29 August 2024

Delegating ADCS PKI management to non-domain admins

There is official Microsoft documentation on how to delegate Active Directory Certificate Services (public key infrastructure) management to non-domain admins. I used this procedure to delegate CA management on Windows Server 2019, so it is still relevant:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786430(v=ws.11)

That's what I followed, but what it doesn't tell you is what happens if, after the delegation has been done, the delegated users are unable to publish a new certificate template to issue. The answer is that the problem doesn't come from the delegation but from the GUI: you just need to use the certutil command-line tool to publish the new template.

The built-in certutil.exe tool can be used to manage certificate templates on the CA server, locally or remotely:

  1. Log on to the CA server, or to a computer with Remote Server Administration Tools installed, with CA Administrator permissions;
  2. Open an elevated Command Prompt;
  3. If you are logged on to the CA server, type:
     certutil -SetCaTemplates +<TemplateCommonName>
     Replace <TemplateCommonName> with the template's actual common name.

Example:

 certutil -setcatemplates +WebServerwithClientAuth
0: WebServerwithClientAuth: Adding
CertUtil: -SetCATemplates command completed successfully.
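As an added example (not from the original post or from Microsoft's documentation), here is a PowerShell wrapper around the same certutil commands. It checks whether the template is already in the CA's issuing list, adds it if not, and re-reads the list afterwards instead of trusting the "completed successfully" message alone. It also covers the remote case through certutil's -config switch. The CA and template names in the usage lines are placeholders, and the parsing of "certutil -CATemplates" output assumes one template per line starting with its common name followed by a colon.

```powershell
# Added example, not part of the original post. Assumes certutil.exe is on PATH and
# that "certutil -CATemplates" prints one template per line as "<CommonName>: <DisplayName> ...".

function Get-CATemplateNames {
    # Returns the common names of the templates the CA is currently set to issue.
    param([string]$CAConfig)   # "CAHost\CAName"; empty means the local CA
    $certutilArgs = @()
    if ($CAConfig) { $certutilArgs += '-config', $CAConfig }
    $certutilArgs += '-CATemplates'
    $output = & certutil.exe @certutilArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed: $output" }
    foreach ($line in $output) {
        # Skip certutil's own status line ("CertUtil: -CATemplates command completed successfully.")
        if ($line -match '^\s*([^:\s]+):' -and $Matches[1] -ne 'CertUtil') { $Matches[1] }
    }
}

function Publish-CATemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, Position = 0)][string]$TemplateCommonName,
        [string]$CAConfig
    )
    $before = @(Get-CATemplateNames -CAConfig $CAConfig)
    if ($before -contains $TemplateCommonName) {
        Write-Verbose "$TemplateCommonName is already published; nothing to do."
        return $true
    }
    if (-not $PSCmdlet.ShouldProcess($TemplateCommonName, 'Add template to the CA issuing list')) {
        return $false
    }
    $certutilArgs = @()
    if ($CAConfig) { $certutilArgs += '-config', $CAConfig }
    $certutilArgs += '-SetCATemplates', "+$TemplateCommonName"
    $output = & certutil.exe @certutilArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed: $output" }
    # Re-read the issuing list rather than trusting the success message.
    $after = @(Get-CATemplateNames -CAConfig $CAConfig)
    return ($after -contains $TemplateCommonName)
}

# Usage (placeholder names):
#   Publish-CATemplate -TemplateCommonName 'WebServerwithClientAuth' -Verbose
#   Publish-CATemplate 'WebServerwithClientAuth' -CAConfig 'ca01.example.com\Example Issuing CA' -WhatIf
```

The -WhatIf support matters for a delegated CA administrator: publishing a template is what makes it enrollable, so being able to preview the change and confirm the resulting list is the check worth keeping.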

I found the solution on Greig Sheridan's blog:

https://greiginsydney.com/

The specific topic is here: 

https://greiginsydney.com/server-2016-unable-to-set-certificate-to-issue/

06 November 2018

Change vSphere 6.7 VCSA vCenter web client timeout

We recently upgraded from VMware 6.0 to VMware 6.7 and moved to the VCSA, so we are now forced to use the web client, whose interface timeout of 15 minutes is very short for a multitasking admin who does not manage only VMware. We wanted to make our interface timeout much longer, since our computers are locked anyway when we move away from them. This procedure works for both the vSphere Web Client (Flex) and the vSphere Client (HTML5), but the change must be made in the "old" Flex client.

1- Log into the vSphere Web Client (Flex)
2- Go into the "Hosts and Clusters" view
3- Select the vCenter Server
4- In the right pane, choose "Configure"
5- Choose "Advanced vCenter Server Settings"
6- Choose "Edit"
7- In the edit box, search for "timeout"
8- Edit the "vpxd.http.clientIdleTimeout" value. We set it to 32400 (the value is in seconds; 32400 equals 9 hours), so you log in once a day.
9- Click "OK"
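The same setting can be read and changed from VMware PowerCLI instead of clicking through the Flex client. The function below is an added example, not from the original post or from VMware; it assumes PowerCLI is installed and that Get-AdvancedSetting accepts the connected vCenter object as -Entity. It prints the current value before changing it, which is also a handy way to audit how long idle sessions are kept alive, since a longer idle timeout means an unattended browser session stays usable for longer.

```powershell
# Added example, not part of the original post. Requires VMware PowerCLI.
function Set-VCenterClientIdleTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # vCenter FQDN (placeholder)
        [int]$TimeoutSeconds = 32400                     # 9 hours, the value the post settles on
    )
    $vc = Connect-VIServer -Server $Server
    try {
        # vpxd.http.clientIdleTimeout is an advanced setting of the vCenter Server itself.
        $setting = Get-AdvancedSetting -Entity $vc -Name 'vpxd.http.clientIdleTimeout'
        Write-Verbose ("Current vpxd.http.clientIdleTimeout: {0} s" -f $setting.Value)
        if ($PSCmdlet.ShouldProcess($Server, "Set vpxd.http.clientIdleTimeout to $TimeoutSeconds s")) {
            $setting = Set-AdvancedSetting -AdvancedSetting $setting -Value $TimeoutSeconds -Confirm:$false
        }
        return [int]$setting.Value
    }
    finally {
        Disconnect-VIServer -Server $vc -Confirm:$false
    }
}

# Usage: Set-VCenterClientIdleTimeout -Server 'vcenter.example.com' -Verbose -WhatIf
```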

07 October 2018

Off topic - Chevrolet 2018 TPMS relearn

Off topic compared to the rest of my blog, but I need to write this information down to be able to find it again easily...

To relearn the TPMS positions after rotating the tires on a 2018 Chevrolet (a 2018 Cruze, but it probably works for other Chevrolets too):
1- Press and hold the start button for 5-6 seconds without pressing the brake pedal; this puts the car into service mode.
2- Go into the tire pressure menu, between the speed and RPM gauges.
3- Press and hold the "checkmark" button on the steering wheel for about 5 seconds.
4- The car will ask if you want to go into relearn mode; choose yes, and the horn will sound twice.
5- Use the TPMS relearn tool (EL-50448) on the tire near the valve (start with the front left, then front right, rear right, rear left; the turn signal lights up to show which tire you need to do). The car will honk once when the signal is received correctly, telling you to go to the next tire.
6- The car will honk twice to confirm the end of the relearn process.

Ref: https://youtu.be/ifr6D1Md9Dg
 

19 April 2018

Delegate reset Active Directory password

Step 1: Start the Delegation of Control Wizard and select the user or group to delegate to

Open ADUC, find your domain tree and browse to the topmost level at which you wish to apply the user permissions (for example, 'Domain users' at my workplace), then right-click > 'Delegate Control'.

At the Welcome dialog, click 'Next'.

At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.

At the Select Users, Computers, or Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced' > 'Find' to locate the resource you wish to apply permissions to.

Once you've selected your resource(s), click 'OK' at the Select Users, Computers, or Groups dialog, then click 'Next' at the Users or Groups dialog.

Step 2: Delegate your task(s)


At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.

**** If you ONLY want to delegate the reset password task ****
Verify that 'Delegate the following common tasks' radio button is ticked and select 'Reset user passwords and force password change at logon' and click the 'Next' button.

Continue to step 3.

**** If you additionally want to delegate the ability to enable/disable user accounts ****
Tick the 'Create a custom task to delegate' radio button and click the 'Next' button.

Tick the 'Only the following objects in the folder' radio button, select 'User objects' and click the 'Next' button.

At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:

Change Password
Reset Password
Read userAccountControl
Write userAccountControl

Click the 'Next' button.

Step 3: Complete the Delegation of Control Wizard


Once you've finished delegating your tasks, you can click the 'Finish' button at the Completing the Delegation of Control Wizard dialog.

Now the users you delegated these tasks to should be able to reset passwords (or perform the other actions you specified) on the objects in the OU where you set up the delegated permissions.

Reference: https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

05 February 2018

PowerShell + DSACLS reset password

I used DSACLS inside PowerShell (PowerShell v4). I read from this blog post https://vbzine.wordpress.com/2011/05/14/dsacls-command-to-grant-domain-groups-password-reset-and-unlock-account-rights-to-specific-org-unit-ou/#comment-768
how to grant reset password rights on a specific OU using DSACLS, but the syntax there is wrong: the Write Property and Read Property flags are case sensitive and must be capitalized, and the closing quote needs to be placed after ;user and not before it. Here is the correct syntax:

dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:CA;Reset Password;user"
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;PwdlastSet;user"
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;lockoutTime;user"
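Whether the delegation was done through the Delegation of Control Wizard (the 19 April 2018 post above) or with dsacls as here, the result is a set of access-control entries on the OU, and the useful follow-up is to read them back in a form that names the rights instead of showing raw GUIDs. The script below is an added example, not from either post; it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name and group in the usage line are the placeholders from the dsacls commands. It resolves GUIDs from the directory's own schema and Extended-Rights container, so "Reset Password", "pwdLastSet", "lockoutTime" and "userAccountControl" all come out by name.

```powershell
# Added example, not part of the original posts. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADGuidNameMap {
    # Build a GUID -> name table from schema objects (attributes and classes)
    # and from control access rights such as "Reset Password".
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory = $true)][string]$OUDistinguishedName,
        [Parameter(Mandatory = $true)][string]$Identity   # e.g. 'SWUG\groupA'
    )
    $names = Get-ADGuidNameMap
    $empty = [guid]::Empty
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # ObjectType: the attribute or extended right the ACE is scoped to (empty = everything)
        $object = if ($ace.ObjectType -eq $empty) { '(all)' } else { $names[$ace.ObjectType] }
        # InheritedObjectType: the object class the ACE applies to, e.g. user (empty = all classes)
        $appliesTo = if ($ace.InheritedObjectType -eq $empty) { '(all classes)' } else { $names[$ace.InheritedObjectType] }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Object      = $object
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType
            IsInherited = $ace.IsInherited
        }
    }
}

# Usage (placeholders from the dsacls lines above):
#   Get-DelegatedAces -OUDistinguishedName 'OU=TeamA,DC=SWUG,DC=com,DC=sg' -Identity 'SWUG\groupA' |
#       Format-Table -AutoSize
```

For the three dsacls commands above you would expect three entries: an ExtendedRight ACE whose Object is "Reset Password", and two ReadProperty, WriteProperty ACEs on pwdLastSet and lockoutTime, each with AppliesTo = user and an inheritance type that only reaches child objects (the /I:S switch). Anything beyond that on the OU for the same group is worth a second look.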

18 October 2017

Strong private key protection for code signing certificates

When working with PowerShell scripts, it is a good idea to sign them if you plan on using them in your production environment. You can easily get a code signing certificate from your enterprise CA (Active Directory Certificate Services) or generate a self-signed one. There are multiple places explaining that, and I got my basic stuff from here:

https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

What is not mentioned is that you should protect your code signing certificate with "strong private key protection". To do that, export your current code signing certificate to a PFX file with the private key, then import it back (this can be done on the same computer) with the "strong private key protection" check box ticked in the import options, as shown in the picture below. At the end of the import process you will get an additional prompt to enter the password used to protect your private key. Obviously, if you plan on protecting your private key with a password, it's a good idea to NOT mark it as exportable...



Here is the password prompt for the private key protection.


Now each time you try to use this certificate you will be prompted for this password.
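The import step can also be done without the wizard. The function below is an added example (not from the original post) that loads a PFX with the .NET X509KeyStorageFlags.UserProtected flag, which is the programmatic equivalent of the "strong private key protection" check box, and deliberately omits the Exportable flag so the re-imported key cannot be exported again. The PFX path is a placeholder and the password is read interactively. It also handles the case the post glosses over: if the same certificate is still in the store, the function stops rather than silently leaving the old, unprotected copy in place.

```powershell
# Added example, not part of the original post.
function Import-ProtectedCodeSigningCert {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$PfxPassword
    )
    $storageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    # UserProtected  = strong private key protection (password prompt on every use)
    # PersistKeySet  = keep the key container once the object is disposed
    # No Exportable  = the private key cannot be exported after this import
    $flags = $storageFlags::UserProtected -bor $storageFlags::PersistKeySet

    # Loading the PFX with UserProtected raises the "strong private key protection" dialog
    # where you set the password that will be asked for at each signing operation.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        (Resolve-Path $PfxPath).Path, $PfxPassword, $flags)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $existing = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            throw "Certificate $($cert.Thumbprint) is already in Cert:\CurrentUser\My; remove that entry first so the unprotected key does not stay behind."
        }
        $store.Add($cert)
    }
    finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

# Usage (placeholder path):
#   $pfxPwd = Read-Host -AsSecureString 'PFX password'
#   Import-ProtectedCodeSigningCert -PfxPath 'C:\temp\codesign.pfx' -PfxPassword $pfxPwd
```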

13 September 2017

My first PowerShell function... Sign-Script

I'm starting to play more with PowerShell and, for some needs that we have, I had to start signing scripts. I found many places on the internet that explain how to get a code signing certificate from our corporate CA and then sign the script with a timestamp, so that the script still works when the certificate expires, because the timestamp certifies that the certificate was valid at the time of signing. This generates a pretty long command, so I wrote my first PowerShell function, Sign-Script, to make it easier. You can place it in your PowerShell profile (profile.ps1) to have it available each time you run PowerShell.

PowerShell profile ref: https://technet.microsoft.com/en-us/library/2008.10.windowspowershell.aspx

Code signing ref: https://www.darkoperator.com/blog/2013/3/5/powershell-basics-execution-policy-part-1.html

So without further delay here it comes...

#Begin copy after this line
#----------------------------------------------------------------------------------------------------

<#
.SYNOPSIS
   Sign the specified script with the first code signing certificate of the current user
   and with a default time stamping URL.

.DESCRIPTION
   This function allows you to sign a script with a timestamp so that your script stays
   valid even when the signing certificate expires. It also saves you from typing the
   full path to the signing certificate, since it uses the first "Code Signing"
   certificate available in the current user's certificate store. This function also
   uses a default time stamping URL so that you don't need to

.PARAMETER scriptname
    The script name, including the full path, that you want to sign.

.PARAMETER cert
    A code signing certificate object. The default is the first code signing certificate
    of the current user.

.PARAMETER TimeStampingServer
    URL of a time stamping server. The default is "http://timestamp.comodoca.com/authenticode".

.EXAMPLE
   Sign-Script c:\script\test.ps1

.EXAMPLE
   Sign-Script -scriptname c:\script\test.ps1 -cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.FriendlyName -eq "Thawte Code Signing" }) -TimeStampingServer "http://timestamp.verisign.com/scripts/timstamp.dll"
#>
function Sign-Script
{
    [CmdletBinding()]
    [Alias("Sign")]
    Param
    (
        # Full path of the script to sign (also accepted from the pipeline)
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   ValueFromPipelineByPropertyName=$true,
                   ValueFromRemainingArguments=$false,
                   Position=0)]
        [ValidateNotNullOrEmpty()]
        [string]$scriptname,

        # Code signing certificate; defaults to the first one in the current user's store
        $cert = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0],

        # Time stamping server used to countersign the signature
        $TimeStampingServer = "http://timestamp.comodoca.com/authenticode"
    )

    Process
    {
        if (-not $cert)
        {
            throw "No code signing certificate found in Cert:\CurrentUser\My"
        }
        Set-AuthenticodeSignature -FilePath $scriptname -Certificate $cert -TimestampServer $TimeStampingServer
    }
}

#---------------------------------------------------------------------------------
#End copy above this line
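Once a script has been signed, the part worth checking is the one the post relies on: that the signature is valid and that a timestamp countersignature is actually present, since without it the script stops validating when the signing certificate expires. The function below is an added example, not part of the original post or of Sign-Script; it only uses Get-AuthenticodeSignature and the properties of the Signature object it returns.

```powershell
# Added example, not part of the original post.
function Test-ScriptSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # TimeStamperCertificate is only populated when a timestamp countersignature exists.
    $hasTimestamp = $null -ne $sig.TimeStamperCertificate
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = if ($signer) { $signer.Subject } else { $null }
        SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
        TimeStamped   = $hasTimestamp
        TimeStamper   = if ($hasTimestamp) { $sig.TimeStamperCertificate.Subject } else { $null }
        # A signature is only "good" for production use when it is Valid AND timestamped.
        Ok            = ($sig.Status -eq 'Valid') -and $hasTimestamp
    }
}

# Usage:
#   Test-ScriptSignature C:\script\test.ps1
#   Get-ChildItem C:\script\*.ps1 | ForEach-Object { Test-ScriptSignature $_.FullName } | Where-Object { -not $_.Ok }
```

The second usage line lists the scripts in a folder that are either unsigned, signed with an untrusted or revoked certificate, or signed without a timestamp, which is the set that will break (or already has) in a locked-down execution policy.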