Active Directory is a system management service. They are a much better alternative to local groups and allow you to create computer networks with efficient management and reliable data protection.
If you have not previously encountered the concept of Active Directory and do not know how such services work, this article is for you. Let's figure out what this concept means, what are the advantages of such databases and how to create and configure them for initial use.
Active Directory is a very convenient system management method. With Active Directory, you can efficiently manage your data.
These services allow you to create a single database managed by domain controllers. If you own an enterprise, run an office, in general, control the activities of many people who need to be united, such a domain will come in handy for you.
It includes all objects - computers, printers, faxes, user accounts, and more. The sum of the domains on which the data is located is called the "forest". The Active Directory base is a domain-based environment where the number of objects can be up to 2 billion. Can you imagine this scale?
That is, with the help of such a "forest" or database, it is possible to connect a large number of employees and equipment in the office, and without reference to the place - other users can also be connected in the services, for example, from the office of a company in another city.
In addition, several domains are created and merged within the framework of Active Directory - the larger the company, the more tools are needed to control its technology within the database.
Further, when creating such a network, one controlling domain is determined, and even with the subsequent presence of other domains, the original one still remains the "parent" - that is, only he has full access to information management.
Where is this data stored, and how does the domains exist? Controllers are used to create Active Directory. Usually there are two of them - if something happens to one, the information will be saved on the second controller.
Another option for using the database is if, for example, your company is collaborating with another, and you have to complete a common project. In this case, access of unauthorized persons to the domain files may be required, and here you can set up a kind of “relationship” between two different “forests”, open access to the required information without risking the security of the rest of the data.
In general, Active Directory is a tool for creating a database within a certain structure, regardless of its size. Users and all equipment are united into one "forest", domains are created, which are located on controllers.
It is also advisable to clarify that the services can only work on devices with Windows server systems. In addition, 3-4 DNS servers are created on the controllers. They serve the main zone of the domain, and in the event that one of them fails, other servers replace it.
After a brief overview of Active Directory for dummies, you are naturally interested in the question - why change a local group to a whole database? Naturally, here the field of possibilities is many times wider, and in order to find out other differences between these services for system management, let's take a closer look at their advantages.
Active Directory Benefits
The advantages of Active Directory are as follows:
- Using one resource for authentication. In this situation, you need to add all accounts on each PC that require access to general information. The more users and technicians, the more difficult it is to synchronize this data between them.
And so, when using services with a database, accounts are stored at one point, and the changes take effect immediately on all computers.
How it works? Each employee arriving at the office starts the system and logs into his account. The login request will be automatically submitted to the server and authentication will take place through it.
As for a certain order in keeping records, you can always divide users into groups - "Human Resources" or "Accounting".
It is even easier in this case to provide access to information - if you need to open a folder for employees from one department, you do it through the database. Together they get access to the required data folder, while the rest of the documents remain closed.
- Control over every member of the database.
If in a local group each member is independent, it is difficult to control it from another computer, then certain rules can be set in the domains in accordance with the company's policy.
As a system administrator, you can configure access settings and security settings, and then apply them for each user group. Naturally, depending on the hierarchy, one group can define more stringent settings, while others can be given access to other files and actions in the system.
In addition, when a new person joins the company, his computer will immediately receive the necessary set of settings, where components for work are included.
- Versatility in software installation.
By the way, about the components - with the help of Active Directory you can assign printers, install the necessary programs for all employees at once, set privacy parameters. In general, the creation of a database will significantly optimize work, monitor safety and unite users for maximum efficiency.
And if a company operates a separate utility or special services, they can be synchronized with domains and simplified access to them. How? If you combine all the products used in the company, the employee will not need to enter different logins and passwords to log into each program - this information will be shared.
Now that you understand the benefits and implications of using Active Directory, let's walk through the process of installing these services.
Using a database on Windows Server 2012
Installing and configuring Active Directory is not difficult, and is also easier than it seems at first glance.
To load the services, you first need to do the following:
- Change the name of the computer: click on "Start", open Control Panel, item "System". Select "Change parameters" and in Properties opposite the line "Computer name" click "Change", enter a new value for the host PC.
- Reboot at the request of the PC.
- Set your network settings like this:
- From the control panel, open the Networks and Sharing menu.
- Correct adapter settings. Right click on Properties and click on the Networking tab.
- In the window from the list, click on the Internet protocol at number 4, again click on "Properties".
- Enter the required settings, for example: IP address - 192.168.10.252, subnet mask - 255.255.255.0, main subgateway - 192.168.10.1.
- In the line "Preferred DNS server" specify the address of the local server, in "Alternative ..." - other addresses of DNS servers.
- Save changes and close windows.
Install the Active Directory roles like this:
- Open the "Server Manager" through the start.
