Security Basics mailing list archives

Automating Administrative Template Configuration In AD


From: "Rob McComber" <rmccomber () gmail com>
Date: Thu, 1 Jun 2006 10:58:32 -0600

During the installation of our product, we deploy a full AD domain (or
in some cases, integrate with an existing company domain). We are in
the process of automating the application of strict security controls
to ensure that our clients receive a system which can meet all of
their regulatory obligations. In an effort to minimize human error and
cut down on deployment time, we've been automating most of the Active
Directory config through the use of security templates, registry
scripting, etc. Almost everything has gone smoothly, save for setting
the values for the administrative templates to a significantly more
secure configuration.

According to MS, the Admin Templates in AD provide access to write the
settings to the registry, which will in turn affect the appropriate
software when it reads the keys. That works as advertised, and through
some windiff work, it's possible to isolate the key associated with
each function I'm trying to restrict, if it's not in the base list.

Unfortunately, it's proving to be a nightmare to automate. I'm looking
at upwards of 400 config items, and there's no MS interface I can find
that will allow me to script the configuration of the values for the
Admin Templates. I've also tried to write directly to the registry but
AD doesn't read up from it, so we then end up with gpedit listing one
value and the registry listing another.

Has anyone managed to successfully automate the configuration of the
AD Administrative Template values? It'll make things significantly
easier when it comes to securing our installed product but it's
looking like a tough battle at this point.

Regards,
Rob

--
Rob McComber, GSEC, MCSE
Security Architect
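
The mismatch described above (gpedit listing one value, the registry another) follows from where the Administrative Templates editor keeps its settings: in the GPO's Registry.pol file, not in the registry itself. The sketch below is an added example, not part of the original post; it writes and parses that file's documented record layout and reports where a live registry value disagrees. The key names, values and the `LIVE` dictionary are constructed for illustration.

```python
import struct

SIG, VERSION = b"PReg", 1           # file header: signature + DWORD version
REG_SZ, REG_DWORD = 1, 4            # standard registry value types

def _u(s):
    return s.encode("utf-16-le")

def build_pol(settings):
    """Serialise (key, value, type, data) tuples as [key;value;type;size;data] records."""
    out = SIG + struct.pack("<I", VERSION)
    for key, value, rtype, data in settings:
        out += (_u("[" + key + "\0;" + value + "\0;") + struct.pack("<I", rtype)
                + _u(";") + struct.pack("<I", len(data)) + _u(";") + data + _u("]"))
    return out

def _read_str(blob, pos):
    """Read a NUL-terminated UTF-16LE string; return it and the offset past the ';'."""
    end = pos
    while blob[end:end + 2] != b"\0\0":
        if end >= len(blob):
            raise ValueError("truncated record")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 4

def parse_pol(blob):
    """Return {(key, value): (type, data)} from Registry.pol bytes."""
    if blob[:4] != SIG or len(blob) < 8 or struct.unpack_from("<I", blob, 4)[0] != VERSION:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, {}
    while pos < len(blob):
        if blob[pos:pos + 2] != _u("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = _read_str(blob, pos + 2)
        value, pos = _read_str(blob, pos)
        rtype, _, size = struct.unpack_from("<IHI", blob, pos)  # type, ';', size
        data = blob[pos + 12:pos + 12 + size]
        pos += 12 + size + 2                                    # skip data and ']'
        entries[(key.lower(), value.lower())] = (rtype, data)   # names are case-insensitive
    return entries

def drift(pol, live):
    """Settings where a live registry read disagrees with the GPO file."""
    return sorted(k for k, v in pol.items() if live.get(k) != v)

# Constructed sample: hypothetical key and value names, not from the original post.
KEY = r"Software\Policies\ExampleVendor\ExampleApp"
GPO = [(KEY, "DisableFeatureA", REG_DWORD, struct.pack("<I", 1)),
       (KEY, "BannerText", REG_SZ, _u("Authorised use only\0"))]
# What a script that wrote straight to the registry left behind (constructed).
LIVE = {(KEY.lower(), "disablefeaturea"): (REG_DWORD, struct.pack("<I", 0)),
        (KEY.lower(), "bannertext"): (REG_SZ, _u("Authorised use only\0"))}
```

Calling `drift(parse_pol(build_pol(GPO)), LIVE)` lists the settings that a direct registry write left out of step with the policy file.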

