Module 2_ Administering Active Directory Securely and Efficiently

07/06/13 Module 2: Administering Active Directory Securely and Efficiently

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=4&FontSize=3&FontType=segoe 1/93

Module2:AdministeringActiveDirectorySecurelyandEfficiently

Contents:

Lesson1: WorkwithActiveDirectoryAdministrationTools

Lesson2: CustomConsolesandLeastPrivilege

LabA: AdministeringActiveDirectorybyUsingAdministrativeTools

Lesson3: FindObjectsinActiveDirectory

LabB: FindObjectsinActiveDirectory

Lesson4: UseWindowsPowerShelltoAdministerActiveDirectory

LabC: UseWindowsPowerShelltoAdministerActiveDirectory

Module Overview



MostadministratorsfirstexperienceActiveDirectorybyopeningActiveDirectoryUsersandComputersandcreatinguser,computer,orgroupobjectswithintheorganizationalunits(OUs)ofadomain.

Unfortunately,manyadministratorsnevertakethetimetoelevatetheirskillsetswiththeActiveDirectoryadministrativetools.Whetheryouareanewadministratororaseasonedveteran,youneedtoworksecurelyandefficiently.Therefore,thismodulewillsharethesecretsofeffectiveadministrationthatareoftenlearnedonlyaftermonthsoryearsofexperience.

Objectives



Aftercompletingthismodule,youwillbeableto:

DescribeandworkwithActiveDirectoryadministrationtools.

Describethepurposeandfunctionalityofcustomconsolesandleastprivilege.

LocateobjectsinActiveDirectory.

AdministerActiveDirectorybyusingWindowsPowerShell.

Lesson 1: Work with Active Directory AdministrationTools



ActiveDirectoryadministrativetoolsexposethefunctionalityyourequiretosupportthedirectoryservice.Inthislesson,youwillidentifyandlocatethemostimportantActiveDirectorytools.

Objectives

Aftercompletingthislesson,youwillbeableto:

IdentifythesnapinswithinServerManagerandthenativeconsolesusedtoadministerActiveDirectoryDomainServices(ADDS).

PerformadministrativetasksbyusingtheActiveDirectoryAdministrativeCenter.



InstalltheRemoteServerAdministrationTools(RSAT).

PerformadministrativetasksbyusingActiveDirectoryadministrativetools.

Active Directory Administration Snap-ins

MostActiveDirectoryadministrationisperformedwiththefollowingsnapinsandconsoles:

ActiveDirectoryUsersandComputers.Thissnapinmanagesmostcommondaytodayresources,includingusers,groups,computers,printers,andsharedfolders.



ThisislikelytobethemostheavilyusedsnapinforanActiveDirectoryadministrator.

ActiveDirectorySitesandServices.Thismanagesreplication,networktopology,andrelatedservices.

ActiveDirectoryDomainsandTrusts.Thisconfiguresandmaintainstrustrelationshipsandthedomainandforestfunctionallevel.

ActiveDirectorySchema.ThisschemaexaminesandmodifiesthedefinitionofActiveDirectoryattributesandobjectclasses.ItistheblueprintforActiveDirectory.Itisrarelyviewedandevenmorerarelychanged.Therefore,theActiveDirectorySchemasnapinisnotinstalledbydefault.

What Is the Active Directory Administrative Center?



NoteThecontentinthistopiconlyappliestoWindowsServer2008R2.

WindowsServer2008R2providesanotheroptionformanagingActiveDirectoryDomainServices(ADDS)objects.TheActiveDirectoryAdministrativeCenterprovidesagraphicaluserinterface(GUI)builtuponWindowsPowerShell.ThisenhancedinterfaceallowsyoutoperformActiveDirectoryobjectmanagementbyusingtaskorientednavigation.TasksthatcanbeperformedbyusingtheActiveDirectoryAdministrativeCenterinclude:

Createandmanageuser,computer,andgroupaccounts.



Createandmanageorganizationalunits.

ConnecttoandmanagemultipledomainswithinasingleinstanceoftheActiveDirectoryAdministrativeCenter.

SearchandfilterActiveDirectorydatabybuildingqueries.

Installation Requirements

TheActiveDirectoryAdministrativeCentercanonlybeinstalledoncomputersrunningWindowsServer2008R2andWindows7.YoucaninstalltheActiveDirectoryAdministrativeCenterbyusingthefollowingmethods:

InstalltheActiveDirectoryDomainServices(ADDS)serverrolethroughServerManager.

PromoteaservertoadomaincontrollerbyusingDcpromo.exe.

InstalltheRemoteServerAdministrationTools(RSAT)onaWindowsSerer2008R2serverorWindows7.

NoteTheActiveDirectoryAdministrativeCenterreliesontheActiveDirectoryWeb

Services(ADWS)service,whichmustbeinstalledonatleastonedomaincontroller



inthedomain.Theservicealsorequiresport9389tobeopenonthedomaincontrollerwhere

ADWSisrunning.

Find Active Directory Administration Tools

ActiveDirectorysnapinsandconsolesareinstalledwhenyouaddtheADDSroletoaserver.TwocommonlyusedActiveDirectoryadministrativetoolsareaddedtoServerManagerwhenyouinstalltheADDSrole:theActiveDirectoryUsersandComputerssnapinandtheActiveDirectorySitesandServicessnapin.



ToadministerActiveDirectoryfromasystemthatisnotadomaincontroller,youmustinstallRSAT.RSATisafeaturethatcanbeinstalledfromtheFeaturesnodeofServerManageronWindowsServer2008.

RSATcanalsobeinstalledonWindowsclients,includingWindowsVistaServicePack1(orlater)andWindows7.SimplydownloadtheRSATinstallationfilesfromwww.microsoft.com/downloads.TheSetupWizardwillstepyouthroughtheinstallation.AfteryouhaveinstalledRSAT,youmustalsoturnonthetoolortoolsyouwishtohavevisible.Todothis,usetheTurnWindowsFeaturesOnorOffcommandintheProgramsAndFeaturesapplicationinControlPanel.

Afteritisinstalledandturnedon,allActiveDirectoryadministrativeconsolescanbefoundintheAdministrativeToolsfolder,whichitselfisfoundinControlPanel.IntheclassicviewofControlPanel,youwillseetheAdministrativeToolsfolder.IntheControlPanelHomeview,administrativetoolsarefoundinSystemandMaintenance.

Demonstration: Perform Administrative Tasks by UsingActive Directory Administration Tools



ActiveDirectoryUsersandComputersandtheActiveDirectoryAdministrativeCentercanbothbeusedtoperformadministrativetasks.Thefollowingsectionsprovideinformationonperformingtasksbyusingeachtool.

Active Directory Users and Computers Viewing Objects

TheActiveDirectoryUsersandComputerssnapindisplaystheobjectsinthecontainer(domain,OU,orcontainer)selectedintheconsoletree.

Refreshing the View

Theviewisnotrefreshedautomatically.Ifyouwanttoseethelatestchangestothe



viewofobjects,selectthecontainerintheconsoletreeandtheneitherclicktheRefreshbuttononthesnapintoolbarorpressF5.

YoumustselectthecontainerintheconsoletreebeforeclickingRefresh(orpressingF5)clickinginanemptyareaofthedetailspaneisnotsufficient.ThisisaquirkoftheActiveDirectoryUsersandComputerssnapin.

Creating Objects

TocreateanobjectinActiveDirectoryUsersandComputers,rightclickthedomain,acontainer(suchasUsersorComputers),oranOU.Then,pointtoNewandclickthetypeofobjectyouwanttocreate.

Whenyoucreateanobject,youarepromptedtoconfigureafewofthemostbasicpropertiesoftheobject,includingthepropertiesthatarerequiredforthattypeofobject.

Configuring Object Attributes

Afteranobjecthasbeencreated,youcanaccessitsproperties.Rightclicktheobject,andthenclickProperties.

ThePropertiesdialogthatappearsdisplaysmanyofthemostcommonpropertiesoftheobject.



Propertiesaregroupedontabs,tomakeiteasiertolocateaspecificproperty.

