What is it? Where is it? What's in it?
NOS Directory Data Store (directory service, database)
Located on Domain Controllers (DCs); globally distributed and multi-master replicated (no longer the NT4 PDC/BDC model)
Directory data is stored in the Ntds.dit file on each DC; query it with DSQUERY
Objects: Users, Computers, Printers, Faxes, Servers, Services
Containers: Organizational Units (OUs), Groups, Domains
Group Policy Objects (GPOs)
Tree Structure
Builtin container (CN=Builtin) holds the built-in groups such as Administrators and Account Operators
Users container (CN=Users) holds the default accounts (Administrator, Guest) and default domain groups (Domain Admins, Domain Users); user accounts may also live in OUs created by the administrator
Note: Builtin and Users are containers, not OUs, so GPOs cannot be linked to them
AD Users and Computers Snap-in
Domain Controller (DC)
Houses the AD database; should serve that single function
There are 2 types of servers: Domain Controllers and Member Servers
Icons (the snap-in icons themselves are not reproduced here)
Group icon: object is a group (container)
Single-account icon: object is a single account
Disabled icon: object is disabled
Type column: indicates object type; valid types are User, Security Group, Distribution Group
Organizational Units (OUs)
Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration.
The OU is the common level at which to apply GPOs.
The OU is the level at which administrative powers are commonly delegated; however, delegation can be performed on individual objects (or Sites – for another day).
Groups
Protected groups should have limited members and services (each service should be researched for appropriateness):
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Custom groups are created by the entity and should follow a defined naming convention. For example, a group name of HRData should have members from the HR department that are authorized to access sensitive HR data.
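The following is an added example, not part of the original slides, of the membership review the two points above call for. It expands the four protected groups recursively and flags members that look like service accounts (have a servicePrincipalName), never expire their password, are disabled, or have not logged on for 90 days. It then lists accounts still stamped adminCount=1 that are no longer members of any AdminSDHolder-protected group, because that flag is not cleared automatically when a member is removed. It assumes the ActiveDirectory module (RSAT) and read access to the directory; the 90-day threshold is an assumption.

```powershell
# Added example (not from the original slides). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# The four protected groups named on the slide.
$protectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

# Every group whose members AdminSDHolder marks with adminCount=1, not only the four
# above; without these a Backup Operators member would be reported as orphaned.
$sdHolderGroups = $protectedGroups + @('Account Operators', 'Backup Operators', 'Print Operators',
    'Server Operators', 'Replicator', 'Domain Controllers', 'Read-only Domain Controllers')

function Get-ProtectedGroupAudit {
    $staleBefore = (Get-Date).AddDays(-90)   # assumed threshold for "stale"
    foreach ($groupName in $protectedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'"
        if (-not $group) { Write-Warning "$groupName not present in this domain"; continue }

        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties servicePrincipalName, LastLogonDate, PasswordNeverExpires |
            ForEach-Object {
                $flags = @()
                if ($_.servicePrincipalName) { $flags += 'SERVICE-ACCOUNT' }
                if ($_.PasswordNeverExpires) { $flags += 'PWD-NEVER-EXPIRES' }
                if (-not $_.Enabled)         { $flags += 'DISABLED' }
                if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $staleBefore) { $flags += 'STALE' }
                [pscustomobject]@{
                    Group  = $groupName
                    Member = $_.SamAccountName
                    Flags  = ($flags -join ',')
                }
            }
    }
}

function Get-OrphanedAdminCount {
    # DNs of everything currently protected, to compare against adminCount=1 users.
    $current = foreach ($g in $sdHolderGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'"
        if ($grp) { (Get-ADGroupMember -Identity $grp -Recursive).DistinguishedName }
    }
    # Administrator and krbtgt are protected directly, not through group membership.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { @('Administrator', 'krbtgt') -notcontains $_.SamAccountName } |
        Where-Object { $current -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-ProtectedGroupAudit | Format-Table -AutoSize
Get-OrphanedAdminCount  | Format-Table -AutoSize
```

Orphaned adminCount=1 accounts keep the restrictive AdminSDHolder ACL with inheritance disabled, so they are worth either re-enabling inheritance on or clearing the attribute once confirmed they no longer need protection.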
Password Settings
http://technet.microsoft.com/en-us/library/cc737614(WS.10).aspx (MS Recommendations)
Group Policy Objects (GPOs)
GPO creation and editing can only be performed by Domain Admins, Enterprise Admins, Group Policy Creator Owners, or delegated authority.
Should be a highly-managed task and subject to change management policies and procedures.
More than one policy can be applied to a computer (precedence dictates cumulative effect).
A DC always obtains the account policy (password and lockout settings) for domain accounts from a GPO linked to the domain, which by default is the Default Domain Policy GPO. This holds even if a different account policy is defined in a GPO linked to the OU that contains the DC; such OU-linked settings only affect the local accounts of member computers in that OU.
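As an added example (not from the original slides) for the password-settings and GPO points above, the script below prints the account policy the DCs actually enforce and then the GPO links at the domain and at the Domain Controllers OU in precedence order, so an auditor can see where the effective password and lockout settings come from. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) and a domain-joined session.

```powershell
# Added example (not from the original slides). Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and that the session is joined to the domain under review.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Show-AccountPolicySources {
    $domain = Get-ADDomain

    Write-Host "Effective domain account policy (what the DCs enforce for domain accounts):"
    Get-ADDefaultDomainPasswordPolicy |
        Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                    ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow

    # Links on the domain itself: the account policy comes from here.
    # Order 1 is processed last and therefore wins conflicts.
    Write-Host "`nGPOs linked at the domain (source of the account policy):"
    (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize

    # Links on the Domain Controllers OU: other security settings reach the DCs from
    # here, but any account policy defined here does not change the domain policy.
    Write-Host "`nGPOs linked at the Domain Controllers OU (account policy settings here have no effect on domain accounts):"
    (Get-GPInheritance -Target $domain.DomainControllersContainer).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}

Show-AccountPolicySources
```

If the effective policy does not match the Default Domain Policy, compare it against the other domain-linked GPOs listed: a higher-precedence GPO that defines account policy settings overrides the default one.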
Delegation
Often, separation of duties for the network administration function is described as too difficult to implement; in that case, advise delegation. Tasks to delegate: Help Desk functions, user account management, group management, Group Policy.
U:\ITA\Section22X\Audit\Questionnaires, Guides, and Other Audit Information\AD http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx
Delegation Wizard
Good for Help Desk Staff
Not good
"HOW TO: Customize the Task List in the Delegation Wizard," MS Knowledge Base Article 308404
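Whether rights were granted with the Delegation Wizard or directly in the ACL Editor, the result is the same: ACEs on the OU. The added example below (not part of the original slides) lists the explicit, non-inherited ACEs on an OU and flags the rights that amount to full control over the OU and everything under it, which is what an auditor needs to confirm that a Help Desk delegation stayed within its intended scope. It assumes the ActiveDirectory module (RSAT); the OU name is taken from the dsquery slide and the list of "dangerous" rights is the reviewer's assumption.

```powershell
# Added example (not from the original slides). Assumes the ActiveDirectory module,
# which provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [string]$OuDn = 'OU=Sales,DC=Contoso,DC=Com'   # from the dsquery slide
    )

    # Rights that let the holder take over the OU or the objects under it.
    # GenericWrite is included because it allows editing group membership and
    # other attributes on child objects; treat it as full control for review purposes.
    $dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only what was set on this OU itself
        $rights = $ace.ActiveDirectoryRights.ToString()
        $isFull = @($dangerous | Where-Object { $rights -match $_ }).Count -gt 0
        [pscustomobject]@{
            Principal   = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $rights
            # GUID of the attribute or extended right the ACE is limited to;
            # an all-zero GUID means the right applies to every attribute.
            ObjectType  = $ace.ObjectType
            AppliesTo   = $ace.InheritanceType
            FullControl = $isFull
        }
    }
}

Get-OuDelegation | Sort-Object FullControl -Descending | Format-Table -AutoSize
```

A Help Desk delegation done through the wizard typically shows up as several property-specific ACEs (each with a non-zero ObjectType GUID) rather than GenericAll; any FullControl entry for a principal that is not Domain Admins, Enterprise Admins or SYSTEM should be traced back to a change record.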
DSQuery Syntax
To return user information for the domain:
dsquery user domainroot
  Results provide all users in the domain
dsquery user OU=Sales,DC=Contoso,DC=Com -o dn
  Results provide all users in the Sales OU in the Contoso.com domain, output as distinguished names
dsquery user domainroot -inactive 3
  Results provide all users in the domain that have been inactive for 3 weeks (-inactive is measured in weeks)
Note: dsquery returns at most 100 objects by default; add -limit 0 to return all matches.
DSQUERY source information: http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx
Dsquery Commands
Command*            Description
DSQUERY *           Finds any object
DSQUERY computer    Finds computer accounts
DSQUERY contact     Finds contacts
DSQUERY group       Finds group accounts
DSQUERY ou          Finds OUs
DSQUERY partition   Finds AD partitions
DSQUERY quota       Finds object quotas
DSQUERY server      Finds domain controllers
DSQUERY site        Finds AD sites
DSQUERY subnet      Finds subnet objects
DSQUERY user        Finds user accounts
* Output is in Unicode.
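The added example below (not from the original slides) turns the `dsquery user ... -inactive` syntax above into an audit check: it takes the inactive users, removes those that are already disabled (dsquery's own -disabled filter), and marks which of the remaining, still-enabled accounts also have a stale password. No parsing of dsget output is needed because the three dsquery runs return plain distinguished names. It assumes the dsquery tool from the AdminPak/RSAT and the domain from the slide; the 3-week and 90-day thresholds are assumptions.

```powershell
# Added example (not from the original slides). Assumes dsquery.exe is on the path.
function Get-InactiveEnabledUsers {
    param(
        [int]$Weeks = 3,                    # -inactive is measured in weeks
        [int]$StalePasswordDays = 90,       # -stalepwd is measured in days
        [string]$StartNode = 'domainroot'   # or an OU DN such as OU=Sales,DC=Contoso,DC=Com
    )

    # -limit 0 lifts dsquery's default cap of 100 results.
    # Each run prints one quoted DN per line, so the sets can be compared directly.
    $inactive         = @(dsquery user $StartNode -inactive $Weeks -limit 0)
    $inactiveDisabled = @(dsquery user $StartNode -inactive $Weeks -disabled -limit 0)
    $stalePwd         = @(dsquery user $StartNode -stalepwd $StalePasswordDays -limit 0)

    foreach ($dn in $inactive) {
        # An inactive account that is already disabled is not a finding.
        if ($inactiveDisabled -contains $dn) { continue }
        [pscustomobject]@{
            DN            = $dn.Trim('"')
            InactiveWeeks = $Weeks
            StalePassword = ($stalePwd -contains $dn)
        }
    }
}

# Enabled accounts with no logon for 3 weeks; StalePassword=True means the
# password is also older than 90 days.
Get-InactiveEnabledUsers -Weeks 3 -StalePasswordDays 90 | Format-Table -AutoSize
```

Caveat: -inactive relies on the replicated lastLogonTimestamp attribute, which is only updated when the stored value is more than about 14 days old, so a window shorter than two weeks will produce false positives; the 3-week value on the slide is past that threshold.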
Tidbits
Default Administrator account cannot be locked out.
Spaces can be used in Windows passwords.
If the permissions on a protected group or one of its members are modified, they reset after a period of time (the AdminSDHolder process re-applies them every 60 minutes by default) (one exception).
MS Updates should follow the change control process.
Delegation wizard is customizable.
Delegate permissions using the ACL Editor.
GPO refresh is every 90 minutes plus a random offset of up to 30 minutes (90-120 minutes) by default on workstations and member servers; domain controllers refresh every 5 minutes.
http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx