
Managing Active Directory using PowerShell. The term "trust relationship". Managing Active Directory objects

Lesson 7. Administer Active Directory.

The Active Directory administration process consists of managing:

  • Active Directory domains;
  • the domain directory structure;
  • domain objects (users, contacts, computers, groups, printers, etc.);
  • Active Directory sites and subnets;
  • data replication.

All these tasks are performed with three management consoles that are installed together with Active Directory on the domain controller:

  • Active Directory Domains and Trusts
  • Active Directory Users and Computers
  • Active Directory Sites and Services

These consoles can also be installed on other computers in the domain as part of the administrative tools package.

Description of Active Directory objects.

All Active Directory management consoles use a single set of icons to display directory objects. The basic Active Directory object types and their meanings are listed below; knowing them makes it easier to navigate the directory.

Active Directory

Represents the Active Directory directory as a whole. It is rarely seen in the management tools, except when searching for and selecting objects.

Domain

Represents a Windows domain. Allows managing the global parameters of the domain.

Container, folder

Represents a simple container object. Such objects can only be created by the operating system and are usually generated when Active Directory is installed.

Organizational unit

Represents an organizational unit (OU). This container object is used to build a hierarchy of containers holding other objects.

User

Represents a user account. The object contains a large number of attributes describing the user.

Contact

Represents a person who is not a member of the domain. Contacts are used to store information about external people in the directory; they are not credentials and do not allow anyone to log on to the domain.

Group

Represents a group of users and is usually used to simplify the management of permissions and privileges.

Computer

Represents a single computer on the local network. For computers running Windows NT, 2000 and later versions of Windows this is a computer account. The object contains basic information about the computer and allows managing it.

Domain controller

Represents an individual Windows domain controller. In the Active Directory Users and Computers snap-in, domain controllers are shown with the same icon as ordinary computers; the dedicated icon is used for domain controllers in the Active Directory Sites and Services snap-in. Allows managing the domain controller's parameters.

Printer

Represents a network printer. The object is a reference to a shared printer. Objects of this type can be added to the directory both manually and automatically; manual addition is needed only for printers connected to computers running versions earlier than Windows 2000.

Shared resource

Represents a shared folder. The object is a link to the shared network resource and does not contain any data itself.

Licensing settings

Represents the site's global licensing settings. Allows centrally managing licenses for software products and their replication within the site.

Domain policy

Represents the domain policy. Allows configuring domain-level policy settings.

Domain controller policy

Represents the domain controller policy object. Allows configuring policy settings for all domain controllers.

Group policy

Represents an arbitrary Group Policy object. Allows managing policies for the objects of the container to which it is linked.

Site

Represents an individual Active Directory site. Allows managing its parameters. Contains links to domain controller objects, site links and site settings.

Connection

Represents a connection between domain controllers within a site. Allows managing the topology and replication parameters between domain controllers inside the site.

Site link

Represents an individual link between sites. Allows managing the topology and parameters of intersite replication.

Site settings

Represents the configuration object of a site, or of a domain controller within the site. Allows managing the replication parameters of the whole site, or the parameters of a domain controller's interaction with the site.

Subnet

Represents an individual subnet associated with a specific site. Allows specifying the boundaries of the IP network.

Active Directory (AD) is a directory service developed by Microsoft for the Windows Server operating system. It was originally created as a lightweight way of accessing user directories; starting with Windows Server 2008 it was integrated with authorization services.

It makes it possible to apply Group Policy with a uniform set of settings to all managed PCs, together with System Center Configuration Manager.

In simple terms, for beginners: it is a server role that lets you manage all access and permissions on the local network from one place.

Functions and purpose

Microsoft Active Directory (the so-called directory) is a set of tools for manipulating users and network data. Its main purpose is to make the work of system administrators easier in large networks.

The directory contains various information about users, groups, network devices, file resources, in a word, objects. For example, the user attributes stored in the directory include the address, login, password, mobile phone number and so on. The directory serves as an authentication point through which all the necessary information can be obtained.

Basic concepts occurring during the work

A number of specialized terms are used when working with AD:

  1. The server is a computer that holds all the data.
  2. The controller is a server with the AD role, which processes requests from the users of the domain.
  3. An AD domain is a set of devices united under one unique name that share a common directory database.
  4. The data store is the part of the directory responsible for storing and retrieving data on any domain controller.

How Active Directory works

The basic principles of its operation are:

  • Authorization, which makes it possible to use a PC on the network simply by entering a personal password. At the same time, all the information from the account is carried along.
  • Security. Active Directory includes user identification functions. For any network object you can, remotely and from one device, assign the appropriate rights, which depend on categories and on specific users.
  • Network administration from a single point. When working with Active Directory, the sysadmin does not need to reconfigure every PC in order to change access rights, for example to a printer. Changes are made remotely and globally.
  • Full integration with DNS. Thanks to it there is no confusion in AD: all devices are named in the same way as on the Internet.
  • Scale. A whole set of servers can serve one Active Directory.
  • Search, performed by various parameters such as the computer name or login.

Objects and attributes

An object is a set of attributes united under its own name that represents a network resource.

An attribute is a characteristic of an object in the directory. For a user, for example, these include the user name and login; for a computer account, the attributes may be the name of the computer and its description.

An "Employee" object, for example, is an object with the attributes "Full name", "Position" and "Personnel number".

Container and LDAP name

A container is a type of object that can contain other objects. A domain, for example, may include account objects.

Their main purpose is to order objects by type of feature. Most often, containers are used to group objects with the same attributes.

Almost every container represents a set of objects, while a resource is represented by a single Active Directory object. One of the main types of AD container is the organizational unit, or OU (Organizational Unit). Objects placed in such a container belong only to the domain in which they were created.

Lightweight Directory Access Protocol (LDAP) is the main protocol for accessing the directory over TCP/IP. It is designed to reduce the complexity of accessing directory services. LDAP also defines the operations used to query and edit directory data.

Tree and site

A domain tree is a structure, a set of domains with a common schema and configuration, which form a common namespace and are linked by trust relationships.

A domain forest is a collection of trees linked with each other.

A site is a set of devices in IP subnets representing the physical network model, which is planned independently of the logical representation of its structure. Active Directory can create any number of sites or unite any number of domains within one site.

Installing and configuring Active Directory

We now turn directly to configuring Active Directory, using Windows Server 2008 as an example (the procedure is identical on other versions):

Press the "OK" button. Note that these particular values are not required; you can use the IP address and DNS of your own network.

  • Next, open the "Start" menu and select "Administration" and "".
  • Go to "Roles" and select "Add a role".
  • Select "Active Directory Domain Services", click "Next" twice, and then "Install".
  • Wait for the installation to finish.
  • Open the "Start" menu, then "Run". In the field enter dcpromo.exe.
  • Click "Next".
  • Select "Create a new domain in a new forest" and click "Next" again.
  • In the next window, enter the name and click "Next".
  • Choose the compatibility mode (Windows Server 2008).
  • In the next window, leave everything at the defaults.
  • The DNS configuration window opens. Since DNS was not used on this server before, no delegation was created.
  • Select the directory for the installation.
  • After this step you need to set the administration password.

For reliability, the password must meet the following requirements:

After AD finishes configuring the components, you must restart the server.

The configuration is complete, the role is installed and the system is ready. You can install AD only on the Windows Server family; on regular versions such as Windows 7 or 10, only the management console can be installed.
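As an added example (not part of the original lesson), here is the same procedure carried out from PowerShell on Windows Server 2012 or later, where the wizard pages above correspond to parameters of the ADDSDeployment module (the module does not exist on Windows Server 2008, which uses dcpromo.exe). The domain name, NetBIOS name and paths are assumptions.

```powershell
# Added example: creating a new domain in a new forest from PowerShell on
# Windows Server 2012 or later. Domain name, NetBIOS name and paths are assumed.

# 1. Add the role, the counterpart of "Add a role" -> "Active Directory Domain Services".
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The Directory Services Restore Mode password is the "administration password"
#    the wizard asks for; read it interactively so it never sits in the script as plain text.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 3. Settings matching the wizard pages: name, compatibility (functional) level,
#    DNS installation and the database/log/SYSVOL directories.
$forestParams = @{
    DomainName                    = 'testdomain.local'   # assumed
    DomainNetbiosName             = 'TESTDOMAIN'         # assumed
    ForestMode                    = 'Win2008'            # compatibility mode used in the lesson
    DomainMode                    = 'Win2008'
    InstallDns                    = $true                # no delegation exists yet, so DNS is installed locally
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true                # suppress confirmation prompts
}

# 4. Dry run: checks prerequisites and reports problems without changing anything.
Test-ADDSForestInstallation @forestParams | Format-List

# 5. Promote the server. It reboots automatically at the end, which is the
#    "restart the server" step of the lesson.
Install-ADDSForest @forestParams
```

The dry run in step 4 is worth keeping: it catches unreachable DNS, an invalid functional level or a weak DSRM password before the server is touched.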

Administration in Active Directory

By default, in Windows Server the Active Directory Users and Computers console works with the domain to which the computer belongs. You can reach the computer and user objects of this domain through the console tree, or connect to another controller.

The same console lets you view additional object properties and search for objects; you can create new users and groups and change their permissions.

Note that there are two types of groups in Active Directory: security and distribution. Security groups are responsible for delimiting access rights to objects, and they can also be used as distribution groups.

Distribution groups cannot delimit rights; they are used mainly to distribute messages on the network.

What AD delegation is

Delegation is the transfer of part of the permissions and control from the parent object to another responsible party.

Every organization has several system administrators at its headquarters, and different tasks must rest on different shoulders. To apply changes, one needs rights and permissions, which are divided into standard and special. Special permissions apply to a specific object, while standard permissions are sets made up of existing permissions that make individual functions available or unavailable.

Installation of trust relationships

In AD there are two types of trust relationships: one-way and two-way. In the first case, one domain trusts another but not the reverse; accordingly, the first has access to the resources of the second, while the second does not. In the second case the trust is mutual. There are also outgoing and incoming trusts. In an outgoing trust, the first domain trusts the second, thereby allowing users to use the resources of the first.

When setting up a trust, the following procedure should be followed:

  • Check the network links between the controllers.
  • Check the settings.
  • Configure name resolution for the external domains.
  • Create the trust from the trusting domain.
  • Create the trust from the controller of the domain that is being trusted.
  • Verify the one-way trust that was created.
  • If a two-way trust needs to be established, perform that setup as well.
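An added example, not part of the original text, for the verification step: it lists the trusts of the current domain with the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later) and flags settings a reviewer would want to confirm after a new trust is created. The optional server name is an assumption.

```powershell
# Added example: inventory the trusts of the current domain and note settings
# worth reviewing. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        [string]$Server   # optional DC to query, e.g. 'dc1.testdomain.local' (assumed); by default the module picks one
    )
    $query = @{ Filter = '*'; Properties = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        $notes = @()
        $external = -not $_.IntraForest -and -not $_.ForestTransitive
        # SID filtering (quarantine) makes this domain ignore SIDs from the other side
        # that do not belong to it; it is expected to be on for an external trust.
        if ($external -and -not $_.SIDFilteringQuarantined) {
            $notes += 'SID filtering is off'
        }
        # Without selective authentication every account in the trusted domain can
        # authenticate to resources on this side; only the ACLs then limit access.
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            $notes += 'selective authentication is off'
        }
        [pscustomobject]@{
            Name                    = $_.Name
            Direction               = $_.Direction            # Inbound, Outbound or BiDirectional, seen from this domain
            IntraForest             = $_.IntraForest
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SelectiveAuthentication = $_.SelectiveAuthentication
            Notes                   = ($notes -join '; ')
        }
    }
}

# One row per trust; an empty Notes column means nothing was flagged
Get-TrustReport | Format-Table -AutoSize
```

Run it once before the new trust is created and once afterwards: the new row should show the expected direction (one-way first, BiDirectional only if the last step of the procedure was carried out) and an empty Notes column.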

Global catalog

This is a domain controller that stores copies of all the objects in the forest. It gives users and programs the ability to look for objects in any domain of the current forest using the attribute lookup facilities included in the global catalog.

The global catalog (GC) includes a limited set of attributes for each object in every domain of the forest. It receives its data from all domain directory partitions in the forest; they are copied using the standard Active Directory replication process.

The schema determines whether an attribute is replicated. Additional attributes can be configured to be replicated to the global catalog using the Active Directory Schema snap-in. To add an attribute to the global catalog, select the attribute and use the "Copy" (replicate to the Global Catalog) option. After that, the attribute is replicated to the global catalog, and the value of the attribute's isMemberOfPartialAttributeSet property becomes TRUE.

To locate the global catalog servers, enter at the command prompt:

dsquery server -isgc
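The same checks done with the ActiveDirectory module instead of dsquery and the Schema snap-in, as an added example that is not part of the original text. The attribute name 'department' used in the usage line is an assumed example.

```powershell
# Added example: global catalog servers and the partial attribute set via the
# ActiveDirectory module. The attribute name at the bottom is assumed.
Import-Module ActiveDirectory

# Domain controllers holding a copy of the global catalog (counterpart of "dsquery server -isgc")
function Get-GlobalCatalogServer {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object Name, Site, IPv4Address, IsGlobalCatalog
}

# All attributes in the partial attribute set, i.e. those replicated to the global catalog
function Get-PartialAttributeSet {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
                 -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# Is one attribute in the global catalog? Returns $true or $false; throws for an unknown name.
function Test-AttributeInGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
                         -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    [bool]$attr.isMemberOfPartialAttributeSet
}

# Adding an attribute is a schema change: it must be written on the schema master
# by a member of Schema Admins. Defined here; call it deliberately, not as part of a routine run.
function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
                         -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true }
}

Get-GlobalCatalogServer | Format-Table -AutoSize
Test-AttributeInGlobalCatalog -LdapDisplayName 'department'   # assumed attribute name
```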

Data Replication in Active Directory

Replication is the copying procedure used so that the same up-to-date information is stored on every controller.

It runs without operator involvement. The following kinds of content are replicated:

  • Domain data replicas are created for all existing domains.
  • Schema data replicas. Since the schema is the same for all objects in the Active Directory forest, its replicas are stored in all domains.
  • Configuration data. Describes how copies are distributed among the controllers. It is distributed to all domains in the forest.

The main types of replication are intrasite and intersite.

In the first case, after a change the system waits, then notifies its partner about the change so that the replica can be brought up to date. Even in the absence of changes, replication takes place automatically after a certain period of time. After critical changes to the directory, replication takes place immediately.

Replication between nodes takes place at intervals of minimum network load, which avoids loss of information.
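Because replication runs without operator involvement, the operator's job is to notice when it has stopped. The following added example (not from the original text) reports, per replication partner and partition, whether the link is intrasite or intersite, when the last successful replication happened and whether it is stale; it uses the ActiveDirectory module of Windows Server 2012 or later. The server name and the 24-hour threshold are assumptions.

```powershell
# Added example: replication health per partner and partition. Requires the
# ActiveDirectory module (Windows Server 2012+). Server name and threshold are assumed.
Import-Module ActiveDirectory

function Get-ReplicationStatus {
    param(
        [Parameter(Mandatory)][string]$Server,   # DC to inspect, e.g. 'dc1.testdomain.local' (assumed)
        [int]$MaxAgeHours = 24                   # partners not synced within this window are flagged (assumed)
    )
    $now = Get-Date
    Get-ADReplicationPartnerMetadata -Target $Server -Partition * | ForEach-Object {
        # LastReplicationSuccess can be empty if the partner has never replicated in
        $age = if ($_.LastReplicationSuccess) { $now - $_.LastReplicationSuccess } else { [TimeSpan]::MaxValue }
        [pscustomobject]@{
            Partner     = (($_.Partner -split ',')[1] -replace '^CN=')   # server name out of the NTDS Settings DN
            Partition   = $_.Partition
            Scope       = if ($_.IntersiteTransportType) { 'intersite' } else { 'intrasite' }
            LastSuccess = $_.LastReplicationSuccess
            Failures    = $_.ConsecutiveReplicationFailures
            LastResult  = $_.LastReplicationResult                        # 0 means the last attempt succeeded
            Stale       = ($age.TotalHours -gt $MaxAgeHours) -or ($_.ConsecutiveReplicationFailures -gt 0)
        }
    }
}

# Failures the DC has recorded itself, with the error code and when they began
function Get-ReplicationFailureSummary {
    param([Parameter(Mandatory)][string]$Server)
    Get-ADReplicationFailure -Target $Server |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

$dc = 'dc1.testdomain.local'   # assumed
Get-ReplicationStatus -Server $dc | Where-Object Stale | Format-Table -AutoSize
Get-ReplicationFailureSummary -Server $dc | Format-Table -AutoSize
```

An intersite partner that shows up as stale is normally a site link schedule or a network problem; an intrasite partner that is stale usually means the notification described above is not arriving, which is worth investigating immediately.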

In the November issue of ComputerPress we introduced you to the key features of Windows PowerShell, Microsoft's new command line and scripting language. Today we will consider using this environment to administer the corporate directory, Active Directory (AD).

Briefly about PowerShell

Windows PowerShell is a new command line and scripting language from Microsoft. PowerShell is a component of Windows Server 2008 (you only need to select it in Server Manager) and is available for download from the www.microsoft.com/powerShell page for Windows XP, Windows Server 2003 and Windows Vista.

If you are not familiar with Windows PowerShell, we recommend first reading the article "Windows PowerShell. Briefly about the main thing" in ComputerPress No. 11'2007. In this publication we limit ourselves to a brief recap of the basics and move straight on to the main topic of the article.

So, PowerShell commands are called cmdlets and consist of a verb (for example Get, Set, New, Remove, Move, Connect) and a singular noun describing the object of the action, joined by a hyphen. The result looks like Get-Process, Stop-Service, and so on.

Commands are usually linked by a pipeline, denoted by a vertical bar (|). This sign means that the whole collection of objects from the previous command is passed to the next one.

Such object orientation is very convenient because it makes it easy to operate on objects and chain commands together. In this article we will show how this approach simplifies the management of a corporate directory based on Active Directory.

Ways to work with Active Directory

Active Directory is the foundation of corporate networks based on Windows Server 2000, 2003 and 2008. It is where user accounts, information about groups, network computers, mailboxes and many other things are stored.

All this wealth has to be managed, and the corresponding toolkit that ships with Windows Server is intended for that; but it is PowerShell that makes it easy to automate mass actions aimed at a large number of objects.

There are three main ways to work with Active Directory in Windows PowerShell:

  • using the Active Directory Service Interfaces (ADSI); this method is the most difficult, but it works in any PowerShell installation and does not require additional modules. It is also closest to the approach used in the VBScript scripting language;
  • using the Active Directory provider included in the PowerShell Community Extensions; this method lets you attach the directory as a drive on your computer and navigate it with the usual commands: DIR, CD, etc. This method requires installing an additional module from CodePlex;
  • using the Active Directory cmdlets; this is the most convenient way to manipulate directory objects, but it also requires installing the corresponding modules.

ADSI

Active Directory Service Interfaces (ADSI) is familiar to everyone who has tried to write scripts in VBScript. In PowerShell this interface is implemented through a so-called adapter. By specifying the adapter name in square brackets ([ADSI]) followed by the path to the object in the form of an LDAP query (Lightweight Directory Access Protocol, the directory access protocol that AD also supports), we get access to an object in the directory and can then call its methods.

For example, let us connect to one of the directory containers and create a new user account in it.

$objOU = [ADSI]"LDAP://MYDC:389/OU=CTO,DC=Employees,DC=TestDomain,DC=Local"

Now the $objOU variable contains information about the container (variable names in PowerShell start with a dollar sign).

Call the Create method and create a new user in the container:

$objUser = $objOU.Create("User", "CN=Dmitry Sotnikov")

Now we can set various attributes:

$objUser.Put("sAMAccountName", "dsotnikov")

Finally, we tell the directory that these changes should be applied:

$objUser.SetInfo()

The advantages of using the ADSI adapter are:

  • it is present in any PowerShell installation. If you have PowerShell installed and a directory to work with, you have everything you need;
  • it uses an approach close to VBScript. If you have rich experience of working with the directory in the VBScript scripting language or in .NET applications, you will feel confident using this approach.

Unfortunately, the method has drawbacks:

  • complexity: it is the most difficult way of working with the directory. Writing the path to an object in the form of an LDAP query is non-trivial. For any work with attributes you have to specify their internal names, so you need to remember that the attribute holding a user's city is called not "City" but "l", and so on;
  • bulkiness: as the example shows, the simplest operation of creating one account takes at least four lines, including the service operations of connecting to the container and applying the changes. Thus even relatively simple operations come to resemble complex scripts.
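To show the full weight of the ADSI approach, here is an added example (not the article's own code) that carries the account creation above through to a usable account: it also sets the password and enables the account, which the article's four lines leave out, and it uses the internal attribute name "l" for the city, as the first drawback warns. The server, container, names and values are assumptions.

```powershell
# Added example: an ADSI account creation end to end. Server, container and
# attribute values are assumed; the steps follow the article's ADSI approach.
$ouPath = 'LDAP://MYDC:389/OU=CTO,OU=Employees,DC=TestDomain,DC=Local'   # assumed container

try {
    $objOU = [ADSI]$ouPath
    # [ADSI] binds lazily: a wrong path only fails on first use, so touch a property now
    $null = $objOU.Get('distinguishedName')

    $objUser = $objOU.Create('user', 'CN=Dmitry Sotnikov')
    $objUser.Put('sAMAccountName', 'dsotnikov')
    $objUser.Put('userPrincipalName', 'dsotnikov@testdomain.local')
    $objUser.Put('givenName', 'Dmitry')
    $objUser.Put('sn', 'Sotnikov')
    $objUser.Put('l', 'Saint-Petersburg')   # the city attribute is 'l' (locality), not 'City'
    $objUser.Put('department', 'Sales')
    $objUser.SetInfo()                      # first write: the object now exists, disabled and without a password

    # Password and account control can only be set on an object that already exists.
    # Read the password as a SecureString and expose the plain text only for the call itself.
    $secure = Read-Host -Prompt 'Initial password' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $objUser.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # do not leave the plain text in memory
    }
    $objUser.Put('userAccountControl', 512)   # NORMAL_ACCOUNT with the ACCOUNTDISABLE bit cleared
    $objUser.Put('pwdLastSet', 0)             # force a password change at first logon
    $objUser.SetInfo()

    # Read back through the internal attribute name to confirm the write
    'Created {0} in city {1}' -f $objUser.Get('sAMAccountName'), $objUser.Get('l')
}
catch {
    Write-Error "ADSI operation failed: $($_.Exception.Message)"
}
```

Counting the lines makes the article's point: the same result with the cmdlets described further on is a one-liner.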

AD provider

PowerShell lets you present various systems as additional drives on the computer using so-called providers. For example, PowerShell ships with a registry provider, and we can move around the registry using the familiar and beloved CD and DIR commands (for Unix lovers, the LS command is also supported).

There is no Active Directory provider in PowerShell itself, but you can install one by going to the website of the PowerShell extensions project, PowerShell Community Extensions: http://www.codeplex.com/powershellcx.

This is an open source project which adds a large number of commands to PowerShell and, in addition, installs the AD provider.

Using the Active Directory provider

After installing the extensions, typing Get-PSDrive shows that a drive for the current Active Directory has been added to the existing drives.

Now we can change to this drive by typing CD and the domain name, and in any container use the DIR command to see its contents.

In addition, you can call other familiar file management commands (for example, DEL).

The undoubted advantages of using the provider are:

  • the natural representation of the directory structure: the AD directory is hierarchical by nature and resembles a file system;
  • the convenience of finding objects: using CD and DIR is far more convenient than composing an LDAP query.

The disadvantages are also obvious:

  • the difficulty of changing objects: the provider makes it easy to reach an object, but to change something we again have to use the same approach as in the ADSI method, operating at the low level of service methods and AD attributes;
  • the need for an additional installation: the provider is not included in PowerShell, and PowerShell Community Extensions have to be downloaded and installed;
  • third-party origin: PowerShell Community Extensions are not a Microsoft product. They are created by project enthusiasts. You are free to use them, but for technical support you will have to contact not Microsoft but the project site.

AD cmdlets

In addition to the provider described above, there is a set of cmdlets for working with AD (often called AD cmdlets or QAD cmdlets), available from http://www.quest.com/ActiverRes_Server/arms.aspx.

The cmdlets consist of the standard operation verbs (Get-, Set-, Rename-, Remove-, New-, Move-, Connect-) and nouns with the QAD prefix (-QADUser, -QADGroup, -QADComputer, -QADObject).

For example, creating a new user takes a single command (the New-QADUser command is shown in the "Creating objects" section below).

The advantages of this approach are:

  • simplicity: the cmdlets hide the complexity of the directory, its schema and internal attributes. You work with directory objects at the level of understandable object names (User, Group, Computer), their properties (Name, Password, City, Department) and the actions on them (Get, Set, Remove, Move, New);
  • brevity and expressiveness: as we will see, most actions with cmdlets can be expressed as simple and natural one-line operations.

The disadvantages are:

  • the need for an additional installation: the cmdlets, like the provider, are not included in PowerShell, and the corresponding library has to be downloaded and installed;
  • third-party origin: the cmdlets for working with AD are not a Microsoft product. They are created by a Microsoft partner, Quest Software. You are free to use them, but for technical support you will have to contact not Microsoft but the Active Directory forums on the PowerGui.org website.

In our opinion, these disadvantages are more than compensated for by the simplicity and naturalness of use, so the practical examples will be given using this approach.

Managing Active Directory.

Let's see how PowerShell allows you to perform basic operations for working with the AD directory:

  • receiving the information;
  • changing properties;
  • working with groups;
  • creating new objects;
  • changing the structure of the directory

Receiving information

Information is obtained in PowerShell with cmdlets using the Get verb.

For example, Get-QADUser returns a list of all users, Get-QADGroup a list of groups, and Get-QADComputer a list of computer accounts.

If you do not need all records but only specific ones, you can select them with the command's parameters.

Getting a list of users

All groups from the Users container:

Get-QADGroup -SearchRoot Scorpio.Local/Users

All users from the sales department of the Moscow office whose names begin with the letter A:

Get-QADUser -City Moscow -Department Sales -Name A*

At the same time, you can tell PowerShell in what form you want to see the information returned.

A table with the names, cities and departments of employees:

Get-QADUser | Format-Table Name, City, Department

The same, sorted by city:

Get-QADUser | Sort City | Format-Table DisplayName, City, Department

Figure: sorting values and selecting output fields

To view the same information as a list, we simply use the Format-List command:

Get-QADUser | Format-List Name, City, Department

Export the information to a CSV file (Comma-Separated Values):

Get-QADUser | Select Name, City, Department | Export-Csv Users.csv

Create a report in HTML format:

Get-QADUser | Select Name, City, Department | ConvertTo-Html | Out-File Users.html

Thus, with one line of a simple PowerShell command you can create complex reports in the format that suits you.

Figure: PowerShell allows you to change the attributes of a set of records with one command

Changing properties

Now that we have learned to get information from the directory, it is time to change something in it.

The properties of objects can be manipulated using the Set-* commands.

For example, change my phone number:

Set-QADUser 'Dmitry Sotnikov' -Phone '111-111-111'

But of course mass changes are more interesting. For this we can use the PowerShell pipeline: obtain the list of objects we need with the Get- commands and pass them to the Set- command to make the changes.

For example, our Perm office has moved to new premises. Take all the Perm users and assign them a new phone number:

Get-QADUser -City Perm | Set-QADUser -PhoneNumber '+7-342-1111111'

For more complex manipulations, you can use the ForEach-Object cmdlet. For example, give each user a description consisting of their department and city:

Get-QADUser | ForEach-Object { Set-QADUser $_ -Description ($_.City + " " + $_.Department) }

The $_ variable in this example denotes the current object of the collection.

Figure: PowerShell provides convenient facilities for working with user groups

Working with groups

Working with groups and their membership is another mass operation that you often want to automate. PowerShell provides this opportunity.

Getting the members of a group is done with the Get-QADGroupMember cmdlet:

Get-QADGroupMember Managers

Adding an object to a group is just as easy:

Add-QADGroupMember Scorpio\Managers -Member dsotnikov

Similarly, removal from a group is done with the Remove-QADGroupMember cmdlet.

But of course mass manipulations are the most useful. Add all managers to the corresponding group:

Get-QADUser -Title Manager | Add-QADGroupMember Scorpio\Managers

Copy group membership:

Get-QADGroupMember Scorpio\Managers | Add-QADGroupMember Scorpio\Managers_Copy

Use a filter to copy not all group members but only those meeting a certain criterion (for example, located in the required region):

Get-QADGroupMember Scorpio\Managers | Where { $_.City -eq 'Ekaterinburg' } | Add-QADGroupMember Scorpio\Ekaterinburg_Managers

Note how we filtered the users using Where and a logical condition (-eq is the equality operator in PowerShell, from the English "equals").

Creating objects

As we have already seen, objects are created with the New- commands:

New-QADUser -ParentContainer Scorpio.Local/Employees -Name 'Dmitry Sotnikov'

New-QADGroup -ParentContainer Scorpio.Local/Employees -Name 'Managers' -Type Security -Scope Global

You can set any other attributes while creating the record:

New-QADUser -ParentContainer Scorpio.Local/Employees -Name 'Dmitry Sotnikov' -SamAccountName dsotnikov -City 'Saint-Petersburg' -Password '<password>'

To enable the account, simply pipe it to Enable-QADUser (do not forget to set the password, otherwise the operation will fail):

New-QADUser -ParentContainer Scorpio.Local/Employees -Name 'Dmitry Sotnikov' -Password '<password>' | Enable-QADUser

Mass creation of accounts from a CSV file:

Import-Csv New_users.csv | ForEach-Object { New-QADUser -ParentContainer Scorpio.Local/Users -Name ($_.Familia + ',' + $_.Imya) -SamAccountName ($_.Imya + $_.Familia) -Department $_.Department -Title $_.Title }

Note that we build the account name on the fly from the last name and the first name.
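The one-liner above creates whatever the file contains. The following added example (not the article's code) does the same bulk import with the checks an administrator would want on real input: required columns present, the generated account name within the 20-character sAMAccountName limit and not already taken, a random initial password that must be changed at first logon, and a WhatIf dry run. It uses Microsoft's ActiveDirectory module (New-ADUser) rather than the QAD cmdlets; the column names, target OU and sample rows are constructed assumptions.

```powershell
# Added example: validated CSV import with the ActiveDirectory module.
# Column names, OU and the sample rows are assumed/constructed.
Import-Module ActiveDirectory

# Constructed sample input; in practice: Import-Csv New_users.csv with these columns
$sampleCsv = @'
LastName,FirstName,Department,Title
Sotnikov,Dmitry,Sales,Manager
Ivanova,Anna,Finance,Analyst
,Nobody,IT,Engineer
'@

function Import-NewAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [string]$ParentContainer = 'OU=Users,DC=scorpio,DC=local'   # assumed target OU
    )
    process {
        # 1. Reject rows with missing data instead of creating half-filled accounts
        foreach ($field in 'LastName', 'FirstName', 'Department', 'Title') {
            if ([string]::IsNullOrWhiteSpace($Row.$field)) {
                Write-Warning "Skipping row with empty '$field'"
                return
            }
        }

        # 2. Account name from first + last name, lower-cased, ASCII only, at most 20 characters
        $sam = (($Row.FirstName + $Row.LastName).ToLower() -replace '[^a-z0-9]', '')
        if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

        # 3. Never silently collide with an existing account
        if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
            Write-Warning "Account '$sam' already exists, skipping"
            return
        }

        # 4. Random initial password (18 bytes -> 24 characters); changed at first logon
        $bytes = New-Object byte[] 18
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initial = [Convert]::ToBase64String($bytes)

        if ($PSCmdlet.ShouldProcess($sam, 'Create AD user')) {
            New-ADUser -Name "$($Row.LastName), $($Row.FirstName)" `
                       -SamAccountName $sam `
                       -GivenName $Row.FirstName -Surname $Row.LastName `
                       -Department $Row.Department -Title $Row.Title `
                       -Path $ParentContainer `
                       -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
                       -ChangePasswordAtLogon $true `
                       -Enabled $true
            # Hand the initial password to the user out of band; do not write it to a shared log
            [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $initial }
        }
    }
}

# Dry run first: shows what would be created and which rows are rejected
$sampleCsv | ConvertFrom-Csv | Import-NewAccount -WhatIf
# Real run: $sampleCsv | ConvertFrom-Csv | Import-NewAccount
```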

Figure: example of using an import file

Changing the structure of the directory

Finally, of course, you can manage the structure of the directory.

For example, you can create new containers:

New-QADObject -Type OrganizationalUnit -ParentContainer Scorpio.Local -Name NewOU

and move objects into them one at a time:

Move-QADObject MyServer -To Scorpio.Local/Servers

or in bulk:

Get-QADUser -Disabled | Move-QADObject -To Scorpio.Local/Disabled

Figure: importing a file and creating new accounts

Figure: accounts that meet a certain criterion can easily be selected and moved to another container

And much more

We have reviewed only a small part of the cmdlets for managing Active Directory. To obtain the full list of cmdlets for AD, run the command:

Get-Command *-QAD*

To get help on any command:

Get-Help Get-QADUser

To find out which properties an object has, use the command:

Get-QADUser | Get-Member

PowerShell's capabilities are practically endless, but at the same time they are easy enough to discover.

Conclusion

As we have seen, PowerShell is an excellent tool for Active Directory. Some of its capabilities (ADSI) are available in any PowerShell installation; others (the provider and the cmdlets) require additional modules. All of them provide huge opportunities for automating the management of your corporate directory, and therefore reduce risks, get rid of routine and increase your efficiency at work.

The main thing is that these technologies are already available and can help you administer the systems entrusted to you today. In conclusion, we quote Vasily Gusev, system administrator of CJSC Evrasfinance: "In our company, as everywhere, Active Directory is one of the most used and critical services. With PowerShell and AD cmdlets, many tasks have become easier to perform from the command line than via ADUC (Active Directory Users and Computers. - Ed.). Never before has Active Directory automation been so easy and accessible."

Alexander Emelyanov

Administering Accounts in an Active Directory Domain

One of the most important tasks of an administrator is managing local and domain accounts: auditing, quotas and delimiting user rights according to their needs and company policy. What can Active Directory offer in this regard?

Continuing the Active Directory series, today we will talk about the central link in the administration process: managing user account data within a domain. We will consider:

  • creating accounts and managing them;
  • types of user profiles and their use;
  • security groups in AD domains and their combinations.

Ultimately, you can apply this material to building a working infrastructure or refining an existing one so that it meets your requirements.

Looking ahead, I will say that the topic is closely tied to the use of Group Policy for administrative purposes. But because of the vastness of the material devoted to it, it will be covered in the next article.

Acquaintance with Active Directory - Users and Computers

After you have installed the first controller in the domain (in fact, you have thereby created the domain), five new items appear in the Administrative Tools section (see Fig. 1).

To manage AD objects, Active Directory Users and Computers (ADUC, see Fig. 2) is used; it can also be launched from the Run menu as dsa.msc.

Using ADUC, you can create and delete users, assign logon scripts to accounts, and manage group membership and group policies.

It is also possible to manage AD objects without accessing the server directly. This is provided by the AdminPak.msi package, located in the %SystemDrive%\Windows\System32 directory. By installing it on your own machine and granting yourself domain administrator rights (if you did not have them), you can administer the domain.

When ADUC is opened, we see the branch of our domain containing five containers and organizational units.

  • Builtin. Contains the built-in local groups that exist on any server machine, including domain controllers.
  • Users and Computers. Containers into which users, groups and computer accounts are placed by default when the system is upgraded from Windows NT. But you are not limited to these containers for creating and storing new accounts; a user can be created even directly in the domain container. When a computer is joined to the domain, it appears in the Computers container.
  • Domain Controllers. An organizational unit (OU) containing the domain controllers by default. When a new controller is created, it appears here.
  • ForeignSecurityPrincipals. The default container for objects from external trusted domains.

It is important to remember that group policies are tied exclusively to the domain, OU or site. This must be taken into account when creating an administrative hierarchy of your domain.

Joining a computer to the domain

The procedure is performed directly on the local machine that we want to connect.

Choose My Computer -> Properties -> Computer Name, click the Change button and under "Member of" select Domain. Enter the name of the domain to which we want to add our computer, and then prove that we have the right to add workstations to the domain by entering domain administrator credentials.

Create a domain user

To create a user, select any container in which it will be located, right-click it and choose Create -> User. The user creation wizard opens. Here you can specify a variety of attributes, starting with the user name and the time frame during which logon to the domain is allowed, and ending with settings for terminal services and remote access. On completion of the wizard, you get a new domain user.

It should be noted that while creating a user the system may "complain" about insufficient complexity or brevity of the password. You can relax the requirements by opening the Domain Security Policy (Default Domain Security Settings) and then Security Settings -> Account Policies -> Password Policy.

Suppose we have created the user Ivan Ivanov in the Users container (User Logon Name: [email protected]). If in NT 4 systems the container played only a decorative role, in AD it is part of the name in LDAP format, which in full looks like this:

CN=Ivan Ivanov,CN=Users,DC=hq,DC=local

Here CN stands for Common Name and DC for Domain Component. LDAP descriptions of objects are used when running WSH (Windows Script Host) scripts, or by programs that use the LDAP protocol to communicate with Active Directory.

To log on to the domain, Ivan Ivanov will have to use the name in UPN format (User Principal Name): [email protected]. AD domains also understand the name written in the old NT 4 (pre-Windows 2000) format, in our case HQ\Ivanov.

When a user account is created, it is automatically assigned a security identifier (SID), a unique number by which the system identifies users. It is very important to understand this, because when an account is deleted its SID is deleted too and is never used again. Each new account gets its own new SID, which is why a re-created account cannot obtain the rights and privileges of the old one.

An account can be moved to another container or OU, disabled or, conversely, enabled, copied, or have its password reset. Copying is often used to create several users with the same parameters.
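As an added example (not from the article), the following PowerShell uses the ActiveDirectory module to create the user described above in the Users container, prints the three name forms (LDAP DN, UPN, pre-Windows 2000) and then demonstrates the SID rule by deleting and re-creating the account. The UPN prefix ivanov and the use of the PDC emulator are assumptions; the password is a placeholder read from the console.

```powershell
# Added example, not from the article: create Ivan Ivanov in the Users container,
# show the LDAP, UPN and pre-Windows 2000 name forms, and illustrate that a
# re-created account receives a new SID. Requires RSAT (ActiveDirectory module)
# and rights to create users. Run only against a test account.
Import-Module ActiveDirectory

$domain    = Get-ADDomain                      # the current domain, e.g. hq.local
$dc        = $domain.PDCEmulator               # one DC for every call, avoids replication lag
$container = "CN=Users,$($domain.DistinguishedName)"

# Assumed logon names; the article shows HQ\Ivanov for the pre-Windows 2000 form
$params = @{
    Name                  = 'Ivan Ivanov'
    GivenName             = 'Ivan'
    Surname               = 'Ivanov'
    SamAccountName        = 'Ivanov'
    UserPrincipalName     = "ivanov@$($domain.DNSRoot)"
    Path                  = $container
    AccountPassword       = (Read-Host -AsSecureString 'Initial password')  # placeholder
    ChangePasswordAtLogon = $true
    Enabled               = $true
    Server                = $dc
}
New-ADUser @params

# Collect the three name forms the article lists, plus the SID.
function Get-NameForms {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Server $dc
    [pscustomobject]@{
        LdapDN     = $u.DistinguishedName                           # CN=...,CN=Users,DC=hq,DC=local
        UPN        = $u.UserPrincipalName                           # user@hq.local
        PreWin2000 = "$($domain.NetBIOSName)\$($u.SamAccountName)"  # HQ\Ivanov
        SID        = $u.SID.Value
    }
}
Get-NameForms -SamAccountName 'Ivanov' | Format-List

# A SID is never reused. Delete and re-create the account: the new SID differs,
# so ACL entries that named the old SID no longer resolve to this user.
$oldSid = (Get-ADUser -Identity 'Ivanov' -Server $dc).SID.Value
Remove-ADUser -Identity 'Ivanov' -Server $dc -Confirm:$false
New-ADUser @params
$newSid = (Get-ADUser -Identity 'Ivanov' -Server $dc).SID.Value
[pscustomobject]@{ OldSid = $oldSid; NewSid = $newSid; Reused = ($oldSid -eq $newSid) }
```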

The user's working environment

Credentials stored centrally on the server allow users to identify themselves unambiguously in the domain and receive the appropriate rights and access to their working environment. All operating systems of the Windows NT family use a user profile to create the working environment on the client machine.

Local profile

Let us consider the main components of a user profile:

  • The registry section corresponding to a specific user (the "hive"). The data of this registry branch is actually stored in the ntuser.dat file, located in the %SystemDrive%\Documents and Settings\user_name folder that contains the user profile. So when a particular user logs on, the ntuser.dat "hive" from the folder containing their profile is loaded into the HKEY_CURRENT_USER registry section, and all changes to the user environment settings made during the session are saved into this "hive". The ntuser.dat.log file is a transaction log that exists to protect ntuser.dat. For the Default User profile, however, you will hardly find it, because that profile is a template (more on this below). The administrator can edit a specific user's "hive" directly from their own working environment: using the Regedt32 registry editor, load the "hive" into the HKEY_USERS section, make the changes and then unload it.
  • File system folders containing the user's settings files. They are located in the special directory %SystemDrive%\Documents and Settings\user_name, where user_name is the name of the logged-on user. Desktop items, Startup items, documents, etc. are stored here.

When a user logs on for the first time, the following happens:

  1. The system checks whether a local profile for this user exists.
  2. Not finding one, the system queries the domain controller for the default domain profile, which should be located in the Default User folder on the Netlogon share. If this profile is found, it is copied locally into the %SystemDrive%\Documents and Settings folder under the user's name; otherwise it is copied from the local %SystemDrive%\Documents and Settings\Default User.
  3. The user's registry "hive" is loaded into the HKEY_CURRENT_USER section for the session.
  4. On logoff, all changes are saved locally.

Ultimately, the user's working environment is the combination of their own profile and the All Users profile, which contains settings common to all users of this machine.

Now a few words about creating a default profile for the domain. Create a dummy profile on your machine and configure it according to your needs or corporate policy requirements. Then log off and log back on as a domain administrator. On the server's Netlogon share, create a Default User folder. Next, using the User Profiles tab of the System applet (see Fig. 3), copy your profile to this folder and grant the right to use it to the Domain Users group or any other suitable security group. That's it: the default profile for your domain is created.

Roaming profiles

Active Directory, as a flexible and scalable technology, allows your enterprise environment to work with roaming profiles, which we will look at next.

At the same time, it is appropriate to talk about folder redirection as one of the features of IntelliMirror technology for ensuring fault tolerance and centralized storage of user data.

Roaming profiles are stored on the server. The path to them is specified in the domain user's settings (see Fig. 4).

If you wish, you can set roaming profiles for several users at once by selecting multiple users and, in their properties on the Profile tab, specifying %username% instead of the folder with the user name (see Fig. 5).

The first logon of a user with a roaming profile is similar to the one described above for a local profile, with some exceptions.

First, since the profile path is specified in the user object, the system checks for a cached local copy of the profile on the machine; then everything proceeds as described.

Second, on logoff all changes are copied to the server and, unless group policies specify deleting the local copy, kept on this machine. If the user already had a local copy of the profile, the server and local copies are compared and merged.

IntelliMirror technology in recent Windows versions allows redirecting certain user folders, such as My Documents, My Pictures, etc., to a network resource.

Thus, for the user, all the changes made are completely transparent. Saving documents to the My Documents folder, which has been deliberately redirected to a network resource, they will not even suspect that everything is being saved to the server.

Redirection can be configured either manually for each user or using group policies.

In the first case, right-click the My Documents icon on the desktop or in the Start menu and choose Properties. From there everything is extremely simple.

In the second case, open the group policy of the OU or domain to which we want to apply redirection and expand the hierarchy "User Configuration -> Windows Settings" (see Fig. 6). Redirection is then configured either for all users or for specific security groups of the OU or domain to which this group policy is applied.

By using folder redirection together with roaming user profiles you can, for example, reduce profile loading time. This holds provided the roaming profile is always loaded from the server without using a local copy.

The story of folder redirection would be incomplete without mentioning offline files. They allow users to work with documents even without a network connection. Synchronization with the server copies of the documents takes place the next time the computer connects to the network. Such a scheme is useful, for example, for laptop users who work both on the local network and at home.

The disadvantages of roaming profiles include the following:

  • a situation may arise where, for example, the user's desktop has shortcuts to certain programs, but on another machine where the owner of the roaming profile logs on these programs are absent, so some of the shortcuts will not work;
  • many users have the habit of storing documents, and even photos and video, on the desktop; as a result, each time the roaming profile is loaded from the server extra network traffic is generated, and the profile takes a very long time to load. To solve the problem, use NTFS permissions to limit the accumulation of "garbage" on the desktop;
  • every time the user logs on, a local profile is created for them (more precisely, the profile is copied locally from the server), and if the user changes working machines, such "garbage" remains on each of them. This can be avoided by configuring several group policies ("Computer Configuration -> Administrative Templates -> System -> User Profiles", "Delete cached copies of roaming profiles").

Bringing an existing user into the domain

Often, when a directory service is deployed in an existing network built on workgroups, the question arises of bringing a user into the domain without losing their working environment settings. This can be achieved using roaming profiles.

On a network resource on the server (for example, Profiles), create a folder with the user's name and grant the Everyone group write permission on it. Let it be called HQUser, and let the full path to it look like this: \\Server\Profiles\HQUser.

Create a domain user corresponding to the user of your local network, and as the profile path specify \\Server\Profiles\HQUser.

On the computer containing our user's local profile, log on with an administrator account and, using the User Profiles tab of the System applet, copy the profile to the \\Server\Profiles\HQUser folder.

It is easy to see that the next time our user logs on under the new domain account, they will load their working profile from the server, and the administrator only has to decide whether to leave this profile roaming or make it local.
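The folder and profile-path steps of this procedure, and the %username% trick from the roaming profiles section above, as an added PowerShell example (not the article's own code). It assumes the script runs on the file server, that the Profiles share maps to D:\Profiles, that the domain is HQ and the account is hquser, and that the sample OU for the bulk form is made up. The article grants Everyone write access to the folder; this example grants rights only to the user, Administrators and SYSTEM, which is the tighter choice for a per-user profile folder.

```powershell
# Added example, not from the article: prepare \\Server\Profiles\HQUser and point
# the domain account at it. Assumptions: run on the file server, share root
# D:\Profiles, domain NetBIOS name HQ, account hquser. Requires RSAT.
Import-Module ActiveDirectory

$shareRoot   = 'D:\Profiles'               # assumed local path behind \\Server\Profiles
$sam         = 'hquser'
$folder      = Join-Path $shareRoot 'HQUser'
$profilePath = '\\Server\Profiles\HQUser'

New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Build the folder ACL: the user, Administrators and SYSTEM only, with no rights
# inherited from the share root (the article's Everyone:Write is broader).
function Set-ProfileFolderAcl {
    param([string]$Path, [string]$UserIdentity)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    foreach ($identity in @($UserIdentity, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}
Set-ProfileFolderAcl -Path $folder -UserIdentity "HQ\$sam"

# Point the account at the folder (the Profile tab in ADUC writes the same attribute).
Set-ADUser -Identity $sam -ProfilePath $profilePath

# Bulk form for many users at once: %username% is expanded per user at logon.
# OU=Sales is an assumed, made-up OU.
# Get-ADUser -SearchBase 'OU=Sales,DC=hq,DC=local' -Filter * |
#     Set-ADUser -ProfilePath '\\Server\Profiles\%username%'

# Verify what was written to the account
Get-ADUser -Identity $sam -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

The profile copy itself is still done through the User Profiles tab as the article describes, since that step also rewrites ownership inside the profile.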

Quotas

Very often users clutter network drives with unnecessary files. To avoid constant requests to clean personal folders of unnecessary "garbage" (which, for some reason, always turns out to be needed), you can use the quota mechanism. Starting with Windows 2000, this can be done by standard means on NTFS volumes.

To enable and configure quotas, go to the local volume properties and open the Quota tab (see Fig. 7).

You can also view data on used disk space and configure quotas separately for each user (see Fig. 8). The system calculates used disk space based on object ownership, summing the sizes of the files and folders belonging to the user.

User Groups in AD

User management within a domain is a simple task. But when you need to configure access to certain resources for several dozen (or hundreds of) users, distributing access rights can take a lot of time.

And if the rights of participants from several domains within a tree or forest need to be delimited finely, the administrator faces a problem straight out of set theory. Groups come to the rescue.

The main characteristics of the groups encountered within a domain were given in the previous article on the architecture of the directory service.

Let me remind you that domain local groups can include users of their own domain and of other domains in the forest, but their scope is limited to the domain they belong to.

Global groups can include only users of their own domain, but they can be used to grant access to resources both in their own and in other domains of the forest.

Universal groups, true to their name, can contain users from any domain and can also be used to grant access within the entire forest. It does not matter in which domain a universal group is created; the only thing to consider is that when it is moved, access rights will be lost and will have to be reassigned.

To understand the above and the basic principles of group nesting, consider an example. Suppose we have a forest containing two domains, hq.local and sd.local (which of them is the root does not matter in this case). Each domain contains resources to which users must be given access (see Fig. 9).

From Fig. 9 it can be seen that all users in the forest (green and red lines) must have access to the DOCS and DISTRIB resources, so we can create a universal group containing users from both domains and use it when assigning access permissions to both resources. Alternatively, we can create a global group in each domain containing only the users of that domain, and include both in a universal group. Any of these global groups can also be used to assign rights.

Only users from the hq.local domain (blue lines) must have access to the BASE directory, so we include them in a domain local group and grant access to this group.

Both members of the hq.local domain and members of the sd.local domain (orange lines in Fig. 9) must be able to use the DISTRIB directory. Therefore the MANAGER and SALARY users of hq.local can be added to a global group of that domain, and this group then added to a domain local group in sd.local together with the IT user. This domain local group is then granted access to the DISTRIB resource.
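The Fig. 9 layout built with the ActiveDirectory module, as an added example that is not the article's own code, following the accounts -> global -> universal -> domain local -> permissions pattern for the three resources. Assumptions: the script runs from hq.local with rights in both domains, the shares live at D:\DOCS and D:\BASE on a file server in hq.local and D:\DISTRIB on one in sd.local, the MANAGER, SALARY and IT logon names are those from the text, and all group names are made up.

```powershell
# Added example, not from the article: AGUDLP nesting for hq.local / sd.local.
# Group names are illustrative; D:\DOCS, D:\BASE, D:\DISTRIB are assumed share paths.
Import-Module ActiveDirectory

$hq = Get-ADDomain -Identity 'hq.local'
$sd = Get-ADDomain -Identity 'sd.local'
$hqUsers = "CN=Users,$($hq.DistinguishedName)"
$sdUsers = "CN=Users,$($sd.DistinguishedName)"

# Create a security group once; idempotent so the script can be re-run.
function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path, [string]$Server)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Server $Server
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                         -Path $Path -Server $Server -PassThru
    }
    return $g
}

# Write the member's DN into the target group's member attribute. This works the
# same for same-domain and cross-domain members, which Add-ADGroupMember does not
# always resolve correctly against the target domain.
function Add-MemberDN {
    param($Group, $Member, [string]$Server)
    Set-ADGroup -Identity $Group -Add @{ member = $Member.DistinguishedName } -Server $Server
}

# Grant an NTFS permission on the file server that hosts the resource.
function Grant-FolderAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# A -> G: every enabled user of each domain goes into that domain's global group
$gHQ = New-GroupIfMissing -Name 'G-Users-HQ' -Scope Global -Path $hqUsers -Server $hq.PDCEmulator
$gSD = New-GroupIfMissing -Name 'G-Users-SD' -Scope Global -Path $sdUsers -Server $sd.PDCEmulator
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $hqUsers -Server $hq.PDCEmulator |
    ForEach-Object { Add-MemberDN -Group $gHQ -Member $_ -Server $hq.PDCEmulator }
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $sdUsers -Server $sd.PDCEmulator |
    ForEach-Object { Add-MemberDN -Group $gSD -Member $_ -Server $sd.PDCEmulator }

# G -> U: one forest-wide universal group holds both global groups
$uAll = New-GroupIfMissing -Name 'U-Users-Forest' -Scope Universal -Path $hqUsers -Server $hq.PDCEmulator
Add-MemberDN -Group $uAll -Member $gHQ -Server $hq.PDCEmulator
Add-MemberDN -Group $uAll -Member $gSD -Server $hq.PDCEmulator

# U/G -> DL: domain local groups live in the domain that owns each resource
$dlDocs    = New-GroupIfMissing -Name 'DL-DOCS-Read'    -Scope DomainLocal -Path $hqUsers -Server $hq.PDCEmulator
$dlBase    = New-GroupIfMissing -Name 'DL-BASE-Modify'  -Scope DomainLocal -Path $hqUsers -Server $hq.PDCEmulator
$dlDistrib = New-GroupIfMissing -Name 'DL-DISTRIB-Read' -Scope DomainLocal -Path $sdUsers -Server $sd.PDCEmulator

Add-MemberDN -Group $dlDocs -Member $uAll -Server $hq.PDCEmulator    # DOCS: the whole forest
Add-MemberDN -Group $dlBase -Member $gHQ  -Server $hq.PDCEmulator    # BASE: hq.local users only

# DISTRIB: MANAGER and SALARY from hq.local via a global group, plus IT from sd.local
$gDistribHQ = New-GroupIfMissing -Name 'G-Distrib-HQ' -Scope Global -Path $hqUsers -Server $hq.PDCEmulator
foreach ($sam in 'Manager', 'Salary') {
    Add-MemberDN -Group $gDistribHQ -Member (Get-ADUser $sam -Server $hq.PDCEmulator) -Server $hq.PDCEmulator
}
Add-MemberDN -Group $dlDistrib -Member $gDistribHQ -Server $sd.PDCEmulator
Add-MemberDN -Group $dlDistrib -Member (Get-ADUser 'IT' -Server $sd.PDCEmulator) -Server $sd.PDCEmulator

# DL -> P: permissions are granted to the domain local groups only
# (run each line on the file server that hosts the folder)
Grant-FolderAccess -Path 'D:\DOCS'    -Identity "$($hq.NetBIOSName)\DL-DOCS-Read"    -Rights 'ReadAndExecute'
Grant-FolderAccess -Path 'D:\BASE'    -Identity "$($hq.NetBIOSName)\DL-BASE-Modify"  -Rights 'Modify'
Grant-FolderAccess -Path 'D:\DISTRIB' -Identity "$($sd.NetBIOSName)\DL-DISTRIB-Read" -Rights 'ReadAndExecute'
```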

Now let us look at the nesting of these groups in more detail and consider one more type of group: built-in domain local groups.

The table shows which groups can be nested in which. The groups along the horizontal are those into which the groups listed vertically are nested. A plus means that one group type can be nested in the other; a minus means it cannot.

On an Internet resource about the Microsoft certification exams I saw a mention of the formula AGUDLP, which means: Accounts are placed in Global groups, which are placed in Universal groups, which are placed in Domain Local groups, to which Permissions are applied. This formula fully describes the nesting possibilities. It should be added that all these kinds of groups can be nested in the local groups of an individual machine (domain local groups only within their own domain).

Domain group nesting

Nested group      | Local groups                                                  | Global groups                  | Universal groups
Account           | +                                                             | +                              | +
Local groups      | + (except built-in local groups, and only within its own domain) | -                          | -
Global groups     | +                                                             | + (only within its own domain) | +
Universal groups  | +                                                             | -                              | +

Built-in domain local groups are located in the Builtin container and are in fact local groups of the machine, but only for domain controllers. Unlike the domain local groups in the Users container, they cannot be moved to other organizational units.

A correct understanding of the account administration process will allow you to build a clearly configured working environment for the enterprise, ensuring management flexibility and, most importantly, the fault tolerance and security of the domain. In the next article we will talk about group policies as a tool for building the user environment.

Appendix

Nuances of domain authentication

When local profiles are used, a situation may occur in which a domain user tries to log on to a workstation that holds their local profile but for some reason has no access to the controller. Surprisingly, the user is successfully authenticated and allowed to work.

This situation arises because the user's credentials are cached, and it can be corrected by a registry change. In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, create (if it does not already exist) an entry named CachedLogonsCount of type REG_DWORD and set its value to zero. The same result can be achieved using group policies.

  1. Emelyanov A. Principles of Building Active Directory Domains // System Administrator, No. 2, 2007, pp. 38-43.


After installing Active Directory, you can proceed to creating objects and managing them.

6.5.1. Creating organizational units and objects in them

6.5.1.1. Creating organizational units (OU)

An OU can be created within the domain, in the Domain Controllers node, or in another OU (Fig. 6.3). Objects can be added to the created OU.

To create an OU, you need the authority to add OUs to the parent OU, the domain, or the Domain Controllers node where the OU will be created. By default, such authority is granted to the Administrators group.

You cannot create an OU in most of the standard containers, such as Computers or Users.

Fig. 6.3. The OTI department OU in the Domain Controllers node

OUs are created to simplify network administration. The OU structure should be based on specific administrative tasks. You can easily change the OU structure or move objects between OUs.

OUs are created in the following cases:

  • to delegate administrative authority to other users or administrators;
  • to group objects on which similar administrative operations are performed; this makes it easier to find similar network resources and service them, so, for example, all User objects for temporary employees can be combined in one OU;
  • to limit the visibility of network resources in the Active Directory store: users will see only those objects to which they have access; permissions on an OU can easily be changed, limiting access to confidential information.

6.5.1.2. Adding objects to an OU

To add objects to an OU, you must have the appropriate authority in it. By default, such rights are granted to the Administrators group. The kinds of objects that can be created depend on the schema rules used by the wizard or snap-in. Some object attributes can be defined only after the object has been created.

6.5.2. Managing Active Directory objects

Managing Active Directory objects includes searching for objects and changing, deleting or moving them. In the latter two cases you need the appropriate permissions on the object or on the OU to which you move the object. By default, all members of the Administrators group have these permissions.

6.5.2.1. Searching for objects

The global catalog (GC) contains a partial replica of the entire directory and stores information about all objects in the domain tree or forest. Therefore a user can find an object regardless of its location in the domain or forest. The contents of the GC are generated automatically from information in the domains that make up the directory.

To search for objects, open the snap-in whose shortcut is in the Administrative Tools program group. In the console tree, right-click the domain or OU and choose Find from the context menu. The Find dialog box opens (Fig. 6.4).

Fig. 6.4. The Find dialog box

If you open the context menu of a Shared Folder object and choose Find, the Windows Explorer search is launched, and you can search the shared folder for files and subfolders.

The Find dialog box includes options for searching the GC, allowing you to find accounts, groups and printers.

6.5.2.2. Changing attribute values and deleting objects

To change attribute values, open the Active Directory Users and Computers snap-in and select an instance of the object. In the Action menu, choose Properties. In the object's properties dialog box, change the desired attributes. Then amend the object's description, for example, modify a User object to change the user's name, location and e-mail address. If objects are no longer needed, delete them for security reasons: in the Active Directory Users and Computers snap-in, select the instance of the object being deleted, and then in the Tools menu choose Delete.

6.5.2.3. Moving objects

In the Active Directory store you can move objects, for example between OUs, to reflect changes in the structure of the enterprise when an employee is transferred from one department to another. To do this, open the Active Directory Users and Computers snap-in, select the object to be moved, choose Move, and specify the new location of the object.

6.5.3. Access control for Active Directory objects

To control access to Active Directory objects, an object-based security model is used, similar to the NTFS security model.

Each Active Directory object has a security descriptor that determines who has the right to access the object and the type of access. Windows Server uses security descriptors to control access to objects.

To simplify administration, objects with the same security requirements can be grouped in an OU, and access permissions assigned for the entire OU and all objects in it.

6.5.3.1. Managing Active Directory permissions

Active Directory permissions protect resources by allowing you to control access to object instances or object attributes and to define the type of access granted.

Active Directory protection

The administrator or owner of an object must assign access permissions on the object before users can access it. Windows Server stores an access control list (ACL) for each Active Directory object.

An object's ACL includes the list of users who are allowed to access the object, together with the permissions granted to them.

You can use permissions to assign administrative authority over an OU, a hierarchy of OUs or an individual object to a specific user or group, without granting administrative permissions over other Active Directory objects.

Access permissions on an object

Permissions depend on the object type: for example, the Reset Password permission is valid for User objects but not for Computer objects.

A user can be a member of several groups with different permissions, each providing a different level of access to objects. When you assign permissions on an object to a user who is a member of a group endowed with other permissions, the user's effective rights are the combination of their own permissions and those of the group.

Permissions can be granted or denied. Denied permissions for users and groups take precedence over granted permissions.

If a user is denied access to an object, they will not get access to it even as a member of a group that has been granted it.

Assigning Active Directory permissions

The Active Directory Users and Computers tool allows you to configure permissions on objects and their attributes. Permissions can also be assigned on the Security tab of the object's properties dialog box.

For most administrative tasks, the standard permissions are sufficient.
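An added example (not from the textbook) showing the ACL model of this section from PowerShell: it lists an OU's access control entries with Deny entries first, then delegates only the Reset Password control access right on User objects beneath the OU to a help-desk group, which is the per-object-type, least-privilege delegation the text describes. The OU OU=Staff,DC=hq,DC=local and the group Helpdesk-PwdReset are made up; the right and class GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not from the textbook: inspect and delegate Active Directory
# permissions with the AD: drive of the ActiveDirectory module. The OU and
# group names are assumptions. Requires rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN    = 'OU=Staff,DC=hq,DC=local'            # assumed OU
$group   = Get-ADGroup -Identity 'Helpdesk-PwdReset'   # assumed help-desk group
$rootDse = Get-ADRootDSE

# Resolve the GUIDs from the directory itself: the "Reset Password" control
# access right and the schema ID of the user class.
$resetPwdGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# List the ACEs of an object. Deny entries are shown first because an explicit
# Deny overrides an Allow obtained through group membership.
function Show-AdAces {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, IsInherited |
        Sort-Object AccessControlType -Descending
}

# Delegate one extended right, on one object class, to one group, inherited by
# the OU's descendants. Nothing else about the OU changes.
function Grant-ResetPasswordOnOu {
    param([string]$OuDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,                                                              # who
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,   # kind of right
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPwdGuid,                                                     # which extended right
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)                                                    # only on User objects
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

Show-AdAces -DistinguishedName $ouDN | Format-Table -AutoSize      # before

Grant-ResetPasswordOnOu -OuDN $ouDN -Sid $group.SID

# After: the new Allow ACE carries ObjectType = Reset Password GUID and
# InheritedObjectType = user class GUID, i.e. it grants nothing on Computer objects.
Show-AdAces -DistinguishedName $ouDN |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Format-Table -AutoSize
```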