Youcanconfigureasmanypropertiesasyouwant,onasmanytabsasyouwant,thenclickApplyorOKoncetosaveallthechanges.ThedifferencebetweenApplyandOKisthattheOKbuttonclosesthePropertiesdialogbox,whereasApplysavesthechangesandkeepsthedialogboxopensothatyoucanmakeadditionalchanges.

Viewing All Object Attributes

AuserobjecthasevenmorepropertiesthanarevisibleinitsPropertiesdialogbox.Someofthesocalledhiddenpropertiescanbequiteusefultoyourenterprise.Toviewthesehiddenuserattributes,youmustturnontheAttributeEditor,anewfeatureinWindowsServer2008.

ToturnontheAttributeEditorintheActiveDirectoryUsersandComputerssnapin,clicktheViewmenu,andthenselecttheAdvancedFeaturesoption.

ToopentheAttributeEditorforaspecificActiveDirectoryobject:

1. Rightclicktheobject,andthenclickProperties.

2. ClicktheAttributeEditortab.

TheAttributeEditortabofthePropertiesdialogboxappears.



Asyoucanseeinthescreenshotabove,someattributesofauserobjectcanbequiteuseful,includingdivision,employeeID,employeeNumber,andemployeeType.Althoughtheattributesarenotshownonthestandardtabsofauserobject,theyarenowavailablethroughtheAttributeEditor.

Tochangethevalueofanattribute,doubleclickthevalue.

TheattributescanalsobeaccessedprogrammaticallywithWindowsPowerShell,WindowsVisualBasic ScriptingEdition,orMicrosoft.NETFramework.

Active Directory Administrative Center Navigation



TheActiveDirectoryAdministrativeCenterprovidesanavigationpanethatcanbesetasaListViewandaTreeView.TheListViewdisplaysthreemainnodes:anOverviewnode,adomainnode,andaGlobalSearchnode.TheTreeViewchangesthedomainnodetoprovideaviewoftheentiredomainstructure.

Performing Administrative Tasks

WhentheOverviewnodeisselected,youcanperformspecifictaskssuchasResetPassword,andGlobalSearch.ResetPasswordprovidestheabilitytoenteraknownusernameandresetthepassword,unlocktheaccount,andconfiguretheusertochangethepasswordatthenextlogon.GlobalSearchprovidestheabilitytosearchforobjectsbaseduponadomainscopeoraGlobalCatalogscope.

Dependingupontheobjectselected,youwillbeabletoperformmanyrelatedtasks.Forexample,ifauserobjectisselected,youcanperformtaskssuchasresetthepassword,addtoagroup,disabletheaccount,movetheaccount,deletetheaccount,locatetheaccount,oropenthePropertiesdialogboxoftheaccount.

Lesson 2: Custom Consoles and Least Privilege



Inthislesson,youwillgobeyondtheAdministrativeToolsfoldertoworkmoresecurelyandefficiently.Youwilllearnhowtobuildcustomizedadministrativeconsolesandhowtoworkinaleastprivilegeenvironment,inwhichyouareloggedonasanonadministrativeuser,butperformadministrativetasksasanadministrator.

Objectives


CreateacustomMMCconsoleforadministration.

Performadministrativetaskswhileloggedonasauser.



Demonstration: Create a Custom MMC Console forAdministering Active Directory

ItseasiertoadministerWindowswhenthetoolsyouneedareinoneplaceandcanbecustomizedtomeetyourneeds.ThisisachievedbycreatingacustomizedMMCadministrativeconsolethatcontainsthesnapinsyouneedtoperformyouradministrativetasks.WhenyoucreateacustomizedMMCconsole,youcan:

Addmultiplesnapinssothatyoudonothavetoswitchbetweenconsolestoperformyourjobtasks,andyouonlyhavetorunoneconsoletoperformanyofyouradministrativetasks.



Savetheconsolesoitcanbeusedregularly.

Distributetheconsoletootheradministrators.

Savetheconsole,andotherconsoles,toasharedlocationforunified,customizedadministration.

TocreateacustomizedMMCconsole:

1. ClickStart.Then,intheStartSearchbox,typemmc.exe,andthenpressEnter.

2. ClicktheFilemenu,andthenclickAdd/RemoveSnapins.

TheAdd/RemoveSnapinsdialogboxallowsyoutoadd,remove,reorder,andmanagetheconsolessnapins.

AfteryouhaveinstalledRSAT,allfourActiveDirectorymanagementsnapinsareinstalledhowever,theActiveDirectorySchemasnapinwillnotappearintheAdd/RemoveSnapinsdialogboxuntilafteryouhaveregisteredthesnapin.

ToregisterActiveDirectorySchema:

1. OpenacommandpromptbyclickingStart,typingcmd.exe,andpressing



Enter.

2. Typeregsvr32.exeschmmgmt.dll,andthenpressEnter.

Question:HaveyoubuiltacustomMMCconsole?

Question:Whatsnapinshaveyoufounduseful?

Question:Whydidyoubuildyourownconsole?

Secure Administration with Least Privilege, Run AsAdministrator, and User Account Control



Manyadministratorslogontotheircomputerbyusingtheiradministrativeaccounts.Thispracticeisdangerousbecauseanadministrativeaccounthasmoreprivilegesandaccesstomoreofthenetworkthanastandarduseraccount.Therefore,malwarethatisrunwithadministrativecredentialscancausesignificantdamage.

Toavoidthisproblem,donotlogonasanadministrator.Instead,logonasastandarduserandusetheRunAsAdministratorfeaturetostartadministrativetoolsinthesecuritycontextofanadministrativeaccount.

1. Rightclicktheshortcutforanexecutable,ControlPanelapplet,orMMCconsolethatyouwanttorun,andthenclickRunasadministrator.Ifyoudonotsee



thecommand,tryholdingdowntheSHIFTkeyandrightclicking.

2. TheUserAccountControl(UAC)dialogboxappears,promptingforadministrativecredentials.

3. ClickUseanotheraccount.

4. Entertheusernameandpasswordofyouradministrativeaccount.

5. ClickOK.

TipIfyouwillberunninganapplicationregularlyasanadministrator,youshouldcreatea

newshortcutthatpreconfiguresRunAsAdministrator.CreateashortcutandopenthePropertiesdialogboxfortheshortcut.ClicktheAdvancedbuttonandselectRunAsAdministrator.Whenyouruntheshortcut,theUserAccountControldialogboxwill

appear.

Demonstration: Secure Administration with User AccountControl and Run As Administrator



Whenyourunaprocessasanadministrator,theadministrativeaccountmaynothaveaccesstothesamelocationsthatyouruseraccountdoes.Therefore,werecommendthatyousavecustomconsolesinalocationthatisaccessibletobothyouruserandyouradministrativeaccounts.

Torunasanadministrator:

1. Rightclicktheshortcutforanexecutable,ControlPanelapplet,orMMCconsolethatyouwanttorun,andthenclickRunasadministrator.Ifyoudonotseethecommand,tryholdingdowntheSHIFTkeyandrightclicking.

2. TheUserAccountControldialogboxappears,promptingforadministrative



credentials.

3. ClickUseanotheraccount.

4. Entertheusernameandpasswordofyouradministrativeaccount.

5. ClickYes.

Lab A: Administer Active Directory by UsingAdministrative Tools



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.

4. Logonbyusingthefollowingcredentials:

Username:Pat.Coleman_Admin

Password:Pa$$w0rd

Domain:Contoso

5. OpenWindowsExplorerandbrowsetoD:\Labfiles\Lab02a.

6. RightclickLab02a_Setup.bat,andthenclickRunasadministrator.

7. AUserAccountControldialogboxappears.

8. ClickYes.

9. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue.



10. ClosetheWindowsExplorerwindow.

Lab Scenario

Inthislab,youarePatColeman,anActiveDirectoryadministratoratContoso,Ltd.YouareresponsibleforavarietyofActiveDirectorysupporttasks,andyouhavefoundyourselfconstantlyopeningmultipleconsolesfromtheAdministrativeToolsfolderinControlPanel.Youhavedecidedtobuildasingleconsolethatcontainsallthesnapinsyourequiretodoyourwork.Additionally,theContoso,Ltd.ITsecuritypolicyischanging,andyouwillnolongerbepermittedtologontoasystemwithcredentialsthathaveadministrativeprivileges,unlessthereisanemergency.Instead,youarerequiredtologonwithnonprivilegedcredentials.