- From the menu, select Add Roles and Features.
- The wizard will start, but you can skip the first description window.
- Check the line "Installing roles and features", move on.
- Select your computer to install Active Directory on it.
- From the list, mark the role that you want to load - for your case, this is "Active Directory Domain Services".
- A small window will appear prompting you to download the components necessary for the services - accept it.
- Then you will be prompted to install other components - if you do not need them, just skip this step by clicking "Next".
- The setup wizard will display a window with descriptions of the services you are installing - read on and move on.
- A list of components that we are going to install will appear - check if everything is correct, and if so, press the appropriate button.
- Close the window when the process is complete.
- That's it - the services are loaded onto your computer.
Configuring Active Directory
To set up a domain service, you need to do the following:
- Run the configuration wizard of the same name.
- Click on the yellow pointer at the top of the window and select Promote Server Role to Domain Controller.
- Click on add a new "forest" and create a name for the root domain, then click "Next".
- Specify the forest and domain functional levels — most often they are the same.
- Come up with a password, but be sure to remember it. Proceed further.
- After that, you may see a warning that the domain is not delegated, and a proposal to check the domain name - you can skip these steps.
- In the next window, you can change the path to the database directories - do this if they do not suit you.
- Now you will see all the parameters that you are going to set - see if you have chosen them correctly and move on.
- The application will check if the prerequisites are met, and if there are no comments, or they are not critical, click "Install".
- After completing the installation, the PC will reboot itself.
You may also be wondering how to add a user to the database. To do this, use the "Active Directory Users or Computers" menu, which you will find in the "Administration" section of the control panel, or use the database settings menu.
To add a new user, right-click on the domain name, select “Create”, after “Subdivision”. You will see a window where you need to enter the name of the new department - it serves as a folder where you can collect users from different departments. In the same way, you will later create a few more divisions and correctly place all employees.
Next, when you have created the name of the department, right-click on it and select "New", after - "User". Now all that remains is to enter the necessary data and set the access settings for the user.
When a new profile is created, click on it by selecting the context menu and open "Properties". In the "Account" tab, remove the check mark next to "Block ...". That's all.
The general conclusion is that Active Directory is a powerful and useful system management tool that will help to unite all employee computers into one team. With the help of services, you can create a secure database and significantly optimize the work and synchronization of information between all users. If your company and any other place of work is connected with computers and the network, you need to combine accounts and monitor work and privacy, installing a database based on Active Directory will be a great solution.
Any novice user, faced with the acronym AD, wonders what is Active Directory? Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, the service only dealt with domains. However, since Windows Server 2008, AD has become the name for a wide range of directory-based identity services. This makes Active Directory a better place to learn for beginners.
Basic definition
The server that is running Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in the Windows network domain, assigning and enforcing security policies for all PCs, and installing or updating software. For example, when a user logs on to a computer that is included in a Windows domain, Active Directory validates the provided password and determines whether the object is a system administrator or a standard user. It also allows you to manage and store information, provides authentication and authorization mechanisms, and sets up a framework for deploying other related services: certificate services, federated and lightweight directory services, and rights management.
Active Directory uses LDAP versions 2 and 3, Microsoft's version of Kerberos and DNS.
What is Active Directory? In simple words about the complex
Tracking network data is a tedious task. Even on small networks, users tend to have difficulty finding network files and printers. Without some kind of directory, medium and large networks cannot be managed and often have difficulty finding resources.
Previous versions of Microsoft Windows included services to help users and administrators find data. Networking is useful in many environments, but the obvious disadvantage is the awkward interface and its unpredictability. WINS Manager and Server Manager can be used to view the list of systems, but they were not available to end users. Administrators used User Manager to add and remove data of a completely different type of network object. These applications turned out to be ineffective for work in large networks and raised the question, why in the company Active Directory?
A directory, in its most general sense, is a complete list of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations, andthey usually contain names, addresses and phone numbers. Asking the question Active Directory - what it is, in simple terms, we can say that this technology is similar to a directory, but it is much more flexible. AD stores information about organizations, sites, systems, users, shares and any other network object.
Introduction to the basic concepts of Active Directory
Why does an organization need Active Directory? As mentioned in the introduction to Active Directory, a service stores information about network components. The Active Directory For Beginners tutorial states that it is allows clients to find objects in their namespace. This t A term (also called a console tree) refers to the area in which a network component can be located. For example, the table of contents for a book creates a namespace in which chapters can be mapped to page numbers.
DNS is a console tree that resolves hostnames to IP addresses like soPhone books provide a namespace for name resolution for phone numbers. How does this work in Active Directory? AD provides a console tree for resolving the names of network objects to the objects themselves andcan resolve a wide variety of objects, including users, systems and services on the network.
