{"id":936,"date":"2014-07-27T00:01:00","date_gmt":"2014-07-27T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/07\/27\/weekend-scripter-authentication-silos-part-2\/"},"modified":"2014-07-27T00:01:00","modified_gmt":"2014-07-27T00:01:00","slug":"weekend-scripter-authentication-silos-part-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-authentication-silos-part-2\/","title":{"rendered":"Weekend Scripter: Authentication Silos Part 2"},"content":{"rendered":"<p><span style=\"font-size:12px\"><strong>Summary<\/strong>: Microsoft PFE, Ian Farr, continues his series about using Windows PowerShell to work with&nbsp;Authentication Policy Silos.<\/span><\/p>\n<p><span style=\"font-size:12px\">Microsoft Scripting Guy, Ed Wilson, is here. Welcome back today, guest blogger, Ian Farr. If you missed yesterday&#039;s post, I suggest that you read it before reading today&#039;s post: <\/span><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-authentication-silos-part-1\/\" target=\"_blank\">Authentication Silos: Part&nbsp;1<\/a><span style=\"font-size:12px\">.<\/span><\/p>\n<p>Yesterday, I left you by saying that we would explore a bit in my lab today. From my lab:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-1.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Notice that both the <b>msDS-AuthNPolicySiloMembersBL<\/b> and <b>msDS-AssignedAuthNPolicySilo<\/b> attributes are populated with the distinguished name of the new Authentication Policy Silo for each User and Computer object returned.<\/p>\n<p>On each User and Computer object, the <b>AuthenticationPolicySilo<\/b> attribute is also populated. 
Let&rsquo;s look at a couple of accounts from the demo:<\/p>\n<p style=\"margin-left:30px\">Get-ADUser -Identity ianfarr -Properties AuthenticationPolicySilo; Get-ADComputer -Identity HALODC01 -Properties AuthenticationPolicySilo<\/p>\n<p><span style=\"font-size:12px\"><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-2.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-2.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><br \/><\/span><\/p>\n<h2>Sanity check two<\/h2>\n<p>We now have:<\/p>\n<ul>\n<li>All domain admins in the Protected Users group.<\/li>\n<li>An enforced Authentication Policy that restricts User TGTs to two hours and has an access control condition that only allows users to authenticate from devices within a named Authentication Policy Silo.<\/li>\n<li>An enforced Authentication Policy Silo that references the aforementioned Authentication Policy.<\/li>\n<li>All read-write domain controllers permitted to use the Authentication Policy Silo.<\/li>\n<li>All domain admins permitted to use the Authentication Policy Silo.<\/li>\n<li>The Authentication Policy Silo associated with the read-write domain controller accounts.<\/li>\n<li>The Authentication Policy Silo associated with the Domain Admin accounts.<\/li>\n<\/ul>\n<p>&nbsp;I&rsquo;m sane! Time to test.<\/p>\n<h2>Testing<\/h2>\n<p>The first thing I need to do is reboot the computer accounts within the silo to renew their TGTs. 
With that done, I can begin my testing!<\/p>\n<p>Here&rsquo;s what happens when I try to access a server outside of the Authentication Policy Silo with a Domain Admin account.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-3.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-3.png\" alt=\"Image of error message\" title=\"Image of error message\" \/><\/a><\/p>\n<p>The failed logon is also captured in a new event log called &quot;Microsoft-Windows-Authentication\/<b>AuthenticationPolicyFailures-DomainController<\/b>&quot;.&nbsp;<\/p>\n<p>Let&rsquo;s have a look:<\/p>\n<p style=\"margin-left:30px\">(Get-WinEvent -LogName &quot;Microsoft-Windows-Authentication\/AuthenticationPolicyFailures-DomainController&quot; | Select-Object -First 1).Message<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-4.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-4.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Notice the <b>Authentication Policy Information<\/b> section of the event message. It has our silo name, policy name, and applicable TGT lifetime value. I can also see what device refused the logon in the <b>Device Information<\/b> section.<\/p>\n<p>Now, let&rsquo;s access a domain controller (HALODC02) with the same account. And, there you go&#8230;I&rsquo;m logged on! 
Trust me!<\/p>\n<p>For the doubters, let&rsquo;s have a look at the new &quot;Microsoft-Windows-Authentication\/<b>ProtectedUserSuccesses-DomainController<\/b>&quot; log:<\/p>\n<p style=\"margin-left:30px\">(Get-WinEvent -LogName &quot;Microsoft-Windows-Authentication\/ProtectedUserSuccesses-DomainController&quot; -FilterXPath &quot;*[System[EventID=303]]&quot; | Select-Object -First 1).Message<\/p>\n<p><span style=\"font-size:12px\"><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-5.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-5.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><br \/><\/span><\/p>\n<p>This is a Protected Users group-related event. The <b>FilterXPath<\/b> parameter of the <b>Get-WinEvent<\/b> cmdlet is used to filter on event ID 303 (&ldquo;A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.&rdquo;). Notice the Authentication Policy information.<\/p>\n<p>Let&rsquo;s check out the logged-on user&rsquo;s TGT lifetime:<\/p>\n<p style=\"margin-left:30px\">klist tgt | Select-String -SimpleMatch time<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-6.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-6.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>We can see that the TGT has the expected two-hour duration, as per the Authentication Policy.<\/p>\n<p>Finally (because this is all claims-driven), let&rsquo;s look at the user&rsquo;s claims:<\/p>\n<p style=\"margin-left:30px\">whoami \/claims<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-7.png\"><img decoding=\"async\" 
src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/wes-7-27-14-7.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Notice how the Claim ID and its value match the condition that we configured in the User section of the Authentication Policy.<\/p>\n<p>That&rsquo;s all, folks. In my test lab, my Domain Admin accounts can only log on to my read-write domain controllers.<\/p>\n<p>With all of this funky credential protection stuff introduced in Active Directory in Windows Server&nbsp;2012&nbsp;R2, I suspect those elderly, bearded gentlemen are already busy writing a new chapter for the book of Active Directory wisdom&hellip;or, perhaps not!<\/p>\n<p>~Ian<\/p>\n<p>Thanks, Ian, for once again sharing your time and knowledge.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Microsoft PFE, Ian Farr, continues his series about using Windows PowerShell to work with&nbsp;Authentication Policy Silos. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back today, guest blogger, Ian Farr. If you missed yesterday&#039;s post, I suggest that you read it before reading today&#039;s post: Authentication Silos: Part&nbsp;1. 
Yesterday, I left you by saying [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,472,3,61,45],"class_list":["post-936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-ian-farr","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Microsoft PFE, Ian Farr, continues his series about using Windows PowerShell to work with&nbsp;Authentication Policy Silos. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back today, guest blogger, Ian Farr. If you missed yesterday&#039;s post, I suggest that you read it before reading today&#039;s post: Authentication Silos: Part&nbsp;1. Yesterday, I left you by saying [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=936"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/936\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categor
ies?post=936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}