Exercise 1: Perform Basic Administrative Tasks by UsingAdministrative Tools

Inthisexercise,youwillperformbasicadministrativetasksintheActiveDirectoryUsersandComputerssnapin.

Themaintasksforthisexerciseareasfollows:

1. ViewandcreateobjectsbyusingActiveDirectoryUsersandComputers.

2. PerformtasksbyusingActiveDirectoryAdministrativeCenter.



Task 1: View and create objects by using Active Directory Users andComputers.

1. OpenActiveDirectoryUsersandComputersfromtheAdministrativeToolsfolder.

2. LookattheobjectsintheUserAccounts\EmployeesOU.

3. CreateanewOUintheEmployeesOUcalledFullTime.

4. SelecttheEmployeesOUandthenopenthepropertiesofPatColeman.

5. ConfiguretheOfficeattributeontheGeneraltabtoRedmond.

6. ConfirmthattheAttributeEditortabisnotvisibleinthePropertiesdialogboxofPatColeman,andthatthereisnoinputcontrolforthedivisionpropertyonanyofthetabs.

7. TurnontheviewofAdvancedFeaturesfortheActiveDirectoryUsersandComputerssnapin.

8. ViewtheAttributeEditorforPatColeman.

9. ChangePatColemansdivisionattributeto6425C.

10. CloseActiveDirectoryUsersandComputers.



Task 2: Perform tasks by using Active Directory Administrative Center.

1. OpentheActiveDirectoryAdministrativeCenterfromtheAdministrativeToolsfolder.

2. NavigatetotheUserAccounts\ContractorsOUandmoveAdamCartertotheUserAccounts\EmployeesOU.

3. IntheContractorsOU,disabletheAaronConuseraccount.

4. IntheUserAccounts\EmployeesOU,openthePropertiesofAdamCarterandconfigureJobTitletobeManager.

5. ClosetheActiveDirectoryAdministrativeCenter.

Results:Inthisexercise,youexperiencedthefundamentalsofadministrationbyusingtheActiveDirectoryUsersandComputerssnapinandtheActiveDirectoryAdministrativeCenter.

Exercise 2: Create a Custom Active Directory AdministrativeConsole

Inthisexercise,youwillcreateasingle,customadministrativeconsolethat



containsallthesnapinsyouneedtodoyourwork.


1. CreateacustomMMCconsolewiththeActiveDirectoryUsersandComputerssnapin.

2. AddotherActiveDirectorysnapinstotheconsole.

3. AddtheActiveDirectorySchemasnapintoacustomMMCconsole.

4. ManagesnapinsinacustomMMCconsole(optional).

Task 1: Create a custom MMC console with the Active Directory Users andComputers snap-in.

1. OnNYCDC1,openanemptyMMCconsoleandmaximizeit.

2. AddtheActiveDirectoryUsersandComputerssnapin.

3. Savetheconsole.CreateanewfoldercalledC:\AdminToolsandsavetheconsoleinthatfolderasMyConsole.msc.

Task 2: Add other Active Directory snap-ins to the console.



1. AddtheActiveDirectorySitesandServicesandActiveDirectoryDomainsandTrustssnapinslisttoyourconsole.

2. RenametheconsolerootActiveDirectoryAdministrativeTools.

3. Savetheconsole.

Task 3: Add the Active Directory Schema snap-in to a custom MMC console.

1. ConfirmthatActiveDirectorySchemaisnotlistedasanavailablesnapinintheAddorRemoveSnapinsdialogbox.

TheActiveDirectorySchemasnapinisinstalledwiththeActiveDirectoryDomainServicesrole,andwiththeRSAT,butitisnotregistered,soitdoesnotappear.

2. IntheStartmenu,browsetotheAccessoriesgroup,rightclickCommandPrompt,andthenclickRunasadministrator.

3. Inthecommandprompt,typethecommand,regsvr32.exeschmmgmt.dll.

Thiscommandregistersthedynamiclinklibrary(DLL)fortheActiveDirectorySchemasnapin.Youmustperformthisstepatleastonceonasystembeforeyoucanaddthesnapintoaconsole..

4. ClosetheCommandPromptwindow.



5. AddtheActiveDirectorySchemasnapintotheconsole.

6. Savetheconsole.

Results:Inthisexercise,youcreatedacustomMMCconsolewiththeActiveDirectoryUsersandComputers,ActiveDirectorySitesandServices,ActiveDirectoryDomainsandTrusts,andActiveDirectorySchemasnapins.

Exercise 3: Perform Administrative Tasks with Least Privilege, RunAs Administrator, and User Account Control

Inthisexercise,youwillperformadministrativetaskswhileloggedonwithstandardusercredentials.


1. Logonwithcredentialsthatdonothaveadministrativeprivileges.

2. RunServerManagerasanadministrator.

3. Examinethecredentialsusedbyrunningprocesses.

4. Runthecommandpromptasanadministrator.

5. RunAdministrativeToolsasanadministrator.



6. Runacustomadministrativeconsoleasanadministrator.

Task 1: Log on with credentials that do not have administrative privileges.

1. LogofffromNYCDC1.

2. LogontoNYCDC1asPat.Coleman,withthepassword,Pa$$w0rd.

Pat.ColemanisamemberofDomainUsersandhasnoadministrativeprivileges.

Task 2: Run Server Manager as an administrator.

1. ClicktheServerManagericonintheQuickLaunch,nexttotheStartbutton.

AUserAccountControldialogboxappears.

BecauseyouruseraccountisnotamemberofAdministrators,thedialogboxrequiresyoutoenteradministrativecredentials:ausernameandapassword.

IfyoudonotseetheUserNameandPasswordboxes,makesurethatyouareloggedonasPat.Coleman,andnotasPat.Coleman_Admin.

2. ClickUseanotheraccount,andthen,intheUsernamebox,type



Pat.Coleman_Admin.

3. InthePasswordbox,typePa$$w0rd,andthenpressEnter.

ServerManageropens.

Task 3: Examine the credentials used by running processes.

1. RightclickthetaskbarandclickStartTaskManager.

2. ClicktheProcessestab.

3. ClickShowprocessesfromallusers.Then,intheUserAccountControldialogbox,authenticateasPat.Coleman_Admin,withthepassword,Pa$$w0rd

TaskManagercanrunwithoutadministrativecredentials,butitwillshowonlythoseprocessesrunningunderthecurrentuseraccount.Therefore,theUserAccountControldialogboxincludesanoptiontoauthenticatebyusingthesamecredentialswithwhichyouareloggedon:Pat.Coleman.

4. ClicktheProcessestabandsortbyUserName.

5. LocatetheprocessesbeingrunasPat.ColemanandPat.Coleman_Admin.

Question:WhichprocessesarerunningasPat.Coleman_Admin?Whatapplicationsdotheprocessesrepresent?



Task 4: Run the command prompt as an administrator.

1. ClickStart,clickAllPrograms,clickAccessories,rightclickCommandPrompt,andthenclickRunasadministrator.

2. IntheUserAccountControldialogbox,authenticateasPat.Coleman_Admin,withthepassword,Pa$$w0rd.

TheAdministrator:CommandPromptwindowappears.

3. ClosetheCommandPromptwindow.

4. ClickStart,andintheStartSearchbox,typecmd.exe,andthenpressCtrl+Shift+Enter.

IntheStartSearchbox,thekeyboardshortcutCtrl+Shift+Enterrunsthespecifiedcommandasanadministrator.


6. TheAdministrator:CommandPromptwindowappears.

Task 5: Run administrative tools as an administrator.



1. ClicktheShowdesktopiconinthenotificationarea.

2. ClickStart,pointtoAdministrativeTools,rightclickActiveDirectoryAdministrativeCenter,andthenclickRunasadministrator.


Task 6: Run a custom administrative console as an administrator.