Objects and Attributes
Anything that Active Directory monitors is considered an object. We can say in simple words that this in Active Directory is any user, system, resource, or service. The common term object is used because AD is able to keep track of many elements, and many objects can share common attributes. What does it mean?
Attributes describe objects in the active directory of Active Directory, for example, all custom objects share attributes to store the user's name. This also applies to their description. Systems are also objects, but they have a separate set of attributes that include hostname, IP address, and location.
The set of attributes available for any particular type of object is called a schema. It makes the classes of objects different from each other. The schema information is actually stored in Active Directory. That this behavior of the security protocol is very important is indicated by the fact that the schema allows administrators to add attributes to object classes and distribute them across the network in all corners of the domain without restarting any domain controllers.
LDAP container and name
A container is a special type of object that is used to organize the operation of a service. It does not represent a physical entity like a user or a system. Instead, it is used to group other items together. Container objects can be nested within other containers.
Every item in AD has a name. These are not the ones you are used to, for example, Ivan or Olga. These are LDAP distinguished names. LDAP distinguished names are complex, but they allow any object within a directory to be uniquely identified, regardless of its type.
Term tree and site
A term tree is used to describe a set of objects in Active Directory. What's this? In simple terms, this can be explained using a tree association. When containers and objects are combined hierarchically, they tend to form branches - hence the name. A related term is a contiguous subtree, which refers to the unbreakable main trunk of a tree.
Continuing with the metaphor, the term forest describes a collection that is not part of the same namespace, but has a common schema, configuration, and global catalog. Objects in these structures are available to all users if security permits. Organizations with multiple domains should group trees into one forest.
A site is a geographic location as defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to find the closest server on the network. Using site information from Active Directory can significantly reduce WAN traffic.
Active Directory Management
Component of the Active Directory snap-in - Users. It is the most convenient tool for administering Active Directory. It is directly accessible from the Administrative Tools program group on the Start menu. It replaces and improves Server Manager and User Manager from Windows NT 4.0.
Safety
Active Directory plays an important role in the future of Windows networking. Administrators should be able to protect their directory from intruders and users while delegating tasks to other administrators. This is all possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.
The high level of control allows the administrator to grant individual users and groups different levels of permissions on objects and their properties. They can even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view the home phones of other users.
Delegated administration
A concept new to Windows 2000 Server is delegated administration. This allows you to assign tasks to other users without granting additional access rights. Delegated administration can be assigned through specific objects or contiguous directory subtrees. This is a much more efficient method of granting authority over networks.
V assigning all global domain administrator rights to someone, a user can only be given permissions within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL from their container. 
The term "trusting relationship"
The term "trust" is still used but has different functionality. There is no distinction between unilateral and bilateral trusts. All Active Directory trusts are bidirectional. Moreover, they are all transitive. So, if domain A trusts domain B and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.
Auditing in Active Directory - what is it in simple terms? This is a security feature that allows you to determine who is trying to access objects, as well as how successful that attempt is.
Using DNS (Domain Name System)
A different DNS system is essential for any organization connected to the Internet. DNS provides name resolution between common names such as mspress.microsoft.com and raw IP addresses that network layer components use to communicate.
Active Directory makes extensive use of DNS technology to find objects. This is a significant change from previous Windows operating systems that require NetBIOS names to be resolved by IP addresses and rely on WINS or other NetBIOS name resolution techniques.
Active Directory works best when used with Windows 2000 DNS servers. Microsoft has made it easy for administrators to migrate to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.
Other DNS servers can be used. However, in this case, administrators will have to spend more time managing the DNS databases. What are the nuances? If you choose not to use Windows 2000 DNS servers, you must ensure that your DNS servers comply with the new DNS dynamic update protocol. Servers rely on dynamically updating their records to find domain controllers. It is not comfortable. After all, eIf dynamic updating is not supported, you have to manually update the databases. 
Windows domains and internet domains are now fully compatible. For example, a name such as mspress.microsoft.com will identify the Active Directory domain controllers responsible for the domain, so any client with DNS access can find the domain controller.Clients can use DNS resolution to look up any number of services because Active Directory servers publish the list of addresses in DNS using new dynamic update functionality. This data is identified as a domain and published through service resource records. SRV RRs follow the format service.protocol.domain.
Active Directory servers provide LDAP service to host the object, and LDAP uses TCP as the underlying transport protocol. Therefore, a client looking for an Active Directory server in the mspress.microsoft.com domain will look for the DNS record for ldap.tcp.mspress.microsoft.com.
Global catalog
Active Directory provides a global catalog (GC) andprovides a single source for finding any object on the organization's network.
