1. Week 3 Objectives Manage User Accounts Manage Group Accounts Manage Computer Accounts Delegation Use Commandline Tools and Windows PowerShell for AD DS Administration Performe Bulk Operations with Windows PowerShell

2. AD DS Administration Tools To manage AD DS objects, you can use the following graphical tools: You can also use the following command-line tools: Active Directory Administration snap-ins Active Directory Administrative Center Active Directory module in Windows PowerShell Directory Service commands

3. Creating User Profiles

4. Group Types Distribution groups Used only with email applications Not security-enabled (no SID); cannot be given permissions Security groups Security principal with an SID; can be given permissions Can also be email-enabled

5. Group Scopes U User CComputer GGGlobal Group DLGDomain Local Group UGUniversal Group Group scope Members from same domain Members from domain in same forest Members from trusted external domain Can be assigned permissions to resources LocalU, C, GG, DLG, UG and local users U, C, GG, UG U, C, GG On the local computer only Domain Local U, C, GG, DLG, UG U, C, GG, UG U, C, GG Anywhere in the domain UniversalU, C, GG, UG U, C, GG, UG N/AAnywhere in the forest GlobalU, C, GG N/A Anywhere in the domain or a trusted domain

6. Implementing Group Management ACL_Sales_Read (Domain Local Group) Domain local groups Which provide management such as resource access, DL which are Sales (Global Group) Auditors (Global Group) In a multi domain forest, it is IGUDLA, where U is Universal Assigned access to a resource A Identities Users or computers, I which are members of Global groups Which collect members based on members’ roles, G which are members of

7. Default Groups Carefully manage the default groups that provide administrative privileges, because these groups: Typically have broader privileges than are necessary for most delegated environments Often apply protection to their members GroupLocation Enterprise AdminsUsers container of the forest root domain Schema AdminsUsers container of the forest root domain AdministratorsBuilt-in container of each domain Domain AdminsUsers container of each domain Server OperatorsBuilt-in container of each domain Account OperatorsBuilt-in container of each domain Backup OperatorsBuilt-in container of each domain Print OperatorsBuilt-in container of each domain

8. Special Identities Special identities: Are groups for which membership is controlled by the operating system Can be used by the Windows Server operating system to provide access to resources: Based on the type of authentication or connection Not based on the user account Important special identities include: Anonymous Logon Authenticated Users Everyone Interactive Network

9. Specifying the Location of Computer Accounts Best practice is to create OUs for computer objects Servers Typically subdivided by server role Client computers Typically subdivided by region Divide OUs: By administration To facilitate configuration with Group Policy

10. Computer Accounts and Secure Channels Computers have accounts sAMAccountName and password Used to create a secure channel between the computer and a domain controller Scenarios where a secure channel can be broken Reinstalling a computer, even with same name, generates a new SID and password Restoring a computer from an old backup, or rolling back a computer to an old snapshot Computer and domain disagree about what the password is

11. Resetting the Secure Channel Do not remove a computer from the domain and rejoin This process creates a new account, resulting in new SID and lost group memberships Options for resetting the secure channel: Active Directory Users and Computers DSMod.exe NetDom.exe NLTest.exe Windows PowerShell

12. Effective AD DS Permissions Permissions assigned to users and groups accumulate Best practice is to assign permissions to groups, not to individual users In the event of conflicts: To evaluate effective permissions, you can use: Deny permissions override Allow permissions Explicit permissions override Inherited permissions Explicit Allow overrides Inherited Deny The Effective Permissions tab Manual analysis

13. What Are DS Commands? Windows Server 2012 includes command-line tools that are suitable for use in scripts Examples To modify the department of a user account, type: To display the email of a user account, type: To delete a user account, type: To create a new user account, type: Dsmod user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –dept IT Dsget user "cn=Joe Healy,ou=Managers, dc=adatum,dc=com" –email Dsrm "cn=Joe Healy,ou=Managers,dc=adatum,dc=com" Dsadd user "cn=Joe Healy,ou=Managers,dc=adatum,dc=com"

14. What Is Csvde? AD DS Import Export csvde.exe filename.csv Use csvde to export objects to a.csv file: Use csvde to create objects from a.csv file: -f filename -d RootDN -p SearchScope -r Filter -l ListOfAtrributes csvde –i –f filename –k

15. What Is Ldifde? Use ldifde to export objects to a LDIF file: Use ldifde to create, modify, or delete objects: -f filename -d RootDN -r Filter -p SearchScope -l ListOfAttributes -o ListOfAttributes ldifde –i –f filename –k Export ldifde.exe filename.ldif AD DS Import