Youarebeginningtoseethatitcanbecometedioustorunasanadministratoreachandeveryadministrativetoolthatyourequire.Oneadvantageofacustomadministrativeconsoleisthatyoucanruntheconsole,containingmultiplesnapins,withasingleRunAsAdministratorcommand.

1. Closeallopenwindowsonyourdesktop.

2. RunC:\AdminTools\MyConsolewithadministrativecredentials.IntheUserAccountControldialogbox,authenticateasPat.Coleman_Admin,withthepassword,Pa$$w0rd.

3. LogofffromNYCDC1.Donotshutdownorresetthevirtualmachine.



Results:Inthisexercise,youlearnedthatbyhavingasingle,customadministrativeconsole,youmakeiteasierforyourselftoworksecurely.Youcanlogontoyourcomputerwithuser(nonadministrative)credentialsandrunthatsingleconsoleasanadministrator.

NoteDonotshutdownthevirtualmachinesafteryoufinishthislabbecausethesettingsyouhaveconfiguredherewillbeusedinLabB.

Lab Review Questions

Question:Whichsnapinareyoumostlikelytouseonadaytodaybasistoadminister

ActiveDirectory?

Question:WhenyoubuildacustomMMCconsoleforadministrationinyourenterprise,

whatsnapinswillyouadd?

Lesson 3: Find Objects in Active Directory



AstheActiveDirectorydatabasebecomespopulatedwithuser,group,computer,andotherobjects,itmaybecomedifficulttofindaspecificobjectorobjectsthatyouwanttomodify.Inthislesson,youwilllearnseveralwaystolocateobjectsinActiveDirectory.

Objectives


ControltheviewofobjectsintheActiveDirectoryUsersandComputerssnapin.

LocateobjectsinActiveDirectory.



Workwithsavedqueries.

Scenarios for Finding Objects in Active Directory

YouhavelearnedhowtocreateobjectsinActiveDirectory.However,whatgoodisinformationinadirectoryserviceifyoucantgetitoutofthedirectory?TherearemanyoccasionsonwhichyouwillneedtolocateobjectsinActiveDirectory:

Grantingpermissions.Whenyouconfigurepermissionsforafileorfolder,youmustselectthegroup(oruser)towhichpermissionsshouldbeassigned.



Addingmemberstogroups.Agroupsmembershipcanconsistofusers,computers,groups,oranycombinationofthethree.Whenyouaddanobjectasamemberofagroup,youmustselecttheobject.

Creatinglinks.Linkedpropertiesarepropertiesofoneobjectthatrefertoanotherobject.Groupmembershipis,infact,alinkedproperty.Thereareotherlinkedproperties,suchastheManagedByattribute,thatarealsolinks.WhenyouspecifytheManagedByname,youmustselecttheappropriateuserorgroup.

Lookingupanobject.YoucansearchforanyobjectinyourActiveDirectorydomain.

TherearemanyothersituationsthatwillrequiresearchingActiveDirectory.Thereareseveraluserinterfacesthatyouwillencounter.Inthislesson,youlllearnsometricksforworkingwitheach.

Demonstration: Use the Select Users, Contacts,Computers, Service Accounts, or Groups Dialog Box



Whenyouaddamembertoagroup,assignapermission,orcreatealinkedproperty,youarepresentedwiththeSelectUsers,Contacts,Computers,ServiceAccounts,orGroupsdialogboxshownhere.



Ifyouknowthenamesoftheobjectsyouneed,youcantypethemdirectlyintothelargetextbox.Multiplenamescanbeentered,separatedbysemicolons,asshownabove.

WhenyouclickOK,Windowslooksupeachiteminthelistandconvertsitintoalinktotheobject,thenclosesthedialogbox.TheCheckNamesbuttonalsoconvertseachnametoalink,butleavesthedialogboxopen.

Youdonotneedtoenterthefullnameyoucanentereithertheuser'sfirstnameorlastname,orevenjustpartofthefirstorlastname.WhenyouclickOKorCheckNames,Windowswillattempttoconvertyourpartialnametothecorrectobject.Ifthereisonlyonematchingobject,thenameswillberesolved.

Iftherearemultiplematches,suchasthename,Tony,youwillbepresentedwiththeMultipleNamesFoundboxshownbelow.Selectthecorrectname(s)andclickOK.



Bydefault,theSelectdialogboxsearchestheentiredomain.Ifyouaregettingtoomanyresultsandwishtonarrowdownthescopeofyoursearch,orifyouneedtosearchanotherdomainorthelocalusersandgroupsonadomainmember,clickLocations.

Additionally,theSelectdialogboxdespiteitsfullname,SelectUsers,Contacts,Computers,Services,orGroupsrarelysearchesallobjecttypes.Forexample,whenyouaddmemberstoagroup,computersarenotsearchedbydefault.Ifyouenteracomputername,itwillnotberesolvedcorrectly.WhenyouspecifythenameontheManagedBytab,groupsarenotsearchedbydefault.YoumustensurethattheSelectdialogboxisscopedtoresolvethetypesofobjectsyouwanttoselect.ClicktheObjectTypesbuttonandusetheObjectTypesdialogboxshownbelowtoselectthecorrecttypes,andthenclickOK.



Ifyouarehavingtroublelocatingtheobjectsyouwant,clicktheAdvancedbuttonontheSelectdialogbox.Theadvancedview,shownbelow,allowsyoutosearchbothnameanddescriptionfields,anddisabledaccounts,nonexpiringpasswords,andstaleaccountsthathavenotloggedonforaspecificperiodoftime.

SomeofthefieldsontheCommonQueriestabmaybedisabled,dependingonthe



objecttypeyouaresearchingfor.ClicktheObjectTypesbuttontospecifyexactlythetypeofobjectyouwant.

Options for Locating Objects

AlthoughyoucannavigatethroughActiveDirectoryandbrowseforanobject,youwilloftenlocatetheobjectyouneedmorequicklybysortingorsearching.YoucanuseboththeActiveDirectoryUsersandComputersandtheActiveDirectoryAdministrativeCentertosortandsearch.Eachoftheseoptionscanhelpyoulocateanobjectmorequickly.

Demonstration: Control the View of Objects in Active



Directory Administrative Tools

ThedetailspaneoftheActiveDirectoryUsersandComputerssnapinandtheActiveDirectoryAdministrativeCentercanbecustomizedtohelpyouworkeffectivelywiththeobjectsinyourdirectory.UsetheAdd/RemoveColumnscommandontheViewmenu(inActiveDirectoryUsersandComputers)ortheSelectColumnscommand(inActiveDirectoryAdministrativeCenter)toaddcolumnstothedetailspane.Noteveryattributeisavailabletobedisplayedasacolumn,butyouarecertaintofindcolumnsthatwillbeusefultodisplay.Youmightalsofindcolumnsthatareunnecessary.IfyourOUshaveonlyonetypeofobject(forexample,userorcomputer),theTypecolumnmaynotbehelpful.



Whenacolumnisvisible,youcanchangetheorderofcolumnsbydraggingthecolumnheadingstotheleftorright.Youcanalsosorttheviewinthedetailspanebyclickingthecolumnthefirstclickwillsortinascendingorder,thesecondindescendingorder,justlikeinWindowsExplorer.

AcommoncustomizationistoaddtheLastNamecolumntoaviewofusers,sothattheycanbesortedbylastname.ItisgenerallyeasiertofindusersbylastnamethanbytheNamecolumn,whichisthecommonname(CN)andisgenerallyfirstnamelastname.

ToaddtheLastNamecolumntothedetailspaneintheActiveDirectoryUsersandComputersconsole:

1. ClicktheViewmenu,andthenclickAdd/RemoveColumns.

2. IntheAvailablecolumnslist,clickLastName.

3. ClicktheAddbutton.

4. IntheDisplayedcolumnslist,clickLastName,andthenclickMoveUptwotimes.

5. IntheDisplayedcolumnslist,clickType,andthenclickRemove.

6. ClickOK.

7. Inthedetailspane,clicktheLastNamecolumnheadertosortalphabeticallyby



lastname.

