Thursday, August 21, 2014

"The following user or group can join this computer to a domain" using Powershell

 When reading the "Delegate not working" thread on the MS Technet (http://social.technet.microsoft.com/Forums/windowsserver/en-US/2b8b6afb-a712-4b4f-9613-bf8ff9330127/delegate-control-not-working?forum=winserverDS) I remembered companies I worked for in the past usually create new computer objects for the computers they bought. Computers are then installed and delivered to the user by onsite support teams that work as a local Administrator but have limited access to the Active Directory.

Even though they need to join a newly installed computer to your Directory. 

 

The process is as followed

1.       In a first step your onsite services provides a consolidated list of computer names and Ous to store the computers.

2.       Now you go and create all the computer objects and you set up the permission to join a computer to the domain by the onsite teams.
In my case we created a group called "ComputerJoinAdmins". All onsite team admin accounts are member of that group.

3.       In the final step the onsite team  can install the computer and join it to your domain.

 

You can set up the permission to join a computer to a domain via GUI when you create the computer object. When you can see the "New Computer" dialog you are able to also set a group name or user name who is allowed to join that computer to your domain. In the screenshot below you can see that a group named "ComputerJoinAdmins", including the onsite support group of our test lab, ill be allowed to join that computer to the domain.

 

 

 

Unfortunately that procedure is not very useful for your production environment where you may have hundreds of computers that are changed (replaced, re-installed, …) over the day. In that case I am asked frequently for a procedure to set up a computer object from  a script, using powershell.

 

You may have already noticed , when using the ActiveDirectory module with Windows Server 2008 or 2012, in Powershell there is a cmdlet called "new-adcomputer" , (see also http://technet.microsoft.com/en-us/library/ee617245.aspx). While the cmdlet is able to create your computer object you cannot directly set up the "that users can join that computer to the domain" setting. So you still need to setup the permission to allow a user or group to join a computer to your domain, even if you already created /pre-populated the object.

 

The difference between a computer set up with "default" permissions, so it will only inherit permissions from your OrganizationalUnit and a computer object with the join permissions is seven ACL entries.

 

ActiveDirectoryRights

ObjectType

ObjectFlags

AccessControlType

IdentityReference

DeleteTree, ExtendedRight, Delete, GenericRead

00000000-0000-0000-0000-000000000000

None

Allow

mydomain\ComputerJoinAdmins

WriteProperty

4c164200-20c0-11d0-a768-00aa006e0529

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

Self

f3a64788-5306-11d1-a9c5-0000f80367c1

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

Self

72e39547-7b18-11d1-adef-00c04fd8d5cd

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

WriteProperty

3e0abfd0-126a-11d0-a060-00aa006c33ed

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

WriteProperty

bf967953-0de6-11d0-a285-00aa003049e2

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

WriteProperty

bf967950-0de6-11d0-a285-00aa003049e2

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

WriteProperty

5f202010-79a5-11d0-9020-00c04fc2d4cf

ObjectAceTypePresent

Allow

mydomain\ComputerJoinAdmins

As we said before, that permissions are not inherited, so I removed the "InheritedObjectType", "InheritanceType", "InheritanceFlags" and "IsInherited" property from that table. As a computer workstation is not a container object, I also removed the PropagationFlags property.

Now we can do the required tasks

1.       Create the computer object to have an object you can grant permissions for your ComputerJoinAdmins.

2.       Add access rule entries (ACEs) to your object for the group ComputerJoinAdmins.

 

And here we go for a single computer called mobile 1000 in an example OU called "OU=JP,OU=Sites,DC=mgtest1,DC=com".

 

# Initially we set up the names for our Onsite team group 

$mycomputeradmins = "ComputerJoinAdmins"

# and our computer name

$computername     = "mobile1000"

 

# as we need the SID for the Onsite team group  instead of the name we get that on run-time from AD

# my case that is finally transferred to a variable called UserSID

$mycomputeradminssid = (Get-ADGroup $mycomputeradmins ).sid

$usersid = $mycomputeradminssid

 

# now we create the new AD computer object and receive the object in a variable  called $mycomputer

new-adcomputer -path "OU=JP,OU=Sites,DC=mgtest1,DC=com" $computername

$mycomputer           = get-adcomputer $computername

 

# from the distinguishedname we can get the ACL of the computer object.
# (in Powershell you have the syntax AD:distinguishedname to get the AD object object with get-acl)

# in the result you have a copy of the current ACL stored in $mycomputeracl

$mycomputerdn         = $mycomputer.distinguishedname

$mycomputeracl         = get-acl "AD:$mycomputerdn"

 

# now we can create a new ruleset for the AD access rules (one rule set is one permission entry in the objects ACL you can see with the GUI) …

 

