Source code of Windows XP (NT5)

Overview
========

In Whistler, the default security descriptors of various objects were adjusted to tighten domain and forest security. By default, domain controllers that were upgraded to Whistler do not receive all of these security enhancements, and the access control entries of existing objects are not changed.

Run this script on domain controllers that have been upgraded to Whistler to ensure that an upgraded domain and all objects in the domain have the same level of security as a freshly installed Whistler domain.

Domain Security Improvements
----------------------------

One example of the domain security improvements in Whistler is that the Anonymous Logon token was removed from the Everyone group, so, by default, only authenticated users are members of the Everyone group. This change improves security because, when members of the Everyone group are granted access to a resource, only authenticated users will have access to that resource.

If the upgraded domain is configured to allow pre-Windows 2000 compatible access, the script will add the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group. To determine whether a particular domain allows pre-Windows 2000 compatible access, check the membership of the Pre-Windows 2000 Compatible Access group: if the Everyone group is a member of the Pre-Windows 2000 Compatible Access group, the domain allows pre-Windows 2000 compatible access, and running the script on this domain will add the Anonymous Logon group to that group.
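The membership check described above, as an added read-only example (not part of the original readme or of UpdateDomainACL.vbs). It reports whether Everyone (well-known SID S-1-1-0) and Anonymous Logon (S-1-5-7) are members of the Pre-Windows 2000 Compatible Access group, so an administrator can tell in advance whether the domain component will add Anonymous Logon. It assumes a domain-joined Windows host, an account that can read group membership, and that the group still carries its original sAMAccountName; it resolves members by objectSid because the well-known principals are stored as foreign security principal objects.

```powershell
# Added example, not from the original readme or UpdateDomainACL.vbs.
# Read-only: reports whether Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7)
# are members of the Pre-Windows 2000 Compatible Access group.
# Assumptions: domain-joined host, account with read access to the group,
# group still has its original sAMAccountName.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext

# Locate the group by sAMAccountName (the name the Troubleshooting section
# of the readme warns must not have been changed).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.Filter = '(&(objectCategory=group)(sAMAccountName=Pre-Windows 2000 Compatible Access))'
$hit = $searcher.FindOne()
if (-not $hit) {
    throw "Group 'Pre-Windows 2000 Compatible Access' not found; was it renamed?"
}
$group = $hit.GetDirectoryEntry()

# Well-known principals (Everyone, Anonymous Logon) appear in the member list
# as foreign security principal objects, so resolve each member DN to its
# objectSid instead of trusting the CN.
$memberSids = foreach ($dn in $group.member) {
    $member   = [ADSI]"LDAP://$dn"
    $sidBytes = $member.Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
}

$everyoneIsMember  = $memberSids -contains 'S-1-1-0'
$anonymousIsMember = $memberSids -contains 'S-1-5-7'

if ($everyoneIsMember -and -not $anonymousIsMember) {
    'Domain allows pre-Windows 2000 compatible access; Anonymous Logon is not yet a member (the domain component would add it).'
} elseif ($everyoneIsMember -and $anonymousIsMember) {
    'Domain allows pre-Windows 2000 compatible access; Anonymous Logon is already a member.'
} else {
    'Domain does not allow pre-Windows 2000 compatible access (Everyone is not a member); nothing for the script to add here.'
}
```

Run it from a PowerShell prompt on a domain controller or a domain-joined workstation; it changes nothing, so it is safe to run before and after the script to confirm the membership change took effect.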
For a list of the domain security changes made, see the Domain Component Output section of this document. For a list of the objects to which additional access control entries were added, see the Details section of this document. For descriptions of each of the new access control entries, see the comments in the script.

Forest Security Improvements
----------------------------

Active Directory stores forest configuration information in the Configuration container, which is replicated to all domain controllers in the forest. This script will add Whistler access control entries to existing objects in the Configuration container.

For a list of the forest security changes made, see the Forest Component Output section below. For a list of the objects to which additional access control entries were added, see the Details section of this document. For descriptions of each of the new access control entries, see the comments in the script.

Usage
=====

The script has two components: a domain component and a forest component. A command line parameter specifies which component to execute.

To run the domain component, you must have Global Admin rights in the domain; local Administrator rights are not sufficient for some of the changes. To run the forest component, you must have Enterprise Administrator rights.

Run the domain component on only one domain controller that has been upgraded to Whistler in each domain in your forest. The changes will replicate to the other domain controllers in the domain.

Run the forest component on only one domain controller that has been upgraded to Whistler. The changes will replicate to all of the domain controllers in the forest.

You need to specify the name of the domain. The domain controller where you run the script must be a domain controller in this domain.

To run the script:

1. Open a command window.
2. Type

   cscript UpdateDomainACL.vbs [ /Domain | /Forest ] [Domainname]
Troubleshooting
===============

If the update of one or more access control entries fails, make sure that you are running the script with sufficient privileges. You must have Domain Administrator rights to run the domain component and Enterprise Administrator rights to run the forest component.

Individual updates will fail if the sAMAccountName of either of the following groups has been changed:

- Pre-Windows 2000 Compatible Access
- Cert Publishers

To solve the problem, either rename the groups back to their original sAMAccountName, or adjust the trustee names used in the script to the new sAMAccountNames.
Script Output
=============

Domain Component Output
-----------------------

If all domain access control list updates succeed, you will see the following output:

C:\>cscript UpdateDomainACL.vbs /Domain example.microsoft.com
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2000. All rights reserved.

Anonymous Logon to Pre-Windows 2000 Compatible Access Group added
Domain Password Property Set ACE set for RU
Domain Other Parameters ACE set for RU
Inheritable rights on Organizational Units set on Domain Object for RU
Domain policy ACE for Enterprise Domain Controllers set
Domain Controller policy ACE for ED set
Policy Container ACE for Enterprise Domain Controllers set
AdminSDHolder ACEs set
ACE for Enterprise Domain Controllers on user domain policy set
ACE for Enterprise Domain Controllers on user DC policy set
ACE for Enterprise Domain Controllers on machine domain policy set
ACE for Enterprise Domain Controllers on machine DC policy set

Forest Component Output
-----------------------

If all forest access control list updates succeed, you will see the following output:

C:\>cscript UpdateDomainACL.vbs /Forest example.microsoft.com
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2000. All rights reserved.

Inherited ACE for Enterprise Domain Controllers on Sites container set
Details
=======

The script creates additional access control entries on the following objects:

Domain Component:

- Domain-DNS (or the domain)
- Default Domain Policy
- Default Domain Controllers Policy
- AdminSDHolder
- Existing group policies (user and machine policies)

Forest Component:

- The sites container
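An added read-only audit over the objects listed above (example code, not part of the original readme or of UpdateDomainACL.vbs). It lists the explicit access control entries granted to the two trustees that the Script Output section names by their SDDL abbreviations: ED is Enterprise Domain Controllers (S-1-5-9) and RU is Pre-Windows 2000 Compatible Access (S-1-5-32-554). Running it before and after the script shows which entries the script added; it does not itself verify the specific rights, since those are documented only in the script's comments. It assumes a domain-joined Windows host with read access to the domain head, AdminSDHolder, the group policy containers under CN=Policies,CN=System, and the Sites container; the two default policies are covered by enumerating every GPO container.

```powershell
# Added example, not from the original readme or UpdateDomainACL.vbs.
# Read-only audit: list explicit ACEs for ED (S-1-5-9) and RU (S-1-5-32-554)
# on the objects named in the Details section.
# Assumptions: domain-joined host with read access to these objects.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext
$configDN = $rootDse.configurationNamingContext

# SDDL abbreviations used in the script's output, mapped from their SIDs.
$trustees = @{
    'S-1-5-9'      = 'ED (Enterprise Domain Controllers)'
    'S-1-5-32-554' = 'RU (Pre-Windows 2000 Compatible Access)'
}

# Domain component objects, then the forest component's Sites container.
$targets = [ordered]@{
    'Domain (Domain-DNS object)' = "LDAP://$domainDN"
    'AdminSDHolder'              = "LDAP://CN=AdminSDHolder,CN=System,$domainDN"
    'Sites container'            = "LDAP://CN=Sites,$configDN"
}
# "Existing group policies": every GPO container under CN=Policies, which
# includes the Default Domain Policy and Default Domain Controllers Policy.
$policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDN"
foreach ($gpo in $policies.psbase.Children) {
    $targets["GPO $($gpo.displayName)"] = $gpo.psbase.Path
}

foreach ($name in $targets.Keys) {
    $entry = [ADSI]$targets[$name]
    # includeExplicit=$true, includeInherited=$false: only entries set on the
    # object itself, which is where the script's additions land.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $trustees.ContainsKey($_.IdentityReference.Value) }
    if (-not $rules) {
        "$name : no explicit ACE for ED or RU"
        continue
    }
    foreach ($r in $rules) {
        '{0} : {1} {2} {3} (inheritance: {4}, objectType: {5})' -f $name,
            $trustees[$r.IdentityReference.Value], $r.AccessControlType,
            $r.ActiveDirectoryRights, $r.InheritanceType, $r.ObjectType
    }
}
```

Capture the output to a file before running the script and diff it against a second capture afterwards; the lines that appear only in the second capture are the entries the script added, and an object that still reports "no explicit ACE" after the domain or forest component ran points to a failed update (see Troubleshooting).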