Now that we have created the authentication policy, the next step is to create a new authentication policy silo. My requirement is to create a policy silo that restricts the user account of Peter so that it can only authenticate from REBEL-PC01; an attempt by Peter to sign in from any device outside the silo will be refused a TGT by the KDC.
Policy silos can be created using ADAC or the New-ADAuthenticationPolicySilo PowerShell cmdlet:
In this demo, let's create a new authentication policy silo called Restricted_REBEL_PC01:
New-ADAuthenticationPolicySilo -Name Restricted_REBEL_PC01 -UserAuthenticationPolicy AP_1hr_TGT -ComputerAuthenticationPolicy AP_1hr_TGT -ServiceAuthenticationPolicy AP_1hr_TGT -Enforce
In the preceding command, -UserAuthenticationPolicy, -ComputerAuthenticationPolicy, and -ServiceAuthenticationPolicy name the authentication policies that apply to the user, computer, and service accounts in the silo. Here we use the same policy for all three classes, but a silo can reference a different policy for each class if needed. The -Enforce switch puts the silo into enforcement mode; without it the silo runs in audit mode, which only logs the authentications that would have been denied and does not block anything.
The next step is to add the related objects to the policy silo as permitted accounts. In my demo, this is the user account of Peter and the computer called REBEL-PC01.
We can add these objects to the policy silos using the Grant-ADAuthenticationPolicySiloAccess PowerShell cmdlet:
Grant-ADAuthenticationPolicySiloAccess -Identity Restricted_REBEL_PC01 -Account Peter
The preceding command adds the user account of Peter to the Restricted_REBEL_PC01 policy silo as a permitted account.
We also can combine it with a filter and then add the result to the policy silo:
Get-ADComputer -Filter 'Name -like "REBEL-PC01"' | Grant-ADAuthenticationPolicySiloAccess -Identity Restricted_REBEL_PC01
In the preceding command, we search for the computer object and then pass the result to the policy silo.
Once this is completed, we need to assign the policy silo and the authentication policy to Peter and REBEL-PC01. Granting access in the previous step only lists an account as permitted in the silo; the account is not an effective member until it is also assigned to the silo, so both steps are required. The assignment is done using Set-ADAccountAuthenticationPolicySilo:
Set-ADAccountAuthenticationPolicySilo -Identity Peter -AuthenticationPolicySilo Restricted_REBEL_PC01 -AuthenticationPolicy AP_1hr_TGT
The preceding command assigns the Restricted_REBEL_PC01 policy silo and the AP_1hr_TGT authentication policy to the user account of Peter.
The same cmdlet also accepts piped input from a filter:
Get-ADComputer -Filter 'Name -like "REBEL-PC01"' | Set-ADAccountAuthenticationPolicySilo -AuthenticationPolicySilo Restricted_REBEL_PC01 -AuthenticationPolicy AP_1hr_TGT
The preceding command filters for the REBEL-PC01 AD computer object and then assigns both the authentication policy and the policy silo.
The last step of the configuration is to define the access control condition for the AP_1hr_TGT authentication policy. This condition is evaluated against the device or host from which the user logs in, and the user is only granted a TGT when the device satisfies it. The condition for my demo requires the device to be a member of the same policy silo:
Set-ADAuthenticationPolicy -Identity AP_1hr_TGT -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"Restricted_REBEL_PC01`"))"
In the preceding command, the condition is passed as a Security Descriptor Definition Language (SDDL) string. In this particular string, @USER.ad://ext/AuthenticationSilo is evaluated against the device account that the user is authenticating from, so the condition reads "the device must be assigned to the Restricted_REBEL_PC01 silo". The backticks in front of the inner double quotes are PowerShell escape characters, because the whole string is itself enclosed in double quotes. You can find more information about SDDL at https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/.
The condition can also be modified by using the authentication policy properties window in ADAC.
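The complete procedure as one script is shown below. This is an added example and not code from the original page; it assumes the AP_1hr_TGT policy already exists from the previous section, that the user is Peter and the computer is REBEL-PC01, that the domain controller is called DC01, and that the script runs under an account allowed to modify authentication policies. It also shows the two things a practitioner wants that the step-by-step commands above do not: it starts the silo in audit mode and only enforces it after checking that both sides of the membership agree, and it reads back the assignments and the KDC's denial events so the restriction can be confirmed rather than assumed.

```powershell
# Added example (not from the original page): Restricted_REBEL_PC01 end to end,
# with verification. Assumed names: user 'Peter', computer 'REBEL-PC01',
# policy 'AP_1hr_TGT' (already created), domain controller 'DC01'.
Import-Module ActiveDirectory

$SiloName   = 'Restricted_REBEL_PC01'
$PolicyName = 'AP_1hr_TGT'
$UserName   = 'Peter'
$Computer   = 'REBEL-PC01'
$DomainCtrl = 'DC01'

# 1. Create the silo WITHOUT -Enforce so it starts in audit mode: the KDC logs
#    what it would deny but does not deny anything yet.
if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$SiloName'")) {
    New-ADAuthenticationPolicySilo -Name $SiloName `
        -UserAuthenticationPolicy     $PolicyName `
        -ComputerAuthenticationPolicy $PolicyName `
        -ServiceAuthenticationPolicy  $PolicyName
}

# 2. Permit the user and the computer in the silo ...
Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $UserName
Get-ADComputer -Filter "Name -eq '$Computer'" |
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName

# 3. ... and assign the silo and policy on the accounts themselves. Both steps
#    are needed: an account is only an effective member when the silo lists it
#    AND the account points back at the silo.
Set-ADAccountAuthenticationPolicySilo -Identity $UserName `
    -AuthenticationPolicySilo $SiloName -AuthenticationPolicy $PolicyName
Get-ADComputer -Filter "Name -eq '$Computer'" |
    Set-ADAccountAuthenticationPolicySilo `
        -AuthenticationPolicySilo $SiloName -AuthenticationPolicy $PolicyName

# 4. Restrict where the user may authenticate from: the device presenting the
#    request must itself be assigned to the silo. The inner quotes are escaped
#    with backticks because the SDDL string is built inside double quotes.
$Sddl = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
Set-ADAuthenticationPolicy -Identity $PolicyName -UserAllowedToAuthenticateFrom $Sddl

# 5. Read the configuration back from both directions before enforcing.
$Silo = Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties 'msDS-AuthNPolicySiloMembers', Enforce
$User = Get-ADUser     -Identity $UserName -Properties 'msDS-AssignedAuthNPolicySilo', 'msDS-AssignedAuthNPolicy'
$Pc   = Get-ADComputer -Identity $Computer -Properties 'msDS-AssignedAuthNPolicySilo', 'msDS-AssignedAuthNPolicy'

"Silo enforced : $($Silo.Enforce)"
"Silo members  : $($Silo.'msDS-AuthNPolicySiloMembers' -join ', ')"
"User -> silo  : $($User.'msDS-AssignedAuthNPolicySilo')"
"PC   -> silo  : $($Pc.'msDS-AssignedAuthNPolicySilo')"
Get-ADAuthenticationPolicy -Identity $PolicyName -Properties * |
    Select-Object Name, Enforce, UserAllowedToAuthenticateFrom

# Membership is only effective when the silo lists the account and the account
# references the silo; stop here if either direction is missing.
$Members = @($Silo.'msDS-AuthNPolicySiloMembers')
if ($Members -notcontains $User.DistinguishedName -or
    $Members -notcontains $Pc.DistinguishedName   -or
    $User.'msDS-AssignedAuthNPolicySilo' -ne $Silo.DistinguishedName -or
    $Pc.'msDS-AssignedAuthNPolicySilo'   -ne $Silo.DistinguishedName) {
    throw "Silo membership is not consistent on both sides; not enforcing."
}

# 6. Test in audit mode first: have Peter log on from a PC outside the silo and
#    review the would-be denials in the DC's operational log
#    Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
#    (it must be enabled in Event Viewer first). When only the expected entries
#    appear, switch both the silo and the policy to enforcement.
Set-ADAuthenticationPolicySilo -Identity $SiloName   -Enforce $true
Set-ADAuthenticationPolicy     -Identity $PolicyName -Enforce $true

# 7. Once enforced, a logon from outside the silo is refused and the DC logs it
#    in the Security log: 4820 = TGT denied because the device does not meet the
#    access control restrictions, 4821 = service ticket denied for the same reason.
Get-WinEvent -ComputerName $DomainCtrl -FilterHashtable @{ LogName = 'Security'; Id = 4820, 4821 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The consistency check in step 5 is the part worth keeping in any production version of this script: a silo whose member list and account assignments disagree silently does nothing, which looks exactly like a working silo until somebody tests a logon from the wrong machine.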
This finishes the configuration of the authentication policy silo and the authentication policy. Two caveats apply before relying on it. First, the restriction only takes effect when both the policy and the silo are in enforcement mode; a silo created without -Enforce, or a policy left in audit mode, records events but does not block logons, so test in audit mode and then enforce deliberately. Second, authentication policies and silos require a domain functional level of Windows Server 2012 R2 or higher, and the domain controllers must have "KDC support for claims, compound authentication and Kerberos armoring" enabled through Group Policy, because the device condition is carried as a claim in the Kerberos exchange. With those in place, authentication policies and authentication policy silos provide greater flexibility in protecting privileged accounts on critical systems.