Windows Server 2008 70-640

AD: Active Directory --> Database
1. Provides centralized control: one place to hold accounts and record all password changes
2. Distributed: replicated to every domain controller, so resources can be located from anywhere in the organization
3. Stores Group Policy
4. Everything in Active Directory is an object

Domain
A logical group of users and computers that share the same AD database (domain partition)

Domain Controller
1. Runs Active Directory Domain Services
2. Holds a writable copy of the Active Directory database (an RODC holds a read-only copy)
3. Authenticates users and computers / determines access

Windows Server 2008
1. Roles and features are added through Server Manager
features: smaller add-ons
role: a major function of the server (for example AD DS or DNS)
2. Self-healing NTFS: corruption is repaired online, so no disk check is needed when rebooting the server
3. Parallel session creation for Terminal Services
4. Clean server shutdown: Windows waits for application processes to finish for as long as possible; if a process hangs or is stuck, Windows stops it and continues the reboot
5. Server Core (minimal installation without the GUI shell)
6. Hyper-V
7. PowerShell: a command-line shell and scripting language that replaces the MS-DOS-style command prompt for administration

Windows Server 2008 AD Features
1. Active Directory Certificate Services (AD CS): issues and manages certificates
2. Active Directory Application Mode (ADAM), renamed Active Directory Lightweight Directory Services (AD LDS) in 2008
3. Active Directory Federation Services (AD FS): share identity with another company's AD across organizational boundaries
4. Active Directory Rights Management Services (AD RMS)
5. Read Only Domain Controller (RODC)
6. Active Directory Domain Services can now be stopped and restarted without rebooting the DC
7. Fine-grained password policy: set different password policies for different users and groups
8. Active Directory snapshots: point-in-time copies of the AD database that can be mounted and browsed

Windows Server 2008 R2
1. BranchCache
2. DirectAccess
3. Active Directory Recycle Bin
4. Starter Group Policy Objects (Starter GPOs)
5. "Terminal Services" renamed "Remote Desktop Services"

Description
Check Recycle Bin status (PowerShell): the Get-ADOptionalFeature cmdlet shows whether the "Recycle Bin Feature" is enabled and in which scope

Windows Server 2008 R2 SP1
1. Dynamic Memory for Hyper-V
2. RemoteFX: renders 3D graphics on the server side instead of on the clients

NTDS.DIT
1. The file that holds the Active Directory database
2. The directory is based on the X.500 standard (LDAP, the access protocol, is derived from it)
3. Hierarchical structure

Active Directory Structure
Organizational Units (OU): like folders
Users, Computers, ...: like files

Lightweight Directory Access Protocol (LDAP): the protocol used to access the Active Directory database (NTDS.DIT)
Example: distinguished name for ITFreeTraining.com / Users / John
CN=John,OU=Users,DC=ITFreeTraining,DC=com
CN: Common Name (the object's own name; note that the default Users container is itself a CN, i.e. CN=Users, whereas an OU that you create is OU=Users)
OU: Organizational Unit
DC: Domain Component (one per DNS label of the domain name)

Global Catalog (GC)
1. There should be at least one global catalog server per domain (the first DC in the forest is one automatically)
2. Contains a partial, read-only index of every object in the forest

System Requirements
Hardware requirements: 1.4 GHz CPU / 2 GB RAM / 64 GB disk
Windows editions: Enterprise / Datacenter / Standard / Foundation / HPC
Upgrading: requires at least Windows Server 2003 with SP2; a clean install is preferred where possible
DNS: AD cannot work without it (DCs and clients locate each other through DNS SRV records)

Windows Server 2008 R2 Enterprise SP1: installing AD
Pre-installation
1. Set a static IP address and hostname
2. DNS infrastructure (dcpromo can install DNS on the first DC)
3. First domain controller: run the promotion as the local administrator

Installation
1. FQDN: the course suggests a non-public suffix such as "XXX.local" so that the name cannot be resolved by Internet DNS. Caveat: ".local" collides with multicast DNS (mDNS/Bonjour) used by Apple and Linux clients; current Microsoft guidance is a dedicated subdomain of a registered public name (for example ad.example.com) instead.

2. Forest functional level and domain functional level can only be raised, never lowered (plan the target level before promoting)

3. Folders
Database folder: holds NTDS.DIT
Log folder: transaction logs used to recover the database after a crash (on busy DCs put them on a different disk from the database)
SYSVOL folder: holds logon scripts and Group Policy templates, replicated to every DC

Post-installation
Physical files:
C:\Windows\NTDS\NTDS.DIT: Active Directory database
C:\Windows\SYSVOL\domain\scripts: logon scripts
C:\Windows\SYSVOL\domain\Policies: Group Policy templates

Service: Active Directory Domain Services (service name NTDS)

Windows Server Core: installing a replica DC (run sconfig to open the text-based configuration menu)
Every change is made from the command line
1. Change the computer name:
netdom renamecomputer localhost /NewName:<hostname>

2. Set the IP address:
Check: netsh interface IPv4 show interfaces --> note the Idx of the adapter
Change: netsh interface IPv4 set address name=<Idx> source=static address=192.168.1.2 mask=255.255.255.0 gateway=192.168.1.1

3. Set DNS (name= is the Idx found above, 21 in this example; the first entry points at the existing DC, the second at this server once it also runs DNS)
netsh interface IPv4 add dnsserver name=21 address=192.168.1.1 index=1
netsh interface IPv4 add dnsserver name=21 address=127.0.0.1 index=2

4. Check which roles are installed
oclist | more

5. Install the DNS server role: start /w ocsetup DNS-Server-Core-Role

6. Restart the server: shutdown /r /t 0

7. Install AD
Method 1: use an answer file (the course notes this still had problems during testing)
net use z: \\dc1\it
copy z:\dc1.txt c:\dc2.txt
notepad c:\dc2.txt

Change these entries:
ReplicaOrNewDomain=replica
;NewDomain=Forest
ReplicaDomainDNSName=ITFreeTraining.local

Add these entries:
UserDomain=ITFreeTraining.local
UserName=administrator
Password=P@ssw0rd
SafeModeAdminPassword=Pa$$word11

Description:
SafeModeAdminPassword: the Directory Services Restore Mode (DSRM) password, a local administrator password used to boot the DC into safe mode and restore the database; it is independent of the domain Administrator password, so choose a unique one and store it securely
Password=: a domain admin password in clear text; delete the answer file as soon as dcpromo completes (or use Password=* to be prompted instead) and never leave it on a share

Start the installation: dcpromo /unattend:c:\dc2.txt

Method 2: use the command line (every switch takes the form /Name:value)
dcpromo /ReplicaOrNewDomain:replica /ReplicaDomainDNSName:ITFreeTraining.local /ConfirmGC:yes /UserDomain:ITFreeTraining.local /UserName:administrator /Password:P@ssw0rd /SafeModeAdminPassword:Pa$$word11

8. Check domain users (dsquery takes -filter with no space; user objects have objectCategory=person and objectClass=user)
dsquery * -filter "(&(objectCategory=person)(objectClass=user))" -attr sAMAccountName objectSid
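The same unattended promotion scripted so that no password is left on a share or in the shell history, as an added example (not code from the course): both secrets are prompted for, the answer file is ACL-restricted while it exists and removed as soon as dcpromo returns. The domain name and file path follow the notes; the ActiveDirectory module, used only for the final check, is assumed to be installed on the new DC.

```powershell
# Added example, not from the course notes. Assumes domain ITFreeTraining.local
# and that the ActiveDirectory PowerShell module is available for the last check.

function New-ReplicaDcAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$DomainDnsName,
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$UserName = 'administrator'
    )
    $domainPwd = Read-Host -Prompt "Password for $DomainDnsName\$UserName" -AsSecureString
    $dsrmPwd   = Read-Host -Prompt 'DSRM (SafeModeAdminPassword) password' -AsSecureString
    # dcpromo needs clear text in the file; decode only at the moment of writing.
    $toPlain = { param($s) [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)) }
    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=replica',
        "ReplicaDomainDNSName=$DomainDnsName",
        'ConfirmGc=yes',
        'InstallDNS=yes',
        'RebootOnCompletion=no',            # caller reboots after reading the log
        "UserDomain=$DomainDnsName",
        "UserName=$UserName",
        "Password=$(& $toPlain $domainPwd)",
        "SafeModeAdminPassword=$(& $toPlain $dsrmPwd)"
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # Only Administrators and SYSTEM may read the file while it exists.
    & icacls $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
    $Path
}

function Invoke-ReplicaDcpromo {
    param([Parameter(Mandatory=$true)][string]$AnswerFile)
    try {
        $p = Start-Process -FilePath "$env:windir\system32\dcpromo.exe" `
                           -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru
        $p.ExitCode
    }
    finally {
        # The file holds two passwords: remove it whatever the outcome.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

function Test-ReplicaHealth {
    param([string]$DomainDnsName)
    # Run after the reboot: a replica that really joined is listed here and
    # shows zero failures in the repadmin summary.
    & repadmin /replsummary
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * -Server $DomainDnsName |
        Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
}

# Usage on the new Server Core box (elevated):
# $file = New-ReplicaDcAnswerFile -DomainDnsName 'ITFreeTraining.local' -Path 'C:\dc2.txt'
# $code = Invoke-ReplicaDcpromo -AnswerFile $file
# "dcpromo exit code $code - details in $env:windir\debug\dcpromo.log"
# Restart-Computer
# Test-ReplicaHealth -DomainDnsName 'ITFreeTraining.local'    # after the reboot
```

dcpromo blanks the password lines in the answer file itself once it has read them, but the script does not rely on that; the finally block removes the file even when promotion fails part way.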

Global Catalog
Index of the forest; lets a user locate and access resources in other domains of the forest (including other trees)

1. Any domain controller can be a Global Catalog (GC)
2. At least one GC per domain (and ideally per site) is needed in practice
3. Should have more than one for redundancy and load balancing
4. In Windows Server 2008 the dcpromo wizard makes new DCs GCs by default

Add or Remove Global Catalog
1. Go to Server Manager / Roles / Active Directory Domain Services / Active Directory Users and Computers / ITFreeTraining.local / Domain Controllers / DC1 Properties / NTDS Settings...
2. Operation
Add: tick the "Global Catalog" box
Remove: clear the "Global Catalog" box

Reasons to deploy a GC
1. GCs contain forest-wide information
2. Required when users log on with a User Principal Name (UPN), username@domain
3. Allows forest-wide searching and services
4. Sites connected by a WAN link (a local GC keeps logon traffic off the link)
5. Some software needs a global catalog server, for example Exchange

Reasons not to deploy a GC: more load on the domain controller, more disk space and more replication bandwidth

Operations Master Roles (FSMO)
A. Forest-wide roles
1. Schema master
2. Domain naming master

B. Domain-wide roles
1. PDC (Primary Domain Controller) Emulator: originally a bridge to NT4 BDCs; also receives password changes first, handles account lockout and is the authoritative time source of the domain
2. Relative ID (RID) master
3. Infrastructure master: keeps object references (for example group members from other domains) consistent across the domains of the forest

Moving Domain-wide Roles to Another DC
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Right click "ITFreeTraining.local", click "Change Domain Controller"
3. Choose the destination server the role should move to
4. Right click "ITFreeTraining.local", click "Operations Masters"
5. Choose the RID / PDC / Infrastructure tab, click "Change" and "OK"

RID role: hands out blocks of relative IDs that DCs use when creating accounts (every SID is the domain SID plus a RID)

Moving Domain naming master to Another DC
1. Go to Control Panel / Administrative Tools / Active Directory Domains and Trusts
2. Right click "Active Directory Domains and Trusts" and click "Change Active Directory Domain Controller"
3. Choose the destination server the role should move to
4. Right click "Active Directory Domains and Trusts" and click "Operations Masters"
5. Click "Change" and "OK" to move the "Domain naming master"

Moving Schema master to Another DC (requires membership of Schema Admins)
1. Open a command prompt
2. Run the command: regsvr32 schmmgmt.dll (registers the Active Directory Schema snap-in, which is not registered by default)
3. Open the MMC: Run mmc
4. Click File --> Add / Remove Snap-in...
5. Add "Active Directory Schema" and click "OK"
6. Right click "Active Directory Schema" and click "Change Active Directory Domain Controller"
7. Choose the destination server the role should move to
8. Right click "Active Directory Schema" and click "Operations Masters"
9. Click "Change" and "OK" to move the "Schema master"

Check which DC holds each Operations Master role
1. dcdiag /test:knowsofroleholders /v
2. netdom query fsmo


Operations Master Role Placement
Reasons to move roles:
1. availability
2. load on the server

Guidelines:
1. Domain naming master: on a GC (required at the Windows 2000 forest functional level; from 2003 forest level it no longer has to be)
2. Schema master: does not need to be a GC
3. Put the domain naming master and schema master on a DC in the forest root domain (usually the same DC)
4. Put the PDC emulator where most password requests originate, i.e. where most users are located
5. RID master: tolerates a relatively slow link (RIDs are handed out in blocks of 500, so DCs contact it rarely) and can be a GC
6. Single-domain forest: the infrastructure master can sit on a GC
Multi-domain forest: the infrastructure master must not be a GC, unless every DC in the domain is a GC (a GC already holds the cross-domain references, so the role would never update anything)
7. If not all DCs are GCs, put a GC near the applications that use it heavily, such as Exchange

Seizing Operations Master Roles (Disaster Recovery)
Always transfer an operations master role when possible.
Only if a transfer is impossible (the holder is gone for good) should the role be seized.

Impact of a missing Operations Master role
1. Schema master: only needed when extending the schema
2. Domain naming master: only needed when adding or removing domains
3. RID master: can be offline for a while unless you create a lot of objects at once (DCs exhaust their RID pools)
4. PDC Emulator: impacts password changes and account lockout; time synchronization will not be available; noticed quickly
5. Infrastructure master: may affect cross-domain reference updates (stale group member names)

Seizing the RID master from dc3 to dc1
Pre-seizing
1. Make sure the domain controller that held the role is really offline
2. Do not seize during a network outage (the old holder is still alive and two DCs would then claim the role)
3. Consider this a last resort, used only when the old DC will never be brought back online

Seizing Operations Master Roles (RID master)
1. Open a command prompt
2. Run the commands:
c:\>ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server dc1
server connections: quit
fsmo maintenance: seize RID master
(ntdsutil first attempts a normal transfer; only when the old holder does not answer does it seize)

3. Check the operations master role holders: netdom query fsmo
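The console and ntdsutil steps above (transfer, check, seize) done with the ActiveDirectory module that ships with Windows Server 2008 R2, as an added example that is not code from the course. DC names dc1 and dc3 follow the notes; the seize path refuses to run while the old holder still answers, which is the mistake the pre-seizing checks warn about.

```powershell
# Added example, not from the course notes. Requires the ActiveDirectory module
# (Windows Server 2008 R2); dc1/dc3 are the DC names used in the notes.
Import-Module ActiveDirectory

function Get-FsmoHolder {
    # Same answer as "netdom query fsmo", returned as an object.
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [Parameter(Mandatory=$true)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    if ($Seize) {
        # Seizing while the old holder is merely unreachable for a moment
        # leaves two DCs claiming the role; insist that it is really gone.
        $current = Get-FsmoHolder
        foreach ($r in $Role) {
            $holder = $current.$r
            if (Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue) {
                throw "$holder still answers and holds $r; transfer instead of seizing."
            }
        }
    }
    # -Force turns the transfer into a seizure when the holder does not respond.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
    Get-FsmoHolder
}

# Usage:
# Get-FsmoHolder
# Move-FsmoRole -TargetDc dc1 -Role RIDMaster,PDCEmulator     # normal transfer
# Move-FsmoRole -TargetDc dc1 -Role RIDMaster -Seize          # dc3 is dead for good
```

After a seizure the dead DC's metadata still has to be removed (the ntdsutil metadata cleanup that follows, or on Windows Server 2008 simply deleting its computer object in the Domain Controllers OU), otherwise the directory keeps expecting replication from it.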

Post-seizing (remove the failed DC's metadata from the directory)
1. Open a command prompt
2. Run the commands:
c:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server dc1
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain 0
select operation target: list sites
select operation target: select site 0
select operation target: list servers in site
select operation target: select server 2   (use the number shown next to dc3 in the list)
select operation target: quit
metadata cleanup: remove selected server
3. Go to Control Panel / Administrative Tools / Active Directory Sites and Services / Sites / Default-First-Site-Name / Servers
4. Right click "DC3" and delete it (on Windows Server 2008 deleting the DC's computer object in ADUC also performs the metadata cleanup)

Recovering the domain controller dc3
1. Unplug the network cable before starting the server: once its metadata is gone it must never replicate again (it still holds a full copy of the database, password hashes included, so treat it as a privileged system until it is wiped)
2. Remove Active Directory from the server
A. Open a command prompt
B. Run the command: dcpromo /forceremoval
3. Restart the server; it is now in a workgroup
4. Plug the network cable back in, then reinstall and reconfigure Active Directory

Setting an External Time Source
If a clock differs from the DC's by more than the Kerberos tolerance (5 minutes by default) you will not be able to log on
Hierarchy: DC holding the PDC Emulator --> other DCs --> all other domain members

External Internet time source
Stratum 0: reference clocks (satellites / radio ...)
Stratum 1 / 2 / 3 ...: servers, each one hop further from the reference

Set External Internet Time Source (on the PDC emulator)
1. Find a time source
URL: http://support.microsoft.com/kb/262680
2. Choose a time source close to you that allows open access
3. Open a command prompt
4. Run: w32tm /config /manualpeerlist:<domain name of the time server> /syncfromflags:manual /reliable:yes /update
5. Check status: Event Viewer, System log, source Time-Service
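The configuration above wrapped in PowerShell with the check a practitioner actually wants: the measured offset against the peer compared with the 5-minute Kerberos tolerance. This is an added example, not code from the course; the peer names are placeholders to be replaced with servers from the KB article.

```powershell
# Added example, not from the course notes. Peer names are placeholders.
function Set-ExternalTimeSource {
    param([Parameter(Mandatory=$true)][string[]]$Peer)
    # ",0x8" marks each peer as a client-mode association.
    $list = ($Peer | ForEach-Object { "$_,0x8" }) -join ' '
    & w32tm /config /manualpeerlist:"$list" /syncfromflags:manual /reliable:yes /update | Out-Null
    & w32tm /resync /nowait | Out-Null
    & w32tm /query /source        # shows the configured peer once it is in use
}

function Get-TimeOffsetSeconds {
    # w32tm /stripchart prints one sample per line, e.g. "11:02:33, +00.0123456s";
    # the signed number is this machine's offset from the peer.
    param([Parameter(Mandatory=$true)][string]$Peer, [int]$Samples = 3)
    $out = & w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (@($offsets).Count -eq 0) { throw "No samples from $Peer (UDP 123 blocked, or name not resolving?)" }
    ($offsets | Measure-Object -Average).Average
}

function Test-KerberosSkew {
    param([Parameter(Mandatory=$true)][string]$Peer, [int]$MaxSkewSeconds = 300)
    $offset = Get-TimeOffsetSeconds -Peer $Peer
    New-Object PSObject -Property @{
        Peer               = $Peer
        OffsetSeconds      = [math]::Round($offset, 3)
        WithinKerberosSkew = ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage (on the PDC emulator):
# Set-ExternalTimeSource -Peer 'time.example.net','time2.example.net'
# Test-KerberosSkew -Peer 'time.example.net'
```

Lines that w32tm prints for failed samples (an error code instead of an offset) do not match the pattern and are dropped, so a peer that never answers raises an error rather than reporting an offset of zero.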

Domain Functional Level
Windows Server 2008 R2 --> Windows Server 2008 --> Windows Server 2003 --> Windows 2000 Native
The higher the domain functional level, the more features are available. It is limited by the oldest DC Windows version in the domain
Make sure you will never need a lower-level DC again: all down-level DCs must have been upgraded or demoted before raising, because the level cannot be lowered afterwards

Raise the domain functional level
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Right click the domain and click "Raise domain functional level"
3. Choose the functional level to raise to and click OK

Windows 2000 Native domain functional level
1. The lowest level supported with Windows Server 2008 DCs
2. Basic Active Directory functionality only

Windows Server 2003 domain functional level
1. Domain controllers can be renamed
2. Last logon time of users is replicated (lastLogonTimestamp attribute; view it in ADSI Edit --> Default naming context --> CN=Users --> user's properties)
3. Constrained delegation: a service may impersonate users only towards a listed set of target services, instead of towards any service
4. Selective authentication for forest trusts
5. Authorization Manager (AzMan) can store authorization policies in Active Directory

Windows Server 2008 domain functional level
1. DFS Replication (DFS-R) for SYSVOL instead of FRS
2. Advanced Encryption Standard (AES) for Kerberos
3. Last interactive logon information, including failed attempts
4. Fine-grained password policies: different password and lockout policies for different users or global security groups (applied through Password Settings Objects, not per OU)

Windows Server 2008 R2 domain functional level
1. Authentication mechanism assurance (group membership based on how the user authenticated, e.g. with a smart card)
2. Automatic SPN (Service Principal Name) management for managed service accounts

Forest Functional Level
Windows Server 2008 R2 --> Windows Server 2008 --> Windows Server 2003 --> Windows 2000
The higher the forest functional level, the more features are available. It is limited by the lowest domain functional level in the forest

Raise the forest functional level
1. Go to Control Panel / Administrative Tools / Active Directory Domains and Trusts
2. Right click the root node "Active Directory Domains and Trusts" and click "Raise forest functional level"
3. Choose the functional level to raise to and click OK
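Because neither level can be lowered again, the check that every DC is already at the target OS should come before the raise. The following is an added example (not course code) that inventories the DCs, refuses to raise while a down-level DC exists, and then raises both the domain and forest modes with the 2008 R2 ActiveDirectory module. The domain name follows the notes.

```powershell
# Added example, not from the course notes. Domain name from the notes; the
# ActiveDirectory module (Windows Server 2008 R2) is assumed.
Import-Module ActiveDirectory

function Get-DomainModeOrder {
    # Lowest to highest; index comparisons below rely on this order.
    @('Windows2000Domain','Windows2003Domain','Windows2008Domain','Windows2008R2Domain')
}

function Get-DcInventory {
    param([string]$Domain = 'ITFreeTraining.local')
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object HostName, Site, OperatingSystem, OperatingSystemServicePack, IsReadOnly, IsGlobalCatalog
}

function Get-MaxDomainModeForOs {
    # Highest domain functional level a DC running this OS can take part in.
    param([string]$Os)
    switch -Regex ($Os) {
        'Windows Server 2008 R2' { 'Windows2008R2Domain'; break }
        'Windows Server 2008'    { 'Windows2008Domain';   break }
        'Windows Server 2003'    { 'Windows2003Domain';   break }
        'Windows 2000'           { 'Windows2000Domain';   break }
        default                  { 'Unknown' }
    }
}

function Test-DomainModeReady {
    param([string]$Domain = 'ITFreeTraining.local', [string]$Target = 'Windows2008R2Domain')
    $order     = Get-DomainModeOrder
    $targetIdx = [array]::IndexOf($order, $Target)
    $blocking  = foreach ($dc in Get-DcInventory -Domain $Domain) {
        $max = Get-MaxDomainModeForOs -Os $dc.OperatingSystem
        # An unknown OS gives index -1 and blocks the raise: look before guessing.
        if ([array]::IndexOf($order, $max) -lt $targetIdx) { $dc }
    }
    if ($blocking) {
        Write-Warning "These DCs must be upgraded or demoted before raising to $Target"
        $blocking | Format-Table HostName, OperatingSystem, OperatingSystemServicePack -AutoSize | Out-Host
        return $false
    }
    $true
}

function Set-DomainAndForestMode {
    param([string]$Domain = 'ITFreeTraining.local',
          [string]$DomainMode = 'Windows2008R2Domain',
          [string]$ForestMode = 'Windows2008R2Forest')
    if (-not (Test-DomainModeReady -Domain $Domain -Target $DomainMode)) { throw 'Raise aborted.' }
    Set-ADDomainMode -Identity $Domain -DomainMode $DomainMode -Confirm:$false
    # The forest can only be raised once every domain in it is at the matching domain mode.
    Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode $ForestMode -Confirm:$false
    Get-ADDomain -Identity $Domain | Select-Object DNSRoot, DomainMode
    Get-ADForest | Select-Object Name, ForestMode
}

# Usage:
# Test-DomainModeReady -Target Windows2008R2Domain
# Set-DomainAndForestMode
```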

Windows 2000 Forest Functional Level
Basic Active Directory functionality

Windows Server 2003 Forest Functional Level
1. Forest trust: share resources between forests
2. Rename domains
3. Linked-value replication (individual group members replicate instead of the whole member list)
4. Improved Knowledge Consistency Checker (KCC)
5. Dynamic auxiliary classes (dynamic entries)
6. Convert an inetOrgPerson object into a user object and back
7. Windows Server 2008 read-only domain controllers (RODC)
8. Deactivation of attributes and classes in the schema

Windows Server 2008 Forest Functional Level
No new features (it only guarantees that every domain is at the 2008 domain level)

Windows Server 2008 R2 Forest Functional Level
Active Directory Recycle Bin

Upgrading Active Directory to Windows Server 2008
Pre-upgrade
1. Remove all NT4 domain controllers
2. Upgrade all domain controllers to Windows 2000 SP4 or later
3. All domains at the Windows 2000 native domain functional level or higher
4. Forest functional level Windows 2000 or higher
5. Run as a member of Schema Admins, Enterprise Admins and Domain Admins

Upgrading
Run the ADPrep tool from the Server 2008 / R2 DVD (location \support\adprep)
1. ADPrep /ForestPrep (run on the DC holding the schema master role, once per forest) --> extends the schema and prepares the forest; it does not raise the forest functional level
2. ADPrep /DomainPrep (run on the DC holding the infrastructure master role, once in every domain) --> prepares the domain; it does not raise the domain functional level
3. ADPrep /DomainPrep /GPPrep (adds the permissions needed for Resultant Set of Policy planning)
4. ADPrep /RODCPrep (once per forest, if you will use read-only DCs)

Reasons to add a child domain
1. Business requirements
2. Different support requirements
3. Different security requirements (a separate domain has its own password policy and admins, but it is not a security boundary; the forest is)

Windows Server 2008 Active Directory Uninstall (demote)
Before starting, check where the operations master roles are: netdom query fsmo (transfer any roles this DC holds first)
1. Run dcpromo.exe to demote the DC
2. Then remove the AD DS and DNS roles

Active Directory Trusts
Forest trust (created manually) / Tree-root trust (automatic) / Shortcut trust (created manually) / Parent-child domain trust (automatic) / Realm trust (AD to a non-AD Kerberos realm) / External trust
A trust provides a path to resources; it does not grant access (permissions are still assigned per resource)

Create a trust
1. Go to Control Panel / Administrative Tools / Active Directory Domains and Trusts
2. Right click the domain the trust is to be created for, click "Properties", then the "Trusts" tab
3. Click "New Trust" to create the trust

Sites and Subnets
Site: a group of well-connected networks (typically LAN speed)

Example:
New York site: 192.168.2.0/24; 192.168.20.0/24
Washington site: 192.168.3.0/24; 192.168.6.0/24
London site: 192.168.4.0/24; 192.168.5.0/24

Create sites
1. Go to Control Panel / Administrative Tools / Active Directory Sites and Services
2. Right click "Sites" and click "New Site" to create the sites
3. Right click "Subnets" and click "New Subnet" to create the subnets and assign each to a site
4. Drag each DC to its site

To prevent a server being dragged or deleted by accident: right click the DC server object, Properties, "Object" tab, tick "Protect object from accidental deletion"

Active Directory Replication
Intrasite replication
1. Happens between domain controllers in the same site
2. Connections are created automatically (by the KCC)
3. Starts 15 seconds after a change (change notification)

Intersite replication
1. Happens between domain controllers in different sites
2. Site links are created manually
3. A bridgehead server replicates with the bridgehead of the other site
4. The bridgehead server is chosen automatically
5. If you choose the bridgehead server manually and it is unavailable, replication for that site stops
6. Runs on a schedule and interval; the route is chosen by site link cost

Site Link
Transport is either RPC over IP or SMTP
1. RPC over IP (synchronous): supports everything Active Directory needs
2. SMTP (asynchronous, mail-based, needs an enterprise CA to sign the mail): does not replicate the domain partition or SYSVOL files, so it cannot be the only link between DCs of the same domain; it carries only the schema, configuration and GC partial replicas

Create Site Link
1. Go to Control Panel / Administrative Tools / Active Directory Sites and Services
2. Click Inter-Site Transports / IP to see the current site links
3. Right click IP and click "New Site Link" to create a new site link
4. Change the cost and replication interval by right clicking the site link and clicking Properties

Knowledge Consistency Checker (KCC)
1. Automatically creates connection objects between DCs and sites
2. Reconfigures the connections when links go down
3. Runs in the background (every 15 minutes) and does not need to be configured
4. Creates both intrasite and intersite connections
5. Chooses bridgehead servers
6. Uses the site, subnet and site link objects stored in the AD configuration partition to decide which connections to create

Check with the command line
1. repadmin /kcc site:NewYork     (run the KCC now on every DC in the site)
2. repadmin /syncall              (trigger replication with all partners)
3. repadmin /bridgeheads          (list the bridgehead servers)
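The repadmin checks above produce text; for a daily health check it helps to turn them into objects and filter for partners that have failed. The following is an added example (not course code) that parses repadmin's CSV output, reports every inbound connection with a failure or no success within 24 hours, and triggers the KCC for one site; the site name NewYork is the notes' example.

```powershell
# Added example, not from the course notes. Site name NewYork is the notes'
# example; repadmin from Windows Server 2008 is assumed.
function Get-ReplicationStatus {
    # repadmin's CSV has a header row (first column "showrepl_COLUMNS") and one
    # "showrepl_INFO" row per naming context per inbound partner.
    $rows = & repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        New-Object PSObject -Property @{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = [int]$r.'Number of Failures'
            LastSuccess   = ($r.'Last Success Time' -as [datetime])   # $null if never
            LastStatus    = $r.'Last Failure Status'
        }
    }
}

function Get-FailedReplicationLinks {
    param([int]$MaxHoursSinceSuccess = 24)
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    Get-ReplicationStatus | Where-Object {
        $_.Failures -gt 0 -or $_.LastSuccess -eq $null -or $_.LastSuccess -lt $cutoff
    } | Sort-Object Destination, Source
}

function Invoke-SiteKcc {
    param([string]$Site = 'NewYork')
    # The DSA_LIST form "site:<name>" targets every DC in the site.
    & repadmin /kcc "site:$Site"
    & repadmin /bridgeheads "site:$Site" /verbose
}

# Usage:
# Get-FailedReplicationLinks | Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize
# Invoke-SiteKcc -Site NewYork
```

A partner that has never replicated successfully shows a blank "Last Success Time", which the -as cast turns into $null and the filter treats as a failure rather than silently skipping it.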

User and Computer Accounts
All accounts have a SID (security identifier) associated with them
SID: unique number identifying the account; permissions are stored against the SID, not the name

Example:
If an employee leaves, the company can just disable the account.
When a new employee arrives to replace them, the account can be enabled and renamed. Note that the new person then inherits every permission and group membership tied to that SID, so review them before enabling (many organizations create a fresh account instead).

On a client, if a SID cannot be resolved (the DC is unreachable, or the account has been deleted) the ACL entry is displayed as the raw SID.
Once the connection to the DC is restored the entry shows the domain account name again.

User logon name formats
Old (pre-Windows 2000) format: Domain\Username
New format (UPN): Username@domain

The last part of the UPN (the UPN suffix) can be changed. Logon with a UPN needs a Global Catalog (GC) to resolve it.
To use a different suffix:
1. Go to Control Panel / Administrative Tools / Active Directory Domains and Trusts
2. Right click "Active Directory Domains and Trusts" and click "Properties"
3. Type the new suffix into "Alternative UPN suffixes" and click "Add"
4. When creating a new user you can then choose the new suffix.

Computer Account
Has a password like a user account; the password is randomly generated
The password is used to set up the secure channel to the DC
The computer changes the password itself every 30 days by default

Nested Groups (role-based access control)
Create nested groups based on users' roles in addition to the groups based on department.
Used in environments with many servers and resources.
For example:
Folder: Invoice
Sales / Accounts: read and write the Invoice folder
Audit: read the Invoice folder
1. Create an Invoice Modify group and an Invoice Read group
2. Add the Sales group and the Accounts group to Invoice Modify
Add the Audit group to Invoice Read

Group Types
Local group (scope: the local computer only; stored in the computer's local SAM)
  Members from the same domain:                 User, Computer, Domain Local Group, Global Group, Universal Group
  Members from another domain in the forest:    User, Computer, Global Group, Universal Group
  Members from a domain in another forest:      User, Computer, Global Group
Domain Local group (scope: its own domain only; stored on the domain controllers)
  Members from the same domain:                 User, Computer, Domain Local Group, Global Group, Universal Group
  Members from another domain in the forest:    User, Computer, Global Group, Universal Group
  Members from a domain in another forest:      User, Computer, Global Group
Global group (scope: usable anywhere in the forest and in trusting forests; stored on the DCs of its domain, listed in the Global Catalog without its membership)
  Members from the same domain:                 User, Computer, Global Group
  Members from another domain in the forest:    N/A
  Members from a domain in another forest:      N/A
Universal group (scope: the whole forest; membership replicated to every Global Catalog server)
  Members from the same domain:                 User, Computer, Global Group, Universal Group
  Members from another domain in the forest:    User, Computer, Global Group, Universal Group
  Members from a domain in another forest:      N/A
Distribution and Security Groups
Security groups: used to assign permissions on files, folders and other objects; can also be mail-enabled for Exchange
Distribution groups: cannot be used for security; not security-enabled, so they never appear in a user's access token (the object still has an objectSid); used by Exchange for mailing lists

Converting between group types
1. Security to distribution
2. Distribution to security
3. Can be done at any time (at Windows 2000 native domain level or higher)

Default Local Groups
Administrators: full control of the computer; access to everything; can change permissions on all objects and take ownership if denied
Users: for the average user; run software; change settings relating to themselves
Power Users: kept for legacy application support; on Vista / 2008 it has the same rights as Users unless a security template grants it the old extra folder and registry permissions
Guests: limited access; used for kiosks; the profile is not saved at logoff
Backup Operators: back up and restore any file or folder (bypasses NTFS permissions, so effectively a privileged group)
Remote Desktop Users: can connect to the computer using Remote Desktop; Administrators have this right by default
Offer Remote Assistance Helpers: may offer unsolicited help; otherwise help must be requested
Network Configuration Operators: can change network settings; renew/release the DHCP configuration
Performance Monitor Users: monitor performance counters, locally and remotely
Performance Log Users: all of the above; can create data collector sets
IIS_IUSRS: used with Internet Information Services; has the permissions needed to run IIS worker processes
Replicator: used on a DC for file replication
Distributed COM Users: DCOM; members can start, activate and use DCOM objects
Cryptographic Operators: can perform cryptographic operations

Default Builtin Domain Groups
Domain \ Builtin: the groups that were local to the server before it was promoted to a DC; replicated to all DCs of the domain

Server Operators: only exists on domain controllers; no default members; members can log on to all domain controllers, start and stop services, back up and restore, format disks, create shares on the DCs and shut down or restart the DCs (treat as an admin-equivalent group)
Account Operators: no default members; can create, modify and delete accounts in the domain; can log on to a domain controller; cannot modify the Domain Controllers OU or the administrative groups
Print Operators: no default members; manage printers on the domain controllers; can log on to a domain controller and shut it down
Terminal Server License Servers: used for tracking Terminal Services user licences; the license server's computer account is added to this group
Incoming Forest Trust Builders: members can create an incoming forest trust to this domain (forest root domain only)
Certificate Service DCOM Access: exists on Windows Server 2008 DCs and non-DCs; allows connecting to the Certification Authority
Windows Authorization Access Group: gives read access to the computed tokenGroupsGlobalAndUniversal attribute of user accounts; add users only if software requires it
Pre-Windows 2000 Compatible Access: allows read access to all users and groups in the domain; add users and groups only if they must use Windows NT-era clients (adding "Everyone" or "Anonymous Logon" here lets unauthenticated users read the directory)

Default Domain Groups
Enterprise Admins: the most powerful group in AD; admin rights in every domain of the forest; access to forest-wide configuration; can add/remove domains (forest root domain only)
Schema Admins: forest root domain only; the only group that can modify the schema (the schema defines the AD database forest-wide); keep it empty until a schema change is needed
Domain Admins: administrator access to that domain; administrator rights on all users and computers, including the DCs
Domain Users: log on to workstations; run applications; perform non-administrative tasks
Domain Guests: no default rights; not added to the computers' local Guests group; cannot log on to any computer by default
Domain Computers: all computer accounts in the domain except the domain controllers
Domain Controllers: contains all domain controllers of the domain
Read-only Domain Controllers: holds the computer accounts of RODCs; an RODC is not a member of the Domain Controllers group
Enterprise Read-only Domain Controllers: forest root domain only; empty by default
Allowed RODC Password Replication Group: accounts whose passwords may be cached on an RODC
Denied RODC Password Replication Group: accounts whose passwords must never be cached on an RODC; deny overrides allow
DnsAdmins: basic DNS administration; start and stop the DNS service (members can also change the server's plug-in DLL setting, so treat the group as privileged)
DnsUpdateProxy: performs DNS updates on behalf of other clients (typically DHCP servers); records it creates have no owner and can be overwritten by anyone, so use it carefully
DHCP Administrators: administer DHCP servers; start and stop the service
DHCP Users: read-only access to the DHCP server
Group Policy Creator Owners: create and modify Group Policy objects in the domain
Cert Publishers: publish certificates for users and computers to AD
RAS and IAS Servers: may read the remote access properties of user accounts

Special Identities (membership is decided by how the principal connected or authenticated, not by an administrator) --> cannot be edited and do not appear in ADUC
Anonymous Logon: access without a username and password
Authenticated Users: any user from any domain in the forest, including trusted domains outside the forest (but not Guest or Anonymous)
Everyone (S-1-1-0): Authenticated Users plus Guest; since Windows XP / Server 2003 it no longer includes Anonymous Logon unless the "Let Everyone permissions apply to anonymous users" policy is enabled
Interactive: logged on at the console, including via Remote Desktop
Network: any access from the network

Group Strategy AGDLP (role-based group strategy)
Suitable for medium-size networks (500 users or more), single domain / single forest
AGDLP: Accounts --> Global groups --> Domain Local groups --> Permissions
Example
Resource: colour printer
Domain local group: "Color printing allowed" (based on resource and role) --> receives the permission
Global groups: Sales Users / Marketing Users (based on user / department) --> nested in the domain local group
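The Invoice folder from the nested-group section built as AGDLP, as an added example that is not code from the course: accounts go into global groups by department, the global groups are nested into domain local groups by resource and access level, and only the domain local groups appear on the NTFS ACL. The OU, folder path and group names are assumed; the domain follows the notes.

```powershell
# Added example, not from the course notes. Assumed: OU=Groups, D:\Shares\Invoice,
# group names G-*/DL-*; domain ITFreeTraining.local from the notes.
Import-Module ActiveDirectory

function New-GroupIfMissing {
    param([string]$Name,
          [ValidateSet('Global','DomainLocal')][string]$Scope,
          [string]$Path = 'OU=Groups,DC=ITFreeTraining,DC=local')
    $g = Get-ADGroup -Filter { Name -eq $Name } -SearchBase $Path
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
    }
    $g
}

function Grant-FolderAccess {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function New-InvoiceFolderAccess {
    param([string]$Folder = 'D:\Shares\Invoice', [string]$NetBiosDomain = 'ITFREETRAINING')
    # A -> G : departments
    $gSales = New-GroupIfMissing -Name 'G-Sales'    -Scope Global
    $gAcct  = New-GroupIfMissing -Name 'G-Accounts' -Scope Global
    $gAudit = New-GroupIfMissing -Name 'G-Audit'    -Scope Global
    # G -> DL : one domain local group per resource and access level
    $dlMod  = New-GroupIfMissing -Name 'DL-Invoice-Modify' -Scope DomainLocal
    $dlRead = New-GroupIfMissing -Name 'DL-Invoice-Read'   -Scope DomainLocal
    Add-ADGroupMember -Identity $dlMod  -Members $gSales, $gAcct
    Add-ADGroupMember -Identity $dlRead -Members $gAudit
    # DL -> P : the ACL never references users or global groups directly
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    Grant-FolderAccess -Path $Folder -Account "$NetBiosDomain\DL-Invoice-Modify" -Rights Modify
    Grant-FolderAccess -Path $Folder -Account "$NetBiosDomain\DL-Invoice-Read"   -Rights ReadAndExecute
    # Verify: expanded membership of the modify group and the resulting ACL
    Get-ADGroupMember -Identity $dlMod -Recursive | Select-Object Name, objectClass
    (Get-Acl -Path $Folder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (on a server holding the share, with the AD module installed):
# New-InvoiceFolderAccess
```

Moving a person from Sales to Audit then means changing one global group membership; the folder ACL is never touched again, which is the point of the strategy.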

Group Strategy AGUDLP
AGUDLP: Accounts --> Global groups --> Universal group --> Domain Local groups --> Permissions
Example
Environment: 5 domains
1. Per domain --> global groups
2. Combine the global groups of all domains --> universal group
3. Per resource and role --> domain local groups, which receive the permissions

Universal Group Membership Caching (UGMC)
Universal groups: a global catalog is required at user logon to enumerate universal group membership (an authentication-time dependency only).
If no GC is available during logon
1. cached credentials are used if available (the user can log on locally)
2. the user cannot access network resources

A domain controller with Universal Group Membership Caching enabled can authenticate users when the GC is unavailable
The cache is refreshed from a GC every 8 hours

Enable UGMC
1. Go to Control Panel / Administrative Tools / Active Directory Sites and Services
2. Right click "NTDS Site Settings" under the site to configure, click "Properties"
3. Tick "Enable Universal Group Membership Caching"

Windows Contacts
Contacts in Windows 7 and in AD: hold third-party contact details
AD contacts: only contain details; they are not security principals (no SID); can be used by systems such as Exchange
Contacts can be added to groups; a mail-enabled group then sends mail to them as well.

Windows 7 Contacts
Stored in text-based XML format

Create contacts
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Right click "Users", New, "Contact"
 
Protected Admin
User Account Control (UAC): first added in Windows Vista and Windows Server 2008
An administrator logs on with two tokens: a filtered standard-user token (the Administrators SID marked deny-only) used by default, and the full administrator token used only after elevation

Service Accounts
Created to run only one particular application or service, following the principle of least privilege

If the Administrator account is used instead:
1. when the password changes, every service using it has to be changed as well;
2. if a service is missed, its failed logons lock the account or break the application, and a compromised application runs with full admin rights.

Create a service account
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Right click "Users", click "New User" --> CWRService
3. Right click "Users", click "New Group" --> ServiceAccounts (and make CWRService a member)
4. On the local computer, open "Edit local users and groups" and grant CWRService the rights it needs. The course adds it to the local Administrators group; prefer granting only "Log on as a service" plus the specific folder and registry permissions the service uses, so that a compromise of the service does not yield local admin.
5. In Services on the local computer, change the service to log on as CWRService.

Attention:
"User must change password at next logon" must not be selected (a service cannot answer the prompt)
"User cannot change password" should be selected
"Password never expires" should be selected (so the service does not break unexpectedly; rotate the password on your own schedule instead)

Managed Service Accounts (MSA)
1. Password changed automatically by the computer
2. Random 120-character password
3. Changed every 30 days
4. Bound to one computer only (a 2008 R2 MSA cannot be shared between hosts)

Requirements
Domain: schema extended for Windows Server 2008 R2; domain functional level Windows Server 2008 R2 for automatic SPN management
Hosts: Windows Server 2008 R2 / Windows 7
Software: .NET Framework 3.5 / Active Directory module for Windows PowerShell

Supported software
No interactive logon is possible with an MSA
1. Exchange (except for sending email)
2. IIS
3. AD LDS

Create a Managed Service Account
1. Start PowerShell
2. Load the module: Import-Module ActiveDirectory
3. Create the account: New-ADServiceAccount -Name ManagedIISService -Enabled $true
4. Check: Control Panel / Administrative Tools / Active Directory Users and Computers / Managed Service Accounts
5. Bind the account to one server (on the DC): Add-ADComputerServiceAccount -Identity Svr1 -ServiceAccount ManagedIISService
   then install it on that server (run on Svr1): Install-ADServiceAccount -Identity ManagedIISService
6. Close PowerShell
7. Change the IIS application pool to use the managed service account "ManagedIISService":
A. Select the pool in "Application Pools"
B. Right click the pool and click "Advanced Settings"
C. Click "Identity", choose "Custom account"
D. Enter "ITFreeTraining\ManagedIISService$" (note the trailing $) and leave the password empty
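Both account types from the two sections above scripted, as an added example that is not code from the course: a conventional service account created with the flags the notes call for but without local Administrators membership, and a managed service account bound to its host, installed there, verified, and assigned to an IIS application pool. The names CWRService, ManagedIISService and Svr1 follow the notes; the OU, service name and pool name are assumed.

```powershell
# Added example, not from the course notes. Assumed: OU=ServiceAccounts, the
# Windows service name passed to Set-ServiceLogonAccount, pool DefaultAppPool.
Import-Module ActiveDirectory

function New-LeastPrivilegeServiceAccount {
    param(
        [string]$Name  = 'CWRService',
        [string]$Path  = 'OU=ServiceAccounts,DC=ITFreeTraining,DC=local',
        [string]$Group = 'ServiceAccounts'
    )
    $pwd = Read-Host -Prompt "Initial password for $Name" -AsSecureString
    $u = New-ADUser -Name $Name -SamAccountName $Name -Path $Path -AccountPassword $pwd `
            -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
            -ChangePasswordAtLogon $false -Description 'Service account; no interactive logon' -PassThru
    Add-ADGroupMember -Identity $Group -Members $u
    $u
}

# Run on the member server. Setting the logon account through WMI does not
# grant "Log on as a service" (the Services MMC does that silently), so assign
# that right by GPO / Local Security Policy: it is all the account needs.
function Set-ServiceLogonAccount {
    param([string]$ServiceName, [string]$Account, [System.Security.SecureString]$Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found" }
    # Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #        DesktopInteract, StartName, StartPassword); $null keeps the value
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $Account, $plain)
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($r.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

# Run on a DC: create the MSA and bind it to exactly one host.
function New-HostBoundServiceAccount {
    param([string]$Name = 'ManagedIISService', [string]$ComputerName = 'Svr1')
    if (-not (Get-ADServiceAccount -Filter { Name -eq $Name })) {
        New-ADServiceAccount -Name $Name -Enabled $true | Out-Null
    }
    Add-ADComputerServiceAccount -Identity $ComputerName -ServiceAccount $Name
    Get-ADServiceAccount -Identity $Name -Properties HostComputers | Select-Object Name, HostComputers
}

# Run on the host itself (Install-ADServiceAccount must execute locally):
# install the MSA, prove the host can use it, then assign it to the pool.
function Install-MsaForAppPool {
    param([string]$Name = 'ManagedIISService', [string]$Domain = 'ITFreeTraining', [string]$AppPool = 'DefaultAppPool')
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) { throw "$Name cannot be used on this host" }
    Import-Module WebAdministration
    # identityType 3 = SpecificUser; the MSA name ends in $ and has no password
    Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel `
        -Value @{ identityType = 3; userName = "$Domain\$Name`$"; password = '' }
    Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel | Select-Object identityType, userName
}

# Usage:
# $acct = New-LeastPrivilegeServiceAccount                                   # on a DC
# Set-ServiceLogonAccount -ServiceName 'CWR' -Account 'ITFREETRAINING\CWRService' -Password (Read-Host -AsSecureString)   # on the server
# New-HostBoundServiceAccount -Name ManagedIISService -ComputerName Svr1      # on a DC
# Install-MsaForAppPool -Name ManagedIISService -AppPool DefaultAppPool       # on Svr1
```

Test-ADServiceAccount returning $false on the host is the usual symptom of running Install-ADServiceAccount over a remoting session (Kerberos double hop) or of the binding having been made to a different computer object; run the install locally and check HostComputers on the account.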

Offline Domain Join
Join a computer to the domain without that computer contacting a domain controller

Requirements
Clients: Windows 7 or Windows Server 2008 R2

Process (on a DC or a domain-joined admin workstation)
1. Open a command prompt
2. Run: DJoin /Provision /Domain ITFreeTraining.Local /Machine ws2 /SaveFile c:\1.txt
   The file contains the new computer account's password: protect it in transit and delete it after use

Client side
1. Copy 1.txt to the client
2. Disable the network (not required; it shows that the join works offline)
3. Open a command prompt
4. Run: DJoin /RequestODJ /LoadFile c:\1.txt /WindowsPath %windir% /LocalOS
5. Restart the computer

Organizational Units & Shadow Groups
Divide objects based on business needs: geography / departments / computer type
Shadow group: a security group kept in sync with all the users of an OU (for example to apply a fine-grained password policy, which targets groups rather than OUs)

Default containers and OUs
Cannot be deleted
Builtin: the local account database of the former stand-alone server; a container, so no Group Policy can be linked to it
Users: a container; no Group Policy can be linked to it
Computers: a container; no Group Policy can be linked to it
Domain Controllers: a real OU; Group Policy can be linked to it

Difference between an OU and a group?
OU: used for Group Policy and delegation of administration; an object exists in exactly one OU
Groups: provide access to resources; an object can be a member of many groups

Delegation of Control
Used to let non-administrators
1. reset passwords
2. manage user accounts
3. manage groups
4. manage Group Policy links

Set delegation of control
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Right click the organizational unit (or the Users container) and click "Delegate Control"
3. Add the user or group that should receive the delegation
4. Choose the tasks
5. Afterwards the user or group has permission to perform those tasks on objects in the OU
6. You can check the result on the Security tab (Advanced) of the OU or of the users inside it
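The wizard writes ACEs on the OU, so the same delegation can be granted from the command line and, more importantly, reviewed: the wizard has no "show me what has been delegated" view. The following is an added example (not course code) that grants the reset-password task to a group and lists the non-inherited ACEs on an OU with extended-right GUIDs resolved to names. The HelpDesk group is assumed; the OU follows the notes.

```powershell
# Added example, not from the course notes. Assumed group ITFREETRAINING\HelpDesk;
# OU=New York from the notes. Requires the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Grant-ResetPasswordDelegation {
    param([Parameter(Mandatory=$true)][string]$OuDn,
          [Parameter(Mandatory=$true)][string]$Group)     # DOMAIN\name
    # dsacls: /I:S applies to sub-objects of the named class; CA = control
    # access right; scoped to objects of class "user" only.
    & dsacls $OuDn /I:S /G "${Group}:CA;Reset Password;user"
    # Writing pwdLastSet is what "user must change password at next logon" does.
    & dsacls $OuDn /I:S /G "${Group}:RPWP;pwdLastSet;user"
}

function Get-ExtendedRightNames {
    # Map rightsGuid -> displayName for every control access right in the forest.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $map = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties rightsGuid, displayName |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    $map
}

function Get-OuDelegation {
    param([Parameter(Mandatory=$true)][string]$OuDn)
    $names = Get-ExtendedRightNames
    $acl   = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }          # only what was set on this OU
        $guid  = $ace.ObjectType.ToString()
        $right = if ($names.ContainsKey($guid)) { $names[$guid] }
                 elseif ($guid -eq '00000000-0000-0000-0000-000000000000') { '(all)' }
                 else { $guid }                     # attribute/class GUID (schemaIDGUID) left raw
        New-Object PSObject -Property @{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $right
            AppliesTo  = $ace.InheritanceType
        }
    }
}

# Usage:
# Grant-ResetPasswordDelegation -OuDn 'OU=New York,DC=ITFreeTraining,DC=local' -Group 'ITFREETRAINING\HelpDesk'
# Get-OuDelegation -OuDn 'OU=New York,DC=ITFreeTraining,DC=local' | Format-Table -AutoSize
```

Running Get-OuDelegation before and after the wizard is a quick way to confirm that "Reset user passwords and force password change at next logon" produced exactly the two ACEs above and nothing broader.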

Command Line Tools
DSAdd: add an object to AD
1. Open a command prompt
2. Add a user: DSAdd user "cn=Smith,cn=users,dc=ITFreeTraining,dc=local" -fn John -ln Smith -pwd P@ssw0rd -mustchpwd yes
3. Add a computer: DSAdd computer "cn=pc1,cn=computers,dc=ITFreeTraining,dc=local"
4. Add a global group: DSAdd group "cn=GSales,ou=Users,ou=New York,dc=ITFreeTraining,dc=local" -scope g

DSGet: retrieve information about an object
1. Open a command prompt
2. Get first name, last name and email of a user: DSGet user "cn=John Doe,ou=Users,ou=New York,dc=ITFreeTraining,dc=local" -fn -ln -email

DSMod: modify an object
1. Open a command prompt
2. Change a user's password: DSMod user "cn=Smith,cn=users,dc=ITFreeTraining,dc=local" -pwd P@ssw0rd2 -mustchpwd yes
   (a password typed on the command line ends up in the console history; -pwd * prompts for it instead)

DSRM: delete an object
1. Open a command prompt
2. Delete an OU and everything in it: DSRm "OU=Testing,dc=ITFreeTraining,dc=local" -subtree -c

DSQuery: find objects
1. Open a command prompt
2. List OUs: DSQuery ou "DC=ITFreeTraining,DC=local"

CSVDE & LDIFDE
Create a lot of user accounts; Migrate users between systems

CSVDE: user comma-delimited format / compatible with Excel
LDIFDE: LDAP data interchange format (LDif), can be used with non-Microsoft Directories

CSVDE
1. Open "Windows Command"
2. Input Command to export all objects: csvde -f <FILE NAME>
Example: csvde -f OutputAD.csv
3. Input Command to create objects: csvde -i -f <FILE NAME>
Example: csvde -i -f InputAD.csv

LDIFDE
1. Open "Windows Command"
2. Input Command to export all objects: ldifde -f <FILE NAME>
Example: ldifde -f OutputAD.ldf
3. Input Command to create objects: ldifde -i -f <FILE NAME>
Example: ldifde -i -f OutputAD.ldf
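What the file given to ldifde -i looks like, as an added example that is not from the original notes (a constructed sample, using the notes' example domain). Over plain LDAP ldifde cannot set unicodePwd, so the account is created disabled (userAccountControl 514) and is enabled after a password has been set by other means.

```ldif
# Constructed sample for: ldifde -i -f NewUser.ldf
# Record 1: create a user in the New York OU (records are separated by a blank line)
dn: CN=Jane Roe,OU=Users,OU=New York,DC=ITFreeTraining,DC=local
changetype: add
objectClass: user
cn: Jane Roe
sAMAccountName: Jane.Roe
givenName: Jane
sn: Roe
displayName: Jane Roe
userPrincipalName: jane.roe@ITFreeTraining.local
userAccountControl: 514

# Record 2: modify an attribute on the same object; "-" ends the change block
dn: CN=Jane Roe,OU=Users,OU=New York,DC=ITFreeTraining,DC=local
changetype: modify
replace: description
description: Created by LDIFDE import
-
```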

Powershell
Powershell vs Command 
Command: Good for batch processing
Powershell: task based / integrated with other technologies

Input command to print a string: Write-Host "Hello World" / echo "Hello World"
Input command to see what a command alias points to: Get-Alias echo

input command to create AD user
$objOU=[ADSI]"LDAP://OU=New York, DC=ITFreeTraining, DC=local"
$objUser=$objOU.Create("user","CN=Charile Wilson")
$objUser.Put("sAMAccountName","Charile.Wilson")
$objUser.SetInfo()

input command to modify AD user
$objUser=[ADSI]"LDAP://CN=John Doe, OU=New York, DC=ITFreeTraining, DC=local"
$objUser.put("GivenName","John")
$objUser.put("Initials","M")
$objUser.put("sn","Doe")
$objUser.put("DisplayName","John Doe")
$objUser.SetInfo()

VBScript
Released 1996 / Based on Visual Basic

VBScript vs PowerShell
PowerShell requires .Net 2.0
Plenty of VBScript examples
VBScript no shell support

Example Create User --> createuser.vbs
Set objOU = GetObject("LDAP://OU=User, OU=New York, DC=ITFreeTraining, DC=Local")
Set objUser = objOU.Create("user", "CN=John Doe")
objUser.Put "sAMAccountName", "John Doe"   ' a Sub call takes no parentheses in VBScript
objUser.SetInfo                            ' commit the new object to Active Directory

Active Directory Migration Tool (ADMT), version 3.2
Prerequisites: SQL Server / SQL Express

Migration type
Inter-Forest Migration
Intra-Forest Migration

Install ADMT
1. download ADMT / SQL Express
2. Install SQL Express
3. Install ADMT
4. Start ADMT. Right click "Active Directory Migration Tool" and click "User Account Migration Wizard"
5. Follow the wizard to complete the migration

RSAT & SNAP-INS
Remote Server Administration Tools (RSAT) must be downloaded from the Microsoft website
RSAT snap-ins are run inside the Microsoft Management Console (MMC)

1. Download RSAT
2. Install RSAT
3. Turn on the RSAT tools in Windows Features (Control Panel / Programs and Features)
4. The tools you chose are then listed under Administrative Tools

Enable "Server Manager" in workstation
1. Input "mmc" in Run
2. Click File --> Add/Remove Snap-in
3. Choose "Remote Desktops"
4. Right click "Remote Desktops" and click "Add new connection" to create the connection to the target server
5. Double click the target server
6. Through the remote desktop session, click "Configure Server Manager Remote Management" on the target server
7. Tick "Enable remote management of this server from other computers" and click "OK"
8. Go back to MMC, click File --> Add/Remove Snap-in
9. Choose "Server Manager" and input the target server
10. Go back to MMC, click File --> Options
11. Choose the mode under "Console mode"
A. Author mode: full access and modification
B. User mode: full access
...

Group Policy
Provides centralized control for: User settings / computer settings
Control and deployment of applications
Control user experience
Text based config files (hard to manage) --> Registry (cannot be rolled back) --> Group Policy (easy to manage and roll back)

Group Policy Mechanics 
Policy is downloaded to the client machine from the DC and processed by client-side extensions registered at: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

1. Policy: forces every user / computer to follow the setting
A. Software Settings
B. Windows Settings
C. Administrative Templates
2. Preferences (introduced in Windows Server 2008): suggest a setting for every user / computer; the user can still change it

Group Policy Features
1. Group Policy Comments: description of the group policy
2. Starter Group Policy Objects: template file used to create new group policy
3. Network Location Awareness: group policy can detect network change
4. Preferences
5. PowerShell support: requires Windows Server 2008 R2 or Windows 7
6. File Format:
Before Windows Server 2008: ADM file, saved in the SysVol share; language specific
Windows Server 2008: ADMX file (XML based); multiple language support

Group Policy Configuration
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Different types: "group policy object" and "link to group policy object"

Create group policy
1. Right click the domain and click "Create a GPO in this domain..."
2. Input the group policy name
3. Right click the group policy object and click "Edit"
4. Use the filter to find the suitable policy setting

Installing Group Policy Tools (Use Client workstation to run group policy management)
Group Policy Management Console (GPMC)
Windows Server 2008: add as a feature
Windows 7 / Vista: add with RSAT
Windows XP: download GPMC from Microsoft

Windows 7 to setup Group Policy Tools
1. download and install RSAT
2. Go to Control Panel / Programs / Windows Features / Remote Server Administration Tools / Feature Administration Tools / Group Policy Management Tools
3. download the latest ADMX template with key word "ADMX Windows Server 2008 R2"
4. Install the download file
5. The default local location is "C:\Windows\PolicyDefinitions"
6. The install location is "C:\Program Files(x86)\Microsoft Group Policy\win72008r2\PolicyDefinitions"
7. Copy the install location folder "C:\Program Files(x86)\Microsoft Group Policy\win72008r2\PolicyDefinitions" to the DC sysvol policies folder ( \\<domain controller name>\sysvol\<domain name>\policies ), which makes it the central store
8. Go to Control Panel / Administrative Tools / Group Policy Management 

Group Policy Processing Order
Processing order: Local --> Site --> Domain --> OU's
Settings applied at a later level overwrite the earlier ones, so OU settings win over domain, site and local settings.
GPOs linked at the same level are ordered by link order, which sets their priority: they are processed from lowest priority to highest, and the higher-priority GPO (link order 1) overwrites a lower one on conflict.

Local Group Policy 
1. Input "group policy" in run command and open "Local Group Policy Editor"
2. Change the policy in it
3. log off and re-login to check the policy

Site Group Policy
1. Create "Group Policy Object" in Group Policy Management
2. Right click "Sites" and click "Show sites"
3. Right click specific site and click "Link an Existing GPO"
4. Right click the GPO under specific site and change the policy in it
5. log off and re-login to check the policy

Domain Group Policy
1. Create "Group Policy Object" in Group Policy Management
2. Right click the domain and click "Link an Existing GPO"
3. Right click the GPO under domain and change the policy in it
4. log off and re-login to check the policy

OU Group Policy
1. Create "Group Policy Object" in Group Policy Management
2. Right click the specific OU and click "Create a GPO in this domain, and link it here..."
3. Right click the GPO under OU and change the policy in it
4. log off and re-login to check the policy

Enforcing and Blocking Group Policy (use only when really needed)
Block Inheritance: prevents settings from higher levels from being applied; configured per OU
Enforced: configured per GPO link; moves the GPO to the end of processing so its settings cannot be overwritten or blocked
Processing order for enforced GPOs: OU --> Domain --> Sites

Config GP Block
1. Go to Control Panel / Administrative Tools / Group Policy Management 
2. Right click the specific OU, and click "Block Inheritance"

Config GP Enforce
1. Go to Control Panel / Administrative Tools / Group Policy Management 
2. Right click specific GP, and click "Enforce"

Group Policy Loopback Processing
Focuses on the computer object rather than the user

Loopback modes: Replace / Merge
User-side settings are applied based on where the computer object is located, not where the user is. Replace applies only the user settings of the computer's GPOs; Merge applies both, with the computer's GPOs winning conflicts.

Configure Loopback Replace mode
1. Put the user configuration settings you want in the GPO linked to the computer's OU
2. Enable the setting: Computer Configuration \ Policies \ Administrative Templates \ System \ Group Policy \ User Group Policy loopback processing mode
3. Restart the computer

Group Policy Preferences
Introduced in Windows Server 2008
Provides a lot of functionality
Preferences are not enforced
They do not overwrite the user's local settings

Starter GPOs
1. Go to Control Panel / Administrative Tools / Group Policy Management 
2. Go to Forest / Domains / <Domain name> / Starter GPOs
3. Click "Create Starter GPOs Folder"
4. Right click "Starter GPOs" and click "New"
5. Config the "Starter GPOs"
6. A Starter GPO can be used in a different domain of the same forest
7. The GPO created from it can be modified further

You can use copy / paste or backup / import to move a GPO.

Group Policy Filtering
OU Structure: first divided by location, then users divided by department and computers divided by operating system.

Select the GPO; on its Details tab, GPO Status can disable all settings, computer settings only or user settings only

WMI Filters
A WQL select query can be used to find out which computers a GPO applies to
Example (targets Windows XP Professional with Service Pack 3):
Select * from Win32_OperatingSystem where Caption="Microsoft Windows XP Professional" and CSDVersion="Service Pack 3"
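A way to test a WMI filter query on a client before attaching it to a GPO, as an added example that is not from the original notes; it goes beyond the page's XP case with a Windows 7 query (Version 6.1, ProductType 1 = workstation). The Test-WmiFilter function name is an assumption.

```powershell
# Added example (not from the original notes): a GPO with a WMI filter applies only when the
# query returns at least one instance, so run the same WQL on a client first.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory=$true)][string]$Query,
        [string]$ComputerName = '.'   # '.' = local machine; a remote name needs WMI/DCOM access
    )
    try {
        $hits = @(Get-WmiObject -Query $Query -Namespace 'root\cimv2' `
                                -ComputerName $ComputerName -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # A misspelled property (e.g. CDVersion instead of CSDVersion) fails here as an invalid query.
        Write-Warning "Query failed on ${ComputerName}: $($_.Exception.Message)"
        return $false
    }
}

# The notes' filter: XP Professional at Service Pack 3 (CSDVersion holds the service pack string).
$xpSp3 = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional" AND CSDVersion = "Service Pack 3"'
Test-WmiFilter -Query $xpSp3

# Same idea for Windows 7 clients: kernel version 6.1 and ProductType 1 (workstation, not server).
$win7 = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'
Test-WmiFilter -Query $win7
```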

Group Policy Replication
1. Group Policy Containter (GPC): saved in Active Diretory Database; use Active Directory Replication 
2. Group Policy Templage (GPT): saved in Sysvol Folder; use FRS or DFS-R to replicate

If two parts are not synchronization, it may trigger problem.

Check the synchronization status
File synchronization
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Click the GP, choose the details tab
3. Check the user version and computer version shown. If the AD and SYSVOL numbers are the same, the two parts are synchronized.
4. To find the SYSVOL version manually and compare it with the database part:
a. Open the sysvol folder by \\<domain controller hostname>\sysvol
b. Go to \<domain name>\policies\<specific GP ID>\
c. find the version in the file GPT.INI.

Database synchronization
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Click view in menu and click "Advanced Features"
3. Go to domain \ System \ Policies \ <specific GP ID>
4. Right click it and click the properties
5. Go to "Attribute Editor" tab and check the "versionNumber"
6. Compare it with the GPT.INI version from step 4c above.
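The same GPT/GPC comparison automated, as an added example that is not from the original notes: it reads Version= from GPT.INI in SYSVOL and versionNumber from the policy object in AD, splits each into its computer and user halves and reports whether they agree. The GPO GUID in the call is the well-known Default Domain Controllers Policy; the domain and DC names are constructed assumptions.

```powershell
# Added example (not from the original notes). PowerShell 2.0 compatible (Windows Server 2008 R2).
function Split-GpoVersion {
    param([Parameter(Mandatory=$true)][int]$Version)
    # Packed version number: low 16 bits = computer version, high 16 bits = user version.
    New-Object PSObject -Property @{
        Computer = $Version -band 0xFFFF
        User     = [int][math]::Floor($Version / 65536)
    }
}

function Compare-GpoVersion {
    param(
        [Parameter(Mandatory=$true)][string]$GpoGuid,    # '{...}' folder name under SYSVOL\...\Policies
        [Parameter(Mandatory=$true)][string]$DomainDns,  # e.g. 'ITFreeTraining.local'
        [Parameter(Mandatory=$true)][string]$DomainDn,   # e.g. 'DC=ITFreeTraining,DC=local'
        [Parameter(Mandatory=$true)][string]$DcName      # read both copies from the same DC
    )
    # 1. GPT side (step 4 in the notes): the Version= line in GPT.INI.
    $gptIni = "\\$DcName\SYSVOL\$DomainDns\Policies\$GpoGuid\GPT.INI"
    $gptVersion = $null
    foreach ($line in (Get-Content -Path $gptIni)) {
        if ($line -match '^Version=(\d+)\s*$') { $gptVersion = [int]$Matches[1] }
    }
    if ($null -eq $gptVersion) { throw "No Version= line found in $gptIni" }

    # 2. GPC side (the "Database synchronization" steps): versionNumber on the policy object.
    $gpc = [ADSI]"LDAP://$DcName/CN=$GpoGuid,CN=Policies,CN=System,$DomainDn"
    $adVersion = [int]$gpc.Properties['versionNumber'].Value

    $sysvol = Split-GpoVersion -Version $gptVersion
    $ad     = Split-GpoVersion -Version $adVersion
    New-Object PSObject -Property @{
        GpoGuid        = $GpoGuid
        AdComputer     = $ad.Computer
        SysvolComputer = $sysvol.Computer
        AdUser         = $ad.User
        SysvolUser     = $sysvol.User
        InSync         = ($adVersion -eq $gptVersion)   # both halves must match, as on the GPMC Details tab
    }
}

# Constructed call; substitute your own GPO GUID, domain and DC.
Compare-GpoVersion -GpoGuid '{6AC1786C-016F-11D2-945F-00C04FB984F9}' `
                   -DomainDns 'ITFreeTraining.local' -DomainDn 'DC=ITFreeTraining,DC=local' -DcName 'DC1'
```

On Windows Server 2008 R2 the GroupPolicy module's Get-GPO exposes the same four numbers as Computer.DSVersion / Computer.SysvolVersion and User.DSVersion / User.SysvolVersion.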

Group Policy Restricted Groups
Instead of going to each local computer to grant a domain user some privilege, you can use Group Policy Restricted Groups to achieve it.

Example:
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Right click the specific GP, click Edit
3. Go to Computer Configuration / Windows Settings / Security Settings / Restricted Groups
4. Right click "Restricted Group", click "Add Group"
5. Input the domain group and click OK
6. Click Add for "This group is a member of" and input the local group and click OK
7. On local machine, Open "Windows Command" and input the command "gpupdate /force" to refresh
8. Check in the local group manager by "lusrmgr.msc"

Local Group Management with Preferences (Restricted Groups override Group Policy Preferences)
Instead of going to each local computer to grant a domain user some privilege, you can use Group Policy Preferences to achieve it.
You can also rename the group and modify the group's members.

Example: 
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Right click the specific GP, click Edit
3. Go to User Configuration / Preferences / Control Panel Settings / Local Users and Groups
4. Right click the blank area and click "New" / "Local Group"
5. In the Action drop down list choose proper action
A. Create: creates the group if it does not exist
B. Replace: deletes and recreates the group and its members; the SID also changes
C. Update: creates the group if it does not exist, otherwise modifies the existing group
D. Delete: deletes the group if it exists

Group Policy Software Deployment
Using group policy to do software deployment
1. Group Policy Software Installation (GPSI)
2. No additional software or cost
3. software deployed per user

Three ways
                               Publishing (User)     Assigning (Computer)     Assigning (User)
Installed by                   Control Panel         Computer starts up       User logs in / runs shortcut
User opens associated file     Yes                   Already installed        Yes
Can user remove software       Yes                   No                       Yes
Supports ZAP                   Yes                   No                       No

MSI file
1. Contains all files and configuration
2. Defines features
3. Used by Windows Installer

MST file
1. Windows Installer Transform
2. Allows MSI files to be customized
 A. shortcuts
 B. Configure install directory
 C. Choose components
 D. Plus more

MSP file
1. Patch file
2. Can have updates, service packs
3. The software must already be installed; an MSP only updates it

ZAP file
1. A text script that installs the application
2. Does not support elevation
3. Installs only once, no install fail detection
4. Does not support roll back

Group Policy Software Deployment
1. Slow link detection: minimum speed 500 kbps (default)
2. Software share: right click the software folder, click Properties and share the folder with Everyone read access

Example for assigning computer installation
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Go to the OU and modify the GP
3. Right Click GP and click Edit
4. Go to Computer Configuration / Policies / Software Settings / Software Installation
5. Right click "Software Installation" and click "New" / "Package"
6. Choose the specific software by network path
7. Choose "Publish"  
8. Log in to the client workstation; the application will be installed

Description
On the "Deployment" tab, choose "Uninstall this application when it falls out of the scope of management" if the application must be uninstalled when the computer leaves the scope of the GPO (for example it leaves the domain, or the GPO link changes).

Example for publish user 
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Go to the OU and modify the GP
3. Right Click GP and click Edit
4. Go to User Configuration / Policies / Software Settings / Software Installation
5. Right click "Software Installation" and click "New" / "Package"
6. Choose the specific software by network path
7. Choose "Assign" 
8. Log in to the client workstation, go to Control Panel / Programs and Features / Install a program from the network

AppLocker
Controls which applications can run on the client workstation
1. Added in Windows 7 / Server 2008
2. Replaced Software Restriction Policies
3. Requires:
    Windows 7 Enterprise / Ultimate
    Windows 8 Enterprise
    Windows Server 2008 R2 Standard / Enterprise / Datacenter

Applocker Feature
1. Application Inventory: statistics collecting
2. Blocking unauthorized software
3. License conformance
4. Software standardization

Applocker Rules
1. Publisher: requires digital signature / can test for different versions
2. Hash: creates a hash value to identify the file / can not check for new versions
3. Path: created based on directory path

Setup Applocker
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Go to the proper OU and GP
3. Right click the GP and click edit
4. Go to Computer configuration / Policies / Windows Settings / Security Settings / System Services
5. Double click "Application Identity" and select "Define this policy setting" 
6. set the service startup mode as Automatic
7. Go to Computer configuration / Policies / Windows Settings / Security Settings / Application Control Policies / AppLocker
8. Click "Configure rule enforcement"
Suggestion: Choose "Audit only" first to test the AppLocker
9. Click "Executable Rules". Right click the blank area and Click "Automatically Generate Rules" 
10. Follow the default options and go to the end. 

Or create the rules manually

Group Policy Optimization
When a GPO is edited, the change is written to the DC holding the PDC emulator role by default.
If the DC with the PDC emulator is not available, you may change the DC used by:
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Right click domain, and click "Change Domain Controller"

After a GP change, Active Directory replication and the client refresh will run.
1. By default, the refresh runs automatically every 90 to 120 minutes;
change the computer interval: Computer Configuration \ Policies \ Administrative Templates \ System \ Group Policy \ Group Policy refresh interval for computers
change the DC interval: Computer Configuration \ Policies \ Administrative Templates \ System \ Group Policy \ Group Policy refresh interval for domain controllers
2. You may run the replication manually.
Method 1
a. Go to Control Panel / Administrative Tools / Active Directory Sites and Services
b. Go to the site / server / NTDS Settings
c. Right click the connection and click "Replicate Now"
Method 2
a. Open "Windows command"
b. input command: repadmin /syncall
Check the replication status: DCDiag

Group Policy Applying Problems
Group Policy may be processed before the network has started
To make the client wait for the network before applying policy, enable:
Computer Configuration \ Policies \ Administrative Templates \ System \ Logon \ Always wait for the network at computer startup and logon
Manually refresh: 
1. Open "Windows command"
2. input following command
a. all: gpupdate /force
b. users: gpupdate /target:user
c. computers: gpupdate /target:computer

Group Policy Troubleshooting
Resultant Set of Policy (RSOP)

Requirements
1. Administrative rights
2. Windows XP or above
3. For a remote computer
A. Ports 135 and 445 must be open
B. The WMI service must be running

Use RSOP
1. Go to Control Panel / Administrative Tools / Group Policy Management 

Group Policy Result: check the group policy result
1. Right click "Group Policy Results" and click "Group Policy Results Wizard"
A. If you want to check one client, the client must run "WMI Performance Adapter" service
B. Go to Control Panel / Administrative Tools / Windows Firewall and click "Advanced Settings"
C. Go to Inbound Rules and enable the following rules
I. "Remote Event Log Management(NP-In)" rule with domain Profile
II. "Remote Event Log Management(RPC)" rule with domain profile
III. "Remote Event Log Management(RPC-EPMAP)" with domain profile
IV. "Windows Management Instrumentation(WMI-In)" with domain profile
2. Accept the defaults and finish
3. You can then check the result for the specific computer

Group Policy Modeling: simulate the group policy running

From the client, the following commands can be used to check:
1. Show the summary: GPResult /r
2. Show the user settings: GPResult /v /Scope User
3. Show the computer settings: GPResult /v /Scope Computer
4. Export in HTML format: GPResult /h <filename>
5. Export in XML format: GPResult /x <filename>

Windows Security Setting
Security Template for Windows XP
1. improve compatibility
2. increase security

Local Security Policy --> local computer
Default Domain Controllers Policy --> Domain

Security Policy Migration
Method 1: use export and import to migrate the security policy
Method 2:
Export the local security policy from server1 to an .inf file and compare it with the local server's policy:
1. go to MMC
2. Add "Security Configuration and Analysis" 
3. Right click "Security Configuration and Analysis"  and click "Open Database"
4. Input a file name for the database and choose the inf file
5. Right click "Security Configuration and Analysis"  and click "Analyze Computer Now"
If you want to use the inf file setting to config the local server,
Right click "Security Configuration and Analysis"  and click "Configure Computer Now"

Security Configuration Wizard
1. Go to Control Panel / Administrative Tools / Security Configuration Wizard
2. Select "Create a new security policy"
3. Select the roles the server has installed now or will install later
4. Select the features the server has installed now or will install later
5. Select "Disable the service" to disable third-party services not mentioned in the wizard. If you need one, you can enable it later.
6. Unselect network security rules that are not needed
Example: if the server has a static IP, you may unselect DHCP

Convert the security policy file (xml) to a GP Object
1. Open "Windows command"
2. Input command: scwcmd transform /p:"<xml file path>" /g:"<GP Object name>"

Windows Audit
Object Permissions: Access Control List (ACL)
1. Discretionary Access Control List (DACL)
2. System Access Control List (SACL)

Windows Audit Config
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Right click the default Group Policy and click Edit
3. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy
4. Click "Audit account logon events", Choose the option "Define these policy settings", "Success" and "Failure" to audit the user login action

Windows Server 2008 R2 Default Settings
Setting                         Description                                                    Windows Server 2008 R2
Audit account logon events      Validates a logon (authoritative)                              Success
Audit account management        Changes to accounts and password resets                        Success
Audit directory service access  Changes to Active Directory accounts                           Success if SACL is configured
Audit logon events              Logon or connections are made                                  Success
Audit object access             Non-Active Directory objects (files and folders)               None
Audit policy change             User rights assignment, auditing, account and trust policies   Success
Audit privilege use             E.g. taking ownership                                          None
Audit process tracking          Process creation, termination, etc.                            None
Audit system events             Startup, shutdown, time changes, logs                          Success

Windows Server 2008 Auditing Change
Can record what has changed, and the value before the change.
Enable by running the command: AuditPol /set /SubCategory:"Directory Service Changes" /Success:Enable
Check "Event Viewer", Windows Logs \ Security

Windows Files Auditing
Config File / Folder audit
1. Go to the specific folder or file you need audit;
2. Right click the object and click "Properties"
3. Click the "Security" tab and click "Advanced" button
4. Click the "Auditing" tab and click "Continue" button
5. Input the user / everyone / group to "Principal"
6. Choose the type: Success / Fail / All
7. Choose the permission needs audit
8. Choose the condition
9. input "gpedit.msc" to start "Local Group Policy Editor"
10. Go to Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy
11. Click "Audit object access" and choose "Success" / "Failure"
12. Open "Windows Command"
13. Input command to refresh GP: GPUpdate /force
14. Check "Event Viewer", Windows logs \ Security  

Active Directory Password Policy

Default Password Policy
1. Go to Control Panel \ Administrative Tools \ Group Policy Management
2. Right Click "Default Domain Policy" and click "Edit"
3. Go to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Account Policies

Password Policy
Enforce password history: number of password changes required before a previous password can be reused. Default 24.
Maximum password age: maximum number of days a password can be used before it must be changed. Default 42 days.
Minimum password age: how long a user must keep a password before they can change it. Default 1 day.
Minimum password length: number of characters required in a password, 1 to 14. Default 7 characters.
Password must meet complexity requirements: password >= 6 characters and contains 3 of the following: A-Z, a-z, digits, non-alphanumeric; does not contain the user's name or username.
Store passwords using reversible encryption: on the next password change the password is stored using reversible encryption.

Account Lockout Policy
Account lockout duration: number of minutes an account stays locked until it automatically unlocks.
Account lockout threshold: number of failed attempts before the user account is locked out. Default 0 (never locks out).
Reset account lockout counter after: minutes until the failed-logon counter is reset. Must be less than or equal to the account lockout duration if a lockout threshold is set.
Windows Server 2003 and above will check the previous passwords used by that user. If a failed attempt matches one of them, it will not lock out the account.
The built-in Administrator account will not be locked out. Windows uses a delay to protect the Administrator account from brute force attacks.

Fine-Grained Password Policy
Defines multiple password policies for different groups of users

Requires: Windows Server 2008 domain functional level or higher
Function: Password Settings Objects (PSOs) hold a set of password policy settings and are applied to users and groups

Example:
Set a longer minimum password length for a security group;
Set no lockout policy for service accounts.

When multiple PSOs (Password Settings Objects) apply to one user, the password settings precedence value defines the order:
1. the value must be 1 or greater
2. lower values have priority
3. with the same value, the PSO with the lowest GUID is used

Implement multiple password policy
1. Check the domain functional level
2. Go to Control Panel / Administrative Tools / ADSI Edit
3. Right click "ADSI Edit" and select "Connect to..."
4. Choose the domain and click "OK"
5. Go to domain / system / Password Settings Container
6. Right click "Password Settings Container" and click New / Object
7. Input the name of the PSO in "Value"
8. Input the number of password settings precedence, 1 or higher
9. Input "False" for "msDS-PasswordReversibleEncryptionEnabled"
10. Follow the wizard to input the remaining values.
Durations are entered as d:hh:mm:ss, for example
1 day: 1:00:00:00
30 mins: 0:00:30:00
11. Right click the object and click "Properties"
12. Add the user or group to the attribute "msDS-PSOAppliesTo"

Check the implement
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Click menu View / Advanced Features
3. Right click a user from the specific group, click Properties
4. Go to the "Attribute Editor" tab and click "Filter"
5. Tick "Constructed"
6. Check that the value of "msDS-ResultantPSO" is the PSO created above.
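The two PSOs from the example above (long passwords for a security group, no lockout for service accounts) created with the ActiveDirectory module of Windows Server 2008 R2 instead of ADSI Edit, as an added example that is not from the original notes. The group and account names SecureUsers, ServiceAccounts and svc.backup are constructed assumptions.

```powershell
# Added example (not from the original notes); requires the ActiveDirectory module (Server 2008 R2).
Import-Module ActiveDirectory

# PSO for the security group: long passwords, 5 failed attempts lock the account for 30 minutes.
# Precedence 10 beats the service-account PSO (20) if a user ever falls under both.
New-ADFineGrainedPasswordPolicy -Name 'PSO-SecureUsers' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# PSO for service accounts: no lockout (threshold 0), compensated by a 25-character minimum.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 25 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# Apply each PSO to its group (this writes msDS-PSOAppliesTo, step 12 in the notes).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-SecureUsers'     -Subjects 'SecureUsers'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'ServiceAccounts'

# Check which PSO wins for one account: the cmdlet reads the constructed msDS-ResultantPSO
# attribute, the same value the notes inspect in Attribute Editor. No output means the
# Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'svc.backup' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review all PSOs in precedence order to spot ties (ties are broken by the lowest GUID).
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, AppliesTo
```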

How to apply PSO to OU (Create shadow group which contains all users in the OU)
1. Go to Control Panel / Administrative Tools / Active Directory Users and Computers
2. Create one group in the specific OU
3. Find the script (ShadowGroupsDemo.vbs) in the attachment
4. Modify the following constants in the script
Const OULDAP = "LDAP://OU=[OUName],DC=[Domain],DC=[Ext]"
Const SGLDAP = "LDAP://CN=[GroupName],OU=[OptionalOU],DC=[Domain],DC=[Ext]"
5. Use Windows Task Scheduler to run the script automatically

Example:
Const OULDAP = "LDAP://OU=Washington,DC=ITFreeTraining,DC=Local"
Const SGLDAP = "LDAP://CN=SecureShadowGroup,OU=Washington, DC=ITFreeTraining, DC=Local"
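A PowerShell equivalent of the shadow group script, as an added example that is not from the original notes (the ShadowGroupsDemo.vbs attachment is not reproduced here). It makes the shadow group's user membership equal to the users in the OU, adding and removing as needed; the function name Sync-ShadowGroup is an assumption and the DNs in the call are the notes' own example values.

```powershell
# Added example (not from the original notes); requires the ActiveDirectory module (Server 2008 R2).
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory=$true)][string]$OuDn,     # OU whose users should be in the group
        [Parameter(Mandatory=$true)][string]$GroupDn   # the shadow group (must already exist, step 2)
    )
    # Desired members: every user object in the OU, including sub-OUs.
    $wanted = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
                ForEach-Object { $_.DistinguishedName })
    # Current members: only user objects are managed; nested groups or computers are left alone.
    $current = @(Get-ADGroupMember -Identity $GroupDn |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.DistinguishedName })

    # Users in the OU but not the group get added; users in the group but no longer in the OU get removed.
    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $GroupDn -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupDn -Members $toRemove -Confirm:$false }

    New-Object PSObject -Property @{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Values from the notes' example; schedule this script with Task Scheduler (step 5).
Sync-ShadowGroup -OuDn    'OU=Washington,DC=ITFreeTraining,DC=Local' `
                 -GroupDn 'CN=SecureShadowGroup,OU=Washington,DC=ITFreeTraining,DC=Local'
```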

Deny Domain Local Group
1. Go to Control Panel / Administrative Tools / Group Policy Management
2. Right click default group policy and click edit
3. Go to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment 
4. There are five "Deny ..." user rights
Example: to deny remote desktop access, configure the "Deny access to this computer from the network" policy
