ADConfig Tool

2/9/2009

The Active Directory Configuration Tool (ADConfig) is a configuration tool that you must use to configure Active Directory directory services for System Center Mobile Device Manager. With ADConfig, you can do the following:

  • Create and name different MDM instances.
  • Create the Active Directory instance structure, service connection points (SCP), Universal Security Groups (USG), organizational units (OU), and other containers for MDM.
  • Co-locate MDM instances side-by-side.
  • Install and enable certificate templates on certification authorities.
  • Set security on Group Policy objects (GPOs) and the default Group Policy object.
  • Upgrade Active Directory configuration from MDM 2008 to MDM 2008 SP1.

ADConfig.exe is in the ADConfig directory of the installation disc for MDM. You can start ADConfig at a command prompt, as the following describes.

  • You must run ADConfig from a computer or server that is in the same site and domain as the MDM system servers.
  • You must not attempt to create two instances in the same domain or forest at the same time and with the same name. If two instances are given the same name, conflicts will occur.
  • You must allow for enough time for the changes to replicate across all domain controllers before you continue with the next parameter in the process.
  • You must run ADConfig from a secure local location and not from a network share.
  • You must have Domain Administrator or equivalent permissions to create MDM instances, Universal Security Groups (USGs), and service connection points (SCPs).
  • You must have Enterprise Administrator (or equivalent) credentials to create a new template in the enterprise. This is because all certificate templates are created in the Active Directory configuration container.
  • You must have Enterprise Administrator and Administrator permissions on the certification authority to enable certificate templates and grant revocation permissions on the certification authority.
  • For the /enablegpsecurity parameter, depending on the options that you select, you must have either Domain Administrator permissions, Schema Administrator permissions, or permissions on a specific GPO.
  • Do not give permissions to Group Policy objects from instances that you do not want calculating policies on behalf of devices.

Syntax

ADConfig.exe /?
ADConfig.exe /listinstance /domain:<domain name> [/quiet]
ADConfig.exe /createinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /enableinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /validateinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /removeinstance:<instance> /domain:<domain name> [/quiet] [/force]
ADConfig.exe /disableinstance:<instance> /domain:<domain name> [/quiet] [/force]
ADConfig.exe /createtemplates:<instance> [/quiet]
ADConfig.exe /enabletemplates:<instance> /ca:<ca server>\<ca name> [/quiet]
ADConfig.exe /disabletemplates:<instance> /ca:<ca server>\<ca name> [/quiet] [/force]
ADConfig.exe /removetemplates:<instance> [/quiet] [/force]
ADConfig.exe /enablegpsecurity:<instance> /gpo:default [/quiet]
ADConfig.exe /enablegpsecurity:<instance> /gpo:<all|GPO ID> /domain:<domain> [/quiet]
ADConfig.exe /disablegpsecurity:<instance> /gpo:default [/quiet] [/force]
ADConfig.exe /disablegpsecurity:<instance> /gpo:<all|GPO ID> /domain:<domain> [/quiet] [/force]
ADConfig.exe /upgradeinstance:<instance> [/quiet]
ADConfig.exe /upgradetemplates:<instance> [/quiet]

Primary Parameters

Actions / Description

/createinstance:<instance name> /domain:<domain name>

  • Creates an MDM instance in a domain.
  • Before you can fully manage the new instance, you must log off the computer on which you run MDM Console and log on again.
  • This parameter requires Domain Administrator permissions.

/enableinstance:<instance name> /domain:<domain name>

  • Enables an MDM instance in a specified domain.
  • This parameter requires Domain Administrator permissions.

/removeinstance:<instance name> /domain:<domain name>

  • Removes an MDM instance from a domain.
  • Before running this parameter, you should first run the /disablegpsecurity parameter.
  • This parameter requires Domain Administrator permissions.

/disableinstance:<instance name> /domain:<domain name>

  • Disables an MDM instance for a specified domain.
  • This parameter requires Domain Administrator permissions.

/listinstance

  • Lists the available MDM instances.
    Note: This parameter returns the instances in the specified domain, but not the instances in a child domain. For example, if you run ADConfig.exe /listinstance /domain:C from a command prompt, you are shown instances from domain "C" but not from any child domain of "C". Also, if no domain parameter is specified, the command lists the instances that exist in all domains in the Active Directory forest.
  • This parameter requires Domain User permissions.

/validateinstance

  • Checks an MDM instance to make sure that it is set up properly. This parameter validates the templates, Active Directory structure, and organizational units (OU).
  • This parameter requires Domain User permissions.

/createtemplates:<instance name>

  • Creates the MDM certificate templates in Active Directory and gives them the appropriate permissions.
  • This parameter requires Enterprise Administrator permissions.

/removetemplates:<instance name>

  • Removes the certificate templates for an MDM instance in Active Directory.
  • This parameter requires Enterprise Administrator permissions.

/enabletemplates:<instance name> /ca:<ca_server_name>\<ca_name>

  • Enables the MDM certificate templates on the specified certification authority. It also grants permissions to MDM on the certification authority. The certification authority server and certification authority name are required for this parameter. To avoid installation problems, you must make sure that the certification authority server is online.
  • This parameter requires:
    • Administrator permissions on the certification authority for setting certification authority permissions.
    • Permissions for adding the templates to the certification authority object in Active Directory. You will need Enterprise Administrator permissions for this action.

/disabletemplates:<instance name> /ca:<ca_server_name>\<ca_name>

  • Disables the templates on a certification authority for a specific MDM instance.
  • This parameter requires:
    • Administrator permissions on the certification authority for setting certification authority permissions.
    • Permissions for adding the templates to the certification authority object in Active Directory. You will need Enterprise Administrator permissions for this action.

/enablegpsecurity:<instance name> /domain:<domain name> /gpo:<all|default|GPO ID>

  • Grants the minimum required permissions to existing Group Policy objects (GPOs) in the specified domain.
  • Enables targeting of individual GPOs.
  • Modifies GPO permissions to allow MDM servers to calculate policies for mobile devices.
  • The only schema changes that ADConfig makes are in the /enablegpsecurity parameter with the default parameter.
  • This parameter requires Domain Administrator permissions for the all parameter.
  • This parameter requires Schema Administrator permissions for the default parameter.
  • This parameter requires GPO permissions for the <GPO ID> parameter.

/disablegpsecurity:<instance name> /domain:<domain name> /gpo:<all|default|GPO ID>

  • Disables the permissions for MDM on the appropriate GPOs.
  • This parameter requires Domain Administrator permissions for the all parameter.
  • This parameter requires Schema Administrator permissions for the default parameter.
  • This parameter requires GPO permissions for the <GPO ID> parameter.

/upgradeinstance:<instance name>

  • Upgrades the specified MDM instance from MDM 2008 to MDM 2008 SP1.
  • This parameter requires Domain Administrator permissions.

/upgradetemplates:<instance name>

  • Updates the certificate templates for the specified MDM instance.
  • This parameter requires Administrator permissions on the certification authority and Enterprise Administrator permissions.

Additional Parameters

Parameters / Description

/domain:<domain name>

  • Specifies the domain in which an ADConfig command operates.
  • Use this parameter with any of the instance and gpsecurity actions.

/ca:<ca_server_name>\<ca_name>

  • Specifies the certification authority server name and certification authority name that the ADConfig command operates on.
  • Use this parameter with the templates actions.

/gpo:<all|default|GPO ID>

  • Specifies the Group Policy that the ADConfig command operates on.
  • Use this parameter with gpsecurity actions.
  • The all parameter affects all GPOs and requires Domain Administrator permissions.
  • The default parameter affects the default GPO template for new GPOs, and requires Schema Administrator permissions.
  • The <GPO ID> parameter affects the specified GPO and requires GPO permissions to the specified GPO.

/force

  • Forces the command to run, even if there are warnings and errors.
  • Use this parameter with all remove and disable actions.

/quiet

  • Prevents the command from prompting the user for confirmation.
  • Use this parameter with any of the ADConfig actions.

Remarks

The order of the parameters is important to deploy MDM successfully.

  1. You must run the /createinstance parameter first, before you run any other parameter. Make sure that the MDM groups and containers appear in Active Directory and that they replicate to all domain controllers before you use any other parameter.
  2. Run ADConfig.exe /enableinstance on any domain where you will have devices for this particular instance.
  3. Run the /createtemplates parameter next. Verify that the certificate templates are visible in your designated certification authority before you continue with the next parameter.
  4. Run the /enabletemplates parameter next, after the /createtemplates parameter. You can run this parameter multiple times on different certification authorities.
  5. Run the /validateinstance parameter next to make sure that the certificate templates, Active Directory structure, and organizational units are set up properly.

If you remove MDM from the network, the order of the parameters is also important: you must undo the steps in reverse order. This means running /disablegpsecurity, then /disabletemplates, then /removetemplates, then /disableinstance, and finally /removeinstance.

The following example shows you how to create an instance named "instance1":

ADConfig.exe /createinstance:instance1 /domain:contoso

The following example shows you how to create an instance named "instance1" but not prompt for confirmation:

ADConfig.exe /createinstance:instance1 /domain:contoso /quiet

MDM Groups Created by ADConfig

ADConfig creates the USGs required by MDM for security.

ADConfig does not configure deny permissions for MDM USGs.

Note

ADConfig grants documented permissions for MDM groups explicitly, without regard to inherited behavior.

SCMDM Managed Devices (<instance name>) is the default organizational unit (OU) created during ADConfig Setup. The instance name is appended to the MDM Managed Devices OU.

MDM Infrastructure Groups

ADConfig creates the following MDM infrastructure groups:

  • SCMDMDeviceManagementServers (<instance name>)
  • SCMDMEnrollmentServers (<instance name>)
  • SCMDMEnrolledDevices (<instance name>)
  • SCMDMSelfServiceServers (<instance name>)

Universal Group for MDM Device Management Server

ADConfig creates this group for all MDM Device Management Server server accounts.

The following describes this group.

USG name

SCMDMDeviceManagementServers (<instance name>)

Control of membership

SCMDMServerAdmins

Active Directory permissions

Enables MDM Device Management Server to access global settings and servers.

Universal Group for MDM Enrollment Server

ADConfig creates this group for all MDM Enrollment Server server accounts. Members of this group can create and delete computer objects from the default MDM Devices OU and revoke certificates for devices on the certification authority.

The following describes this group.

USG name

SCMDMEnrollmentServers (<instance name>)

Control of membership

SCMDMServerAdmins

Active Directory permissions

Enables MDM Enrollment Server to access global settings and servers.

Universal Group for Managed Devices

ADConfig creates this group that includes all managed devices enrolled in MDM.

The following describes this group.

USG Name

SCMDMEnrolledDevices (<instance name>)

Control of membership

SCMDMEnrollmentServers

Active Directory permissions

None

Certification authority permissions

This group has permissions on the certification authority to renew certificates.

Universal Group for MDM Self Service Portal

ADConfig creates this group for MDM administrators to control wipe requests, enrollment requests, device history, and inventory.

The following describes this group.

USG name

SCMDMSelfServiceServers (<instance name>)

Control of membership

SCMDMServerAdmins

Active Directory permissions

Enables MDM Self Service Portal to have permissions on specific services.

MDM Security Groups

ADConfig creates the following MDM security groups:

  • SCMDMSecurityAdmins (<instance name>)
  • SCMDMServerAdmins (<instance name>)
  • SCMDMDeviceAdmins (<instance name>)
  • SCMDMDeviceSupport (<instance name>)
  • SCMDMHelpdeskOperator (<instance name>)
  • SCMDMReadOnlyUsers (<instance name>)
  • SCMDMAuthorizedUsers (<instance name>)

To read more on MDM Security Groups, see Security and Protection for Mobile Device Manager.

Universal Group for Security Administrators

ADConfig creates this group for MDM security administrators to manage group membership to other MDM groups.

The SCMDMSecurityAdmins group has control over membership of all user-based USGs:

  • SCMDMServerAdmins (<instance name>)
  • SCMDMDeviceAdmins (<instance name>)
  • SCMDMDeviceSupport (<instance name>)
  • SCMDMHelpdeskOperator (<instance name>)
  • SCMDMAuthorizedUsers (<instance name>)
  • SCMDMReadOnlyUsers (<instance name>)

The following describes this group:

USG name

SCMDMSecurityAdmins (<instance name>)

Control of membership

DomainAdmins

Active Directory permissions

The SCMDMSecurityAdmins group enables enterprise-level administrators to control all MDM user-based USGs.

Universal Group for MDM Server Administrators

ADConfig creates this group for MDM administrators to manage and set up computers to run the MDM system. Members can add or remove members from all other groups and implicitly have complete management abilities over managed devices.

The following describes this group.

USG name

SCMDMServerAdmins (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

The SCMDMServerAdmins group must have access and credentials to create databases on the computer that is running Microsoft SQL Server. The SQL administrator adds this group to the system access control list (SACL) manually.

The SCMDMServerAdmins group Active Directory credentials enable the enterprise-level administrator to control all global settings and any computer that is running MDM.

The SCMDMServerAdmins group provides the following:

  • Read permissions on SCMDMServerAdmins group
  • Read/write permissions on attributes for Active Directory SCP
  • Add/remove membership permissions on the SCMDMDeviceManagementServers, SCMDMEnrollmentServers, and SCMDMSelfServiceServers groups

Universal Group for Managed Device Administrators

ADConfig creates this group for enterprise-level administrators to control global settings on any managed device that is connected to the MDM system.

This group provides the following:

  • Ability for enterprise-level administrators to control all MDM configuration settings for any computer that is running the MDM system
  • Read permission on all global settings
  • Read permission on server and instance settings

The following describes this group:

USG name

SCMDMDeviceAdmins (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

Device administrators for MDM have access to device management functions.

A universal security group for MDM device administrators to manage devices and perform device operations.

Universal Group for Managed Device Support

ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.

This group provides the following:

  • Read permission on all global settings
  • Read permission on all users and computers in the MDM system
  • Read permission on server and instance settings
  • Read permission on all users in the MDM system

The following describes this group:

USG name

SCMDMDeviceSupport (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

Second-tier senior Helpdesk device support

A universal security group for MDM Device Support to provide device support for MDM managed devices

Universal Group for Helpdesk Operator

ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.

This group provides the following:

  • Read permission on all global settings
  • Read permission on all users and computers in the MDM domain
  • Read permission on server and instance settings
  • Read permission on all user settings in the MDM domain

The following describes this group.

USG name

SCMDMHelpdeskOperator (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

First-tier Helpdesk support

A universal security group for Helpdesk operators to provide device support for MDM-managed devices

Universal Group for Read-Only Users

ADConfig creates this group for read-only permissions on an instance. This group provides device support for MDM-managed devices. This group cannot create tasks or modify any settings in the MDM system.

This group provides the following:

  • Read permission on all global settings
  • Read permission on all users and computers in the MDM domain
  • Read permission on server and instance settings
  • Read permission on all user settings in the MDM domain
  • Read permissions on device objects

The following describes this group:

USG name

SCMDMReadOnlyUsers (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

Read-only administrators for MDM have access to device support functions.

A universal security group for MDM device support administrators to view device settings and information.

Universal Group for Instance Authorized Users

ADConfig creates this group for authorized users to access MDM Self Service Portal and other portions of the instance. Users of this group can access any MDM Self Service Portals associated with the instance, as well as other instance resources.

The following describes this group:

USG name

SCMDMAuthorizedUsers (<instance name>)

Control of membership

SCMDMSecurityAdmins (<instance name>)

Active Directory permissions

By default, all domain users are added to this group. To restrict access to MDM Self Service Portal, limit this group membership. To grant access to MDM Self Service Portal, add members to this group.

MDM Self Service Portal applies access control lists (ACLs) to this group to restrict access to MDM Self Service Portal based on the membership of this group. Administrators can remove members from the group to restrict access.

ADConfig Operations

When you run ADConfig, MDM performs certain operations based on the parameters that you use. The following provides details about the operations that MDM performs when you run ADConfig.

Note

By default, ADConfig writes a log file to the current directory, or the Temp directory, depending on where it has permissions. You should back up these log files to persistent storage and periodically remove extraneous log files to save hard disk space.

ADConfig-Created Domain Objects

When you run ADConfig by using the /createinstance parameter, MDM creates objects in Active Directory to contain elements of MDM. The following shows the structure of these objects.

DefaultNamingContext
 CN=System
   CN=SCMDM
      <instance name> [SCP]

SCMDM Managed Devices (<instance name>) [OU]
  (The devices OU where all MDM devices are created by default)

CN=Users and Computers [container or Users Redirect OU]
  SCMDMSecurityAdmins (<instance name>) [USG]
  SCMDMServerAdmins (<instance name>) [USG]
  SCMDMDeviceAdmins (<instance name>) [USG]
  SCMDMDeviceSupport (<instance name>) [USG]
  SCMDMHelpdeskOperator (<instance name>) [USG]
  SCMDMAuthorizedUsers (<instance name>) [USG]
  SCMDMReadOnlyUsers (<instance name>) [USG]

OU=SCMDM Infrastructure Groups (<instance name>) [OU]
  SCMDMDeviceManagementServers (<instance name>) [USG]
  SCMDMEnrollmentServers (<instance name>) [USG]
  SCMDMEnrolledDevices (<instance name>) [USG]
  SCMDMSelfServiceServers (<instance name>) [USG]

  • Under CN=System, MDM creates the following container structure in the specified domain. This example is shown by using the default naming context:

    CN=SCMDM
      <instance name> [SCP]

  • Under CN=Users and Computers, MDM creates the following groups in the specified domain. This example is shown by using the default naming context:

    - USG: SCMDMSecurityAdmins (<instance name>)
    - USG: SCMDMServerAdmins (<instance name>)
    - USG: SCMDMDeviceAdmins (<instance name>)
    - USG: SCMDMDeviceSupport (<instance name>)
    - USG: SCMDMHelpdeskOperator (<instance name>)
    - USG: SCMDMAuthorizedUsers (<instance name>)
    - USG: SCMDMReadOnlyUsers (<instance name>)

  • As a sibling of CN=Users, MDM creates the following OU in the specified domain. This example is shown by using the default naming context:

    OU=SCMDM Infrastructure Groups (<instance name>)
    - USG: SCMDMDeviceManagementServers (<instance name>)
    - USG: SCMDMEnrollmentServers (<instance name>)
    - USG: SCMDMEnrolledDevices (<instance name>)
    - USG: SCMDMSelfServiceServers (<instance name>)

  • At the root level, MDM creates the following OU:

    OU=SCMDM Managed Devices (<instance name>) (default OU for enrolled devices)

    
  • MDM adds members of the Domain Administrators group of the specified domain to the SCMDMServerAdmins (<instance name>) group.

  • MDM adds the SCMDMDeviceManagementServers (<instance name>) group to the Windows Authorization Access (WAA) group of the specified domain.

  • MDM gives Add/Remove Members permissions on all other MDM groups to the SCMDMServerAdmins (<instance name>) group.

  • MDM gives Add/Remove Members permissions on the SCMDMEnrolledDevices (<instance name>) group to the SCMDMEnrollmentServers (<instance name>) group.

  • MDM gives Create/Delete computer objects permissions on the MDM Devices OU to the SCMDMEnrollmentServers (<instance name>) group.

  • MDM gives read/write permissions on the keywords attribute of the SCMDM SCP to the SCMDMServerAdmins (<instance name>) and Enterprise Administrators groups.

  • When you run MDM in successive domains, it adds the SCMDMDeviceManagementServers (<instance name>) group to the Windows Authorization Access (WAA) group of the specified domain. To run MDM in successive domains, you must use the /enableinstance parameter.
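The replication check that step 1 of the deployment order asks for ("make sure that the MDM groups and containers ... replicate to all domain controllers"), written against the object structure listed above. This is an added PowerShell example, not part of the ADConfig documentation or the MDM product; it assumes the objects are named exactly as listed, that the instance SCP sits at CN=<instance name>,CN=SCMDM,CN=System under the domain naming context, and that the host can reach every domain controller over LDAP.

```powershell
# Added example, not part of the ADConfig documentation or the MDM product.
# Confirms on every domain controller that the objects /createinstance creates
# (instance SCP, the two OUs and the eleven USGs listed above) exist, before
# /enableinstance or /createtemplates is run. Uses System.DirectoryServices
# only, so it needs no AD cmdlets; run it as a domain user on a domain-joined
# host that can reach all domain controllers over LDAP.
param(
    [Parameter(Mandatory = $true)][string]$InstanceName   # e.g. instance1
)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: the MDM names contain parentheses, which would
    # otherwise be read as filter syntax. Backslash must be escaped first.
    param([string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a')
}

function Test-ObjectOnDc {
    # Subtree search for one object by class and name, bound to a specific DC so
    # that replication (not just "it exists somewhere") is what gets checked.
    param([string]$DcName, [string]$DomainDn, [string]$ObjectClass, [string]$Name)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcName/$DomainDn")
    $filter = "(&(objectClass=$ObjectClass)(name=$(ConvertTo-LdapFilterValue $Name)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, [string[]]@('distinguishedName'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    return ($null -ne $searcher.FindOne())
}

function Test-MdmInstanceReplicated {
    param([string]$InstanceName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domainDn = [string]$domain.GetDirectoryEntry().Properties['distinguishedName'].Value

    # Expected names, taken from the "ADConfig-Created Domain Objects" structure.
    $groups = @('SCMDMSecurityAdmins', 'SCMDMServerAdmins', 'SCMDMDeviceAdmins',
                'SCMDMDeviceSupport', 'SCMDMHelpdeskOperator', 'SCMDMAuthorizedUsers',
                'SCMDMReadOnlyUsers', 'SCMDMDeviceManagementServers', 'SCMDMEnrollmentServers',
                'SCMDMEnrolledDevices', 'SCMDMSelfServiceServers') | ForEach-Object { "$_ ($InstanceName)" }
    $ous = @("SCMDM Managed Devices ($InstanceName)", "SCMDM Infrastructure Groups ($InstanceName)")
    $scpDn = "CN=$InstanceName,CN=SCMDM,CN=System,$domainDn"

    $allPresent = $true
    foreach ($dc in $domain.DomainControllers) {
        $missing = @()
        # The SCP has a fixed path, so a direct bind on this DC is enough.
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($dc.Name)/$scpDn")) {
            $missing += "SCP $scpDn"
        }
        # The USG container may be CN=Users or a redirected OU, so search the subtree.
        foreach ($ou in $ous) {
            if (-not (Test-ObjectOnDc $dc.Name $domainDn 'organizationalUnit' $ou)) { $missing += "OU $ou" }
        }
        foreach ($g in $groups) {
            if (-not (Test-ObjectOnDc $dc.Name $domainDn 'group' $g)) { $missing += "USG $g" }
        }
        if ($missing.Count -eq 0) {
            Write-Host "$($dc.Name): all ADConfig objects for '$InstanceName' are present"
        } else {
            $allPresent = $false
            Write-Warning "$($dc.Name): missing $($missing -join ', ')"
        }
    }
    return $allPresent
}

if (-not (Test-MdmInstanceReplicated -InstanceName $InstanceName)) {
    Write-Warning 'Not yet replicated to every domain controller; wait before running the next ADConfig parameter.'
    exit 1
}
```

A non-zero exit code means at least one domain controller is still missing objects, which is the condition under which the documentation says to wait before the next ADConfig parameter.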

Enable Certificate Templates on the Certification Authority

When you run ADConfig by using the /enabletemplates parameter, MDM enables the certificate templates on the certification authority specified by <CA server>\<CA name> and grants permissions to users and USGs on the certification authority. It also sets certificate enroll permissions and certificate restrictions on the certification authority.

For information about the three certificate templates that MDM creates with the /createtemplates parameter, see Manual Certificate Procedures.

Modify Permissions on Group Policy Objects

When you run ADConfig by using the /enablegpsecurity parameter, MDM modifies permissions on certain Group Policy objects (GPOs).

  • /enablegpsecurity:<instance name> /gpo:default
    • Modifies permissions on the default GPO security descriptor for MDM
    • Requires permissions on the default GPO security descriptor. Generally, these are schema administrator credentials
  • /enablegpsecurity:<instance name> /domain:<domain name> /gpo:<GPO ID>
    • Modifies permissions on the specified GPO in the specified domain
    • Requires permissions on the GPO object
  • /enablegpsecurity:<instance name> /domain:<domain name> /gpo:all
    • Modifies permissions on all existing GPOs in the specified domain
    • Requires permissions on all existing GPOs in the specified domain

Modifying an MDM Instance Friendly Name

After you install MDM or make modifications to the MDM system, you may want to change the instance friendly name. You cannot change the immutable instance name. However, you can change the friendly name by following the steps below.

If you modify the SCPs, you must restart all administration consoles or any open MDM Shell to show the change. These restarts are necessary to correctly detect the new SCPs.

Important

If you modify Active Directory with a low-level editor such as ADSIEdit, you could cause problems with your Active Directory structure or environment. Any changes you make to Active Directory could cause serious system errors. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.

To modify an instance friendly name

  1. Start ADSIEdit.

  2. Expand the domain in which you first ran ADConfig.

  3. Expand CN=System.

  4. Expand CN=SCMDM. The list of instance SCPs is shown.

  5. Right-click the SCP for the instance that you want to modify. For example, CN=<Instance Name SCP>.

  6. Select Properties.

  7. In the CN=<Instance Name SCP> Properties dialog box, select Show only attributes that have values.

  8. Locate and then select the keywords attribute.

  9. Choose Edit to view the current values for that instance.

  10. In the Multi-valued String Editor dialog box, select the value "friendlyname=<name>," and then choose Remove. The value appears in the Value to add box.

  11. Modify the entry but do not change the friendlyname= in front of the newly modified Value to add entry.

  12. Choose Add. The modified entry appears in the Values list.

  13. Choose OK two times to close the editor.
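The same friendly-name change carried out with System.DirectoryServices instead of ADSIEdit, as an added PowerShell example that is not part of the ADConfig documentation or the MDM product. It assumes, as the procedure above states, that the instance SCP is CN=<instance name>,CN=SCMDM,CN=System in the domain where ADConfig was first run and that its multi-valued keywords attribute holds exactly one friendlyname= value.

```powershell
# Added example, not part of the ADConfig documentation or the MDM product.
# Replaces the single "friendlyname=<old>" value in the multi-valued keywords
# attribute of the instance SCP and leaves every other keyword value as it is.
# Run it in the domain where ADConfig was first run, or pass that domain's
# DN with -DomainDn. Supports -WhatIf and -Verbose.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$InstanceName,      # the immutable instance name
    [Parameter(Mandatory = $true)][string]$NewFriendlyName,   # text that follows friendlyname=
    [string]$DomainDn                                          # optional; defaults to the current domain
)

function Set-MdmInstanceFriendlyName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$InstanceName, [string]$NewFriendlyName, [string]$DomainDn)

    if (-not $DomainDn) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $DomainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    }
    # Steps 2 to 5 of the procedure: the SCP lives under CN=SCMDM,CN=System.
    $scpDn = "CN=$InstanceName,CN=SCMDM,CN=System,$DomainDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$scpDn")) {
        throw "Instance SCP not found: $scpDn"
    }
    $scp = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$scpDn")

    # Steps 8 and 9: keywords is multi-valued; only the friendlyname= entry changes.
    $keywords = @($scp.Properties['keywords'] | ForEach-Object { [string]$_ })
    $old = @($keywords | Where-Object { $_ -like 'friendlyname=*' })
    if ($old.Count -ne 1) {
        throw "Expected exactly one friendlyname= keyword on $scpDn, found $($old.Count)"
    }
    # Step 11: the friendlyname= prefix must stay in front of the new value.
    $new = "friendlyname=$NewFriendlyName"
    if ($new -eq $old[0]) {
        Write-Verbose 'Friendly name already has that value; nothing to do.'
        return $false
    }
    # Steps 10 and 12: remove the old value, add the new one, then commit (step 13).
    if ($PSCmdlet.ShouldProcess($scpDn, "Replace keyword '$($old[0])' with '$new'")) {
        $scp.Properties['keywords'].Remove($old[0])
        $scp.Properties['keywords'].Add($new)
        $scp.CommitChanges()
        return $true
    }
    return $false
}

if (Set-MdmInstanceFriendlyName -InstanceName $InstanceName -NewFriendlyName $NewFriendlyName -DomainDn $DomainDn) {
    # The documentation notes that consoles and MDM Shell sessions must be
    # restarted to detect a modified SCP.
    Write-Host "Friendly name of '$InstanceName' updated; restart MDM consoles and MDM Shell sessions to see the change."
}
```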