Week 3: Secure and Efficient Administration of Active Directory (slide transcript)
Post on 26-Dec-2015
1
Week 3 Secure and Efficient Administration of Act. Dir.
• Work with Active Directory Snap-Ins
• Custom Consoles and Least Privilege
• Find Objects in Active Directory
• Use DS Commands to Administer Active Directory
• Create Computer Accounts and Join the Domain
• Administer Computer Objects and Accounts
2
The MMC Console
[Figure: MMC console layout, with labelled parts: Show/Hide Console Tree, Show/Hide Actions Pane, Console Tree, Details Pane, Actions Pane]
3
Active Directory Administration Snap-ins
• Active Directory Users and Computers
Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders
• Active Directory Sites and Services
Manage replication, network topology, and related services
• Active Directory Domains and Trusts
Configure and maintain trust relationships and the domain and forest functional level
• Active Directory Schema
Administer the Schema
4
Find Active Directory Snap-ins
• Active Directory snap-ins are installed on a domain controller
Server Manager: Users and Computers, Sites and Services
Administrative Tools folder
• Install the RSAT on a member client or server
Windows Server® 2008
• Server Manager → Features → Add Feature → Remote Server Administration Tools
Windows Vista® SP1, Windows 7
• Download RSAT from www.microsoft.com/downloads
• Double-click the file, then follow the instructions in the Setup Wizard.
• Control Panel → Programs And Features → Turn Windows Features On Or Off → Remote Server Administration Tools
AD Snap-in Demo
5
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
• Maintain at least two accounts
A standard user account
An account with administrative privileges
• Log on to your computer as a standard user
Do not log on to your computer with administrative credentials
• Launch administrative consoles with Run As Administrator
1. Right-click the console and click Run As Administrator
2. Click Use another account
3. Enter the username and password for your administrative account
Demo
6
Find Objects in Active Directory
• When you assign permissions to a folder or file
Select the group or user to which permissions are assigned
• When you add members to a group
Select the user or group that will be added as a member
• When you configure a linked attribute such as Managed By
Select the user or group that will be displayed on the Managed By tab
• When you need to administer a user, group, or computer
Perform a search to locate the object in Active Directory, instead of browsing for the object
Demo
7
Options for Locating Objects in Active Directory Users and Computers
Sorting: Use column headings in Active Directory Users and Computers to find the objects based on the columns
Searching: Provide the criteria for which you want to search
Demo
8
DNs, RDNs, and CNs
• DN must be completely unique
• RDN must therefore be unique within the parent container
Distinguished Name (DN): cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com
Parent container (DN): ou=Employees,ou=User Accounts,dc=contoso,dc=com
Relative Distinguished Name (RDN): cn=Jeff Ford
Common Name (CN): Jeff Ford
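The DN, RDN and CN relationship above can be checked mechanically. The following Python is an added example, not part of the original slides: it splits a DN into its RDNs (honouring backslash-escaped commas, which Active Directory uses when a CN itself contains a comma), recovers the parent container and CN, and flags RDNs that would collide within the same parent. The sample DNs and the function names are constructed for this illustration.

```python
# Added example (not from the original slides): parse LDAP distinguished names
# into RDNs, recover the parent container and CN, and check that RDNs are unique
# within a parent container. Sample DNs below are constructed for illustration.

def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas
    (e.g. cn=Ford\\, Jeff) so a comma inside a value is not treated as a separator."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return the RDN, the parent container DN and (if the RDN is a cn=) the CN."""
    rdns = split_dn(dn)
    rdn = rdns[0]
    attr, _, value = rdn.partition("=")
    return {
        "rdn": rdn,
        "parent": ",".join(rdns[1:]),
        "cn": value if attr.strip().lower() == "cn" else None,
    }


def normalize_dn(dn):
    """Case- and whitespace-insensitive form used for uniqueness checks:
    AD treats 'CN=Jeff Ford' and 'cn=jeff ford' as the same RDN."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def rdn_collisions(dns):
    """Return the normalized DNs that occur more than once, i.e. RDNs that are
    not unique within their parent container and therefore cannot all exist."""
    seen, dup = set(), []
    for dn in dns:
        key = normalize_dn(dn)
        if key in seen and key not in dup:
            dup.append(key)
        seen.add(key)
    return dup


if __name__ == "__main__":
    sample = "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com"  # constructed
    print(parse_dn(sample))
    print(rdn_collisions([sample, "CN=JEFF FORD,OU=Employees,OU=User Accounts,DC=contoso,DC=com"]))
```

The same CN can legitimately exist under two different OUs (the full DNs differ), which is why the collision check compares whole normalized DNs rather than CNs alone.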
9
The DS Commands
• DSQuery. Performs a query based on parameters provided at the command line and returns a list of matching objects
• DSGet. Returns specified attributes of an object
• DSMod. Modifies specified attributes of an object
• DSMove. Moves an object to a new container or OU
• DSAdd. Creates an object in the directory
• DSRm. Removes an object, all objects in the subtree beneath a container object, or both
• DScommand /? shows the help for a command. For example: dsquery /?
10
Find Objects with DSQuery
• dsquery objectType
objectType: user, computer, group, ou
By default, search scope is the entire domain
-limit switch to specify number of results
• 100 is default
• 0 means “return all results”
• dsquery objectType -attribute "criteria"
attribute is objectType specific: dsquery objectType /?
Examples for user: -name, -samid, -office, -desc
criteria in quotes if there is a space. Wildcards (*) allowed
• dsquery objectType BaseDN -scope {subtree|onelevel|base}
Specify search start and scope
12
Retrieve Object Attributes with DSGet
• dsget objectType objectDN -attribute
Common syntax for many DS commands
• dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email
• What is the difference between DSGet and DSQuery?
DSGet retrieves a property from a specific object, whereas DSQuery finds an object based on a property
13
Pipe DNs to Other DS Commands
• Typing DNs is difficult!
dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email
• DSQuery returns DNs
dsquery user -name "Jeff Ford" returns "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com"
• Pipe (send) the DNs from DSQuery to DSGet with |
dsquery user -name "Jeff Ford" | dsget user -email
Or multiple results: dsquery user -name "Dan*" | dsget user -email
14
Modify Object Attributes with DSMod
• dsmod objectType "objectDN" -attribute "new value"
• dsmod user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology"
• dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -dept "Information Technology"
15
Delete an Object with DSRm
• dsrm objectDN
Note that DSRm does not take an objectType
• dsrm "cn=DESKTOP234,ou=Client Computers,dc=contoso,dc=com"
• dsquery computer -stalepwd 90 | dsrm
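The one-liner above deletes every computer whose password is older than 90 days in a single, irreversible step. As an added example (not from the original slides), the following Python reproduces the -stalepwd selection over constructed sample records and turns it into a staged plan: disable first (reversible, keeps the SID and group memberships as the later slides recommend), delete only objects that were already disabled by an earlier pass, and set aside objects whose password was never set (pwdLastSet = 0 in AD) because their age cannot be judged. The record layout, the reference date and the function names are assumptions for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real accounts). pwdLastSet is the time the
# computer last rotated its account password; None models pwdLastSet = 0 (never set).
SAMPLE_COMPUTERS = [
    {"dn": "CN=DESKTOP234,OU=Client Computers,DC=contoso,DC=com",
     "pwdLastSet": datetime(2015, 8, 1, tzinfo=timezone.utc), "disabled": False},
    {"dn": "CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com",
     "pwdLastSet": datetime(2015, 12, 1, tzinfo=timezone.utc), "disabled": False},
    {"dn": "CN=LAB01,OU=Lab,DC=contoso,DC=com",
     "pwdLastSet": datetime(2015, 6, 1, tzinfo=timezone.utc), "disabled": True},
    {"dn": "CN=OLDBUILD,OU=Client Computers,DC=contoso,DC=com",
     "pwdLastSet": None, "disabled": False},
]

# Constructed reference date for the sample (the deck's posting date).
REFERENCE_NOW = datetime(2015, 12, 26, tzinfo=timezone.utc)


def is_stale(record, days, now):
    """Mirror dsquery's -stalepwd N: the password has not changed in the last N days."""
    last = record["pwdLastSet"]
    return last is not None and last < now - timedelta(days=days)


def plan_cleanup(records, days, now):
    """Staged cleanup instead of 'dsquery ... | dsrm':
    - disable: stale and still enabled (reversible; preserves SID and group memberships)
    - delete:  stale and already disabled by an earlier pass
    - review:  pwdLastSet never set; age cannot be judged, so a human decides"""
    plan = {"disable": [], "delete": [], "review": []}
    for r in records:
        if r["pwdLastSet"] is None:
            plan["review"].append(r["dn"])
        elif is_stale(r, days, now):
            plan["delete" if r["disabled"] else "disable"].append(r["dn"])
    return plan


def dsmod_commands(plan):
    """Render the disable stage as dsmod command lines for an operator to review
    before running them (the -disabled switch is the one shown later in the deck)."""
    return [f'dsmod computer "{dn}" -disabled yes' for dn in plan["disable"]]


if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_COMPUTERS, 90, REFERENCE_NOW)
    for stage, dns in plan.items():
        print(stage, dns)
    for line in dsmod_commands(plan):
        print(line)
```

Running the disable stage, waiting a reporting cycle, and only then running the delete stage keeps a wrongly classified machine (for example one restored from an old backup, which the secure-channel slides describe) recoverable with a reset rather than a rejoin.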
16
Move an Object with DSMove
• dsmove objectDN -newparent targetOUDN
objectDN: object to be moved
targetOUDN: target (destination) OU
• dsmove objectDN -newname newName
objectDN: object to be moved
newName: new name for object (used in the RDN)
17
Add an Object with DSAdd
• dsadd objectType objectDN -attribute "value"
objectType: class of object to add
objectDN: OU in which to create object
-attribute "value": attributes to populate
• Each object class has required attributes
• dsadd ou "ou=Lab,dc=contoso,dc=com"
18
Administration Without the GUI
• Command Prompt
DS commands
csvde.exe and ldifde.exe
• LDAP
ldp.exe
• Windows PowerShell
• Scripting
Windows PowerShell scripts
VBScript
Scripts enable you to use ADSI to create and modify objects
Scripts can use .csv files as data sources
19
Computer Account and Secure Channel
• Computers have accounts
sAMAccountName and password
Used to create a secure channel between the computer and a domain controller (Trust relationship)
• Secure channel can be broken
Reinstalling computer, even with same name, generates new SID and password
Restoring a computer from an old backup, or rolling back a computer to an old snapshot
Computer and domain disagree about what the password is
• Re-establish Trust relationship
Reset the computer account
Re-join the domain
20
Join a Computer to the Domain
• You must have permissions to the computer object
• Requires restart
21
The Computers Container and Organizational Units (OUs)
• The default Computers container is a container, not an organizationalUnit object
Cannot link Group Policy objects (GPOs) to a container
Cannot create sub-OUs in a container
• Best practice is to create OUs for computer objects
Servers
• Typically subdivided by server role
Client computers
• Divide OUs based first on administration, then to facilitate configuration with Group Policy
22
Secure Computer Creation and Joins
• Prestage computer objects in the correct OUs
Computer is in correct OU and does not require moving
Group Policy applies to the computer immediately after joining the domain
Tighter security of computer OU and Computers container
• Configure the default computer container
Use command: redircmp "DN of OU for new computer objects"
• Restrict the ability of users to create computers
By default, any user can join 10 machines to the domain
• Requires no prestaging
• Delegate to appropriate groups the permission to create computer objects in the appropriate OUs
23
Prestage a Computer Account
• Prestage (pre-create) a computer in the correct OU
• Right-click the OU and choose New Computer
24
Automate Computer Account Creation
• Comma Separated Value Directory Exchange (CSVDE)
Import (create) or export computer accounts
• Lightweight Directory Access Protocol (LDAP) Data Interchange Format Directory Exchange (LDIFDE)
Import (create), modify, or export computer accounts
• DSAdd
Create computer accounts and set initial properties
• NetDom
Create computer accounts
Join machines to domain
25
Import Computers with CSVDE
• CSVDE.exe
csvde -i -f filename [-k]
-i: Import (default mode is export)
-k: Continue past errors (such as Object Already Exists)
[Figure: CSVDE.exe imports a file into Active Directory and exports Active Directory to a file]
26
Import Computers with LDIFDE
• Lightweight Directory Access Protocol Data Interchange Format (LDIF)
• LDIFDE.exe
ldifde [-i] [-f filename] [-k]
-i: Import
• Default mode is export
-k: Continue past errors
• Object already exists
[Figure: LDIFDE.exe imports filename.ldf into Active Directory and exports Active Directory to filename.ldf]
Example LDIF entry for a computer object:
dn: CN=FILE25,OU=File, OU=Servers, DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: FILE25
userAccountControl: 4096
sAMAccountName: FILE25$
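The LDIF entry above and the CSVDE import on the previous slide are both plain text files that a script can generate from a list of machine names. The Python below is an added example, not part of the original slides: it writes an LDIF add record and a CSVDE import file for computer accounts, applies the LDIF rule that values starting with a space, colon or less-than sign (or containing non-ASCII) must be base64-encoded with a double colon, and decodes userAccountControl so the reader can see why 4096 means a workstation trust account and 4098 the same account disabled. The flag values are the documented AD constants; the function names and sample objects are constructed for this illustration.

```python
import base64
import csv
import io

# userAccountControl bit flags (subset of the documented AD constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def ldif_value(attr, value):
    """Emit 'attr: value', or 'attr:: <base64>' when the value is not a safe LDIF
    string (leading space/colon/'<', trailing space, line breaks or non-ASCII)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or "\n" in value or "\r" in value or not value.isascii())
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def computer_ldif(name, parent_dn, disabled=False):
    """LDIF 'add' record for a computer account, matching the slide's object classes.
    sAMAccountName of a computer is the name with a trailing '$'."""
    uac = 0x1000 | (0x0002 if disabled else 0)   # workstation trust (+ disabled)
    lines = [
        ldif_value("dn", f"CN={name},{parent_dn}"),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        "objectClass: computer",
        ldif_value("cn", name),
        f"userAccountControl: {uac}",
        ldif_value("sAMAccountName", f"{name.upper()}$"),
    ]
    return "\n".join(lines) + "\n"


def computers_csvde(rows):
    """CSVDE import text: a header of attribute names, then one line per object.
    rows is a list of (name, parent_dn) tuples; DNs containing commas are quoted."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["DN", "objectClass", "cn", "sAMAccountName", "userAccountControl"])
    for name, parent in rows:
        writer.writerow([f"CN={name},{parent}", "computer", name, f"{name.upper()}$", "4096"])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample objects, not real directory data.
    parent = "OU=File,OU=Servers,DC=contoso,DC=com"
    print(computer_ldif("FILE25", parent), end="")
    print(computers_csvde([("FILE25", parent), ("FILE26", parent)]), end="")
    print(decode_uac(4096), decode_uac(4098))
```

Prestaging with the disabled bit set (4098) lets an administrator create the objects in the correct OU ahead of time and enable them only when the machines are actually being joined, which narrows the window in which an unused, enabled computer account exists in the directory.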
27
Create Computers with DSAdd
• DSAdd creates objects in Active Directory
dsadd computer ComputerDN
ComputerDN: The distinguished name (DN) of the computer
Multiple values can be provided by:
• Separating ComputerDN ComputerDN… with a space
• Leaving ComputerDN empty, then entering DNs one at a time followed by ENTER, with CTRL+Z and then ENTER after the last DN
• Piping a list of DNs from another command, such as DSQuery
• Optional options
-samid ComputerName
-desc Description
-loc Location
28
Create and Join Computers with NetDom
• Create account
netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
• Join the domain (and, if necessary, create account)
netdom join MachineName /Domain:DomainName [/OU:"OUDN"]
[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ]
[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]
[/SecurePasswordPrompt]
[/REBoot[:TimeInSeconds]]
29
Configure Computer Attributes
• Useful attributes
Description
Location
• US\WA\SEA\HQ\Building33\Floor3\Q04\1531
• Used by location-aware applications such as Search For Printers
Managed By
• Link to user who is the primary user of the computer
• Link to group that is responsible for the computer (servers)
Member Of
• Groups: Group Policy filtering, software deployment
dsmod computer "ComputerDN" [-desc "Description"] [-loc "Location"]
30
Move a Computer
• Using Active Directory Users and Computers
Drag and drop
Right-click the computer, and then click Move
• dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
-newname NewName: Used to rename a computer
-newparent ParentDN: Used to move a computer to the OU specified by ParentDN
31
Recognize Computer Account Problems
• Logon errors
Password
Trust
Secure channel
Relationships with the domain or domain controllers
• A computer account is missing in Active Directory
32
Reset a Computer Account
• Do not simply remove computer from domain and rejoin
Creates new account: new SID, lost group memberships
• Reset the secure channel
Active Directory Users and Computers **
• Right-click the computer, and then click Reset Account
DSMod **
• dsmod computer "ComputerDN" -reset
NetDom
• netdom reset MachineName /domain:DomainName /UserO:UserName /PasswordO:{Password | *}
NLTest
• nltest /server:ServerName /sc_reset:DomainName
** = requires rejoining domain and rebooting
33
Rename a Computer
• Use System Properties of computer itself to rename computer and its account correctly
• NetDom
netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
• Be cautious of impact that rename can have on services and on certificates associated with computer's name
34
Disable and Enable a Computer
• Disable computer if it will be offline for extended time
Similar to disabling a user who is on a leave of absence
Prevents secure channel from being established, so users who do not have cached credentials on the computer cannot log on
• Active Directory Users and Computers
Right-click computer, and then click Enable Account or Disable Account
• DSMod
dsmod computer ComputerDN -disabled yes
dsmod computer ComputerDN -disabled no
35
Delete and Recycle Computer Accounts
• Delete a computer with Active Directory Users and Computers
Right-click the computer, and then click Delete
• Delete a computer with DSRm
dsrm ObjectDN
• Delete destroys SID and group memberships
If you are replacing or reinstalling a computer that will play the same role, reset the computer account instead of deleting it
Preserves all attributes of computer, including SID and group memberships
You can rename object if computer is being renamed during reinstallation/upgrade
This "recycles" the computer account