
DFSNamespaceRoot: Configure Delegation #104

Open
randomnote1 opened this issue Jun 10, 2020 · 3 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@randomnote1

Details of the scenario you tried and the problem that is occurring

I need to be able to configure the users in the Delegation tab. I think this is the most appropriate resource for this feature to be added.

Suggested solution to the issue

Use the Set-DfsnRoot cmdlet with the -GrantAdminAccounts parameter.

Delegate management permissions for DFS Namespaces

Version of the DSC module that was used ('dev' if using current dev branch)

4.4.0.0

@PlagueHO PlagueHO added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Sep 28, 2020
@PlagueHO
Member

Hi @randomnote1 - this seems like a good feature to add.

This feature is non-trivial however, because the Get-DfsnRoot cmdlet doesn't return the list of AD groups granted Admin credentials. So determining if the resource is in state would be difficult or have a significant performance implication (e.g. scanning a large AD to determine which accounts had permissions set would be expensive).

If the above problem could be solved then we could add the following parameters:

    [Write, Description("Specifies an array of accounts to grant admin permissions on.")] String GrantAdminAccounts[];
    [Write, Description("Specifies an array of accounts to revoke admin permissions on.")] String RevokeAdminAccounts[];

@Borgquite
Contributor

If anyone's trying to do this, it should be possible using the ActiveDirectoryDsc module's ADObjectPermissionEntry resource.

https://github.com/dsccommunity/ActiveDirectoryDsc/wiki/ADObjectPermissionEntry

To modify Delegate Management Permissions for all DFS Namespaces, you need to set permissions on

CN=DFS-Configuration,CN=System,DC=domain,DC=goes,DC=here

On a single namespace:

CN=NamespaceName,CN=DFS-Configuration,CN=System,DC=domain,DC=goes,DC=here

For all DFS Replication Groups:

CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=goes,DC=here

For a single replication group:

CN=ReplicationGroupName,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=goes,DC=here

I hope this helps anyone else who wants to achieve this!

https://mskb.pkisolutions.com/kb/258992

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/delegating-dfs-replication

@Borgquite
Contributor

For example, the following ActiveDirectoryDsc configuration will replicate the 'Delegate Management Permissions...' options within the DFS Management Console for both the Namespaces and Replication nodes:

# Create groups for Delegate Administration permissions for DFS Namespaces and DFS Replication Groups
Configuration DfsDelegation
{
    # ADGroup and ADObjectPermissionEntry come from ActiveDirectoryDsc
    Import-DscResource -ModuleName ActiveDirectoryDsc

    Node localhost
    {
        ADGroup "DFSN Admins"
        {
            GroupName = "DFSN Admins"
            GroupScope = "DomainLocal"
            Path = "CN=Users,DC=contoso,DC=com"
            Description = "Members of this group can create new DFS Namespaces within the domain"
            Ensure = "Present"
        }
        ADObjectPermissionEntry "DFSN Admins"
        {
            Path = "CN=Dfs-Configuration,CN=System,DC=contoso,DC=com"
            IdentityReference = "CONTOSO\DFSN Admins"
            ActiveDirectoryRights = "CreateChild" # Create all child objects
            AccessControlType = "Allow"
            ObjectType = "00000000-0000-0000-0000-000000000000" # All object types
            ActiveDirectorySecurityInheritance = "None"
            InheritedObjectType = "00000000-0000-0000-0000-000000000000" # This object only
            Ensure = "Present"
            DependsOn = @("[ADGroup]DFSN Admins")
        }
        ADGroup "DFSR Admins"
        {
            GroupName = "DFSR Admins"
            GroupScope = "DomainLocal"
            Path = "CN=Users,DC=contoso,DC=com"
            Description = "Members of this group can create new DFS Replication Groups within the domain"
            Ensure = "Present"
        }
        ADObjectPermissionEntry "DFSR Admins"
        {
            Path = "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com"
            IdentityReference = "CONTOSO\DFSR Admins"
            ActiveDirectoryRights = "CreateChild" # Create all child objects
            AccessControlType = "Allow"
            ObjectType = "00000000-0000-0000-0000-000000000000" # All object types
            ActiveDirectorySecurityInheritance = "None"
            InheritedObjectType = "00000000-0000-0000-0000-000000000000" # This object only
            Ensure = "Present"
            DependsOn = @("[ADGroup]DFSR Admins")
        }
    }
}

https://regularsysadmin.wordpress.com/2015/02/01/delegating-dfs-to-non-domain-admins/
https://www.itprotoday.com/windows-78/jsi-tip-6319-how-do-i-delegate-ability-create-dfs-shares-windows-2000-server
https://mskb.pkisolutions.com/kb/258992
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/delegating-dfs-replication
https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/delegate-management-permissions-for-dfs-namespaces
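An added example, not code from this thread, DfsDsc or ActiveDirectoryDsc, addressing the "is the resource in state" problem raised earlier: since Get-DfsnRoot does not expose the delegated accounts, it reads the explicit ACEs on the containers listed in the previous comments, which is where the console stores the delegation. It assumes the ActiveDirectory module (AD: drive) on a domain-joined host; the function names and the 'CONTOSO\DFSN Admins' identity are made up for illustration.

```powershell
# Added example: not code from this thread, DfsDsc or ActiveDirectoryDsc.
# The DFS console stores delegation as ACEs on the containers named above;
# Get-DfsnRoot does not expose them, so read the ACL directly.
# Assumes the ActiveDirectory module (AD: drive) on a domain-joined host.
Import-Module ActiveDirectory

function Get-DfsDelegation {
    param (
        # 'Namespaces' -> CN=Dfs-Configuration, 'Replication' -> CN=DFSR-GlobalSettings
        [ValidateSet('Namespaces', 'Replication')] [string] $Scope = 'Namespaces',
        # Optional namespace or replication group name for per-object delegation
        [string] $Name
    )
    $domainDN = (Get-ADRootDSE).defaultNamingContext
    $container = if ($Scope -eq 'Namespaces') { 'CN=Dfs-Configuration' } else { 'CN=DFSR-GlobalSettings' }
    $dn = "$container,CN=System,$domainDN"
    if ($Name) { $dn = "CN=$Name,$dn" }

    # Only explicit Allow ACEs: inherited ones come from CN=System, not from delegation
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Container'; e = { $dn } },
                      IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}

function Test-DfsDelegation {
    # The 'in state' check a Test-TargetResource would need: does $Identity hold an
    # explicit Allow ACE carrying at least $Right on the chosen container?
    param (
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'CONTOSO\DFSN Admins' (made up)
        [ValidateSet('Namespaces', 'Replication')] [string] $Scope = 'Namespaces',
        [string] $Name,
        [System.DirectoryServices.ActiveDirectoryRights] $Right = 'CreateChild'
    )
    $match = Get-DfsDelegation -Scope $Scope -Name $Name | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band $Right) -eq $Right
    }
    return [bool] $match
}

# Usage: list current delegation, then test the group from the configuration above.
Get-DfsDelegation -Scope Namespaces | Format-Table -AutoSize
Test-DfsDelegation -Identity 'CONTOSO\DFSN Admins' -Scope Namespaces
```

Because it reads a single object's ACL rather than scanning the directory, the check stays cheap even in a large AD, and GenericAll (Full Control, as granted per namespace) satisfies the CreateChild test through the flag comparison.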
