Microsoft Azure AZ-801 — Section 4: Secure a hybrid Active Directory (AD) infrastructure Part 4

Microsoft Azure AZ-801 — Section 4: Secure a hybrid Active Directory (AD) infrastructure Part 4

37. Manage AD built-in administrative groups

I want to talk now about the built in groups that we have in Active Directory. So, there’s a couple of things we want to look at here.

Number one is if we go to Server Manager and then go Tools and then open up Azure or sorry, open up Active Directory Users and Computers, that’ll bring us here and we can click on users and here are your built in groups.

Now, you may not have all the same groups as I mean there might be a couple that I don’t that I have that you don’t like laps and things like that because I’ve installed a few things in a different course, but ultimately you’ll see the same types of groups as I’m seeing here for the most part, any of the any of the objects here with the two headed people here or the two people, I should say. Those are those are your groups, right. Those are your built in groups. And of course, if you look at the groups, they have descriptions for each one. For example, the allow RODC password replication group. It tells you what that’s for. Members in this group can have passwords replicated all RODC.

If you have RODC, you have Cert publishers. Members of this group are permitted to publish certificates to the directory. You have cloneable domain controllers. Members of this group that are domain features may be cloned. You have denied the RODC replication group, the DNS admins. These people can make changes to DNS. You have DNS update proxy DNS clients who are permitted to perform dynamic updates on behalf of some other clients such as DHCP domain admins. This is designated administrators of the domain. Right. This is one of the most powerful groups you can be in domain computers. This represents all workstations and servers in the domain. And it’s going to have the general permissions that workstations and servers need based on group policy. This represents domain controllers. All domain tools will be, remember that.

So, if you needed to apply something all domain contours, you would do it to this group. You have domain guest this is a restricted group, so you’re treated as a guest, which means you can log on to a machine, but you can’t access other machines across the network. You can run apps that are on that machine. You can use a web browser, those types of things. You don’t get a user profile. The domain users. This is just the average users group. You have average permissions that a regular user gets. Enterprise admins. This arguably is the most powerful group in Active Directory. I do say arguably this group has pretty much all the power in the world to do anything across the forest, although you really need to be a member of this group and schema admins if you want all the power. Granted, if you’re an enterprise admin, you can also make yourself a schema admin.

So, I guess you could say that. Yes. This is the most powerful group in a forest environment where you have multiple domains. This group is automatically an admin all domains in the forest and you have enterprise key admins. Members of this group can perform administrative actions on key objects within the forest. You have enterprise read only domain controllers and they tell you Here members of this group are read-only domain controller in the enterprise this would be like a cross forest. Multiple domains in the forest you have group policy creator owners. Members of this group can modify group policies for the domain. You have key admins. Members of this group can perform administrative actions on key objects within the domain.

So, you start getting into keys, which I’m not getting into deep right now. Laps admin. This is a group I’ve added. In a different demonstration I did Protected Users. Members of this group are afforded additional protections against the authentication security threats. All right. RAS and IAS Servers in this group can access remote access properties of users. This is for RAZ and IAS Servers. Then you’ve got Read-Only Domain Controllers Group. Members of this group are read only domain features. In the domain, schema admins have the ability to change schema, change the schema.

So, that’s the first thing I want to point out. It is just like the built in groups that we have. The second thing is if I go to Google and I just do a quick search on built in groups Active Directory, so if you just search those keywords, they have an article right here, starts with this Appendix B privileged accounts and groups in Active Directory if we click on that. All right. It’s a pretty big article, but it takes you straight here to built-in privileged accounts. And they have a description, a more thorough description about each one of those groups. So, if you want to dig deeper into each one of those groups, you can check this out and they get into the inherited rights, which I really love about this.

If I’m looking at account operators, for example, I can see access this computer from the network ad workstations to the domain bypass traverse checking increase process, work set administrator accounts, that tells you all the privileges. So, if you really want to dig deep into every little nitpicking privilege, this is a great article to check out. All right. And I showed you how to get to it.

That is the built-in groups. And obviously, if I wanted to utilize any of the built in groups, all I’ve got to do is double click on the group and then go to members and click Add and I can add users or even groups to the group if I want.

So, you can nest groups, but that is how built-in groups function and that’s why they’re beneficial.

