Administrators’ Idol: Windows and Active Directory Best Practices
Dan Holme, Director of Training & Consulting, Intelliem
SESSION CODE: WSV301
Dan Holme, Consultant & Trainer at Intelliem
www.intelliem.com
Fortune-caliber business, academic & government clients
Microsoft Technologies Consultant, NBC Olympics
Contributing Editor, Windows IT Pro magazine, SharePoint Pro Connections magazine
www.SharePointProConnections.com
Author: Microsoft Press
MVP: Directory Services (2007), SharePoint Server (2008-2010)
[email protected]
http://www.intelliem.com/resourcekit
Fire Hose “On”
Goals of session
Cover tips, tricks & traps, best practices
Show you things you may never have been told and might never find out about anywhere else
Demonstrate (and give you) valuable scripts & tools
Very important resources
http://www.intelliem.com/resourcekit
Enhanced slides with details & step-by-steps
Scripts and tools!
Windows Administration Resource Kit
Role-Based Management
Questions: “What can Joe get to?” and “Who has access to the budget?”
Answers: “Umm….”
demo & best practices
Role-Based Management: Role Groups and Rule Groups
[Diagram: Identity -> Role Group (identity management) -> Rule Group (access management) -> Resource]
Role-Based Management: Windows Group Scopes
[Diagram: Identity -> Role Group (Global) -> Rule Group (Domain Local) -> Resource]
Role-Based Management: Users -> Role -> Rule -> Resource
MaxTokenSize, long story short
More than roughly 200-300 groups and you’re in trouble
You can work around it: deploy a larger MaxTokenSize throughout the forest
1024 is the hard limit: an access token holds at most 1024 SIDs, so no MaxTokenSize (the Kerberos buffer size, in bytes) gets you past that
Double-rule your resources
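An added example (not a script from the session or the Resource Kit) that estimates a user's Kerberos token size with the formula Microsoft documents in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain local groups plus universal groups from other domains and s counts global groups, universal groups from the account domain and sIDHistory entries. It reads the constructed tokenGroups attribute, so nested membership is included. The user name is an assumption; the script must run on a domain-joined machine with read access to the user and groups.

```powershell
# Added example: estimate a user's Kerberos token size (KB 327825 formula).
# TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from outside the account domain
#   s = global groups + universal groups from the account domain + sIDHistory entries
# Assumes a domain-joined machine; 'jsmith' is an assumed sAMAccountName.

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User not found: $SamAccountName" }

    $user = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute: transitive membership, as SIDs
    $user.RefreshCache([string[]]@('tokenGroups', 'sIDHistory'))
    $userSid = New-Object System.Security.Principal.SecurityIdentifier($user.Properties['objectSid'][0], 0)
    $userDomainSid = $userSid.AccountDomainSid

    $d = 0
    $s = [int]$user.Properties['sIDHistory'].Count
    foreach ($bytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $group = ([ADSISearcher]"(objectSid=$sid)").FindOne()
        if ($null -eq $group) { $d++; continue }      # unresolvable (foreign) group: count it the expensive way
        $groupType     = [int]$group.Properties['grouptype'][0]
        $isDomainLocal = ($groupType -band 0x4) -ne 0
        $isUniversal   = ($groupType -band 0x8) -ne 0
        $sameDomain    = $sid.AccountDomainSid -eq $userDomainSid
        if ($isDomainLocal -or ($isUniversal -and -not $sameDomain)) { $d++ } else { $s++ }
    }

    $estimate = 1200 + 40 * $d + 8 * $s
    $maxTokenSize = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $maxTokenSize) { $maxTokenSize = 12000 }   # default on Windows 7 / Server 2008 R2 when the value is absent

    [pscustomobject]@{
        User                          = $SamAccountName
        DomainLocalOrForeignUniversal = $d
        GlobalOrLocalUniversal        = $s
        EstimatedBytes                = $estimate
        MaxTokenSize                  = $maxTokenSize
        AtRisk                        = $estimate -gt $maxTokenSize
    }
}

Get-EstimatedTokenSize -SamAccountName 'jsmith'
```

The estimate is deliberately pessimistic: a group SID that cannot be resolved in the current domain is charged the 40-byte rate. Run it against your heaviest "double-ruled" users before you decide whether a larger MaxTokenSize is needed at all.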
Migration to RBM
Design your managed framework
Draw a line in the sand: from now on, managed
Back-fill the management over time
Define Group Naming Conventions
Naming conventions
Role groups: simple, unique name, such as Sales or Consultants
Management groups: for example, ACL_Sales Folders_Read
Prefix: management purpose of the group, such as ACL
Resource identifier: what is managed, such as Sales Folders
Suffix: access level, such as Read
Delimiter: separates name components, such as underscore (_)
Best Practices for Group Documentation
Why document groups?
Easier to find them when you need them
Easier to understand how and when to use a group
Establish and adhere to a strict naming convention
Prefix, for example, helps distinguish APP_Budget from ACL_Budget_Edit
Prefix helps you find the group in the Select dialog box
Summarize a group's purpose with its description (appears in the Active Directory Users and Computers details pane)
Detail a group's purpose in its Notes field (the info attribute)
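An added example (not from the session) that turns the naming convention and the documentation rules above into an audit: a pure parser that splits a group name into prefix, resource identifier and suffix and flags names that break the convention, plus a report over an OU that also flags groups with an empty description or Notes (info) field. The prefix and suffix lists and the OU are assumptions; the report needs the ActiveDirectory module (RSAT).

```powershell
# Added example: audit group names against Prefix_Resource_Suffix and check documentation.
$KnownPrefixes  = 'ACL', 'APP', 'SYS', 'COMP'    # assumption: the prefixes your convention allows
$AccessSuffixes = 'Read', 'Edit', 'Admins'       # assumption: access levels used on ACL_ groups

function Test-GroupName {
    param([Parameter(Mandatory)][string]$Name)
    # Role groups carry no delimiter at all ("Sales", "Consultants")
    $r = [ordered]@{ Name = $Name; Kind = 'Role'; Prefix = $null; Resource = $Name; Suffix = $null; Problem = $null }
    if ($Name -match '_') {
        $parts = $Name -split '_'
        $r.Kind = 'Management'
        $r.Prefix = $parts[0]
        if ($parts.Count -ge 3) {
            $r.Resource = $parts[1..($parts.Count - 2)] -join '_'   # resource may itself contain the delimiter
            $r.Suffix   = $parts[-1]
        } else {
            $r.Resource = $parts[1]                                 # e.g. APP_Budget: no access-level suffix
        }
        if ($r.Prefix -cnotin $KnownPrefixes) {
            $r.Problem = "unknown prefix '$($r.Prefix)'"
        } elseif ($r.Prefix -eq 'ACL' -and $r.Suffix -notin $AccessSuffixes) {
            $r.Problem = "ACL group needs an access-level suffix, got '$($r.Suffix)'"
        }
    }
    $r.Valid = -not $r.Problem
    [pscustomobject]$r
}

function Get-GroupDocumentationReport {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Groups,DC=contoso,DC=com' (assumption)
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties description, info | ForEach-Object {
        $n = Test-GroupName -Name $_.Name
        [pscustomobject]@{
            Name               = $_.Name
            Kind               = $n.Kind
            NameProblem        = $n.Problem
            MissingDescription = [string]::IsNullOrWhiteSpace($_.description)
            MissingNotes       = [string]::IsNullOrWhiteSpace($_.info)
        }
    } | Where-Object { $_.NameProblem -or $_.MissingDescription -or $_.MissingNotes }
}

# Constructed sample names for a dry run of the parser (no directory needed)
'Sales', 'ACL_Sales Folders_Read', 'APP_Budget', 'ACL_Budget_Edit', 'SYS_NYC_Clients_Admins', 'Budget_Readers' |
    ForEach-Object { Test-GroupName -Name $_ } | Format-Table Name, Kind, Prefix, Resource, Suffix, Valid, Problem -AutoSize
```

Of the sample names, only Budget_Readers is flagged (unknown prefix); the rest parse cleanly. Run Get-GroupDocumentationReport against the Groups OU to list everything that would not survive the "line in the sand".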
Copy Group Membership
Copy members from one group to another:
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr
Copy memberships of one user to another:
dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"
Both pipelines use direct membership only (no -expand): expanding would flatten nested groups into direct members of the target and break the role/rule structure.
Delegate Membership Management with Managed By
The Managed By tab serves two purposes:
Provide contact information for who manages the group
Allow the specified user (or group) to modify group membership if Manager Can Update Membership List is selected
Tips
Must click OK (not just Apply) to change the ACL on the group
To set a group in the Name box, click Change, then click Object Types, and then click Groups
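An added example (not from the session) doing from PowerShell what the Managed By tab does: set managedBy, and grant the equivalent of "Manager can update membership list", which is an ACE allowing Write Property on the group's member attribute (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2) for the manager. A second function verifies the ACE is there, which is the check to run when someone clicked Apply instead of OK. Group and manager names are assumptions; requires the ActiveDirectory module, which also provides the AD: drive.

```powershell
# Added example: set a group's manager and grant/verify the "update membership" ACE.
Import-Module ActiveDirectory

$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the member attribute

function Set-GroupManager {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$ManagerSamAccountName,   # a user or a group
        [switch]$CanUpdateMembership
    )
    $manager = Get-ADObject -LDAPFilter "(sAMAccountName=$ManagerSamAccountName)" -Properties objectSid
    if (-not $manager) { throw "Manager not found: $ManagerSamAccountName" }

    Set-ADGroup -Identity $GroupDN -ManagedBy $manager.DistinguishedName   # the contact-information half

    if ($CanUpdateMembership) {                                             # the ACL half
        $acl = Get-Acl -Path "AD:\$GroupDN"
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $manager.objectSid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $MemberAttributeGuid)
        $acl.AddAccessRule($ace)
        Set-Acl -Path "AD:\$GroupDN" -AclObject $acl
    }
}

function Test-GroupManagerCanUpdateMembership {
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$ManagerSamAccountName)
    $manager = Get-ADObject -LDAPFilter "(sAMAccountName=$ManagerSamAccountName)" -Properties objectSid
    $acl = Get-Acl -Path "AD:\$GroupDN"
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $manager.objectSid -and
        $_.ObjectType -eq $MemberAttributeGuid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
    [bool]$hit
}

$group = 'CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com'   # assumption
Set-GroupManager -GroupDN $group -ManagerSamAccountName 'SalesManagers' -CanUpdateMembership
Test-GroupManagerCanUpdateMembership -GroupDN $group -ManagerSamAccountName 'SalesManagers'
```

Granting the right to a group (SalesManagers) rather than a person keeps this within the role-based model: change who manages the group by changing that group's membership, not by touching ACLs again.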
System Administration
Implementation: local Administrators group
Process
Define scopes of computers
Create (global or domain local) role groups defining scopes of administration, e.g. SYS_NYC_Clients_Admins, SYS_FileServer_Admins
Create rules defining the computers in each scope:
OUs: OU=NYC,OU=Clients,DC=contoso…, OU=File,OU=Servers,DC=contoso…
or (global) rule groups: COMP_NYC_Clients, COMP_Servers_File
Group Policy Restricted Groups (the Member Of version, which is cumulative); filter the GPO by the rule groups
User-as-Administrator
Make it manageable
Process
Create a (domain local) rule group for each computer: SERVER05_Admin, LAPTOP12_Admin
Add the computer's admin group to its local Administrators group, one-time (e.g. in the image) or with a startup script
Note
Do not nest support staff using this method in large environments (MaxTokenSize)
Double-rule: use the process on the previous slide
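An added example (not from the session or the Resource Kit) of the startup-script variant: it adds the per-computer rule group (COMPUTERNAME_Admin) to the local Administrators group, idempotently, so it can run at every boot under a GPO startup script as SYSTEM. The NetBIOS domain name and the log path are assumptions. The domain group must already exist: a computer account cannot create it, and the script logs and exits non-zero if it is missing.

```powershell
# Added example: GPO startup script that keeps <COMPUTERNAME>_Admin in the local Administrators group.
param([string]$DomainNetbios = 'CONTOSO')   # assumption: your domain's NetBIOS name

$groupName  = "$env:COMPUTERNAME`_Admin"
$groupPath  = "WinNT://$DomainNetbios/$groupName,group"
$localAdmin = [ADSI]'WinNT://./Administrators,group'
$log        = "$env:SystemRoot\Temp\LocalAdminGroup.log"   # assumption: where to record what happened

function Get-LocalGroupMemberPaths([System.DirectoryServices.DirectoryEntry]$Group) {
    # Each member comes back as a COM object; ADsPath is "WinNT://DOMAIN/Name"
    @($Group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

try {
    $members = Get-LocalGroupMemberPaths $localAdmin
    if ($members -contains "WinNT://$DomainNetbios/$groupName") {
        Add-Content -Path $log -Value "$(Get-Date -Format s) $groupName already present"
        return
    }
    # Bind to the domain group first so a missing group fails here, with a clear message
    $null = ([ADSI]$groupPath).Name
    $localAdmin.Add($groupPath)
    Add-Content -Path $log -Value "$(Get-Date -Format s) added $groupName"
} catch {
    Add-Content -Path $log -Value "$(Get-Date -Format s) FAILED adding $groupName : $($_.Exception.Message)"
    exit 1
}
```

Because the script never removes anyone, pair it with the Restricted Groups (Member Of) policy for the scope-level SYS_ groups; the per-computer group is the one thing that cannot be expressed in a single GPO, which is why it needs this script or the image.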
Get Domain Admins out of clients’ Administrators group
Consider the Administrator account: no more generic passwords!
Why do you need local Administrator logon?
Admin credentials when the domain is not accessible; physical, interactive logon only
In the enterprise: never (remove the disk and mount it on a functioning system)
On the road: possibly, if users are not administrators of their own laptops
Solutions
Disabled account: log on in Safe Mode to enable it
Random password: if the system cannot connect to the domain, yank out the disk or reimage (non-destructive)
Password check-out: the password is stored securely, retrieved by IT support, then automatically changed (see Steve Riley’s book, or tools like Lieberman)
Unique password based on a system characteristic: something on the computer’s “label”, something in BIOS (serial number, asset tag), plus a unique or random piece that can be retrieved by IT; changed after use
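An added example (not from the session) of the "unique password based on a system characteristic" option, with the caveat the slide implies: the serial number is printed on the case, so it must never be the whole password. Here the "piece IT can retrieve" is an HMAC-SHA256 of the BIOS serial under a secret IT holds, so support can recompute the password from the label without any store on the client, and the account is set disabled so it is enabled only from Safe Mode when needed. The secret, account name and password length are assumptions; if the secret ever leaks, every derived password is exposed, so rotate it and re-run, and change the password after each use as the slide says.

```powershell
# Added example: derive a per-machine local Administrator password from BIOS serial + IT secret,
# set it, and leave the account disabled. Run elevated on the client at build time.

function Get-DerivedLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$Serial,
        [Parameter(Mandatory)][byte[]]$Secret,   # held by IT; supplied out of band, never stored on the client
        [int]$Length = 20
    )
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Secret)
    $data = [System.Text.Encoding]::UTF8.GetBytes($Serial.Trim().ToUpperInvariant())
    # Iterate the HMAC until the Base64 prefix has upper, lower and digit, so it passes
    # the default complexity policy; the loop is deterministic, so IT gets the same answer.
    do {
        $data = $hmac.ComputeHash($data)
        $candidate = [Convert]::ToBase64String($data).Substring(0, $Length)
    } until (($candidate -cmatch '[A-Z]') -and ($candidate -cmatch '[a-z]') -and ($candidate -match '[0-9]'))
    $candidate
}

function Set-LocalAdministrator {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = 'Administrator',   # pass the renamed name if Group Policy renamed it
        [switch]$Enable
    )
    $account = [ADSI]"WinNT://./$AccountName,user"
    $account.SetPassword($Password)
    $account.InvokeSet('AccountDisabled', (-not $Enable))
    $account.SetInfo()
}

# Usage at build time (constructed values)
$serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
$secret = [System.Text.Encoding]::UTF8.GetBytes('replace-with-a-long-random-IT-secret')   # assumption
$pw = Get-DerivedLocalAdminPassword -Serial $serial -Secret $secret
Set-LocalAdministrator -Password $pw            # disabled by default; -Enable only when a break-glass logon is needed
```

This is a stop-gap for the "on the road" case; in the enterprise the slide's answer is still "never": pull the disk. A check-out tool that issues a random password and rotates it after use removes the shared secret entirely and is the better end state.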
Computer object management
Windows’ default computer management is highly over-delegated and not least privilege
Redirect the default computer container to an OU with appropriate delegation & configuration:
redircmp "DN of OU for new computer objects"
Remove the default “any user can join 10 computers” (ms-DS-MachineAccountQuota): Computers_SetQuota.vbs
Delegate creation of computer objects: computerou_delegate_create.bat "DN of OU" "Domain\group"
Delegate joining computers to the domain: computerou_delegate_join.bat "DN of OU" "Domain\group"
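An added PowerShell example (not the Resource Kit's .vbs/.bat scripts, which do the same work) for the four steps above: zero ms-DS-MachineAccountQuota, run redircmp, delegate "create computer objects" on the OU, and delegate "join" on computer objects in the OU. The join delegation is the standard set of rights: the Reset Password control-access right, Write Property on the Account Restrictions property set, and the validated writes to DNS host name and SPN; the GUIDs are the well-known schema and control-access-right identifiers. The OU and group names are assumptions; requires the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example: lock down default computer joins and delegate create/join on a staging OU.
Import-Module ActiveDirectory

$G = @{
    ComputerClass       = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
    ResetPassword       = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right
    AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set
    ValidatedDnsHost    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write
    ValidatedSpn        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write
}

function New-ADAce($Sid, [string]$Right, [guid]$ObjectType, [string]$Inheritance, [guid]$InheritedType = [guid]::Empty) {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]$Right
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    if ($InheritedType -ne [guid]::Empty) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $rights, $allow, $ObjectType, $inh, $InheritedType)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $rights, $allow, $ObjectType, $inh)
    }
}

function Set-MachineAccountQuota([int]$Quota = 0) {
    # 0 removes the default "any authenticated user may join 10 computers"
    Set-ADDomain -Identity (Get-ADDomain).DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function Grant-ComputerCreate([string]$OuDN, [string]$GroupSam) {
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule((New-ADAce $sid 'CreateChild' $G.ComputerClass 'All'))   # create computer objects here and below
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Grant-ComputerJoin([string]$OuDN, [string]$GroupSam) {
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    # Applied to descendant computer objects only, so joiners get nothing on the OU itself
    $acl.AddAccessRule((New-ADAce $sid 'ExtendedRight' $G.ResetPassword       'Descendents' $G.ComputerClass))
    $acl.AddAccessRule((New-ADAce $sid 'WriteProperty' $G.AccountRestrictions 'Descendents' $G.ComputerClass))
    $acl.AddAccessRule((New-ADAce $sid 'Self'          $G.ValidatedDnsHost    'Descendents' $G.ComputerClass))
    $acl.AddAccessRule((New-ADAce $sid 'Self'          $G.ValidatedSpn        'Descendents' $G.ComputerClass))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

$ou = 'OU=Staging,OU=Clients,DC=contoso,DC=com'      # assumption
Set-MachineAccountQuota -Quota 0
& redircmp.exe $ou
Grant-ComputerCreate -OuDN $ou -GroupSam 'SYS_Computer_Creators'   # assumption
Grant-ComputerJoin   -OuDN $ou -GroupSam 'SYS_Computer_Joiners'    # assumption
```

Keeping create and join as two separate rights is the point: the desktop team can join a prestaged account without being able to create accounts wherever the quota used to let them, and the create right is scoped to the staging OU rather than the whole domain.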
Prestage computer accounts
No more joining a workgroup computer to the domain with no prestaged account
Use djoin.exe to perform an offline domain join for Windows 7 clients
Reset computer accounts: no more “remove from domain and rejoin domain”, which deletes the computer object and wipes out the computer’s group memberships
Rename computer accounts when you give a user a new computer and retire the old one: renaming maintains the computer’s group memberships; alternately, copy group memberships from the old computer to the new one
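An added example (not from the session) that serves the "copy group memberships from old to new computer" step here and the user-to-user copy earlier: the PowerShell counterpart of the dsget/dsmod pipelines, copying direct memberships only so nesting is preserved, skipping groups the target is already in, and supporting -WhatIf so you can preview. It prestages the replacement computer in the managed OU first. Computer names and the OU are assumptions; requires the ActiveDirectory module.

```powershell
# Added example: prestage a replacement computer and copy the retired computer's group memberships.
Import-Module ActiveDirectory

function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceSam,   # user: 'jsmith'; computer: 'LAPTOP12$'
        [Parameter(Mandatory)][string]$TargetSam
    )
    $source = Get-ADObject -LDAPFilter "(sAMAccountName=$SourceSam)" -Properties memberOf
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$TargetSam)" -Properties memberOf
    if (-not $source) { throw "Source not found: $SourceSam" }
    if (-not $target) { throw "Target not found: $TargetSam" }

    # memberOf is direct membership only (the primary group is not in it and needs no copy),
    # so nested groups stay nested rather than being flattened into the target.
    $already = @($target.memberOf)
    $copied = @()
    foreach ($groupDN in @($source.memberOf)) {
        if ($already -contains $groupDN) { continue }
        if ($PSCmdlet.ShouldProcess($groupDN, "add $($target.Name)")) {
            Add-ADGroupMember -Identity $groupDN -Members $target.DistinguishedName
            $copied += $groupDN
        }
    }
    $copied
}

# Retire LAPTOP12, provision LAPTOP13 with the same memberships (names and OU are assumptions)
New-ADComputer -Name 'LAPTOP13' -SamAccountName 'LAPTOP13$' -Path 'OU=NYC,OU=Clients,DC=contoso,DC=com' -Enabled $true
Copy-ADGroupMembership -SourceSam 'LAPTOP12$' -TargetSam 'LAPTOP13$' -WhatIf     # preview
Copy-ADGroupMembership -SourceSam 'LAPTOP12$' -TargetSam 'LAPTOP13$'
Disable-ADAccount -Identity 'LAPTOP12$'
```

Renaming the account is still simpler when the hardware is a like-for-like swap; the copy is for the case where both machines must coexist for a while, or where the old object is being kept disabled for audit.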
Extending the Schema
Schema_Create_AssignedComputers.vbs
* Do not try at home without reading the Resource Kit and testing! Parental supervision required!
demo
Solution: the wrong solution
Do not use <Last>, <First> as the common name
The LDAP distinguishedName is delimited by commas, so a comma in the CN has to be escaped (the RDN becomes CN=Last\, First), which throws off many scripts and apps
displayName can be <Last>, <First>
Solution: customize the MMC view
View > Add/Remove Columns: Last Name or Display Name
Sort by Last Name or Display Name
User Logon Names: A Modest Proposal
Pre-Windows 2000 Logon Name (sAMAccountName): %username% is used in numerous places and is unlikely to untangle; make it unique in the enterprise (Employee ID or alias)
User Principal Name (UPN): make it the same as the user’s email address
Cultural change: log on with the email address; users never forget it!
Rename Administrator: not for security but to reduce confusion and the potential for lockout; use Group Policy to scope the name differently to different classes of computers
Generic User Accounts
Security death wish
Typical scenarios: Internet access, kiosk
Consider a local account with a unique password on each system where needed, so the generic account cannot authenticate to other systems; create an account with the same name in the domain so the name is reserved
Better yet: unique accounts for each user, managed the same way: Intern01, Intern02, Intern03 with unique passwords, in a group “INTERN” that defines the user experience
Domain Security & Forest Models
Domains: multi-domain forests out, single-domain forests in; trusts out, federated identity and claims-based authentication in
OU models: design first for security (delegation/administration/ACLs); object-based models are most typical
Users: ACLed the same
Administrative identities: separated from standard users
Client computers: typically by site (who can add computers to the domain?)
Servers: typically by role
Groups: highly varied
Active Directory Administration & Delegation
Domain’s Administrator account: super-secured, never used, in-case-of-emergency break glass
Domain Admins, Enterprise Admins, domain’s Administrators groups: E-M-P-T-Y (more or less); custom accounts for use only as needed
Protected accounts: adminSDHolder
Schema Admins: empty; add members when a schema change is needed
Builtin groups (Account/Server/Print/Backup Operators): empty; they are over-delegated, and they too are protected accounts (adminSDHolder)
Delegation: carefully managed, since it is easy to get out of control and to lose documentability; an excellent candidate for role-based management
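An added example (not from the session) that checks the "E-M-P-T-Y" rule: it reports the recursive membership of the groups the slide says should be empty, and lists objects that still carry adminCount=1 without being in any of them. Those orphans are worth finding because adminSDHolder stops re-stamping their ACL once they leave a protected group, but the object keeps the non-inheriting ACL it was given, so OU-level delegation never applies to it. Requires the ActiveDirectory module; Enterprise Admins and Schema Admins exist only in the forest root domain, so they are skipped elsewhere.

```powershell
# Added example: audit protected-group membership and orphaned adminCount=1 objects.
Import-Module ActiveDirectory

$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

function Get-ProtectedGroupObjects {
    foreach ($g in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "name -eq '$g'" -ErrorAction SilentlyContinue
        if ($group) { $group }   # missing in child domains (Enterprise/Schema Admins): skip
    }
}

function Get-PrivilegedGroupReport {
    foreach ($group in Get-ProtectedGroupObjects) {
        $members = @(Get-ADGroupMember -Identity $group -Recursive)   # recursive, so nesting hides no one
        [pscustomobject]@{
            Group         = $group.Name
            MemberCount   = $members.Count
            Members       = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
            ShouldBeEmpty = ($group.Name -ne 'Administrators')     # Administrators keeps the break-glass account
        }
    }
}

function Get-OrphanedAdminCount {
    # Who is protected right now, computed from the groups rather than trusted from adminCount
    $protected = @{}
    foreach ($group in Get-ProtectedGroupObjects) {
        $protected[$group.DistinguishedName] = $true                # the protected groups themselves carry adminCount=1
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $protected[$_.DistinguishedName] = $true }
    }
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties adminCount |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) -and $_.Name -ne 'krbtgt' }
}

Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-OrphanedAdminCount    | Select-Object Name, ObjectClass, DistinguishedName
```

For each orphan, clear adminCount, re-enable inheritance on the object's ACL, and let the OU delegation take over; otherwise "never used" admin accounts that were demoted years ago stay outside every delegation model you draw.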
Site topology
What’s changed: networks are good, and the need for sites to partition replication has decreased (fewer sites); increased use of replicated resources for performance and DR
What’s needed: more sites, including sites without domain controllers (domain controller-less sites), to partition replicated resources (DFSN/DFSR)
Subnets
What’s changed: multiple components, tools and technologies rely on AD sites (domain controller location); increased mobility (“Where’s ComputerX?”)
What’s needed: a process by which IP subnets are synched with AD DS; ensure all IP addresses are associated with an AD subnet (and therefore a site); tie this to IP address provisioning
Use the LOCATION attribute of the AD subnet, e.g. US\LA\MSY\ConventionCenter\AudA
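An added example (not from the session) for the "ensure all IP addresses are associated with an AD subnet" process: domain controllers record clients they could not place in a site as NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log, so parsing those lines against the subnet list tells you exactly which subnets are missing. The log lines and subnet list below are constructed so the block runs offline; Get-ADSubnetsLive shows the ADSI query to substitute for a real run. The log line format follows netlogon.log's "NO_CLIENT_SITE: <computer> <ip>" shape.

```powershell
# Added example: find client addresses that no AD subnet covers, from netlogon.log NO_CLIENT_SITE entries.

# Constructed sample of netlogon.log lines (real file: %SystemRoot%\debug\netlogon.log on each DC)
$SampleNetlogonLog = @'
06/14 09:12:01 [MISC] NO_CLIENT_SITE: LAPTOP12 10.40.7.23
06/14 09:12:44 [MISC] NO_CLIENT_SITE: KIOSK01 10.40.7.90
06/14 09:15:10 [MISC] NO_CLIENT_SITE: LAPTOP17 192.168.3.14
'@ -split "`r?`n"

# Constructed list of what is already defined under CN=Subnets,CN=Sites,CN=Configuration,...
$SampleSubnets = @(
    @{ Name = '10.40.0.0/22'; Location = 'US\NYC\HQ\Floor4' },
    @{ Name = '10.40.7.0/24'; Location = 'US\NYC\HQ\Floor7' }
)

function Test-IPInSubnet([string]$IP, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $ipInt  = [BitConverter]::ToUInt32(([ipaddress]$IP).GetAddressBytes()[3..0], 0)    # host byte order
    $netInt = [BitConverter]::ToUInt32(([ipaddress]$net).GetAddressBytes()[3..0], 0)
    $mask   = [uint32]([uint64]0xFFFFFFFF - ([uint64][math]::Pow(2, 32 - [int]$bits) - 1))
    ($ipInt -band $mask) -eq ($netInt -band $mask)
}

function Get-UncoveredClients([string[]]$LogLines, [object[]]$Subnets) {
    $seen = @{}
    foreach ($line in $LogLines) {
        if ($line -notmatch 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d+\.\d+\.\d+\.\d+)') { continue }
        $ip = $Matches.ip
        if ($seen.ContainsKey($ip)) { continue }          # one row per address, however often it logged
        $seen[$ip] = $true
        $covered = @($Subnets | Where-Object { Test-IPInSubnet -IP $ip -Cidr $_.Name })
        [pscustomobject]@{
            Host      = $Matches.host
            IP        = $ip
            CoveredBy = if ($covered) { ($covered | ForEach-Object { $_.Name }) -join ',' } else { $null }
            Action    = if ($covered) { 'subnet exists now; recheck after site cache refresh' } else { 'create AD subnet and set Location' }
        }
    }
}

function Get-ADSubnetsLive {
    # Live replacement for $SampleSubnets via ADSI (no Server 2012 cmdlets required)
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = [ADSISearcher]'(objectClass=subnet)'
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$($root.configurationNamingContext)"
    $searcher.PageSize = 1000
    $searcher.FindAll() | ForEach-Object {
        @{ Name = ($_.Properties['name'] | Select-Object -First 1); Location = ($_.Properties['location'] | Select-Object -First 1) }
    }
}

Get-UncoveredClients -LogLines $SampleNetlogonLog -Subnets $SampleSubnets | Format-Table -AutoSize
```

With the constructed data the two 10.40.7.x clients are covered by 10.40.7.0/24 (they were logged before that subnet existed), and 192.168.3.14 has no subnet at all, which is the row to act on. Feed the live log from every DC, since each DC only logs the clients that happened to reach it.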
Replication
What’s changed: networks are good; increased need for convergence; people trust AD
Notification-based replication: change intersite replication to use notification-based replication, the same as intrasite
Reduces the time to replication convergence, and with it issues related to password change, group change, lockout, etc.
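An added example (not from the session) that turns on change notification for site links. The siteLink object's options attribute is a bit mask: 0x1 is USE_NOTIFY, 0x2 TWOWAY_SYNC, 0x4 DISABLE_COMPRESSION. Notification bypasses the link's schedule and interval, so updates flow immediately; leave it off for links whose bandwidth cannot absorb that. Assumes the IP transport and the ActiveDirectory module; the exclusion list is an assumption.

```powershell
# Added example: report and enable USE_NOTIFY on IP site links.
Import-Module ActiveDirectory
$USE_NOTIFY = 0x1

function Get-SiteLinkNotification {
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=IP,CN=Inter-Site Transports,CN=Sites,$config" -LDAPFilter '(objectClass=siteLink)' -Properties options, cost, replInterval |
        ForEach-Object {
            $opts = if ($_.options) { [int]$_.options } else { 0 }     # attribute is absent until something sets it
            [pscustomobject]@{
                Name            = $_.Name
                Cost            = $_.cost
                IntervalMinutes = $_.replInterval
                NotifyEnabled   = ($opts -band $USE_NOTIFY) -ne 0
                Options         = $opts
                DN              = $_.DistinguishedName
            }
        }
}

function Enable-SiteLinkNotification {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Exclude = @())     # links to leave on the schedule, e.g. satellite offices
    foreach ($link in Get-SiteLinkNotification) {
        if ($link.NotifyEnabled -or $Exclude -contains $link.Name) { continue }
        if ($PSCmdlet.ShouldProcess($link.Name, 'set USE_NOTIFY')) {
            # -bor keeps any other bits (TWOWAY_SYNC, DISABLE_COMPRESSION) already set
            Set-ADObject -Identity $link.DN -Replace @{ options = ($link.Options -bor $USE_NOTIFY) }
        }
    }
}

Get-SiteLinkNotification | Format-Table Name, Cost, IntervalMinutes, NotifyEnabled -AutoSize
Enable-SiteLinkNotification -Exclude 'HQ-Satellite' -WhatIf    # 'HQ-Satellite' is an assumed link name
```

Run the report first; a link that already shows NotifyEnabled was probably set by hand earlier, and the OR preserves any compression or two-way-sync flags someone set at the same time.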
Saved queries
Use SAVED QUERIES for administrative views; don’t even try using actual OUs/nodes in ADUC
Benefits
Columns (View > Columns) are unique to each saved query: add the Last Name column to a saved query once, whereas in an OU view you have to add Last Name in every OU
“Virtualizes” a complex AD structure
Efficient administrative views, e.g. disabled users, locked out users, users with passwords set to not expire
Manage users by group (not OU): create a saved query that lists the (direct) members of a group: (&(objectCategory=user)(memberOf=DN of Group)); no wildcards, the DN must be exact
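An added example (not from the session) giving the LDAP filters behind the saved queries listed above, runnable from PowerShell and pasteable into ADUC's Custom Search. 1.2.840.113556.1.4.803 is the bitwise-AND matching rule on userAccountControl (2 = disabled, 65536 = password never expires); 1.2.840.113556.1.4.1941 is the transitive matching rule, which gives you nested members of a group where the slide's plain memberOf filter gives direct members only. The group DN is escaped per RFC 4515 first, which is what a CN containing an escaped comma would otherwise break. The group DN is an assumption; requires the ActiveDirectory module.

```powershell
# Added example: saved-query LDAP filters as a reusable table, plus a runner with a lockout post-filter.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so \ ( ) * and NUL inside a DN or name cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-SavedQueryFilters([string]$GroupDN) {
    $dn = ConvertTo-LdapFilterValue $GroupDN
    [ordered]@{
        DisabledUsers        = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
        PasswordNeverExpires = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
        # lockoutTime is not cleared when the lockout duration elapses, so this over-matches; see Invoke-SavedQuery
        PossiblyLockedOut    = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
        DirectMembersOfGroup = "(&(objectCategory=person)(objectClass=user)(memberOf=$dn))"
        NestedMembersOfGroup = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    }
}

function Invoke-SavedQuery([Parameter(Mandatory)][string]$Name, [string]$GroupDN) {
    $filters = Get-SavedQueryFilters -GroupDN $GroupDN
    if (-not $filters.Contains($Name)) { throw "Unknown query: $Name" }
    $results = Get-ADUser -LDAPFilter $filters[$Name] -Properties lockoutTime, userAccountControl
    if ($Name -eq 'PossiblyLockedOut') {
        # Keep only accounts still inside the domain's lockout duration (0 = admin must unlock: keep all)
        $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
        if ($duration -gt [TimeSpan]::Zero) {
            $cutoff = (Get-Date).ToUniversalTime() - $duration
            $results = $results | Where-Object { [DateTime]::FromFileTimeUtc($_.lockoutTime) -gt $cutoff }
        }
    }
    $results
}

$group = 'CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com'   # assumption
(Get-SavedQueryFilters -GroupDN $group).GetEnumerator() | Format-Table Name, Value -Wrap
Invoke-SavedQuery -Name 'DirectMembersOfGroup' -GroupDN $group | Select-Object SamAccountName
```

The "locked out" case is the caveat worth remembering when you build the saved query in ADUC: the filter alone lists everyone who has ever been locked out, because the attribute is only reset on the next successful logon or an explicit unlock, not when the lockout expires.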
Taskpads as an "Admin Launch Pad"
Create tasks for shell commands: can be any command you can run from Start > Run; for command-line commands, prefix with cmd.exe /c
Anything that launches will launch with the same credentials as the MMC (admin/alternate creds)
Suggestion: add a Folder snap-in, rename the folder Tools, create a taskpad view with the "No List" view, and add shell command tasks
Integrate a custom command
Locate a useful command, script, or tool, e.g. mstsc /v:ComputerName [/h:WindowHeight /w:WindowWidth | /full] [/console | /admin]
Identify parameters that can be passed (ComputerName)
Add the command as a shell task to an MMC taskpad
Open remote command prompt: PsExec for remote command execution
Download from http://technet.microsoft.com/sysinternals; put it in the system path (e.g. SYSTEM32) or include the full path in the task command
psexec \\computername cmd.exe
Create a shell command task: Command: psexec.exe; Parameters: \\NAME cmd.exe, or \\$COL<0> cmd.exe to pass the first column (the name) of the item selected in the list view
Deploy Administrative Tools
Remote Desktop Services: RemoteApp
Huge benefits: install once, customize once, available anywhere, runs with alternate credentials
Be careful: the admin launch pad (e.g. command prompt) is on the server itself; suggest a dedicated (virtual?) remote desktop server
What Is Provisioning?
Create a process or workflow that injects business logic and supports business requirements
Requires going beyond the native toolsets
Enables automation and logging/auditing
What Is Proxying?
Performing a task on behalf of a user: the user does not have rights to perform the task; the user uses a provisioning tool; the proxy performs the task with separate credentials
Ideally a Windows service (service account credentials); or a web application (application pool credentials); or a scheduled task (easiest: scheduled task credentials)
Enforces a provisioned workflow and enables consistency, security, and logging/reporting/auditing/compliance
Simple Proxy Application
User requests an action with user credentials; the application authenticates and authorizes the user’s ability to make the request; forms provide UI, data validation, required fields, calculated fields; submitting the request enters it in the task queue
Service executes tasks: a privileged account managed with the Windows Service Control Manager (can even be a scheduled task; see the Resource Kit); the user does not require such permissions, which enables enforcement of the provisioned process
Command queue maintains action requests: the service sees open tasks, executes them, and logs results
Reporting: the task queue and logs serve as the audit trail
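An added example (not the Resource Kit's proxy) of the queue-and-executor half of the simple proxy application, in the "scheduled task" form the slides call easiest. Requests are JSON files that the user-side form drops into a queue folder with the user's own rights; the proxy, running under the privileged account, identifies the requester from the file's NTFS owner rather than from anything inside the file, re-checks authorization against a requester group, allows only actions it knows, executes with its own credentials, and appends one audit record per request. Folder paths, the authorization group, the ACL_ naming guard and the sample request are assumptions; requires the ActiveDirectory module for a live run.

```powershell
# Added example: proxy executor run by a scheduled task under a privileged service account.
Import-Module ActiveDirectory

$Queue    = 'C:\Provisioning\Queue'     # assumption: users get Create Files only (no read/list); proxy gets Modify
$Done     = 'C:\Provisioning\Done'
$AuditLog = 'C:\Provisioning\audit.log'
$Authorized = @{ AddUserToGroup = 'PROV_GroupMembership_Requesters' }   # action -> role group allowed to request it

function Test-RequesterAuthorized([string]$Requester, [string]$Action) {
    # Authorization is decided here, by the proxy, never trusted from the request
    if (-not $Authorized.ContainsKey($Action)) { return $false }
    $hit = Get-ADGroupMember -Identity $Authorized[$Action] -Recursive | Where-Object { $_.SamAccountName -eq $Requester }
    [bool]$hit
}

function Invoke-ProvisioningAction($Request) {
    switch ($Request.Action) {
        'AddUserToGroup' {
            # Business rule: this proxy only touches ACL_ rule groups, never role or admin groups
            if ($Request.Group -notlike 'ACL_*') { throw "only ACL_ groups may be changed through this proxy" }
            Add-ADGroupMember -Identity $Request.Group -Members $Request.User
        }
        default { throw "unknown action '$($Request.Action)'" }
    }
}

function Write-Audit([string]$Id, [string]$Requester, [string]$Action, [string]$Outcome, [string]$Detail) {
    $record = [pscustomobject]@{
        Time = (Get-Date).ToString('o'); Id = $Id; Requester = $Requester; Action = $Action
        Outcome = $Outcome; Detail = $Detail; ProxyAccount = "$env:USERDOMAIN\$env:USERNAME"
    }
    Add-Content -Path $AuditLog -Value ($record | ConvertTo-Json -Compress)
}

function Invoke-ProvisioningQueue {
    foreach ($file in Get-ChildItem -Path $Queue -Filter *.json) {
        $id = $file.BaseName
        $owner = $null; $req = $null
        try {
            # The NTFS owner of the file is the identity we trust, not a "requester" field in the JSON
            $owner = (Get-Acl -Path $file.FullName).Owner -replace '^.*\\', ''
            $req = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
            if (-not (Test-RequesterAuthorized -Requester $owner -Action $req.Action)) {
                Write-Audit $id $owner $req.Action 'Denied' 'requester not authorized for action'
            } else {
                Invoke-ProvisioningAction $req
                Write-Audit $id $owner $req.Action 'Succeeded' ($req | ConvertTo-Json -Compress)
            }
        } catch {
            Write-Audit $id $owner $req.Action 'Failed' $_.Exception.Message
        } finally {
            Move-Item -Path $file.FullName -Destination (Join-Path $Done $file.Name) -Force   # never re-run a request
        }
    }
}

# What the user-side form writes (constructed request); the form runs as the user, so the file's owner is the user
$sample = @{ Action = 'AddUserToGroup'; User = 'jsmith'; Group = 'ACL_Sales Folders_Read' } | ConvertTo-Json -Compress
# Set-Content -Path (Join-Path $Queue "$([guid]::NewGuid()).json") -Value $sample   # done by the form, not the proxy

Invoke-ProvisioningQueue
```

Two design choices carry the security argument of the slide. The requester's identity comes from the NTFS owner of the file, so a user cannot submit on someone else's behalf, and the proxy re-derives authorization from group membership at execution time rather than trusting that the form checked it. The audit log then answers "who asked for what, and what did the proxy do" without the users ever holding the right to do it themselves.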
Resources
www.microsoft.com/teched: sessions on-demand & community
www.microsoft.com/learning: Microsoft certification & training resources
http://microsoft.com/technet: resources for IT professionals
http://microsoft.com/msdn: resources for developers
Resources
Windows Administration Resource Kit: Productivity Solutions for IT Professionals
Windows IT Pro magazine
Blogs
http://www.intelliem.com/resourcekit
[email protected]
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration
Join us in Atlanta next year
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.