ToaddtheLastNamecolumntothedetailspaneintheActiveDirectoryAdministrativeCenter:

1. Inthedetailspane,rightclickacolumnheading,andthenclickSelectColumns.

2. IntheAvailableColumnslist,clickLastName.

3. Clickthe>>button.

4. IntheSelectedcolumnslist,clickLastName,andthenclickMoveUptwotimes.

5. IntheSelectedcolumnslist,clickType,andthenclick



WindowssystemsalsoprovidetheActiveDirectoryquerytool,whichisknownastheFindbox.OnewaytostarttheFindboxistoclicktheFindObjectsInActiveDirectoryDomainServicesbuttonintheActiveDirectoryUsersandComputerssnapin.ThebuttonandtheresultingFindboxareshowninthefollowingimage.



UsetheFinddropdownlisttospecifythetype(s)ofobjectsyouwanttoquery,orselectCommonQueriesorCustomSearch.TheIndropdownlistspecifiesthescopeofthesearch.Werecommendthatwheneverpossible,younarrowthescopeofthesearchtoavoidtheperformanceimpactsofalarge,domainwidesearch.Together,theFindandtheInlistsdefinethescopeofthesearch.

Next,configurethesearchcriteria.Commonlyusedfieldsareavailableascriteriabasedonthetypeofqueryyouareperforming.Whenyouhavespecifiedyoursearchscopeandcriteria,clickFindNow.Theresultswillappear.

YoucanthenrightclickanyitemintheresultslistandchooseadministrativecommandssuchasMove,Delete,andProperties.

Determine Where an Object Is Located



Sometimes,youmaywanttofindanobjectbyusingtheFindcommand,becauseyoudon'tactuallyknowwheretheobjectis.

Todeterminewhereanobjectislocated:

1. InActivedirectoryUsersandComputers,clicktheViewmenu,andthenselectAdvancedFeatures.

2. ClicktheFindbutton,andthenperformasearchfortheobject.

3. Rightclicktheobject,clickProperties,andthenclicktheObjecttab.

4. TheCanonicalnameofobjectshowsyouthepathtotheobject,startingat



thedomain.

Alternatively,intheFinddialogbox,youcandisplaythePublishedAtcolumn.

1. IntheFinddialogbox,clicktheViewmenu,andthenclickChooseColumns.

2. IntheColumnsAvailablelist,clickPublishedAt,andthenclickAdd.

3. ClickOK.

Demonstration: Use Saved Queries



WindowsServer2003introducedtheSavedQueriesnodeoftheActiveDirectoryUsersandComputerssnapin.Thispowerfulfunctionallowsyoutocreateruledrivenviewsofyourdomain,displayingobjectsacrossoneormoreOUs.

Tocreateasavedquery:

1. OpentheActiveDirectoryUsersandComputerssnapin.

SavedqueriesarenotavailableintheActiveDirectoryUsersandComputerssnapinthatispartofServerManager.YoumustusetheActiveDirectoryUsersandComputersconsoleoracustomconsolewiththesnapin.

2. RightclickSavedQueries,pointtoNew,andthenclickQuery.

3. Enteranameforthequery.

4. Optionally,enteradescription.

5. ClickBrowsetolocatetherootforthequery.

ThesearchwillbelimitedtothedomainorOUyouselect.Werecommendthatyounarrowyoursearchasmuchaspossible,toimprovesearchperformance.

6. ClickDefineQuerytodefineyourquery.

7. IntheFinddialogbox,selectthetypeofobjectyouwanttoquery.

Thetabsinthedialogboxandtheinputcontrolsoneachtabchangetoprovide



optionsthatareappropriatefortheselectedquery.

8. Configurethecriteriaforyourquery.

9. ClickOK.

Afteryourqueryiscreated,itissavedwithintheinstanceoftheActiveDirectoryUsersandComputerssnapin.So,ifyouopenedtheActiveDirectoryUsersandComputersconsole(dsa.msc),yourquerywillbeavailablethenexttimeyouopentheconsole.Ifyoucreatedthesavedqueryinacustomconsole,itwillbeavailableinthatcustomconsole.Totransfersavedqueriestootherconsolesorusers,youcanexportthesavedqueryasanXMLfile,andthenimportittothetargetsnapin.

Theviewofthesavedqueryinthedetailspanecanbecustomizedasdescribedearlier,withspecificcolumnsandsorting.Averyimportantbenefitofsavedqueriesisthatthecustomizedviewisspecifictoeachsavedquery.WhenyouaddtheLastNamecolumntothenormalviewofanOU,theLastNamecolumnisactuallyaddedtotheviewofeveryOU,soyouwillseeanemptyLastNamecolumnevenforanOUofcomputersorgroups.Withsavedqueries,youcanaddtheLastNamecolumntoaqueryforuserobjects,andothercolumnsforothersavedqueries.

Savedqueriesareapowerfulwaytovirtualizetheviewofyourdirectoryandtomonitorforissuessuchasdisabledorlockedaccounts.Learningtocreateandmanagesavedqueriesisaworthwhileuseofyourtime.



Demonstration: Find Objects by Using Active DirectoryAdministrative Center

Key Points

TheActiveDirectoryAdministrativeCenterprovidesenhancedfeaturesforperformingsearchesthroughouttheinfrastructure.

ToperformasearchbyusingtheActiveDirectoryAdministrativeCenter:

1. OpentheActiveDirectoryAdministrativeCenter.

2. Inthenavigationpane,clickGlobalSearch.



3. Enterthesearchcriteriaandscope.

4. ClickSearch.

Youmayalsochoosetosaveyourquery,whichallowsyoutoquicklyreevaluateyoursearchcriteriaatanytime.

Lab B: Find Objects in Active Directory

Lab Setup



ThevirtualmachineshouldalreadybestartedandavailableaftercompletingLabA.However,ifitisnot,youshouldstartthevirtualmachine,completetheexercisesinLabA,andthenstartLabB.

LogontoNYCDC1asPat.Coleman,withthepassword,Pa$$w0rd.

Lab Scenario

Contoso,Ltd.nowspansfivegeographicsitesaroundtheworld,withover1,000employees.Becauseyourdomainhasbecomepopulatedwithsomanyobjects,ithasbecomemoredifficulttolocateobjectsbybrowsing.YouaretaskedwithdefiningthebestpracticesforlocatingobjectsinActiveDirectoryfortherestoftheteamofadministrators.Youarealsoaskedtomonitorthehealthofcertaintypesofaccounts.

Exercise 1: Find Objects in Active Directory

Inthisexercise,youwilluseseveraltoolsandinterfacesthatmakeiteasierforyoutofindanobjectinActiveDirectory.


1. ExplorethebehavioroftheSelectdialogbox.

2. ControltheviewofobjectsintheActiveDirectoryUsersandComputerssnapin.



3. UsetheFindcommand.

4. Determinewhereanobjectislocated.

Task 1: Explore the behavior of the Select dialog box.

ThevirtualmachineshouldalreadybestartedandavailableaftercompletingLabA.However,ifitisnot,youshouldstartthevirtualmachine,completetheexercisesinLabA,andthenstartLabB.

1. OnNYCDC1,runyourcustomconsole,C:\AdminTools\MyConsole.mscasanadministratorwithusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. Intheconsoletree,expandtheActiveDirectoryUsersandComputerssnapin,theContoso.comdomain,andtheUserAccountsOU,andthenclicktheEmployeesOU.

3. RightclickPatColeman,andthenclickProperties.

4. ClicktheMemberOftab.

5. ClickAdd.

6. IntheSelectGroupsdialogbox,typethename,Special.



7. ClickOK.ThenameisresolvedtoSpecialProject.

8. ClickOKagaintoclosethePropertiesdialogbox.

9. Intheconsoletree,expandtheGroupsOU,andthenclicktheRoleOU.

10. Inthedetailspane,rightclicktheSpecialProjectgroup,andthenclickProperties.

11. ClicktheMemberstab.

12. ClickAdd.

TheSelectUsers,Contacts,Computers,ServiceAccounts,orGroupsdialogboxappears.

