1 Week 3: Secure and Efficient Administration of Active Directory
- Work with Active Directory snap-ins, custom consoles, and least privilege
- Find objects in Active Directory
- Use the DS commands to administer Active Directory
- Create computer accounts and join the domain
- Administer computer objects and accounts
2 The MMC Console (figure: a console window with the console tree on the left, the details pane in the center, and the actions pane on the right; toolbar buttons show or hide the console tree and the actions pane)
3 Active Directory Administration Snap-ins
- Active Directory Users and Computers: manage the most common day-to-day objects, including users, groups, computers, printers, and shared folders
- Active Directory Sites and Services: manage replication, network topology, and related services
- Active Directory Domains and Trusts: configure and maintain trust relationships and the domain and forest functional levels
- Active Directory Schema: administer the schema
4 Find Active Directory Snap-ins
- The Active Directory snap-ins are installed on every domain controller
  - Server Manager: Users and Computers, Sites and Services
  - Administrative Tools folder
- On a member server or client, install the Remote Server Administration Tools (RSAT)
  - Windows Server 2008: Server Manager, Features, Add Feature, Remote Server Administration Tools
  - Windows Vista SP1 and Windows 7: download the RSAT package, double-click the file, then follow the Setup Wizard; afterwards open Control Panel, Programs And Features, Turn Windows Features On Or Off, and enable Remote Server Administration Tools
- Demo: the Active Directory snap-ins
5 Secure Administration with Least Privilege, Run As Administrator, and User Account Control
- Maintain at least two accounts: a standard user account and an account with administrative privileges
- Log on to your computer as a standard user; do not log on with administrative credentials
- Launch administrative consoles with Run As Administrator
  1. Right-click the console and click Run As Administrator
  2. Click Use another account
  3. Enter the username and password for your administrative account
- The administrative credentials are still processed on the workstation you type them into, so this only reduces exposure when that workstation is itself well managed and trusted
- Demo
6 Find Objects in Active Directory
- When you assign permissions to a folder or file, you select the group or user to which the permissions are assigned
- When you add members to a group, you select the user or group that will be added as a member
- When you configure a linked attribute such as Managed By, you select the user or group that will be displayed on the Managed By tab
- When you need to administer a user, group, or computer, search for the object in Active Directory instead of browsing for it
- Demo
7 Options for Locating Objects in Active Directory Users and Computers
- Sorting: click the column headings in Active Directory Users and Computers to order the objects by that column
- Searching: provide the criteria for which you want to search
- Demo
8 DNs, RDNs, and CNs
- A distinguished name (DN) must be unique in the directory, so a relative distinguished name (RDN) must be unique within its parent container
- Example DN: cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com
  - RDN: cn=Jeff Ford
  - Common name (CN): Jeff Ford
  - Parent container DN: ou=Employees,ou=User Accounts,dc=contoso,dc=com
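The DN anatomy above, worked through in PowerShell as an added example (this is not code from the course slides). It splits a DN into its RDN, CN and parent container, which is exactly what a later dsmove -newparent or a dsadd needs, and it handles the one edge case that bites scripted administration: a comma inside a CN is escaped as "\," and must not be treated as a separator. Only the first DN is from the slide; the "Ford\, Jeff" DN is constructed for the example.

```powershell
# Added example, not from the course slides: split a DN into its RDN and parent DN
# without breaking on escaped commas. The "Ford\, Jeff" DN below is constructed.
function Split-DistinguishedName {
    param([Parameter(Mandatory = $true)][string]$Dn)
    $rdns = @()
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $c = $Dn[$i]
        # A backslash escapes the next character (RFC 4514), so "\," is data, not a separator.
        if ($c -eq '\' -and ($i + 1) -lt $Dn.Length) {
            [void]$current.Append($c).Append($Dn[$i + 1])
            $i++
            continue
        }
        if ($c -eq ',') {
            $rdns += $current.ToString().Trim()
            $current.Length = 0
            continue
        }
        [void]$current.Append($c)
    }
    $rdns += $current.ToString().Trim()

    $parent = ''
    if ($rdns.Count -gt 1) { $parent = $rdns[1..($rdns.Count - 1)] -join ',' }

    New-Object PSObject -Property @{
        Rdn        = $rdns[0]
        CommonName = ($rdns[0] -replace '^cn=', '')
        Parent     = $parent
    }
}

# The slide's DN: Parent is the Employees OU, which is what dsmove -newparent takes.
Split-DistinguishedName 'cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com'

# Constructed edge case: a naive -split ',' would cut this CN into "cn=Ford\" and " Jeff".
Split-DistinguishedName 'cn=Ford\, Jeff,ou=Employees,ou=User Accounts,dc=contoso,dc=com'
```

The DS commands themselves quote and escape DNs correctly when they print them, so the function matters most when DNs are assembled by hand or read from a spreadsheet.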
9 The DS Commands
- DSQuery: performs a query based on parameters provided at the command line and returns a list of matching objects
- DSGet: returns specified attributes of an object
- DSMod: modifies specified attributes of an object
- DSMove: moves an object to a new container or OU, or renames it
- DSAdd: creates an object in the directory
- DSRm: removes an object, all objects in the subtree beneath a container object, or both
- Help for each command: DScommand /? (for example, dsquery /?)
10 Find Objects with DSQuery
- dsquery objectType
  - objectType: user, computer, group, ou
  - By default, the search scope is the entire domain
  - -limit: number of results to return; 100 is the default and 0 means "return all results"
- dsquery objectType -attribute "criteria"
  - attribute is objectType specific: see dsquery objectType /?
  - Examples for user: -name, -samid, -office, -desc
  - Put the criteria in quotes if they contain a space; wildcards (*) are allowed
- dsquery objectType BaseDN -scope {subtree|onelevel|base}
  - Specifies where the search starts and how deep it goes
11 Find Objects with DSQuery
12 Retrieve Object Attributes with DSGet
- dsget objectType objectDN -attribute (the common syntax for many DS commands)
    dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -
- What is the difference between DSGet and DSQuery? DSGet retrieves a property from a specific object, whereas DSQuery finds objects based on a property
13 Pipe DNs to Other DS Commands
- Typing DNs by hand is error-prone:
    dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -
- DSQuery returns DNs:
    dsquery user -name "Jeff Ford"
    returns "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com"
- Pipe (send) the DNs from DSQuery to DSGet with |
    dsquery user -name "Jeff Ford" | dsget user -
- Or multiple results:
    dsquery user -name "Dan*" | dsget user -
14 Modify Object Attributes with DSMod
- dsmod objectType "objectDN" -attribute "new value"
    dsmod user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology"
- Pipe the DNs from a query to change many objects at once; the switch for the department attribute is -dept (dsmod user has no -department switch):
    dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -dept "Information Technology"
- Review the list the query returns before piping it into dsmod, because every DN it returns is modified
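The query, inspect, modify sequence from the DSQuery, DSGet and DSMod slides, as one added example run from PowerShell (this is not code from the course). It assumes the contoso.com lab domain and the "User Accounts" OU named on the slides, and an account that may write the department attribute of the users it finds.

```powershell
# Added example, not from the course slides: one DS-command pipeline run from PowerShell.
# Assumes the contoso.com lab domain and OUs named on the slides.
$searchBase = 'ou=User Accounts,dc=contoso,dc=com'

# 1. Query. Scope the search to an OU subtree rather than the whole domain, and use
#    -limit 0 so that a result set larger than the default 100 is not silently truncated.
$dns = dsquery user $searchBase -scope subtree -name 'Dan*' -limit 0

# 2. Inspect before you change anything. dsquery writes quoted DNs, one per line, which
#    dsget reads from stdin; -samid and -disabled make an unexpected match obvious.
$dns | dsget user -samid -display -disabled

# 3. Modify only the reviewed set. The department switch is -dept; -c reports an object
#    that fails (for example, one you lack write permission on) and continues with the next.
if ($dns) {
    $dns | dsmod user -dept 'Information Technology' -c
}
```

The guard on $dns matters: piping an empty result into dsmod would leave it waiting on stdin rather than doing nothing.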
15 Delete an Object with DSRm
- dsrm objectDN
  - Note that DSRm does not take an objectType
  - DSRm asks for confirmation for each object unless you add -noprompt
    dsrm "cn=DESKTOP234,ou=Client Computers,dc=contoso,dc=com"
    dsquery computer -stalepwd 90 | dsrm
- A piped query deletes every object it returns; run the dsquery by itself first and review the list, and prefer disabling stale accounts before deleting them
16 Move an Object with DSMove
- dsmove objectDN -newparent targetOUDN
  - objectDN: the object to be moved
  - targetOUDN: the target (destination) OU
- dsmove objectDN -newname newName
  - objectDN: the object to be renamed
  - newName: the new name for the object (used in the RDN)
17 Add an Object with DSAdd
- dsadd objectType objectDN -attribute "value"
  - objectType: class of object to add
  - objectDN: the full DN of the new object; its RDN is the new object's name and the rest of the DN is the OU in which it is created
  - -attribute "value": attributes to populate
  - Each object class has required attributes
    dsadd ou "ou=Lab,dc=contoso,dc=com"  (creates the OU named Lab directly beneath the domain)
18 Administration Without the GUI
- Command Prompt: the DS commands, csvde.exe, and ldifde.exe
- LDAP: ldp.exe
- Windows PowerShell
- Scripting: Windows PowerShell scripts and VBScript
  - A script can use ADSI to create and modify objects
  - A script can use .csv files as data sources
19 Computer Account and Secure Channel
- Computers have accounts: a sAMAccountName and a password
  - Used to create a secure channel between the computer and a domain controller (the trust relationship)
- The secure channel is broken when the computer and the domain disagree about what the password is
  - Reinstalling the computer, even with the same name, produces a new machine SID and a new password
  - Restoring a computer from an old backup, or rolling back a computer to an old snapshot, brings back an old password
- To re-establish the trust relationship, either reset the computer account or re-join the domain
20 Join a Computer to the Domain
- You must have permission on the computer object (to create it, or to reset the password of a prestaged object)
- Joining requires a restart
21 The Computers Container and Organizational Units (OUs)
- The default Computers container is a container object, not an organizationalUnit object
  - Group Policy objects (GPOs) cannot be linked to a container
  - Sub-OUs cannot be created in a container
- Best practice is to create OUs for computer objects
  - Servers: typically subdivided by server role
  - Client computers: divide OUs based first on administration, then to facilitate configuration with Group Policy
22 Secure Computer Creation and Joins
- Prestage computer objects in the correct OUs
  - The computer is in the correct OU and does not require moving
  - Group Policy applies to the computer immediately after it joins the domain
  - Tighter security on the computer OUs and on the Computers container
- Configure the default computer container with redircmp "DN of OU for new computer objects"
- Restrict the ability of users to create computers
  - By default, any authenticated user can join 10 computers to the domain without prestaging (the ms-DS-MachineAccountQuota attribute on the domain object); set it to 0 so that only prestaged or delegated joins succeed
  - Delegate to the appropriate groups the permission to create computer objects in the appropriate OUs
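The three hardening steps on this slide, as an added example in PowerShell (not the course's own code). It assumes the contoso.com domain, an existing OU "OU=Workstations,DC=contoso,DC=com", and a group named CONTOSO\Workstation Admins that should be the only principal able to prestage workstations; all three names are assumptions for the example. The quota write and dsacls need Domain Admins-equivalent rights.

```powershell
# Added example, not from the course slides: lock down who can create computer objects.
# Assumed names: contoso.com, OU=Workstations, and the group CONTOSO\Workstation Admins.
$domainDn   = 'DC=contoso,DC=com'
$computerOu = "OU=Workstations,$domainDn"

# 1. Redirect new, non-prestaged computer objects out of the Computers container into an OU,
#    so the GPOs linked to that OU apply at the computer's first boot.
redircmp $computerOu

# 2. ms-DS-MachineAccountQuota lives on the domain object. Read the weak default (10),
#    then set it to 0 so that unprivileged users can no longer add machines at all.
$domain = [ADSI]"LDAP://$domainDn"
$quota  = $domain.Get('ms-DS-MachineAccountQuota')
if ([int]$quota -gt 0) {
    Write-Warning "Any authenticated user may currently join $quota computers; setting the quota to 0."
    $domain.Put('ms-DS-MachineAccountQuota', 0)
    $domain.SetInfo()
}

# 3. Delegate only "Create Computer objects" (CC = Create Child of class computer) on the
#    workstation OU to the admin group; /I:T applies it to the OU and everything beneath it.
dsacls $computerOu /I:T /G 'CONTOSO\Workstation Admins:CC;computer'

# Verify: the OU's ACL should now list the group with Create Child for computer objects.
dsacls $computerOu
```

Setting the quota to 0 does not affect accounts that already have an explicit permission on an OU, which is why step 3 grants the delegation before anyone needs it.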
23 Prestage a Computer Account
- Prestage (pre-create) the computer in the correct OU: right-click the OU, point to New, and choose Computer
24 Automate Computer Account Creation
- Comma-Separated Value Directory Exchange (CSVDE): import (create) or export computer accounts
- LDAP Data Interchange Format Directory Exchange (LDIFDE): import (create), modify, or export computer accounts
- DSAdd: create computer accounts and set initial properties
- NetDom: create computer accounts, and join machines to the domain
25 Import Computers with CSVDE
- csvde -i -f filename [-k]
  - -i: import (the default mode is export)
  - -k: continue past errors (such as Object Already Exists)
  - The file is a .csv: the first row lists the attribute names (DN, objectClass, sAMAccountName, and so on) and each following row is one object
- (figure: filename.csv imported into, or exported from, Active Directory by CSVDE.exe)
26 Import Computers with LDIFDE
- LDAP Data Interchange Format (LDIF)
- ldifde [-i] [-f filename] [-k]
  - -i: import (the default mode is export)
  - -k: continue past errors (Object Already Exists)
- (figure: filename.ldf imported into, or exported from, Active Directory by LDIFDE.exe)
- Example filename.ldf that creates one computer account:
    dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: FILE25
    userAccountControl: 4096
    sAMAccountName: FILE25$
  - userAccountControl 4096 is WORKSTATION_TRUST_ACCOUNT, and a computer's sAMAccountName is its name followed by $
27 Create Computers with DSAdd
- dsadd computer ComputerDN
  - ComputerDN: the distinguished name (DN) of the computer
- Multiple values can be provided by:
  - Separating ComputerDN ComputerDN ... with a space
  - Leaving ComputerDN empty, then entering DNs one at a time followed by ENTER, with CTRL+Z and then ENTER after the last DN
  - Piping a list of DNs from another command, such as DSQuery
- Optional switches: -samid ComputerName, -desc Description, -loc Location
28 Create and Join Computers with NetDom
- Create the account:
    netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
- Join the domain (and, if necessary, create the account):
    netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
  - Use * or /SecurePasswordPrompt so that the password is prompted for rather than typed on the command line, where it ends up in command history and process listings
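The LDIFDE and NetDom slides together describe one procedure: prestage the accounts in bulk, then join each machine. The following added example (not course code) builds the LDIF records of the LDIFDE slide from a list, imports them, and joins one of the machines. The server names, the OU and the join account CONTOSO\svc-join are constructed for the example.

```powershell
# Added example, not from the course slides: prestage servers with one LDIFDE import,
# then join a machine with netdom. Names, OU and the join account are constructed.
$servers = @(
    @{ Name = 'FILE25'; Ou = 'OU=File,OU=Servers,DC=contoso,DC=com' },
    @{ Name = 'FILE26'; Ou = 'OU=File,OU=Servers,DC=contoso,DC=com' }
)

# One "changetype: add" record per computer. Naming only the structural class is enough;
# Active Directory fills in top/person/organizationalPerson/user. 4096 is
# WORKSTATION_TRUST_ACCOUNT, and a computer's sAMAccountName ends with $.
$ldif = foreach ($s in $servers) {
@"
dn: CN=$($s.Name),$($s.Ou)
changetype: add
objectClass: computer
cn: $($s.Name)
sAMAccountName: $($s.Name)`$
userAccountControl: 4096

"@
}

$ldifPath = Join-Path $env:TEMP 'prestage.ldf'
$ldif | Set-Content -Path $ldifPath -Encoding ASCII

# -i imports (default is export); -k keeps going past "Object Already Exists" so a re-run
# after a partial failure is safe.
ldifde -i -f $ldifPath -k

# Run this part on FILE25 itself. /OU must match the prestaged object's container, and
# /SecurePasswordPrompt asks for the join account's password instead of taking it on the
# command line. /REBoot:30 restarts the machine 30 seconds after the join.
netdom join FILE25 /Domain:contoso.com /OU:'OU=File,OU=Servers,DC=contoso,DC=com' /UserD:CONTOSO\svc-join /SecurePasswordPrompt /REBoot:30
```

Because the objects were prestaged, the join account only needs the right to reset the password on those computer objects, not the right to create computers anywhere.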
29 Configure Computer Attributes
- Useful attributes
  - Description
  - Location, for example US\WA\SEA\HQ\Building33\Floor3\Q04\1531; used by location-aware applications such as Search For Printers
  - Managed By: a link to the user who is the primary user of the computer, or to the group that is responsible for the computer (servers)
  - Member Of: groups, used for Group Policy filtering and software deployment
- dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]
30 Move a Computer
- Using Active Directory Users and Computers: drag and drop, or right-click the computer and then click Move
- dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
  - -newname NewName: used to rename a computer
  - -newparent ParentDN: used to move a computer to the OU specified by ParentDN
31 Recognize Computer Account Problems
- Logon errors
- Password, trust, or secure channel errors
- Problems in the relationship with the domain or domain controllers
- A computer account is missing in Active Directory
32 Reset a Computer Account
- Do not simply remove the computer from the domain and rejoin: that creates a new account with a new SID and lost group memberships
- Reset the secure channel
  - Active Directory Users and Computers**: right-click the computer, and then click Reset Account
  - DSMod**: dsmod computer "ComputerDN" -reset
  - NetDom: netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password | *}
  - NLTest: nltest /server:ServerName /sc_reset:DomainName
  - ** = resets the account password in Active Directory only, so the computer must then rejoin the domain and reboot
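The secure channel slide and the two slides above describe the symptom (computer and domain disagree about the password) and the fix that preserves the account. The following added example (not course code) runs on the affected member and repairs the channel in place, falling back to netdom reset; it assumes the contoso.com domain and a credential that is allowed to reset the computer object. Test-ComputerSecureChannel ships with Windows 7 and Windows Server 2008 R2 and later.

```powershell
# Added example, not from the course slides: detect a broken secure channel and repair it
# without rejoining, so the computer keeps its SID and group memberships. Assumes contoso.com.
function Repair-SecureChannel {
    param(
        [string]$Domain = 'contoso.com',
        [System.Management.Automation.PSCredential]$Credential
    )

    if (Test-ComputerSecureChannel) {
        "Secure channel to $Domain is healthy."
        return
    }

    "Secure channel is broken (typical after a snapshot rollback); resetting instead of rejoining."
    if ($Credential -eq $null) { $Credential = Get-Credential }

    # Preferred: repair from PowerShell. This resets the password on both sides, the same
    # effect as netdom reset, and needs no rejoin or reboot.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        'Repaired with Test-ComputerSecureChannel -Repair.'
    }
    else {
        # Fallback: netdom reset. /PasswordO:* prompts rather than taking the password as an argument.
        netdom reset $env:COMPUTERNAME /Domain:$Domain /UserO:$($Credential.UserName) /PasswordO:*
    }

    # Confirm which DC the channel is now established with.
    nltest /sc_query:$Domain
}

Repair-SecureChannel
```

Reset Account in the snap-in and dsmod -reset only change the password stored in Active Directory, which is why those paths end with a rejoin; the repair above changes both copies at once.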
33 Rename a Computer
- Use System Properties on the computer itself to rename the computer and its account together
- NetDom:
    netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
- Be cautious of the impact a rename can have on services and on certificates associated with the computer's name
34 Disable and Enable a Computer
- Disable a computer if it will be offline for an extended time, much as you disable a user who is on a leave of absence
  - Prevents the secure channel from being established, so users who do not have cached credentials on the computer cannot log on
- Active Directory Users and Computers: right-click the computer, and then click Enable Account or Disable Account
- DSMod:
    dsmod computer ComputerDN -disabled yes
    dsmod computer ComputerDN -disabled no
35 Delete and Recycle Computer Accounts
- Delete a computer with Active Directory Users and Computers: right-click the computer, and then click Delete
- Delete a computer with DSRm: dsrm ObjectDN
- Deleting destroys the SID and the group memberships
- If replacing or reinstalling a computer that will play the same role, reset the computer account instead of deleting it
  - Preserves all attributes of the computer, including its SID and group memberships
  - You can rename the object if the computer is being renamed during the reinstallation or upgrade
  - This "recycles" the computer account
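The DSRm slide pipes a stale-password query straight into dsrm, and the disable and delete slides above explain why that is too abrupt. The following added example (not course code) puts the three together as a two-stage cleanup: disable first, delete only what has stayed disabled and stale. It assumes the contoso.com domain and a workstation OU; the 90-day and 180-day thresholds are policy choices for the example, not values from the slides.

```powershell
# Added example, not from the course slides: stale-computer cleanup that disables before it
# deletes and never pipes an unreviewed query into dsrm. OU and thresholds are assumptions.
$ou     = 'OU=Workstations,DC=contoso,DC=com'
$report = Join-Path $env:TEMP 'stale-computers.txt'

# Stage 1: computers whose password is older than 90 days AND that have not logged on for
# 13 weeks. -stalepwd counts days, -inactive counts weeks; requiring both avoids disabling a
# machine that merely missed one password rotation. -limit 0 returns every match.
$stale = dsquery computer $ou -scope subtree -stalepwd 90 -inactive 13 -limit 0

# Keep the list for the change record and look at it before acting on it.
$stale | Set-Content -Path $report
$stale | dsget computer -samid -disabled

# Disable rather than delete: the account keeps its SID and group memberships and can be
# re-enabled with "dsmod computer <dn> -disabled no" if the machine turns up again.
if ($stale) {
    $stale | dsmod computer -disabled yes -c
}

# Stage 2 (a later run): delete only accounts that are already disabled and have stayed
# stale for 180 days / 26 weeks. dsrm reads DNs from stdin but confirms each one
# interactively unless -noprompt is given, so a scheduled run needs the switch.
$dead = dsquery computer $ou -scope subtree -stalepwd 180 -inactive 26 -disabled -limit 0
if ($dead) {
    $dead | dsrm -noprompt
}
```

Deleting is the point of no return: once the object is gone, rebuilding the machine means a fresh account with a new SID, which is exactly what the recycle slide says to avoid for a computer that will return in the same role.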