Automation of NT Domain Christian Trachimow 5/27/2016 The DESY WindowsNT Group


Domain administration tasks

Domain data
- TEM
- 1000 PCs / 1500 Users
- 50 groups
- 4 central home directory servers, 2 home directory servers in groups
- MS Dfs server
- user / group management

Administrative tasks:
- users: create, move, delete, archive, rename
- groups: ...
General problems
- Impersonation
- Authentication: who wants to execute a script
- Security control / delegation
  - Run scripts with administrative rights (in domain)
  - allow execution to a group of users
- Secure networking
- Easy invocation
- Logging
- Prevent misuse (check parameters)
Solution: Transaction Server

Problem              Solved by
Impersonation        MTX
Authentication       NTLM (DCOM)
Security control     MTX ("Roles")
Secure networking    DCOM ("packet privacy")
Invocation           DCOM
Logging              COM module
Check parameters     COM module
Execute script       COM module
Transaction Server

[Diagram of the transaction server; labels: Connection pooling, thread pooling, transaction support; GetConnectingUser; Impersonation; COM dll; Transaction support; Network security; Script; IsCallerInRole ?; Roles: list of users or groups]
Inside the COM object

Configuration file: %WINDIR%\system32\DomainAuto.cfg

#comment
#format: (separator = tab)
#ScriptName      Script              Role     Flag0/1
DeleteComputer   C:\scripts\dc.bat   RoleDC   0
DeleteUser       C:\scripts\du.bat   Admins   1
#
Roles
RoleDC:  GroupAdm  usg_
Admins:  DomainAdmins

Client call:
Set obj = CreateObject("DomainAuto.DomainAuto")
...
obj.InvokeScript("DeleteUser", "param1 ..")

Resulting script invocation (flag 1: the name of the connecting user is passed first):
c:\scripts\du.bat username param1
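The dispatch path on this slide, modelled as an added example (this is not DESY's DomainAuto code): it parses a DomainAuto.cfg in the tab-separated layout shown, applies the role check (IsCallerInRole) and the parameter check the slides list under "prevent misuse", and builds the argument vector, prepending the connecting user's name when the flag is 1. The layout of the "Roles" section, the user_groups input and the character allow-list for parameters are assumptions.

```python
import re
# Constructed sample in the slide's DomainAuto.cfg format (tab separated); the
# layout of the "Roles" section is assumed from the slide's "RoleDC: ..." lines.
CFG = """#ScriptName\tScript\tRole\tFlag0/1
DeleteComputer\tC:\\scripts\\dc.bat\tRoleDC\t0
DeleteUser\tC:\\scripts\\du.bat\tAdmins\t1
#
Roles
RoleDC:\tGroupAdm\tusg_
Admins:\tDomainAdmins
"""
# "Check parameters": accept only plain account/host-name characters so nothing
# cmd.exe would interpret reaches the .bat (this rule is an assumption).
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")

def parse_cfg(text):
    """Return ({script: (path, role, pass_user)}, {role: set(groups)})."""
    scripts, roles, in_roles = {}, {}, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.strip() == "Roles":
            in_roles = True
            continue
        fields = line.split("\t")
        if in_roles:
            roles[fields[0].rstrip(":")] = set(fields[1:])
        else:
            name, path, role, flag = fields
            scripts[name] = (path, role, flag == "1")
    return scripts, roles

def is_caller_in_role(roles, role, user_groups):
    # Models MTX IsCallerInRole: a role is a list of users or groups.
    return bool(roles.get(role, set()) & set(user_groups))

def invoke_script(cfg, script_name, params, connecting_user, user_groups):
    """Return the argument vector the script would be started with, or raise."""
    scripts, roles = parse_cfg(cfg)
    if script_name not in scripts:
        raise KeyError("unknown script: %s" % script_name)
    path, role, pass_user = scripts[script_name]
    if not is_caller_in_role(roles, role, user_groups):
        raise PermissionError("%s is not in role %s" % (connecting_user, role))
    bad = [p for p in params if not SAFE_PARAM.match(p)]
    if bad:
        raise ValueError("rejected parameters: %r" % bad)
    # Flag 1: the connecting user's name is passed first, as on the slide.
    return [path] + ([connecting_user] if pass_user else []) + list(params)
```

Passing an argument vector rather than a concatenated command string keeps the parameter check meaningful; the ASP example on a later slide builds the string by concatenation, which is where the check has to sit.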
Scripting Host Usage

1. Write script
2. Configure script
   - put it on MTX server
   - define "role"
   - change .cfg:
     - Common script name
     - Script location
     - Role name
     - 1 / 0 : whether the name of the connecting user should be passed to the script
3. Write Web interface / client script
   - MTX automatically creates client setup script
   - easy to deploy
Web Interface
- Separate Web (IIS) accessible via SSL
- User has to authenticate
  - Challenge / Response does not allow passing the authentication on to another server
  - Basic authentication gets the password
- DCOM interface is used to execute the script on the transaction server
  - Web is configured to run .asp as user (impersonation)
  - Packet privacy is used for DCOM security
- Write asp and establish DCOM connection:
  Set obj = CreateObject("DomainAuto.DomainAuto")
  strResult = obj.InvokeScriptWithReturn("scriptname", "param1 param2")
Web example
<html>
<% ' get variables from form
strUserName = Request.Form("UserName")
strNewComment = Request.Form("NewComment")
' call script
On Error Resume Next
Set Dobj = CreateObject("DomainAuto.DomainAuto")
strRet = Dobj.InvokeScriptWithReturn("ChangeUserComment",
strUserName & " """ & strNewComment & """")
%>
<h2>Result</h2>
<% If not Err Then %>
<p>The user status has been changed successfully!!! </p>
<% Else %>
<p>Error occurred, the comment could not be changed!!!</p>
<p>Error message: <br>
<% =Err.Description %></p>
<% End If %>
</html>
Domain automation - scheme

[Diagram of the domain automation scheme; labels: Client indirect - via SSL; IIS / ASP; Client direct; Transaction Server (.DLL); DomainAuto.cfg Configuration File; Roles; Script / Program Execution]
User and Group Management

A managing user wants to change some user attributes or add users to special groups.

Management Group   Rights   Groups
sys                USER     *
cadadmin           GROUP    cad

- Extend the script attributes to the new rights USER/GROUP
- Automatically check if the connecting user is allowed to make the change