13. Typelindajoan,andthenclicktheCheckNamesbutton.

TheSelectdialogboxresolvesthenamestoLindaMitchellandJoannaRybka,andunderlinesthenamestoindicatevisuallythatthenamesareresolved.

14. ClickOK.

15. ClickAdd.

16. Typecarole,andthenclickOK.

TheSelectdialogboxresolvesthenametoCarolePolandandcloses.YouseeCarolePolandontheMemberslist.



WhenyouclicktheOKbutton,aCheckNamesoperationisperformedpriortoclosingthedialogbox.ItisnotnecessarytoclicktheCheckNamesbuttonunlessyouwanttochecknamesandremainintheSelectdialogbox.

17. ClickAdd.

18. Typetonyjeff,andthenclickOK.

Becausetherearemultipleusersmatchingtony,theMultipleNamesFoundboxappears.

19. ClickTonyKrijnen,andthenclickOK.

Becausetherearemultipleusersmatchingjeff,theMultipleNamesFoundboxappears.

20. ClickJeffFord,andthenclickOK.ClickOKtoclosetheSpecialProjectPropertiesdialogbox.

Wheneverthereismorethanoneobjectthatmatchestheinformationyouenter,thechecknamesoperationwillgiveyoutheopportunitytochoosethecorrectobject.

21. Intheconsoletree,clicktheApplicationOUundertheGroupsOU.

22. Inthedetailspane,rightclicktheAPP_Officegroup,andthenclickProperties.

23. ClicktheMemberstab.



24. ClickAdd.

25. IntheSelectdialogbox,typeNYCCL1.

26. ClickCheckNames.

ANameNotFounddialogboxappears,indicatingthattheobjectyouspecifiedcouldnotberesolved.

27. ClickCanceltoclosetheNameNotFoundbox.

28. IntheSelectbox,clickObjectTypes.

29. SelectthecheckboxnexttoComputers,andthenclickOK.

30. ClickCheckNames.

ThenamewillresolvenowthattheSelectboxisincludingcomputersinitsresolution.

31. ClickOK.

32. ClickOKtoclosetheAPP_OfficePropertiesdialogbox.

Task 2: Control the view of objects in the Active Directory Users and Computerssnap-in.



1. Intheconsoletree,expandthecontoso.comdomainandtheUserAccountsOU,andthenclicktheEmployeesOU.


3. IntheAvailableColumnslist,clickLastName.


5. IntheDisplayedcolumnslist,clickLastNameandclickMoveUptwotimes.

6. IntheDisplayedcolumnslist,clickType,andthenclickRemove.

7. ClickOK.


9. Inthedetailspane,clicktheLastNamecolumnheadertosortalphabeticallybylastname.


11. IntheAvailableColumnslist,clickPreWindows2000Logon.


13. IntheDisplayedcolumnslist,clickPreWindows2000LogoandclickMoveUp.



14. ClickOK.


Task 3: Use the Find command.


2. ClicktheFindbuttoninthetoolbar.

3. IntheNamebox,typeDan,andthenclickFindNow.

4. Howmanyitemswerefound?Lookatthestatusbar,atthelowerpartoftheFindUsers,Contacts,andGroupswindow.

5. ClicktheIndropdownlist,andthenclickEntireDirectory.

6. ClickFindNow.

7. Howmanyitemswerefound?Lookatthestatusbar,atthelowerpartoftheFindUsers,Contacts,andGroupswindow.

8. ClosetheFindUsers,Contacts,andGroupsdialogbox.



Task 4: Determine where an object is located.

1. TurnontheviewofAdvancedFeaturesfortheActiveDirectoryUsersandComputerssnapin.

2. UsetheFindcommandtolocateusersindomainwhosenamesbeginwithPat.Coleman.Youshouldseetworesults.

3. UsethepropertiesofPatColeman(Admin)todeterminewheretheuserislocatedinActiveDirectory.

Results:Inthisexercise,youlearnedthatthereareseveralinterfaceswithwhichyouperformsearchesagainstActiveDirectory,andyouknowhowtocontroltheviewintheActiveDirectoryUsersandComputerssnapin.

Exercise 2: Use Saved Queries

Inthisexercise,youwillcreatesavedquerieswithwhichadministrativetaskscanbemoreefficientlyperformed.


1. Createasavedquerythatdisplaysalldomainuseraccounts.



2. Createasavedquerythatshowsalluseraccountswithnonexpiringpasswords.

3. Transferaquerytoanothercomputer.

Task 1: Create a saved query that displays all domain user accounts.

CreateasavedquerycalledAllUserObjectsthatshowsallusersinthedomain.

Task 2: Create a saved query that shows all user accounts with non-expiringpasswords.

CreateasavedquerycalledNonExpiringPasswordsthatshowsallusersinthedomainwhosepasswordsdonotexpire.

Notethatforthepurposesofmaintainingasimple,singlepasswordforallusersinthiscourse,alluseraccountsareconfiguredsothatpasswordsdonotexpire.Inaproductionenvironment,useraccountsshouldnotbeconfiguredwithnonexpiringpasswords.

Task 3: Transfer a query to another computer.

1. ExporttheNonExpiringPasswordsqueryto



C:\AdminTools\Query_NonExpPW.xml.

2. DeletetheNonExpiringPasswordsquery.

3. ImporttheC:\AdminTools\Query_NonExpPW.xmlquery.

4. LogofffromNYCDC1.

Results:Inthisexercise,youcreatedtwosavedqueries.Thefirstquery,AllUserObjects,demonstratesthatasavedquerycancreateavirtualizedviewofyourdomain,allowingyoutoseeobjectsthatmeetasetofcriteria,regardlessofwhichOUthoseobjectsarein.Thesecondquery,NonExpiringPasswords,demonstratesthatyoucanusesavedqueriestomonitorthehealthofyourenvironment.

NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecausethesettings

youhaveconfiguredherewillbeusedinLabC.

Lab Review Questions

Question:Inyourwork,whatscenariosrequireyoutosearchActiveDirectory?

Question:Whattypesofsavedqueriescanyoucreatetohelpyouperform



your

administrativetasksmoreefficiently?

Lesson 4: Use Windows PowerShell to AdministerActive Directory

WindowsPowerShellisquicklybecomingtheprimaryfoundationforadministeringanumberofMicrosoftserverproducts.Forexample,productssuchasMicrosoftExchange2010andMicrosoftSQLServer2008useWindowsPowerShellformost,



ifnotall,oftheconfigurationandmanagementtasks.WindowsServer2008R2providesanumberofenhancementstohowPowerShellcanadministerActiveDirectory.

Objectives


DescribeWindowsPowerShell.

DescribetherequirementsforusingWindowsPowerShell.

DescribehowWindowsPowerShellsyntaxworks.

DescribeActiveDirectoryPowerShellcmdlets.

UsePowerShellcmdletstoperformadministrativetasksinActiveDirectory.

What Is Windows PowerShell?



WindowsPowerShellisnotjustascriptinglanguage.WindowsPowerShellisanenginedesignedtoruncommandsthatperformadministrativetasks,suchascreatingnewuseraccounts,configuringservices,deletingmailboxes,andsoon.

WindowsPowerShellprovidesmanywaysinwhichyoucanspecifywhichcommandstorun.Youcan,forexample,manuallytypecommandnamesinacommandlineconsolewindow.Youcanalsotypecommandsinanintegratedscriptingenvironment(ISE)thatoffersamoregraphicallyrichcommandlineenvironment.WindowsPowerShellcanalsobeintegratedwithinanapplication,allowingcommandstoruninresponsetouseractionssuchasclickingbuttonsoricons.Youcanalsotypeaseriesofcommandsintoatextfile,andinstructtheshelltorunthecommandsinthatfile.



