IT teams more efficient, and improve business agility.
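The native-tools route the best practices above describe, as an added example that is not the article’s or Netwrix’s code: one read-only report of stale and disabled users, expired passwords, empty and oversized groups, and circularly nested groups (found by walking each group’s memberOf chain back to itself). The staleness and size thresholds are assumptions.

```powershell
# Added example (not from the article): report the cleanup candidates described
# above with the ActiveDirectory module. Nothing is changed; review the output
# before disabling or deleting anything. Thresholds are assumptions.
Import-Module ActiveDirectory
$StaleDays  = 90      # assumption: no logon for 90 days counts as stale
$LargeGroup = 500     # assumption: more members than this deserves review
$Cutoff = (Get-Date).AddDays(-$StaleDays)

function Find-CircularGroups([hashtable]$ParentsOf) {
    # $ParentsOf maps a group DN to the DNs of the groups it is a member of.
    # A group is circularly nested if it can reach itself by following memberOf edges.
    $circular = @()
    foreach ($start in $ParentsOf.Keys) {
        $seen  = @{}
        $stack = New-Object 'System.Collections.Generic.Stack[string]'
        foreach ($p in $ParentsOf[$start]) { $stack.Push($p) }
        while ($stack.Count -gt 0) {
            $cur = $stack.Pop()
            if ($cur -eq $start) { $circular += $start; break }
            # Skip groups already visited or outside this domain's group set.
            if ($seen.ContainsKey($cur) -or -not $ParentsOf.ContainsKey($cur)) { continue }
            $seen[$cur] = $true
            foreach ($p in $ParentsOf[$cur]) { $stack.Push($p) }
        }
    }
    return $circular
}

$users  = Get-ADUser  -Filter * -Properties lastLogonTimestamp, whenCreated, PasswordExpired
$groups = Get-ADGroup -Filter * -Properties member, memberOf

# lastLogonTimestamp replicates (with up to about 14 days of lag), which is accurate
# enough for months-old inactivity; accounts that never logged on fall back to whenCreated.
$stale = $users | Where-Object {
    $last = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
    $last -lt $Cutoff
}

$parents = @{}
foreach ($g in $groups) { $parents[$g.DistinguishedName] = @($g.memberOf) }

# Built-in groups may legitimately be empty or large; filter those out when you review.
[pscustomobject]@{
    StaleUsers       = @($stale | Select-Object -ExpandProperty SamAccountName)
    DisabledUsers    = @($users  | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty SamAccountName)
    ExpiredPasswords = @($users  | Where-Object { $_.Enabled -and $_.PasswordExpired } | Select-Object -ExpandProperty SamAccountName)
    EmptyGroups      = @($groups | Where-Object { -not $_.member } | Select-Object -ExpandProperty SamAccountName)
    LargeGroups      = @($groups | Where-Object { @($_.member).Count -gt $LargeGroup } | Select-Object -ExpandProperty SamAccountName)
    CircularGroups   = @(Find-CircularGroups $parents)
}
```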
Top Strategies to Harden Your Active Directory Infrastructure
Joe Dibley
Security Researcher at Netwrix

Microsoft Active Directory (AD) is the central credential store for 90% of organizations worldwide. As the gatekeeper to business applications and data, it’s not just everywhere, it’s everything! Managing AD is a never-ending task, and securing it is even harder. At Netwrix, we talk to a lot of customers who are using our tools to manage and secure AD, and over the years, key strategies for tightening security and hardening AD to resist attacks have emerged. Here are 10 Active Directory security hardening tips that you can use in your environment:

Tip #1: Clean up stale objects
Active Directory includes thousands of items and many moving elements to safeguard. A core method for increasing security is to decrease clutter by removing unused users, groups and machines. Stale AD objects may be abused by attackers, so deleting them reduces your attack surface.

You may also find seldom-used items. Use HR data and work with business stakeholders to determine their status; for example, for user accounts, determine the user’s manager. While this takes time, you’ll appreciate having it done during your next audit or compliance review.

Tip #2: Make it easy for users to choose secure passwords
To prevent adversaries from compromising user credentials to enter your network and move laterally, passwords need to be hard to crack. But users simply cannot remember and manage multiple complex passwords on their own, so they resort to practices that weaken security, such as writing their passwords on sticky notes or simply incrementing a number at the end when they need to change them. That led security experts to weaken their recommendations concerning password complexity and resets.

However, with an enterprise password management solution, you can make it easy for users to create unique and highly secure passwords and manage them effectively, so you do not have to compromise on strong password requirements. A user needs to memorize just one strong password, and the tool manages all the others for them.

Tip #3: Don’t let employees have admin privileges on their workstations
If an attacker gains control of a user account (which we all know happens quite a bit), their next step is often to install hacking software on the user’s workstation to help them move laterally and take over other accounts. If the compromised account has local admin rights, that task is easy.

But most business users do not actually need to install software or change settings very often, so you can reduce your risk by not giving them admin permissions. If they do need an additional application, they can ask the helpdesk to install it. Don’t forget to use Microsoft LAPS to ensure all remaining local admin accounts have strong passwords and change them on a regular schedule.
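A way to verify the LAPS part of Tip #3, as an added example (not the article’s code): for each enabled workstation it reads only the LAPS password expiration time (legacy LAPS and Windows LAPS attribute names) and flags machines where LAPS has never set a password or rotation is overdue. It assumes the LAPS schema extension is in place; the OU is a made-up value.

```powershell
# Added example (not from the article): audit whether every workstation's local
# admin password is managed by LAPS and rotated on schedule. Checks both the
# legacy LAPS attribute (ms-Mcs-AdmPwdExpirationTime) and the Windows LAPS one
# (msLAPS-PasswordExpirationTime); only the expiration time is read, never the
# password. Assumes the LAPS schema extension is present; the OU is an assumption.
Import-Module ActiveDirectory
$WorkstationOU = "OU=Workstations,DC=corp,DC=example,DC=com"   # assumption
$now = Get-Date

$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter 'enabled -eq $true' `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime', lastLogonTimestamp

$report = foreach ($c in $computers) {
    # Either attribute is a FILETIME; if both are absent, LAPS has never set a password here.
    $raw = $c.'msLAPS-PasswordExpirationTime'
    if (-not $raw) { $raw = $c.'ms-Mcs-AdmPwdExpirationTime' }
    $expires = if ($raw) { [datetime]::FromFileTime([int64]$raw) } else { $null }
    [pscustomobject]@{
        Computer  = $c.Name
        LapsState = if (-not $expires) { "NotManaged" } elseif ($expires -lt $now) { "RotationOverdue" } else { "OK" }
        Expires   = $expires
        LastLogon = if ($c.lastLogonTimestamp) { [datetime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    }
}

# Unmanaged and overdue machines are the ones to fix first. A machine that has been
# offline for months also shows as overdue, and is itself a cleanup candidate (Tip #1).
$report | Where-Object LapsState -ne "OK" | Sort-Object LapsState, Computer | Format-Table -AutoSize
```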
Conclusion
Active Directory is an amazing system for controlling access. However, it’s only secure when it’s clean, understood, properly configured, closely monitored and tightly controlled. These tips are practical ways that you can tighten security and harden your Active Directory.
TOOL OF THE MONTH
Netwrix Recovery for Active Directory

Swiftly restore Active Directory (AD) objects or specific attributes to a trusted, pristine state — right from your browser and without any downtime. Netwrix Recovery for Active Directory empowers you to easily back up and restore your critical AD users, computers, security groups, DNS entries, Group Policy objects (GPOs), organizational units (OUs), domain controllers (DCs) and more, overcoming the myriad limitations of the AD Recycle Bin. With its unparalleled flexibility and control, you can help ensure your organization remains resilient against security breaches and business disruptions.

Restore accounts and permissions quickly — without having to reboot a single domain controller.
[On-Demand Webinar]
Netwrix solutions are the Force that will give you the power to secure AD from end to end and

Join our own AD Jedi Master, Anthony Moillic, as he explains how you can:
▪ Gain Deep Insight: identify and mitigate security risks in your AD environment before attackers exploit them
▪ Fight the Dark Side: thwart clever foes by promptly detecting and containing even advanced threats
▪ Be the Hero: recover from improper Active Directory changes quickly to ensure business continuity

Anthony Moillic
Field CISO EMEA & APAC
About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 11500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.