11/11/2008

The ADConfig tool, ADConfig.exe, is a configuration tool that you must use to configure Active Directory® for System Center Mobile Device Manager (MDM). ADConfig lets you do the following:

ADConfig.exe is in the ADConfig directory of the installation disc for MDM. You can start the ADConfig tool at a command prompt, as the following describes.

Syntax

ADConfig.exe /domain:<domain_name> [/quiet]
ADConfig.exe /gpsecurity:default [/quiet]
ADConfig.exe /gpsecurity:<all|ID> /gpdomain:<domain_name> [/quiet]
ADConfig.exe /createtemplates [/quiet]
ADConfig.exe /enabletemplates /ca:<ca_server>\<ca_name> [/quiet]
ADConfig.exe [/? | /help]
ADConfig.exe /enabletemplates /ca:<ca_server>\<ca_name> /unconfig [/quiet] [/force]
ADConfig.exe /createtemplates /unconfig [/quiet] [/force]
ADConfig.exe /gpsecurity:<all|ID> /gpdomain:<domain_name> /unconfig [/quiet] [/force]
ADConfig.exe /gpsecurity:default /unconfig [/quiet] [/force]
ADConfig.exe /domain:<domain_name> /unconfig [/quiet] [/force]

Parameters

/createtemplates

Creates the MDM certificate templates in Active Directory and sets the appropriate permissions. Run this parameter only one time in each forest, and only after the /domain parameter. This parameter requires Enterprise Administrator permissions.

/domain:<domain_name>

Creates universal groups, SCP, organizational units, and domain containers for MDM installation. Run this parameter before you install any MDM system components, and before you run any other parameters. This parameter requires Domain Administrator permissions.

/enabletemplates /ca:<ca_server>\<ca_instance>

Enables the MDM certificate templates on the specified certification authority. The certification authority server and certification authority name are required for this parameter. To avoid installation problems, make sure that the certification authority server is online.

Run this parameter only one time for each certification authority, and only after you run the /domain and /createtemplates parameters. This parameter requires permissions to enable templates on the certification authority.

/gpsecurity:all /gpdomain:<domain>

Grants the minimum required permissions to all Group Policy objects (GPOs) in the specified domain. Run this parameter after you run the /domain parameter. This parameter is optional and requires Domain Administrator credentials.

/gpsecurity:<identifier> /gpdomain:<domain>

Grants the minimum required permissions to the specified GPO in the specified domain. The identifier must be a valid GUID of a GPO in that domain. Run this parameter after you run the /domain parameter. This parameter requires Domain Administrator credentials.

/gpsecurity:default

Configures the default GPO security descriptor for MDM. Run this parameter after you run the /domain parameter, but only one time for each Active Directory forest. This parameter is optional and requires Schema Administrator credentials.

/quiet

Runs the Active Directory Configuration tool but does not prompt the user for confirmation.

/unconfig

Instructs ADConfig to perform the undo operations of the associated step when it is combined with any of the following parameters:

  • /domain

  • /createtemplates

  • /gpsecurity

/force

Together with the /unconfig parameter, this parameter forces the removal and undo operations even if MDM system components have not been uninstalled. We do not recommend that you use this parameter.

/help

Displays Help together with command syntax and examples.

Remarks

The order of the parameters is important to deploy MDM successfully.

  1. You must run the /domain parameter first, before you run any other parameter. Make sure that the MDM groups and containers appear in Active Directory and that they replicate to all domain controllers before you use any other parameter.

  2. Run the /createtemplates parameter next. Verify that the certificate templates are visible in your designated certification authority before you continue with the next parameter.

  3. Run the /enabletemplates parameter next, after the /createtemplates parameter. You can run this parameter multiple times, once for each certification authority.

If you remove MDM from the network, the order of the parameters is also important: you must undo them in reverse order. Run /unconfig with /gpsecurity, then /unconfig with /enabletemplates, then /unconfig with /createtemplates, and finally /unconfig with /domain.

The following example shows you how to create only the USG, containers, and SCP.

ADConfig.exe /domain:<domain name>

The following example shows you how to create the certificate templates.

ADConfig.exe /createtemplates

The following example shows you how to create the USG, SCP, and certificate templates, but not prompt for confirmation.

ADConfig.exe /createtemplates /quiet

ADConfig-Created MDM Groups

The ADConfig tool creates the USGs used in the MDM infrastructure and for security.

ADConfig does not configure deny permissions for MDM USGs.

Note:
ADConfig grants documented permissions for MDM groups explicitly, without regard to inherited behavior.

MDM Managed Devices is the default organizational unit (OU) created during ADConfig Setup.

MDM Infrastructure Groups

The ADConfig tool creates the following MDM infrastructure groups:

  • SCMDM2008DeviceManagementServers

  • SCMDM2008EnrollmentServers

  • SCMDM2008EnrolledDevices

  • SCMDM2008SelfService

Universal Group for MDM Device Management Server

ADConfig creates this group for all MDM Device Management Server machine accounts.

The following describes this group.

  USG name: SCMDM2008DeviceManagementServers
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions: Enables MDM Device Management Server to access global Active Directory settings and servers

Universal Group for MDM Enrollment Server

ADConfig creates this group for all MDM Enrollment Server machine accounts. Members of this group can create and delete computer objects from the default MDM Devices OU and revoke certificates for devices on the certification authority.

The following describes this group.

  USG name: SCMDM2008EnrollmentServers
  Control of membership: SCMDM2008ServerAdministrators
  Certification authority: Revoke certificates for SCMDM2008EnrolledDevices

Universal Group for Managed Devices

ADConfig creates this group that includes all managed devices enrolled in MDM.

The following describes this group.

  USG name: SCMDM2008EnrolledDevices
  Control of membership: SCMDM2008EnrollmentServers
  Active Directory permissions: None
  Certification authority: The SCMDM2008EnrollmentServers group can remove members from this group

Universal Group for MDM Self Service Portal

ADConfig creates this group for MDM administrators to control wipe requests, enrollment requests, device history, and inventory.

The following describes this group.

  USG name: SCMDM2008SelfService
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions: None

MDM Security Groups

The ADConfig tool creates the following MDM security groups:

  • SCMDM2008ServerAdministrators

  • SCMDM2008DeviceAdministrators

  • SCMDM2008DeviceSupport

  • SCMDM2008HelpdeskOperator

Universal Group for MDM Administrators

ADConfig creates this group for MDM administrators to manage and set up computers to run the MDM system. Members can add or remove members from all other groups and implicitly have complete management abilities over managed devices.

The following describes this group.

  USG name: SCMDM2008ServerAdministrators
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions:

The SCMDM2008ServerAdministrators group must have access and credentials to create databases on the computer that is running Microsoft SQL Server®. The SQL administrator adds this group to the system access control list (SACL) manually.

The SCMDM2008ServerAdministrators group Active Directory credentials enable the enterprise-level administrator to control all global settings and any computer that is running MDM.

The SCMDM2008ServerAdministrators group provides the following:

  • Read permissions on the SCMDM2008ServerAdministrators group

  • Read/write permissions on attributes of the Active Directory SCPs

  • Read/write permissions on all MDM universal groups, except for the following:

    • SCMDM2008EnrolledDevices

    • SCMDM2008ServerAdministrators

Universal Group for Managed Device Administrators

ADConfig creates this group for enterprise-level administrators to control global settings on any computer that is running the MDM system.

This group provides the following:

  • Enables enterprise-level administrators to control all global settings for any computer that is running the MDM system

  • Read permission on all global settings

  • Read permission on all users and computers in the MDM domain

  • Read permission on machine and instance settings

  • Read permission on all users in the MDM domain

The following describes this group.

  USG name: SCMDM2008DeviceAdministrators
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions: Device administrators for MDM have access to device management functions.

A universal security group for MDM device administrators to manage devices and perform device operations.

Universal Group for Managed Device Support

ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.

This group provides the following:

  • Read permission on all global settings

  • Read permission on all users and computers in the MDM domain

  • Read permission on machine and instance settings

  • Read permission on all users in the MDM domain

The following describes this group.

  USG name: SCMDM2008DeviceSupport
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions: Second-tier senior Helpdesk device support

A universal security group for MDM Device Support to provide device support for MDM-managed devices.

Universal Group for Helpdesk Operator

ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.

This group provides the following:

  • Read permission on all global settings

  • Read permission on all users and computers in the MDM domain

  • Read permission on machine and instance settings

  • Read permission on all users in the MDM domain

The following describes this group.

  USG name: SCMDM2008HelpdeskOperator
  Control of membership: SCMDM2008ServerAdministrators
  Active Directory permissions: First-tier Helpdesk support

A universal security group for Helpdesk operators to provide device support for MDM-managed devices.

ADConfig Operations

When you run the ADConfig tool, MDM performs certain operations based on the parameters that you use. The following provides details about the operations that MDM performs when you run the ADConfig tool.

ADConfig-Created Domain Objects

When you run the ADConfig tool by using the /domain parameter, MDM creates objects in Active Directory to contain elements of MDM. The following shows the structure of these objects.

DefaultNamingContext
  CN=System
    CN=SCMDM2008
      Dependencies (SCP with keywords: serverca, cainstance, sqlserver, sqlinstance)
      DeviceManagement (SCP with keywords: url, adminurl)
      Enrollment (SCP with keywords: url, adminurl)
  CN=Users
    SCMDM2008ServerAdmins
    SCMDM2008DeviceAdmins
    SCMDM2008DeviceSupport
    SCMDM2008HelpdeskOperator
  OU=SCMDM2008 Managed Devices
    (The devices OU where all MDM devices are created by default)
  CN=SCMDM2008 Infrastructure Groups
    SCMDM2008DeviceManagementServers
    SCMDM2008EnrollmentServers
    SCMDM2008EnrolledDevices
    SCMDM2008SelfService

  • Under CN=System, MDM creates the following container structure in the specified domain. This example is shown by using the default naming context:

    CN=SCMDM2008
      Dependencies (SCP with keywords: serverca, cainstance, sqlserver, sqlinstance)
      DeviceManagement (SCP with keywords: url, adminurl)
      Enrollment (SCP with keywords: url, adminurl)

  • Under CN=Users, MDM creates the following groups in the specified domain. This example is shown by using the default naming context:

    - USG: SCMDM2008ServerAdministrators
    - USG: SCMDM2008DeviceAdministrators
    - USG: SCMDM2008HelpdeskOperator
    - USG: SCMDM2008DeviceSupport

  • As a sibling of CN=Users, MDM creates the following OU in the specified domain. This example is shown by using the default naming context:

    OU=SCMDM2008 Infrastructure Groups
    - USG: SCMDM2008DeviceManagementServers
    - USG: SCMDM2008EnrollmentServers
    - USG: SCMDM2008EnrolledDevices
    - USG: SCMDM2008SelfService

  • At the root level, MDM creates the following OU:

    OU=SCMDM2008 Managed Devices (default OU for enrolled devices)
  • MDM adds members of the Domain Administrators group of the specified domain to the <Instance Name>ServerAdministrators group.

  • MDM adds members of the <Instance Name>DeviceManagementServers group to the Windows Authorization Access (WAA) group of the specified domain.

  • MDM gives Add/Remove Members permissions on all other MDM groups to the <Instance Name>ServerAdministrators group.

  • MDM gives Add/Remove Members permissions on the <Instance Name>EnrolledDevices group to the <Instance Name>EnrollmentServers group.

  • MDM gives Create/Delete computer objects permissions on the MDM Devices OU to the <Instance Name>EnrollmentServers group.

  • MDM gives Read/Write permissions on the keywords attribute of the three SCPs to the <Instance Name>ServerAdministrators group.

  • When you run MDM in successive domains, it adds the SCMDM2008DeviceManagementServers group to the Windows Authorization Access (WAA) group of the specified domain.
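The checks below are an added verification example, not part of the MDM documentation or of ADConfig.exe. After ADConfig.exe /domain has run, they confirm that the SCPs, groups and devices-OU delegation listed above are present, assuming the ActiveDirectory PowerShell module is available, that SCP keywords are stored as name=value strings, and that the devices OU is named "SCMDM2008 Managed Devices" as in the tree above.

```powershell
# Added example (not from the MDM documentation or ADConfig.exe). Read-only check
# that the /domain step left the documented objects and delegations behind.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$mdmSystem = "CN=SCMDM2008,CN=System,$domainDN"
$problems  = @()

# 1. The three SCPs and the keyword names the container tree lists. Keyword values
#    are assumed to be stored as "name=value", so only the name prefix is tested.
$expectedScps = @{
    'Dependencies'     = 'serverca', 'cainstance', 'sqlserver', 'sqlinstance'
    'DeviceManagement' = 'url', 'adminurl'
    'Enrollment'       = 'url', 'adminurl'
}
foreach ($scpName in $expectedScps.Keys) {
    $scp = Get-ADObject -SearchBase $mdmSystem -Properties keywords `
        -LDAPFilter "(&(objectClass=serviceConnectionPoint)(cn=$scpName))"
    if (-not $scp) { $problems += "SCP '$scpName' missing under $mdmSystem"; continue }
    foreach ($kw in $expectedScps[$scpName]) {
        if (-not ($scp.keywords | Where-Object { $_ -like "$kw=*" })) {
            $problems += "SCP '$scpName' has no '$kw' keyword"
        }
    }
}

# 2. Every MDM group must exist and be a universal *security* group (USG).
$groups = 'SCMDM2008ServerAdministrators', 'SCMDM2008DeviceAdministrators',
          'SCMDM2008DeviceSupport', 'SCMDM2008HelpdeskOperator',
          'SCMDM2008DeviceManagementServers', 'SCMDM2008EnrollmentServers',
          'SCMDM2008EnrolledDevices', 'SCMDM2008SelfService'
foreach ($g in $groups) {
    $grp = Get-ADGroup -LDAPFilter "(cn=$g)"
    if (-not $grp) { $problems += "group $g missing"; continue }
    if ($grp.GroupScope -ne 'Universal' -or $grp.GroupCategory -ne 'Security') {
        $problems += "group $g is $($grp.GroupCategory)/$($grp.GroupScope); expected Security/Universal"
    }
}

# 3. On the devices OU only SCMDM2008EnrollmentServers is documented to hold
#    Create/Delete rights for computer objects. bf967a86-... is the schema GUID of
#    the computer class. Built-in ACEs (for example Account Operators) will show up
#    here too and should be reviewed rather than silently accepted.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ou = Get-ADOrganizationalUnit -LDAPFilter '(name=SCMDM2008 Managed Devices)'   # OU name assumed
if (-not $ou) {
    $problems += 'devices OU "SCMDM2008 Managed Devices" missing'
} else {
    $computerAces = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access | Where-Object {
        $_.ObjectType -eq $computerClass -and $_.ActiveDirectoryRights -match 'CreateChild|DeleteChild'
    }
    $enroll = $computerAces | Where-Object { $_.IdentityReference -like '*\SCMDM2008EnrollmentServers' }
    if (-not $enroll) { $problems += 'SCMDM2008EnrollmentServers lacks Create/Delete computer rights on the devices OU' }
    foreach ($ace in ($computerAces | Where-Object { $_.IdentityReference -notlike '*\SCMDM2008EnrollmentServers' })) {
        $problems += "review: $($ace.IdentityReference) has $($ace.ActiveDirectoryRights) on computer objects in the devices OU"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All ADConfig /domain objects and delegations are present as documented.' }
```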

Create Three Certificate Templates

When you run the ADConfig tool with the /createtemplates parameter, MDM creates three certificate templates: SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice. The following lists each certificate property for the three templates.

Validity period
  SCMDM2008GCM: Two years
  SCMDM2008WebServer: Two years
  SCMDM2008MobileDevice: One year

Renewal period
  SCMDM2008GCM: Six weeks
  SCMDM2008WebServer: Six weeks
  SCMDM2008MobileDevice: Six weeks

Request minimum key size
  SCMDM2008GCM: 1024 for signature and encryption
  SCMDM2008WebServer: 1024 for signature and encryption
  SCMDM2008MobileDevice: 1024 for signature and encryption

CSP
  SCMDM2008GCM: Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  SCMDM2008WebServer: Microsoft DH SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  SCMDM2008MobileDevice: Microsoft RSA SChannel Cryptographic Provider

Subject name
  SCMDM2008GCM: Supplied in the request
  SCMDM2008WebServer: Supplied in the request
  SCMDM2008MobileDevice: Built from Active Directory: subject = common name, SAN = DNS name

EKU and application policies
  SCMDM2008GCM: Client authentication, 1.3.6.1.4.1.311.65.1.1 (GCM client authentication specific to MDM)
  SCMDM2008WebServer: Server authentication
  SCMDM2008MobileDevice: Client authentication, 1.3.6.1.4.1.311.65.2.1 (device client authentication specific to MDM)

Key usage
  SCMDM2008GCM: Digital signature, key exchange
  SCMDM2008WebServer: Digital signature, key exchange
  SCMDM2008MobileDevice: Digital signature, key exchange

Computer security
  SCMDM2008GCM: MDM gives Enroll permissions to the DefaultDeviceManagementServers and DefaultServerAdministrators groups
  SCMDM2008WebServer: MDM gives Enroll permissions to the DefaultServerAdministrators group
  SCMDM2008MobileDevice: MDM gives Enroll permissions to the DefaultEnrolledDevice group

User security
  SCMDM2008GCM: MDM gives Read permissions to authenticated users
  SCMDM2008WebServer: MDM gives Read permissions to authenticated users
  SCMDM2008MobileDevice: MDM gives Read permissions to authenticated users

Admin security
  SCMDM2008GCM: MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups
  SCMDM2008WebServer: MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups
  SCMDM2008MobileDevice: MDM gives Full Control permissions to the Domain Administrators and Enterprise Administrators groups
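As an added example (not from the MDM documentation or ADConfig.exe), the script below reads the three templates from the Certificate Templates container of the configuration partition and compares validity, renewal period, minimum key size and EKU against the properties listed above; it is the kind of check the Remarks section asks for before /enabletemplates is run. It assumes the ActiveDirectory module, and that the "Client authentication" and "Server authentication" entries correspond to the well-known EKU OIDs 1.3.6.1.5.5.7.3.2 and 1.3.6.1.5.5.7.3.1.

```powershell
# Added example (not from the MDM documentation or ADConfig.exe): verify the
# template properties that /createtemplates is documented to set.
# Assumes the ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known EKU OIDs (assumed to back the table's wording) plus the two MDM-specific OIDs.
$clientAuth = '1.3.6.1.5.5.7.3.2'
$serverAuth = '1.3.6.1.5.5.7.3.1'
$expected = @{
    'SCMDM2008GCM'          = @{ Days = 730; Eku = @($clientAuth, '1.3.6.1.4.1.311.65.1.1') }
    'SCMDM2008WebServer'    = @{ Days = 730; Eku = @($serverAuth) }
    'SCMDM2008MobileDevice' = @{ Days = 365; Eku = @($clientAuth, '1.3.6.1.4.1.311.65.2.1') }
}

# pKIExpirationPeriod and pKIOverlapPeriod are 8-byte negative counts of
# 100-nanosecond intervals, the same unit TimeSpan ticks use.
function ConvertTo-TemplateTimeSpan([byte[]] $raw) {
    [TimeSpan]::FromTicks(-1 * [BitConverter]::ToInt64($raw, 0))
}

$problems = @()
foreach ($name in $expected.Keys) {
    $t = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(cn=$name)" `
        -Properties pKIExpirationPeriod, pKIOverlapPeriod, pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size'
    if (-not $t) { $problems += "template $name not found; run ADConfig.exe /createtemplates first"; continue }

    $validity = ConvertTo-TemplateTimeSpan $t.pKIExpirationPeriod
    $renewal  = ConvertTo-TemplateTimeSpan $t.pKIOverlapPeriod
    # One day of slack covers how a "year" is stored in the template.
    if ([math]::Abs($validity.TotalDays - $expected[$name].Days) -gt 1) {
        $problems += "$name validity is $([int]$validity.TotalDays) days, expected $($expected[$name].Days)"
    }
    if ([int]$renewal.TotalDays -ne 42) {
        $problems += "$name renewal period is $([int]$renewal.TotalDays) days, expected 42 (six weeks)"
    }
    if ($t.'msPKI-Minimal-Key-Size' -ne 1024) {
        $problems += "$name minimum key size is $($t.'msPKI-Minimal-Key-Size'), expected 1024"
    }
    foreach ($oid in $expected[$name].Eku) {
        if ($t.pKIExtendedKeyUsage -notcontains $oid) { $problems += "$name lacks EKU $oid" }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All three MDM certificate templates match the documented properties.' }
```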

Enable Certificate Templates on the Certification Authority

When you run the ADConfig tool by using the /enabletemplates parameter, MDM enables the certificate templates on the certification authority specified by <CA server>\<CA name>.

Modify Permissions on Group Policy Objects

When you run the ADConfig tool by using the /gpsecurity parameter, MDM modifies permissions on certain Group Policy objects (GPOs).

  • /gpsecurity:default

    • Modifies permissions on the default GPO security descriptor for MDM

    • Requires permissions on the default GPO security descriptor. Generally, these are schema administrator credentials

  • /gpsecurity:<GPO GUID> /gpdomain:<domain name>

    • Modifies permissions on the specified GPO in the specified domain

    • Requires permissions on the GPO object

  • /gpsecurity:all /gpdomain:<domain name>

    • Modifies permissions on all existing GPOs in the specified domain

    • Requires permissions on all existing GPOs in the specified domain

Manual Procedures for Modifying Permissions on Group Policy Objects (Optional)

The /gpsecurity parameter may be used during the ADConfig setup process to modify permissions on Group Policy objects (GPOs). This section is optional: the work is performed automatically if you use the /gpsecurity parameter. If you prefer to perform these functions manually, the following procedures provide instructions for:

  • Configuring permissions on existing Group Policy objects

  • Configuring permissions on the Group Policy objects parent folder

  • Configuring the security descriptor of a default Group Policy template

Configuring Permissions on Existing Group Policy Objects

In the following procedure, you will configure permissions on existing GPOs. You must be a member of the Domain Administrators group to perform this action. You must perform this procedure once in every domain.

To configure permissions on existing Group Policy objects
  1. Open the Group Policy Management Console.

  2. In the navigation pane, expand Group Policy Objects.

  3. For each GPO under the Group Policy Objects folder, choose the Delegation tab.

  4. Choose Add.

  5. In the Select User, Computer, or Group dialog box, enter SCMDM2008DeviceManagementServers.

  6. Choose OK.

Configuring Permissions on the Group Policy Objects Parent Folder

In the following procedure, you will configure permissions on the Group Policy objects parent folder. You must be a member of the Domain Administrators group to perform this action. You must perform this procedure once in every domain.

During this process, you will need a low-level Active Directory editor such as ADSI Edit (Active Directory Service Interfaces Editor). For more information about ADSI Edit, see Adsiedit Overview on the Microsoft TechNet Web site:

http://go.microsoft.com/fwlink/?LinkId=105659

Important:
If you modify Active Directory with a low-level editor such as ADSIEdit, you may cause problems with your Active Directory structure or environment, including serious system errors. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.

To configure permissions on the GPO parent folder
  1. Start ADSIEdit.

  2. Expand the domain in which you first ran ADConfig.

  3. Expand CN=System.

  4. Expand CN=Policies.

  5. Right-click the Policies node, and then choose Security.

  6. Choose Add.

  7. In the Select Users, Computers, or Groups dialog box, enter SCMDM2008DeviceManagementServers, and then choose OK.

  8. In Permissions for Account Operators for the added group, select Read, and then select Allow. Choose Advanced.

  9. In Advanced Security Settings, under Permission entries, select SCMDM2008DeviceManagementServers, and then choose Edit.

  10. On the Object tab, under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.

Configuring the Security Descriptor of a Default Group Policy Template

In the following procedure, you will configure the security descriptor of the default Group Policy template. You must be a member of the Schema Administrators group to perform this action. You must perform this procedure only once for each enterprise.

To configure the security descriptor of the default group policy template
  1. Open Microsoft Management Console (MMC) with the Active Directory Schema snap-in.

  2. Expand Classes, right-click groupPolicyContainer, and then choose Properties.

  3. Choose the Default Security tab.

  4. Choose Add.

  5. In the Select Users, Computers, or Groups dialog box, enter SCMDM2008DeviceManagementServers, and then choose OK.

  6. In Permissions for Account Operators for the added group, select Read, and then select Allow. Choose Advanced.

  7. In Advanced Security Settings, under Permission entries, select SCMDM2008DeviceManagementServers, and then choose Edit.

  8. On the Object tab, under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.
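The following added audit script (not part of the MDM documentation or of ADConfig.exe) checks the three results that the /gpsecurity parameter, or the three manual procedures above, should leave behind for SCMDM2008DeviceManagementServers: read permission on every existing GPO, read rights on CN=Policies, and an ACE in the groupPolicyContainer default security descriptor. It assumes the GroupPolicy and ActiveDirectory modules, that the session runs in the MDM domain, and uses a placeholder domain name.

```powershell
# Added example (not from the MDM documentation or ADConfig.exe): audit the GPO
# permissions documented for SCMDM2008DeviceManagementServers.
# Assumes the GroupPolicy and ActiveDirectory modules; $domain is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'corp.example.com'                  # placeholder: the domain where ADConfig ran
$trustee  = 'SCMDM2008DeviceManagementServers'
$problems = @()

# 1. Every existing GPO must grant at least GpoRead. Get-GPPermission throws when
#    the trustee has no ACE at all, so an error is treated as "missing".
$readOrBetter = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
foreach ($gpo in Get-GPO -All -Domain $domain) {
    $perm = Get-GPPermission -Guid $gpo.Id -DomainName $domain -TargetName $trustee `
        -TargetType Group -ErrorAction SilentlyContinue
    if (-not $perm -or $readOrBetter -notcontains $perm.Permission) {
        $problems += "GPO '$($gpo.DisplayName)' ($($gpo.Id)): $trustee has no read permission"
    }
}

# 2. CN=Policies: List Contents, Read All Properties and Read Permissions, which
#    correspond to the ActiveDirectoryRights ListChildren, ReadProperty, ReadControl.
#    The AD: drive resolves against the domain the session is connected to.
$domainDN = (Get-ADDomain -Identity $domain).DistinguishedName
$policies = Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDN"
$needed   = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$granted  = $policies.Access | Where-Object {
    $_.IdentityReference -like "*\$trustee" -and $_.AccessControlType -eq 'Allow'
} | ForEach-Object { $_.ActiveDirectoryRights }
$combined = [System.DirectoryServices.ActiveDirectoryRights]0
foreach ($r in $granted) { $combined = $combined -bor $r }
if (($combined -band $needed) -ne $needed) {
    $problems += "CN=Policies: $trustee holds '$combined', needs '$needed'"
}

# 3. The schema default security descriptor of groupPolicyContainer governs GPOs
#    created later. Its SDDL names trustees by SID, so look the group's SID up first.
$sid      = (Get-ADGroup -Identity $trustee -Server $domain).SID.Value
$schemaNC = (Get-ADRootDSE -Server $domain).schemaNamingContext
$gpcClass = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNC" -Server $domain `
    -Properties defaultSecurityDescriptor
if ($gpcClass.defaultSecurityDescriptor -notlike "*$sid*") {
    $problems += "groupPolicyContainer defaultSecurityDescriptor has no ACE for $trustee ($sid)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "$trustee has the documented GPO permissions in $domain." }
```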