WCL313. Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true.


1 WCL313

2 Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

3 Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90"
  Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan "90"
  Get-ADGroup -LDAPFilter "(!(member=*))"

5 http://blogs.technet.com/b/askpfeplat/archive/2013/03/27/how-to-create-an-active-directory-subnet-site-with-32-or-128-and-why.aspx

6 What’s wrong with this picture?

7 Some interesting advice on Technet: calculating site link costs… http://technet.microsoft.com/en-us/library/bb727085.aspx#EEAA

8 Most NZ AD deployments suit a basic model

9 Guidelines
- Keep it simple
- Avoid loading site links with multiple sites
- Register your subnets
- Consider enabling change notification on site links (http://blogs.technet.com/b/qzaidi/archive/2010/09/23/enable-change-notifications-between-sites-how-and-why.aspx)
- Don’t disable site transitivity (bridge all site links) – it might break DFS
- Don’t disable the KCC
- Avoid manually created connection objects

11 No more Ntdsutil.exe! Windows Server 2008 (and up)

12 Protecting your AD against poor delegations since 1999!

13 Example
- Service Desk has Full permissions over user objects in OU=Minions
- Bob Smith in OU=Minions is added to Account Operators group
- Service Desk can’t set Bob’s password (which makes Bob sad)
- Service Desk are given Domain Admins and everyone is happy???
AdminSDHolder behaviour
- Runs once per hour on PDCE
- Finds all protected objects
- Stamps security descriptor from AdminSDHolder container object onto protected objects
- Sets adminCount attribute on object to 1 (default = not set)
- AdminSDHolder process does not work in reverse, i.e. when objects are removed from protected groups

14 Finding protected objects
Get-ADObject -LDAPFilter "(adminCount=1)"
Not 100% reliable! Value is not cleared when object becomes unprotected
Options for cleaning up:
1 – Manual (safe, but tedious)
2 – Scripted (quick, but introduces small element of risk) http://www.open-a-socket.com/index.php/2013/09/11/cleaning-up-adminsdholder-orphans
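Slide 14's scripted clean-up option, as an added example that is not code from the deck or from the linked blog post: it resolves the default protected groups by well-known SID, treats their nested members (plus Administrator and krbtgt) as legitimately protected, and reports every other object still stamped adminCount=1. The -Fix switch is this script's own; it assumes the ActiveDirectory module and a single-domain forest.

```powershell
# Added example (not from the WCL313 deck): list, and optionally fix, AdminSDHolder "orphans" -
# objects still stamped adminCount=1 although they are no longer in any protected group.
# Assumes the ActiveDirectory module and a single-domain forest; run without -Fix first.
param([switch]$Fix)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$domSid = $domain.DomainSID.Value

# Default protected groups, addressed by well-known SID rather than (localisable) name.
$protectedGroupSids = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550',
                        'S-1-5-32-551', 'S-1-5-32-552',
                        "$domSid-512", "$domSid-516", "$domSid-521", "$domSid-518", "$domSid-519")
# Administrator and krbtgt are protected directly, not through group membership.
$alwaysProtectedSids = @("$domSid-500", "$domSid-502")

# Build the set of DNs that SDProp legitimately protects: the groups themselves plus all
# nested members, resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
$protectedDns = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($sid in $protectedGroupSids) {
    $grp = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    [void]$protectedDns.Add($grp.DistinguishedName)
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" |
        ForEach-Object { [void]$protectedDns.Add($_.DistinguishedName) }
}

# Everything still carrying the stamp that is not in the protected set is an orphan.
$orphans = Get-ADObject -LDAPFilter "(adminCount=1)" -Properties objectSid |
    Where-Object {
        -not $protectedDns.Contains($_.DistinguishedName) -and
        -not ($_.objectSid -and $alwaysProtectedSids -contains $_.objectSid.Value)
    }

foreach ($obj in $orphans) {
    if (-not $Fix) { Write-Output "Orphan: $($obj.DistinguishedName)"; continue }
    # Clear the stamp and re-enable ACL inheritance, which SDProp switched off.
    Set-ADObject -Identity $obj.DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing explicit ACEs
    Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $acl
    Write-Output "Fixed:  $($obj.DistinguishedName)"
}
```

Review the report before re-running with -Fix; an object that is protected through a custom group added to AdminSDHolder's scope, or excluded via dsHeuristics, needs to be judged on its own.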

17 Not so many “spare” AD attributes
- Exchange extension attributes not intended for generic use
- Cleared when mail/mailbox-enabling or mail/mailbox-disabling an object
- Since 2003 (Forest Functional Level) you can deactivate (defunct) classes and/or attributes

20 $BA = (Get-ADDomain).DomainSID
   $BA = $BA.ToString() + "-500"
   Get-ADUser -Identity $BA

21 Technet offers some potentially confusing advice
Keep things simple…
If you have a single domain forest:
- Make all your DCs GCs
- Assign all FSMO roles to a single DC
If you have a multi-domain forest:
- Make all your DCs GCs (unless you have bandwidth constraints)
- Assign all FSMO roles to a single DC in each domain

22 Move-ADDirectoryServerOperationMasterRole -identity DC1 -OperationMasterRole DomainNamingMaster, SchemaMaster, PDCEmulator, InfrastructureMaster, RIDMaster

23 Introduced in Windows Server 2008
- Taken using Ntdsutil.exe
- Provide point-in-time read-only views of AD
- Uses Shadow Storage allocation
Useful for:
- Fast manual or scripted reversion of changes
- Identifying backups to use for authoritative restore
- Combines well with AD auditing: who did what and when?

24 SCHTASKS /Create /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00
Check the Shadow Storage allocation – is it sufficient?

26 repadmin /showobjmeta DC1 "CN=Aaron Morgan,OU=Standard Users,DC=fabrikam,DC=com"

27 Old – 9 settings
   New – 53 settings

30 $grps = "Enterprise Admins", "Schema Admins"
   foreach ($grp in $grps) {
       Get-ADGroupMember -Identity $grp |
           ForEach-Object { Remove-ADGroupMember -Identity $grp -Members $_ -Confirm:$false }
   }

31 Best practice:
- Create staging OUs
- Apply highly restrictive Group Policy
- Redirect

33 Schema Update
- Windows Server 2012 R2 Domain and Forest Functional Level
- Workplace Join and Web Application Proxy
- New Protected Users global security group
- Authentication Policy and Silos (requires 2012 R2 DFL)

34 http://technet.microsoft.com/en-us/library/dn303411.aspx
- Dfscmd.exe
- File Replication Service (FRS; part of the Active Directory Domain Services role) - migrate any FRS-based SYSVOLs to use Distributed File System Replication (DFSR)
- Windows Server 2003 domain and forest functional levels

36 Head to... aka.ms/te