38. Manage AD delegation

Let’s talk about Active Directory delegation now, so obviously I can go to Server Manager or go Tools and open up Active Directory Users and Computers. Now, when I do that, I could give somebody, make them a domain admin and give them all this power over the domain. But, maybe, I don’t want to do that., maybe, I have admins for different offices and I want to give them rights over, maybe, just that office, the container of that office.

For example, I could create an OU, I’m going to right click my domain, go new and we’ll say organizational unit. I’ll call this container New York. All right, we’ll click Okay to that and then I’m going to right click and we’ll go with another one, you will call this Dallas. All right.

So, we’ve got two different containers here. And, of course, we could have we can have users that are in that container, like I could say, maybe, I’ve got Jane Doe who is part of that New York. Location. All right. And, maybe, I’ve got a workstation, so we’ll say new. Let’s just create a new computer account, and I’ll just call this and we’ll say nyc-cl10 or something and we’ll click Okay. And then in Dallas, let’s just create a user in Dallas. We’ll say, this user’s name is Bob Jones. Password. Set the password or whatever we want., maybe, we’ve got a computer in. We’ll call this dl-cl15. All right. Click. Okay. All right.

Then, we’ve got, maybe, an admin that is going to control New York and the admin is going to control Dallas. We’ll say that, maybe, John Smith is going to be our admin that’s going to control New York. So, what I can do is I can right click New York and I can say delegate control, next click Add, and then we’ll say John, Add John Smith. All right. And then here’s all the privileges that we could give. John Smith Right. Create and delete, manage user accounts, reset, read all user information, delete., maybe, I don’t want John Smith messing with group policies, right? So I can give all these privileges right to John Smith, then I can click Next. And then finish. And I’ve now given John Smith the authority over just New York. I did not make John Smith a domain admin, but John Smith now has control. He has the ability to create users and all that inside New York if he wants. But he can’t control Dallas right now., maybe, I’ve got another user. Let’s just create another user. We’ll call this user, Greg. Greg Johnson. Okay. Create some password. Type it. All right. And we want to give Greg Johnson access over Dallas so we can do the same thing with Dallas. Right. Add Greg. And give the privileges we want to give. Right., maybe, not. Group policy control. The next finish and I’ve done that.

Now, you might say, “Well, what if I want to alter those privileges? Well, altering the privileges is a little different. It’s not as easy. When you want to alter the privilege, you can right click. If you say delegate control, you would think, oh, well, it would show up right here, but it doesn’t. What you actually have to do is you have to turn on advanced features.

So, you have to go to the View menu, turn on advanced features. Then you can right click let’s say I want to do this with Dallas, I’m going right click Dallas, go to properties and then go to the security Tab and then I can. Find Greg Johnson, go to Advanced and we’ll look at Greg Johnson. We can edit, we can edit the privileges he has right here, and that’s how you’re going to do that.

If you want to remove privileges, then that’s the way to. Me, personally, you, me tell you a little secret. This is the way I do it in the real world. I don’t ever go to advanced. I would just if you needed to change Greg Johnson’s permissions, the easiest way to me to do it is just remove Greg Johnson off this access control list. Click Okay and then re delegate because it’s just easier. It’s easier than going to advanced.

If I wanted to change his permissions, I would just remove him off the ACL and then re-add him like this and then set the permissions the way I want it. And that to me is the easiest way to do it. All right.

So, that is how delegation is going to work. That’s how you’re going to be able to delegate control over this object.

Now, is it okay for could I put Greg Johnson in Dallas and John Smith or whatever in the New York City? Sure. You could totally do that. It’s not going to make a big difference. Although if you had a GPO that was like really restricting the user, you might not want to do that because it could be restricting that admin. But you can get around that too. You can filter the GPO so it’s not restricting that admin.

So, there’s various ways you can do it. Right now, I have my users inside this user container, but I could just as easily, if I want, just drag and drop, right? Drag and drop. I’ll just move Greg Johnson into Dallas and then I could move… Let’s find John Smith. We’ll pull John Smith over into New York. And there you go. All right.

That’s how delegation works in Active Directory.

39. Implement and manage Microsoft Defender for Identity

Let’s talk now about the concept of Microsoft Defender for Identity.

So, Microsoft Defender for Identity is a service that is managed through the Microsoft 365 Defender Dashboard, which is the portal with your Microsoft 365 account. And what this is going to allow you to do is it’s going to monitor for identity authentication and all of that between your on-premises domain as well as the Azure AD environment. And it’s going to be it’s going to take advantage of artificial intelligence and machine learning to watch the times of day. Your users log on when where IP address information they’re logging on and authenticating from. And it’s going to also be monitoring utilizes Microsoft’s Threat management team, which is constantly monitoring the dark web for password breaches.