Inanidealworld,WindowsPowerShellisasingle,centralsourceforadministrativefunctionality.Ideally,youmayuseagraphicaluserinterface(GUI)withbuttons,icons,dialogboxes,andotherelementsthatrunWindowsPowerShellcommandsinthebackground.IftheGUIdoesnotallowyoutoaccomplishataskinexactlythewayyouwant,youmaychoosetorunthosesamecommandsintheorderandwayyouprefer,directlyinthecommandlineconsole,bypassingtheGUI.ManyMicrosoftproductsarebuiltinthatexactway,includingMicrosoftExchangeServer2007andMicrosoftExchangeServer2010.TheActiveDirectoryAdministrativeCenterinWindowsServer2008R2isalsobuiltinthisidealway.Thus,youcanchoosetouseaGUIthatrunsWindowsPowerShellcommandsinthebackground,oryoucanchoosetorunthecommandsdirectlyintheWindowsPowerShellconsoleorISE.

Thischoice,tousecommandsdirectlyortohavecommandsrunforyouaspartofaGUI,ispartofwhatmakesWindowsPowerShellsocompelling.Withthisshell,MicrosoftrecognizesandacknowledgesthatsometasksareeasiertodoinaGUI,especiallytasksthatyoudontperformveryoften.AGUIcanguideyouthroughcomplexoperations,andcanhelpyouunderstandyourchoicesandoptionsmoreeasily.However,MicrosoftalsorecognizesthataGUIcanbeinefficientfortasksthatyouneedtoperformrepeatedly,suchascreatingnewuseraccounts.BybuildingasmuchadministrativefunctionalityaspossibleintheformofWindowsPowerShellcommands,youcanchoosewhatsrightforanygiventask:TheeaseofuseofaGUI,orthepowerandcustomizationofacommandlineshell.Overtime,WindowsPowerShellmayreplaceotherlowleveladministrativetoolsthatyoumayhaveused.Forexample,WindowsPowerShellcanalreadysupplantVisualBasicScriptEdition



(VBScript),becausetheshellhasaccesstothesamefeaturesthatVBScriptdoes,although,inmanycases,theshellprovideseasierwaystoaccomplishthesametasks.WindowsPowerShellmayalsoreplaceyouruseofWindowsManagementInstrumentation(WMI).AlthoughWMIremainsveryuseful,itcanalsobecomplextouse.WindowsPowerShellcanwraptaskspecificcommandsaroundunderlyingWMIfunctionality.YouaretechnicallystillusingWMI,butdoingsobecomeseasierbecauseyoucanrunaneasiertouse,taskbasedcommand.

Installation Requirements for Windows PowerShell 2.0

WindowsPowerShell2.0ispreinstalledbydefaultinWindowsServer2008R2andWindows7.InWindowsServer2008R2,youcanoptionallyinstalltheWindows



PowerShellISE,agraphicallyorientedshellenvironment.

WindowsPowerShell2.0isalsoavailableasaWebdownloadforWindowsXP,WindowsServer2003,WindowsVista,andWindowsServer2008.WindowsPowerShellv2isincludedintheWindowsManagementFrameworkCore,whichalsoincludesotherrelatedmanagementtechnologies.Thedownloadcanbefoundathttp://go.microsoft.com/fwlink/?LinkId=193574andseparateversionsareavailablefordifferentoperatingsystemsandarchitectures(32bitand64bit).ThedownloadincludestheWindowsPowerShellISEandthemoretraditionalcommandlineconsole.

WindowsPowerShellv2canbeinstalledonthefollowingoperatingsystems:

WindowsServer2008withServicePack1



WindowsVistawithServicePack2

WindowsVistawithServicePack1

WindowsXPwithServicePack3

WindowsEmbeddedPOSReady2009



WindowsEmbeddedforPointofService1.1

WindowsPowerShell2.0requiresMicrosoft.NETFramework2.0withServicePack1andWindowsPowerShellISErequiresMicrosoft.NETFramework3.5withServicePack1.

NoteThecontentinthefollowingsectiononlyappliestoWindowsServer2008R2.

Active Directory Module for Windows PowerShell

WindowsServer2008R2includestheActiveDirectoryModuleforWindowsPowerShell.ThismoduleconsolidatesagroupofcmdletsthatareusedtomanageADDSdomains,ActiveDirectoryLightweightDirectoryServices(ADLDS)configurationsets,andtheActiveDirectoryDatabaseMountingTool.

TheActiveDirectorymoduleisinstalledwhen:

YouinstalltheADDSorADLDSserverroles.

YourunDcpromo.exe.

YouinstallRemoteServerAdministrationTools(RSAT)onWindowsServer2008R2orWindows7.



NoteTousetheActiveDirectorymoduletomanageADDS,theWindowsServer2008R2ActiveDirectoryWebServices(ADWS)servicemustbeinstalledonatleastonedomaincontrollerinthedomain.

Overview of the Windows PowerShell Syntax

AllWindowsPowerShellcmdletsareusedasverbnounpairs.Ahyphen()withoutspacesseparatetheverbnounpair,andthecmdletnounsarealwayssingular.Verbsrefertotheactionthatthecmdlettakes.Nounsrefertotheobjectonwhichthe



cmdlettakesaction.Forexample,intheGetADUsercmdlet,theverbisGet,andthenounisADUser.Allcmdletsthatmanageaparticularfeaturesharethesamenoun.

Using Cmdlets

Cmdletsalsohavenamed,positional,andswitchparametersthatyouspecifywiththecmdlettomodifyitsbehaviorortoprovideadditionalinformationtocontrolit.Youspecifynamedparameterswithadditionalinformation,suchasthevalueyouwanttoset,andyoudefinethesevaluesbyusingaspecificname.Youcanusepositionalparameterstosupplyvaluestothecmdletbasedonthevalueslocation,ratherthanonaparametername.

MostoftheActiveDirectorycmdletsthatretrieveobjects(thosethatuseGetastheverbcomponentofthecmdletname)havedefinedamandatoryfilterparameter.Youcanspecify*forthisparameter,butyoushouldgenerallyspecifymoreprecisecriteriasothatyouarequeryingonlythoseobjectsthatyouabsolutelyneed.

ThefilterparameteroftheActiveDirectorycmdletsacceptsWindowsPowerShellstylecriteria.

Get-ADUser -Filter 'Name -like "*SvcAccount"' Get-ADUser -Filter {Name -eq "Adam Carter"}



Using Cmdlets Together

Pipeliningistheprocessofusingmultiplecmdletssimultaneouslytogatherinformation,whichyoucanthenpasstoothercmdletsforadditionalprocessing.Pipeliningallowsyoutochainonecmdlettoanothersothattheresultsofthepreviouscmdletactasinputtothenextcmdlet.Topipelineinformationfromonecmdlettoanother,specifythepipecharacterbetweenthecmdlets.Thepipecharacterisaverticalbar(|).Youcanpipelinemorethantwocmdlets.Infact,youcanuseasmanyasnecessarytoachievetheresultsyoudesire.

Windows PowerShell Cmdlets for Active Directory



ThefollowingtablelistsvarioustasksthatcanbeperformedbyusingtheActiveDirectoryforWindowsPowerShellmodule.

ManagementCategory

Task

UserManagement Creatingauser

Modifyinganattributeformultipleusers

Settingprofileattributes

Renamingauser

Findingandunlockinguseraccounts

Enablingordisablinguseraccounts

ComputerManagement Joiningacomputertoadomain

Addingorremovingacomputeraccount

Resettingacomputeraccount

Modifyingattributesofcomputeraccounts



GroupManagement Creatingagroup

Addingandremovingmembersofagroup

Viewingthemembersofagroup

Changingthegroupscopeortype

OrganizationalUnitManagement

CreatingordeletinganOU

ListingobjectsinanOU

AssigningorremovingamanagerofanOU

MovingtheobjectsinanOU

PasswordPolicyManagement

Creatingandmanagingfinegrainedpasswordpolicies

Modifyingthedefaultdomainpasswordpolicy

Getresultantpasswordpolicyforauser

Searchingandmodifyingobjects

Searchingtheglobalcatalog

ImportingobjectsbyusingaCSVfile



ExportingobjectstoaCSVfile

Searchingforandrestoringdeletedobjects

ForestandDomainManagement

Findingthedomainsinaforest

Raisingthefunctionallevelofthedomainorforest

Viewingthetrustsforadomain

DomainControllerandOperationsMasterManagement

Findingthedomaincontrollersforadomain

Movingthedomaincontrollertoadifferentsite

EnablinganddisablingtheGlobalCatalog

Managingoperationsmasterroles

ManagedServiceAccountManagement

Creatingorremovingamanagedserviceaccount

Associatingamanagedserviceaccountwithacomputer

Resettingthepasswordofamanagedserviceaccount

NoteTheprecedingtableisonlyasubsetofthefullfunctionalitythatcanbe



performed

withWindowsPowerShell.Forafulllistincludingexamples,seehttp://go.microsoft.com/fwlink/?LinkID=214183

Demonstration: Manage Users and Groups by UsingWindows PowerShell

Inthisdemonstration,yourinstructorwillshowyouvarioustasksthatcanbeperformedbyusingWindowsPowerShell.