The Global Catalog is a service in Windows 2000 Server that allows users to find any objects that have been granted access. This functionality is far superior to that of the Find Computer application included with previous versions of Windows. After all, users can search for any object in Active Directory: servers, printers, users and applications.
A fundamental component of Domain Services in every organization are Security Principals (originally called Security Principal), which provide users, groups, or computers that need access to certain resources on the network. It is to objects such as security principals that you can grant permissions to access resources on the network, with each principal being assigned a unique security identifier (SID) during object creation, which consists of two parts. Security ID SID called a numeric representation that uniquely identifies a security principal. The first part of such an identifier is domain id... Because security principals are located in the same domain, all such objects are assigned the same domain identifier. The second part of the SID is relative identifier (RID) which is used to uniquely identify the security principal with respect to the agency that issues the SID.
Although most organizations only plan and deploy a Domain Services infrastructure once and rarely make changes to most objects, an important exception to this rule is security principals that need to be added, changed, and removed periodically. User accounts are one of the fundamental components of identification. Basically, user accounts are physical entities, mostly people, who are employees of your organization, but there are exceptions where user accounts are created for some applications as services. User accounts play a critical role in enterprise administration. These roles include:
- Identity of users, since the created account allows you to log into computers and domains with exactly the data the authenticity of which is verified by the domain;
- Domain resource access permissions that are assigned to a user to grant access to domain resources based on explicit permissions.
User account objects are among the most common objects in Active Directory. It is user accounts that administrators must pay special attention to, since users tend to come to work in an organization, move between departments and offices, get married, get married, get divorced and even leave the company. Such objects are a set of attributes, and only one user account can contain over 250 different attributes, which is several times more than the number of attributes on workstations and computers running Linux. When you create a user account, a limited set of attributes is created, and only then you can add user credentials such as organizational information, user addresses, phone numbers, and more. Therefore, it is important to note that some attributes are obligatory and the rest - optional... In this article, I will talk about the key methods for creating user accounts, some optional attributes, and also describe the tools to automate the routine actions associated with creating user accounts.
Create Users Using Active Directory Users and Computers
In the overwhelming majority of cases, system administrators prefer to use the snap-in, which is added to the folder "Administration" immediately after installing the role Active Directory Domain Services and promoting the server to a domain controller. This method is most convenient because it uses a graphical user interface to create security principals and the Create User Account Wizard is very easy to use. The disadvantage of this method is that when creating a user account, you cannot immediately set most of the attributes, and you will have to add the necessary attributes by editing the account. To create a custom account, follow these steps:
- In field "Name" enter your username;
- In field "Initials" enter his initials (most often, initials are not used);
- In field "Surname" enter the surname of the user being created;
- Field "Full name" used to create attributes of the generated object such as the Common Name CN and displaying the properties of the name. This field must be unique in the entire domain, and is filled in automatically, and you should only change it if necessary;
- Field "User login name" is required and intended for the user's domain login. Here you need to enter the username and from the drop-down list select the UPN suffix, which will be located after the @ symbol;
- Field User Login Name (Pre-Windows 2000) intended for the login name for systems earlier than the Windows 2000 operating system. In recent years, organizations have less and less owners of such systems, but this field is required, since some software uses this attribute to identify users;
After filling in all the required fields, click on the button "Further":
Rice. 2. Dialog box for creating a user account
Rice. 3. Creating a password for the created account
Creating users from templates
Organizations typically have many divisions or departments that include your users. In these departments, users have similar properties (for example, department name, position, office number, etc.). For the most efficient management of user accounts from one department, for example, using group policies, it is advisable to create them within the domain in special departments (in other words, containers) based on templates. Account template is an account that first appeared in the days of Windows NT operating systems, in which the attributes common to all created users are pre-populated. To create a user account template, follow these steps:
- Are common... This tab is intended for filling in individual user-defined attributes. These attributes include the user's first and last name, a short description for the account, the user's contact phone number, room number, their email account, and website. Due to the fact that this information is individual for each individual user, the data filled in on this tab is not copied;
- The address... On the current tab, you can fill in the mailbox, city, state, postal code and country of residence of users who will be created based on this template. Since each user does not usually have the same street names, the data from this field cannot be copied;
- Account... In this tab, you can specify the exact time of user login, computers that users will be able to access, account parameters such as storing passwords, encryption types, etc., as well as the expiration date of the account;
- Profile... The current tab allows you to specify the path to the profile, the login script, the local path to the home folder, as well as network drives where the account's home folder will be located;
- Organization... On this tab, you can specify the position of employees, the department in which they work, the name of the organization, as well as the name of the head of the department;
- Group members... The main group and group memberships are listed here.
These are the main tabs that are filled in when you create account templates. In addition to these six tabs, you can also fill in information in 13 tabs. Most of these tabs will be covered in subsequent articles in this series.
