ADConfig Tool
2/9/2009
The Active Directory Configuration Tool (ADConfig) is a configuration tool that you must use to configure Active Directory directory services for System Center Mobile Device Manager. With ADConfig, you can do the following:
- Create and name different MDM instances.
- Create the Active Directory instance structure, service connection points (SCP), Universal Security Groups (USG), organizational units (OU), and other containers for MDM.
- Co-locate MDM instances side-by-side.
- Install and enable certificate templates on certification authorities.
- Set security on Group Policy objects (GPOs) and the default Group Policy object.
- Upgrade Active Directory configuration from MDM 2008 to MDM 2008 SP1.
ADConfig.exe is in the ADConfig directory of the installation disc for MDM. You can start ADConfig at a command prompt, as the following describes.
- You must run ADConfig from a computer or server that is in the same site and domain as the MDM system servers.
- You must not attempt to create two instances in the same domain or forest at the same time and with the same name. If two instances are given the same name, conflicts will occur.
- You must allow for enough time for the changes to replicate across all domain controllers before you continue with the next parameter in the process.
- You must run ADConfig from a secure local location and not from a network share.
- You must have Domain Administrator or equivalent permissions to create MDM instances, Universal Security Groups (USGs), and service connection points (SCPs).
- You must have Enterprise Administrator (or equivalent) credentials to create a new template in the enterprise. This is because all certificate templates are created in the Active Directory configuration container.
- You must have Enterprise Administrator and Administrator permissions on the certification authority to enable certificate templates and grant revocation permissions on the certification authority.
- For the /enablegpsecurity parameter, depending on the options that you select, you must have either Domain Administrator permissions, Schema Administrator permissions, or permissions on a specific GPO.
- Do not give permissions to Group Policy objects from instances that you do not want calculating policies on behalf of devices.
Syntax
ADConfig.exe /?
ADConfig.exe /listinstance /domain:<domain name> [/quiet]
ADConfig.exe /createinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /enableinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /validateinstance:<instance> /domain:<domain name> [/quiet]
ADConfig.exe /removeinstance:<instance> /domain:<domain name> [/quiet] [/force]
ADConfig.exe /disableinstance:<instance> /domain:<domain name> [/quiet] [/force]
ADConfig.exe /createtemplates:<instance> [/quiet]
ADConfig.exe /enabletemplates:<instance> /ca:<ca server>\<ca name> [/quiet]
ADConfig.exe /disabletemplates:<instance> /ca:<ca server>\<ca name> [/quiet] [/force]
ADConfig.exe /removetemplates:<instance> [/quiet] [/force]
ADConfig.exe /enablegpsecurity:<instance> /gpo:default [/quiet]
ADConfig.exe /enablegpsecurity:<instance> /gpo:<all|GPO ID> /domain:<domain> [/quiet]
ADConfig.exe /disablegpsecurity:<instance> /gpo:default [/quiet] [/force]
ADConfig.exe /disableGPSecurity:<instance> /gpo:<all|GPO ID> /domain:<domain> [/quiet] [/force]
ADConfig.exe /upgradeinstance:<instance> [/quiet]
ADConfig.exe /upgradetemplates:<instance> [/quiet]
Primary Parameters
Actions | Description |
---|---|
/createinstance:<instance name> /domain:<domain name> | |
/enableinstance:<instance name> /domain:<domain name> | |
/removeinstance:<instance name> /domain:<domain name> | |
/disableinstance:<instance name> /domain:<domain name> | |
/listinstance | |
/validateinstance | |
/createtemplates:<instance name> | |
/removetemplates:<instance name> | |
/enabletemplates:<instance name> /ca:<ca_server_name>\<ca_name> | |
/disabletemplates:<instance name> /ca:<ca_server_name>\<ca_name> | |
/enableGPsecurity:<instance name> /domain:<domain name> /gpo:<all\|default\|GPO ID> | |
/disablegpsecurity:<instance name> /domain:<domain name> /gpo:<all\|default\|GPO ID> | |
/upgradeinstance:<instance name> | |
/upgradetemplates:<instance name> | |
Additional Parameters
Parameters | Description |
---|---|
/domain:<domain name> | |
/ca:<ca_server_name>\<ca_name> | |
/gpo:<all\|default\|GPO ID> | |
/force | |
/quiet | |
Remarks
The order of the parameters is important to deploy MDM successfully.
- You must run the /createinstance parameter first, before you run any other parameter. Make sure that the MDM groups and containers appear in Active Directory and that they replicate to all domain controllers before you use any other parameter.
- Run ADConfig.exe /enableinstance on any domain where you will have devices for this particular instance.
- Run the /createtemplates parameter next. Verify that the certificate templates are visible in your designated certification authority before you continue with the next parameter.
- Run the /enabletemplates parameter next, after the /createtemplates parameter. You can run this parameter multiple times on different certification authorities.
- Run the /validateinstance parameter next to make sure that the certificate templates, Active Directory structure, and organizational units are set up properly.
If you remove MDM from the network, the order of the parameters is also important: you must remove the components in reverse order. This requires that you run /disablegpsecurity, /disabletemplates, /removetemplates, /disableinstance, and finally /removeinstance.
The following example shows you how to create an instance named "instance1":
ADConfig.exe /createinstance:instance1 /domain:contoso
The following example shows you how to create an instance named "instance1" but not prompt for confirmation:
ADConfig.exe /createinstance:instance1 /domain:contoso /quiet
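The deployment order above, as an added PowerShell script that is not part of the ADConfig documentation: it runs each step in the documented sequence and, after /createinstance, polls every domain controller until the instance SCP and the default devices OU are readable on all of them before continuing. It assumes ADConfig.exe is in the current local directory, that it exits with a non-zero code on failure (the page does not state its exit codes), that the SCP and OU live at the distinguished names shown in the object tree later on this page, and that the CA path is a placeholder you replace.

```powershell
param(
    [string]$Instance      = "instance1",
    [string]$Domain        = "contoso",
    [string]$CA            = "CASERVER\Contoso-CA",   # placeholder for <ca server>\<ca name>
    [string[]]$DeviceDomains = @(),                  # additional domains that will hold devices
    [string]$ADConfig      = ".\ADConfig.exe"         # run from a local directory, not a network share
)
$ErrorActionPreference = "Stop"

function Invoke-ADConfig([string[]]$Arguments) {
    # Assumption (not stated on the page): ADConfig.exe exits non-zero on failure.
    Write-Host "ADConfig.exe $($Arguments -join ' ')"
    & $ADConfig @Arguments
    if ($LASTEXITCODE -ne 0) { throw "ADConfig failed with exit code $LASTEXITCODE" }
}

function Wait-ForReplication([string[]]$DistinguishedNames, [int]$TimeoutSeconds = 1800) {
    # Block until every domain controller in the current domain can read each object.
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($true) {
        $pending = @()
        foreach ($dc in $dcs) {
            foreach ($dn in $DistinguishedNames) {
                if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($dc.Name)/$dn")) {
                    $pending += "$($dc.Name): $dn"
                }
            }
        }
        if ($pending.Count -eq 0) { return }
        if ((Get-Date) -gt $deadline) { throw "Replication timeout; still missing:`n" + ($pending -join "`n") }
        Write-Host "Waiting for replication of $($pending.Count) object(s)..."
        Start-Sleep -Seconds 30
    }
}

$nc = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
# Objects that /createinstance creates, per the object tree on this page (assumed DNs).
$instanceObjects = @(
    "CN=$Instance,CN=SCMDM,CN=System,$nc",
    "OU=SCMDM Managed Devices ($Instance),$nc"
)

# 1. Create the instance first and let it replicate before running anything else.
Invoke-ADConfig @("/createinstance:$Instance", "/domain:$Domain", "/quiet")
Wait-ForReplication $instanceObjects
# 2. Enable the instance in every additional domain that will hold devices.
foreach ($d in $DeviceDomains) { Invoke-ADConfig @("/enableinstance:$Instance", "/domain:$d", "/quiet") }
# 3. Create the templates, then confirm they are visible on the CA before enabling them.
Invoke-ADConfig @("/createtemplates:$Instance", "/quiet")
Read-Host "Confirm the MDM certificate templates are visible on $CA, then press Enter"
# 4. Enable the templates on the CA (repeat this step for each additional CA).
Invoke-ADConfig @("/enabletemplates:$Instance", "/ca:$CA", "/quiet")
# 5. Validate the templates, Active Directory structure and OUs.
Invoke-ADConfig @("/validateinstance:$Instance", "/domain:$Domain", "/quiet")
```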
MDM Groups Created by ADConfig
ADConfig creates the USGs required by MDM for security.
ADConfig does not configure deny permissions for MDM USGs.
Note
ADConfig grants documented permissions for MDM groups explicitly, without regard to inherited behavior.
SCMDM Managed Devices (<instance name>) is the default organizational unit (OU) created during ADConfig Setup. The instance name is appended to the MDM Managed Devices OU.
MDM Infrastructure Groups
ADConfig creates the following MDM infrastructure groups:
- SCMDMDeviceManagementServers (<instance name>)
- SCMDMEnrollmentServers (<instance name>)
- SCMDMEnrolledDevices (<instance name>)
- SCMDMSelfServiceServers (<instance name>)
Universal Group for MDM Device Management Server
ADConfig creates this group for all MDM Device Management Server server accounts.
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMDeviceManagementServers (<instance name>) |
Control of membership | SCMDMServerAdmins |
Active Directory permissions | Enables MDM Device Management Server to access global settings and servers. |
Universal Group for MDM Enrollment Server
ADConfig creates this group for all MDM Enrollment Server server accounts. Members of this group can create and delete computer objects from the default MDM Devices OU and revoke certificates for devices on the certification authority.
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMEnrollmentServers (<instance name>) |
Control of membership | SCMDMServerAdmins |
Active Directory permissions | Enables MDM Enrollment Server to access global settings and servers. |
Universal Group for Managed Devices
ADConfig creates this group that includes all managed devices enrolled in MDM.
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMEnrolledDevices (<instance name>) |
Control of membership | SCMDMEnrollmentServers |
Active Directory permissions | None |
Certification authority permissions | This group has permissions on the certification authority to renew certificates. |
Universal Group for MDM Self Service Portal
ADConfig creates this group for MDM administrators to control wipe requests, enrollment requests, device history, and inventory.
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMSelfServiceServers (<instance name>) |
Control of membership | SCMDMServerAdmins |
Active Directory permissions | Enables MDM Self Service Portal to have permissions on specific services. |
MDM Security Groups
ADConfig creates the following MDM security groups:
- SCMDMSecurityAdmins (<instance name>)
- SCMDMServerAdmins (<instance name>)
- SCMDMDeviceAdmins (<instance name>)
- SCMDMDeviceSupport (<instance name>)
- SCMDMHelpdeskOperator (<instance name>)
- SCMDMReadOnlyUsers (<instance name>)
- SCMDMAuthorizedUsers (<instance name>)
To read more on MDM Security Groups, see Security and Protection for Mobile Device Manager.
Universal Group for Security Administrators
ADConfig creates this group for MDM security administrators to manage group membership to other MDM groups.
The SCMDMSecurityAdmins group has control over membership of all user-based USGs:
- SCMDMServerAdmins (<instance name>)
- SCMDMDeviceAdmins (<instance name>)
- SCMDMDeviceSupport (<instance name>)
- SCMDMHelpdeskOperator (<instance name>)
- SCMDMAuthorizedUsers (<instance name>)
- SCMDMReadOnlyUsers (<instance name>)
The following describes this group:
Property | Value |
---|---|
USG name | SCMDMSecurityAdmins (<instance name>) |
Control of membership | DomainAdmins |
Active Directory permissions | The SCMDMSecurityAdmins group enables enterprise-level administrators to control all MDM user-based USGs. |
Universal Group for MDM Server Administrators
ADConfig creates this group for MDM administrators to manage and set up computers to run the MDM system. Members can add or remove members from all other groups and implicitly have complete management abilities over managed devices.
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMServerAdmins (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | The SCMDMServerAdmins group must have access and credentials to create databases on the computer that is running Microsoft SQL Server. The SQL administrator adds this group to the system access control list (SACL) manually. The SCMDMServerAdmins group Active Directory credentials enable the enterprise-level administrator to control all global settings and any computer that is running MDM. The SCMDMServerAdmins group provides the following: |
Universal Group for Managed Device Administrators
ADConfig creates this group for enterprise-level administrators to control global settings on any managed device that is connected to the MDM system.
This group provides the following:
- Ability for enterprise-level administrators to control all MDM configuration settings for any computer that is running the MDM system
- Read permission on all global settings
- Read permission on server and instance settings
The following describes this group:
Property | Value |
---|---|
USG name | SCMDMDeviceAdmins (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | Device administrators for MDM have access to device management functions. A universal security group for MDM device administrators to manage devices and perform device operations. |
Universal Group for Managed Device Support
ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.
This group provides the following:
- Read permission on all global settings
- Read permission on all users and computers in the MDM system
- Read permission on server and instance settings
- Read permission on all users in the MDM system
The following describes this group:
Property | Value |
---|---|
USG name | SCMDMDeviceSupport (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | Second-tier senior Helpdesk device support. A universal security group for MDM Device Support to provide device support for MDM-managed devices. |
Universal Group for Helpdesk Operator
ADConfig creates this group for enterprise-level administrators to control global settings for any computer that is running the MDM system.
This group provides the following:
- Read permission on all global settings
- Read permission on all users and computers in the MDM domain
- Read permission on server and instance settings
- Read permission on all user settings in the MDM domain
The following describes this group.
Property | Value |
---|---|
USG name | SCMDMHelpdeskOperator (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | First-tier Helpdesk support. A universal security group for Helpdesk operators to provide device support for MDM-managed devices. |
Universal Group for Read-Only Users
ADConfig creates this group for read-only permissions on an instance. This group provides device support for MDM-managed devices. This group cannot create tasks or modify any settings in the MDM system.
This group provides the following:
- Read permission on all global settings
- Read permission on all users and computers in the MDM domain
- Read permission on server and instance settings
- Read permission on all user settings in the MDM domain
- Read permissions on device objects
The following describes this group:
Property | Value |
---|---|
USG name | SCMDMReadOnlyUsers (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | Read-only administrators for MDM have access to device support functions. A universal security group for MDM device support administrators to view device settings and information. |
Universal Group for Instance Authorized Users
ADConfig creates this group for authorized users to access MDM Self Service Portal and other portions of the instance. Users of this group can access any MDM Self Service Portals associated with the instance, as well as other instance resources.
The following describes this group:
Property | Value |
---|---|
USG name | SCMDMAuthorizedUsers (<instance name>) |
Control of membership | SCMDMSecurityAdmins (<instance name>) |
Active Directory permissions | By default, all domain users are added to this group. To restrict access to MDM Self Service Portal, limit this group membership. To grant access to MDM Self Service Portal, add members to this group. |
MDM Self Service Portal applies access control lists (ACLs) to this group to restrict access to MDM Self Service Portal based on the membership of this group. Administrators can remove members from the group to restrict access.
ADConfig Operations
When you run ADConfig, MDM performs certain operations based on the parameters that you use. The following provides details about the operations that MDM performs when you run ADConfig.
Note
By default, ADConfig writes a log file to the current directory, or the Temp directory, depending on where it has permissions. You should back up these log files to persistent storage and periodically remove extraneous log files to save hard disk space.
ADConfig-Created Domain Objects
When you run ADConfig by using the /createinstance parameter, MDM creates objects in Active Directory to contain elements of MDM. The following shows the structure of these objects.
DefaultNamingContext
    CN=System
        CN=SCMDM
            <instance name> [SCP]
    SCMDM Managed Devices (<instance name>) [OU]
        (The devices OU where all MDM devices are created by default)
    CN=Users and Computers [container or Users Redirect OU]
        SCMDMSecurityAdmins (<instance name>) [USG]
        SCMDMServerAdmins (<instance name>) [USG]
        SCMDMDeviceAdmins (<instance name>) [USG]
        SCMDMDeviceSupport (<instance name>) [USG]
        SCMDMHelpdeskOperator (<instance name>) [USG]
        SCMDMAuthorizedUsers (<instance name>) [USG]
        SCMDMReadOnlyUsers (<instance name>) [USG]
    OU=SCMDM Infrastructure Groups (<instance name>) [OU]
        SCMDMDeviceManagementServers (<instance name>) [USG]
        SCMDMEnrollmentServers (<instance name>) [USG]
        SCMDMEnrolledDevices (<instance name>) [USG]
        SCMDMSelfServiceServers (<instance name>) [USG]
Under CN=System, MDM creates the following container structure in the specified domain. This example is shown by using the default naming context:
CN=SCMDM <instance name> [SCP]
Under CN=Users and Computers, MDM creates the following container in the specified domain. This example is shown by using the default naming context:
- USG: SCMDMSecurityAdmins (<instance name>)
- USG: SCMDMServerAdmins (<instance name>)
- USG: SCMDMDeviceAdmins (<instance name>)
- USG: SCMDMDeviceSupport (<instance name>)
- USG: SCMDMHelpdeskOperator (<instance name>)
- USG: SCMDMAuthorizedUsers (<instance name>)
- USG: SCMDMReadOnlyUsers (<instance name>)
As a sibling of CN=Users, MDM creates the following OU in the specified domain. This example is shown by using the default naming context:
OU=SCMDM Infrastructure Groups (<instance name>)
- USG: SCMDMDeviceManagementServers (<instance name>)
- USG: SCMDMEnrollmentServers (<instance name>)
- USG: SCMDMEnrolledDevices (<instance name>)
- USG: SCMDMSelfServiceServers (<instance name>)
At the root level, MDM creates the following OU:
OU= SCMDM Managed Devices (<instance name>) (default OU for enrolled devices)
MDM adds members of the Domain Administrators group of the specified domain to the SCMDMServerAdmins (<instance name>) group.
MDM adds the SCMDMDeviceManagementServers (<instance name>) group to the Windows Authorization Access (WAA) group of the specified domain.
MDM gives Add/Remove Members permissions on all other MDM groups to the SCMDMServerAdmins (<instance name>) group.
MDM gives Add/Remove Members permissions on the SCMDMEnrolledDevices (<instance name>) group to the SCMDMEnrollmentServers (<instance name>) group.
MDM gives Create/Delete computer objects permissions on the MDM Devices OU to the SCMDMEnrollmentServers (<instance name>) group.
MDM gives read/write permissions on the keywords attribute of the SCMDM SCP to the SCMDMServerAdmins (<instance name>) and Enterprise Administrators groups.
When you run MDM in successive domains, it adds the SCMDMDeviceManagementServers (<instance name>) group to the Windows Authorization Access (WAA) group of the specified domain. To run MDM in successive domains, you must use the /enableinstance parameter.
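An added audit script, not part of the ADConfig documentation, that checks several of the permissions and memberships listed above against the live directory and reports PASS or FAIL for each, so that drift from the documented state can be detected. It assumes a domain-joined machine with read access to the domain, that the instance groups can be found by CN anywhere in the domain, that the SCP is CN=<instance>,CN=SCMDM,CN=System under the default naming context as in the object tree, and that "Add/Remove Members" corresponds to write access on the member attribute.

```powershell
param([string]$Instance = "instance1")

$rootDse  = [ADSI]"LDAP://RootDSE"
$nc       = [string]$rootDse.defaultNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext
$ADR      = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Resolve the schemaIDGUID of a class or attribute from the schema rather than hard-coding it.
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $s.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    New-Object Guid -ArgumentList (,[byte[]]$s.FindOne().Properties["schemaidguid"][0])
}

function Get-MdmGroup([string]$Name) {
    # The instance USGs sit in CN=Users or a redirected OU, so search the domain by CN.
    # Parentheses in the CN must be escaped inside an LDAP filter.
    $cn = ("$Name ($Instance)" -replace '\(', '\28') -replace '\)', '\29'
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$nc")
    $s.Filter = "(&(objectClass=group)(cn=$cn))"
    $r = $s.FindOne()
    if ($r -eq $null) { throw "Group '$Name ($Instance)' not found in $nc" }
    New-Object PSObject -Property @{
        Dn  = [string]$r.Properties["distinguishedname"][0]
        Sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @([byte[]]$r.Properties["objectsid"][0], 0)
    }
}

function Test-AllowAce([string]$Dn, $Sid, $Rights, [Guid]$ObjectType) {
    # True if an Allow ACE for $Sid on $Dn grants every bit of $Rights, scoped either to the
    # given schema object (attribute or class) or to all objects (empty GUID).
    $acl = ([ADSI]"LDAP://$Dn").ObjectSecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Sid.Value) { continue }
        if ($ace.ObjectType -ne $ObjectType -and $ace.ObjectType -ne [Guid]::Empty) { continue }
        if (($ace.ActiveDirectoryRights -band $Rights) -eq $Rights) { return $true }
    }
    return $false
}

$enroll    = Get-MdmGroup "SCMDMEnrollmentServers"
$enrolled  = Get-MdmGroup "SCMDMEnrolledDevices"
$serverAdm = Get-MdmGroup "SCMDMServerAdmins"
$dms       = Get-MdmGroup "SCMDMDeviceManagementServers"
$devicesOu = "OU=SCMDM Managed Devices ($Instance),$nc"
$scpDn     = "CN=$Instance,CN=SCMDM,CN=System,$nc"      # assumed SCP location, per the object tree
$waaMembers = ([ADSI]"LDAP://CN=Windows Authorization Access Group,CN=Builtin,$nc").member

$checks = @(
    @{ What = "EnrollmentServers: create/delete computer objects in the devices OU"
       Ok   = Test-AllowAce $devicesOu $enroll.Sid ($ADR::CreateChild -bor $ADR::DeleteChild) (Get-SchemaGuid "computer") },
    @{ What = "EnrollmentServers: add/remove members of EnrolledDevices"
       Ok   = Test-AllowAce $enrolled.Dn $enroll.Sid ($ADR::WriteProperty) (Get-SchemaGuid "member") },
    @{ What = "ServerAdmins: add/remove members of EnrolledDevices"
       Ok   = Test-AllowAce $enrolled.Dn $serverAdm.Sid ($ADR::WriteProperty) (Get-SchemaGuid "member") },
    @{ What = "ServerAdmins: write the keywords attribute of the instance SCP"
       Ok   = Test-AllowAce $scpDn $serverAdm.Sid ($ADR::WriteProperty) (Get-SchemaGuid "keywords") },
    @{ What = "DeviceManagementServers is a member of Windows Authorization Access Group"
       Ok   = ($waaMembers -contains $dms.Dn) }
)
foreach ($c in $checks) { "{0,-5} {1}" -f $(if ($c.Ok) { "PASS" } else { "FAIL" }), $c.What }
```

A FAIL means the directory no longer matches what ADConfig is documented to set; the page's /validateinstance parameter is the supported check, and this script only supplements it.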
Enable Certificate Templates on the Certification Authority
When you run ADConfig by using the /enabletemplates parameter, MDM enables the certificate templates on the certification authority specified by <CA server>\<CA name> and grants permissions to users and USGs on the certification authority. It also sets certificate enroll permissions and certificate restrictions on the certification authority.
For information about the three certificate templates that MDM creates with the /createtemplates parameter, see Manual Certificate Procedures.
Modify Permissions on Group Policy Objects
When you run ADConfig by using the /enablegpsecurity parameter, MDM modifies permissions on certain Group Policy objects (GPOs).
- /enablegpsecurity:<instance name> /gpo:default
- Modifies permissions on the default GPO security descriptor for MDM
- Requires permissions on the default GPO security descriptor. Generally, these are schema administrator credentials
- /enablegpsecurity:<instance name> /domain:<domain name> /gpo:<GPO ID>
- Modifies permissions on the specified GPO in the specified domain
- Requires permissions on the GPO object
- /enablegpsecurity:<instance name> /domain:<domain name> /gpo:all
- Modifies permissions on all existing GPOs in the specified domain
- Requires permissions on all existing GPOs in the specified domain
Modifying an MDM Instance Friendly Name
After you install MDM or make modifications to the MDM system, you may want to change the instance friendly name. You cannot change the immutable instance name. However, you can change the friendly name by following the steps below.
If you modify the SCPs, you must restart all administration consoles or any open MDM Shell to show the change. These restarts are necessary to correctly detect the new SCPs.
Important
If you modify Active Directory with a low-level editor such as ADSIEdit, you could cause problems with your Active Directory structure or environment. Any changes you make to Active Directory could cause serious system errors. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.
To modify an instance friendly name
1. Start ADSIEdit.
2. Expand the domain in which you first ran ADConfig.
3. Expand CN=System.
4. Expand CN=SCMDM. The list of instance SCPs is shown.
5. Right-click the SCP for the instance that you want to modify. For example, CN=<Instance Name SCP>.
6. Select Properties.
7. In the CN=<Instance Name SCP> Properties dialog box, select Show only attributes that have values.
8. Locate and then select the keywords attribute.
9. Choose Edit to view the current values for that instance.
10. In the Multi-valued String Editor dialog box, select the value "friendlyname=<name>," and then choose Remove. The value appears in the Value to add box.
11. Modify the entry but do not change the friendlyname= in front of the newly modified Value to add entry.
12. Choose Add. The modified entry appears in the Values list.
13. Choose OK two times to close the editor.
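The same edit as an added PowerShell script (not part of the ADConfig documentation): it reads the keywords attribute of the instance SCP, replaces only the friendlyname= value, leaves every other keyword untouched, and refuses to write if the friendlyname= entry is missing or duplicated. It assumes the SCP is CN=<instance>,CN=SCMDM,CN=System under the default naming context, as in the object tree above, and that the caller holds the write permission on the keywords attribute that the page says SCMDMServerAdmins receives.

```powershell
param(
    [Parameter(Mandatory=$true)][string]$Instance,          # immutable instance name (the SCP's CN)
    [Parameter(Mandatory=$true)][string]$NewFriendlyName
)
$ErrorActionPreference = "Stop"

function Set-MdmFriendlyName([string[]]$Keywords, [string]$Name) {
    # Return the keyword list with the single friendlyname= value replaced.
    # Stop rather than guess when the entry is missing or appears more than once.
    $found = @($Keywords | Where-Object { $_ -like "friendlyname=*" })
    if ($found.Count -ne 1) { throw "Expected exactly one friendlyname= value, found $($found.Count)" }
    $Keywords | ForEach-Object { if ($_ -eq $found[0]) { "friendlyname=$Name" } else { $_ } }
}

$nc  = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
# Assumed SCP location, per the object tree: CN=<instance>,CN=SCMDM,CN=System,<default naming context>
$scp = [ADSI]"LDAP://CN=$Instance,CN=SCMDM,CN=System,$nc"

$current = @($scp.keywords | ForEach-Object { [string]$_ })
$updated = @(Set-MdmFriendlyName $current $NewFriendlyName)
Write-Host "Current keywords: $($current -join '; ')"
Write-Host "Updated keywords: $($updated -join '; ')"

# ADS_PROPERTY_UPDATE (2) replaces the whole multi-valued attribute in a single write,
# which is the scripted equivalent of Remove + Add + OK in the Multi-valued String Editor.
$scp.PutEx(2, "keywords", $updated)
$scp.SetInfo()
Write-Host "Restart any open MDM console or MDM Shell so that it detects the modified SCP."
```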