07/06/13 Module 2: Administering Active Directory Securely and Efficiently
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=4&FontSize=3&FontType=segoe 1/93
Module 2: Administering Active Directory Securely and Efficiently
Contents:
Lesson 1: Work with Active Directory Administration Tools
Lesson 2: Custom Consoles and Least Privilege
Lab A: Administering Active Directory by Using Administrative Tools
Lesson 3: Find Objects in Active Directory
Lab B: Find Objects in Active Directory
Lesson 4: Use Windows PowerShell to Administer Active Directory
Lab C: Use Windows PowerShell to Administer Active Directory
Module Overview
Most administrators first experience Active Directory by opening Active Directory Users and Computers and creating user, computer, or group objects within the organizational units (OUs) of a domain.
Unfortunately, many administrators never take the time to elevate their skill sets with the Active Directory administrative tools. Whether you are a new administrator or a seasoned veteran, you need to work securely and efficiently. Therefore, this module will share the secrets of effective administration that are often learned only after months or years of experience.
Objectives
After completing this module, you will be able to:
Describe and work with Active Directory administration tools.
Describe the purpose and functionality of custom consoles and least privilege.
Locate objects in Active Directory.
Administer Active Directory by using Windows PowerShell.
Lesson 1: Work with Active Directory Administration Tools
Active Directory administrative tools expose the functionality you require to support the directory service. In this lesson, you will identify and locate the most important Active Directory tools.
Objectives
After completing this lesson, you will be able to:
Identify the snap-ins within Server Manager and the native consoles used to administer Active Directory Domain Services (AD DS).
Perform administrative tasks by using the Active Directory Administrative Center.
Install the Remote Server Administration Tools (RSAT).
Perform administrative tasks by using Active Directory administrative tools.
Active Directory Administration Snap-ins
Most Active Directory administration is performed with the following snap-ins and consoles:
Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, computers, printers, and shared folders. This is likely to be the most heavily used snap-in for an Active Directory administrator.
Active Directory Sites and Services. This manages replication, network topology, and related services.
Active Directory Domains and Trusts. This configures and maintains trust relationships and the domain and forest functional level.
Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. The schema is the blueprint for Active Directory. It is rarely viewed and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.
What Is the Active Directory Administrative Center?
Note: The content in this topic only applies to Windows Server 2008 R2.
Windows Server 2008 R2 provides another option for managing Active Directory Domain Services (AD DS) objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built upon Windows PowerShell. This enhanced interface allows you to perform Active Directory object management by using task-oriented navigation. Tasks that can be performed by using the Active Directory Administrative Center include:
Create and manage user, computer, and group accounts.
Create and manage organizational units.
Connect to and manage multiple domains within a single instance of the Active Directory Administrative Center.
Search and filter Active Directory data by building queries.
Installation Requirements
The Active Directory Administrative Center can only be installed on computers running Windows Server 2008 R2 and Windows 7. You can install the Active Directory Administrative Center by using the following methods:
Install the Active Directory Domain Services (AD DS) server role through Server Manager.
Promote a server to a domain controller by using Dcpromo.exe.
Install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or Windows 7.
Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS) service, which must be installed on at least one domain controller in the domain. The service also requires port 9389 to be open on the domain controller where ADWS is running.
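The ADWS requirement in the note above can be verified from an administrative workstation. The following PowerShell is an added example, not part of the courseware: it enumerates the domain's controllers over LDAP, so it does not itself depend on ADWS, and tests TCP port 9389 on each. The function name Test-AdwsPort and the 3-second timeout are assumptions.

```powershell
# Added example, not from the courseware. Test-AdwsPort is a hypothetical helper name.
# Works on Windows PowerShell 2.0 (Windows Server 2008 R2 / Windows 7) and later.

function Test-AdwsPort {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        [int]$Port = 9389,        # ADWS port stated in the note above
        [int]$TimeoutMs = 3000    # assumption: 3 seconds is enough on a LAN
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # no answer in time: filtered port or host down
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $client.Connected
    }
    catch {
        return $false                  # refused, or the name did not resolve
    }
    finally {
        $client.Close()
    }
}

# Enumerate domain controllers through System.DirectoryServices (LDAP),
# which keeps working even when ADWS is unavailable on every controller.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$results = foreach ($dc in $domain.DomainControllers) {
    New-Object PSObject -Property @{
        DomainController = $dc.Name
        AdwsReachable    = Test-AdwsPort -ComputerName $dc.Name
    }
}

$results | Select-Object DomainController, AdwsReachable | Format-Table -AutoSize

# The Administrative Center needs at least one controller that answers on the ADWS port.
if (-not ($results | Where-Object { $_.AdwsReachable })) {
    Write-Warning "No domain controller in $($domain.Name) accepts connections on TCP 9389."
}
```

A closed port on one controller is not a failure by itself; the note only requires ADWS on at least one domain controller in the domain.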
Find Active Directory Administration Tools
Active Directory snap-ins and consoles are installed when you add the AD DS role to a server. Two commonly used Active Directory administrative tools are added to Server Manager when you install the AD DS role: the Active Directory Users and Computers snap-in and the Active Directory Sites and Services snap-in.
To administer Active Directory from a system that is not a domain controller, you must install RSAT. RSAT is a feature that can be installed from the Features node of Server Manager on Windows Server 2008.
RSAT can also be installed on Windows clients, including Windows Vista Service Pack 1 (or later) and Windows 7. Simply download the RSAT installation files from www.microsoft.com/downloads. The Setup Wizard will step you through the installation. After you have installed RSAT, you must also turn on the tool or tools you wish to have visible. To do this, use the Turn Windows Features On or Off command in the Programs And Features application in Control Panel.
After it is installed and turned on, all Active Directory administrative consoles can be found in the Administrative Tools folder, which itself is found in Control Panel. In the classic view of Control Panel, you will see the Administrative Tools folder. In the Control Panel Home view, administrative tools are found in System and Maintenance.
Demonstration: Perform Administrative Tasks by Using Active Directory Administration Tools
Active Directory Users and Computers and the Active Directory Administrative Center can both be used to perform administrative tasks. The following sections provide information on performing tasks by using each tool.
Active Directory Users and Computers
Viewing Objects
The Active Directory Users and Computers snap-in displays the objects in the container (domain, OU, or container) selected in the console tree.
Refreshing the View
The view is not refreshed automatically. If you want to see the latest changes to the view of objects, select the container in the console tree and then either click the Refresh button on the snap-in toolbar or press F5.
You must select the container in the console tree before clicking Refresh (or pressing F5); clicking in an empty area of the details pane is not sufficient. This is a quirk of the Active Directory Users and Computers snap-in.
Creating Objects
To create an object in Active Directory Users and Computers, right-click the domain, a container (such as Users or Computers), or an OU. Then, point to New and click the type of object you want to create.
When you create an object, you are prompted to configure a few of the most basic properties of the object, including the properties that are required for that type of object.
Configuring Object Attributes
After an object has been created, you can access its properties. Right-click the object, and then click Properties.
The Properties dialog that appears displays many of the most common properties of the object.
Properties are grouped on tabs, to make it easier to locate a specific property.
You can configure as many properties as you want, on as many tabs as you want, then click Apply or OK once to save all the changes. The difference between Apply and OK is that the OK button closes the Properties dialog box, whereas Apply saves the changes and keeps the dialog box open so that you can make additional changes.
Viewing All Object Attributes
A user object has even more properties than are visible in its Properties dialog box. Some of the so-called hidden properties can be quite useful to your enterprise. To view these hidden user attributes, you must turn on the Attribute Editor, a new feature in Windows Server 2008.
To turn on the Attribute Editor in the Active Directory Users and Computers snap-in, click the View menu, and then select the Advanced Features option.
To open the Attribute Editor for a specific Active Directory object:
1. Right-click the object, and then click Properties.
2. Click the Attribute Editor tab.
The Attribute Editor tab of the Properties dialog box appears.
As you can see in the screenshot above, some attributes of a user object can be quite useful, including division, employeeID, employeeNumber, and employeeType. Although the attributes are not shown on the standard tabs of a user object, they are now available through the Attribute Editor.
To change the value of an attribute, double-click the value.
The attributes can also be accessed programmatically with Windows PowerShell, Windows Visual Basic Scripting Edition, or Microsoft .NET Framework.
Active Directory Administrative Center
Navigation
The Active Directory Administrative Center provides a navigation pane that can be set as a List View and a Tree View. The List View displays three main nodes: an Overview node, a domain node, and a Global Search node. The Tree View changes the domain node to provide a view of the entire domain structure.
Performing Administrative Tasks
When the Overview node is selected, you can perform specific tasks such as Reset Password and Global Search. Reset Password provides the ability to enter a known user name and reset the password, unlock the account, and configure the user to change the password at the next logon. Global Search provides the ability to search for objects based upon a domain scope or a Global Catalog scope.
Depending upon the object selected, you will be able to perform many related tasks. For example, if a user object is selected, you can perform tasks such as reset the password, add to a group, disable the account, move the account, delete the account, locate the account, or open the Properties dialog box of the account.
Lesson 2: Custom Consoles and Least Privilege
In this lesson, you will go beyond the Administrative Tools folder to work more securely and efficiently. You will learn how to build customized administrative consoles and how to work in a least-privilege environment, in which you are logged on as a nonadministrative user, but perform administrative tasks as an administrator.
Objectives
After completing this lesson, you will be able to:
Create a custom MMC console for administration.
Perform administrative tasks while logged on as a user.
Demonstration: Create a Custom MMC Console for Administering Active Directory
It's easier to administer Windows when the tools you need are in one place and can be customized to meet your needs. This is achieved by creating a customized MMC administrative console that contains the snap-ins you need to perform your administrative tasks. When you create a customized MMC console, you can:
Add multiple snap-ins so that you do not have to switch between consoles to perform your job tasks, and you only have to run one console to perform any of your administrative tasks.
Save the console so it can be used regularly.
Distribute the console to other administrators.
Save the console, and other consoles, to a shared location for unified, customized administration.
To create a customized MMC console:
1. Click Start. Then, in the Start Search box, type mmc.exe, and then press Enter.
2. Click the File menu, and then click Add/Remove Snap-ins.
The Add/Remove Snap-ins dialog box allows you to add, remove, reorder, and manage the console's snap-ins.
After you have installed RSAT, all four Active Directory management snap-ins are installed; however, the Active Directory Schema snap-in will not appear in the Add/Remove Snap-ins dialog box until after you have registered the snap-in.
To register Active Directory Schema:
1. Open a command prompt by clicking Start, typing cmd.exe, and pressing Enter.
2. Type regsvr32.exe schmmgmt.dll, and then press Enter.
Question: Have you built a custom MMC console?
Question: What snap-ins have you found useful?
Question: Why did you build your own console?
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Many administrators log on to their computer by using their administrative accounts. This practice is dangerous because an administrative account has more privileges and access to more of the network than a standard user account. Therefore, malware that is run with administrative credentials can cause significant damage.
To avoid this problem, do not log on as an administrator. Instead, log on as a standard user and use the Run As Administrator feature to start administrative tools in the security context of an administrative account.
1. Right-click the shortcut for an executable, Control Panel applet, or MMC console that you want to run, and then click Run as administrator. If you do not see the command, try holding down the SHIFT key and right-clicking.
2. The User Account Control (UAC) dialog box appears, prompting for administrative credentials.
3. Click Use another account.
4. Enter the user name and password of your administrative account.
5. Click OK.
Tip: If you will be running an application regularly as an administrator, you should create a new shortcut that preconfigures Run As Administrator. Create a shortcut and open the Properties dialog box for the shortcut. Click the Advanced button and select Run As Administrator. When you run the shortcut, the User Account Control dialog box will appear.
Demonstration: Secure Administration with User Account Control and Run As Administrator
When you run a process as an administrator, the administrative account may not have access to the same locations that your user account does. Therefore, we recommend that you save custom consoles in a location that is accessible to both your user and your administrative accounts.
To run as an administrator:
1. Right-click the shortcut for an executable, Control Panel applet, or MMC console that you want to run, and then click Run as administrator. If you do not see the command, try holding down the SHIFT key and right-clicking.
2. The User Account Control dialog box appears, prompting for administrative credentials.
3. Click Use another account.
4. Enter the user name and password of your administrative account.
5. Click Yes.
Lab A: Administer Active Directory by Using Administrative Tools
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman_Admin
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer and browse to D:\Labfiles\Lab02a.
6. Right-click Lab02a_Setup.bat, and then click Run as administrator.
7. A User Account Control dialog box appears.
8. Click Yes.
9. The lab setup script runs. When it is complete, press any key to continue.
10. Close the Windows Explorer window.
Lab Scenario
In this lab, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all the snap-ins you require to do your work. Additionally, the Contoso, Ltd. IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with nonprivileged credentials.
Exercise 1: Perform Basic Administrative Tasks by Using Administrative Tools
In this exercise, you will perform basic administrative tasks in the Active Directory Users and Computers snap-in.
The main tasks for this exercise are as follows:
1. View and create objects by using Active Directory Users and Computers.
2. Perform tasks by using Active Directory Administrative Center.
Task 1: View and create objects by using Active Directory Users and Computers.
1. Open Active Directory Users and Computers from the Administrative Tools folder.
2. Look at the objects in the User Accounts\Employees OU.
3. Create a new OU in the Employees OU called FullTime.
4. Select the Employees OU and then open the properties of Pat Coleman.
5. Configure the Office attribute on the General tab to Redmond.
6. Confirm that the Attribute Editor tab is not visible in the Properties dialog box of Pat Coleman, and that there is no input control for the division property on any of the tabs.
7. Turn on the view of Advanced Features for the Active Directory Users and Computers snap-in.
8. View the Attribute Editor for Pat Coleman.
9. Change Pat Coleman's division attribute to 6425C.
10. Close Active Directory Users and Computers.
Task 2: Perform tasks by using Active Directory Administrative Center.
1. Open the Active Directory Administrative Center from the Administrative Tools folder.
2. Navigate to the User Accounts\Contractors OU and move Adam Carter to the User Accounts\Employees OU.
3. In the Contractors OU, disable the Aaron Con user account.
4. In the User Accounts\Employees OU, open the Properties of Adam Carter and configure Job Title to be Manager.
5. Close the Active Directory Administrative Center.
Results: In this exercise, you experienced the fundamentals of administration by using the Active Directory Users and Computers snap-in and the Active Directory Administrative Center.
Exercise 2: Create a Custom Active Directory Administrative Console
In this exercise, you will create a single, custom administrative console that contains all the snap-ins you need to do your work.
The main tasks for this exercise are as follows:
1. Create a custom MMC console with the Active Directory Users and Computers snap-in.
2. Add other Active Directory snap-ins to the console.
3. Add the Active Directory Schema snap-in to a custom MMC console.
4. Manage snap-ins in a custom MMC console (optional).
Task 1: Create a custom MMC console with the Active Directory Users and Computers snap-in.
1. On NYC-DC1, open an empty MMC console and maximize it.
2. Add the Active Directory Users and Computers snap-in.
3. Save the console. Create a new folder called C:\AdminTools and save the console in that folder as MyConsole.msc.
Task 2: Add other Active Directory snap-ins to the console.
1. Add the Active Directory Sites and Services and Active Directory Domains and Trusts snap-ins to your console.
2. Rename the console root to Active Directory Administrative Tools.
3. Save the console.
Task 3: Add the Active Directory Schema snap-in to a custom MMC console.
1. Confirm that Active Directory Schema is not listed as an available snap-in in the Add or Remove Snap-ins dialog box.
The Active Directory Schema snap-in is installed with the Active Directory Domain Services role, and with the RSAT, but it is not registered, so it does not appear.
2. In the Start menu, browse to the Accessories group, right-click Command Prompt, and then click Run as administrator.
3. In the command prompt, type the command, regsvr32.exe schmmgmt.dll.
This command registers the dynamic link library (DLL) for the Active Directory Schema snap-in. You must perform this step at least once on a system before you can add the snap-in to a console.
4. Close the Command Prompt window.
5. Add the Active Directory Schema snap-in to the console.
6. Save the console.
Results: In this exercise, you created a custom MMC console with the Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema snap-ins.
Exercise 3: Perform Administrative Tasks with Least Privilege, Run As Administrator, and User Account Control
In this exercise, you will perform administrative tasks while logged on with standard user credentials.
The main tasks for this exercise are as follows:
1. Log on with credentials that do not have administrative privileges.
2. Run Server Manager as an administrator.
3. Examine the credentials used by running processes.
4. Run the command prompt as an administrator.
5. Run Administrative Tools as an administrator.
6. Run a custom administrative console as an administrator.
Task 1: Log on with credentials that do not have administrative privileges.
1. Log off from NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman, with the password, Pa$$w0rd.
Pat.Coleman is a member of Domain Users and has no administrative privileges.
Task 2: Run Server Manager as an administrator.
1. Click the Server Manager icon in the Quick Launch, next to the Start button.
A User Account Control dialog box appears.
Because your user account is not a member of Administrators, the dialog box requires you to enter administrative credentials: a user name and a password.
If you do not see the User Name and Password boxes, make sure that you are logged on as Pat.Coleman, and not as Pat.Coleman_Admin.
2. Click Use another account, and then, in the User name box, type Pat.Coleman_Admin.
3. In the Password box, type Pa$$w0rd, and then press Enter.
Server Manager opens.
Task 3: Examine the credentials used by running processes.
1. Right-click the taskbar and click Start Task Manager.
2. Click the Processes tab.
3. Click Show processes from all users. Then, in the User Account Control dialog box, authenticate as Pat.Coleman_Admin, with the password, Pa$$w0rd.
Task Manager can run without administrative credentials, but it will show only those processes running under the current user account. Therefore, the User Account Control dialog box includes an option to authenticate by using the same credentials with which you are logged on: Pat.Coleman.
4. Click the Processes tab and sort by User Name.
5. Locate the processes being run as Pat.Coleman and Pat.Coleman_Admin.
Question: Which processes are running as Pat.Coleman_Admin? What applications do the processes represent?
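The check that Task 3 performs in Task Manager can also be scripted. The following PowerShell is an added example, not part of the lab: it lists the owner of every process in the current logon session and picks out those running under an administrative account. The function name Get-SessionProcessOwner is hypothetical, and the `*_Admin` match assumes the lab's Pat.Coleman_Admin naming convention.

```powershell
# Added example, not from the courseware. Get-SessionProcessOwner is a hypothetical name.
# Run it from an elevated prompt: without elevation, WMI returns owners only
# for the caller's own processes, the same limit Task Manager has before step 3.

function Get-SessionProcessOwner {
    param(
        [int]$SessionId = (Get-Process -Id $PID).SessionId   # default: this logon session
    )

    Get-WmiObject -Class Win32_Process -Filter "SessionId = $SessionId" | ForEach-Object {
        $user = '<owner not readable>'       # kept when access is denied or the process has exited
        try {
            $owner = $_.GetOwner()
            if ($owner.ReturnValue -eq 0) {
                $user = '{0}\{1}' -f $owner.Domain, $owner.User
            }
        }
        catch {
            # The process ended between enumeration and the GetOwner call.
        }
        New-Object PSObject -Property @{
            User      = $user
            Name      = $_.Name
            ProcessId = $_.ProcessId
        }
    }
}

$processes = @(Get-SessionProcessOwner)

# One row per account: how many processes it owns in this session, and which ones.
$processes | Group-Object User | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        User      = $_.Name
        Count     = $_.Count
        Processes = (($_.Group | ForEach-Object { $_.Name } | Sort-Object -Unique) -join ', ')
    }
} | Select-Object User, Count, Processes | Format-Table -AutoSize -Wrap

# Tools started through Run as administrator appear under the administrative account.
# Assumption: administrative accounts follow the lab's <name>_Admin convention.
$processes | Where-Object { $_.User -like '*_Admin' } |
    Sort-Object Name | Select-Object Name, ProcessId, User | Format-Table -AutoSize
```

On a least-privilege desktop the second table should contain only the tools that were deliberately elevated, such as Server Manager and Task Manager in this exercise.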
Task 4: Run the command prompt as an administrator.
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, authenticate as Pat.Coleman_Admin, with the password, Pa$$w0rd.
The Administrator: Command Prompt window appears.
3. Close the Command Prompt window.
4. Click Start, and in the Start Search box, type cmd.exe, and then press Ctrl+Shift+Enter.
In the Start Search box, the keyboard shortcut Ctrl+Shift+Enter runs the specified command as an administrator.
5. In the User Account Control dialog box, authenticate as Pat.Coleman_Admin, with the password, Pa$$w0rd.
6. The Administrator: Command Prompt window appears.
Task 5: Run administrative tools as an administrator.
1. Click the Show desktop icon in the notification area.
2. Click Start, point to Administrative Tools, right-click Active Directory Administrative Center, and then click Run as administrator.
3. In the User Account Control dialog box, authenticate as Pat.Coleman_Admin, with the password, Pa$$w0rd.
Task 6: Run a custom administrative console as an administrator.
You are beginning to see that it can become tedious to run as an administrator each and every administrative tool that you require. One advantage of a custom administrative console is that you can run the console, containing multiple snap-ins, with a single Run As Administrator command.
1. Close all open windows on your desktop.
2. Run C:\AdminTools\MyConsole with administrative credentials. In the User Account Control dialog box, authenticate as Pat.Coleman_Admin, with the password, Pa$$w0rd.
3. Log off from NYC-DC1. Do not shut down or reset the virtual machine.
Results: In this exercise, you learned that by having a single, custom administrative console, you make it easier for yourself to work securely. You can log on to your computer with user (nonadministrative) credentials and run that single console as an administrator.
Note: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.
Lab Review Questions
Question: Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
Question: When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?
Lesson 3: Find Objects in Active Directory
As the Active Directory database becomes populated with user, group, computer, and other objects, it may become difficult to find a specific object or objects that you want to modify. In this lesson, you will learn several ways to locate objects in Active Directory.
Objectives
After completing this lesson, you will be able to:
Control the view of objects in the Active Directory Users and Computers snap-in.
Locate objects in Active Directory.
Work with saved queries.
Scenarios for Finding Objects in Active Directory
You have learned how to create objects in Active Directory. However, what good is information in a directory service if you can't get it out of the directory? There are many occasions on which you will need to locate objects in Active Directory:
Granting permissions. When you configure permissions for a file or folder, you must select the group (or user) to which permissions should be assigned.
Adding members to groups. A group's membership can consist of users, computers, groups, or any combination of the three. When you add an object as a member of a group, you must select the object.
Creating links. Linked properties are properties of one object that refer to another object. Group membership is, in fact, a linked property. There are other linked properties, such as the ManagedBy attribute, that are also links. When you specify the ManagedBy name, you must select the appropriate user or group.
Looking up an object. You can search for any object in your Active Directory domain.
There are many other situations that will require searching Active Directory. There are several user interfaces that you will encounter. In this lesson, you'll learn some tricks for working with each.
Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box
When you add a member to a group, assign a permission, or create a linked property, you are presented with the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box shown here.
If you know the names of the objects you need, you can type them directly into the large text box. Multiple names can be entered, separated by semicolons, as shown above.
When you click OK, Windows looks up each item in the list and converts it into a link to the object, then closes the dialog box. The Check Names button also converts each name to a link, but leaves the dialog box open.
You do not need to enter the full name; you can enter either the user's first name or last name, or even just part of the first or last name. When you click OK or Check Names, Windows will attempt to convert your partial name to the correct object. If there is only one matching object, the names will be resolved.
If there are multiple matches, such as the name, Tony, you will be presented with the Multiple Names Found box shown below. Select the correct name(s) and click OK.
07/06/13 Module 2: Administering Active Directory Securely and Efficiently
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=4&FontSize=3&FontType=segoe 41/93
By default, the Select dialog box searches the entire domain. If you are getting too many results and wish to narrow down the scope of your search, or if you need to search another domain or the local users and groups on a domain member, click Locations.
Additionally, the Select dialog box, despite its full name (Select Users, Contacts, Computers, Services, or Groups), rarely searches all object types. For example, when you add members to a group, computers are not searched by default. If you enter a computer name, it will not be resolved correctly. When you specify the name on the Managed By tab, groups are not searched by default. You must ensure that the Select dialog box is scoped to resolve the types of objects you want to select. Click the Object Types button and use the Object Types dialog box shown below to select the correct types, and then click OK.
If you are having trouble locating the objects you want, click the Advanced button on the Select dialog box. The advanced view, shown below, allows you to search both name and description fields, and disabled accounts, non-expiring passwords, and stale accounts that have not logged on for a specific period of time.
Some of the fields on the Common Queries tab may be disabled, depending on the object type you are searching for. Click the Object Types button to specify exactly the type of object you want.
Options for Locating Objects
Although you can navigate through Active Directory and browse for an object, you will often locate the object you need more quickly by sorting or searching. You can use both the Active Directory Users and Computers and the Active Directory Administrative Center to sort and search. Each of these options can help you locate an object more quickly.
Demonstration: Control the View of Objects in Active Directory Administrative Tools
The details pane of the Active Directory Users and Computers snap-in and the Active Directory Administrative Center can be customized to help you work effectively with the objects in your directory. Use the Add/Remove Columns command on the View menu (in Active Directory Users and Computers) or the Select Columns command (in Active Directory Administrative Center) to add columns to the details pane. Not every attribute is available to be displayed as a column, but you are certain to find columns that will be useful to display. You might also find columns that are unnecessary. If your OUs have only one type of object (for example, user or computer), the Type column may not be helpful.
When a column is visible, you can change the order of columns by dragging the column headings to the left or right. You can also sort the view in the details pane by clicking the column; the first click will sort in ascending order, the second in descending order, just like in Windows Explorer.
A common customization is to add the Last Name column to a view of users, so that they can be sorted by last name. It is generally easier to find users by last name than by the Name column, which is the common name (CN) and is generally first name last name.
To add the Last Name column to the details pane in the Active Directory Users and Computers console:
1. Click the View menu, and then click Add/Remove Columns.
2. In the Available columns list, click Last Name.
3. Click the Add button.
4. In the Displayed columns list, click Last Name, and then click Move Up two times.
5. In the Displayed columns list, click Type, and then click Remove.
6. Click OK.
7. In the details pane, click the Last Name column header to sort alphabetically by last name.
To add the Last Name column to the details pane in the Active Directory Administrative Center:
1. In the details pane, right-click a column heading, and then click Select Columns.
2. In the Available Columns list, click Last Name.
3. Click the >> button.
4. In the Selected columns list, click Last Name, and then click Move Up two times.
5. In the Selected columns list, click Type, and then click
Windows systems also provide the Active Directory query tool, which is known as the Find box. One way to start the Find box is to click the Find Objects In Active Directory Domain Services button in the Active Directory Users and Computers snap-in. The button and the resulting Find box are shown in the following image.
Use the Find drop-down list to specify the type(s) of objects you want to query, or select Common Queries or Custom Search. The In drop-down list specifies the scope of the search. We recommend that whenever possible, you narrow the scope of the search to avoid the performance impacts of a large, domain-wide search. Together, the Find and the In lists define the scope of the search.
Next, configure the search criteria. Commonly used fields are available as criteria based on the type of query you are performing. When you have specified your search scope and criteria, click Find Now. The results will appear.
You can then right-click any item in the results list and choose administrative commands such as Move, Delete, and Properties.
Determine Where an Object Is Located
Sometimes, you may want to find an object by using the Find command, because you don't actually know where the object is.
To determine where an object is located:
1. In Active Directory Users and Computers, click the View menu, and then select Advanced Features.
2. Click the Find button, and then perform a search for the object.
3. Right-click the object, click Properties, and then click the Object tab.
4. The Canonical name of object shows you the path to the object, starting at the domain.
Alternatively, in the Find dialog box, you can display the Published At column.
1. In the Find dialog box, click the View menu, and then click Choose Columns.
2. In the Columns Available list, click Published At, and then click Add.
3. Click OK.
Demonstration: Use Saved Queries
Windows Server 2003 introduced the Saved Queries node of the Active Directory Users and Computers snap-in. This powerful function allows you to create rule-driven views of your domain, displaying objects across one or more OUs.
To create a saved query:
1. Open the Active Directory Users and Computers snap-in.
Saved queries are not available in the Active Directory Users and Computers snap-in that is part of Server Manager. You must use the Active Directory Users and Computers console or a custom console with the snap-in.
2. Right-click Saved Queries, point to New, and then click Query.
3. Enter a name for the query.
4. Optionally, enter a description.
5. Click Browse to locate the root for the query.
The search will be limited to the domain or OU you select. We recommend that you narrow your search as much as possible, to improve search performance.
6. Click Define Query to define your query.
7. In the Find dialog box, select the type of object you want to query.
The tabs in the dialog box and the input controls on each tab change to provide options that are appropriate for the selected query.
8. Configure the criteria for your query.
9. Click OK.
After your query is created, it is saved within the instance of the Active Directory Users and Computers snap-in. So, if you opened the Active Directory Users and Computers console (dsa.msc), your query will be available the next time you open the console. If you created the saved query in a custom console, it will be available in that custom console. To transfer saved queries to other consoles or users, you can export the saved query as an XML file, and then import it to the target snap-in.
The view of the saved query in the details pane can be customized as described earlier, with specific columns and sorting. A very important benefit of saved queries is that the customized view is specific to each saved query. When you add the Last Name column to the normal view of an OU, the Last Name column is actually added to the view of every OU, so you will see an empty Last Name column even for an OU of computers or groups. With saved queries, you can add the Last Name column to a query for user objects, and other columns for other saved queries.
Saved queries are a powerful way to virtualize the view of your directory and to monitor for issues such as disabled or locked accounts. Learning to create and manage saved queries is a worthwhile use of your time.
Demonstration: Find Objects by Using Active Directory Administrative Center
Key Points
The Active Directory Administrative Center provides enhanced features for performing searches throughout the infrastructure.
To perform a search by using the Active Directory Administrative Center:
1. Open the Active Directory Administrative Center.
2. In the navigation pane, click Global Search.
3. Enter the search criteria and scope.
4. Click Search.
You may also choose to save your query, which allows you to quickly reevaluate your search criteria at any time.
Lab B: Find Objects in Active Directory
Lab Setup
The virtual machine should already be started and available after completing Lab A. However, if it is not, you should start the virtual machine, complete the exercises in Lab A, and then start Lab B.
Log on to NYCDC1 as Pat.Coleman, with the password, Pa$$w0rd.
Lab Scenario
Contoso, Ltd. now spans five geographic sites around the world, with over 1,000 employees. Because your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining the best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.
Exercise 1: Find Objects in Active Directory
In this exercise, you will use several tools and interfaces that make it easier for you to find an object in Active Directory.
The main tasks for this exercise are as follows:
1. Explore the behavior of the Select dialog box.
2. Control the view of objects in the Active Directory Users and Computers snap-in.
3. Use the Find command.
4. Determine where an object is located.
Task 1: Explore the behavior of the Select dialog box.
The virtual machine should already be started and available after completing Lab A. However, if it is not, you should start the virtual machine, complete the exercises in Lab A, and then start Lab B.
1. On NYCDC1, run your custom console, C:\AdminTools\MyConsole.msc as an administrator with user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. In the console tree, expand the Active Directory Users and Computers snap-in, the Contoso.com domain, and the UserAccounts OU, and then click the Employees OU.
3. Right-click Pat Coleman, and then click Properties.
4. Click the Member Of tab.
5. Click Add.
6. In the Select Groups dialog box, type the name, Special.
7. Click OK. The name is resolved to SpecialProject.
8. Click OK again to close the Properties dialog box.
9. In the console tree, expand the Groups OU, and then click the Role OU.
10. In the details pane, right-click the SpecialProject group, and then click Properties.
11. Click the Members tab.
12. Click Add.
The Select Users, Contacts, Computers, Service Accounts, or Groups dialog box appears.
13. Type linda;joan, and then click the Check Names button.
The Select dialog box resolves the names to Linda Mitchell and Joanna Rybka, and underlines the names to indicate visually that the names are resolved.
14. Click OK.
15. Click Add.
16. Type carole, and then click OK.
The Select dialog box resolves the name to Carole Poland and closes. You see Carole Poland on the Members list.
When you click the OK button, a Check Names operation is performed prior to closing the dialog box. It is not necessary to click the Check Names button unless you want to check names and remain in the Select dialog box.
17. Click Add.
18. Type tony;jeff, and then click OK.
Because there are multiple users matching tony, the Multiple Names Found box appears.
19. Click Tony Krijnen, and then click OK.
Because there are multiple users matching jeff, the Multiple Names Found box appears.
20. Click Jeff Ford, and then click OK. Click OK to close the SpecialProject Properties dialog box.
Whenever there is more than one object that matches the information you enter, the check names operation will give you the opportunity to choose the correct object.
21. In the console tree, click the Application OU under the Groups OU.
22. In the details pane, right-click the APP_Office group, and then click Properties.
23. Click the Members tab.
24. Click Add.
25. In the Select dialog box, type NYCCL1.
26. Click Check Names.
A Name Not Found dialog box appears, indicating that the object you specified could not be resolved.
27. Click Cancel to close the Name Not Found box.
28. In the Select box, click Object Types.
29. Select the check box next to Computers, and then click OK.
30. Click Check Names.
The name will resolve now that the Select box is including computers in its resolution.
31. Click OK.
32. Click OK to close the APP_Office Properties dialog box.
Task 2: Control the view of objects in the Active Directory Users and Computers snap-in.
1. In the console tree, expand the contoso.com domain and the UserAccounts OU, and then click the Employees OU.
2. Click the View menu, and then click Add/Remove Columns.
3. In the Available Columns list, click Last Name.
4. Click the Add button.
5. In the Displayed columns list, click Last Name and click Move Up two times.
6. In the Displayed columns list, click Type, and then click Remove.
7. Click OK.
8. In the console tree, expand the contoso.com domain and the UserAccounts OU, and then click the Employees OU.
9. In the details pane, click the Last Name column header to sort alphabetically by last name.
10. Click the View menu, and then click Add/Remove Columns.
11. In the Available Columns list, click Pre-Windows 2000 Logon.
12. Click the Add button.
13. In the Displayed columns list, click Pre-Windows 2000 Logon and click Move Up.
14. Click OK.
15. In the console tree, expand the contoso.com domain and the UserAccounts OU, and then click the Employees OU.
Task 3: Use the Find command.
1. In the console tree, expand the contoso.com domain and the UserAccounts OU, and then click the Employees OU.
2. Click the Find button in the toolbar.
3. In the Name box, type Dan, and then click Find Now.
4. How many items were found? Look at the status bar, at the lower part of the Find Users, Contacts, and Groups window.
5. Click the In drop-down list, and then click Entire Directory.
6. Click Find Now.
7. How many items were found? Look at the status bar, at the lower part of the Find Users, Contacts, and Groups window.
8. Close the Find Users, Contacts, and Groups dialog box.
Task 4: Determine where an object is located.
1. Turn on the view of Advanced Features for the Active Directory Users and Computers snap-in.
2. Use the Find command to locate users in the domain whose names begin with Pat.Coleman. You should see two results.
3. Use the properties of Pat Coleman (Admin) to determine where the user is located in Active Directory.
Results: In this exercise, you learned that there are several interfaces with which you perform searches against Active Directory, and you know how to control the view in the Active Directory Users and Computers snap-in.
Exercise 2: Use Saved Queries
In this exercise, you will create saved queries with which administrative tasks can be more efficiently performed.
The main tasks for this exercise are as follows:
1. Create a saved query that displays all domain user accounts.
2. Create a saved query that shows all user accounts with non-expiring passwords.
3. Transfer a query to another computer.
Task 1: Create a saved query that displays all domain user accounts.
Create a saved query called AllUserObjects that shows all users in the domain.
Task 2: Create a saved query that shows all user accounts with non-expiring passwords.
Create a saved query called NonExpiringPasswords that shows all users in the domain whose passwords do not expire.
Note that for the purposes of maintaining a simple, single password for all users in this course, all user accounts are configured so that passwords do not expire. In a production environment, user accounts should not be configured with non-expiring passwords.
Task 3: Transfer a query to another computer.
1. Export the NonExpiringPasswords query to C:\AdminTools\Query_NonExpPW.xml.
2. Delete the NonExpiringPasswords query.
3. Import the C:\AdminTools\Query_NonExpPW.xml query.
4. Log off from NYCDC1.
Results: In this exercise, you created two saved queries. The first query, AllUserObjects, demonstrates that a saved query can create a virtualized view of your domain, allowing you to see objects that meet a set of criteria, regardless of which OU those objects are in. The second query, NonExpiringPasswords, demonstrates that you can use saved queries to monitor the health of your environment.
Note: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in Lab C.
Lab Review Questions
Question: In your work, what scenarios require you to search Active Directory?
Question: What types of saved queries can you create to help you perform your administrative tasks more efficiently?
Lesson 4: Use Windows PowerShell to Administer Active Directory
Windows PowerShell is quickly becoming the primary foundation for administering a number of Microsoft server products. For example, products such as Microsoft Exchange 2010 and Microsoft SQL Server 2008 use Windows PowerShell for most, if not all, of the configuration and management tasks. Windows Server 2008 R2 provides a number of enhancements to how PowerShell can administer Active Directory.
Objectives
After completing this lesson, you will be able to:
Describe Windows PowerShell.
Describe the requirements for using Windows PowerShell.
Describe how Windows PowerShell syntax works.
Describe Active Directory PowerShell cmdlets.
Use PowerShell cmdlets to perform administrative tasks in Active Directory.
What Is Windows PowerShell?
Windows PowerShell is not just a scripting language. Windows PowerShell is an engine designed to run commands that perform administrative tasks, such as creating new user accounts, configuring services, deleting mailboxes, and so on.
Windows PowerShell provides many ways in which you can specify which commands to run. You can, for example, manually type command names in a command-line console window. You can also type commands in an integrated scripting environment (ISE) that offers a more graphically rich command-line environment. Windows PowerShell can also be integrated within an application, allowing commands to run in response to user actions such as clicking buttons or icons. You can also type a series of commands into a text file, and instruct the shell to run the commands in that file.
In an ideal world, Windows PowerShell is a single, central source for administrative functionality. Ideally, you may use a graphical user interface (GUI) with buttons, icons, dialog boxes, and other elements that run Windows PowerShell commands in the background. If the GUI does not allow you to accomplish a task in exactly the way you want, you may choose to run those same commands in the order and way you prefer, directly in the command-line console, bypassing the GUI. Many Microsoft products are built in that exact way, including Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. The Active Directory Administrative Center in Windows Server 2008 R2 is also built in this ideal way. Thus, you can choose to use a GUI that runs Windows PowerShell commands in the background, or you can choose to run the commands directly in the Windows PowerShell console or ISE.
This choice, to use commands directly or to have commands run for you as part of a GUI, is part of what makes Windows PowerShell so compelling. With this shell, Microsoft recognizes and acknowledges that some tasks are easier to do in a GUI, especially tasks that you don't perform very often. A GUI can guide you through complex operations, and can help you understand your choices and options more easily. However, Microsoft also recognizes that a GUI can be inefficient for tasks that you need to perform repeatedly, such as creating new user accounts. By building as much administrative functionality as possible in the form of Windows PowerShell commands, you can choose what's right for any given task: the ease of use of a GUI, or the power and customization of a command-line shell. Over time, Windows PowerShell may replace other low-level administrative tools that you may have used. For example, Windows PowerShell can already supplant Visual Basic Script Edition (VBScript), because the shell has access to the same features that VBScript does, although, in many cases, the shell provides easier ways to accomplish the same tasks. Windows PowerShell may also replace your use of Windows Management Instrumentation (WMI). Although WMI remains very useful, it can also be complex to use. Windows PowerShell can wrap task-specific commands around underlying WMI functionality. You are technically still using WMI, but doing so becomes easier because you can run an easier-to-use, task-based command.
Installation Requirements for Windows PowerShell 2.0
Windows PowerShell 2.0 is preinstalled by default in Windows Server 2008 R2 and Windows 7. In Windows Server 2008 R2, you can optionally install the Windows PowerShell ISE, a graphically oriented shell environment.
Windows PowerShell 2.0 is also available as a Web download for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Windows PowerShell v2 is included in the Windows Management Framework Core, which also includes other related management technologies. The download can be found at http://go.microsoft.com/fwlink/?LinkId=193574 and separate versions are available for different operating systems and architectures (32-bit and 64-bit). The download includes the Windows PowerShell ISE and the more traditional command-line console.
Windows PowerShell v2 can be installed on the following operating systems:
Windows Server 2008 with Service Pack 1
Windows Server 2008 with Service Pack 2
Windows Server 2003 with Service Pack 2
Windows Vista with Service Pack 2
Windows Vista with Service Pack 1
Windows XP with Service Pack 3
Windows Embedded POSReady 2009
Windows Embedded for Point of Service 1.1
Windows PowerShell 2.0 requires Microsoft .NET Framework 2.0 with Service Pack 1 and Windows PowerShell ISE requires Microsoft .NET Framework 3.5 with Service Pack 1.
Note: The content in the following section only applies to Windows Server 2008 R2.
Active Directory Module for Windows PowerShell
Windows Server 2008 R2 includes the Active Directory Module for Windows PowerShell. This module consolidates a group of cmdlets that are used to manage AD DS domains, Active Directory Lightweight Directory Services (AD LDS) configuration sets, and the Active Directory Database Mounting Tool.
The Active Directory module is installed when:
You install the AD DS or AD LDS server roles.
You run Dcpromo.exe.
You install Remote Server Administration Tools (RSAT) on Windows Server 2008 R2 or Windows 7.
Note: To use the Active Directory module to manage AD DS, the Windows Server 2008 R2 Active Directory Web Services (ADWS) service must be installed on at least one domain controller in the domain.
Overview of the Windows PowerShell Syntax
All Windows PowerShell cmdlets are used as verb-noun pairs. A hyphen (-) without spaces separates the verb-noun pair, and the cmdlet nouns are always singular. Verbs refer to the action that the cmdlet takes. Nouns refer to the object on which the cmdlet takes action. For example, in the Get-ADUser cmdlet, the verb is Get, and the noun is ADUser. All cmdlets that manage a particular feature share the same noun.
Using Cmdlets
Cmdlets also have named, positional, and switch parameters that you specify with the cmdlet to modify its behavior or to provide additional information to control it. You specify named parameters with additional information, such as the value you want to set, and you define these values by using a specific name. You can use positional parameters to supply values to the cmdlet based on the value's location, rather than on a parameter name.
Most of the Active Directory cmdlets that retrieve objects (those that use Get as the verb component of the cmdlet name) have defined a mandatory filter parameter. You can specify * for this parameter, but you should generally specify more precise criteria so that you are querying only those objects that you absolutely need.
The filter parameter of the Active Directory cmdlets accepts Windows PowerShell-style criteria.
    Get-ADUser -Filter 'Name -like "*SvcAccount"'
    Get-ADUser -Filter {Name -eq "Adam Carter"}
Using Cmdlets Together
Pipelining is the process of using multiple cmdlets simultaneously to gather information, which you can then pass to other cmdlets for additional processing. Pipelining allows you to chain one cmdlet to another so that the results of the previous cmdlet act as input to the next cmdlet. To pipeline information from one cmdlet to another, specify the pipe character between the cmdlets. The pipe character is a vertical bar (|). You can pipeline more than two cmdlets. In fact, you can use as many as necessary to achieve the results you desire.
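The filter and pipeline guidance above, applied to the account-health checks this module describes (disabled accounts, non-expiring passwords, and stale accounts). This is an added example, not part of the course material; the function name, the 90-day threshold, the output file name, and the OU distinguished name are assumptions to adjust for your domain.

```powershell
Import-Module ActiveDirectory

function Get-AccountHealthReport {
    param(
        # Assumed OU path; replace with the distinguished name of the OU you audit.
        [string]$SearchBase = 'OU=UserAccounts,DC=contoso,DC=com',
        # Assumed threshold for treating an account as stale.
        [int]$StaleDays = 90
    )

    # lastLogonTimestamp is stored as a Windows file time (Int64), so the cutoff
    # is converted to the same representation before it goes into the filter.
    # The attribute replicates with a lag of up to about two weeks, so it is
    # suitable for finding stale accounts, not for exact last-logon times.
    $cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTime()

    # Each check is a precise -Filter expression rather than -Filter *.
    # An account that has never logged on has no lastLogonTimestamp value and
    # is not matched by a -lt comparison, so it gets its own check.
    $checks = @{
        'NonExpiringPassword' = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
        'Disabled'            = 'Enabled -eq $false'
        'Stale'               = ('Enabled -eq $true -and LastLogonTimestamp -lt {0}' -f $cutoff)
        'NeverLoggedOn'       = 'Enabled -eq $true -and LastLogonTimestamp -notlike "*"'
    }

    foreach ($finding in $checks.Keys) {
        # -SearchBase narrows the scope of the search to one OU subtree;
        # -Properties requests only the extra attributes the report needs.
        Get-ADUser -Filter $checks[$finding] -SearchBase $SearchBase -SearchScope Subtree `
                   -Properties LastLogonTimestamp, PasswordNeverExpires |
            Select-Object @{ Name = 'Finding'; Expression = { $finding } },
                          SamAccountName,
                          Name,
                          Enabled,
                          PasswordNeverExpires,
                          @{ Name = 'LastLogon'; Expression = {
                              if ($_.LastLogonTimestamp) {
                                  [DateTime]::FromFileTime($_.LastLogonTimestamp)
                              }
                          } },
                          DistinguishedName
    }
}

# Pipeline: gather, sort, and export for review. An account can appear under
# more than one finding (for example, both Stale and NonExpiringPassword).
Get-AccountHealthReport |
    Sort-Object Finding, SamAccountName |
    Export-Csv -Path .\AccountHealth.csv -NoTypeInformation
```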
Windows PowerShell Cmdlets for Active Directory
The following table lists various tasks that can be performed by using the Active Directory for Windows PowerShell module.

Management Category / Task

User Management
    Creating a user
    Modifying an attribute for multiple users
    Setting profile attributes
    Renaming a user
    Finding and unlocking user accounts
    Enabling or disabling user accounts

Computer Management
    Joining a computer to a domain
    Adding or removing a computer account
    Resetting a computer account
    Modifying attributes of computer accounts

Group Management
    Creating a group
    Adding and removing members of a group
    Viewing the members of a group
    Changing the group scope or type

Organizational Unit Management
    Creating or deleting an OU
    Listing objects in an OU
    Assigning or removing a manager of an OU
    Moving the objects in an OU

Password Policy Management
    Creating and managing fine-grained password policies
    Modifying the default domain password policy
    Get resultant password policy for a user

Searching and modifying objects
    Searching the global catalog
    Importing objects by using a CSV file
    Exporting objects to a CSV file
    Searching for and restoring deleted objects

Forest and Domain Management
    Finding the domains in a forest
    Raising the functional level of the domain or forest
    Viewing the trusts for a domain

Domain Controller and Operations Master Management
    Finding the domain controllers for a domain
    Moving the domain controller to a different site
    Enabling and disabling the Global Catalog
    Managing operations master roles

Managed Service Account Management
    Creating or removing a managed service account
    Associating a managed service account with a computer
    Resetting the password of a managed service account

Note: The preceding table is only a subset of the full functionality that can be performed with Windows PowerShell. For a full list including examples, see http://go.microsoft.com/fwlink/?LinkID=214183
Demonstration: Manage Users and Groups by Using Windows PowerShell
In this demonstration, your instructor will show you various tasks that can be performed by using Windows PowerShell.
Demonstration Steps
1. Open the Active Directory Module for Windows PowerShell.
2. Perform the following tasks:
Create a new OU.
new-adorganizationalunit Test1
new-adorganizationalunit Test2
Create a new user.
new-aduser -name TestUser1 -department IT -city "NewYork" -organization "Contoso"
Move a user to a new OU.
get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=Test2,dc=contoso,dc=com"
View group membership.
get-adgroup -filter "Name -eq 'Domain Admins'"
get-adgroup -filter "Name -eq 'Domain Admins'" | get-adgroupmember
Add members to a group.
add-adgroupmember "Marketing" testuser1
Set the password for a new user and enable the user account.
# Single quotes keep the $$ in the password literal; inside double quotes PowerShell would expand it as a variable.
Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd1' -Force)
get-aduser -filter 'Name -eq "TestUser1"' | enable-adaccount
Lab C: Use Windows PowerShell to Administer Active Directory
Lab Setup
The virtual machine should already be started and available after completing Lab B. However, if it is not, you should start the virtual machine, complete the exercises in Lab B, and then start Lab C.
Log on to NYCDC1 as Contoso\Administrator, with the password, Pa$$w0rd.
Lab Scenario
Contoso, Ltd. is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.
Exercise: Use Windows PowerShell to Administer Active Directory
In this exercise, you will use Windows PowerShell to perform basic administrative tasks.
The main tasks for this exercise are as follows:
1. List all commands in the Active Directory module.
2. Retrieve all users matching a specific department and office by using server-side filtering.
3. Reset user passwords and address information.
4. Disable users who belong to a specific group.
5. Discover any OUs that are not protected against accidental deletion.
6. Create a report showing all Windows Server 2008 R2 servers.
Note: Because of the complexity of the command-line requirements, the workbook steps match the lab answer keys for this lab.
Task 1: List all commands in the Active Directory module.
1. On the Start menu of NYCDC1, click All Programs, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
2. In the PowerShell window, type the following command, and then press Enter.
Get-Command -Module ActiveDirectory
Task 2: Retrieve all users matching a specific department and office by using server-side filtering.
1. In the PowerShell window, type the following command, and then press Enter.
Get-Help Get-ADUser -Full
2. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser
3. When you are prompted to enter a value for the Filter parameter, type the following, and then press Enter.
!?
4. After reviewing the help documentation for the Filter parameter, type the following, and then press Enter.
department -eq "Marketing"
5. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'department -eq "Marketing"'
6. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter '(department -eq "Marketing") -and (office -eq "London")'
Task 3: Reset user passwords and address information.
1. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"'
2. In the PowerShell window, type the following commands, and then press Enter after each line.
Get-Help Read-Host -Full
Get-Help Set-ADAccountPassword -Full
3. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"' | Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString 'New password')
4. When prompted, enter the password, Pa$$w0rd1, and then press Enter.
Pa$$w0rd1
5. In the PowerShell window, type the following command, and then press Enter.
Get-Help Get-ADUser -Parameter Properties
6. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"' -Properties Office,StreetAddress,City,State,Country,PostalCode | Format-Table SamAccountName,Office,StreetAddress,City,State,Country,PostalCode
7. In the PowerShell window, type the following command, and then press Enter.
Get-Help Set-ADUser -Full
8. In the PowerShell window, type the following command, and then press Enter.
Get-ADUser -Filter 'office -eq "New York"' -Properties Office,StreetAddress,City,State,Country,PostalCode | Set-ADUser -Office Main -StreetAddress '2345 Main St.' -City Bellevue -State WA -Country US -PostalCode '95102'
Task 4: Disable users who belong to a specific group.
1. In the PowerShell window, type the following command, and then press Enter.
Get-Help Get-ADGroup -Full
2. In the PowerShell window, type the following command, and then press Enter.
Get-ADGroup -Filter *
3. In the PowerShell window, type the following command, and then press Enter.
Get-ADGroup -Identity Sales
4. In the PowerShell window, type the following command, and then press Enter.
Get-Help Get-ADGroupMember -Full
5. In the PowerShell window, type the following command, and then press Enter.
Get-ADGroup -Identity Sales | Get-ADGroupMember
6. In the PowerShell window, type the following command, and then press Enter.
Get-Help Disable-ADAccount -Full
7. In the PowerShell window, type the following command, and then press Enter. Note that the error message referring to the Sales Managers group is expected.
Get-ADGroup -Identity Sales | Get-ADGroupMember | Disable-ADAccount -WhatIf
8. In the PowerShell window, type the following command, and then press Enter. Note that the error message referring to the Sales Managers group is expected.
Get-ADGroup -Identity Sales | Get-ADGroupMember | Disable-ADAccount
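The expected error in steps 7 and 8 can be avoided by passing only user objects to Disable-ADAccount and reporting everything else that was skipped. The following is an added example, not part of the course lab; it assumes the error arises because Sales Managers is a group nested inside Sales, and the function name Disable-GroupUser is hypothetical.

```powershell
# Added example (not from the course lab). Assumes the lab's Sales group
# and the ActiveDirectory module; Disable-GroupUser is a hypothetical name.
Import-Module ActiveDirectory

function Disable-GroupUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [switch]$Recursive   # also include members of nested groups
    )

    # Get-ADGroupMember returns users, computers and nested groups alike.
    # With -Recursive it flattens nested groups and returns only leaf members.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive

    # Report what is skipped so the scope of the change is explicit.
    $members | Where-Object { $_.objectClass -ne 'user' } | ForEach-Object {
        Write-Warning "Skipping $($_.objectClass) '$($_.Name)'"
    }

    # Only user objects are passed on, so a nested group never reaches
    # Disable-ADAccount and no error is raised.
    $members | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.distinguishedName, 'Disable account')) {
            Disable-ADAccount -Identity $_.distinguishedName
            $_.SamAccountName   # emit each account that was actually disabled
        }
    }
}

# Dry run: lists the accounts that would be disabled and changes nothing.
# Remove -WhatIf to apply; add -Recursive to include nested group members.
Disable-GroupUser -GroupName Sales -WhatIf
```

Without -Recursive, only direct user members of Sales are affected and the nested group is reported as skipped; with -Recursive, the users inside the nested group are disabled as well, so review the -WhatIf output before applying the change.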
Task 5: Discover any OUs that are not protected against accidental deletion.
1. In the PowerShell window, type the following command, and then press Enter.
Get-Help Get-ADOrganizationalUnit -Full
2. In the PowerShell window, type the following command, and then press Enter.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion
3. In the PowerShell window, type the following command, and then press Enter.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {-not $_.ProtectedFromAccidentalDeletion}
Task 6: Create a report showing all Windows Server 2008 R2 servers.
1. In the PowerShell window, type the following command, and then press Enter.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion
2. In the PowerShell window, type the following commands, and then press Enter at the end of each line.
Get-Help ConvertTo-Html -Full
Get-Help Out-File -Full
3. In the PowerShell window, type the following command, and then press Enter.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* -Fragment
4. In the PowerShell window, type the following command, and then press Enter.
Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2008 R2*"' -Properties OperatingSystem,OperatingSystemHotfix,OperatingSystemServicePack,OperatingSystemVersion | ConvertTo-Html -Property Name,SID,OperatingSystem* | Out-File C:\OSList.htm
5. In the PowerShell window, type the following command, and then press Enter.
C:\OSlist.htm
Results: In this exercise, you successfully performed administrative tasks by using Windows PowerShell.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425CNYCDC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Module Review and Takeaways
Review Questions
1. What are the four main snap-ins used for Active Directory administration?
2. Is the Active Directory Administrative Center based upon an MMC?
3. List some of the tasks that can be performed with Windows PowerShell.
Tools
| Tool | Use for | Where to find it |
|---|---|---|
| Active Directory Users and Computers | Managing an Active Directory domain | Administrative Tools |
| Active Directory Administrative Center | Managing an Active Directory domain | Administrative Tools |
| Windows PowerShell | Managing an Active Directory domain | Administrative Tools |
Windows Server 2008 R2 Features Introduced in this Module
| Windows Server 2008 R2 feature | Description |
|---|---|
| Active Directory Administrative Center | Used to manage Active Directory Domain Services |
| Active Directory Module for Windows PowerShell | Used to manage Active Directory Domain Services by using Windows PowerShell |