Rice. 5. Dialog box for copying user account
Creating users using command line tools
As with most things, the Windows operating system has command line utilities with similar functionality to the snap-in graphical user interface Active Directory Users and Computers... Such commands are called DS commands because they begin with the letters DS. To create security principals, use the command Dsadd... After the command itself, there are modifiers that define the type and DN of the object. In the case of creating user accounts, you need to specify the modifier user which is the type of the object. After the object type, you must enter the DN name of the object itself. The Distinguished Name (DN) of an object is a result set that contains the distinguished name. The DN is usually followed by the UPN username or login name of previous versions of Windows. If the DN name contains spaces, then the name must be enclosed in quotation marks. The command syntax is as follows:
Dsadd user DN_name –samid account_name –UPN_name –pwd password –additional parameters
41 parameters can be used with this command. Let's consider the most common ones:
-samid- user account name;
-upn- the login name of the pre-Windows 2000 user;
-fn- username, which is filled in the field in the graphical interface "Name";
-mi- the initial of the user;
-ln- the surname of the user, specified in the "Surname" field of the wizard for creating a user account;
-display- specifies the user's full name, which is automatically generated in the user interface;
-empid- employee code that is created for the user;
-pwd- a parameter defining a user password. In the event that you specify an asterisk (*), you will be prompted to enter the user's password in the protected from viewing mode;
-desc- a short description for the user account;
-memberof- a parameter that determines the user's membership in one or more groups;
-office- the location of the office where the user works. In account properties, this setting can be found under the tab "Organization";
-tel- contact phone number of the current user;
-email- the user's email address, which can be found in the tab "Are common";
-hometel- parameter indicating the user's home telephone number;
-mobile- phone number of the mobile user;
-fax- fax machine number used by the current user;
-title- the position of the user in the given organization;
-dept- this parameter allows you to specify the name of the department in which this user works;
-company- the name of the company in which the created user works;
-hmdir- the user's main directory, in which his documents will be located;
-hmdrv- the path to the network drive where the account's home folder will be located
-profile- user profile path;
-mustchpwd- this parameter indicates that the next time the user logs in to the system, he is obliged to change his password;
-canchpwd- a parameter that determines whether the user should change his password. If parameter value specifies "Yes", then the user will have the option to change the password;
-reversiblepwd- the current parameter defines the storage of the user's password using reverse encryption;
-pwdneverexpires Is a parameter indicating that the password will never expire. In all these four parameters, only "Yes" or "No";
-acctexpires- a parameter that determines after how many days the account will expire. A positive value represents the number of days after which the account will expire, while a negative value means that it has already expired;
-disabled- indicates that the account has already been disabled. The values for this parameter are also "Yes" or "No";
-q- indication of the quiet mode for command processing.
Usage example:
Dsadd user “cn = Alexey Smirnov, OU = Marketing, OU = Users, DC = testdomain, DC = com” -samid Alexey.Smirnov -upn Alexey.Smirnov -pwd * -fn Alexey -ln Smirnov -display “Alexey Smirnov” - tel “743-49-62” -email [email protected]-dept Marketing -company TestDomain -title Marketer -hmdir \\ dc \ profiles \ Alexey.Smirnov -hmdrv X -mustchpwd yes -disabled no
Rice. 6. Creating a user account using the Dsadd utility
Create Users Using CSVDE Command
Another command line utility CSVDE allows you to import or export Active Direcoty objects presented as a cvd file - a comma-delimited text file that can be created using a spreadsheet processor Microsoft Excel or the simplest text editor Notepad. In this file, each object is represented by one line and must contain the attributes that are listed on the first line. It is worth paying attention to the fact that using this command you cannot import user passwords, that is, immediately after the import operation is completed, user accounts will be disabled. An example of such a file is as follows:
Rice. 7. Presentation of the CSV file
The command syntax is as follows:
Csvde –i –f filename.csv –k
- -i... The parameter that is responsible for the import mode. If you do not specify this parameter, then this command will use the default export mode;
- -f
- -k
- -v
- -j
- -u... An option to use Unicode mode.
