Week 3: Secure and Efficient Administration of Active Directory

Upload: brittney-wilkerson

Post on 26-Dec-2015

1

Week 3 Secure and Efficient Administration of Active Directory

• Work with Active Directory Snap-Ins

• Custom Consoles and Least Privilege

• Find Objects in Active Directory

• Use DS Commands to Administer Active Directory

• Create Computer Accounts and Join the Domain

• Administer Computer Objects and Accounts

2

The MMC Console

• Console Tree (toolbar button: Show/Hide Console Tree)

• Details Pane

• Actions Pane (toolbar button: Show/Hide Actions Pane)

3

Active Directory Administration Snap-ins

• Active Directory Users and Computers

Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders

• Active Directory Sites and Services

Manage replication, network topology, and related services

• Active Directory Domains and Trusts

Configure and maintain trust relationships and the domain and forest functional level

• Active Directory Schema

Administer the Schema

4

Find Active Directory Snap-ins

• Active Directory snap-ins are installed on a domain controller

Server Manager: Users and Computers, Sites and Services

Administrative Tools folder

• Install the RSAT on a member client or server

Windows Server® 2008: Server Manager > Features > Add Feature > Remote Server Administration Tools

Windows Vista® SP1, Windows 7: Download RSAT from www.microsoft.com/downloads, double-click the file, then follow the instructions in the Setup Wizard; then Control Panel > Programs And Features > Turn Windows Features On Or Off > Remote Server Administration Tools

AD Snap-in Demo

5

Secure Administration with Least Privilege, Run As Administrator, and User Account Control

• Maintain at least two accounts

A standard user account

An account with administrative privileges

• Log on to your computer as a standard user

Do not log on to your computer with administrative credentials

• Launch administrative consoles with Run As Administrator

1. Right-click the console and click Run As Administrator

2. At the User Account Control prompt, click Use another account

3. Enter the username and password for your administrative account

Note: the credentials entered at the prompt create a logon session on that computer and stay in memory for the life of the console, so launch administrative consoles only from a trusted, well-maintained administrative workstation

Demo

6

Find Objects in Active Directory

• When you assign permissions to a folder or file

Select the group or user to which permissions are assigned

• When you add members to a group

Select the user or group that will be added as a member

• When you configure a linked attribute such as Managed By

Select the user or group that will be displayed on the Managed By tab

• When you need to administer a user, group, or computer

Perform a search to locate the object in Active Directory,instead of browsing for the object

Demo

7

Options for Locating Objects in Active Directory Users and Computers

Sorting: Use column headings in Active Directory Users and Computers to find the objects based on the columns

Searching: Provide the criteria for which you want to search

Demo

8

DNs, RDNs, and CNs

• DN must be completely unique

• RDN must therefore be unique within the parent container

Distinguished Name (DN): cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com

Relative Distinguished Name (RDN): cn=Jeff Ford

Common Name (CN): Jeff Ford

Parent container DN: ou=Employees,ou=User Accounts,dc=contoso,dc=com
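The relationship between a DN, its RDN and its parent is easy to get wrong when a name contains a comma, which LDAP escapes with a backslash. The following PowerShell function is an added example written for this page, not code from the slide deck; it splits a DN into its RDNs while honouring those escapes, using the slide's own DN as input. The function name is ours.

```powershell
# Added example (not from the slides): split an LDAP distinguished name into RDNs
# without breaking on escaped commas, then derive the RDN, CN and parent DN.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rdns = New-Object System.Collections.Generic.List[string]
    $sb   = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $DistinguishedName.Length) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            # A backslash escapes the next character (RFC 4514), e.g. "cn=Ford\, Jeff".
            # Keep the escape so the RDN can be fed back to dsget/dsmod unchanged.
            [void]$sb.Append($c).Append($DistinguishedName[$i + 1])
            $i += 2
            continue
        }
        if ($c -eq ',') {
            $rdns.Add($sb.ToString().Trim())   # unescaped comma: end of this RDN
            [void]$sb.Clear()
        } else {
            [void]$sb.Append($c)
        }
        $i++
    }
    $rdns.Add($sb.ToString().Trim())

    [pscustomobject]@{
        DN       = $DistinguishedName
        RDN      = $rdns[0]                                    # cn=Jeff Ford
        CN       = ($rdns[0] -replace '^cn=', '')              # Jeff Ford
        ParentDN = ($rdns | Select-Object -Skip 1) -join ','   # ou=Employees,...,dc=com
        Depth    = $rdns.Count
    }
}

# The slide's DN
Split-DistinguishedName 'cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com'

# A comma inside the CN is escaped; a naive -split ',' would have produced a bogus
# RDN "cn=Ford\" and a parent DN that begins with " Jeff".
Split-DistinguishedName 'cn=Ford\, Jeff,ou=Employees,ou=User Accounts,dc=contoso,dc=com'
```

The first call reports `Depth = 5` and `ParentDN = ou=Employees,ou=User Accounts,dc=contoso,dc=com`; the second also reports five components, with the RDN still `cn=Ford\, Jeff`. DNs returned by `dsquery` or the ActiveDirectory module are already escaped in this way, so they can be piped to other commands as-is.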

9

The DS Commands

• DSQuery. Performs a query based on parameters provided at the command line and returns a list of matching objects

• DSGet. Returns specified attributes of an object

• DSMod. Modifies specified attributes of an object

• DSMove. Moves an object to a new container or OU

• DSAdd. Creates an object in the directory

• DSRm. Removes an object, all objects in the subtree beneath a container object, or both

• DScommand /? shows the syntax of each command. For example: dsquery /?

10

Find Objects with DSQuery

• dsquery objectType

objectType: user, computer, group, ou

By default, search scope is the entire domain

-limit switch to specify number of results

• 100 is default

• 0 means “return all results”

• dsquery objectType -attribute "criteria"

attribute is objectType specific: dsquery objectType /?

Examples for user: -name, -samid, -office, -desc

criteria in quotes if there is a space. Wildcards (*) allowed

• dsquery objectType BaseDN -scope {subtree|onelevel|base}

Specify search start and scope


12

Retrieve Object Attributes with DSGet

• dsget objectType objectDN -attribute

Common syntax for many DS commands

• dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email

• What is the difference between DSGet and DSQuery?

DSGet retrieves a property from a specific object, whereas DSQuery finds an object based on a property

13

Pipe DNs to Other DS Commands

• Typing DNs is difficult!

dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email

• DSQuery returns DNs

dsquery user -name "Jeff Ford" returns "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com"

• Pipe (send) the DNs from DSQuery to DSGet with |

dsquery user -name "Jeff Ford" | dsget user -email

Or multiple results: dsquery user -name "Dan*" | dsget user -email
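The same query, retrieve and modify pipelines expressed with the ActiveDirectory PowerShell module (installed with RSAT), as an added example that is not part of the slide deck. The user and OU names are the slides' own; the `-WhatIf` preview and the capture-review-apply habit at the end are additions a practitioner would want before a bulk change.

```powershell
# Added example (not from the slides): dsquery | dsget / dsmod pipelines with the
# ActiveDirectory module. Names from the slides; everything else is an assumption.
Import-Module ActiveDirectory

# dsquery user -name "Jeff Ford" | dsget user -email
Get-ADUser -Filter 'Name -eq "Jeff Ford"' -Properties EmailAddress |
    Select-Object DistinguishedName, EmailAddress

# dsquery user -name "Dan*" | dsget user -email
# dsquery stops at 100 results unless -limit 0 is given; Get-ADUser pages through all of them.
Get-ADUser -Filter 'Name -like "Dan*"' -Properties EmailAddress |
    Select-Object Name, EmailAddress

# dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -dept "Information Technology"
# -SearchBase is the BaseDN; -SearchScope OneLevel mirrors dsquery -scope onelevel.
# -WhatIf prints the objects that would change without changing anything.
Get-ADUser -Filter * -SearchBase 'ou=Admins,dc=contoso,dc=com' -SearchScope OneLevel |
    Set-ADUser -Department 'Information Technology' -WhatIf

# Safer habit for bulk changes: capture the set, review it, then apply the same set.
$targets = Get-ADUser -Filter 'Department -eq "IT"' `
               -SearchBase 'ou=Employees,ou=User Accounts,dc=contoso,dc=com'
$targets | Select-Object Name, DistinguishedName | Format-Table -AutoSize
$targets | Set-ADUser -Department 'Information Technology'
```

Re-running the query between review and apply (as a one-liner does) can change the target set if objects are created or moved in between; capturing it in `$targets` makes the change reproducible and auditable.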

14

Modify Object Attributes with DSMod

• dsmod objectType "objectDN" -attribute "new value"

• dsmod user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology"

• dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -dept "Information Technology"

15

Delete an Object with DSRm

• dsrm objectDN

Note that DSRm does not take an objectType

DSRm prompts for confirmation of each object unless -noprompt is given; -subtree deletes a container and everything beneath it

• dsrm "cn=DESKTOP234,ou=Client Computers,dc=contoso,dc=com"

• dsquery computer -stalepwd 90 | dsrm

Caution: -stalepwd matches every computer whose password was last changed more than 90 days ago, including machines that are merely off the network. Run the dsquery alone and review the list before piping it to dsrm, and prefer disabling stale accounts first: a deleted account loses its SID and group memberships
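A staged version of the `dsquery computer -stalepwd 90 | dsrm` pipeline, as an added example that is not from the slide deck: stale computers are disabled and quarantined first, and deleted only after a grace period, so a machine that was simply switched off can be re-enabled with its SID and group memberships intact. The quarantine OU, the 90-day and 30-day thresholds, and the use of the description attribute as an audit note are all assumptions.

```powershell
# Added example (not from the slides): quarantine-then-delete stale computer accounts.
# OU path and thresholds are assumptions.
Import-Module ActiveDirectory

$stalePwdDays = 90
$graceDays    = 30
$quarantineOU = 'OU=Quarantine,OU=Client Computers,DC=contoso,DC=com'
$cutoff       = (Get-Date).AddDays(-$stalePwdDays)

# Stage 1: enabled computers whose machine password is older than the cutoff.
# PasswordLastSet is derived from pwdLastSet; domain members rotate it every 30 days by default.
$stale = Get-ADComputer -Filter 'Enabled -eq $true -and PasswordLastSet -lt $cutoff' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Where-Object { $_.DistinguishedName -notlike "*,$quarantineOU" }

# Review before acting: this is the list dsquery would have handed straight to dsrm.
$stale | Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

foreach ($c in $stale) {
    # Write the reason into the description so the action is explainable later.
    $note = 'Quarantined {0:yyyy-MM-dd}: stale password (last set {1:yyyy-MM-dd})' -f (Get-Date), $c.PasswordLastSet
    Set-ADComputer -Identity $c -Description $note
    Disable-ADAccount -Identity $c             # blocks the secure channel; no more logons
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $quarantineOU
}

# Stage 2 (separate scheduled run): delete quarantined computers whose grace period has expired.
# whenChanged was updated by the disable/move above, so it marks the start of the grace period.
$expiry = (Get-Date).AddDays(-$graceDays)
Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $quarantineOU -Properties whenChanged |
    Where-Object { $_.whenChanged -lt $expiry } |
    ForEach-Object {
        # Remove-ADComputer fails if the object has children (e.g. BitLocker recovery
        # information); Remove-ADObject -Recursive removes those with it.
        Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
    }
```

If a quarantined machine turns out to be live, `Enable-ADAccount` plus `Move-ADObject` back to its OU restores it with the same SID and group memberships; after a delete the only option is to recreate the account and rebuild those memberships.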

16

Move an Object with DSMove

• dsmove objectDN -newparent targetOUDN

objectDN: object to be moved

targetOUDN: target (destination) OU

• dsmove objectDN -newname newName

objectDN: object to be moved

newName: new name for object (used in the RDN)

17

Add an Object with DSAdd

• dsadd objectType objectDN -attribute "value"

objectType: class of object to add

objectDN: distinguished name of the new object; its parent (the OU or container named in the DN) must already exist

-attribute "value": attributes to populate

• Each object class has required attributes

• dsadd ou "ou=Lab,dc=contoso,dc=com"

18

Administration Without the GUI

• Command Prompt

DS commands

csvde.exe and ldifde.exe

• LDAP

ldp.exe

• Windows PowerShell

• Scripting

Windows PowerShell scripts

VBScript

Script enables you to use ADSI to create & modify objects

Script can use .csv as data sources

19

Computer Account and Secure Channel

• Computers have accounts

sAMAccountName (the computer name followed by $) and a password

Used to create a secure channel between the computer and a domain controller (the "trust relationship")

The computer changes its own password automatically (every 30 days by default)

• Secure channel can be broken

Reinstalling the computer, even with the same name: the new installation has a new machine SID and does not know the existing account's password

Restoring a computer from an old backup, or rolling back a computer to an old snapshot

Result: the computer and the domain disagree about what the password is

• Re-establish the trust relationship

Reset the computer account

Re-join the domain

20

Join a Computer to the Domain

• You must have permissions to the computer object: either the right to create computer objects in the target OU, or (for a prestaged object) the necessary write permissions on the existing object

• Requires restart

21

The Computer’s Container and Organizational Units (OUs)

• The default Computers container (CN=Computers,DC=...) is a container object, not an organizationalUnit object

Cannot link Group Policy objects (GPOs) to a container

Cannot create sub-OUs in a container

• Best practice is to create OUs for computer objects

Servers

• Typically subdivided by server role

Client computers

• Divide OUs based first on administration,then to facilitate configuration with Group Policy

22

Secure Computer Creation and Joins

• Prestage computer objects in the correct OUs

Computer is in correct OU and does not require moving

Group Policy applies to the computer immediately after joining the domain

Tighter security of computer OU and Computers container

• Configure the default computer container

Use command: redircmp “DN of OU for new computer objects”

• Restrict the ability of users to create computers

By default, any authenticated user can join 10 computers to the domain (the ms-DS-MachineAccountQuota attribute on the domain object is 10)

• Requires no prestaging, and the user who joins the computer becomes the owner of the resulting computer object

• Set ms-DS-MachineAccountQuota to 0, then delegate to appropriate groups the permission to create computer objects in the appropriate OUs
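The three controls on this slide (prestaging OU as default container, the machine account quota, and delegated creation rights) can be audited and set from PowerShell. The script below is an added example for this page, not the slides' own material; the OU names and the "Workstation Admins" group are assumptions, and `redircmp` and `dsacls` are the built-in tools the slide refers to.

```powershell
# Added example (not from the slides): audit and tighten computer-account creation.
# OU and group names are assumptions. Run as a domain administrator on a DC or RSAT host.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Quota: how many computers may an ordinary user join without delegated rights?
#    Default 10; the creating user owns each object it creates. 0 forces delegation.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# 2. Default container for non-prestaged joins. CN=Computers cannot have GPOs linked,
#    so point the well-known container at an OU instead (redircmp needs the domain
#    functional level at Windows Server 2003 or higher).
"Default computer container: $($domain.ComputersContainer)"
$newDefault = 'OU=Unassigned,OU=Client Computers,DC=contoso,DC=com'
if ($domain.ComputersContainer -ne $newDefault) {
    redircmp $newDefault
}

# 3. Delegate creation of computer objects in the client OU to one group.
#    CC = Create Child, restricted to the computer class; /I:T = this object and subtree.
$clientOU = 'OU=Client Computers,DC=contoso,DC=com'
dsacls $clientOU /I:T /G 'CONTOSO\Workstation Admins:CC;computer'

# 4. Verify who holds CreateChild on that OU (ObjectType is the class GUID the ACE is scoped to).
(Get-Acl -Path "AD:\$clientOU").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Step 4 is worth repeating periodically: delegation ACEs accumulate, and an ACE granting CreateChild with an empty (all classes) ObjectType on a computer OU is a much broader grant than the `CC;computer` one above.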

23

Prestage a Computer Account

• Prestage (pre-create) a computer in the correct OU

• Right-click the OU and choose New Computer

24

Automate Computer Account Creation

• Comma Separated Value Directory Exchange (CSVDE)

Import (create) or export computer accounts

• Lightweight Directory Access Protocol (LDAP) Data Interchange Format Directory Exchange (LDIFDE)

Import (create), modify, or export computer accounts

• DSAdd

Create computer accounts and set initial properties

• NetDom

Create computer accounts

Join machines to domain

25

Import Computers with CSVDE

• CSVDE.exe

csvde -i -f filename [-k]

-i: Import (default mode is export)

-f: Name of the .csv file to read (import) or write (export)

-k: Continue past errors (such as Object Already Exists)

[Figure: csvde exports Active Directory objects to a .csv file and imports objects from a .csv file into Active Directory]

CSVDE can only create objects on import; it cannot modify or delete existing objects, and it cannot set passwords

26

Import Computers with LDIFDE

• Lightweight Directory Access Protocol Data Interchange Format (LDIF)

• LDIFDE.exe

ldifde [-i] [-f filename] [-k]

-i: Import (default mode is export)

-k: Continue past errors (such as Object already exists)

[Figure: ldifde exports Active Directory objects to a .ldf file and imports objects from a .ldf file into Active Directory; unlike CSVDE it can also modify and delete objects]

Example .ldf record that prestages a computer account:

dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$

userAccountControl 4096 is WORKSTATION_TRUST_ACCOUNT (an enabled computer account); the sAMAccountName of a computer always ends in $
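Writing the record above by hand for every server does not scale, and hand-written LDIF breaks silently when a value needs base64 encoding. The following is an added example for this page, not code from the slides: it generates LDIF records of the slide's shape from a CSV and hands the file to `ldifde`. The CSV rows are constructed for the example, the OU path is the slide's, and the function names are ours.

```powershell
# Added example (not from the slides): CSV -> LDIF -> ldifde for prestaged computers.

function Format-LdifAttribute {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # LDIF (RFC 2849) requires base64 ("attr:: value") when the value is not plain
    # printable ASCII or begins with a space, colon or '<'. Omitting this corrupts the import.
    if ($Value -match '[^\x20-\x7E]' -or $Value -match '^[ :<]') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Name}:: $b64"
    }
    return "${Name}: $Value"
}

function ConvertTo-ComputerLdif {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Row)
    process {
        # NetBIOS computer names: 1-15 characters, letters, digits and hyphens only.
        if ($Row.Name -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Invalid computer name: '$($Row.Name)'" }
        $name  = $Row.Name.ToUpperInvariant()
        $lines = New-Object System.Collections.Generic.List[string]
        $lines.Add((Format-LdifAttribute 'dn' "CN=$name,$($Row.OU)"))
        $lines.Add('changetype: add')
        foreach ($class in 'top', 'person', 'organizationalPerson', 'user', 'computer') {
            $lines.Add("objectClass: $class")
        }
        $lines.Add("cn: $name")
        $lines.Add("sAMAccountName: $name`$")     # a computer's SAM name always ends in $
        $lines.Add('userAccountControl: 4096')     # WORKSTATION_TRUST_ACCOUNT, enabled
        if ($Row.Description) { $lines.Add((Format-LdifAttribute 'description' $Row.Description)) }
        $lines.Add('')                             # blank line terminates the record
        $lines -join "`r`n"
    }
}

# Constructed input (in practice: Import-Csv .\computers.csv)
$rows = @'
Name,OU,Description
FILE25,"OU=File,OU=Servers,DC=contoso,DC=com","File server, building 33"
FILE26,"OU=File,OU=Servers,DC=contoso,DC=com"," leading space forces base64"
'@ | ConvertFrom-Csv

$ldif = $rows | ConvertTo-ComputerLdif
$path = Join-Path $env:TEMP 'prestage-computers.ldf'
# Base64 already covers anything non-ASCII, so the file itself can be plain ASCII.
[IO.File]::WriteAllText($path, ($ldif -join "`r`n"), [Text.Encoding]::ASCII)
Get-Content $path

# Import on a DC or RSAT host whose account may create computers in that OU.
# -i import, -k continue past "object already exists", -j directory for ldif.log / ldif.err
ldifde -i -f $path -k -j $env:TEMP
```

The second row is there to exercise the base64 path: its description comes out as `description:: ...` rather than a `description:` line that `ldifde` would mis-parse. Check `ldif.err` after every `-k` import, since `-k` hides exactly the errors (existing objects, bad DNs) you most want to know about.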

27

Create Computers with DSAdd

• DSAdd creates objects in Active Directory

dsadd computer ComputerDN

ComputerDN: The distinguished name (DN) of the computer

Multiple values can be provided by:

• Separating ComputerDN ComputerDN… with a space

• Leaving ComputerDN empty, then entering DNs one at a time followed by ENTER, with CTRL+Z and then ENTER after the last DN

• Piping a list of DNs from another command, such as DSQuery

• Optional options

-samid ComputerName

-desc Description

-loc Location

28

Create and Join Computers with NetDom

• Create account

netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]

• Join the domain (and, if necessary, create account)

netdom join MachineName /Domain:DomainName [/OU:"OUDN"]

[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ]

[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]

[/SecurePasswordPrompt]

[/REBoot[:TimeInSeconds]]

29

Configure Computer Attributes

• Useful attributes

Description

Location

• US\WA\SEA\HQ\Building33\Floor3\Q04\1531

• Used by location-aware applications such as Search For Printers

Managed By

• Link to user who is the primary user of the computer

• Link to group that is responsible for the computer (servers)

Member Of

• Groups: Group Policy filtering, software deployment

dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]

30

Move a Computer

• Using Active Directory Users and Computers

Drag and drop

Right-click the computer, and then click Move

• dsmove ObjectDN [-newname NewName] [-newparent ParentDN]

-newname NewName: Used to rename a computer

-newparent ParentDN: Used to move a computer to the OU specified by ParentDN

31

Recognize Computer Account Problems

• Logon errors

Password

Trust

Secure channel

Relationships with the domain or domain controllers

• A computer account is missing in Active Directory

32

Reset a Computer Account

• Do not simply remove the computer from the domain and rejoin

Creates a new account: new SID, lost group memberships

• Reset the secure channel

Active Directory Users and Computers**: Right-click the computer, and then click Reset Account

DSMod**: dsmod computer "ComputerDN" -reset

NetDom: netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password | *}

NLTest: nltest /server:ServerName /sc_reset:DomainName

** = resets only the account in Active Directory; the computer still holds its old password, so it must then be rejoined to the domain and rebooted. NetDom and NLTest are run on (or against) the computer whose channel is broken
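Since Windows Server 2008 R2 / Windows 7, PowerShell can diagnose and repair the secure channel from the affected computer in one step, which keeps the existing account rather than disjoining and rejoining. The script below is an added example written for this page, not content from the slides; the domain name, the `DC01` server and the credential prompt are assumptions.

```powershell
# Added example (not from the slides): test and repair the secure channel from the
# computer itself. contoso.com and DC01 are assumptions.
Import-Module ActiveDirectory   # only for the server-side check at the end

# 1. Does the secure channel work? $false on a password mismatch, which users see as
#    "The trust relationship between this workstation and the primary domain failed".
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel OK: $ok"

if (-not $ok) {
    # An account with Reset Password on this computer object is enough; Domain Admins is not required.
    $cred = Get-Credential -Message 'Account permitted to reset this computer account (e.g. CONTOSO\helpdesk)'

    # 2a. Repair resets the machine account password on BOTH the computer and in Active
    #     Directory, so unlike the AD-side-only resets (ADUC Reset Account, dsmod -reset)
    #     no rejoin or reboot follows.
    Test-ComputerSecureChannel -Repair -Credential $cred

    # 2b. Alternative after a restore from backup or snapshot, when the computer holds an
    #     old password: force a password change against a specific DC.
    # Reset-ComputerMachinePassword -Server DC01 -Credential $cred

    # 3. Verify, and show which DC the channel is now established with.
    Test-ComputerSecureChannel
    nltest /sc_query:contoso.com
}

# Server-side view: when was the password last set, and is the account still enabled?
# (A disabled or deleted account cannot be repaired from the client; fix it in AD first.)
Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet, Enabled, LastLogonDate |
    Select-Object Name, Enabled, PasswordLastSet, LastLogonDate
```

Run it in an elevated local-administrator session on the affected machine; the computer can still be logged on to with cached credentials even when the channel is broken, which is what makes this repair possible without a rejoin.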

33

Rename a Computer

• Use System Properties of computer itself to rename computer and its account correctly

• NetDom

netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

• Be cautious of impact that rename can have on services and on certificates associated with computer's name

34

Disable and Enable a Computer

• Disable computer if it will be offline for extended time

Similar to disabling a user who is on a leave of absence

Prevents secure channel from being established, so users who do not have cached credentials on the computer cannot log on

• Active Directory Users and Computers

Right-click computer, and then click Enable Account or Disable Account

• DSMod

dsmod computer ComputerDN -disabled yes

dsmod computer ComputerDN -disabled no

35

Delete and Recycle Computer Accounts

• Delete a computer with Active Directory Users and Computers

Right-click the computer, and then click Delete

• Delete a computer with DSRm

dsrm ObjectDN

• Delete destroys SID and group memberships

If replacing or reinstalling a computer, if computer will play same role, reset computer account instead of deleting it

Preserves all attributes of computer, including SID and group memberships

You can rename object if computer is being renamed during reinstallation/upgrade

This "recycles" the computer account