Automation of NT Domain Christian Trachimow 5/27/2016 The DESY WindowsNT Group
Domain administration tasks

Domain data:
  TEM
  1000 PCs / 1500 Users
  50 groups
  4 central home directory servers, 2 home directory servers in groups
  MS Dfs server
  user / group management

Administrative tasks:
  users: create, move, delete, archive, rename
  groups: ...
General problems

Impersonation
Authentication: who wants to execute a script?
Security control / delegation: run scripts with administrative rights (in the domain), but allow execution only by a defined group of users
Secure networking
Easy invocation
Logging
Prevent misuse (check parameters)
Solution: Transaction Server

Problem             Mechanism
Impersonation       MTX
Authentication      NTLM (DCOM)
Security control    MTX ("Roles")
Secure networking   DCOM ("packet privacy")
Invocation          DCOM
Logging             COM module
Check parameters    COM module
Execute script      COM module
Transaction Server

[diagram] The COM dll is hosted by the Transaction Server (MTX), which provides connection pooling, thread pooling and transaction support. Labels in the diagram: GetConnectingUser, Impersonation, Transaction support, Network security, Script, "IsCallerInRole ?", Roles.
Roles: list of users or groups
Inside the COM object

%WINDIR%\system32\DomainAuto.cfg
  #comment
  #format: (separator = tab)
  #ScriptName     Script              Role     Flag0/1
  DeleteComputer  C:\scripts\dc.bat   RoleDC   0
  DeleteUser      C:\scripts\du.bat   Admins   1

Roles
  RoleDC: GroupAdm, usg_
  Admins: DomainAdmins

Client call:
  Set obj = CreateObject("DomainAuto.DomainAuto")
  .
  obj.InvokeScript("DeleteUser", "param1 ..")

The COM object then runs (Flag = 1, so the connecting user's name is passed first):
  c:\scripts\du.bat username param1
Scripting Host Usage

1. Write script
2. Configure script:
   put it on the MTX server
   define a "role"
   change the .cfg: common script name, script location, role name, 1 / 0 (whether the name of the connecting user should be passed to the script)
3. Write Web interface / client script
   MTX automatically creates a client setup script, which makes it easy to deploy
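The configuration file and the invocation steps above describe what the DomainAuto COM object has to do for each call: look the common script name up in DomainAuto.cfg, ask whether the connecting user is in the configured role, prepend the user name when the flag is 1, check the parameters, log, and run the script. The following Python model is an added example and not the DESY code: the cfg parser, the in-memory role and group tables, the parameter policy and the audit line are assumptions, and the real NT calls (GetConnectingUser, IsCallerInRole) are replaced by lookups in those tables. It deviates from the slide in taking the parameters as a list rather than one string, so that the command line is built as an argument vector and never reinterpreted by a shell.

```python
# Added example (not the DESY code): a Python model of what the slides say
# the DomainAuto COM object does with DomainAuto.cfg. The cfg parser, the
# in-memory role/group tables and the parameter check are assumptions.
import re
from dataclasses import dataclass

# Constructed sample of %WINDIR%\system32\DomainAuto.cfg in the slide's format:
# ScriptName <tab> Script <tab> Role <tab> Flag (1 = pass connecting user's name).
SAMPLE_CFG = (
    "#comment\n"
    "#format: (separator = tab)\n"
    "#ScriptName\tScript\tRole\tFlag0/1\n"
    "DeleteComputer\tC:\\scripts\\dc.bat\tRoleDC\t0\n"
    "DeleteUser\tC:\\scripts\\du.bat\tAdmins\t1\n"
)

# Constructed role definitions (slide: "Roles: list of users or groups").
SAMPLE_ROLES = {"RoleDC": {"GroupAdm", "usg_"}, "Admins": {"DomainAdmins"}}

# Constructed stand-in for the NT directory: user -> groups the user belongs to.
SAMPLE_GROUPS = {"alice": {"DomainAdmins"}, "bob": {"GroupAdm"}, "carol": set()}

# Assumed parameter policy: one plain token per parameter, no whitespace or
# shell metacharacters, so a parameter can never become a second command.
PARAM_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


@dataclass(frozen=True)
class ScriptEntry:
    name: str        # common script name used by clients
    path: str        # script location on the MTX server
    role: str        # MTX role that may invoke it
    pass_user: bool  # Flag 1: prepend the connecting user's name to the arguments


def parse_cfg(text):
    """Parse the tab-separated cfg; lines starting with '#' are comments."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[3] not in ("0", "1"):
            raise ValueError(f"DomainAuto.cfg line {lineno}: expected ScriptName, Script, Role, 0/1")
        name, path, role, flag = fields
        if name in entries:
            raise ValueError(f"DomainAuto.cfg line {lineno}: duplicate script name {name!r}")
        entries[name] = ScriptEntry(name, path, role, flag == "1")
    return entries


def is_caller_in_role(user, role, roles=SAMPLE_ROLES, groups=SAMPLE_GROUPS):
    """Stand-in for MTX IsCallerInRole: a role lists users and/or groups."""
    members = roles.get(role, set())
    return user in members or not members.isdisjoint(groups.get(user, set()))


def invoke_script(user, script_name, params, entries, roles=SAMPLE_ROLES, groups=SAMPLE_GROUPS):
    """Return (argv, audit line) for a permitted call, or raise.

    `user` is what GetConnectingUser would return: the authenticated DCOM
    caller, never a value supplied by the client in the parameters."""
    entry = entries.get(script_name)
    if entry is None:
        raise LookupError(f"no script {script_name!r} in DomainAuto.cfg")
    if not is_caller_in_role(user, entry.role, roles, groups):
        raise PermissionError(f"{user} is not in role {entry.role} required for {script_name}")
    bad = [p for p in params if not PARAM_RE.fullmatch(p)]
    if bad:
        raise ValueError(f"rejected parameters for {script_name}: {bad!r}")
    # argv, not a shell command line: the .bat would be started with these
    # arguments directly (e.g. subprocess.run(argv)) once the checks pass.
    argv = [entry.path] + ([user] if entry.pass_user else []) + list(params)
    audit = f"{user} invoked {script_name} with {' '.join(params)}"
    return argv, audit


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(invoke_script("alice", "DeleteUser", ["jdoe"], cfg))
    print(invoke_script("bob", "DeleteComputer", ["pc01"], cfg))
```

The order of the checks matters: the role check comes before the parameter check so that an unauthorised caller learns nothing about which parameters the script accepts, and the audit line records the authenticated user rather than anything the caller typed.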
Web Interface

Separate Web (IIS), accessible only via SSL
User has to authenticate: Challenge / Response (NTLM) does not allow IIS to pass the user's authentication on to another server, so Basic authentication is used, which gives IIS the password (hence SSL)
The DCOM interface is used to execute the script on the transaction server
Web is configured to run .asp as the user (impersonation), so the DCOM call reaches MTX as that user
Packet privacy is used for DCOM security
Write asp and establish DCOM connection:
  Set obj = CreateObject("DomainAuto.DomainAuto")
  strResult = obj.InvokeScriptWithReturn("scriptname", "param1 param2")
Web example

<html>
<% ' get variables from form
strUserName = Request.Form("UserName")
strNewComment = Request.Form("NewComment")
' call script: the parameters go to the COM object as one string; the COM
' object checks the caller's role and the parameters before running
' ChangeUserComment on the transaction server (a double quote inside
' strNewComment would break the quoting below and must be rejected there)
On Error Resume Next
Set Dobj = CreateObject("DomainAuto.DomainAuto")
strRet = Dobj.InvokeScriptWithReturn("ChangeUserComment", _
    strUserName & " """ & strNewComment & """")
%>
<h2>Result</h2>
<% ' "If Not Err" is a bitwise Not of Err.Number and is true for any
   ' number other than -1, so test the number explicitly
   If Err.Number = 0 Then %>
<p>The user comment has been changed successfully!</p>
<% Else %>
<p>Error occurred, the comment could not be changed!</p>
<p>Error message: <br>
<% =Err.Description %></p>
<% End If %>
</html>
Domain automation - scheme

[diagram] Two ways into the Transaction Server:
  Client indirect - via SSL: Client -> IIS (ASP) -> Transaction Server
  Client direct: Client -> Transaction Server (DCOM)
  Transaction Server: .DLL, DomainAuto.cfg (configuration file), Roles -> Script / Program execution
User and Group Management

A managing user wants to change some user attributes or add users to special groups.

Management Group   Rights   Groups
sys                USER     *
cadadmin           GROUP    cad

Extend the script attributes to the new rights USER / GROUP
Automatically check whether the connecting user is allowed to make the change
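The rights table above scopes each management group to a kind of change (USER attributes or GROUP membership) and to a target (any user for sys, only the cad group for cadadmin). The following Python model is an added example, not the DESY code, of the automatic check the slide asks for: the tab-separated layout, the wildcard matching, the case-insensitive comparison and the membership table are assumptions, and the script names are hypothetical apart from ChangeUserComment, which appears in the ASP example.

```python
# Added example (not the DESY code): the USER/GROUP rights check that the
# slide says should be done automatically for the connecting user. The
# tab-separated rights table, the wildcard matching and the group table are
# assumptions; the script names below are hypothetical except ChangeUserComment.
from fnmatch import fnmatchcase

# Constructed rights table in the layout of the slide:
# management group <tab> right (USER = change user attributes, GROUP = change
# group membership) <tab> target user or group the right applies to.
SAMPLE_RIGHTS_TABLE = (
    "#ManagementGroup\tRights\tGroups\n"
    "sys\tUSER\t*\n"
    "cadadmin\tGROUP\tcad\n"
)

# Constructed stand-in for the NT directory: user -> groups.
SAMPLE_MEMBERSHIP = {"dave": {"sys"}, "erin": {"cadadmin"}, "frank": {"cadusers"}}


def parse_rights(text):
    """Parse the table into (management group, right, target pattern) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3 or fields[1] not in ("USER", "GROUP"):
            raise ValueError(f"rights table line {lineno}: expected group, USER|GROUP, target")
        group, right, target = fields
        # NT account and group names are case-insensitive, so store them lowercased.
        rules.append((group.lower(), right, target.lower()))
    return rules


def granting_group(caller, right, target, rules, membership=SAMPLE_MEMBERSHIP):
    """Return the management group that lets `caller` exercise `right` on
    `target`, or None when no rule matches. `caller` is the connecting user."""
    caller_groups = {g.lower() for g in membership.get(caller, set())}
    for group, r, pattern in rules:
        if r == right and group in caller_groups and fnmatchcase(target.lower(), pattern):
            return group
    return None


def change_user_comment(caller, target_user, comment, rules):
    """Gate the slides' ChangeUserComment script on the USER right for target_user."""
    if granting_group(caller, "USER", target_user, rules) is None:
        raise PermissionError(f"{caller} may not change attributes of {target_user}")
    return ("ChangeUserComment", target_user, comment)


def add_user_to_group(caller, target_user, group, rules):
    """Hypothetical AddUserToGroup script, gated on the GROUP right for that group."""
    if granting_group(caller, "GROUP", group, rules) is None:
        raise PermissionError(f"{caller} may not change membership of {group}")
    return ("AddUserToGroup", target_user, group)


if __name__ == "__main__":
    rules = parse_rights(SAMPLE_RIGHTS_TABLE)
    print(change_user_comment("dave", "frank", "CAD user", rules))
    print(add_user_to_group("erin", "frank", "cad", rules))
```

Because the check is keyed on the target as well as the right, a member of cadadmin can add users to cad but not to sys, and a member of sys can edit any user's attributes without being able to touch group membership at all; a user in neither management group is refused by every rule.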