An example of using the command:
Csvde -i -f d: \ testdomainusers.csv -k
Rice. 8. Importing user accounts from a CSV file
Importing Users Using LDIFDE
The Ldifde command line utility also lets you import or export Active Directory objects using the Lightweight Directory Access Protocol Data Interchange File (LDIF) file format. This file format consists of a block of lines that form a specific operation. Unlike CSV files, in this file format, each individual line is a set of attributes, followed by a colon and the actual value of the current attribute. As in the CSV file, the first line must be the DN attribute. It is followed by a changeType string that indicates the type of operation (add, change, or delete). In order to learn to understand this file format, you need to learn at least the key attributes of security principals. An example is provided below:
Rice. 9. Example LDF file
The command syntax is as follows:
Ldifde -i -f filename.csv -k
- -i... The parameter that is responsible for the import mode. If you do not specify this parameter, then this command will use the default export mode;
- -f... A parameter that identifies the name of the file to be imported or exported;
- -k... The parameter intended to continue the import, skipping all possible errors;
- -v... A parameter using which you can display detailed information;
- -j... The parameter responsible for the location of the log file;
- -d... A parameter specifying the root of the LDAP search;
- -f... Parameter for the LDAP search filter;
- -p... Represents the area or depth of the search;
- -l... Designed to specify a comma-separated list of attributes that will be included in the export of the resulting objects;
Creating users with VBScript
VBScript is one of the most powerful tools for automating administrative tasks. This tool allows you to create scripts designed to automate most of the actions that can be performed through the user interface. VBScript scripts are text files that users can usually edit with ordinary text editors (such as Notepad). And to execute scripts, you just need to double-click on the icon of the script itself, which will open using the Wscript command. There is no specific command to create a user account in VBScript, so you first need to connect to the container, then use the Active Directory Services Interface (ADSI) adapter library using the Get-Object statement, where an LDAP query string is executed that provides the protocol moniker LDAP: // with the DN name of the object. For example, Set objOU = GetObject (“LDAP: // OU = Marketing, OU = Users, dc = testdomain, dc = com”). The second line of code activates the unit's Create method to create an object of a specific class with a specific distinguished name, for example, Set objUser = objOU.Create (“user”, ”CN = Yuri Soloviev”). The third line is the Put method, where you need to specify the name of the attribute and its value. The last line of this script confirms the changes made, that is, objUser.SetInfo ().
Usage example:
Set objOU = GetObject (“LDAP: // OU = Marketing, OU = Users, dc = testdomain, dc = com” Set objUser = objOU.Create (“user”, ”CN = Yuri Soloviev”) objUser.Put “sAMAccountName” , ”Yuriy.Soloviev” objUser.Put “UserPrincipalName” [email protected]"ObjUser.Put" givenName "," Yuri "objUser.Put" sn "Soloviev" objUser.SetInfo ()
Creating Users with PowerShell
Windows Server 2008 R2 introduces the ability to manage Active Directory objects using Windows PowerShell. PowerShell is considered the most powerful command line shell developed on the basis of the .Net Framework and designed to manage and automate the administration of Windows operating systems and applications that run on these operating systems. PowerShell includes over 150 command-line tools, called cmdlets, that provide the ability to manage computers in your enterprise from the command line. This shell is a component of the operating system.
To create a new user in the Active Directory domain, use the New-ADUser cmdlet, most of whose property values can be added by using the parameters of this cmdlet. The –Path parameter is used to display the LDAP name. This parameter specifies the container or organizational unit (OU) for the new user. If the Path parameter is not specified, the cmdlet creates a user object in the default container for user objects in this domain, that is, in the Users container. To specify the password, use the –AccountPassword parameter with the value (Read-Host -AsSecureString "Password for your account"). Also, be sure to pay attention to the fact that the value of the –Country parameter is exactly the code of the country or region of the language selected by the user. The syntax for the cmdlet is as follows:
New-ADUser [-Name]
As you can see from this syntax, it makes no sense to describe all the parameters, since they are identical to the attributes of the security principal and do not need explanation. Let's look at an example of use:
New-ADUser -SamAccountName "Evgeniy.Romanov" -Name "Evgeniy Romanov" -GivenName "Evgeniy" -Surname "Romanov" -DisplayName "Evgeniy Romanov" -Path "OU = Marketing, OU = Users, DC = testdomain, DC = com "-CannotChangePassword $ false -ChangePasswordAtLogon $ true -City" Kherson "-State" Kherson "-Country UA -Department" Marketing "-Title" (! LANG: Marketer" -UserPrincipalName "!} [email protected]"-EmailAddress" [email protected]"-Enabled $ true -AccountPassword (Read-Host -AsSecureString" AccountPassword ")
Rice. 10. Creating a user account using Windows PowerShell
Conclusion
In this article, you learned about the concept of a security principal and the role of user accounts in a domain environment. The main scenarios for creating user accounts in an Active Directory domain were discussed in detail. You have learned how to create custom accounts using the snap-in Active Directory Users and Computers using templates, command line utilities Dsadd, CSVDE and LDIFDE. You also learned about the VBScript scripting language and Windows PowerShell command line method for creating user accounts.
Group Policy is a hierarchical infrastructure that allows the network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy can also be used to define user, security, and network policies at the machine level.
