OpenVPN + PAM + SSSD + Active Directory

OpenVPN server:

OS: CentOS 8
IP: 10.0.0.10/24

AD authentication server (dc):
Windows 2012 DC (domain functional level 2003)
Domain: mydomain.com
Host FQDN: dc.mydomain.com

Certificate server (caserver):
Windows 2003 CA, signatures use SHA1
Host FQDN: caserver.mydomain.com

1. Install OpenVPN in routed (tun) mode; the native Android client does not support TAP bridging.

    # Install the EPEL repository
    dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    dnf config-manager --set-enabled PowerTools
    dnf repolist epel
    # Install git
    dnf -y install git
    cd ~
    # Fetch the install script from GitHub
    git clone https://github.com/Nyr/openvpn-install.git
    cd openvpn-install/
    chmod +x openvpn-install.sh
    # Run the installer (read the script first: it runs as root and generates the whole PKI for you)
    ./openvpn-install.sh

Answer the prompts; when the script finishes it has written the server configuration. Edit /etc/openvpn/server/server.conf so that OpenVPN also authenticates through PAM:

    # server IP
    local 10.0.0.10
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-crypt tc.key
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 10.0.0.1"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    explicit-exit-notify
    # Enable PAM authentication using the default /etc/pam.d/login stack
    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

As configured, every domain account that can authenticate also gets VPN access, because the client certificate is the only other gate. To limit access to a group, restrict it in sssd (access_provider = ldap with an ldap_access_filter) or in the PAM stack (pam_listfile); a dedicated /etc/pam.d/openvpn service is cleaner than reusing login for that.

Restart OpenVPN:

    systemctl restart openvpn-server@server

Edit the client template. Clients need to reach resources on 10.1.0.0/24, a different subnet from the server's, so a route is added in /etc/openvpn/server/client-common.txt:

    client
    dev tun
    proto udp
    # public IP of the firewall
    remote 1.2.3.4 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    ignore-unknown-option block-outside-dns
    block-outside-dns
    # In addition to OpenVPN's own certificate check, prompt for an AD user name and password
    auth-user-pass
    verb 3
    # Route to 10.1.0.0/24 with gateway 10.0.0.253
    route 10.1.0.0 255.255.255.0 10.0.0.253

Two caveats on that route line. The server already pushes redirect-gateway def1, so all client traffic goes through the tunnel and the extra route is redundant. If an explicit route is wanted, leave the gateway off (OpenVPN then uses the VPN gateway) and let the server route 10.1.0.0/24 via 10.0.0.253; a gateway that is not on the client's tun subnet, as 10.0.0.253 here, is rejected by the Linux kernel as not on-link. Pushing it from the server with push "route 10.1.0.0 255.255.255.0" keeps all clients in sync.

After the changes, run the installer again to generate a new client .ovpn file:

    ./openvpn-install.sh

Choose "Add a new user"; the user created during the first run can be removed with "Revoke an existing user". The generated .ovpn file is placed under /root. It embeds the client certificate, its private key and the tls-crypt key, so hand it to the user over a secure channel.

2. Fetch the domain CA's public certificate. It is usually published on the CA under a path like \\caserver\CertEnroll\caserver_MYDOMAIN Root Certification Authority.crt. Mount the share with the cifs tools, copy the file to the CentOS 8 host and convert it to PEM:

    # Mount the share. Windows Server 2003 only speaks SMB1, so vers=1.0 is required
    # (SMB1 is obsolete; use it for this one-off copy only). A password given with pass=
    # shows up in the process list; credentials=/root/.smbcred is the cleaner option.
    mount.cifs //caserver/CertEnroll /mnt/cifs -o user=administrator,pass=password,dom=mydomain,vers=1.0
    cp /mnt/cifs/xxxx.crt xxxx.crt
    # Convert DER to PEM
    openssl x509 -inform der -in xxxx.crt -out xxxx.pem
    # Move it into the trust anchor directory
    mv xxxx.pem /etc/pki/ca-trust/source/anchors
    # Rebuild the system trust store (this also regenerates /etc/pki/tls/certs/ca-bundle.crt, which sssd is pointed at below)
    update-ca-trust

3. Configure sssd to connect to Active Directory. Edit /etc/sssd/sssd.conf (the file must be owned by root with mode 0600, otherwise sssd refuses to start):

    [sssd]
    services = nss, pam, ssh
    config_file_version = 2
    domains = mydomain
    
    [sudo]
    
    [nss]
    
    [pam]
    offline_credentials_expiration = 60
    
    [domain/mydomain]
    cache_credentials = True
    ldap_search_base = dc=mydomain,dc=com
    id_provider = ldap
    # AD host, connected over LDAPS
    ldap_uri = ldaps://dc.mydomain.com:636
    ldap_schema = AD
    # The administrator account is used here for convenience; use a dedicated read-only domain account instead
    ldap_default_bind_dn = cn=administrator,cn=users,dc=mydomain,dc=com
    # Bind password, stored in cleartext, hence the 0600 requirement on this file
    ldap_default_authtok = password_for_administrator
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    ldap_tls_cacertdir = /etc/pki/tls/certs
    ldap_search_timeout = 50
    ldap_network_timeout = 60
    ldap_id_mapping = True
    ldap_referrals = false
    enumerate = False
    fallback_homedir = /home/%u
    default_shell = /bin/bash

Edit /etc/openldap/ldap.conf (this configures the ldap* command-line tools, useful for testing the LDAPS connection with ldapsearch):

    URI ldaps://dc.mydomain.com:636
    base dc=mydomain,dc=com
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
    SASL_NOCANON on

Switch the authentication stack to sssd (--force overwrites the current authselect profile and the PAM/nsswitch files it manages) and enable the service:

    authselect select sssd --force
    systemctl enable --now sssd
    systemctl restart sssd

Because the Windows 2003 CA still signs with SHA1, the LDAPS certificate chain fails under the CentOS 8 default crypto policy and the system-wide policy has to be lowered. LEGACY weakens the floor for every TLS and SSH consumer on this host (OpenVPN's control channel included), not only sssd; re-issuing the CA and DC certificates with SHA256 is the proper fix.

update-crypto-policies --set LEGACY
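Added example (not part of the original post): an offline audit of the sssd.conf above. The weak points of this design are the cleartext bind password in sssd.conf, the use of the administrator account for the bind, and the TLS verification of the LDAPS connection; the script checks all of them with bash and awk only. Both sample configs are constructed here: one is the post's config with the TLS settings loosened on purpose so that every check fires, the other uses an assumed read-only service account cn=svc-sssd-ro (not from the original).

```bash
#!/bin/bash
# Added example, not from the original post: offline audit of an sssd.conf
# for the weak points of the LDAP-bind setup above. Needs only bash, awk,
# stat and grep. sssd also requires root:root ownership; that is not checked
# here so the sample can run as an unprivileged user.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sssd_opt FILE KEY: value of KEY inside the [domain/...] section (or empty).
# Split on the first '=' only, because bind DNs contain '=' themselves.
sssd_opt() {
    awk -v key="$2" '
        /^\[/ { in_dom = ($0 ~ /^\[domain\//); next }
        in_dom {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", k)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_sssd_conf FILE: prints one "FINDING: ..." line per problem.
audit_sssd_conf() {
    local f=$1 mode uri starttls reqcert bind_dn
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    uri=$(sssd_opt "$f" ldap_uri)
    starttls=$(sssd_opt "$f" ldap_id_use_start_tls)
    reqcert=$(sssd_opt "$f" ldap_tls_reqcert)
    bind_dn=$(sssd_opt "$f" ldap_default_bind_dn)

    # ldap_default_authtok is a cleartext password; sssd refuses to start unless the file is 0600
    [ "$mode" = "600" ] ||
        echo "FINDING: mode $mode, must be 0600 (file holds ldap_default_authtok in cleartext)"
    # A simple bind sends that password on the wire: require LDAPS or StartTLS
    case $uri in
        ldaps://*) ;;
        *) [ "$(lc "$starttls")" = "true" ] ||
               echo "FINDING: ldap_uri '$uri' without ldap_id_use_start_tls sends the bind password in cleartext" ;;
    esac
    # Anything weaker than demand/hard lets a MITM present any certificate (empty = sssd default, hard)
    case $(lc "$reqcert") in
        ""|demand|hard) ;;
        *) echo "FINDING: ldap_tls_reqcert = $reqcert does not verify the DC certificate" ;;
    esac
    # The bind account's password sits on this VPN box; it must not be a Domain Admin
    case $(lc "$bind_dn") in
        *administrator*) echo "FINDING: bind DN '$bind_dn' is a Domain Admin; use a dedicated read-only account" ;;
    esac
}

# sssd_findings FILE: number of findings
sssd_findings() { audit_sssd_conf "$1" | grep -c '^FINDING' || true; }

# Constructed samples. "weak" is the post's config with the TLS settings loosened
# on purpose so that every check fires; "good" uses an assumed read-only account.
SSSD_AUDIT_DIR=$(mktemp -d)
WEAK_CONF=$SSSD_AUDIT_DIR/weak.conf
GOOD_CONF=$SSSD_AUDIT_DIR/good.conf
cat > "$WEAK_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = mydomain
[domain/mydomain]
id_provider = ldap
ldap_uri = ldap://dc.mydomain.com
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=mydomain,dc=com
ldap_default_authtok = password_for_administrator
ldap_tls_reqcert = allow
EOF
cat > "$GOOD_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = mydomain
[domain/mydomain]
id_provider = ldap
ldap_uri = ldaps://dc.mydomain.com:636
ldap_schema = AD
ldap_default_bind_dn = cn=svc-sssd-ro,ou=ServiceAccounts,dc=mydomain,dc=com
ldap_default_authtok = REPLACE_ME
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
EOF
chmod 644 "$WEAK_CONF"
chmod 600 "$GOOD_CONF"

for c in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $c: $(sssd_findings "$c") finding(s)"
    audit_sssd_conf "$c"
done
```

Run it against /etc/sssd/sssd.conf as root after editing the file; the post's own configuration passes the TLS checks (LDAPS, reqcert = demand) and only trips the bind-account check until the administrator DN is replaced by a read-only account.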

Then reboot.

4. On the firewall, allow inbound UDP 1194 to 1.2.3.4 and forward it to 10.0.0.10 on the inside.

5. On the client, install an OpenVPN client and import the .ovpn file.
Windows 7/8/10: OpenVPN-GUI (OpenVPN Connect for Windows would not import the .ovpn file)
iOS/Android: OpenVPN Connect

References:
https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/
https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8
https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5

Samba4 AD DC + DHCPD + BIND (Dynamic DNS)

Samba 4 has been out for a long time, so along with replacing the machine and moving to CentOS 6 I upgraded the Samba 3 (NT4-style PDC) + dhcpd + bind setup to Samba 4 AD DC + BIND 9 with the DLZ module + dhcpd.

DC host name: samba4dc (realm home.com, FQDN samba4dc.home.com)

DC IP : 192.168.0.1/24

  1. Register at https://portal.enterprisesamba.com/users/sign_up so that Samba can be installed and upgraded with yum; if you build from source this is not needed. After logging in, download the sernet-samba-4.1.repo for CentOS 6 and replace the USERNAME:ACCESSKEY part in the file.
  2. Before upgrading, back up /etc/samba, /var/lib/samba, /etc/dhcp, /etc/named.conf, /var/named and /var/cache/samba.
  3. Install Samba 4
    # yum install sernet-samba -y
  4. Upgrade the Samba domain to AD
    Move the old config file out of the way (it is the input for classicupgrade below)

    # mv /etc/samba/smb.conf /etc/smb.PDC.conf

    Move the old databases and caches out of the way

    # mv /var/lib/samba/ /var/lib/samba.PDC/
    # mv /var/cache/samba/ /var/cache/samba.PDC/

    Create a directory and copy the database files the upgrade needs into it

    # mkdir /var/lib/samba.PDC/dbdir/
    # cp -p /var/lib/samba.PDC/private/secrets.tdb /var/lib/samba.PDC/dbdir/
    # cp -p /var/lib/samba.PDC/private/schannel_store.tdb /var/lib/samba.PDC/dbdir/
    # cp -p /var/lib/samba.PDC/private/passdb.tdb /var/lib/samba.PDC/dbdir/
    # cp -p /var/cache/samba.PDC/gencache_notrans.tdb /var/lib/samba.PDC/dbdir/
    # cp -p /var/cache/samba.PDC/group_mapping.tdb /var/lib/samba.PDC/dbdir/
    # cp -p /var/cache/samba.PDC/account_policy.tdb /var/lib/samba.PDC/dbdir/

    Upgrade the databases, using the BIND9_DLZ DNS backend

    # samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir/ --use-xattrs=yes --realm=home.com --dns-backend=BIND9_DLZ /etc/smb.PDC.conf --option="interfaces=lo eth0" --option="bind interfaces only=yes"
    PS: --option="interfaces=lo eth0" --option="bind interfaces only=yes" restrict Samba to the loopback and eth0 interfaces.
  5. Adjust the generated Samba configuration and the service startup
    /etc/samba/smb.conf

    [global]
            workgroup = HOME
            realm = home.com
            netbios name = SAMBA4DC
            interfaces = lo, eth0
            bind interfaces only = Yes
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
            idmap_ldb:use rfc2307 = yes
            log level = 2
            log file = /var/log/samba/log.%m
            max log size = 50
            wins support = yes
            syslog = 0
            username map = /etc/samba/smbusers
            domain master = yes
            domain logons = yes
            local master = yes
            preferred master = yes
    
    [netlogon]
            path = /var/lib/samba/sysvol/home.com/scripts
            read only = No
    
    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No
    
    [homes]
            comment = Home Directories
            browseable = no
            read only = No
            valid users = %S
            create mask = 0700
            directory mask = 0700
    
    [nas]
            comment = storage
            path = /home/data
            public = yes
            writable = yes
            printable = no
            write list = +adm

    Since this host is a DC, only the sernet-samba-ad service is enabled. sernet-samba-nmbd, sernet-samba-smbd and sernet-samba-winbindd must not be started: the AD DC process spawns its own smbd and winbindd.

    # chkconfig --level 2345 sernet-samba-ad on
  6. Adjust the BIND 9 and Kerberos settings
    /etc/named.conf

    // ACLs must be defined before they are referenced, so "home" comes first
    acl "home" { 192.168.0.0/24; 127.0.0.1; };
    
    options {
            listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    
            forwarders {
                    168.95.1.1;
                    };
            forward first;
            listen-on {
                    home;
            };
            allow-recursion {home;};
            allow-update { home; };
            allow-query { home; };
            allow-transfer { home;};
            listen-on-v6 { none; };
            tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; # add this line: lets named accept GSS-TSIG signed updates
            auth-nxdomain yes;
            empty-zones-enable no;
            version none;
            hostname none;
            server-id none;
    };
    
    logging {
            channel Named_log {
                file "data/named.run";# versions 5 size 5m;
                severity dynamic;
                print-severity  yes;
                print-time yes; };
            category default {Named_log; };
            category xfer-out {Named_log; };
            category queries {Named_log; };
    };
    
    controls {
            inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/rndc.key";
    include "/var/lib/samba/private/named.conf";   # add this line: loads the Samba DLZ zone

    /var/lib/samba/private/named.conf

    dlz "AD DNS Zone" {
        # For BIND 9.8.0
        database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so"; # pick the module matching your BIND version
    
        # For BIND 9.9.0
        # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
    };

    Fix the keytab permissions so that named can read it and authenticate the GSS-TSIG dynamic updates

    # chgrp named /var/lib/samba/private
    # chgrp named /var/lib/samba/private/dns.keytab
    # chmod g+r /var/lib/samba/private/dns.keytab

    Link the Kerberos configuration into /etc

    # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

    Restart named

    # service named restart

    Create the reverse lookup zone (samba-tool dns needs domain admin credentials; add -U administrator if no Kerberos ticket is cached)

    # samba-tool dns zonecreate samba4dc.home.com 0.168.192.in-addr.arpa

    Add the DC's PTR record to the reverse zone

    # samba-tool dns add samba4dc.home.com 0.168.192.in-addr.arpa 1 PTR samba4dc.home.com

    If ntpd is configured (optional), set the signing socket so that Samba can sign NTP replies for Windows clients (ntpsigndsocket):

    driftfile /var/lib/ntp/drift
    logfile         /var/log/ntp
    ntpsigndsocket  /var/lib/samba/ntp_signd
    
    restrict default kod nomodify notrap nopeer mssntp noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    
    restrict 127.0.0.1
    restrict -6 ::1
    
    restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
    
    server 0.centos.pool.ntp.org iburst
    server 1.centos.pool.ntp.org iburst
    server 2.centos.pool.ntp.org iburst
    server 3.centos.pool.ntp.org iburst
    
    includefile /etc/ntp/crypto/pw
    
    keys /etc/ntp/keys

    Fix the socket directory permissions and restart ntpd

    # chown root:ntp /var/lib/samba/ntp_signd
    # chmod 750 /var/lib/samba/ntp_signd
    # service ntpd restart

    Restart Samba: stop the old Samba 3 smbd/nmbd services and start the AD DC service

    # service smbd stop
    # service nmbd stop
    # service sernet-samba-ad start
  7. DHCPD configuration
    Create a dhcp user in AD and grant it the right to update DNS dynamically (this can also be done with the Windows RSAT tools). DnsAdmins membership lets this account change any record in the zone, so the keytab exported in the next step must be protected accordingly.

    # samba-tool user create dhcp --description="Unprivileged user for DNS updates via DHCP server"
    # samba-tool group addmembers DnsAdmins dhcp

    Export that user's credentials to a keytab; this file is the DNS-update credential, so it is readable only by root and the dhcpd group

    # cd /etc/dhcp
    # samba-tool domain exportkeytab --principal=dhcp@HOME.COM dhcpd.keytab
    # chown root:dhcpd /etc/dhcp/dhcpd.keytab
    # chmod 440 /etc/dhcp/dhcpd.keytab
    # chgrp dhcpd /etc/dhcp

    Create the following two scripts.
    /usr/local/sbin/dhcp-dyndns.sh is a thin wrapper so that dhcpd's execute() returns immediately; the real work runs in the background and its output goes to syslog.

    #!/bin/bash
    "$(dirname "$0")/dns-krbnsupdate.sh" "$@" 2>&1 | logger &

    /usr/local/sbin/dns-krbnsupdate.sh

    #!/bin/bash
    
    # This script is for secure DDNS updates using GSS/TSIG
    # Version: 0.1
    # Invoked by dhcp-dyndns.sh from the on commit / on release / on expiry
    # hooks in dhcpd.conf:  add ip dhcid hostname [ttl]  |  delete ip dhcid
    
    ## CONFIGURATION ##
    # Kerberos realm
    realm="HOME.COM"
    # Kerberos principal (the dhcp user whose keytab was exported above)
    principal="dhcp@$realm"
    # Kerberos keytab
    keytab="/etc/dhcp/dhcpd.keytab"
    # Kerberos credentials cache (created with umask 077 in _main, so only root can read it)
    krb5cc="/tmp/krb5cc_0"
    # Use MIT kerberos args instead of heimdal.
    KRB5MIT="YES"
    
    # Domain appended to hostname
    domain="home.com"
    # Space separated list of DNS servers for sending updates to (the AD DC)
    NSRVS="samba4dc.home.com"
    # Default DNS resource records TTL
    RRTTL="3600"
    # Do not use TXT RRs (rfc4701)
    NOTXTRRS="YES"
    
    # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
    #NSUPDFLAGS="-d"
    # Run in the foreground (for manual run only!!!), it's better to use "-d" as script's first argument
    #DEBUG="YES"
    
    ######################################################
    
    ## VARIABLES ##
    [ "$1" = "-d" ] && DEBUG="YES" && shift
    action=$1
    ip=$2
    DHCID=$3
    name=${4%%.*}                # short host name; $domain is appended below
    [ -n "$5" ] && RRTTL="$5"
    
    _usage() {
        echo "Usage:"
        echo " $(basename "$0") [-d] add ip-address dhcid|mac-address hostname [dns-ttl]"
        echo " $(basename "$0") [-d] delete ip-address dhcid|mac-address"
    }
    
    # Reuse a valid ticket from the cache or obtain one from the keytab.
    _kerberos() {
        export KRB5_KTNAME="$keytab"
        export KRB5CCNAME="$krb5cc"
    
        if [ "$KRB5MIT" = "YES" ]; then
            KLISTARG="-s"        # MIT: exit 0 only if the cache holds a valid TGT
        else
            KLISTARG="-t"        # Heimdal equivalent
        fi
    
        klist $KLISTARG || kinit -k -t "$keytab" -c "$krb5cc" "$principal" || { echo "DDNS: kinit failed"; exit 1; }
    }
    
    # Pseudo-DHCID stored in a TXT record: ties the A/PTR records to the client
    # identifier that created them, so another client cannot take over the name.
    _dhcid_txt() {
        local sum
        sum=$(echo "$DHCID$RRPTR" | sha256sum)
        echo "000101${sum%% *}"
    }
    
    _main() {
        umask 77
    
        if [ -z "$ip" ] || [ -z "$DHCID" ]; then
            _usage
            exit 1
        fi
    
        # Owner name of the PTR record for $ip
        RRPTRNAME=$(echo "$ip" | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
    
        ## NSUPDATE ##
        case "$action" in
        add)
            RRPTR="$name.$domain"
            if [ "$NOTXTRRS" != "YES" ]; then
                NOTXTRRS=""
                RRAOLD=$(host "$RRPTR" | awk '/has address/ {print $4}')
                if [ -n "$RRAOLD" ]; then
                    # Name already exists: only touch it if the stored DHCID is ours
                    RRTXTOLD=$(host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
                    [ -z "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1
                    RRTXT=$(_dhcid_txt)
                    [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
                else
                    RRTXT=$(_dhcid_txt)
                fi
            else
                NOTXTRRS=";"     # ';' comments out the TXT lines in the nsupdate batch
            fi
    
            _kerberos
    
            for NSRV in $NSRVS; do
                nsupdate -g $NSUPDFLAGS << UPDATE
    server $NSRV
    realm $realm
    update delete $RRPTR. $RRTTL A
    ${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
    ${NOTXTRRS}update add $RRPTR. $RRTTL TXT $RRTXT
    update add $RRPTR. $RRTTL A $ip
    send
    update delete $RRPTRNAME. $RRTTL PTR
    update add $RRPTRNAME. $RRTTL PTR $name.$domain.
    send
    UPDATE
                result=$?
                [ "$result" -eq 0 ] && echo "DDNS: adding records for $ip ($RRPTR) succeeded" && exit 0
            done
    
            [ "$result" != "0" ] && echo "DDNS: adding records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result"
            ;;
        delete)
            # The lease only gives us the IP; find the name through its PTR record
            RRPTR=$(host "$ip" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}')
            if [ -z "$RRPTR" ]; then
                echo "DDNS: removing records for $ip FAILED: has no PTR, can not determine A record" && exit 1
            fi
            if [ "$NOTXTRRS" != "YES" ]; then
                NOTXTRRS=""
                RRTXTOLD=$(host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
                [ -z "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but no DHCID, not mine" && exit 1
                RRTXT=$(_dhcid_txt)
                [ "$RRTXT" != "$RRTXTOLD" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: has A record but DHCID is wrong" && exit 1
            else
                NOTXTRRS=";"
            fi
    
            _kerberos
    
            for NSRV in $NSRVS; do
                nsupdate -g $NSUPDFLAGS << UPDATE
    server $NSRV
    realm $realm
    update delete $RRPTR. $RRTTL A
    ${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
    send
    update delete $RRPTRNAME. $RRTTL PTR
    send
    UPDATE
                result=$?
                [ "$result" -eq 0 ] && echo "DDNS: removing records for $ip ($RRPTR) succeeded" && exit 0
            done
    
            [ "$result" != "0" ] && echo "DDNS: removing records for $ip ($RRPTR) FAILED: nsupdate status $result" && exit "$result"
            ;;
        *)
            _usage && exit 1
            ;;
        esac
    }
    
    if [ "$DEBUG" = "YES" ]; then
        _main
    else
        # Normal (dhcpd) mode: run in the background and send the output to syslog
        _main | logger -s -t dhcpd &
    fi

    Edit /etc/dhcp/dhcpd.conf

    subnet 192.168.0.0 netmask 255.255.255.0 {
        authoritative;
        option netbios-name-servers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        option domain-name "home.com";
        option netbios-node-type 8;
        # Gateway as posted. 192.168.1.1 is not on 192.168.0.0/24, so clients cannot
        # reach it; use the address of the router that actually sits on this subnet.
        option routers 192.168.1.1;
        option subnet-mask 255.255.255.0;
        default-lease-time 259200;
        # The range must lie inside the declared subnet or dhcpd refuses to start
        # (the original upper bound 192.168.1.250 was outside 192.168.0.0/24)
        range 192.168.0.10 192.168.0.250;
        # Hand every lease event to the DDNS script; the MAC address serves as the DHCID
        on commit {
            set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
            set ClientName = pick-first-value(option host-name, host-decl-name);
            set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
            execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
        }
        on release {
            set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
            set ClientName = pick-first-value(option host-name, host-decl-name);
            set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
            execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
        }
        on expiry {
            set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
            set ClientName = pick-first-value(option host-name, host-decl-name);
            set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
            execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
        }
    }

    Make the scripts executable

    # chmod 755 /usr/local/sbin/dhcp-dyndns.sh
    # chmod 755 /usr/local/sbin/dns-krbnsupdate.sh

    Check the configuration (dhcpd -t -cf /etc/dhcp/dhcpd.conf) and restart dhcpd

    # service dhcpd restart
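Added example (not from the original post): a preflight check for the dhcpd.conf above. dhcpd -t rejects a range that lies outside the declared subnet, but says nothing about an option routers address that clients cannot reach, so this script checks both with plain shell arithmetic. The samples are constructed: one reproduces the subnet block as first posted (range ending at 192.168.1.250, gateway 192.168.1.1), the other is a corrected version with an assumed gateway of 192.168.0.1.

```bash
#!/bin/bash
# Added example, not from the original post: preflight check of dhcpd.conf
# subnet declarations. Every "range" bound and every "option routers"
# address must lie inside the declared subnet. Plain shell arithmetic + awk.

# ip2int 192.168.0.10 -> 3232235530
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK: exit 0 when IP is inside NET/MASK
in_subnet() {
    local ip net mask
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dhcpd_subnet_check FILE: one "FINDING: ..." line per off-subnet address.
# awk flattens each subnet block to "subnet NET MASK", "range A [B]" and
# "routers GW" lines; the loop checks them against the current subnet.
dhcpd_subnet_check() {
    awk '
        $1 == "subnet"                    { print "subnet", $2, $4 }
        $1 == "range"                     { gsub(/;/, ""); print "range", $2, $3 }
        $1 == "option" && $2 == "routers" { gsub(/;/, ""); print "routers", $3 }
    ' "$1" |
    while read -r kind a b; do
        case $kind in
            subnet)  net=$a; mask=$b ;;
            range)   for addr in $a $b; do
                         in_subnet "$addr" "$net" "$mask" ||
                             echo "FINDING: range address $addr is outside $net/$mask (dhcpd refuses to start)"
                     done ;;
            routers) in_subnet "$a" "$net" "$mask" ||
                         echo "FINDING: option routers $a is not on $net/$mask; clients cannot reach this gateway" ;;
        esac
    done
}

# dhcpd_findings FILE: number of findings
dhcpd_findings() { dhcpd_subnet_check "$1" | grep -c '^FINDING' || true; }

# Constructed samples: the subnet block as first posted, and a corrected one
# with an assumed gateway of 192.168.0.1 (the DC's address; adjust to your router).
DHCPD_CHECK_DIR=$(mktemp -d)
AS_POSTED=$DHCPD_CHECK_DIR/as_posted.conf
FIXED=$DHCPD_CHECK_DIR/fixed.conf
cat > "$AS_POSTED" <<'EOF'
subnet 192.168.0.0 netmask 255.255.255.0 {
  authoritative;
  option domain-name-servers 192.168.0.1;
  option routers 192.168.1.1;
  range 192.168.0.10 192.168.1.250;
}
EOF
cat > "$FIXED" <<'EOF'
subnet 192.168.0.0 netmask 255.255.255.0 {
  authoritative;
  option domain-name-servers 192.168.0.1;
  option routers 192.168.0.1;
  range 192.168.0.10 192.168.0.250;
}
EOF

for c in "$AS_POSTED" "$FIXED"; do
    echo "== $c: $(dhcpd_findings "$c") finding(s)"
    dhcpd_subnet_check "$c"
done
```

Point dhcpd_subnet_check at /etc/dhcp/dhcpd.conf before restarting; it handles several subnet blocks in one file, but not the "range dynamic-bootp" form or a comma-separated routers list.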
  8. Testing
    # samba_dnsupdate --verbose --all-names

    If this command reports no errors, bind9 is configured correctly. If it fails, check the file and directory permissions so that bind9 can read dns.keytab.
    When a DHCP client boots, or when ipconfig /renew is run in a Windows command prompt, the server's syslog shows the following, meaning the dynamic update succeeded:

    Dec  9 00:00:15 samba4dc dhcpd: DDNS: adding records for 192.168.0.186 (win7.home.com) succeeded
    Dec  9 00:00:15 samba4dc logger: dhcpd: DDNS: adding records for 192.168.0.186 (win7.home.com) succeeded
  9. Known issues
    I. Windows clients attempt their own secure DNS update, so the named log shows failed updates. Since DNS is updated through dhcpd here, these errors can be ignored.
    II. Samba 4 does not yet fully support running the DC and a file server on the same host, so clients do not see the server in Network Neighbourhood and have to connect manually with \\server. Mapping the drives in a logon script or in the user's properties in RSAT avoids the problem.
    III. The RSAT DNS Manager can add and delete records but occasionally shows an error message; it has no effect.
  10. References
    https://wiki.samba.org/index.php/User_Documentation
    http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
    https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Controller

Windows 7: firewall and networking fail to start after joining a Windows 2003 AD

Dell recently let us know that although the machines come with XP downgrade rights, they can no longer be delivered with XP preinstalled, so we have to install XP ourselves. Some of our older ERP software cannot be installed on Windows 7 and would have to be upgraded, with an impact that is still hard to estimate. The upgrade has to come sooner or later, though, so a few machines were set up for testing.

From the documentation it looked as if simply joining the domain would do: when Windows 7 finds no GPO settings meant for it, it falls back to the local ADMX files. In practice it is not that simple. After joining the domain and rebooting, the network would not connect, services such as DHCP Client and Network Location Awareness failed to start, and enabling the firewall gave error "0x8007042c". Evidently part of the Windows XP security policy was still being applied, stripping rights from some of the service accounts.

After a good deal of Googling, the fix is a WMI filter that keeps Windows 7 from applying the domain security policy. The steps:

  1. From Windows XP or Windows 2003, open "Active Directory Users and Computers", right-click the domain to manage and choose Properties.
    [screenshot: win7_gpo]
  2. Switch to the "Group Policy" tab, select the policy to modify (here the Default Domain Policy) and click Properties.
    [screenshot: win7_gpo1]
  3. Switch to the WMI Filter tab and choose "Browse/Manage".
    [screenshot: win7_gpo2]
  4. Click "Advanced".
    [screenshot: win7_gpo3]
  5. Click New, enter a name and description, and in the query enter: Select * from Win32_OperatingSystem where BuildNumber != "7600". 7600 is the Windows 7 build number, which winver shows. Save the settings. If other OUs have their own security policies and Windows 7 machines will be placed in them, the same WMI filter has to be applied there too. Note that BuildNumber is compared as a string, and that Windows 7 SP1 reports build 7601, so a filter on a single build number stops working after a service pack; filtering on the version family (Version LIKE "6.1%") is more robust.
    [screenshot: win7_gpo4]

Once done, the domain security policy is no longer applied to Windows 7. Windows 7's own security policy can then be managed by creating a Central Store on the Windows 2003 AD and administering it from a Windows 7 machine with RSAT installed; see KB929841 for details.