The ADConfig tool, ADConfig.exe, is a configuration tool that you must use to configure Active Directory® for System Center Mobile Device Manager (MDM). ADConfig lets you do the following:
- Create the Active Directory Universal Security Groups and containers for MDM
- Add the service connection points (SCP) for MDM
- Create the Mobile Device Templates in the enterprise certification authority
 
ADConfig.exe is in the ADConfig directory of the installation disc for MDM. You can start the ADConfig tool at a command prompt, as the following describes.
- You must run the ADConfig tool from a computer or server that is in the same site and domain as the MDM system servers.
- You must allow enough time for the changes to replicate across all domain controllers before you continue with the next parameter in the process.
- You must run the ADConfig tool from a secure local location and not from a network share.
- You must have Domain Administrator or equivalent permissions to create the Universal Security Groups (USG) and SCP.
- You must have Enterprise Administrator (or equivalent) credentials to create a new template in the enterprise. This is because all certificate templates are created in the Active Directory configuration container.
- You must have Enterprise Administrator and Administrator permissions on the certification authority to enable certificate templates and grant revocation permissions on the certification authority.
- For the /gpsecurity parameter, depending on the options that you select, you must have either Domain Administrator permissions, Schema Administrator permissions, or permissions on a specific GPO.
 
Syntax
    ADConfig.exe /domain:<domain_name> [/quiet]
    ADConfig.exe /gpsecurity:default [/quiet]
    ADConfig.exe /gpsecurity:<all|ID> /gpdomain:<domain_name> [/quiet]
    ADConfig.exe /createtemplates [/quiet]
    ADConfig.exe /enabletemplates /ca:<ca_server>\<ca_name> [/quiet]
    ADConfig.exe [/? | /help]
    ADConfig.exe /enabletemplates /ca:<ca_server>\<ca_name> /unconfig [/quiet] [/force]
    ADConfig.exe /createtemplates /unconfig [/quiet] [/force]
    ADConfig.exe /gpsecurity:<all|ID> /gpdomain:<domain_name> /unconfig [/quiet] [/force]
    ADConfig.exe /gpsecurity:default /unconfig [/quiet] [/force]
    ADConfig.exe /domain:<domain_name> /unconfig [/quiet] [/force]
Parameters
- /createtemplates
 - 
Creates the MDM certificate templates in Active Directory and sets the appropriate permissions. Run this parameter only one time in each forest, and only after the /domain parameter. This parameter requires Enterprise Administrator permissions.
 
- /domain:<domain_name>
 - 
Creates universal groups, SCP, organizational units, and domain containers for MDM installation. Run this parameter before you install any MDM system components, and before you run any other parameters. This parameter requires Domain Administrator permissions.
 
- /enabletemplates /ca:<ca_server>\<ca_name>
 - 
Enables the MDM certificate templates on the specified certification authority. Both the certification authority server and the certification authority name are required for this parameter. To avoid installation problems, make sure that the certification authority server is online.
Run this parameter only one time for each certification authority, and only after you run the /domain and /createtemplates parameters. This parameter requires permissions to enable templates on the certification authority.
 
- /gpsecurity:all /gpdomain:<domain>
 - 
Grants the minimum required permissions to all existing Group Policy objects (GPOs) in the specified domain. Run this parameter after you run the /domain parameter. This parameter is optional and requires Domain Administrator credentials.
 
- /gpsecurity:<identifier> /gpdomain:<domain>
 - 
Grants the minimum required permissions to one GPO in the specified domain. The identifier must be the GUID of a GPO that exists in that domain. Run this parameter after you run the /domain parameter. This parameter requires Domain Administrator credentials, or permissions on the specific GPO.
 
- /gpsecurity:default
 - 
Configures the default GPO security descriptor for MDM, so that GPOs created later receive the required permissions automatically. Run this parameter after you run the /domain parameter, and only one time for each Active Directory forest. This parameter is optional and requires Schema Administrator credentials.
 
- /quiet
 - 
Runs the Active Directory Configuration tool but does not prompt the user for confirmation.
 
- /unconfig
 - 
Instructs ADConfig to perform the undo operations of the associated step when it is combined with any of the following parameters:
- /domain
 - /createtemplates
 - /enabletemplates
 - /gpsecurity
 
- /force
 - 
Together with the /unconfig parameter, this parameter forces the removal and undo operations even if MDM system components have not been uninstalled. We do not recommend that you use this parameter.
 
- /help
 - 
Displays Help together with command syntax and examples.
 
Remarks
The order of the parameters is important to deploy MDM successfully.
- You must run the /domain parameter first, before you run any other parameter. Make sure that the MDM groups and containers appear in Active Directory and that they replicate to all domain controllers before you use any other parameter.
- Run the /createtemplates parameter next. Verify that the certificate templates are visible in your designated certification authority before you continue with the next parameter.
- Run the /enabletemplates parameter next, after the /createtemplates parameter. You can run this parameter multiple times on different certification authorities.
 
If you remove MDM from the network, the order of the parameters is also important: you must remove the configuration in reverse order. Run /unconfig with /gpsecurity; then /unconfig with /enabletemplates; then /unconfig with /createtemplates; and finally /unconfig with /domain.
The following example shows you how to create only the USG, containers, and SCP.

    ADConfig.exe /domain:<domain_name>

The following example shows you how to create the certificate templates.

    ADConfig.exe /createtemplates

The following example shows you how to create the certificate templates without prompting for confirmation.

    ADConfig.exe /createtemplates /quiet
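The ordered run described in the Remarks, as an added PowerShell example that is not part of the MDM documentation and not an MDM script. It runs the three mandatory steps in sequence and, between them, checks that the new objects have replicated to every domain controller and that the CA lists the templates, which is the check the Remarks ask for before each next step. The local path to ADConfig.exe, the domain corp.example.com and the CA string CA01\Corp-Issuing-CA are assumed placeholders; the ActiveDirectory module and certutil are used for the checks.

```powershell
# Added example (not from the MDM documentation): run ADConfig in the documented
# order and wait for each step to land before starting the next one.
#Requires -Modules ActiveDirectory
param(
    [string]$ADConfig = 'C:\MDM\ADConfig\ADConfig.exe',   # assumed local copy (not a network share)
    [string]$Domain   = 'corp.example.com',               # assumed domain
    [string]$CA       = 'CA01\Corp-Issuing-CA'            # assumed <ca_server>\<ca_name>
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

function Invoke-ADConfig {
    param([string[]]$Arguments)
    Write-Host "==> $ADConfig $($Arguments -join ' ')"
    & $ADConfig @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ADConfig failed with exit code $LASTEXITCODE" }
}

# Poll every DC of $Domain until each one returns an object matching $Filter
# under $SearchBase (default: the domain naming context).
function Wait-ADReplicated {
    param([string]$Filter, [string]$Domain, [string]$SearchBase, [int]$TimeoutSec = 900)
    if (-not $SearchBase) { $SearchBase = (Get-ADDomain $Domain).DistinguishedName }
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $missing = foreach ($dc in $dcs) {
            $found = Get-ADObject -Filter $Filter -SearchBase $SearchBase -Server $dc -ErrorAction SilentlyContinue
            if (-not $found) { $dc }
        }
        if (-not $missing) { Write-Host "    '$Filter' present on all $($dcs.Count) DCs"; return }
        Write-Host "    waiting for replication to: $($missing -join ', ')"
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Object matching '$Filter' did not replicate to all DCs within $TimeoutSec seconds"
}

# Step 1: /domain creates the groups, containers, OU and SCPs. It must run first.
Invoke-ADConfig @("/domain:$Domain", '/quiet')
foreach ($g in 'SCMDM2008ServerAdministrators', 'SCMDM2008EnrolledDevices') {
    Wait-ADReplicated -Filter "objectClass -eq 'group' -and name -eq '$g'" -Domain $Domain
}
Wait-ADReplicated -Filter "objectClass -eq 'container' -and name -eq 'SCMDM2008'" -Domain $Domain

# Step 2: /createtemplates writes to the configuration container, once per forest.
Invoke-ADConfig @('/createtemplates', '/quiet')
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
Wait-ADReplicated -Filter "name -eq 'SCMDM2008MobileDevice'" -Domain $forest.RootDomain `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Step 3: /enabletemplates on the CA, then confirm the CA lists all three templates.
Invoke-ADConfig @('/enabletemplates', "/ca:$CA", '/quiet')
$enabled = (certutil -CATemplates -config $CA) -join "`n"
foreach ($t in 'SCMDM2008GCM', 'SCMDM2008WebServer', 'SCMDM2008MobileDevice') {
    if ($enabled -notmatch [regex]::Escape($t)) { throw "Template $t is not enabled on $CA" }
}
Write-Host 'ADConfig sequence complete; the optional /gpsecurity step can now be run.'
```

Run it from a domain-joined machine in the same site and domain as the MDM servers, with an account that holds the Domain Admin, Enterprise Admin and CA administrator rights listed at the top of this page. The replication wait is what keeps /createtemplates from running before the groups exist on the DC it happens to bind to.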
ADConfig-Created MDM Groups
The ADConfig tool creates the USGs used in the MDM infrastructure and for security.
ADConfig does not configure deny permissions for MDM USGs.
Note: ADConfig grants the documented permissions to the MDM groups explicitly, without regard to inherited behavior.
SCMDM2008 Managed Devices is the default organizational unit (OU) for enrolled devices; ADConfig creates it when you run the /domain parameter.
MDM Infrastructure Groups
The ADConfig tool creates the following MDM infrastructure groups:
- SCMDM2008DeviceManagementServers
 - SCMDM2008EnrollmentServers
 - SCMDM2008EnrolledDevices
 - SCMDM2008SelfService
 
Universal Group for MDM Device Management Server
ADConfig creates this group for all MDM Device Management Server machine accounts.
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008DeviceManagementServers |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | Enables MDM Device Management Server to access global Active Directory settings and servers |
Universal Group for MDM Enrollment Server
ADConfig creates this group for all MDM Enrollment Server machine accounts. Members of this group can create and delete computer objects from the default MDM Devices OU and revoke certificates for devices on the certification authority.
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008EnrollmentServers |
| Control of membership | SCMDM2008ServerAdministrators |
| Certification authority | Revoke certificates for SCMDM2008EnrolledDevices |
Universal Group for Managed Devices
ADConfig creates this group that includes all managed devices enrolled in MDM.
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008EnrolledDevices |
| Control of membership | SCMDM2008EnrollmentServers (this group can add and remove members) |
| Active Directory permissions | None |
Universal Group for MDM Self Service Portal
ADConfig creates this group for MDM administrators to control wipe requests, enrollment requests, device history, and inventory.
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008SelfService |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | None |
MDM Security Groups
The ADConfig tool creates the following MDM security groups:
- SCMDM2008ServerAdministrators
 - SCMDM2008DeviceAdministrators
 - SCMDM2008DeviceSupport
 - SCMDM2008HelpdeskOperator
 
Universal Group for MDM Administrators
ADConfig creates this group for MDM administrators to manage and set up computers to run the MDM system. Members can add or remove members from all other groups and implicitly have complete management abilities over managed devices.
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008ServerAdministrators |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | Members must be able to create databases on the computer that is running Microsoft SQL Server®; the SQL Server administrator grants this group that access manually. Through its Active Directory permissions, the group lets the enterprise-level administrator control all global settings and any computer that is running MDM. The SCMDM2008ServerAdministrators group provides the following: |
Universal Group for Managed Device Administrators
ADConfig creates this group for enterprise-level administrators to control global settings on any computer that is running the MDM system.
This group provides the following:
- Enables enterprise-level administrators to control all global
settings for any computer that is running the MDM system
 - Read permission on all global settings
 - Read permission on all users and computers in the MDM domain 
 - Read permission on machine and instance settings
 - Read permission on all users in the MDM domain
 
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008DeviceAdministrators |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | A universal security group for MDM device administrators to manage devices and perform device operations; members have access to device management functions |
Universal Group for Managed Device Support
ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.
This group provides the following:
- Read permission on all global settings
 - Read permission on all users and computers in the MDM domain 
 - Read permission on machine and instance settings
 - Read permission on all users in the MDM domain
 
The following describes this group:
| Property | Value |
|---|---|
| USG name | SCMDM2008DeviceSupport |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | Second-tier (senior) Helpdesk device support: a universal security group for MDM Device Support to provide device support for MDM-managed devices |
Universal Group for Helpdesk Operator
ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.
This group provides the following:
- Read permission on all global settings
 - Read permission on all users and computers in the MDM domain 
 - Read permission on machine and instance settings
 - Read permission on all users in the MDM domain
 
The following describes this group.
| Property | Value |
|---|---|
| USG name | SCMDM2008HelpdeskOperator |
| Control of membership | SCMDM2008ServerAdministrators |
| Active Directory permissions | First-tier Helpdesk support: a universal security group for Helpdesk operators to provide device support for MDM-managed devices |
ADConfig Operations
When you run the ADConfig tool, MDM performs certain operations based on the parameters that you use. The following provides details about the operations that MDM performs when you run the ADConfig tool.
ADConfig-Created Domain Objects
When you run the ADConfig tool by using the /domain parameter, MDM creates objects in Active Directory to contain elements of MDM. The following shows the structure of these objects, using the default naming context of the specified domain.

    <DefaultNamingContext>
      CN=System
        CN=SCMDM2008
          Dependencies       (SCP with keywords: serverca, cainstance, sqlserver, sqlinstance)
          DeviceManagement   (SCP with keywords: url, adminurl)
          Enrollment         (SCP with keywords: url, adminurl)
      CN=Users
        SCMDM2008ServerAdministrators
        SCMDM2008DeviceAdministrators
        SCMDM2008DeviceSupport
        SCMDM2008HelpdeskOperator
      OU=SCMDM2008 Managed Devices   (the devices OU where all MDM devices are created by default)
      OU=SCMDM2008 Infrastructure Groups
        SCMDM2008DeviceManagementServers
        SCMDM2008EnrollmentServers
        SCMDM2008EnrolledDevices
        SCMDM2008SelfService

- Under CN=System, MDM creates the following container structure in the specified domain:
      CN=SCMDM2008
        1. Dependencies (SCP with keywords: serverca, cainstance, sqlserver, sqlinstance)
        2. DeviceManagement (SCP with keywords: url, adminurl)
        3. Enrollment (SCP with keywords: url, adminurl)
- Under CN=Users, MDM creates the following groups in the specified domain:
      USG: SCMDM2008ServerAdministrators
      USG: SCMDM2008DeviceAdministrators
      USG: SCMDM2008HelpdeskOperator
      USG: SCMDM2008DeviceSupport
- As a sibling of CN=Users, MDM creates the following OU in the specified domain:
      OU=SCMDM2008 Infrastructure Groups
        USG: SCMDM2008DeviceManagementServers
        USG: SCMDM2008EnrollmentServers
        USG: SCMDM2008EnrolledDevices
        USG: SCMDM2008SelfService
- At the root level, MDM creates the following OU:
      OU=SCMDM2008 Managed Devices (default OU for enrolled devices)
- MDM adds members of the Domain Administrators group of the specified domain to the <Instance Name>ServerAdministrators group.
- MDM adds members of the <Instance Name>DeviceManagementServers group to the Windows Authorization Access (WAA) group of the specified domain.
- MDM gives Add/Remove Members permissions on all other MDM groups to the <Instance Name>ServerAdministrators group.
- MDM gives Add/Remove Members permissions on the <Instance Name>EnrolledDevices group to the <Instance Name>EnrollmentServers group.
- MDM gives Create/Delete computer objects permissions on the MDM Devices OU to the <Instance Name>EnrollmentServers group.
- MDM gives Read/Write permissions on the keywords attribute of the three SCPs to the <Instance Name>ServerAdministrators group.
- When you run MDM in successive domains, it adds the SCMDM2008DeviceManagementServers group to the Windows Authorization Access (WAA) group of the specified domain.
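A way to verify the grants listed above after /domain has run, as an added PowerShell example that is not part of the MDM documentation. It reads the ACL of each created object with the ActiveDirectory module and checks that the expected Allow ACE is present; the schema GUIDs that object-specific ACEs carry are looked up by name rather than hard-coded. The domain corp.example.com is an assumed placeholder; groups and the devices OU are found by name, so the exact container paths do not need to be known.

```powershell
# Added example (not from the MDM documentation): check the ACEs that
# ADConfig /domain is documented to grant.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory
$domain   = 'corp.example.com'                                  # assumed domain
$domainDN = (Get-ADDomain $domain).DistinguishedName
$schemaNC = (Get-ADRootDSE -Server $domain).schemaNamingContext

# Object-specific ACEs name the attribute or class by its schemaIDGUID.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID -Server $domain
    [guid]$o.schemaIDGUID
}
$memberGuid   = Get-SchemaGuid 'member'      # attribute behind "Add/Remove Members"
$computerGuid = Get-SchemaGuid 'computer'    # class behind "Create/Delete computer objects"
$keywordsGuid = Get-SchemaGuid 'keywords'    # attribute on the three SCPs

# True when an Allow ACE for $Identity on $Dn contains all bits of $Rights and
# either targets $ObjectType or is unscoped (empty GUID = every property/class).
function Test-AdAce {
    param([string]$Dn, [string]$Identity,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty)
    foreach ($ace in (Get-Acl -Path "AD:\$Dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$Identity") { continue }
        if (($ace.ActiveDirectoryRights -band $Rights) -ne $Rights) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }
        return $true
    }
    return $false
}

$groups = 'SCMDM2008ServerAdministrators','SCMDM2008DeviceAdministrators','SCMDM2008DeviceSupport',
          'SCMDM2008HelpdeskOperator','SCMDM2008DeviceManagementServers','SCMDM2008EnrollmentServers',
          'SCMDM2008EnrolledDevices','SCMDM2008SelfService'
$gdn = @{}
foreach ($g in $groups) { $gdn[$g] = (Get-ADGroup $g -Server $domain).DistinguishedName }
$devicesOU = (Get-ADOrganizationalUnit -Filter "name -eq 'SCMDM2008 Managed Devices'" -Server $domain).DistinguishedName
$scps = Get-ADObject -SearchBase "CN=SCMDM2008,CN=System,$domainDN" -Filter "objectClass -eq 'serviceConnectionPoint'" `
                     -Properties keywords -Server $domain

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Passed) {
    [void]$results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed })
}

# ServerAdministrators: Add/Remove Members on every other MDM group.
foreach ($g in $groups | Where-Object { $_ -ne 'SCMDM2008ServerAdministrators' }) {
    Add-Check "ServerAdministrators can change members of $g" `
        (Test-AdAce $gdn[$g] 'SCMDM2008ServerAdministrators' 'WriteProperty' $memberGuid)
}
# EnrollmentServers: members of EnrolledDevices, computer objects in the devices OU.
Add-Check 'EnrollmentServers can change members of EnrolledDevices' `
    (Test-AdAce $gdn['SCMDM2008EnrolledDevices'] 'SCMDM2008EnrollmentServers' 'WriteProperty' $memberGuid)
Add-Check 'EnrollmentServers can create computer objects in the devices OU' `
    (Test-AdAce $devicesOU 'SCMDM2008EnrollmentServers' 'CreateChild' $computerGuid)
Add-Check 'EnrollmentServers can delete computer objects in the devices OU' `
    (Test-AdAce $devicesOU 'SCMDM2008EnrollmentServers' 'DeleteChild' $computerGuid)
# ServerAdministrators: Read/Write on the keywords attribute of the three SCPs.
foreach ($scp in $scps) {
    Add-Check "ServerAdministrators can read/write keywords on SCP $($scp.Name)" `
        (Test-AdAce $scp.DistinguishedName 'SCMDM2008ServerAdministrators' 'ReadProperty, WriteProperty' $keywordsGuid)
    Write-Host "SCP $($scp.Name): keywords = $($scp.keywords -join ', ')"
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Expected ACEs are missing: re-run ADConfig /domain or inspect the object ACLs.'
}
```

The same helper is useful after an /unconfig run, where every check should come back False, and for spotting ACEs that were added by hand on top of what ADConfig grants.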
 
Create Three Certificate Templates
When you run the ADConfig tool with the /createtemplates parameter, MDM creates the following three certificate templates:
| Certificate property | SCMDM2008GCM | SCMDM2008WebServer | SCMDM2008MobileDevice |
|---|---|---|---|
| Validity period | Two years | Two years | One year |
| Renewal period | Six weeks | Six weeks | Six weeks |
| Request minimum key size | 1024 for signature and encryption | 1024 for signature and encryption | 1024 for signature and encryption |
| CSP | Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider | Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider | Microsoft RSA SChannel Cryptographic Provider |
| Subject name | Supplied in the request | Supplied in the request | Built from Active Directory: subject = common name, SAN = DNS name |
| EKU and application policies | Client authentication, 1.3.6.1.4.1.311.65.1.1 (GCM client authentication specific to MDM) | Server authentication | Client authentication, 1.3.6.1.4.1.311.65.2.1 (device client authentication specific to MDM) |
| Key usage | Digital signature, key exchange | Digital signature, key exchange | Digital signature, key exchange |
| Computer security | MDM gives Enroll permissions to the DefaultDeviceManagementServers and DefaultServerAdministrators groups | MDM gives Enroll permissions to the DefaultServerAdministrators group | MDM gives Enroll permissions to the DefaultEnrolledDevice group |
| User security | MDM gives Read permissions to authenticated users | MDM gives Read permissions to authenticated users | MDM gives Read permissions to authenticated users |
| Admin security | MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups | MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups | MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups |

The 1024-bit minimum key size dates from the 2008 release and is below current guidance (NIST SP 800-131A disallows 1024-bit RSA). Raise the minimum key size on these templates before you enable them in a new deployment.
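A way to read the three templates back from Active Directory and confirm the values in the table, as an added PowerShell example that is not part of the MDM documentation. It decodes the template attributes that the table rows correspond to (validity and renewal periods, minimum key size, EKU OIDs, subject-name flags from MS-CRTD, and the identities that hold the Enroll extended right), and warns on any template whose minimum key size is below 2048 bits. It assumes only that the current user can read the configuration partition; the EKU names for the two MDM-specific OIDs are taken from the table above.

```powershell
# Added example (not from the MDM documentation): decode the SCMDM2008 template
# objects under CN=Certificate Templates in the configuration container.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative
# FILETIME intervals (100 ns units); negate to get a positive TimeSpan.
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

# msPKI-Certificate-Name-Flag bits (MS-CRTD) that the "Subject name" row maps to.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS     = 0x00400000
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000

$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server authentication'            # RFC 5280 id-kp-serverAuth
    '1.3.6.1.5.5.7.3.2'      = 'Client authentication'            # RFC 5280 id-kp-clientAuth
    '1.3.6.1.4.1.311.65.1.1' = 'MDM GCM client authentication'
    '1.3.6.1.4.1.311.65.2.1' = 'MDM device client authentication'
}

function Get-MdmTemplateSummary {
    $props = 'pKIExpirationPeriod','pKIOverlapPeriod','pKIExtendedKeyUsage',
             'msPKI-Minimal-Key-Size','msPKI-Certificate-Name-Flag'
    foreach ($name in 'SCMDM2008GCM','SCMDM2008WebServer','SCMDM2008MobileDevice') {
        $t = Get-ADObject -Identity "CN=$name,$templatesDN" -Properties $props
        $flags = [int]$t.'msPKI-Certificate-Name-Flag'
        if ($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
            $subject = 'Supplied in the request'
        } else {
            $parts = @()
            if ($flags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME) { $parts += 'subject = common name' }
            if ($flags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)     { $parts += 'SAN = DNS name' }
            $subject = "Built from Active Directory: $($parts -join ', ')"
        }
        $eku = foreach ($oid in $t.pKIExtendedKeyUsage) {
            $label = if ($ekuNames.ContainsKey($oid)) { $ekuNames[$oid] } else { 'other' }
            "$oid ($label)"
        }
        # Who may enroll: Allow ACEs whose object type is the Enroll extended right.
        $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
            ForEach-Object { $_.IdentityReference.Value }
        $minKey = [int]$t.'msPKI-Minimal-Key-Size'
        if ($minKey -lt 2048) {
            Write-Warning "$name allows $minKey-bit keys; raise msPKI-Minimal-Key-Size to 2048 or more before enabling it"
        }
        [pscustomobject]@{
            Template     = $name
            ValidityDays = (ConvertFrom-PkiPeriod $t.pKIExpirationPeriod).TotalDays
            RenewalDays  = (ConvertFrom-PkiPeriod $t.pKIOverlapPeriod).TotalDays
            MinKeySize   = $minKey
            EKU          = $eku -join '; '
            Subject      = $subject
            Enroll       = $enrollers -join ', '
        }
    }
}

Get-MdmTemplateSummary | Format-Table -AutoSize
```

Compare the Enroll column against the "Computer security" row: only the groups listed there should appear. An extra identity with Enroll on SCMDM2008MobileDevice would let that principal obtain a device client-authentication certificate without going through the Enrollment Server.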
Enable Certificate Templates on the Certification Authority
When you run the ADConfig tool by using the /enabletemplates parameter, MDM enables the certificate templates on the certification authority specified by <ca_server>\<ca_name>.
Modify Permissions on Group Policy Objects
When you run the ADConfig tool by using the /gpsecurity parameter, MDM modifies permissions on certain Group Policy objects (GPOs).
- /gpsecurity:default
 - Modifies permissions on the default GPO security descriptor for MDM
 - Requires permissions on the default GPO security descriptor. Generally, these are Schema Administrator credentials
- /gpsecurity:<GPO GUID> /gpdomain:<domain name>
 - Modifies permissions on the specified GPO in the specified domain
 - Requires permissions on the GPO object
- /gpsecurity:all /gpdomain:<domain name>
 - Modifies permissions on all existing GPOs in the specified domain
 - Requires permissions on all existing GPOs in the specified domain
 
Manual Procedures for Modifying Permissions on Group Policy Objects (Optional)
The /gpsecurity parameter may be used during the ADConfig setup process to modify permissions on Group Policy objects (GPOs). This section is optional; ADConfig performs these steps automatically if you use the /gpsecurity parameter. If you want to perform them manually instead, the following procedures provide instructions for:
- Configuring permissions on existing Group Policy objects
 - Configuring permissions on the Group Policy objects parent
folder
 - Configuring the security descriptor of a default Group Policy
template
 
Configuring Permissions on Existing Group Policy Objects
In the following procedure you will configure permissions on existing GPOs. You must be a member of the Domain Administrators group to perform this action. You must configure permissions in every domain, once per domain.
- Open the Group Policy Management Console.
- In the navigation pane, expand Group Policy Objects.
- For each GPO under the Group Policy Objects folder, choose the Delegation tab.
- Choose Add.
- In the Select User, Computer, or Group dialog box, enter SCMDM2008DeviceManagementServers.
- Choose OK.
 
Configuring Permissions on the Group Policy Objects Parent Folder
In the following procedure you will configure permissions on the Group Policy objects parent folder (CN=Policies under CN=System). You must be a member of the Domain Administrators group to perform this action. You must configure permissions in every domain, once per domain.
During this process, you will need a low-level Active Directory editor, such as ADSI Edit (Active Directory Service Interfaces Editor). For more information, see Adsiedit Overview on the Microsoft TechNet Web site.
Important: If you modify Active Directory with a low-level editor such as ADSI Edit, it may cause problems with your Active Directory structure or environment. If you modify Active Directory, it can cause serious system errors. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.
- Start ADSI Edit.
- Expand the domain in which you first ran ADConfig.
- Expand CN=System.
- Right-click CN=Policies, choose Properties, and then choose the Security tab.
- Choose Add.
- In the Select Users, Computers, or Groups dialog box, enter SCMDM2008DeviceManagementServers, and then choose OK.
- In Permissions for SCMDM2008DeviceManagementServers (the group you just added), select Allow for Read. Choose Advanced.
- In Advanced Security Settings under Permission entries, select SCMDM2008DeviceManagementServers, and then choose Edit.
- On the Object tab under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.
 
Configuring the Security Descriptor of a Default Group Policy Template
In the following procedure, you will configure the default security descriptor of the groupPolicyContainer schema class, so that GPOs created afterwards receive the permission automatically. You must be a member of the Schema Administrators group to perform this action. Because the schema is forest-wide, you configure this once for each forest.
- Open Microsoft Management Console (MMC) with the Active Directory Schema snap-in.
- Expand Classes, right-click groupPolicyContainer, and then choose Properties.
- Choose the Default Security tab.
- Choose Add.
- In the Select Users, Computers, or Groups dialog box, enter SCMDM2008DeviceManagementServers, and then choose OK.
- In Permissions for SCMDM2008DeviceManagementServers (the group you just added), select Allow for Read. Choose Advanced.
- In Advanced Security Settings under Permission entries, select SCMDM2008DeviceManagementServers, and then choose Edit.
- On the Object tab under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.
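The three manual procedures above, as an added PowerShell equivalent that is not part of the MDM documentation. It uses the GroupPolicy and ActiveDirectory modules: Set-GPPermission for the per-GPO delegation, an explicit ACE on CN=Policies for the parent container, and an SDDL append to the groupPolicyContainer class's defaultSecurityDescriptor for the schema step. The domain corp.example.com is an assumed placeholder, and the script assumes that the GPMC Delegation "Add" step grants the Read level, which the page does not name but which matches the other two procedures. The schema step is behind a switch because it needs Schema Admins and is written to the schema master.

```powershell
# Added example (not from the MDM documentation): grant
# SCMDM2008DeviceManagementServers read access on GPOs, on CN=Policies, and
# (optionally) in the default security descriptor for new GPOs.
#Requires -Modules ActiveDirectory, GroupPolicy
param(
    [string]$Domain = 'corp.example.com',   # assumed domain; run once per domain
    [switch]$SchemaDefault                  # also patch the schema default SD (once per forest, Schema Admins)
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, GroupPolicy
$group    = 'SCMDM2008DeviceManagementServers'
$domainDN = (Get-ADDomain $Domain).DistinguishedName
$sid      = (Get-ADGroup $group -Server $Domain).SID

# Procedure 1: GPMC Delegation tab, "Add" on every existing GPO in the domain.
Set-GPPermission -All -Domain $Domain -TargetName $group -TargetType Group -PermissionLevel GpoRead | Out-Null

# Procedure 2: ADSI Edit on CN=Policies, Object tab: List Contents (ListChildren),
# Read All Properties (ReadProperty), Read Permissions (ReadControl), this object only.
$policiesDN = "CN=Policies,CN=System,$domainDN"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path "AD:\$policiesDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$policiesDN" -AclObject $acl

# Procedure 3 (Schema Admins): Default Security tab of groupPolicyContainer.
# defaultSecurityDescriptor is SDDL; RP = Read All Properties, LC = List
# Contents, RC = Read Permissions. Objects created later start with this ACE.
if ($SchemaDefault) {
    $schemaMaster = (Get-ADForest).SchemaMaster          # schema writes must go to the schema master
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $cls = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNC" -Properties defaultSecurityDescriptor -Server $schemaMaster
    $aceSddl = "(A;;RPLCRC;;;$($sid.Value))"
    if ($cls.defaultSecurityDescriptor -notlike "*$aceSddl*") {
        Set-ADObject -Identity $cls -Server $schemaMaster `
            -Replace @{ defaultSecurityDescriptor = "$($cls.defaultSecurityDescriptor)$aceSddl" }
    }
}

# Read back what was applied: the container ACE and the delegation on one GPO.
(Get-Acl -Path "AD:\$policiesDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
Get-GPO -All -Domain $Domain | Select-Object -First 1 | ForEach-Object {
    Get-GPPermission -Guid $_.Id -Domain $Domain -TargetName $group -TargetType Group
}
```

Run procedures 1 and 2 in each domain that holds GPOs the Device Management Server must read; run the schema step once, from an account in Schema Admins, and only after you have a schema backup, for the same reasons the Important note above gives for ADSI Edit.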
 