ACTIVE DIRECTORY (AD OR ADS) Part I

Part I. NOS Directory Data Store(directory service, database) Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs)

Dec 28, 2015

Darlene Kennedy
Page 1: Part I. NOS Directory Data Store (directory service, database) Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs)

ACTIVE DIRECTORY (AD OR ADS)

Part I

Page 2

What is it? Where is it? What’s in it?

NOS Directory Data Store (directory service, database)

Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs)

Directory data is stored in the Ntds.dit file on each DC (pull data with DSQUERY)

Objects: Users, Computers, Printers, Faxes, Servers, Services

Containers - Organizational Units (OUs), Groups, Domains

Group Policy Objects (GPOs)

Page 3

Tree Structure

Builtin OU contains default accounts and groups

Users OU contains user accounts or additional OUs

AD Users and Computers Snap-in

Page 4

Domain Controller (DC)

Houses AD database

Single function

There are 2 types of servers: Domain Controllers, Member Servers

Page 5

Icons

This icon indicates object is a group (container)

This icon indicates object is a single account

This icon indicates object is disabled

This indicates object type. Valid types are User, Security Group, Distribution Group

Page 6

Organizational Units (OUs)

Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration.

The OU is the common level at which to apply GPOs.

The OU is the level at which administrative powers are commonly delegated; however, delegation can be performed on individual objects (or Sites – for another day).

Page 7

Groups

Protected groups should have limited members and services (each service should be researched for appropriateness): Enterprise Admins, Schema Admins, Domain Admins, Administrators

Custom groups are created by the entity and should follow a defined naming convention. For example, a group name of HRData should have members from the HR department that are authorized to access sensitive HR data.
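An added example, not part of the original slides: a PowerShell check that enumerates the members of the four protected groups named above and flags any member not on an approved baseline. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read group membership; the approved list is a constructed placeholder, and the account name svc-backup is hypothetical.

```powershell
# Added example (not part of the original slides): review membership of the
# protected groups named on this slide and flag members missing from an
# approved list. Assumes the ActiveDirectory PowerShell module (RSAT) is
# installed and the caller can read group membership in the domain.

Import-Module ActiveDirectory

# Protected groups listed on the slide.
$protectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'

# Constructed, hypothetical approved list; replace with the entity's real baseline.
$approved = @{
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @('Administrator')
    'Domain Admins'     = @('Administrator', 'svc-backup')   # each service account should be researched
    'Administrators'    = @('Administrator')
}

$findings = foreach ($group in $protectedGroups) {
    # -Recursive expands nested groups so indirect members are reviewed too.
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so the lookup is allowed to fail quietly when run from a child domain.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $isApproved = $approved[$group] -contains $m.SamAccountName
        [pscustomobject]@{
            Group       = $group
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Approved    = $isApproved
        }
    }
}

# Report members not on the baseline; these are the audit exceptions to follow up.
$findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# The same membership listing with the DSQUERY/DSGET tools the deck uses:
# dsquery group -name "Domain Admins" | dsget group -members -expand
```

Run it as a scheduled audit job and diff the output against the previous run; a new, unapproved member of any of these groups is the change to investigate first, and the (one exception) reset of protected-group ACLs mentioned later in the deck does not remove members, so membership itself has to be reviewed.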

Page 8

Password Settings

http://technet.microsoft.com/en-us/library/cc737614(WS.10).aspx (MS Recommendations)

Page 9

Password Settings (cont’d)

Page 10

Audit Settings

Page 11

Logon Controls

Page 12

Group Policy Management Console (GPMC)

Page 13

Group Policy Management Console (GPMC)

Page 14

Group Policy Objects (GPOs)

GPO management can only be performed with Domain Admin, Enterprise Admin, or delegated authority.

Should be a highly-managed task and subject to change management policies and procedures.

More than one policy can be applied to a computer (precedence dictates cumulative effect).

A DC always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO (occurs even if a different policy is applied to the OU that contains the DC).
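An added example, not from the original slides, that verifies the point above: it reads the account policy the domain is actually enforcing and lists the GPOs linked at the domain root in precedence order, so a domain-linked GPO other than the Default Domain Policy is visible. It assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed; the minimum values in $minimums are constructed placeholders, not the Microsoft recommendations the deck links to.

```powershell
# Added example (not from the original slides): confirm which account policy
# the domain controllers are actually enforcing. Assumes the ActiveDirectory
# and GroupPolicy modules (RSAT) are installed. Thresholds are constructed
# placeholders, not Microsoft's published recommendations.

Import-Module ActiveDirectory
Import-Module GroupPolicy

# The effective account policy for DCs comes from a GPO linked at the domain
# (Default Domain Policy unless another domain-linked GPO takes precedence).
$policy = Get-ADDefaultDomainPasswordPolicy

# Constructed minimums for the audit check; replace with the entity's standard.
$minimums = @{
    MinPasswordLength    = 12
    PasswordHistoryCount = 24
    LockoutThreshold     = 5    # 0 means accounts never lock out
}

foreach ($setting in $minimums.Keys) {
    $actual = $policy.$setting
    $status = if ($actual -ge $minimums[$setting]) { 'OK' } else { 'BELOW MINIMUM' }
    '{0,-22} actual={1,-4} expected>={2,-4} {3}' -f $setting, $actual, $minimums[$setting], $status
}
if (-not $policy.ComplexityEnabled) { 'ComplexityEnabled      is off' }

# GPOs linked at the domain root, in link order (lower Order wins).
# A GPO linked here that is NOT the Default Domain Policy can override it,
# which is why the account policy must be checked at the domain, not the DC OU.
$domainDn = (Get-ADDomain).DistinguishedName
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

Because settings in a GPO linked to the Domain Controllers OU do not change the account policy, the audit evidence for password and lockout settings is this domain-level view, not the policy applied to the DC's own OU.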

Page 15

Delegation

Often, separation of duties for the network administration function is described as too difficult to implement; advise delegation. Tasks to delegate: Help Desk functions, User account management, Group management, Group Policy

U:\ITA\Section22X\Audit\Questionnaires, Guides, and Other Audit Information\AD http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

Page 16

Delegation Wizard

Good for Help Desk Staff

Not good

“HOW TO: Customize the Task List in the Delegation Wizard,” MS Knowledge Base Article 308404

Page 17

DSQuery Syntax

To return user information for the domain:

dsquery user domainroot
Results provide all users in the domain

dsquery user OU=Sales,DC=Contoso,DC=Com -o dn
Results provide all users in the Sales OU in the Contoso.com domain

dsquery user domainroot -inactive 3
Results provide all users in the domain that have been inactive for 3 weeks

DSQUERY source information: http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx
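An added example, not from the original slides, that runs the dsquery queries above from PowerShell the way an auditor would pull them: it adds the -limit switch (dsquery returns at most 100 objects unless told otherwise, so a large domain silently yields a partial list), combines the inactive and disabled views, and resolves the resulting DNs with dsget. It assumes dsquery.exe and dsget.exe (AD DS tools, present on a DC or with RSAT) are on the PATH; the 90-day password-age threshold and the Sales OU DN are constructed, the latter matching the slide's example.

```powershell
# Added example (not from the original slides): run the dsquery queries shown
# above from PowerShell and keep the full result set. Assumes dsquery.exe and
# dsget.exe (AD DS tools, installed with RSAT or on a DC) are on the PATH and
# the caller can read the domain.

# dsquery stops at 100 results unless -limit is given; 0 means "no limit".
# Without it an audit of a large domain silently reports a partial list.
$allUsers      = dsquery user domainroot -limit 0
$inactiveUsers = dsquery user domainroot -inactive 3 -limit 0     # no logon for 3 weeks
$disabledUsers = dsquery user domainroot -disabled -limit 0
$stalePwdUsers = dsquery user domainroot -stalepwd 90 -limit 0    # password older than 90 days (constructed threshold)

"Users total:          $($allUsers.Count)"
"Inactive >= 3 weeks:  $($inactiveUsers.Count)"
"Disabled:             $($disabledUsers.Count)"
"Password > 90 days:   $($stalePwdUsers.Count)"

# Inactive accounts that are still enabled are the ones worth following up:
# nobody is using them legitimately, so misuse of them would go unnoticed.
$enabledInactive = $inactiveUsers | Where-Object { $disabledUsers -notcontains $_ }

# dsget resolves each DN to readable attributes; its output is Unicode text,
# so the file is written with a matching encoding. dsquery output can be
# piped straight into dsget, as the deck's tools allow.
$enabledInactive | dsget user -samid -display -disabled |
    Out-File -FilePath .\inactive-enabled-users.txt -Encoding Unicode

# Scope a query to one OU (constructed DN, matching the slide's example):
dsquery user "OU=Sales,DC=Contoso,DC=Com" -o dn -limit 0
```

The -inactive count is in weeks and -stalepwd in days, which is easy to mix up when writing a finding; the values above follow the slide (3 weeks) and a constructed 90-day password-age threshold.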

Page 18

Dsquery Commands

Command*            Description
DSQUERY *           Finds any object
DSQUERY computer    Finds computer accounts
DSQUERY contact     Finds contacts
DSQUERY group       Finds group accounts
DSQUERY ou          Finds OUs
DSQUERY partition   Finds AD partitions
DSQUERY quota       Finds object quotas
DSQUERY server      Finds domain controllers
DSQUERY site        Finds AD sites
DSQUERY subnet      Finds subnet objects
DSQUERY user        Finds user accounts

* Output is in Unicode.

Page 19

Tidbits

Default Administrator account cannot be locked out.

Spaces can be used in Windows passwords.

If a protected group is modified, it resets after a period of time (one exception).

MS Updates should follow the change control process.

Delegation wizard is customizable.

Delegate permissions using ACL Editor.

GPO refresh is 90-120 minutes, by default.

http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

Page 20

Tidbits

From my experience:

Loopback policy processing

Computer vs. User Configuration

Kiosk solutions

Non-ADS LDAP repositories

Password-protected screen saver – 4 settings to be effective, .scr file on end-user workstations