1 Week 3 Secure and Efficient Administration of Act. Dir. Work with Active Directory Snap-Ins Custom Consoles and Least Privilege Find Objects in Active.

Presentation transcript:

1 Week 3: Secure and Efficient Administration of Active Directory
 Work with Active Directory Snap-Ins
 Custom Consoles and Least Privilege
 Find Objects in Active Directory
 Use DS Commands to Administer Active Directory
 Create Computer Accounts and Join the Domain
 Administer Computer Objects and Accounts

2 The MMC Console
Labelled parts of the console window: Show/Hide Console Tree, Show/Hide Actions Pane, Console Tree, Details Pane, Actions Pane.

3 Active Directory Administration Snap-ins
 Active Directory Users and Computers: manage the most common day-to-day objects, including users, groups, computers, printers, and shared folders
 Active Directory Sites and Services: manage replication, network topology, and related services
 Active Directory Domains and Trusts: configure and maintain trust relationships and the domain and forest functional levels
 Active Directory Schema: administer the schema

4 Find Active Directory Snap-ins
Active Directory snap-ins are installed on a domain controller
 Server Manager: Users and Computers, Sites and Services
 Administrative Tools folder
Install the RSAT on a member client or server
 Windows Server® 2008: Server Manager → Features → Add Feature → Remote Server Administration Tools
 Windows Vista® SP1, Windows 7: download RSAT, double-click the file, then follow the instructions in the Setup Wizard. Then enable the tools: Control Panel → Programs And Features → Turn Windows Features On Or Off → Remote Server Administration Tools
Demo: AD snap-ins

5 Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Maintain at least two accounts
 A standard user account
 An account with administrative privileges
Log on to your computer as a standard user
 Do not log on to your computer with administrative credentials
Launch administrative consoles with Run As Administrator
 1. Right-click the console and click Run As Administrator
 2. Click Use another account
 3. Enter the username and password for your administrative account
Demo

6 Find Objects in Active Directory
When you assign permissions to a folder or file
 Select the group or user to which permissions are assigned
When you add members to a group
 Select the user or group that will be added as a member
When you configure a linked attribute such as Managed By
 Select the user or group that will be displayed on the Managed By tab
When you need to administer a user, group, or computer
 Perform a search to locate the object in Active Directory instead of browsing for it
Demo

7 Options for Locating Objects in Active Directory Users and Computers
 Sorting: use the column headings in Active Directory Users and Computers to order objects by a column's values
 Searching: provide the criteria for which you want to search
Demo

8 DNs, RDNs, and CNs
A DN must be completely unique; an RDN must therefore be unique within its parent container.
 Distinguished Name (DN): cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com
 Parent container: ou=Employees,ou=User Accounts,dc=contoso,dc=com
 Relative Distinguished Name (RDN): cn=Jeff Ford
 Common Name (CN): Jeff Ford
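To make the DN/RDN/CN relationship concrete, here is an added example (not part of the slide deck) that splits a DN into its RDNs, labels the parts the slide names, and applies the uniqueness rule; the function names are mine, and backslash escapes are honoured so an escaped comma inside a CN does not split the name.

```python
# Added example, not from the slides: split an LDAP distinguished name into
# its RDNs and derive the parts the slide labels (RDN, parent container, CN).
# Backslash escapes (RFC 4514) are honoured, so "cn=Ford\, Jeff" is one RDN.

def split_dn(dn: str) -> list:
    """Return the RDN strings of dn, most specific first."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])        # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def describe_dn(dn: str) -> dict:
    """Label the pieces of a DN the way the slide does."""
    rdns = split_dn(dn)
    attr, _, value = rdns[0].partition("=")
    return {
        "dn": dn,
        "rdn": rdns[0],
        "parent": ",".join(rdns[1:]),
        "cn": value.strip() if attr.strip().lower() == "cn" else None,
    }


def rdn_conflict(dn_a: str, dn_b: str) -> bool:
    """True when two DNs would collide: same parent container and same RDN
    (DN matching is case-insensitive). This is the uniqueness rule the slide
    states: an RDN only has to be unique within its parent."""
    a, b = describe_dn(dn_a), describe_dn(dn_b)
    return (a["parent"].lower() == b["parent"].lower()
            and a["rdn"].lower() == b["rdn"].lower())
```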

9 The DS Commands
 DSQuery: performs a query based on parameters provided at the command line and returns a list of matching objects
 DSGet: returns specified attributes of an object
 DSMod: modifies specified attributes of an object
 DSMove: moves an object to a new container or OU
 DSAdd: creates an object in the directory
 DSRm: removes an object, all objects in the subtree beneath a container object, or both
Get help with DScommand /?, for example: dsquery /?

10 Find Objects with DSQuery
dsquery objectType
 objectType: user, computer, group, ou
 By default, the search scope is the entire domain
 -limit switch to specify the number of results: 100 is the default; 0 means "return all results"
dsquery objectType -attribute "criteria"
 attribute is objectType specific: dsquery objectType /?
 Examples for user: -name, -samid, -office, -desc
 Put criteria in quotes if it contains a space. Wildcards (*) are allowed
dsquery objectType BaseDN -scope {subtree|onelevel|base}
 Specify the search start and scope

11 Find Objects with DSQuery

12 Retrieve Object Attributes with DSGet
dsget objectType objectDN -attribute
 Common syntax for many DS commands
dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -attribute
What is the difference between DSGet and DSQuery?
 DSGet retrieves a property from a specific object, whereas DSQuery finds an object based on a property

13 Pipe DNs to Other DS Commands
Typing DNs is difficult!
 dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -attribute
DSQuery returns DNs
 dsquery user -name "Jeff Ford" returns "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com"
Pipe (send) the DNs from DSQuery to DSGet with |
 dsquery user -name "Jeff Ford" | dsget user -attribute
 Or with multiple results: dsquery user -name "Dan*" | dsget user -attribute

14 Modify Object Attributes with DSMod
dsmod objectType "objectDN" -attribute "new value"
dsmod user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology"
dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -dept "Information Technology"

15 Delete an Object with DSRm
dsrm objectDN
 Note that DSRm does not take an objectType
dsrm "cn=DESKTOP234,ou=Client Computers,dc=contoso,dc=com"
dsquery computer -stalepwd 90 | dsrm
 -stalepwd 90: computers whose password has not changed in 90 days
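The "-stalepwd 90" pipeline above deletes whatever matches, so here is an added example (not from the slides) that reproduces the same age check over exported records and returns the candidates for review, oldest first, along with whether each is already disabled; the function names and the sample records are mine, and pwdLastSet is interpreted as a Windows FILETIME.

```python
# Added example, not from the slides: the check behind "dsquery computer
# -stalepwd 90", done by hand over exported records so the candidate list can
# be reviewed (and disabled first, per the later slide) before anything is
# piped to dsrm. pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. All records below are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl bit on a computer
ACCOUNTDISABLE = 0x0002              # userAccountControl bit for "disabled"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert 100-ns ticks since 1601 to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic, so exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def stale_computers(records, days: int, now: datetime) -> list:
    """Return computers whose password is older than `days`, oldest first.
    A pwdLastSet of 0 (password never set) sorts as 1601 and is always stale."""
    cutoff = now - timedelta(days=days)
    hits = []
    for r in records:
        last = filetime_to_datetime(r["pwdLastSet"])
        if last < cutoff:
            hits.append({
                "dn": r["dn"],
                "daysStale": (now - last).days,
                "disabled": bool(r["userAccountControl"] & ACCOUNTDISABLE),
            })
    return sorted(hits, key=lambda h: h["daysStale"], reverse=True)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for a repeatable run
RECORDS = [  # constructed sample, shaped like a dsquery/csvde export
    {"dn": "CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com",
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12)),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"dn": "CN=DESKTOP234,OU=Client Computers,DC=contoso,DC=com",
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=140)),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"dn": "CN=LAB-OLD,OU=Lab,DC=contoso,DC=com",
     "pwdLastSet": 0,   # never joined; treated as stale too
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},
]

if __name__ == "__main__":
    for hit in stale_computers(RECORDS, 90, NOW):
        print(f'{hit["dn"]}  stale {hit["daysStale"]}d  disabled={hit["disabled"]}')
```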

16 Move an Object with DSMove
dsmove objectDN -newparent targetOUDN
 objectDN: object to be moved
 targetOUDN: target (destination) OU
dsmove objectDN -newname newName
 objectDN: object to be moved
 newName: new name for the object (used in the RDN)

17 Add an Object with DSAdd
dsadd objectType objectDN -attribute "value"
 objectType: class of object to add
 objectDN: DN of the new object; its parent is the OU in which the object is created
 -attribute "value": attributes to populate
Each object class has required attributes
dsadd ou "ou=Lab,dc=contoso,dc=com"

18 Administration Without the GUI
Command Prompt
 DS commands
 csvde.exe and ldifde.exe
LDAP
 ldp.exe
Windows PowerShell
Scripting
 Windows PowerShell scripts
 VBScript
 Scripts can use ADSI to create and modify objects
 Scripts can use .csv files as data sources

19 Computer Account and Secure Channel
Computers have accounts
 sAMAccountName and password
 Used to create a secure channel between the computer and a domain controller (the trust relationship)
The secure channel can be broken
 Reinstalling the computer, even with the same name, generates a new SID and password
 Restoring a computer from an old backup, or rolling back a computer to an old snapshot
 In each case the computer and the domain disagree about what the password is
Re-establish the trust relationship
 Reset the computer account
 Re-join the domain

20 Join a Computer to the Domain
 You must have permissions to the computer object
 Requires a restart

21 The Computers Container and Organizational Units (OUs)
The default Computers container is a container, not an organizationalUnit object
 Cannot link Group Policy objects (GPOs) to a container
 Cannot create sub-OUs in a container
Best practice is to create OUs for computer objects
 Servers: typically subdivided by server role
 Client computers: divide OUs based first on administration, then to facilitate configuration with Group Policy

22 Secure Computer Creation and Joins
Prestage computer objects in the correct OUs
 Computer is in the correct OU and does not require moving
 Group Policy applies to the computer immediately after it joins the domain
 Tighter security of the computer OU and the Computers container
Configure the default computer container
 Use the command: redircmp "DN of OU for new computer objects"
Restrict the ability of users to create computers
 By default, any user can join 10 machines to the domain, which requires no prestaging
 Delegate to appropriate groups the permission to create computer objects in the appropriate OUs

23 Prestage a Computer Account
Prestage (pre-create) a computer in the correct OU
 Right-click the OU and choose New → Computer

24 Automate Computer Account Creation
 Comma Separated Value Directory Exchange (CSVDE): import (create) or export computer accounts
 Lightweight Directory Access Protocol (LDAP) Data Interchange Format Directory Exchange (LDIFDE): import (create), modify, or export computer accounts
 DSAdd: create computer accounts and set initial properties
 NetDom: create computer accounts; join machines to the domain

25 Import Computers with CSVDE
CSVDE.exe
 csvde -i -f filename [-k]
 -i: import (the default mode is export)
 -k: continue past errors (such as Object Already Exists)
[Diagram: the file named by -f is imported into, or exported from, Active Directory by CSVDE.exe]

26 Import Computers with LDIFDE
Lightweight Directory Access Protocol Data Interchange Format (LDIF)
LDIFDE.exe
 ldifde [-i] [-f filename] [-k]
 -i: import (the default mode is export)
 -k: continue past errors (such as Object Already Exists)
[Diagram: filename.ldf is imported into, or exported from, Active Directory by LDIFDE.exe]
Example LDIF entry that creates a computer account:
  dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
  changetype: add
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  objectClass: computer
  cn: FILE25
  userAccountControl: 4096
  sAMAccountName: FILE25$
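Hand-writing one LDIF record per computer does not scale, so here is an added example (not from the slides) that generates an LDIFDE import file from .csv rows, producing records of exactly the shape shown above and prestaging each computer in the OU named in its row; the function names and the sample rows are mine, and values LDIF cannot carry verbatim are base64-encoded as the format requires.

```python
# Added example, not from the slides: build an LDIFDE import file that
# prestages computer accounts in the OU they belong in, mirroring the FILE25
# entry above. Rows are read from .csv text; the sample rows are constructed.
import base64
import csv
import io

WORKSTATION_TRUST_ACCOUNT = 4096   # userAccountControl value used on the slide


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line. Values LDIF cannot carry verbatim (non-ASCII,
    leading/trailing space, leading ':' or '<') are base64-encoded with '::'."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def computer_entry(name: str, ou_dn: str, description: str = "") -> str:
    """LDIF 'add' record for one computer, same shape as the slide's example."""
    name = name.upper()
    lines = [
        ldif_attr("dn", f"CN={name},{ou_dn}"),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        "objectClass: computer",
        ldif_attr("cn", name),
        ldif_attr("userAccountControl", str(WORKSTATION_TRUST_ACCOUNT)),
        ldif_attr("sAMAccountName", f"{name}$"),   # computer SAM names end in $
    ]
    if description:
        lines.append(ldif_attr("description", description))
    return "\n".join(lines) + "\n"


def build_ldif(csv_text: str) -> str:
    """Rows of name,ou,description -> LDIF records separated by blank lines."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n".join(computer_entry(r["name"], r["ou"], r.get("description") or "")
                     for r in rows)


# Constructed input; the OU column is quoted because DNs contain commas.
SAMPLE_CSV = """name,ou,description
FILE25,"OU=File,OU=Servers,DC=contoso,DC=com",Seattle file server
PRINT07,"OU=Print,OU=Servers,DC=contoso,DC=com",Bürodrucker
"""

if __name__ == "__main__":
    # Save the output as computers.ldf, then run: ldifde -i -f computers.ldf -k
    print(build_ldif(SAMPLE_CSV), end="")
```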

27 Create Computers with DSAdd
DSAdd creates objects in Active Directory
dsadd computer ComputerDN
 ComputerDN: the distinguished name (DN) of the computer
 Multiple values can be provided by:
  Separating ComputerDN ComputerDN… with a space
  Leaving ComputerDN empty, then entering DNs one at a time followed by ENTER, with CTRL+Z and then ENTER after the last DN
  Piping a list of DNs from another command, such as DSQuery
Optional options
 -samid ComputerName
 -desc Description
 -loc Location

28 Create and Join Computers with NetDom
Create the account
 netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
Join the domain (and, if necessary, create the account)
 netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

29 Configure Computer Attributes
Useful attributes
 Description
 Location, for example US\WA\SEA\HQ\Building33\Floor3\Q04\1531; used by location-aware applications such as Search For Printers
 Managed By: link to the user who is the primary user of the computer, or to the group that is responsible for the computer (servers)
 Member Of: groups, used for Group Policy filtering and software deployment
dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]

30 Move a Computer
Using Active Directory Users and Computers
 Drag and drop
 Right-click the computer, and then click Move
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
 -newname NewName: used to rename a computer
 -newparent ParentDN: used to move a computer to the OU specified by ParentDN

31 Recognize Computer Account Problems
Logon errors
 Password
 Trust
 Secure channel
 Relationships with the domain or domain controllers
A computer account is missing in Active Directory

32 Reset a Computer Account
Do not simply remove the computer from the domain and rejoin
 Creates a new account: new SID, lost group memberships
Reset the secure channel
 Active Directory Users and Computers**: right-click the computer, and then click Reset Account
 DSMod**: dsmod computer "ComputerDN" -reset
 NetDom: netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password|*}
 NLTest: nltest /server:ServerName /sc_reset:DomainName
** = requires rejoining the domain and rebooting

33 Rename a Computer
Use System Properties on the computer itself to rename the computer and its account correctly
NetDom
 netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
Be cautious of the impact a rename can have on services and on certificates associated with the computer's name

34 Disable and Enable a Computer
Disable a computer if it will be offline for an extended time
 Similar to disabling a user who is on a leave of absence
 Prevents the secure channel from being established, so users who do not have cached credentials on the computer cannot log on
Active Directory Users and Computers
 Right-click the computer, and then click Enable Account or Disable Account
DSMod
 dsmod computer ComputerDN -disabled yes
 dsmod computer ComputerDN -disabled no

35 Delete and Recycle Computer Accounts
Delete a computer with Active Directory Users and Computers
 Right-click the computer, and then click Delete
Delete a computer with DSRm
 dsrm ObjectDN
Delete destroys the SID and group memberships
 If replacing or reinstalling a computer that will play the same role, reset the computer account instead of deleting it
 Preserves all attributes of the computer, including the SID and group memberships
 You can rename the object if the computer is being renamed during reinstallation/upgrade
 This "recycles" the computer account