Definition
Active Directory groups help administrators define settings for what users can do on the network, including the files, folders, and applications they can access. Collections of user and computer settings are called GPOs and are administered from a central interface called the Operations Console. Group Policy can also be controlled using command line tools such as gpresult and gpupdate.
Active Directory is new to Windows 2000 Server and has been enhanced in 2003 to make it an even more important part of the operating system. Windows Server 2003 AD provides a single link, called a directory service, for all objects on the network, including users, groups, computers, printers, policies, and permissions.
For a user or administrator, configuring Active Directory provides a single hierarchical view from which all network resources can be managed.
Why implement Active Directory
There are many reasons for implementing this system. First of all, Microsoft Active Directory is generally considered a significant improvement over Windows NT Server 4.0 domains or even stand-alone server networks. AD has a centralized administration mechanism across the entire network. It also provides redundancy and fault tolerance when deploying two or more domain controllers in a domain.
The service automatically manages communication between domain controllers to keep the network viable. Users have access to all resources on the network for which they are authorized using single sign-on. All resources on the network are protected by a robust security mechanism that verifies user identity and resource authority for each access.
Even with the improved security and control of Active Directory, most of its functionality is invisible to end users. As such, migrating users to the AD network requires a little retraining. The service offers a means to quickly promote and de-rank domain controllers and member servers. The system can be managed and protected using Active Directory Group Policies. It is a flexible hierarchical organizational model that allows you to easily manage and detail the specific delegation of administrative responsibilities. AD is capable of managing millions of objects within a single domain.
Main sections
Active Directory Group Policy Books are organized using four types of partitions or container structures. These four OUs are forests, domains, organizational units, and sites:
A forest is a collection of each object, its attributes and syntax.
Domain is a set of computers that share a common set of policies, the name and database of their members.
Organizational units are containers in which domains can be grouped. They create a hierarchy for the domain and create the structure of the company in a geographic or organizational setting.
Sites are physical groupings that are independent of the scope and structure of organizational units. Sites distinguish between locations connected by low and high speed connections and are identified by one or more IP subnets.
Forests are not limited by geography or network topology. A single forest can contain multiple domains, each with a common schema. Domain members in the same forest do not even need a dedicated LAN or WAN connection. A single network can also be home to several independent forests. In general, one forest should be used for each legal entity. However, additional scaffolds may be desirable for testing and research purposes outside the production forest.
Domains
Active Directory domains serve as containers for security policies and administrative assignments. By default, all objects in them are subject to Group Policy. Likewise, any administrator can manage all objects within a domain. In addition, each domain has its own unique database. Thus, authentication is done based on the domain. Once a user account is authenticated, that account is granted access to resources.
One or more domains are required to configure Group Policy in Active Directory. As mentioned earlier, an AD domain is a collection of computers that share a common set of policies, a name, and a database of their members. A domain must have one or more servers that serve as domain controllers (DCs) and store the database, maintain policies, and provide authentication for logins.
Domain controllers
In Windows NT, Basic Domain Controller (PDC) and Backup Domain Controller (BDC) were roles that could be assigned to a server on a network of computers that were running the Windows operating system. Windows used the idea of a domain to control access to a set of network resources (applications, printers, etc.) for a group of users. The user only needs to log on to the domain to access resources that may be located on several different servers on the network.
One server, known as the primary domain controller, managed the primary user database for the domain. One or more servers have been designated as backup domain controllers. The primary controller periodically sent copies of the database to the backup domain controllers. The standby domain controller can log on as the primary domain controller in the event that the PDC server fails, and can also help balance the workload if the network is busy enough.
Delegating and Configuring Active Directory
In Windows 2000 Server, while the domain controllers were retained, the PDC and BDC server roles were largely replaced by Active Directory. It is no longer necessary to create separate domains to separate administrative privileges. Within AD, you can delegate administrative privileges based on organizational units. Domains are no longer capped at 40,000 users. AD domains can manage millions of objects. Since there are no more PDCs and BDCs, the Active Directory Group Policy configuration applies multi-master replication and all domain controllers are peer-to-peer.
Organizational structure
Organizational units are much more flexible and easier to manage than domains. Organizational units give you almost unlimited flexibility as you can move, delete, and create new units as needed. However, domains are much more restrictive in their structure settings. Domains can be deleted and re-created, but this process destabilizes the environment and should be avoided whenever possible.
Sites are collections of IP subnets that have fast and reliable communication between all hosts. Another way to create a site is with a LAN connection, but not a WAN connection, as WAN connections are significantly slower and less reliable than LAN connections. By using sites, you can control and reduce the amount of traffic that goes through your slow WAN links. This can result in more efficient traffic flow for performance tasks. It can also reduce WAN costs for pay-per-bit services.
