Administrators’ Idol: Windows and Active Directory Best Practices
Dan Holme, Director of Training & Consulting, Intelliem
SESSION CODE: WSV301


Dan Holme, Consultant & Trainer at Intelliem
www.intelliem.com
Fortune-caliber business, academic & government clients
Microsoft Technologies Consultant, NBC Olympics
Contributing Editor, Windows IT Pro magazine and SharePoint Pro Connections magazine (www.SharePointProConnections.com)
Author: Microsoft Press
MVP: Directory Services (2007), SharePoint Server (2008-2010)
[email protected]
http://www.intelliem.com/resourcekit

Fire Hose “On”: Goals of session
Cover tips, tricks & traps, best practices
Show you things you may never have been told and might never find out about anywhere else
Demonstrate (and give you) valuable scripts & tools

Very important resource: http://www.intelliem.com/resourcekit
Enhanced slides with details & step-by-steps
Scripts and tools!
Windows Administration Resource Kit

Groups: Managing roles, rules, and resources

Role-Based Management
Questions: “What can Joe get to?” and “Who has access to the budget?”
Answers: “Umm….”

demo & best practices

Identity Access Management (diagram sequence)
Access Management Without Groups: Identity -> Access Management -> Resource
Groups Add Manageability: Identity -> Group -> Access Management -> Resource
Groups Add Scalability: Identity -> Group -> Access Management -> Resource
One Type of Group Is Not Enough: Identity -> Group -> Access Management -> Resource
Role-Based Management: Role Groups and Rule Groups: Identity -> Role Group -> Rule Group -> Access Management -> Resource
Role-Based Management: Windows Group Scopes: Identity -> Role Group (Global) -> Rule Group (Domain Local) -> Access Management -> Resource

Role-Based Management: Users -> Role -> Rule -> Resource

MaxTokenSize, long story short
At more than roughly 200-300 groups a user’s Kerberos token can outgrow the default MaxTokenSize (12,000 bytes on releases before Windows 8 / Server 2012), and logon, Group Policy and HTTP authentication start to fail
You can work around it: deploy a larger MaxTokenSize (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) consistently to every client and server in the forest
The hard limit is in the token itself: about 1,024 SIDs (roughly 1,015 group memberships), and no MaxTokenSize setting lifts it
Double-rule your resources: the token grows with the number of groups per user, not with the number of resources a single rule group covers
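Before raising MaxTokenSize it is worth knowing how close a given user actually is. The script below is an added example, not part of the session or its Resource Kit: it reads the user’s constructed tokenGroups attribute (the fully expanded list the token will carry) and applies the KB327825 estimate TokenSize = 1200 + 40d + 8s. It uses plain ADSI, so it needs no ActiveDirectory module; the default limit and the treatment of unresolvable SIDs are assumptions stated in the comments.

```powershell
# Added example (not from the session): estimate a user's Kerberos token size
# from tokenGroups with the KB327825 formula TokenSize = 1200 + 40d + 8s, where
# d = domain local groups plus universal groups from other domains and
# s = global groups plus universal groups from the user's own domain.
# The formula predates SID compression (Windows 8 / Server 2012), so on those
# releases treat the result as an upper bound.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $MaxTokenSize = 12000        # default before Windows 8 / Server 2012; 48000 afterwards
)

$rootDse = [ADSI] 'LDAP://RootDSE'
$domain  = [ADSI] "LDAP://$($rootDse.defaultNamingContext)"
$filter  = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$result  = (New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)).FindOne()
if (-not $result) { throw "User '$SamAccountName' not found" }

$userSid       = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
$userDomainSid = $userSid.AccountDomainSid

# tokenGroups is a constructed attribute: read it from the object itself. It already
# holds the fully expanded (nested) list of security groups, exactly what the token gets.
$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))

$d = 0; $s = 0; $unresolved = 0
foreach ($bytes in $entry.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try {
        # Bind by SID and read groupType: bit 2 = global, 4 = domain local, 8 = universal
        $type = [int] ([ADSI] "LDAP://<SID=$($sid.Value)>").Properties['groupType'].Value
    } catch {
        $unresolved++; $d++; continue            # assumption: count unknowns as the 40-byte kind
    }
    $global    = ($type -band 2) -ne 0
    $universal = ($type -band 8) -ne 0
    if ($global -or ($universal -and $sid.AccountDomainSid -eq $userDomainSid)) { $s++ } else { $d++ }
}

$estimate = 1200 + 40 * $d + 8 * $s
[pscustomobject]@{
    User           = $SamAccountName
    Groups         = $d + $s
    FortyByteSids  = $d
    EightByteSids  = $s
    Unresolved     = $unresolved
    EstimatedBytes = $estimate
    OverLimit      = $estimate -gt $MaxTokenSize
}
```

Run it as `.\Get-TokenSizeEstimate.ps1 -SamAccountName jdoe` (the file name is arbitrary). Domain local groups cost five times what global groups cost, which is why the rule-group layer, not the role-group layer, is where token bloat appears first.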

Migration to RBM
Design your managed framework
Draw a line in the sand: from now on, managed
Back-fill the management over time

Group Management

best practices

Define Group Naming Conventions
Role groups: simple, unique name, such as Sales or Consultants
Management (rule) groups: for example, ACL_Sales Folders_Read
  Prefix: management purpose of the group, such as ACL
  Resource identifier: what is managed, such as Sales Folders
  Suffix: access level, such as Read
  Delimiter: separates name components, such as underscore (_)

Best Practices for Group Documentation
Why document groups?
  Easier to find them when you need them
  Easier to understand how and when to use a group
Establish and adhere to a strict naming convention
  The prefix, for example, distinguishes APP_Budget from ACL_Budget_Edit
  The prefix also helps you find the group in the Select dialog box
Summarize a group’s purpose in its Description (appears in the Active Directory Users and Computers details pane)
Detail a group’s purpose in its Notes field (the info attribute)
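A convention only holds if the tooling refuses to create groups that break it. The function below is an added example (not from the session or its Resource Kit) that builds the PREFIX_Resource_Access name, validates it, checks for collisions, and writes the Description and Notes at creation time. The prefix and suffix lists, the OU path and the file server in the usage line are assumptions.

```powershell
# Added example (not from the session): create a rule group that satisfies the
# PREFIX_Resource_Access convention and carries its documentation in AD.
# Requires the ActiveDirectory module. Prefix/suffix sets and OU are assumptions.
Import-Module ActiveDirectory

function New-ManagedGroup {
    param(
        [Parameter(Mandatory)] [ValidateSet('ACL','APP','SYS','COMP')]      [string] $Prefix,
        [Parameter(Mandatory)] [string] $Resource,                                   # e.g. 'Sales Folders'
        [Parameter(Mandatory)] [ValidateSet('Read','Edit','Full','Admins')] [string] $Access,
        [Parameter(Mandatory)] [string] $Path,                                       # OU DN for rule groups
        [Parameter(Mandatory)] [string] $Description,                                # one line, ADUC details pane
        [string] $Notes = '',                                                        # multi-line, the info attribute
        [ValidateSet('DomainLocal','Global')] [string] $Scope = 'DomainLocal'
    )
    $name = '{0}_{1}_{2}' -f $Prefix, $Resource, $Access

    # Reject anything the convention does not allow before it reaches the directory
    if ($name -notmatch '^(ACL|APP|SYS|COMP)_[A-Za-z0-9 ]+_(Read|Edit|Full|Admins)$') {
        throw "Name '$name' violates the naming convention"
    }
    if (Get-ADGroup -Filter "sAMAccountName -eq '$name'") {
        throw "Group '$name' already exists"
    }

    $params = @{
        Name = $name; SamAccountName = $name; GroupCategory = 'Security'; GroupScope = $Scope
        Path = $Path; Description = $Description; PassThru = $true
    }
    if ($Notes) { $params.OtherAttributes = @{ info = $Notes } }   # Notes field in ADUC
    New-ADGroup @params
}

# Usage (OU and server name are assumptions):
New-ManagedGroup -Prefix ACL -Resource 'Sales Folders' -Access Read `
    -Path 'OU=Rule,OU=Groups,DC=contoso,DC=com' `
    -Description 'Read access to \\fs01\Sales' `
    -Notes "Grants Read on \\fs01\Sales`nOwner: Sales Operations`nRequest via the SALES-ACL ticket queue"
```

Because the regex and the ValidateSet lists are the single definition of the convention, changing them changes what every caller may create; keep them in one place rather than copying them into each provisioning script.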

Copy Group Membership
Copy the members of one group to another (direct members only):

dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr

Copy the memberships of one user to another (the groups the source user is a direct member of; dsmod reads the group DNs from the pipe):

dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"

Delegate Membership Management with Managed By
The Managed By tab serves two purposes:
  Provide contact information for who manages the group
  Allow the specified user (or group) to modify group membership if Manager Can Update Membership List is selected
Tips
  You must click OK (not just Apply) to change the ACL on the group
  To set a group in the Name box, click Change, then Object Types, and then select Groups

Shadow groups
Membership based on an LDAP query
Group_Shadow.vbs
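The idea behind a shadow group is that the directory query, not a human, decides membership. The function below is an added example, not the session’s Group_Shadow.vbs: it computes the desired members from an LDAP filter, diffs them against the current members, and applies only the delta, with a guard against an empty query wiping the group. The filter and OU in the usage line are assumptions.

```powershell
# Added example (not the session's Group_Shadow.vbs): keep a group's membership
# equal to the result set of an LDAP query. Meant to run on a schedule; it only
# adds and removes the difference, so repeated runs are cheap and idempotent.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $Group,        # sAMAccountName or DN of the shadow group
        [Parameter(Mandatory)] [string] $LdapFilter,   # e.g. '(&(objectCategory=person)(department=Sales))'
        [string] $SearchBase,                           # optional OU to scope the query
        [switch] $WhatIf
    )
    $query = @{ LDAPFilter = $LdapFilter }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $desired = @(Get-ADObject @query | Select-Object -ExpandProperty DistinguishedName)
    # Read the member attribute directly: Get-ADGroupMember stops at 5000 entries by default
    $current = @((Get-ADGroup -Identity $Group -Properties member).member)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    # Safety valve: a mistyped or broken query must not strip everyone out of the group
    if ($current.Count -gt 0 -and $desired.Count -eq 0) {
        throw "Query returned no objects; refusing to empty '$Group'"
    }
    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count; Total = $desired.Count }
}

# Usage (filter and OU are assumptions); -WhatIf previews the delta without touching AD:
Sync-ShadowGroup -Group 'Sales' -WhatIf `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(department=Sales)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -SearchBase 'OU=Users,DC=contoso,DC=com'
```

The filter excludes disabled accounts with the bitwise matching rule, so a departed user drops out of the role group on the next run without anyone editing the group by hand.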

demo

Delegating System Administration

best practices

System Administration
Implementation: local Administrators group
Process
  Define scopes of computers
  Create (global or domain local) role groups defining scopes of administration, e.g. SYS_NYC_Clients_Admins, SYS_FileServer_Admins
  Create rules defining the computers in each scope
    OUs: OU=NYC,OU=Clients,DC=contoso…, OU=File,OU=Servers,DC=contoso…
    or (global) rule groups: COMP_NYC_Clients, COMP_Servers_File
  Group Policy Restricted Groups, using the “This group is a member of” (Member Of) version, which is cumulative rather than authoritative
  Filter the GPO by the rule groups

User-as-Administrator
Make it manageable
Process
  Create a (domain local) rule group for each computer: SERVER05_Admin, LAPTOP12_Admin
  Add the computer’s admin group to the local Administrators group
    One-time, e.g. in the image
    Startup script
Note
  Do not nest support staff using this method in large environments: every per-computer group lands in the support account’s token (MaxTokenSize)
  Double-rule: use the scope-based process on the previous slide for support staff instead
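The per-computer group pattern has two halves: provisioning the groups in AD and teaching each computer to use its own. The script below is an added example (not from the session or its Resource Kit) showing both; the OU paths are assumptions, and the startup-script half uses the LocalAccounts cmdlets that ship with Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the session): the per-computer admin group pattern.
# Part 1 runs on an admin workstation with the ActiveDirectory module and
# creates a <COMPUTER>_Admin domain local group for every computer in an OU.
# Part 2 is the computer startup script (runs as SYSTEM) that adds that group
# to the local Administrators group. OU paths are assumptions.

# --- Part 1: provision the rule groups (admin workstation) ---
function New-ComputerAdminGroups {
    param(
        [Parameter(Mandatory)] [string] $ComputerOU,   # e.g. 'OU=File,OU=Servers,DC=contoso,DC=com'
        [Parameter(Mandatory)] [string] $GroupOU       # e.g. 'OU=Computers,OU=Rule,OU=Groups,DC=contoso,DC=com'
    )
    Import-Module ActiveDirectory
    foreach ($c in Get-ADComputer -Filter * -SearchBase $ComputerOU) {
        $name = "$($c.Name)_Admin"
        if (Get-ADGroup -Filter "sAMAccountName -eq '$name'") { continue }   # idempotent re-runs
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "Local Administrators on $($c.Name) (applied by startup script)"
    }
}

# --- Part 2: startup script, runs as SYSTEM on each computer ---
function Add-ComputerAdminGroup {
    # Resolve the group to a SID up front: if the group does not exist this throws
    # here, rather than silently adding nothing.
    $dnsDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $account   = New-Object System.Security.Principal.NTAccount($dnsDomain, "$($env:COMPUTERNAME)_Admin")
    $sid       = $account.Translate([System.Security.Principal.SecurityIdentifier])
    try {
        # Additive: never removes what the image or a Restricted Groups policy already put there
        Add-LocalGroupMember -Group 'Administrators' -Member $sid.Value -ErrorAction Stop
        'added'
    } catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        'already present'
    }
}
```

Run `New-ComputerAdminGroups` from a scheduled job so new computers get a group within minutes of being joined; deploy `Add-ComputerAdminGroup` as a startup script in the same GPO that targets the computer OU. Adding by SID rather than by name means a later group rename does not break the link.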

System Administration
Get Domain Admins out of clients’ Administrators group
Consider the Administrator account
  No more generic passwords! One password shared by every client means one compromised client is all of them
  Why do you need local Administrator logon?
    Admin credentials when the domain is not accessible
    Physical, interactive logon only
      In the enterprise: never; remove the disk and mount it on a functioning system
      On the road: possibly, if users are not administrators of their own laptops

System Administration
Solutions
  Disabled account: log on in Safe Mode to enable it
  Random password: if the system cannot connect to the domain, yank out the disk, or reimage (non-destructively)
  Password check-out: password stored securely, retrieved by IT support, then automatically changed (Steve Riley’s book, or tools such as Lieberman)
  Unique password based on a system characteristic
    Something on the label on the computer, or something in the BIOS: serial number, asset tag
    Plus a unique or random piece that can be retrieved by IT
    Changed after use
    Caveat: anything printed on the chassis or readable from the BIOS is available to whoever holds the machine, so the random piece must carry all of the password’s strength
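The random-password and disabled-account solutions above reduce to one operation per computer: find the real built-in Administrator (even if it has been renamed), give it a password nobody can guess, optionally disable it, and hand the password to whatever check-out process you run. The function below is an added example, not from the session or its Resource Kit; how the returned password reaches your password store is left as an assumption.

```powershell
# Added example (not from the session): set a unique, cryptographically random
# password on the built-in local Administrator and return it for check-in to
# the password store. Run as an administrator on the computer (e.g. via a
# proxy or startup task). Handing the result to the store is out of scope here.
function Set-RandomLocalAdminPassword {
    param([int] $Length = 24, [switch] $Disable)

    # Locate the account by its well-known RID (500) so a renamed Administrator is still found
    $computer = [ADSI] "WinNT://$env:COMPUTERNAME,computer"
    $admin = $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        Where-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Properties['objectSid'].Value, 0)
            $sid.Value -like '*-500'
        } | Select-Object -First 1
    if (-not $admin) { throw 'Built-in Administrator account not found' }

    # 64-symbol alphabet (no l, I, O, 0, 1): 2^32 mod 64 == 0, so the modulo below is unbiased
    $alphabet = [char[]] 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-=?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] (4 * $Length)
    $rng.GetBytes($buf)
    $password = -join (0..($Length - 1) | ForEach-Object {
        $alphabet[[BitConverter]::ToUInt32($buf, 4 * $_) % $alphabet.Length]
    })

    $admin.Invoke('SetPassword', $password)          # takes effect immediately
    if ($Disable) {
        $admin.InvokeSet('AccountDisabled', $true)    # Safe Mode logon can re-enable it
        $admin.CommitChanges()
    }

    # Return, do not log: this object must go straight into the check-out store
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $admin.Name
        Password  = $password
        Disabled  = [bool] $Disable
        ChangedAt = (Get-Date -Format o)
    }
}
```

Nothing in the password derives from a label or serial number: a 24-character draw from 64 symbols is 144 bits of entropy, and the only place it exists is the returned object and the store you put it in. If PowerShell transcription is enabled on the machine, disable it for this task, since the transcript would capture the value.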

Computers
Computer object management
Windows’ default computer management is highly over-delegated and not least privilege
Redirect the default Computers container to an OU with appropriate delegation & configuration
  redircmp "DN of OU for new computer objects"
Remove the default “any user can join 10 computers” (ms-DS-MachineAccountQuota)
  Computers_SetQuota.vbs
Delegate creation of computer objects
  computerou_delegate_create.bat "DN of OU" "Domain\group"
Delegate joining computers to the domain
  computerou_delegate_join.bat "DN of OU" "Domain\group"
Provision a computer: Computer_JoinDomain
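The quota change and the prestaged, offline-joined computer are the two halves of taking domain joins away from end users. The script below is an added example, not the session’s Computer_JoinDomain or Computers_SetQuota.vbs: it sets the quota to zero and verifies it, then prestages a computer with djoin.exe and drops it into its rule groups. OU paths, group names and the domain name are assumptions.

```powershell
# Added example (not the session's scripts): harden the domain default and
# prestage a computer with an offline-join blob. Run on a domain member with
# the ActiveDirectory module and djoin.exe (RSAT), as an account delegated to
# create computer objects in the target OU. Names and OUs are assumptions.
Import-Module ActiveDirectory

# One-time: stop every authenticated user from creating ten computer accounts
function Disable-MachineAccountQuota {
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    # Read it back so the change is verified, not assumed
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function New-ProvisionedComputer {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $OU,            # e.g. 'OU=NYC,OU=Clients,DC=contoso,DC=com'
        [Parameter(Mandatory)] [string]   $DomainFqdn,    # e.g. 'contoso.com'
        [string[]] $RuleGroups = @(),                      # e.g. 'COMP_NYC_Clients'
        [string]   $BlobPath
    )
    if (-not $BlobPath) { $BlobPath = Join-Path $env:TEMP "$Name.odj" }

    # djoin creates the account in the right OU (or resets an existing one with /reuse)
    # and writes the blob the client consumes without ever contacting a DC.
    & djoin.exe /provision /domain $DomainFqdn /machine $Name /machineou $OU /savefile $BlobPath /reuse | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $Name (exit code $LASTEXITCODE)" }

    # Rule groups are assigned at prestage time, so the computer is in scope from first boot
    foreach ($g in $RuleGroups) { Add-ADGroupMember -Identity $g -Members "$Name$" }

    # The blob carries the machine account password: deliver it over a protected
    # channel and delete it once the client has consumed it.
    Get-Item -Path $BlobPath
}

# Usage (assumptions):
#   Disable-MachineAccountQuota                       # returns 0
#   New-ProvisionedComputer -Name PC001 -OU 'OU=NYC,OU=Clients,DC=contoso,DC=com' `
#       -DomainFqdn contoso.com -RuleGroups COMP_NYC_Clients
# On the client, before it first contacts the domain (Windows 7 / Server 2008 R2 and later):
#   djoin.exe /requestODJ /loadfile C:\PC001.odj /windowspath %SystemRoot% /localos
# then reboot.
```

With the quota at zero, only identities granted Create Computer Objects on the OU (or the Reset Password / Write account restrictions rights for joining to a prestaged account) can add machines, which is exactly the delegation the two .bat files in the Resource Kit set up.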

demo

Computer object management
Prestage computer accounts
  No more joining a workgroup computer to the domain with no prestaged account
  Use djoin.exe to perform an offline domain join for Windows 7 clients
Reset computer accounts
  No more “remove from domain and rejoin domain”: that habit deletes the computer object, which wipes out the computer’s group memberships; resetting the account keeps the object
Rename computer accounts
  When you give a user a new computer and retire the old one
  Maintains the computer’s group memberships
  Alternately, copy group memberships from the old computer to the new one

Extending the Schema
Schema_Create_AssignedComputers.vbs
* Do not try at home without reading the Resource Kit and testing! Parental supervision required!

demo

User Accounts: Last Name, First Name

best practices

Scenario: User management
Problem: finding users easily
The wrong solution: do not use <Last>, <First> as the common name
  The LDAP distinguishedName is delimited by commas, so a comma in the CN must be escaped (CN=Holme\, Dan), which throws off many scripts and apps
  displayName can safely be <Last>, <First>
Solution: customize the MMC view
  View > Add/Remove Columns: add Last Name or Display Name, then sort by Last Name or Display Name
New problem: the view affects all OUs

User Accounts

best practices

User Logon Names: A Modest Proposal
Pre-Windows 2000 Logon Name (sAMAccountName)
  %username% is used in numerous places and is unlikely to be untangled
  Make it unique in the enterprise (Employee ID or alias)
User Principal Name (UPN)
  Make it the same as the user’s e-mail address
  Cultural change: log on with the e-mail address; users never forget it!

Rename Administrator
  Not for security (the RID is still 500), but to reduce confusion and the potential for lockout
  Use Group Policy to scope the name differently to different classes of computers

Generic User Accounts: a security death wish
Typical scenarios: Internet access, kiosk
Consider a local account
  Unique password on each system where needed, so the account cannot authenticate to other systems with the generic credentials
  Create an account with the same name in the domain
Better yet: unique accounts for each user, managed the same way
  User names Intern01, Intern02, Intern03, with unique passwords
  In a group, INTERN, that defines the user experience

Be informed. Be in control.

Self-reporting: Computer_SelfReport

demo

Self-staging change control: Software_Deploy.vbs

demo

Active Directory

Active Directory Service Administration

best practices

Domain Security & Forest Models
Domains
  Multi-domain forests out; single-domain forests in
  Trusts out; federated identity and claims-based authentication in
OU models
  Design first for security (delegation/administration/ACLs)
  Object-based models are most typical
    Users: ACLed the same
    Administrative identities: separated from standard users
    Client computers: typically by site; who can add computers to the domain?
    Servers: typically by role
    Groups: highly varied

Active Directory Administration & Delegation
Domain’s Administrator account: super-secured, never used, in-case-of-emergency break glass
Domain Admins, Enterprise Admins, the domain’s Administrators group: E-M-P-T-Y (more or less); custom accounts for use only as needed
  Protected accounts: adminSDHolder
Schema Admins: empty; add members only when a schema change is needed
Builtin groups (Account/Server/Print/Backup Operators): empty; they are over-delegated and are protected accounts (adminSDHolder)
Delegation
  Carefully managed; easy to get out of control and to lose documentability
  Excellent candidate for role-based management

Site topology: what’s changed
  Networks are good; the need for sites to partition replication has decreased
  Fewer sites
  Increased use of replicated resources for performance and DR
What’s needed
  More sites
  Sites without domain controllers (domain controller-less sites)
  Partition replicated resources (DFSN/DFSR)

Subnets: what’s changed
  Multiple components, tools and technologies rely on AD sites: domain controller location
  Increased mobility: where’s ComputerX?
What’s needed
  You must have a process by which IP subnets are synched with AD DS
  Ensure every IP address is associated with an AD subnet (and therefore a site)
  IP address provisioning: use the Location attribute of the AD subnet, e.g. US\LA\MSY\ConventionCenter\AudA

Replication: what’s changed
  Networks are good
  Increased need for convergence
  People trust AD
Notification-based replication
  Change intersite replication to use notification-based replication, the same as intrasite
  Reduces replication convergence time
  Reduces issues related to password changes, group changes, lockouts, etc.
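The site, subnet and replication slides above each end in something a script can do: find the addresses no subnet covers (each DC writes a NO_CLIENT_SITE line to netlogon.log for them), register the missing subnet with its Location, and flip a site link to notification. The script below is an added example, not from the session or its Resource Kit; the log lines are constructed samples, and the site, link and location names are assumptions.

```powershell
# Added example (not from the session): (1) turn netlogon.log NO_CLIENT_SITE
# entries into candidate subnets, (2) register a subnet with its Location, and
# (3) enable notification-based replication on an intersite link.
# Sample log lines are constructed; site/link/location values are assumptions.
Import-Module ActiveDirectory

# Constructed sample of %SystemRoot%\debug\netlogon.log lines (not real data)
$NetlogonSample = @'
06/07 09:12:33 [MISC] [2412] CONTOSO: NO_CLIENT_SITE: WKS0123 10.44.7.19
06/07 09:12:41 [MISC] [2412] CONTOSO: NO_CLIENT_SITE: WKS0124 10.44.7.20
06/07 09:15:02 [MISC] [2412] CONTOSO: NO_CLIENT_SITE: LAPTOP12 192.168.40.7
06/07 09:15:09 [MISC] [2412] CONTOSO: NO_CLIENT_SITE: WKS0123 10.44.7.19
'@ -split "`r?`n"

function Get-UnmappedSubnet {
    param([string[]] $LogLines, [int] $PrefixLength = 24)
    $seen = @{}                                   # cidr -> @{ host -> ip }
    foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})') {
            $octets   = [int[]] ($Matches[2] -split '\.')
            $hostBits = 32 - $PrefixLength
            for ($i = 3; $i -ge 0; $i--) {        # zero the host bits, last octet first
                $bits = [math]::Min(8, $hostBits); $hostBits -= $bits
                $octets[$i] = $octets[$i] -band ((0xFF -shl $bits) -band 0xFF)
            }
            $cidr = ($octets -join '.') + "/$PrefixLength"
            if (-not $seen.ContainsKey($cidr)) { $seen[$cidr] = @{} }
            $seen[$cidr][$Matches[1]] = $Matches[2]   # distinct hosts, repeats collapse
        }
    }
    foreach ($k in $seen.Keys) { [pscustomobject]@{ Subnet = $k; Hosts = $seen[$k].Count } } |
        Sort-Object Hosts -Descending
}

function Register-AdSubnet {
    param([Parameter(Mandatory)][string] $Subnet, [Parameter(Mandatory)][string] $Site,
          [Parameter(Mandatory)][string] $Location)      # e.g. 'US\NY\NYC\HQ\Floor4'
    if (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'") { return "exists: $Subnet" }
    New-ADReplicationSubnet -Name $Subnet -Site $Site -Location $Location
    "created: $Subnet -> $Site"
}

function Enable-SiteLinkNotification {
    param([Parameter(Mandatory)][string] $SiteLink)
    $USE_NOTIFY = 1                                    # options bit 0; 2 = TWOWAY_SYNC, 4 = DISABLE_COMPRESSION
    $link = Get-ADReplicationSiteLink -Identity $SiteLink -Properties options
    $new  = ([int] $link.options) -bor $USE_NOTIFY     # preserve any other bits already set
    Set-ADReplicationSiteLink -Identity $SiteLink -Replace @{ options = $new }
    $new
}

# Sample run: 10.44.7.0/24 (2 hosts) and 192.168.40.0/24 (1 host)
Get-UnmappedSubnet -LogLines $NetlogonSample
# Real data: Get-UnmappedSubnet -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log")
# Register-AdSubnet -Subnet '10.44.7.0/24' -Site 'NYC' -Location 'US\NY\NYC\HQ\Floor4'
# Enable-SiteLinkNotification -SiteLink 'NYC-LAX'
```

Collect netlogon.log from every DC, not just one: a client only shows up in the log of the DC it happened to reach. The /24 grouping is a starting point for a conversation with the network team, not a substitute for their address plan.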

Extreme MMC Consoles

demo

Two accounts to the same server?

Saved Queries

demo

Saved queries
Use SAVED QUERIES for administrative views; don’t even try using actual OUs/nodes in ADUC
Benefits
  Columns (View > Columns) are unique to each saved query: add a Last Name column to a saved query rather than to an OU, where you get Last Name in every OU
  “Virtualizes” a complex AD structure: the virtualized view of your enterprise hides the complexity of the OU design
  Efficient administrative views, e.g. disabled users, locked out users, users with passwords set to not expire
  Manage users by group (not OU): create a saved query that lists the (direct) members of a group
    (&(objectCategory=user)(memberOf=DN of Group))
    no wildcards; the DN must be exact
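The same LDAP filters that drive a saved query can be run from PowerShell, which makes the “disabled”, “never expires” and “members of group” views scriptable and diffable. The script below is an added example, not from the session: it builds each filter, adds the nested-membership variant the slide does not show (the LDAP_MATCHING_RULE_IN_CHAIN rule), and escapes the group DN the way RFC 4515 requires. The group DN in the usage line is an assumption.

```powershell
# Added example (not from the session): the administrative-view filters as
# functions. Paste the filter strings into an ADUC saved query (Custom Search >
# Advanced) or run them here. The group DN used at the bottom is an assumption.
Import-Module ActiveDirectory

$UAC_ACCOUNTDISABLE     = 2
$UAC_DONT_EXPIRE_PASSWD = 65536
$BIT_AND  = '1.2.840.113556.1.4.803'    # LDAP_MATCHING_RULE_BIT_AND: test one flag in userAccountControl
$IN_CHAIN = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN: follow group nesting
$UserClass = '(objectCategory=person)(objectClass=user)'

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping; backslash first so the escapes themselves are not re-escaped
    param([string] $Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a' -replace "`0", '\00'
}

function Get-AdminViewFilter {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled','PasswordNeverExpires','LockoutSet','GroupMembers','NestedGroupMembers')]
        [string] $View,
        [string] $GroupDn
    )
    $dn = ConvertTo-LdapFilterValue $GroupDn
    switch ($View) {
        'Disabled'             { "(&$UserClass(userAccountControl:$BIT_AND:=$UAC_ACCOUNTDISABLE))" }
        'PasswordNeverExpires' { "(&$UserClass(userAccountControl:$BIT_AND:=$UAC_DONT_EXPIRE_PASSWD))" }
        # lockoutTime is not cleared when the lockout expires, so this over-reports;
        # Search-ADAccount -LockedOut compares it against the domain's lockout duration.
        'LockoutSet'           { "(&$UserClass(lockoutTime>=1))" }
        'GroupMembers'         { "(&$UserClass(memberOf=$dn))" }               # direct members, exact DN, no wildcards
        'NestedGroupMembers'   { "(&$UserClass(memberOf:$IN_CHAIN:=$dn))" }   # members through any nesting depth
    }
}

function Invoke-AdminView {
    param([Parameter(Mandatory)][string] $View, [string] $GroupDn, [string] $SearchBase)
    $params = @{
        LDAPFilter = Get-AdminViewFilter -View $View -GroupDn $GroupDn
        Properties = 'sn', 'displayName', 'lockoutTime', 'passwordNeverExpires'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Select-Object SamAccountName, sn, displayName, Enabled, PasswordNeverExpires
}

# Usage (group DN is an assumption):
Invoke-AdminView -View PasswordNeverExpires
Invoke-AdminView -View NestedGroupMembers -GroupDn 'CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com'
```

The nested variant is the one to use when answering “who has access to the budget?”: a direct-membership query on the rule group shows role groups, not people, whereas the in-chain rule resolves the role groups down to user objects.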

Taskpads

demo

Taskpads as an “Admin Launch Pad”
Create tasks for shell commands
  Can be any command you can run from Start > Run
  For command-line commands, prefix with cmd.exe /c
  Anything that launches will launch with the same credentials as the MMC (admin/alternate creds)
Suggestion
  Add a Folder snap-in and rename the folder Tools
  Create a taskpad view with the “No List” view
  Add shell command tasks

Custom Commands

demo

Integrate a custom command
Locate a useful command, script, or tool
  mstsc /v:ComputerName [/h:WindowHeight /w:WindowWidth | /full] [/console | /admin]
Identify parameters that can be passed: ComputerName
Add the command as a shell task to an MMC taskpad
Open a remote command prompt: PsExec for remote command execution
  Download from http://technet.microsoft.com/sysinternals
  Put it in the system path (e.g. SYSTEM32) or include the full path in the task command
  psexec \\computername cmd.exe
Create a shell command task
  Command: psexec.exe
  Parameters: \\NAME cmd.exe, or \\$COL<0> cmd.exe to take the computer name from the selected row

Deploy Administrative Tools

best practices

Deploy Administrative Tools
Remote Desktop Services: RemoteApp
Huge benefits
  Install once
  Customize once
  Available anywhere
  Runs with alternate credentials
Be careful
  The admin launch pad (e.g. a command prompt) runs on the server itself, under the admin’s credentials, so whoever controls that server controls every admin session on it
  Suggest a dedicated (virtual?) Remote Desktop server

Provisioning and Proxying

What Is Provisioning?
Create a process or workflow
  Inject business logic
  Support business requirements
Requires going beyond the native toolsets
Enables automation and logging/auditing

Provision a computer: Computer_JoinDomain

demo

What Is Proxying?
Performing a task on behalf of a user
  The user does not have rights to perform the task
  The user can use the provisioning tool
  The proxy performs the task with separate credentials
    Ideally a Windows service (service account credentials)
    Web application (application pool credentials)
    Scheduled task (easiest; scheduled task credentials)
Enforces a provisioned workflow and enables consistency, security, and logging/reporting/auditing/compliance

Simple Proxy Application
User requests an action
  User credentials: the application authenticates the user and authorizes the user’s ability to make a request
  Forms provide UI, data validation, required fields, calculated fields
  Submitting the request enters it in a task queue
Service executes tasks
  Privileged account managed with the Windows Service Control Manager (or a scheduled task; see the Resource Kit)
  The user does not require such permissions
  Enables enforcement of the provisioned process
  The command queue maintains action requests; the service sees open tasks, executes them, and logs results
Reporting: the task queue and logs are the audit trail
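The “service executes tasks” half is where the security of a proxy is decided: the privileged account must only ever do what the workflow allows, for a requester it has verified. The script below is an added example and is not the Resource Kit’s proxy framework: a scheduled task running as the service account drains a queue folder of JSON requests, takes the requester’s identity from the NTFS owner of the request file rather than from its contents, checks the request against the group’s Managed By attribute, executes from an allow-list of actions, and appends an audit record. Folder paths, the request format and the Managed By rule are assumptions.

```powershell
# Added example (not the Resource Kit's proxy framework): queue processor for a
# simple proxy. Runs as the privileged service account from a scheduled task.
# Queue folder ACL (assumed): requesters may create files but not modify or
# read others'; the service account has Modify. Paths are assumptions.
Import-Module ActiveDirectory

$QueueDir = 'C:\Proxy\Queue'
$DoneDir  = 'C:\Proxy\Done'
$AuditLog = 'C:\Proxy\audit.log'

function Assert-GroupRequestable {
    param([string] $Group, [string] $Requester)
    # Only resource rule groups may be changed through the proxy (never SYS_ or built-in
    # groups), and only by the user named in the group's Managed By attribute.
    if ($Group -notmatch '^(ACL|APP)_') { throw "Group '$Group' is not managed through the proxy" }
    $g = Get-ADGroup -Identity $Group -Properties managedBy
    if (-not $g.managedBy) { throw "Group '$Group' has no manager" }
    $manager = Get-ADUser -Identity $g.managedBy         # assumption: managedBy is a user
    if ($manager.SamAccountName -ne $Requester) { throw "$Requester is not the manager of '$Group'" }
}

# Allow-list: a request names an action and parameters, never a command line.
$Actions = @{
    AddGroupMember = {
        param($Requester, $P)
        Assert-GroupRequestable -Group $P.Group -Requester $Requester
        Add-ADGroupMember -Identity $P.Group -Members $P.User
    }
    RemoveGroupMember = {
        param($Requester, $P)
        Assert-GroupRequestable -Group $P.Group -Requester $Requester
        Remove-ADGroupMember -Identity $P.Group -Members $P.User -Confirm:$false
    }
}

function Write-Audit {
    param([string] $Line)
    Add-Content -Path $AuditLog -Value ('{0}`t{1}' -f (Get-Date -Format o), $Line)
}

function Invoke-QueuedRequests {
    foreach ($file in Get-ChildItem -Path $QueueDir -Filter '*.json' | Sort-Object CreationTime) {
        # Identity comes from who created the file, not from a field the requester typed
        $owner     = (Get-Acl -Path $file.FullName).Owner          # DOMAIN\user
        $requester = $owner.Split('\')[-1]
        try {
            $req = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
            if (-not $Actions.ContainsKey([string] $req.Action)) { throw "Unknown action '$($req.Action)'" }
            & $Actions[$req.Action] $requester $req.Params
            Write-Audit "OK`t$requester`t$($req.Action)`t$($req.Params | ConvertTo-Json -Compress)"
        } catch {
            Write-Audit "FAIL`t$requester`t$($file.Name)`t$($_.Exception.Message)"
        }
        Move-Item -Path $file.FullName -Destination $DoneDir -Force   # processed exactly once
    }
}

# A request file (written by the front end as the requesting user) looks like:
# { "Action": "AddGroupMember", "Params": { "Group": "ACL_Sales Folders_Read", "User": "jdoe" } }
Invoke-QueuedRequests
```

Every outcome, including rejections, lands in the audit log with the verified requester, which is the “task queue and logs as audit trail” point from the slide. The front end never needs rights on the groups at all; it only needs to write a file.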

Proxy framework: Windows Administration Resource Kit

demo

Wrap-Up

demo

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers

Resources
Windows Administration Resource Kit: Productivity Solutions for IT Professionals
Windows IT Pro magazine
Blogs: http://www.intelliem.com/
[email protected]


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

JUNE 7-10, 2010 | NEW ORLEANS, LA