question

MikhailFirsov-1277 asked MikhailFirsov-1277 commented

Problem after applying the Deny Log on locally GPO setting

Hello!
While testing a tiered AD infrastructure I was greatly surprised to see how one of the key GPO parameters is working.
Suppose there's a domain controller - DC - which belongs to the Tier0 OU (with no GPO applied except the Default Domain Policy) and a number of servers in the SERVERS OU (Tier1) to which the GPO with the following setting is applied:
114134-q01.png

The most important idea in the tiered AD model is preventing the cross-tier logons - in other words, you should not be able to log on to Tier1 servers under Tier0 accounts - in my case it means I shouldn't be able to use any domain/enterprise admin accounts (which are Tier0 accounts) for logging onto Tier1 servers (in the SERVERS OU), and the aforementioned Deny log on locally policy setting is the setting that is supposed to do exactly that.

And it really does what I expect it to do - any domain/enterprise-wide administrative accounts can no longer log on to Tier1 servers - so far so good, but... either I'm missing something or enabling this option may lead to other - rather weird - consequences.

Once again: here's the MS's explanation of the Deny log on locally parameter:
114153-q02.png

As far as I understand this text it means that the ONLY goal of this parameter is to deny log on locally TO THIS COMPUTER for the defined accounts.

Why, in this case, am I losing the ability to connect to the DC right after the policy gets applied?

For example, when I try to access \\dc as Domain\AdminT1 I see this:

114109-q03.png


ANY domain user can access ANY domain computer by default so what is preventing Domain\AdminT1 from accessing \\DC AFTER applying the policy ???


There are other GPO settings being applied, but they do not have any effect on the possibility to connect to \\dc - as soon as I delete the Domain Admins/Enterprise Admins accounts from the policy, \\dc becomes accessible again:

114193-q04.png

114155-q06.png


???

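A quick way to see which logon rights are actually in effect on a given machine, as an added example (not part of the original question or answers): "Deny log on locally" is the SeDenyInteractiveLogonRight assignment, while access to a share such as \\DC is governed by the separate "Access this computer from the network" / "Deny access to this computer from the network" assignments (SeNetworkLogonRight / SeDenyNetworkLogonRight). The script below exports the effective user-rights assignments with secedit, resolves the SIDs to account names and prints a table, so the two kinds of right can be compared on the DC and on a Tier1 server. It assumes an elevated PowerShell session on the machine being examined; the right-to-label mapping is the standard GPO wording.

```powershell
# Added example: list the effective logon-right assignments on this machine.
# Run in an elevated PowerShell on the DC or member server you want to check.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the effective local security policy to an .inf file
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Rights relevant to a tiering review; values are the labels shown in the GPO editor.
$rights = @{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Resolve-SidOrName {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-5-...; plain names (e.g. Guest) are left as they are.
    if ($Entry -like '*S-1-*') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Entry   # orphaned or foreign SID: show it raw rather than fail
        }
    }
    return $Entry
}

$report = foreach ($line in Get-Content $cfg) {
    # Lines in the [Privilege Rights] section look like: SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-...
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $list = $Matches[2]
        if ($rights.ContainsKey($name)) {
            $accounts = $list -split ',' | ForEach-Object { Resolve-SidOrName $_.Trim() }
            [pscustomobject]@{
                Right    = $name
                Label    = $rights[$name]
                Accounts = ($accounts -join '; ')
            }
        }
    }
}

# A right that is not configured at all does not appear in the export, so report that explicitly.
foreach ($name in $rights.Keys) {
    if (-not ($report | Where-Object Right -eq $name)) {
        $report += [pscustomobject]@{ Right = $name; Label = $rights[$name]; Accounts = '(not configured)' }
    }
}

$report | Sort-Object Right | Format-Table -AutoSize -Wrap
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If a Tier1 account cannot reach \\DC over the network, the row to look at on the DC is SeDenyNetworkLogonRight (and whether SeNetworkLogonRight still includes the groups the account belongs to), not SeDenyInteractiveLogonRight.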

FanFan-MSFT answered

Hi,
Based on my understanding, the domain controllers are in the default Domain Controllers OU, and only the domain admins can log on locally.

The member servers are in the server OU; the admins can't log on to them (the deny log on locally policy GPO was linked on the server OU), but other users can.

When logged on to the servers with admin 1, the DCs can't be accessed.

If I misunderstand you, feel free to let me know.

I also did a test in my lab, defining the policy "deny log on locally" with the domain admins.
But the DCs were not impacted by the policy on the servers.

It is suggested to confirm the group policy on the servers and DCs with the command:
Gpresult /h report.html

Best Regards,

MikhailFirsov-1277 answered FanFan-MSFT commented

Hi FanFan-MSFT,

"Based on my understanding, the domain controllers are in the default domain controller OU, and only the domain admins can logon locally.
The member servers are in the server OU, the admins can't logon to (deny logon locally policy GPO was linked on the server OU), but other users can.

When logon to the servers with admin 1, DCs can't be accessed." - yes, you are right!




Hi,

It is suggested to confirm the group policy on the servers and DCs with the command:
Gpresult /h report.html
If possible, please share a screenshot here!
Best Regards,


Hi,
 
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

MikhailFirsov-1277 answered FanFan-MSFT commented

Sorry for the delay...

DC:
115343-527.png

Server:
115362-526.png




Hi,

On the DCs, I can only see the Default Domain Policy and Default Domain Controllers Policy GPOs; can you check the settings in those two GPOs?

On the servers, are there any other GPOs and settings?
Did you try logging on to the server with other users?

Best Regards,

MikhailFirsov-1277 answered FanFan-MSFT commented

"Did you try logon the server with other users?" - no, I didn't; there's only one administrative account for Tier1.

"can you check the settings on the 2 GPOs?" - sorry, I just don't understand what I should be looking for... I already know that it is the Deny log on policy that prevents AdminT1 from making NETWORK connections to \\DC (and yes, there are no additional GPOs applied to the DC except the default ones).


Hi,

Check if there are following settings configured on the DCs:

116094-image.png

Best Regards,

MikhailFirsov-1277 answered FanFan-MSFT edited

"Check if there are following settings configured on the DCs:" - no, they are not configured.


Hi,

If there are no settings mentioned above, maybe deeper logs are needed. We may try to use Network Monitor and Process Monitor to get more details.
For security reasons, log analysis is not supported here.

From my side, I will also try to log on to the server with another user, or create a new user for testing, and check whether I have the same issue.

Best Regards,

MikhailFirsov-1277 answered FanFan-MSFT commented

...have run two more tests (with removing and re-adding domain admins to Deny Log on Locally policy setting) - now it works flawlessly... weird...


Hi,

Glad that it works now.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,


Thank you very much for your help, FanFan-MSFT!

Regards,
Michael


Hi,

My pleasure!

piaudonn answered MikhailFirsov-1277 commented

I suggest you look at Authentication Policies and Authentication Policy Silos. Those features came with Windows Server 2012 R2 and they make the isolation of administrative zones easier (because no GPOs are involved) and more robust (because local admins can't override them).

You could create a silo called Tier-0 to which you add your domain admin accounts, the machine accounts of their dedicated workstations as well as the computer accounts of your domain controllers. Then you apply an authentication policy in such a way that the domain admin accounts can only log in on machines of the same silo as theirs.

Here is an example. I have Pierre, a member of the Domain Admins group. Pierre's workstation is wks1 and he needs to be able to administer DC1 (a domain controller). You enable claim support in your environment and run the following:

 # Create a new authentication policy (120 minute user TGT lifetime, enforced)
 New-ADAuthenticationPolicy -Name "Tier-0_TGT_120mins" -Description "Authentication policy for Tier-0 (120 minutes TGT)." -UserTGTLifetimeMins 120 -Enforce -ProtectedFromAccidentalDeletion $True

 # Create a new silo that applies the policy to users, computers and services
 New-ADAuthenticationPolicySilo -Name "Tier-0" -Description "Authentication policy silo to control the scope of logon for administrators" -UserAuthenticationPolicy "Tier-0_TGT_120mins" -ComputerAuthenticationPolicy "Tier-0_TGT_120mins" -ServiceAuthenticationPolicy "Tier-0_TGT_120mins" -Enforce -ProtectedFromAccidentalDeletion $True

 # Modify the policy to allow TGT issuance only if the silo is a match
 # (the conditional ACE quotes the silo name with double quotes, escaped here for PowerShell)
 Set-ADAuthenticationPolicy -Identity "Tier-0_TGT_120mins" -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"Tier-0`"))"

 # Grant access to the silo to the admins and their systems
 Grant-ADAuthenticationPolicySiloAccess -Identity "Tier-0" -Account "CN=Pierre,OU=_Admins,DC=contoso,DC=com"
 Grant-ADAuthenticationPolicySiloAccess -Identity "Tier-0" -Account "CN=WKS1,OU=_Admins,DC=contoso,DC=com"
 Grant-ADAuthenticationPolicySiloAccess -Identity "Tier-0" -Account "CN=DC1,OU=Domain Controllers,DC=contoso,DC=com"

 # Assign the silo to the admins and their systems (granting access alone is not enough)
 Get-ADUser -Identity Pierre | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo "Tier-0"
 Get-ADComputer -Identity WKS1$ | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo "Tier-0"
 Get-ADComputer -Identity DC1$ | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo "Tier-0"

Then Pierre can only log on to WKS1 and DC1. If Pierre tries to log in on a system which is not a member of the silo, he gets the following error message:

118009-image.png

Let me know if you want to know more about this. If so, I would suggest you create a new thread.


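A silo is only as good as its membership, so a check that the configuration above is complete is worth keeping alongside it. The following audit script is an added example, not part of the answer above or of any Microsoft tooling: it reads the silo and its user policy, confirms both are enforced and that the policy carries a silo condition, and then walks a Tier-0 group to find members that have not been granted access to the silo or have been granted access but never assigned to it (the two separate steps at the end of the answer's script). It assumes the ActiveDirectory module, the silo name Tier-0 and the group Domain Admins; adjust the parameters for other names.

```powershell
# Added example: audit that every member of a Tier-0 group is both granted access to
# and assigned to the Tier-0 authentication policy silo, and that silo and policy are enforced.
# Assumptions: ActiveDirectory module available, silo "Tier-0", group "Domain Admins".
Import-Module ActiveDirectory

function Test-TierZeroSilo {
    param(
        [string]$SiloName  = 'Tier-0',
        [string]$GroupName = 'Domain Admins'
    )

    $findings = @()

    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members, Enforce, UserAuthenticationPolicy
    if (-not $silo.Enforce) {
        $findings += "Silo '$SiloName' is in audit-only mode (not enforced)"
    }

    if ($silo.UserAuthenticationPolicy) {
        $policy = Get-ADAuthenticationPolicy -Identity $silo.UserAuthenticationPolicy -Properties Enforce, UserAllowedToAuthenticateFrom
        if (-not $policy.Enforce) {
            $findings += "Policy '$($policy.Name)' is in audit-only mode (not enforced)"
        }
        if (-not $policy.UserAllowedToAuthenticateFrom) {
            # Without this condition, TGT issuance is not restricted to silo members at all
            $findings += "Policy '$($policy.Name)' has no UserAllowedToAuthenticateFrom condition"
        }
    } else {
        $findings += "Silo '$SiloName' has no user authentication policy"
    }

    # Members (msDS-AuthNPolicySiloMembers) are the accounts granted access to the silo, as DNs.
    $siloMembers = @($silo.Members)

    foreach ($member in Get-ADGroupMember -Identity $GroupName -Recursive) {
        if ($member.objectClass -ne 'user') { continue }
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties AuthenticationPolicySilo

        if ($siloMembers -notcontains $user.DistinguishedName) {
            $findings += "$($user.SamAccountName) is in '$GroupName' but was not granted access to silo '$SiloName'"
        } elseif (-not $user.AuthenticationPolicySilo -or $user.AuthenticationPolicySilo -notlike "CN=$SiloName,*") {
            # Access granted, but Set-ADAccountAuthenticationPolicySilo was never run for this account
            $findings += "$($user.SamAccountName) has access to '$SiloName' but is not assigned to it"
        }
    }

    return $findings
}

$result = @(Test-TierZeroSilo)
if ($result.Count -eq 0) {
    Write-Output "Silo configuration is consistent with group membership."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Computer accounts for the admins' workstations and the domain controllers can be checked the same way by replacing the group walk with Get-ADComputer over the relevant OU, since the same grant-then-assign pair applies to them.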

piaudonn, thank you very much for the step-by-step guide on silo - it's very interesting!

Regards,
Michael
