
Microsoft Virtual Labs

Active Directory New User Interface


Table of Contents
Active Directory New User Interface
Exercise 1 User Management and Saved Queries
Exercise 2 Permissions User Interface
Exercise 3 Active Directory Management

Active Directory New User Interface



Objectives

After completing this lab, you will be able to:
Employ Queries as a tool for managing objects.
Manage permissions on Active Directory objects.
Prevent accidental deletion of domain controller computer objects.
Configure the caching of universal group membership per site so that Global Catalog (GC) servers are not needed when users log on.
Reset the Directory Services Restore Mode Administrator account password.
Use new command line tools to query, create, modify and delete users, groups and other objects in Active Directory.

Scenario

Windows Server 2003 Active Directory has improvements in such areas as performance, management and usability. Over the course of the next hour, we will step through some of the improvements to the user interface, both in the graphical user interface and the command line interface. We will see how easy it is to create, manage and manipulate Active Directory objects singly and in groups through Active Directory Users and Computers. We will see how the Saved Queries functionality both finds objects based on LDAP queries and allows us to manage those objects. We will see improvements in permissions management that apply not only to managing Active Directory objects, but also to NTFS file system and Registry permissions. Finally, we will look at the new way to protect domain controller computer objects, how to configure caching for universal group membership, and new command line tools that do everything from querying, creating, modifying and deleting objects to resetting the Directory Services Restore Mode password.

Estimated time to complete this lab: 60 minutes


Computers used in this lab: Paris

Exercise 1 User Management and Saved Queries


In this exercise, we will examine some of the new user interface improvements in the Active Directory management tools for creating, managing and manipulating Active Directory objects. We will also see how Saved Queries can be a powerful and dynamic tool for managing objects.

Tasks

Detailed steps

1. We will use the enhanced Active Directory Users and Computers snap-in to create an Organizational Unit for our Sales department and a new User for that department. Then we will drag and drop the user into the OU.

a. Click Start | Administrative Tools and click Active Directory Users and Computers.
b. In the Active Directory Users and Computers console, expand contoso.com.
c. Right-click contoso.com, point to New and click Organizational Unit.
d. In the New Object - Organizational Unit dialog box, type Sales OU and click OK.
e. Right-click contoso.com, point to New and click User.
f. In the New Object - User dialog box, type UserA in the First name and User logon name boxes.
g. Click Next.
h. In the next New Object - User dialog box, enter and confirm the password Password1.
i. Click Next.
Info: By default, Windows Server 2003 requires that passwords are complex when created, changed or reset.
j. In the final New Object - User dialog box, click Finish.
k. In the left pane, select contoso.com.
l. In the right pane, drag UserA to the Sales OU.
Info: Active Directory Users and Computers now supports drag-and-drop functionality for objects.
2. Now we will add a new User directly to the Organizational Unit where we want him. Then, using the extended functionality of Active Directory Users and Computers, we will see how certain Active Directory attributes can be modified for multiple objects at the same time. Further, if we accidentally modify attributes so that they conflict with each other, we are warned and can make the corrections right away.

a. Right-click Sales OU, point to New and click User.
b. In the New Object - User dialog box, type UserB in the First name and User logon name boxes.
c. Click Next.
d. In the next New Object - User dialog box, enter and confirm the password Password1.
e. Click to clear the User must change password at next logon check box.
f. Click Next.
g. In the final New Object - User dialog box, click Finish.
h. In the left pane, select Sales OU.
i. In the right pane, select UserA, hold down CTRL and click UserB.
j. Right-click the selected user accounts and click Properties.
Note: Active Directory Users and Computers now supports modifying common attributes of multiple users at one time.
k. In the Properties On Multiple Objects dialog box, click the Profile tab.
l. Click to select the Logon Script check box and type userlogon.vbs.
m. Click the Account tab.
n. In the Account options box, click to select the edit check box (the left-hand check box) for User cannot change password.
o. Click to select the User cannot change password check box (both check boxes next to User cannot change password should be selected).
Note: Only the attributes for which the edit check box is enabled will be updated on the selected user accounts.
p. Click OK to close the Properties On Multiple Objects dialog box.
Note: A dialog box appears, indicating that two conflicting options are set for UserA: User must change password at next logon (still set from task 1) and User cannot change password. The account options for UserB are already applied.
q. In the Active Directory dialog box, click Properties to change the settings for UserA.
r. In the UserA Properties dialog box, click the Account tab, clear User must change password at next logon, and click OK.
s. Click Close.
t. In the Properties On Multiple Objects dialog box, click OK to continue applying the changes to the selected user accounts.

Note: The Logon Script setting and the User cannot change password setting are applied to both UserA and UserB.
3. Now we will create a new global group in the Sales OU. This group is for our sales managers and we will examine the behavior of the object picker as we add our users to the group.

a. Right-click Sales OU, point to New, and click Group.
b. In the New Object - Group dialog box, type Sales Managers in the Group name box.
c. Ensure that the Group scope is set to Global and the Group type is set to Security and click OK.
d. Click Sales Managers to change the selection.
e. Right-click Sales Managers, and then click Properties.
f. In the Sales Managers Properties dialog box, click the Members tab and click Add.
Info: Active Directory Users and Computers has a new dialog box to select objects. The new dialog box is called the object picker.
g. In the Select Users, Contacts, or Computers object picker, type user and click Check Names.
Note: The object picker lists all user accounts whose name starts with "user".
h. In the Multiple Names Found dialog box, select UserA, hold down CTRL, click UserB and click OK.
i. Click OK to close the Select Users, Contacts, or Computers object picker.
j. Click OK to close the Sales Managers Properties dialog box.

4. Using the saved query feature, we will create a way to find and keep up-to-date listings of all disabled user accounts. We will also see that administrative tasks can be performed on the objects that we have found through our query.

a. In Active Directory Users and Computers, select Saved Queries.
b. Right-click Saved Queries, point to New, and click Folder.
c. In the New Folder text box, type User Management, and press Enter.
d. In the right pane, right-click User Management, point to New and click Query.
e. In the New Query dialog box, in the Name text box, type Disabled User Accounts, and click Define Query.
f. In the Find Common Queries dialog box, click to select the Disabled accounts check box and click OK.
g. Click OK to close the New Query dialog box.
Note: In the right pane, three disabled user accounts appear (Guest, krbtgt and SUPPORT_388945a0).
h. In the left pane, select Sales OU.
i. In the right pane, right-click UserA and click Disable Account.
j. Click OK to confirm that UserA has been disabled.
k. In the left pane, right-click Disabled User Accounts and click Refresh.
Note: UserA now appears in the disabled user accounts list.
l. In the right pane, right-click UserA and click Enable Account.
m. Click OK to confirm that UserA has been enabled.
n. Right-click Disabled User Accounts and click Refresh.
Note: UserA no longer appears in the disabled user accounts list.
o. In the left pane, right-click Sales OU and click Refresh.
Note: UserA is no longer displayed as disabled in the Sales OU.
5. Now we will modify the query string to manually create a new query that finds objects with the attributes defining them as users who have never been authenticated by this domain controller. We will also see that cut and paste functionality works throughout the interface.

a. In Active Directory Users and Computers, select Disabled User Accounts.
b. Right-click Disabled User Accounts and click Edit.
c. Right-click in the gray Query string text box and click Select All.
d. Right-click the selected query string and click Copy.
e. Click Cancel to close the Edit Query dialog box.
f. Right-click User Management, point to New and click Query.
g. In the New Query dialog box, in the Name text box, type Never Logged On and click Define Query.
h. In the Find Common Queries dialog box, in the Find list box, select Custom Search.
i. In the Find Custom Search dialog box, click the Advanced tab.
j. Right-click in the empty Enter LDAP query text box and click Paste.
k. Change the LDAP query text from:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
to:
(&(objectCategory=person)(objectClass=user)(logonCount=0))
l. Click OK.
Info: The original filter uses the matching rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) to test a single bit, 0x2 (ACCOUNTDISABLE), of the userAccountControl bit mask. A plain equality test such as (userAccountControl=2) would only match accounts whose entire value is 2, which is why the bitwise rule is needed.
Info: The logonCount attribute of a user indicates how many times the connected domain controller has authenticated the user's logon to the domain. This number is kept per domain controller and is not replicated, so the query only reflects logons seen by the domain controller the console is connected to; a user who has logged on against another domain controller still appears as never logged on. For a domain-wide view, the replicated lastLogonTimestamp attribute (available at the Windows Server 2003 domain functional level, updated only every 9 to 14 days) is more reliable. You can base the definition of a Saved Query on any LDAP query to the Active Directory.
Info: Notice in the gray Query string text box that Saved Queries adds an additional (& ... ) around the LDAP query text. This does not change the result of the query.
m. Click OK to close the New Query dialog box.
Info: The Saved Queries are stored in a file named dsa in the %userprofile%\Application Data\Microsoft\MMC folder. They are not stored in Active Directory.
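The two filters used in this task, evaluated offline. This is an added example written for this page, not code from the lab or from Microsoft: a small evaluator for the LDAP filter subset Saved Queries use (&, |, !, equality, presence, and the Active Directory bitwise matching rules 1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804), run against constructed records whose names mirror the lab accounts. The userAccountControl and logonCount values are assumptions chosen to make the results differ; real objectCategory values are distinguished names, which the records simplify to the class name.

```python
"""Evaluate a subset of RFC 4515 LDAP filters, including the Active Directory
bitwise matching rules, against constructed directory records (added example)."""

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
UF_ACCOUNTDISABLE = 0x0002           # userAccountControl bit set by "Disable Account"

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
# Constructed records (assumed values, not read from the lab domain).
ENTRIES = [
    {"cn": "Guest", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 66082, "logonCount": 0},   # 0x10222: disabled, no pwd required, never expires
    {"cn": "krbtgt", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 514, "logonCount": 0},     # 0x202: normal account, disabled
    {"cn": "UserA", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 514, "logonCount": 1},     # disabled as in step i, one earlier logon (assumed)
    {"cn": "UserB", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 512, "logonCount": 0},     # 0x200: enabled, never authenticated here
    {"cn": "PARIS", "objectCategory": "computer", "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": 532480, "logonCount": 0},  # 0x82000: DC account; objectClass also has "user"
    {"cn": "Sales Managers", "objectCategory": "group", "objectClass": ["top", "group"]},
]


def parse(text, pos=0):
    """Recursive-descent parser returning (node, next_pos). Nodes are
    ('&'|'|', [children]), ('!', child) or ('=', attr, rule_or_None, value)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return ("!", child), pos + 1
    end = text.index(")", pos)          # escaped ')' inside values is outside this subset
    lhs, _, value = text[pos:end].partition("=")
    attr, _, rule = lhs.partition(":")  # "attr:OID:=value" carries an extensible matching rule
    return ("=", attr, rule.rstrip(":") or None, value), end + 1


def _values(entry, attr):
    """Attribute lookup is case-insensitive; every attribute is treated as multi-valued."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _match(rule, stored, wanted):
    if rule == BIT_AND:
        return (int(stored) & int(wanted)) == int(wanted)
    if rule == BIT_OR:
        return (int(stored) & int(wanted)) != 0
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if wanted == "*":                   # presence filter
        return True
    return str(stored).lower() == wanted.lower()   # AD string matching is case-insensitive


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, wanted = node
    return any(_match(rule, v, wanted) for v in _values(entry, attr))


def search(filter_text, entries=ENTRIES):
    """Return the cn of every matching entry, sorted case-insensitively."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return sorted((e["cn"] for e in entries if evaluate(node, e)), key=str.lower)


DISABLED = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
NEVER_LOGGED_ON = "(&(objectCategory=person)(objectClass=user)(logonCount=0))"

if __name__ == "__main__":
    print(search(DISABLED))                  # ['Guest', 'krbtgt', 'UserA']
    print(search(NEVER_LOGGED_ON))           # ['Guest', 'krbtgt', 'UserB']
    print(search("(userAccountControl=2)"))  # []: equality cannot test one flag of a bit mask
```

The objectCategory=person clause matters: PARIS carries objectClass user as every computer account does, and only objectCategory keeps it out of both result sets. Wrapping a filter in the extra (& ... ) that Saved Queries adds leaves the result unchanged, as the Info above states.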
6. Now we will see the warning shown by Windows if we accidentally have Caps Lock enabled and try to enter or change a password in the password text box.

a. In Active Directory Users and Computers, select Sales OU, right-click UserA and click Reset Password.
b. In the Reset Password dialog box, press the Caps Lock key.
Info: The same warning message is displayed when users have the Caps Lock key on at the Windows logon dialog box.
c. Click Cancel to close the Reset Password dialog box.
d. Press the Caps Lock key to deactivate Caps Lock.


Exercise 2 Permissions User Interface


In this exercise, we will examine some of the new user interface improvements to manage permissions on Active Directory objects. Most of these improvements also apply to managing NTFS file system and Registry permissions.

Tasks

Detailed steps

1. By enabling Advanced Features in Active Directory Users and Computers, we are able to view and modify domain permissions.

a. In Active Directory Users and Computers, click View | Advanced Features.
Info: Advanced Features shows additional options in Active Directory Users and Computers, such as the Security tab with object permissions for each object.
b. In the left pane, right-click contoso.com and click Properties.
c. In the contoso.com Properties dialog box, click the Security tab.
Note: Scroll down the permissions list to see the new domain permissions, which can be used to implement delegation of administrative control of the domain. An example is the Reanimate Tombstones permission, which allows delegation of restoring deleted objects. Other new domain permissions for Windows Server 2003 include Create Inbound Forest Trust, Generate Resultant Set of Policy, Migrate SID History and Read/Write Domain Password & Lockout Policies.
d. Click Cancel to close the contoso.com Properties dialog box.
Info: All the features of the permissions user interface that are described in the next tasks are not only applicable to Active Directory objects, but also to NTFS files and folders, Registry keys and Registry entries.

2. We will create a new Organizational Unit and examine the default permissions for an object of this type in Active Directory.

a. In Active Directory Users and Computers, right-click contoso.com, point to New and click Organizational Unit.
b. In the New Object - Organizational Unit dialog box, type Perms OU and click OK.
c. Right-click Perms OU and click Properties.
d. In the Perms OU Properties dialog box, click the Security tab.
e. In the Permissions box, scroll to the bottom of the permissions list.
Info: The last entry in any permissions list is Special Permissions. This is not an actual permission. Instead, a check mark in the Allow or Deny column for Special Permissions indicates that the entire Access Control List (ACL) for this object could not be expressed with just the permissions listed on the Security tab. You can click the Advanced button to see the entire list of permissions on the ACL of the object.
f. Click Advanced.
g. Scroll down the Permission entries list so that the Administrators group is displayed in the middle of the list box (about 10 entries down).
Info: Notice the new Inherited From column. For each Access Control Entry (ACE) this column indicates whether the permission is applied directly (<not inherited>) or inherited from a higher OU (or NTFS folder, or Registry key). The Default button can be used to reapply the default permissions for this object type, taken from the defaultSecurityDescriptor of its class in the Schema. This is not applicable to NTFS permissions or Registry permissions.


3. Using the built-in graphical user interface, it is easy to change the owner of the Perms OU to the Enterprise Admins group.

a. In the Advanced Security Settings for Perms OU dialog box, click the Owner tab.
Info: Notice that you can take or assign ownership of this object. Although this was also possible in Windows 2000 Server, assigning ownership to other users was highly unusual.
b. Click Other Users or Groups.
c. In the Select User, Computer, or Group object picker, type Enterprise Admins and click OK.
d. In the Change owner to list box, ensure that Enterprise Admins is selected, and click Apply.
Info: You can only assign ownership of an object to another principal if you hold the Restore files and directories user right (SeRestorePrivilege). Even the Full Control permission on the object is not sufficient; Full Control only lets you take ownership yourself.

4. It is also easy to see the effective permissions on Active Directory objects. Here we will examine the effective permissions on the Perms OU for the Account Operators group, the Administrators group and the Administrator account.

a. In the Advanced Security Settings for Perms OU dialog box, click the Effective Permissions tab.
Info: The Effective Permissions for an object can be calculated for any user or group.
b. Click Select.
c. In the Select User, Computer, or Group object picker, type Account Operators and click OK.
Note: Scroll down the Effective permissions list to see that members of the Account Operators group only have create/delete permissions for computer, group, inetOrgPerson and user objects.
d. Click Select.
e. In the Select User, Computer, or Group object picker, type Administrators and click OK.
Note: Members of the Administrators group have almost all the permissions on the Perms OU.
f. Click Select.
g. In the Select User, Computer, or Group object picker, type Administrator and click OK.
h. In the Multiple Names Found dialog box, ensure that Administrator is selected and click OK.
Note: The Administrator has Full Control permission on the Perms OU.
Info: Determining the effective permissions does not take everything into account. Logon-specific information, such as membership in the Interactive, Network or Service group, and the effect of share permissions in the case of effective permissions on files and folders are not considered. A real logon can therefore end up with either more or less access than the tab shows, depending on whether ACEs for those logon-type groups allow or deny.
i. Click Cancel to close the Advanced Security Settings for Perms OU dialog box.
j. Click Cancel to close the Perms OU Properties dialog box.
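The effective permissions calculation from the Info above, as an added example written for this page (not lab code and not Microsoft's implementation): a Python model of the Windows access check walked over a canonically ordered DACL. The rights constants are the real ADS_RIGHTS_ENUM and standard-rights values from the Windows SDK and the well-known SIDs are real; the DACL itself, the domain SIDs S-1-5-21-1-2-3-* and the Deny ACE on NETWORK are assumptions constructed to show why a tab that never adds logon-type SIDs can report more access than a network logon actually receives.

```python
"""Windows-style access check and effective permissions over a DACL (added example).
The DACL, domain SIDs and the Deny on NETWORK are constructed, not read from Perms OU."""

# Access-mask bits that apply to directory objects (real SDK values).
DS_CREATE_CHILD = 0x00001
DS_DELETE_CHILD = 0x00002
DS_LIST = 0x00004
DS_READ_PROP = 0x00010
DS_WRITE_PROP = 0x00020
DELETE = 0x10000
READ_CONTROL = 0x20000
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
NAMES = {
    DS_CREATE_CHILD: "DS_CREATE_CHILD", DS_DELETE_CHILD: "DS_DELETE_CHILD",
    DS_LIST: "DS_LIST", DS_READ_PROP: "DS_READ_PROP", DS_WRITE_PROP: "DS_WRITE_PROP",
    DELETE: "DELETE", READ_CONTROL: "READ_CONTROL", WRITE_DAC: "WRITE_DAC",
    WRITE_OWNER: "WRITE_OWNER",
}
ALL_BITS = sum(NAMES)

# Well-known SIDs (real) plus assumed SIDs for the lab's domain accounts.
NETWORK = "S-1-5-2"
INTERACTIVE = "S-1-5-4"
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
ACCOUNT_OPERATORS = "S-1-5-32-548"
DOMAIN_USERS = "S-1-5-21-1-2-3-513"   # assumed domain SID, well-known RID 513
USERA = "S-1-5-21-1-2-3-1105"         # assumed RID

# Constructed DACL for "Perms OU" in canonical order: explicit Deny ACEs before
# explicit Allow ACEs. Object-type-specific ACEs are out of scope for this model.
PERMS_OU_DACL = [
    ("deny", NETWORK, DS_WRITE_PROP),                                  # hypothetical ACE
    ("allow", ADMINISTRATORS, ALL_BITS & ~WRITE_OWNER),                # "almost all"
    ("allow", ACCOUNT_OPERATORS,
     DS_CREATE_CHILD | DS_DELETE_CHILD | DS_READ_PROP | DS_WRITE_PROP),
    ("allow", AUTHENTICATED_USERS, DS_LIST | DS_READ_PROP | READ_CONTROL),
]


def access_check(dacl, token_sids, desired):
    """Grant `desired` only if the ordered ACE walk satisfies every bit.
    A Deny ACE whose mask overlaps any bit still wanted fails the check at
    once; Allow ACEs strip bits until nothing remains."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and remaining & mask:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def effective_permissions(dacl, token_sids):
    """Union of every single right the access check would grant on its own;
    this is what the Effective Permissions tab computes for the selected principal."""
    granted = 0
    for bit in NAMES:
        if access_check(dacl, token_sids, bit):
            granted |= bit
    return granted


def describe(mask):
    return sorted(name for bit, name in NAMES.items() if mask & bit)


# What the tab works from: the user's SID and the group SIDs stored in the
# directory (Authenticated Users assumed). A real network logon also carries the
# NETWORK logon-type SID, which the tab never adds to its calculation.
TAB_VIEW = frozenset({USERA, DOMAIN_USERS, ACCOUNT_OPERATORS, AUTHENTICATED_USERS})
NETWORK_LOGON = TAB_VIEW | {NETWORK}

if __name__ == "__main__":
    print("tab view:     ", describe(effective_permissions(PERMS_OU_DACL, TAB_VIEW)))
    print("network logon:", describe(effective_permissions(PERMS_OU_DACL, NETWORK_LOGON)))
```

With the constructed DACL the tab reports DS_WRITE_PROP for a member of Account Operators, while the same member connecting over the network loses it to the Deny on NETWORK; an Allow ACE on INTERACTIVE would move the error in the other direction. The check is also sensitive to ACE order, which is why the Security tab always writes ACLs in canonical order.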



Exercise 3 Active Directory Management


In this exercise, we will explore several improvements for managing Active Directory. These improvements include:
The options preventing accidental deletion of domain controller computer objects
The process for configuring the caching of universal group membership per site so that Global Catalog (GC) servers are not needed when users log on
The process for resetting the Directory Services Restore Mode Administrator account password
New command line tools to query, create, modify and delete users, groups and other objects in Active Directory

Tasks

Detailed steps

1. We will create a new domain controller computer object in Active Directory and examine the options for modifying it without deleting it. Then we will look at the actual process for deleting the object.

a. In Active Directory Users and Computers, right-click Domain Controllers, point to New and click Computer.
b. In the New Object - Computer dialog box, type DALLAS in the Computer name box.
c. Click to select the Assign this computer account as a backup domain controller check box and click Next.
d. In the Managed dialog box, click Next.
e. Click Finish.
f. In the left pane, select Domain Controllers.
g. In the right pane, right-click DALLAS and click Properties.
Note: The role of this computer account is set to Domain controller.
h. Click Cancel.
Note: Although a physical computer is not associated with the DALLAS computer account, Active Directory considers the account to represent a true replica domain controller when attempting to remove the account in the next steps.
i. Right-click DALLAS and click Delete.
j. Click Yes to confirm that you want to delete this object.
Info: The Deleting Domain Controller dialog box appears. You can choose from three possible reasons for deleting the computer account. Only the third option actually deletes the account. The first two options are not valid reasons for deleting the account.
k. In the Deleting Domain Controller dialog box, click to select the I want to restart Active Directory replication for this domain controller radio button and click Delete.
l. Click OK to confirm that deleting the computer account is not required to manage Active Directory replication.
Note: The DALLAS computer account is not deleted.
m. Right-click DALLAS and click Delete.
n. Click Yes to confirm that you want to delete this object.
o. In the Deleting Domain Controller dialog box, click to select the This domain controller is permanently offline radio button and click Delete.
p. Minimize Active Directory Users and Computers.
Info: Normally, you must delete the associated Server object in Active Directory Sites and Services as well. For a real domain controller that can no longer be demoted with dcpromo, also remove its replication metadata with the ntdsutil metadata cleanup command, otherwise the other domain controllers keep trying to replicate with it.
2. We will create a new site and configure that site to cache universal group membership so that a Global Catalog will not be required for logon in that site.

a. Click Start | Administrative Tools and click Active Directory Sites and Services.
b. In Active Directory Sites and Services, expand Sites, right-click Sites and click New | Site.
c. In the New Object - Site dialog box, type Office-Houston in the Name text box, select DEFAULTIPSITELINK and click OK.
d. Click OK to confirm the steps needed to finish configuration of the Office-Houston site.
Info: In order to make the site less dependent on the availability of a Global Catalog (GC) server when users log on, you can configure the site to cache the universal group membership data that is normally only kept on the GC.
e. In the left pane, ensure that Office-Houston is selected.
f. In the right pane, right-click NTDS Site Settings and click Properties.
g. In the NTDS Site Settings Properties dialog box, click to select the Enable Universal Group Membership Caching check box.
h. Select Default-First-Site-Name from the Refresh cache from drop-down box and click OK.
Note: The domain controllers in the Office-Houston site will cache the universal group membership data per user account. A GC is still contacted the first time a user logs on in the site, to populate the cache; later logons use the cached data, which is refreshed from a GC in the selected site every 8 hours by default. Because the cache lags, removing a user from a universal group (for example a group that grants access to a resource) may not take effect in this site until the next refresh.
i. Close Active Directory Sites and Services.

3. With the powerful Ntdsutil.exe command, we can perform many actions on the Active Directory. Here, we will use it to reset the Directory Services Restore Mode (DSRM) Administrator password on Paris.

a. Click Start | Command Prompt.
b. Type ntdsutil.exe and press Enter.
c. At the ntdsutil: prompt, type help and press Enter.
Info: Ntdsutil shows the list of available commands.
d. Type set dsrm password and press Enter.
Info: This password belongs to the local Administrator account in the domain controller's offline SAM, not to the domain Administrator account. It is used to log on to the domain controller in Directory Services Restore Mode (DSRM) or to log on when using the Recovery Console. The password is initially set when the Active Directory Installation Wizard (dcpromo.exe) is run, and it is not changed when the domain Administrator password is changed.
e. At the Reset DSRM Administrator Password: prompt, type reset password on server Paris and press Enter.
f. At the Please type password for DS Restore Mode Administrator Account: prompt, type password and press Enter.
g. At the Please confirm new password: prompt, type password and press Enter.
Note: Ntdsutil fails to set the password. The DSRM password must meet complexity requirements.
h. At the Reset DSRM Administrator Password: prompt, type reset password on server Paris again and press Enter.
i. At the Please type password for DS Restore Mode Administrator Account: prompt, type Password1 and press Enter.
j. At the Please confirm new password: prompt, type Password1 and press Enter.
Note: Because this password meets the password complexity requirements, Ntdsutil successfully sets the DSRM password.
k. At the Reset DSRM Administrator Password: prompt, type quit and press Enter.
l. At the ntdsutil: prompt, type quit and press Enter.

4. We will use the dsquery and dsget commands to display information about users and computers in Active Directory.

a. At the Command Prompt, type cd \ and press Enter.
b. Type dsquery user and press Enter.
Info: The dsquery command finds and displays users or other objects in Active Directory.
c. Type (on one line) dsget user cn=Administrator,cn=Users,dc=contoso,dc=com -memberof and press Enter.
Note: The dsget command displays properties of users or other objects. In this example, it displays the 6 groups that explicitly list the Administrator as member.
d. Press the Up Arrow key to recall the previous command. At the end of the line, type a space and -expand and press Enter.
Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.
e. Type dsquery user | dsget user -samid -sid and press Enter.
Info: The output of the dsquery command can be used as input for the dsget command by using a pipe ( | ). In this example, the SAM account name and the security ID (SID) of each user is displayed.
f. Type dsquery server and press Enter.
Info: The dsquery server command displays all domain controllers.
g. Type dsquery server -o rdn -hasfsmo pdc and press Enter.
Info: The command displays the relative distinguished name (rdn) of the domain controller that currently is the PDC operations master. (FSMO is another term for operations master.) Other operations masters can be found by using the parameter schema, name, infr, or rid.
h. Type dsquery server | dsget server -dnsname -site -isgc and press Enter.
Info: The command displays the DNS host name, the site name, and whether the server is a Global Catalog (GC) server for each domain controller.

5. Earlier, we used Active Directory Users and Computers to create and modify an OU and user. Here we will use the dsadd and dsmod commands to add and modify an organizational unit and user in Active Directory.

a. At the Command Prompt, type dsadd ou ou=GuestOU,dc=contoso,dc=com and press Enter.
Info: The dsadd command adds organizational units (OU), users or other objects to Active Directory.
b. Type dsadd user cn=Greg,ou=GuestOU,dc=contoso,dc=com and press Enter.
c. Type dsquery user -name Greg | dsget user -dn -disabled and press Enter.
Note: The new user account is still disabled. dsadd user creates a disabled account unless you supply both a password and -disabled no (for example dsadd user <DN> -pwd <password> -disabled no).
d. Type dsmod user cn=Greg,ou=GuestOU,dc=contoso,dc=com -pwd Password2 and press Enter.
Info: The dsmod command modifies existing objects. Setting a password does not by itself enable the account; dsmod user <DN> -disabled no does that.
6. We can also set limits on the number of objects a particular user can create in Active Directory. With the dsadd command, we will assign a quota to the user we created above, view that quota and then remove it through Active Directory Users and Computers.

a. At the Command Prompt, type dsadd quota -part dc=contoso,dc=com -acct contoso\Greg -qlimit 25 -desc "Max 25" and press Enter.
Info: The dsadd quota command defines the maximum number of objects that a user can create or own in a partition. Quotas limit how many objects a delegated account can create before it fills the directory; members of Domain Admins and Enterprise Admins are exempt from them.
b. Type dsget partition dc=contoso,dc=com -dn -qtmbstnwt and press Enter.
Info: The qtmbstnwt value (quota tombstone weight) specifies the percentage weight given to a deleted object (tombstone) for the partition. For example, if the value is set to 50 (or 50%) and Greg owns 10 deleted objects, then he can create 20 additional objects to reach his maximum quota of 25. The default value is 100 (or 100%).
c. Restore the minimized Active Directory Users and Computers window.
d. In the left pane, select NTDS Quotas.
Note: In the right pane, the CONTOSO_Greg object represents the quota specification for the user Greg. Note that you cannot change the quota specification through the graphical user interface of the console.
e. Right-click CONTOSO_Greg, and click Delete.
f. Click Yes to confirm that you want to delete the object.
g. Close the Active Directory Users and Computers console.

7. We will now use the dsrm command to remove the newly created organizational unit.

a. At the Command Prompt, type dsrm ou=GuestOU,dc=contoso,dc=com -subtree and press Enter.
b. At the prompt, type Y to confirm that you wish to delete GuestOU and press Enter.
Info: The dsrm command removes objects from Active Directory. In this example, the -subtree parameter causes all the objects in the container to be deleted as well, after a single confirmation for the whole subtree. The dsrm command is unrelated to Directory Services Restore Mode (DSRM).

8. We will use the dsquery * command, which displays information about objects in Active Directory by using an LDAP query, to display information about the Administrator and then about the isMemberOfPartialAttributeSet attribute, which defines the information that replicates to Global Catalog servers.

a. At the Command Prompt, type dsquery * -filter (cn=Administrator) -attr * and press Enter.
Info: The dsquery * command can use any LDAP query to display information of objects in Active Directory. In this example all attributes of the Administrator account are displayed.
b. Type dsquery * -filter (dc=contoso) -attr * and press Enter.
Note: This example displays all attributes of the contoso.com domain object.
c. Type (on one line) dsquery * cn=Schema,cn=Configuration,dc=contoso,dc=com -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -limit 0 -attr name and press Enter.
Note: This complex example displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers. The -limit 0 parameter removes the default cap of 100 results. (If the command displays no attributes, ensure that you typed TRUE in capital letters: Boolean values in LDAP filters must be written as TRUE or FALSE.)
d. Close Command Prompt.