So, a lot of times when hackers get access to people’s passwords, a lot of times it’ll go into a list that shows up on the dark web and that can then be reported. And that, of course, reports back to us. We find we get alerts and things like that as admins and we know if a user’s accounts have been breached. But this is also going to be used once it’s installed on a server in our environment, it’s also going to be used for network sniffing. It’s going to be sniffing the network as a behavioral sensor and it’s going to be looking for different types of attacks that hackers would use on a network to try to breach somebody’s account, brute force attacks and things like that. That is the idea.

But the first thing we got to do, of course, is we have to actually connect a server that’s part of our domain. We have to connect it to the defender for identity. You can do this on your domain controller. I’m going to do it on NYC-SVR1 in my case, but you can do it on any server really, as long as it’s part of the domain.

Now, I’m going to open up my web browser and you’re just going to go to and I’m going to scroll down here and go with go down here to Settings. All right. Once you get into settings, there’s an area called identities. We’re going to click on that. And of course, you’re going to start out on this area called sensors, which of course, is where you would be wanting to make your server a sensor. So, from there, we’ll scroll down and we’re going to click to add a sensor. All right. Then you’ll get an access key. So, I’m just going to copy that clipboard, and I’m also just going to throw that into a notepad file. All right. So, I’m going to pop up Notepad.

Servers moving a bit slow because it’s only got like three gigs of RAM. So, you’re noticing a little bit of delay. That’s why when you have a lot of virtual machines, you’ve got to you’ve got to make do with a little bit of memory you can give them. Then I’m going to click download installer here. All right. And so we’ll go ahead and do that. Give that just a moment. Once that’s done, here is the little zip file you’ll notice. It says Azure HTTP. That’s because this used to be called the Azure Threat Protection Agent, and they’ve changed the name of it. Keep in mind, it may by the time you do this, they might change the name again to Defender for Identity. But this is what it was called when I made this video.

Now, I’m just going to copy this and I’m just going to create a folder on my C drive here. We’ll just call it dfi. And paste that in. Okay, so there’s the files being pasted in from the zip file. And at that point, I’m going to double click on this Azure ATP sensor setup. So, we’ll double click on that. All right. Just waiting on that to get started here. Now, I’m going to click Next. This is going to be a standalone sensor. I’m not using Active Directory Federated Services right now, so I’m going to standalone censor. I’m going to click Next and this is where I got to have that access key. Here is the access key. Oops, let’s do that again. There we go. We’re going to copy that and we’re just going to paste it in there. We’re going to click Install. And now is going to begin installing. That just takes a minute or two and then I’m going to click Finish and I’m going to go back over here and just refresh let’s just refresh the web browser here. And it should reflect that the server is now showing up in the portal. All right. All right.

So, we can now see that NYC-SVR1 is showing up. All right. Which means it can now act as a sensor. It’s going to be sniffing and analyzing the network and looking for threats. But we would like the sensor to be able to communicate with Active Directory and report any types of threats that might happen against Active Directory. But to do that, we’re going to need to go over here to directory service accounts. All right. And then what we’re going to do is scroll down and we’re going to click Add credentials. So, we need to add some admin credentials that have that authority. All right. So, give the account a name. We’ll say administrator. I’m just going to put my admin credentials in there. Right. And then the domain and then whatever the password is for that account, you can also do a group manage service account, which is a great way. If you want the service bill to change the password, it will and all that you could do that. But I’m going to click Save and that is now established. All right. This will take some time, but it will now be able to start pulling information from Active Directory and any threats that occur against Active Directory. We’ll now be able to show up on Microsoft Defender for Identity.

This is a really-really neat feature that’s going to allow me to grab information. I can view health information, health, any health issues, maybe, that might appear and any types of notifications, alert notifications. It’s also going to be able to pull syslog data and report syslog data if you want to associate this with like a SIEM server or something like that, you can have an email recipient. And from there, with the help of that, that’s going to now be able to pull all of this in. And I’m now going to be able to do investigations and look for threats, threat tracking, which I’m not getting into all these blades right now in this lecture. But now that I’ve linked all that together, we’re now ready to go with Defender for Identity.