Labels

Monday, March 24, 2008

Refreshing Computer Account AD Group Membership

I've completed some testing to help identify methods of updating the group membership for a computer account without having to restart the computer. The results show that while it is possible to update the token used to authenticate external resource access, a group policy refresh does not use the updated group membership for policy processing.

Testing was completed with:

  1. Windows XP SP2 workstation joined to a Windows 2000 domain, using Kerberos authentication.
  2. A share on the DC, with access granted to Group1, but denied to Group2, making it very easy to determine whether group membership is being considered for Group2

Test steps:

  1. Add the computer account to the Group1, allowing access to the test share
  2. Start a command prompt as system (with psexec /s /i /d cmd.exe)
  3. Verify access to the test share on the DC from the computer context
  4. Add the computer account to Group2, denying access to the data in the share mount point
  5. Verify access to the test share on the DC from the computer context still works as the computer has not received an updated token
  6. Use 'klist purge' to purge all tickets
  7. Run 'nltest /dclist:%domain%' (causing a request for a Kerberos TGT)
  8. Run 'klist tgt' to verify that a new TGT has been received
  9. Verify access to the test share on the DC from the computer context is now denied.

This demonstrates that it is possible to force an update to the Kerberos tickets containing the Privilege Attribute Certificate details of computer domain account group membership, and subsequently access file based resources with the updated token. The following information is related:

  • Using the steps above updates Kerberos tickets and ensures that remote resource access is performed with a refreshed token, however, this does not help when processing Group Policy (as can be seen by 'gpresult /z /scope computer'). Running gpresult, which lists the accounts a computer is a member of, does not include the groups added to the domain computer account (this appears to be due to cached information stored during the initial computer startup sequence). Destroying 'NT Authority\System' and 'NT Authority\Network Service' tokens associated with all processes (with 'Process Explorer'), combined with restarting the WMI service causes the wmiprvse binary to reload (required for gpresult), but the re-created tokens do not contain the updated domain SIDs
  • The security principal representing the LocalSystem context (S-1-5-18) is a local identity only. The concept of using computer accounts as members of domain security groups makes use of the domain computer account (similar to drawing a parallel between same-named local user accounts and domain user accounts).
  • When examining local tokens, a computer is a member of only three groups - a hidden member of administrators, and a member of two well-known groups (Everyone and 'Authenticated Users'). When accessing remote resources with the system account, the access token passed to the remote machine contains the SIDs of groups the computer's domain account is a member of
  • The user context when clearing the Kerberos cache is important; For example, if the 'klist purge' command is executed under the interactive context instead of the system context, the TGT for the computer account (ComputerName$) is not renewed.

References:




Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

4 comments:

Olphar said...

You said: "Using the steps above updates Kerberos tickets and ensures that remote resource access is performed with a refreshed token, however, this does not help when processing Group Policy"

I presume by that you mean neither GPRESULT nor GPUPDATE benefit from the updated ticket, without a restart. But is the updated ticket cached, so that the computer will benefit from it, on the next restart?

I ask this because we have VPN clients that need to get computer GPO changes driven by group membership, but they cannot get these because the VPN connection isn't established until after user logon. These computers never start connected to AD, so they never get updated group membership information.

I'm trying to figure out a way to update the computer group membership after logon, while connected to AD via VPN. If I can do that, I can tell the users to restart after the manual update.

Any suggestions? Thanks in advance for your time and help.

Wayne Martin said...

Hi Olphar,

I'm not sure that I can offer much, but I would go through the scenario you are talking about and run the following commands at the various stages to list the groups the computer account is a member of:

- psexec /s tokensz /dump_groups
- gpresult /z

The first will run the tokensz command in the context of the localsystem account on the local computer. The second will allow you to see the computer group membership from a group policy perspective - not necessarily the same thing as what's in the token.

The results might help identify if you can force an update, and will prove whether the domain computer account group information is cached across reboots.

There may well be a solution for this sort of VPN connectivity for computer-based GPOs (I haven't had the need to investigate).

Good luck,
Wayne.

Tokensz is a Microsoft utility, available from:
http://www.microsoft.com/downloads/details.aspx?familyid=4A303FA5-CF20-43FB-9483-0F0B0DAE265C&displaylang=en

sager said...

Nice post with awesome points! Can’t wait for the next one.

HP - EliteBook Folio Ultrabook 14" Laptop - 4GB Memory - 500GB Hard Drive - Platinum (9470m)

Anonymous said...

In my scenario, I wanted to enable a policy for a few test servers, so they would join te appropriate WSUS group (client site targeting). I made these servers member of te security group that has the read/apply permission for that policy, but the policy was disabled until I performed the steps described in your article here. I did a gpupdate /force on the test servers and, voila! they neatly joined the WSUS group.


All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 13 years, and I know just about enough to realise that I don’t know very much.