
How Does DSC Differ from Group Policy: Understanding the Delivery Mechanisms and Polling Intervals o



PowerShell Desired State Configuration (DSC) was introduced with Windows Management Framework (WMF) 4.0. Like group policy, it can configure settings on Windows machines. However, DSC can leverage the automation of PowerShell to configure nearly anything on the system, beyond the preconfigured choices of group policy. DSC is also built into the operating system on Windows 8.1/Windows Server 2012 R2 and above, and it is available down-level by downloading and installing the latest WMF update (currently 5.1). DSC does not have a graphical management interface and requires knowledge of PowerShell scripting to build out tools for administration.
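As an added illustration (not code from the original article), here is the smallest DSC pair that shows both halves of the comparison: a configuration that pins one registry value, and the Local Configuration Manager (LCM) meta-configuration that decides how often the node polls itself for drift, since DSC has no equivalent of group policy's background refresh. The registry value and paths are illustrative choices, not from the article.

```powershell
# Added example: enforce one registry value with the built-in Registry resource.
Configuration LsaHardening {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        Registry 'NoLMHash' {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'NoLMHash'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

# The LCM, not a domain controller, owns the delivery and polling schedule.
[DSCLocalConfigurationManager()]
Configuration LcmSettings {
    Node 'localhost' {
        Settings {
            RefreshMode                    = 'Push'                # configuration is pushed; no pull server
            ConfigurationMode              = 'ApplyAndAutoCorrect' # correct drift, not just report it
            ConfigurationModeFrequencyMins = 30                    # consistency check interval (minimum 15)
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile both to MOF, apply the LCM settings first, then push the configuration.
LsaHardening -OutputPath "$env:TEMP\LsaHardening" | Out-Null
LcmSettings  -OutputPath "$env:TEMP\LcmSettings"  | Out-Null
Set-DscLocalConfigurationManager -Path "$env:TEMP\LcmSettings" -Verbose
Start-DscConfiguration -Path "$env:TEMP\LsaHardening" -Wait -Verbose

# Drift check on demand; the LCM runs the same test on the schedule above.
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

Because the Registry resource writes wherever `Key` points, a value outside the `Software\Policies` hives stays in place after the configuration is removed; a group policy setting in those hives is cleared on the next refresh.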




How Does DSC Differ from Group Policy




As you already know, Windows Server 2012 R2 ships with the new PowerShell feature/framework: Desired State Configuration. In this article I will list a summary of key differences between group policy and DSC, in English. Microsoft provides several tools to manage Windows other than GP and DSC (e.g. SCCM DCM, Intune), but I wanted to compare those two specifically, mainly because they are free. Enough chit-chat; the differences, in no particular order:


Thanks @Gary Reynolds. Actually, I mistakenly provided the details in a different context. Let me rephrase. I created a DSC profile which created a Registry.pol file under the C:\Windows\System32\GroupPolicy\Machine folder. This gets executed by the group policy client and it executes successfully (that means it creates all registry settings in the registry hive).


I tested this in a stand-alone VM. Next, I tested the same DSC in a domain-joined machine. Now the question is, if one of the domain AD GPOs has any setting defined under Administrative Templates that will be stored in a Registry.pol file under "sysvol" on a domain controller, would that Registry.pol file from the DC SYSVOL folder get downloaded to each target machine and overwrite the Registry.pol file (if it has a different setting for a control) created by the local DSC engine? So let's say, if I create a DSC profile that affects 50 registry settings and is stored locally under the C:\Windows\System32\GroupPolicy\Machine path, and if the AD GPO has a registry.pol file that has different values for those 50 controls,


With GPO processing, the registry.pol doesn't overwrite the existing registry files; they are merged, so only the settings that are in the GPO are added to the registry. By default most GPO settings are applied to HKLM\HKCU\Software\Policies, which is specific to GPO settings; this location is volatile and will be deleted before the GPO registry settings are applied. Settings which are outside this location are not removed, and overwrite the existing settings; these are referred to as tattoo settings. The GPO settings should be removed once the policy goes out of scope.


I wanted to ask: if I create a DSC profile which in turn creates a registry.pol file under C:\Windows\System32\GroupPolicy\Machine\, then all the settings applied from this registry.pol file through the local group policy engine work fine.


When the same set of configurations/controls is applied from the AD Sysvol folder (let us assume that the controls are the same as the contents of Registry.pol but with a different set of values for each control), will those settings from the AD SYSVOL folder get downloaded locally to the C:\Windows\System32\GroupPolicy\Machine\Registry.pol file on a target machine by merging with the existing settings inside this file? If I delete the registry.pol file and run gpupdate /force, will the registry.pol file get recreated again from AD?


The settings inside the C:\Windows\System32\GroupPolicy\Machine\Registry.Pol file represent the ADMINISTRATIVE TEMPLATES section and its subsections (whether in local or domain policy does not matter).


PART 2: Then I created a new domain GPO in AD which has the same (similar) set of settings defined earlier by DSC under the ADMINISTRATIVE TEMPLATES section and linked it to the same OU where the target VM is. I ran GPUPDATE /FORCE and in RSOP.MSC I see that both the local policy created by DSC through Registry.pol and its settings are deployed, and the same settings from the AD GPO also get applied; based on the order of precedence, the policies from the AD GPO got overwritten.
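The thread above turns on what a Registry.pol actually contains and which of its entries tattoo. The following added example (not code posted by anyone in the thread) parses the PReg format that both the local DSC-written file and the SYSVOL copy use, and flags entries outside the two policy hives that the GPO engine clears and rewrites on each refresh. The sample file bytes are constructed inline; the helper that builds them is only there so the example runs offline.

```powershell
function ConvertTo-PRegEntry {
    # Build one entry: [key\0;valuename\0;<type:4 bytes>;<size:4 bytes>;<data>]  (all text UTF-16LE)
    param([string]$Key, [string]$ValueName, [uint32]$Type, [byte[]]$Data)
    $u = [System.Text.Encoding]::Unicode
    [byte[]]($u.GetBytes('[') + $u.GetBytes("$Key`0") + $u.GetBytes(';') +
             $u.GetBytes("$ValueName`0") + $u.GetBytes(';') +
             [BitConverter]::GetBytes($Type) + $u.GetBytes(';') +
             [BitConverter]::GetBytes([uint32]$Data.Length) + $u.GetBytes(';') +
             $Data + $u.GetBytes(']'))
}

function Read-RegistryPol {
    param([byte[]]$Bytes)
    $u = [System.Text.Encoding]::Unicode
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') { throw 'Not a PReg file' }
    $pos = 8                                                   # skip 'PReg' signature + version
    while ($pos -lt $Bytes.Length) {
        $pos += 2                                              # '['
        $end = $pos; while ([BitConverter]::ToUInt16($Bytes, $end) -ne 0) { $end += 2 }
        $key = $u.GetString($Bytes, $pos, $end - $pos); $pos = $end + 4    # '\0' and ';'
        $end = $pos; while ([BitConverter]::ToUInt16($Bytes, $end) -ne 0) { $end += 2 }
        $name = $u.GetString($Bytes, $pos, $end - $pos); $pos = $end + 4
        $type = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6           # 4 bytes + ';'
        $size = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6
        $data = if ($size -gt 0) { [byte[]]$Bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size + 2                                      # data + ']'
        $value = switch ($type) {
            4       { [BitConverter]::ToUInt32($data, 0) }     # REG_DWORD
            1       { $u.GetString($data).TrimEnd("`0") }      # REG_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{
            Key = $key; ValueName = $name; Type = $type; Value = $value
            # Only these two hives are cleared and rewritten on each GPO refresh; anything
            # else is written once and stays ("tattoos") after the policy goes out of scope.
            Tattoos = $key -notmatch '^Software\\(Policies|Microsoft\\Windows\\CurrentVersion\\Policies)'
        }
    }
}

# Constructed sample: one value in the policy hive and one that will tattoo.
$sample = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1) +
    (ConvertTo-PRegEntry 'Software\Policies\Microsoft\Windows\System' 'EnableSmartScreen' 4 ([BitConverter]::GetBytes([uint32]1))) +
    (ConvertTo-PRegEntry 'System\CurrentControlSet\Control\Lsa' 'NoLMHash' 4 ([BitConverter]::GetBytes([uint32]1))))
Read-RegistryPol $sample | Format-Table Key, ValueName, Value, Tattoos -AutoSize
# Real file: Read-RegistryPol ([IO.File]::ReadAllBytes("$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"))
```

Running it against the local file before and after `gpupdate /force` shows directly whether the DSC-written entries survived the merge, which is the question the thread leaves open.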


For all practical purposes, the first true large-scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly abbreviated. This stemmed from Local Security Policy, which is a GUI for controlling system settings via special registry keys that are locked down from general user editing. Local Security Policy could be shared among systems in a workgroup, which was a big improvement over setting the same configuration on each system.


If you can think of a common factor of a group of systems or people in your firm, you can target them for applications or security policies using SCCM. Collections solve the difficult problem of assigning policy based on logical placement of computers and users within AD.


Includes a new group policy to allow non-compliant device accounts (those that use vulnerable Netlogon secure channel connections). Even when DCs are running in enforcement mode or after the Enforcement phase starts, allowed devices will not be refused connection.


Vulnerable: If a non-compliant DC cannot support secure RPC with Netlogon secure channel before the DCs are in enforcement mode, add the DC using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy described below.


Warning: Allowing DCs to use vulnerable connections by the group policy will make the forest vulnerable to attack. The end goal should be to address and remove all accounts from this group policy.


Vulnerable: If a non-compliant device cannot support secure RPC with Netlogon secure channel before DCs are in enforcement mode, add the device using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy described below.


Warning: Allowing device accounts to use vulnerable connections by the group policy will put these AD accounts at risk. The end goal should be to address and remove all accounts from this group policy.


Use the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy to add non-compliant accounts. This should only be considered a short-term remedy until non-compliant devices are addressed as described above. Note: Allowing vulnerable connections from non-compliant devices might have unknown security impact and should be allowed with caution.


Add those machine accounts to the security group(s) as needed. Best practice: Use security groups in the group policy and add accounts to the group so that membership is replicated through normal AD replication. This avoids frequent group policy updates and replication delays.


After all non-compliant devices have been addressed, either by enabling secure RPC or by allowing vulnerable connections with the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, set the FullSecureChannelProtection registry key to 1.


Note: If you are using the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, ensure that the group policy has been replicated and applied to all DCs before setting the FullSecureChannelProtection registry key.


Deploying updates released February 9, 2021 or later will turn on DC enforcement mode. DC enforcement mode is when all Netlogon connections are either required to use secure RPC or the account must have been added to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. At this time, the FullSecureChannelProtection registry key is no longer needed and will no longer be supported.


Warning: Enabling this policy will expose your domain-joined devices and your Active Directory forest, which could put them at risk. This policy should be used as a temporary measure for third-party devices as you deploy updates. Once a third-party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit =2133485.


The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.


Warning: Using vulnerable Netlogon secure channels will expose the domain-joined devices to attack. To protect your device from attack, remove a machine account from "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy after the third-party Netlogon client has been updated. To better understand the risk of configuring machine accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit =2133485.


The Netlogon service allowed a vulnerable Netlogon secure channel connection because the trust account is allowed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.


Warning: Using vulnerable Netlogon secure channels will expose Active Directory forests to attack. To protect your Active Directory forests from attack, all trusts must use secure RPC with Netlogon secure channel. Remove a trust account from "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy after the third-party Netlogon client on the domain controllers have been updated. To better understand the risk of configuring trust accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit =2133485.


Delays in AD and Sysvol replication or group policy application failures on the authenticating DC might cause the changes to the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy to be absent and result in the account being denied.
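The guidance above boils down to two things an administrator keeps checking on each DC: where the FullSecureChannelProtection key stands, and which accounts are still relying on the "Allow vulnerable Netlogon secure channel connections" exception so they can be fixed and removed from it. The following added example (not from Microsoft's article) does both from the DC's registry and System log. The event IDs 5829, 5830 and 5831 and the `VulnerableChannelAllowList` value name are taken from Microsoft's Netlogon guidance as I know it, not from this page, and the position of the account name in the event data is an assumption.

```powershell
function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection is the value the guidance refers to; absent means the
    # default for the DC's patch level (always enforced after the February 2021 updates).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction Stop
    [pscustomobject]@{
        FullSecureChannelProtection = if ($null -eq $p.FullSecureChannelProtection) { 'not set' } else { $p.FullSecureChannelProtection }
        # Assumption: the "Allow vulnerable ..." policy stores its allow list here as an SDDL string.
        VulnerableChannelAllowList  = $p.VulnerableChannelAllowList
    }
}

function Get-VulnerableNetlogonAllowances {
    param([int]$Days = 7)
    # Event IDs assumed from Microsoft's Netlogon guidance (not quoted on this page):
    # 5829 = allowed during the initial deployment phase (will be denied under enforcement),
    # 5830 = machine account listed in the Allow policy, 5831 = trust account listed in it.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5829, 5830, 5831
                 StartTime = (Get-Date).AddDays(-$Days) }
    # Assumption: the first EventData field of these events is the client's SamAccountName.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { "$($_.Id)|$($_.Properties[0].Value)" } |
        ForEach-Object {
            $id, $acct = $_.Name -split '\|', 2
            $reason = switch ([int]$id) {
                5829 { 'allowed in deployment phase; denied once enforcement mode starts' }
                5830 { 'machine account listed in the Allow policy' }
                5831 { 'trust account listed in the Allow policy' }
            }
            [pscustomobject]@{
                Account  = $acct
                Reason   = $reason
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object LastSeen -Descending
}

Get-NetlogonEnforcementState
Get-VulnerableNetlogonAllowances -Days 30 | Format-Table -AutoSize
```

An account that stops appearing in the 5830/5831 list after its Netlogon client is updated is the signal that it can be removed from the group policy, which is the end state the guidance asks for.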