$rule1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'DeleteTree, ExtendedRight, Delete, GenericRead', 'Allow', [GUID]'00000000-0000-0000-0000-000000000000')

$rule2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'WriteProperty', 'Allow', [GUID]'4c164200-20c0-11d0-a768-00aa006e0529')

$rule3 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'Self', 'Allow', [GUID]'f3a64788-5306-11d1-a9c5-0000f80367c1')

$rule4 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'Self', 'Allow', [GUID]'72e39547-7b18-11d1-adef-00c04fd8d5cd')

$rule5 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'WriteProperty', 'Allow', [GUID]'3e0abfd0-126a-11d0-a060-00aa006c33ed')

$rule6 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'WriteProperty', 'Allow', [GUID]'bf967953-0de6-11d0-a285-00aa003049e2')

$rule7 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'Extendedright', 'Allow', [GUID]'5f202010-79a5-11d0-9020-00c04fc2d4cf')

$rule8 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($usersid,'WriteProperty', 'Allow', [GUID]'bf967953-0de6-11d0-a285-00aa003049e2')

 

# … and add it to the already present ACL

 

$mycomputeracl.AddAccessRule($rule1)

$mycomputeracl.AddAccessRule($rule2)

$mycomputeracl.AddAccessRule($rule3)

$mycomputeracl.AddAccessRule($rule4)

$mycomputeracl.AddAccessRule($rule5)

$mycomputeracl.AddAccessRule($rule6)

$mycomputeracl.AddAccessRule($rule7)

$mycomputeracl.AddAccessRule($rule8)

 

# now we have still a current ACL with the object while we have the ACL we need in $mycomputeracl.

# finally we apply the new ACL to the computer object using set-acl.

 

$mycomputeracl | set-acl "AD:$mycomputerdn"

 

Now we are finished with that computer and you can create a loop to go through your list of computers.

 

 

 

Sunday, August 10, 2014

How to change the Exchange 2010 Management Console language with Windows Server 2008

If you run Exchange in a multi language environment your local administrator may need to have the Management Console in their regional language.

In my case usually you need to have an English version oft the Windows Server operating system running while you need an additional German GUI.

 

I just found an article at the Technet forum on

http://social.technet.microsoft.com/Forums/exchange/en-US/82f1b07e-e134-40d0-ae52-0871214202bc/how-to-change-the-language-ogf-emc?forum=exchangesvrgenerallegacy dealing with the same question. So I decided to write a short article how to do this with Windows Server 2008 R2 SP1 having Exchange Server 2010 SP3 installed.

 

Our initial setup looked like this:

·         We have an English Windows Server 2008 R2 operating system installed

·         The Exchange Server 2010 SP3 is installed using the English pack

 

So up to now we had a user interface completely in English and we got more and more complaints from our German collegues as they need to have a German GUI for the Exchange Management Console (EMC).

Luckyly this can be easily done by just installing the Language Interface pack.

 

Please note:

·         There is a „Language pack“ available as well as there is a „Multilingual User Interface Language Packs“. To use the „Language pack“ there may be additional requirements, depending on your OS version. Please use  the „Multilingual User Interface Language Packs“.

·         When you try to install the „Multilingual User Interface Language Packs“ you may experience a message „This language cannot be installed on your computer“. If so, please use the corresponding version oft the interface language pack to your system. In my case I used Windows Server 2008 R2 SP1 , so „Windows Server 2008 R2 Service Pack 1 Multilingual User Interface Language Packs“ did not work while „Windows Server 2008 R2 Service Pack 1 Multilingual User Interface Language Packs SP1“ did work.

 

Please find more information about Multilingual User Interface Language Packs at http://www.microsoft.com/en-us/download/details.aspx?id=2634 . Please choose the language you need.

 

You just download the Multilingual User Interface Language Pack and copy it to any location at your Exchange management server or Exchange server . Please run the EXE file so it will extract the file lp.cap.

 

Please go to Control Panel to check if you already installed any other languages.

Control Panel à Clock, Language, Region.

 

 

Please change to the „Keyboards and Languages“ tab and choose „install / uninstall languages …“

 

 

In the next step a wizard appears. Please choose „Install“ and browse to your lp.cab location.

When the wizard sees you are able to install that language pack, it will be installed automatically. This may take a while.

 

 

Now you returned to the „Keyboards and Languages“ tab, and an additional language selector is shown below the „install / uninstall languages …“ button.

Please choose „German“ now.

 

 

As the interface language needs to be changed you need to logoff / logon the user for the change to take affect.

 

 

 

Please logoff and logon again. Next time you log on to the system please note the interface has changed to German.

Please run EMC.

 

 

Now you can see that the whole Management Console changed to German

 

 

Now you are ready to switch each users interface language to the language he/she needs.

 

Good luck!