Demonstration Steps

1. OpentheActiveDirectoryModuleforWindowsPowerShell.

2. Performthefollowingtasks:

CreateanewOU.

new-adorganizationalunit Test1 new-adorganizationalunit Test2

Createanewuser.

new-aduser -name TestUser1 -department IT -city "NewYork" -organization "Contoso"

MoveausertoanewOU.

get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=Test2,dc=contoso,dc=com"

Viewgroupmembership.



get-adgroup -filter "Name -eq 'Domain Admins'" get-adgroup -filter "Name -eq 'Domain Admins'" | get-adgroupmember

Addmemberstoagroup.

add-adgroupmember "Marketing" testuser1

Setthepasswordforanewuserandenabletheuseraccount.

Set-ADAccountPassword testuser1 -Reset -NewPassword(ConvertTo-SecureString -AsPlainText "Pa$$w0rd1" -Force) get-aduser -filter 'Name -eq "TestUser1"' |enable-adaccount

Lab C: Use Windows PowerShell to Administer ActiveDirectory



Lab Setup

ThevirtualmachineshouldalreadybestartedandavailableaftercompletingLabB.However,ifitisnot,youshouldstartthevirtualmachine,completetheexercisesinLabB,andthenstartLabC.

LogontoNYCDC1asContoso\Administrator,withthepassword,Pa$$w0rd.

Lab Scenario

Contoso,Ltd.isgrowing,andchangesneedtobemadetoobjectsinActiveDirectory.YouareanadministratorofADDS,andyouknowthatitiseasiertoview,create,



delete,andmodifyobjectsbyusingWindowsPowerShell.

Exercise: Use Windows PowerShell to Administer Active Directory

Inthisexercise,youwilluseWindowsPowerShelltoperformbasicadministrativetasks.


1. ListallcommandsintheActiveDirectorymodule.

2. Retrieveallusersmatchingaspecificdepartmentandofficebyusingserversidefiltering.

3. Resetuserpasswordsandaddressinformation.

4. Disableuserswhobelongtoaspecificgroup.

5. DiscoveranyOUsthatarenotprotectedagainstaccidentaldeletion.

6. CreateareportshowingallWindowsServer2008R2servers.

NoteBecauseofthecomplexityofthecommandlinerequirements,theworkbookstepsmatchthelabanswerkeysforthislab.



Task 1: List all commands in the Active Directory module.

1. OntheStartmenuofNYCDC1,clickAllPrograms,clickAdministrativeTools,andthenclickActiveDirectoryModuleforWindowsPowerShell.

2. InthePowerShellwindow,typethefollowingcommand,andthenpressEnter.

Get-Command -Module ActiveDirectory

Task 2: Retrieve all users matching a specific department and office by usingserver-side filtering.


Get-Help Get-ADUser -Full


Get-ADUser



3. WhenyouarepromptedtoenteravaluefortheFilterparameter,typethefollowing,andthenpressEnter.

!?

4. AfterreviewingthehelpdocumentationfortheFilterparameter,typethefollowing,andthenpressEnter.

department -eq "Marketing"


Get-ADUser -Filter 'department -eq "Marketing"'


Get-ADUser -Filter '(department -eq "Marketing") -and(office -eq "London")'



Task 3: Reset user passwords and address information.

1.InthePowerShellwindow,typethefollowingcommand,andthenpressEnter.

Get-ADUser -Filter 'office -eq"New York"'

2.InthePowerShellwindow,typethefollowingcommand,andthenpressEnteraftereachline.

Get-Help Read-Host -Full Get-Help Set-ADAccountPassword -Full


Get-ADUser -Filter 'office -eq"New York"' | Set-ADAccountPassword-Reset -NewPassword (Read-Host -AsSecureString 'New password')

4.Whenprompted,enterthepassword,Pa$$w0rd1,andthenpressEnter.

Pa$$w0rd1




Get-Help Get-ADUser -Parameter Properties


Get-ADUser -Filter 'office -eq"New York"' -PropertiesOffice,StreetAddress,City,State,Country,PostalCode | Format-TableSamAccountName,Office,StreetAddress,City,State,Country,PostalCode


Get-Help Set-ADUser -Full


Get-ADUser -Filter 'office -eq"New York"' -PropertiesOffice,StreetAddress,City,State,Country,PostalCode | Set-ADUser -Office Main - StreetAddress '2345 Main St.' -CityBellevue -State WA -Country US -PostalCode '95102'



Task 4: Disable users who belong to a specific group.


Get-Help Get-ADGroup -Full


Get-ADGroup -Filter *


Get-ADGroup -Identity Sales


Get-Help Get-ADGroupMember -Full




Get-ADGroup -Identity Sales| Get-ADGroupMember


Get-Help Disable-ADAccount -Full

7. InthePowerShellwindow,typethefollowingcommand,andthenpressEnter.NotethattheerrormessagereferringtotheSalesManagersgroupisexpected.

Get-ADGroup -Identity Sales| Get-ADGroupMember |Disable-ADAccount -WhatIf

8. InthePowerShellwindow,typethefollowingcommand,andthenpressEnter.NotethattheerrormessagereferringtotheSalesManagersgroupisexpected.

Get-ADGroup -Identity Sales| Get-ADGroupMember | Disable-ADAccount

Task 5: Discover any OUs that are not protected against accidental deletion.




Get-Help Get-ADOrganizationalUnit -Full


Get-ADOrganizationalUnit -Filter * -PropertiesProtectedFromAccidentalDeletion


Get-ADOrganizationalUnit -Filter * -PropertiesProtectedFromAccidentalDeletion | Where- Object {-not$_.ProtectedFromAccidentalDeletion}

Task 6: Create a report showing all Windows Server 2008 R2 servers.


Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties



OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion

2.InthePowerShellwindow,typethefollowingcommands,andthenpressEnterattheendofeachline.

Get-Help ConvertTo-Html Full Get-Help Out-File -Full


Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -PropertiesOperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion| ConvertTo-Html -Property Name,SID,OperatingSystem* -Fragment


Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -PropertiesOperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion| ConvertTo-Html -Property Name,SID,OperatingSystem* | Out-File C:\OSList.htm




C:\OSlist.htm

Results:Inthisexercise,yousuccessfullyperformedadministrativetasksbyusingWindowsPowerShell.

To prepare for the next module

Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis,completethefollowingsteps:

1. Onthehostcomputer,startHyperVManager.

2. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclickRevert.

3. IntheRevertVirtualMachinedialogbox,clickRevert.

Module Review and Takeaways



Review Questions

1. WhatarethefourmainsnapinsusedforActiveDirectoryadministration?

2. IstheActiveDirectoryAdministrativeCenterbaseduponanMMC?

3. ListsomeofthetasksthatcanbeperformedwithWindowsPowerShell.

Tools

Tool Usefor Wheretofindit



ActiveDirectoryUsersandComputers

ManaginganActiveDirectorydomain

AdministrativeTools

ActiveDirectoryAdministrativeCenter


AdministrativeTools

WindowsPowerShell


AdministrativeTools

Windows Server 2008 R2 Features Introduced in this Module

WindowsServer2008R2feature

Description

ActiveDirectoryAdministrativeCenter

UsedtomanageActiveDirectoryDomainServices

ActiveDirectoryModuleforWindowsPowerShell

UsedtomanageActiveDirectoryDomainServicesbyusingWindowsPowerShell

Documents

Module 2_ Administering Active Directory Securely and Efficiently