16. Using Windows PowerShell Cmdlets to Manage User Accounts Cmdlet Description New-ADUserCreates user accounts Set-ADUserModifies properties of user accounts Remove-ADUserDeletes user accounts Set-ADAccountPasswordResets the password of a user account Set-ADAccountExpirationModifies the expiration date of a user account Unlock-ADAccount Unlocks a user account after it has become locked after too many incorrect login attempts Enable-ADAccountEnables a user account Disable-ADAccountDisables a user account New-ADUser "Sten Faerch" –AccountPassword (Read-Host –AsSecureString "Enter password") ‑ Department IT

17. Using Windows PowerShell Cmdlets to Manage Groups New-ADGroup –Name "CustomerManagement" –Path "ou=managers,dc=adatum,dc=com" –GroupScope Global –GroupCategory Security Add-ADGroupMember CustomerManagement –Members "Joe" Cmdlet Description New-ADGroupCreates new groups Set-ADGroupModifies properties of groups Get-ADGroupDisplays properties of groups Remove-ADGroupDeletes groups Add-ADGroupMemberAdds members to groups Get-ADGroupMemberDisplays membership of groups Remove-ADGroupMemberRemoves members from groups Add-ADPrincipalGroupMembershipAdds group membership to objects Get-ADPrincipalGroupMembershipDisplays group membership of objects Remove-ADPrincipalGroupMembershipRemoves group membership from an object

18. Using Windows PowerShell Cmdlets to Manage Computer Accounts New-ADComputer –Name LON-SVR8 -Path "ou=marketing,dc=adatum,dc=com" -Enabled $true Test-ComputerSecureChannel -Repair Cmdlet Description New-ADComputerCreates new computer accounts Set-ADComputer Modifies properties of computer accounts Get-ADComputer Displays properties of computer accounts Remove-ADComputerDeletes computer accounts Test-ComputerSecureChannel Verifies or repairs the trust relationship between a computer and the domain Reset-ComputerMachinePasswordResets the password for a computer account

19. Using Windows PowerShell Cmdlets to Manage OUs New-ADOrganizationalUnit –Name Sales –Path "ou=marketing,dc=adatum,dc=com" –ProtectedFromAccidentalDeletion $true Cmdlet Description New-ADOrganizationalUnitCreates organizational units Set-ADOrganizationalUnit Modifies properties of organizational units Get-ADOrganizationalUnitViews properties of organizational units Remove-ADOrganizationalUnitDeletes organizational units New-ADOrganizationalUnitCreates organizational units Set-ADOrganizationalUnit Modifies properties of organizational units Get-ADOrganizationalUnitViews properties of organizational units

20. What Are Bulk Operations? A bulk operation is a single action that changes multiple objects The process for performing a bulk operation is: You can perform bulk operations by using: Graphical tools Command-line tools Scripts 1.Define a query 2.Modify the objects defined by the query

21. Querying Objects with Windows PowerShell Show all the properties for a user account: Show all the user accounts in the Marketing OU and all its subcontainers: Show all of the user accounts with a last logon date older than a specific date: Show all of the user accounts in the Marketing department that have a last logon date older than a specific date: Get ADUser Administrator Properties * Get ADUser –Filter * SearchBase "ou=Marketing,dc=adatum,dc=com" SearchScope subtree Get ADUser Filter {lastlogondate lt "January 1, 2012"} Get ADUser Filter {(lastlogondate lt "January 1, 2012") and (department eq "Marketing")} OperatorDescription -eqEqual to -neNot equal to -ltLess than -leLess than or equal to -gtGreater than -geGreater than or equal to -likeUses wildcards for pattern matching ParameterDescription SearchBaseDefines the AD DS path to begin searching. SearchScopeDefines at what level below the SearchBase a search should be performed. ResultSetSizeDefines how many objects to return in response to a query. PropertiesDefines which object properties to return and display.

22. Modifying Objects with Windows PowerShell Use the pipe character ( | ) to pass a list of objects to a cmdlet for further processing Get ‑ ADUser ‑ Filter {company ‑ notlike "*"} | Set ‑ ADUser ‑ Company "A. Datum" Get ‑ ADUser ‑ Filter {lastlogondate ‑ lt "January 1, 2012"} | Disable ‑ ADAccount Get Content C:\users.txt | Disable ADAccountGet Content C:\users.txt | Disable ADAccount

23. Working with CSV Files The first line of a.csv file defines the names of the columns A foreach loop processes the contents of a.csv that have been imported into a variable FirstName,LastName,Department Greg,Guzik,IT Robin,Young,Research Qiong,Wu,Marketing $users=Import-CSV C:\users.csv Foreach ($i in $users) { Write-Host "The first name is:" $i.FirstName }