Darren Watt » windows http://darrenwatt.com There Are Many Darren Watts Like Him, But This One Is Me Sun, 13 May 2012 09:59:58 +0000 en hourly 1 http://wordpress.org/?v=3.3.2 Applying WPA2 via Group Policy in Windows Server 2003 http://darrenwatt.com/applying-wpa2-via-group-policy-in-windows-server-2003/ http://darrenwatt.com/applying-wpa2-via-group-policy-in-windows-server-2003/#comments Wed, 15 Oct 2008 17:21:02 +0000 Darren http://www.darrenwatt.com/?p=116 [Updated 11/03/2010; fixed typos and clarified a few things]

One of the things I get involved with at work is sorting auto-deployment of wireless profiles via Group Policy. In the past this has been great for configuring WPA/TKIP wireless profiles which are fine for most situations. However, most implementations of 802.11n require either no encryption or WPA2 before the advanced features of ‘n’ (eg. high speeds) are available.

Microsoft Server 2003 doesn’t support WPA2 in Group Policy, despite the fact it’s in XP Service Pack 3, and Windows Server 2008. It is also supported in Windows XP Service Pack 2 with update kb893357. After a lot of faffing around various forums it turns out there is a workaround to implement WPA2 in GPO on Server 2003.

wpa2_gpo_w2k3_server

WPA2 Option in Server 2003

Updating Active Directory for Group Policy Enhancements

Described in http://technet.microsoft.com/en-gb/library/bb727029.aspx.

This is just a howto so I won’t go into great detail, just how to quickly get it done.

Copy the file 802.11Schema.ldf onto the Active Directory server (the content of this file is listed at the end of this post in plaintext which you can cut n paste into a file if the link fails: KEEP THE ‘-’ AT THE END OF THE FILE, THIS IS IMPORTANT.
Open command prompt and run the following command on AD Server:

C:>ldifde -i -v -k -f 802.11Schema.ldf -c DC=X [Distinguished_Name_of_Domain]

I’ll paraphrase the M$ example at this point, if your domain is beans.com, the command you enter should be:

C:>ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=beans,DC=com

It should respond that 6 items have been updated. It could probably benefit from a restart at this point, but other than that: That’s it for the Server!

Group Policy Update from Vista PC or Server 2008

Even though the Server 2003 box will support WPA2 now, you can’t set it up on the box itself. This needs to be done from either a Vista or Server 2008 machine (probably works with Windows 7 now – if anyone finds out can you pop me a comment please?). Join the PC to the domain if not already on it. Log onto the PC as Schema Administrator if possible – usually a Domain Admin account is fine.

Start, Run ‘gpmc.msc’ – If it’s not installed you need to install Microsoft Remote Server Administration Tools for Windows Vista (KB941314)

After the MRSAT have been installed you need to enable them. Go to:
Control Panel, Programs and Features, Turn Windows features on and off, Enable Tools.

From Group Policy Management you should now be able to select the Wireless Policy under:
Computer Config, Policies, Windows Settings, Security Settings, Wireless Network Policies, edit ‘XP’ policy, select Preferred Networks, and enter or edit the network profile. Change the authentication type to WPA2 and encryption to AES. Job done!

I’m always interested in feedback from this, if there’s anything I’ve missed or if things have moved on pop me a note and I’ll update.

The following is the content of the ldf file, you should just be able to download the file above though.


# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.11Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16

# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

]]> http://darrenwatt.com/applying-wpa2-via-group-policy-in-windows-server-2003/feed/ 27