Infrastructure Wizard and Global Catalog
Other key components of Windows Server in Active Directory include the Infrastructure Wizard (IM), which is a fully functional FSMO (Flexible Single Operations Wizard) service responsible for an automatic process that captures obsolete links, known as phantoms, in the Active Directory database.
Phantoms are created on DCs that require cross-referencing between an object within its own database and an object from another domain in the forest. This happens, for example, when you add a user from one domain to a group in another domain in the same forest. Phantoms are considered obsolete when they no longer contain updated data that results from changes made to the foreign object represented by the phantom. For example, when the target is renamed, moved, transferred between domains, or deleted. The Infrastructure Master is solely responsible for finding and fixing obsolete phantoms. Any changes made as a result of the "fix" process must then be replicated to other domain controllers.
The Infrastructure Wizard is sometimes confused with the global catalog (GC), which maintains a partial, read-only copy of every domain in the forest and, among other things, is used for general purpose group storage and logon processing. Since GCs store a partial copy of all objects, they can create cross-domain references without the need for phantoms.
Active Directory and LDAP
Microsoft includes LDAP (Lightweight Directory Access Protocol) as an integral component of Active Directory. LDAP is a software protocol that allows anyone to find organizations, individuals, and other resources such as files and devices on a network, whether on the public Internet or on a corporate intranet.
On TCP / IP networks (including the Internet), the Domain Name System (DNS) is a directory system used to map a domain name to a specific network address (unique location on a network). However, you may not know the domain name. LDAP allows you to search for people without knowing where they are (although more information will help in your search).
The LDAP directory is organized in a simple hierarchical hierarchy with the following levels:
Organizations.
Organizational units (departments).
Individuals (including people, files, and shared resources such as printers).
The root directory (source location or source of the tree).
The LDAP directory can be distributed to many servers. Each server can have a replicated version of a shared directory that is synchronized periodically.
It is important for every administrator to understand what LDAP is. Because finding information in Active Directory and the ability to create LDAP queries is especially useful when finding information stored in an AD database. For this reason, many administrators place a lot of emphasis on mastering the LDAP search filter.
Group Policy and Active Directory Management
It's hard to discuss AD without mentioning Group Policy. Administrators can use Group Policy in Microsoft Active Directory to define settings for users and computers on the network. These settings are configured and stored in so-called Group Policy Objects (GPOs), which are then linked to Active Directory objects, including domains and sites. This is the main mechanism for applying changes to computers to users in a Windows environment.
Thanks to Group Policy Management, administrators can globally configure desktop settings on user computers, restrict / allow access to certain files and folders on the network.
Applying group policies
It is important to understand how GPOs are used and applied. For them, the following order is acceptable: first, local machine policies are applied, then site policies, then domain policies, and then policies applied to individual organizational units. A user or computer object can only belong to one site and one domain at a time, so they will only receive GPOs that are associated with that site or domain.
Object structure
GPOs are split into two distinct parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). A GPO template is responsible for storing certain settings created in a GPO and is essential to its success. It stores these settings in a large folder and file structure. For the settings to be successfully applied to all user and computer objects, GPT must be replicated to all controllers in the domain.
The Group Policy container is part of a GPO stored in Active Directory that resides on every domain controller in a domain. The GPC is responsible for maintaining links to client extensions (CSEs), the GPT path, paths to software installation packages, and other referenced aspects of the GPO. The GPC does not contain much information related to the corresponding GPO, but it is required for the functionality of the GPO. When software installation policies are configured, GPC helps maintain the links associated with the GPO and stores other relational links and paths stored in the object's attributes. Knowing the structure of the GPC and how to access the hidden information stored in attributes will pay off when you need to identify a Group Policy issue.
In Windows Server 2003, Microsoft released its Group Policy Management solution as a data federation tool in the form of a snap-in known as the Group Policy Management Console (GPMC). GPMC provides a GPO-centric management interface that greatly simplifies the administration, management, and location of GPOs. Through GPMC, you can create new GPOs, modify and edit objects, cut / copy / paste GPOs, back up objects, and execute the resulting set of policies.
Optimization
As the number of GPOs controlled increases, performance affects the machines on the network. Tip: If performance degrades, limit the object's network settings. The processing time increases in direct proportion to the number of individual settings. Relatively simple configurations, such as desktop settings or Internet Explorer policies, may not take long, while software folder redirects can severely strain the network, especially during peak periods.
Split the custom GPOs and then disable the unused portion. One of the best practices for both improving productivity and reducing management confusion is to create separate objects for parameters that will apply to computers and separate to users.
Administrators of Windows networks cannot avoid getting acquainted with. This overview article will focus on what Active Directory is and what they are eaten with.
So, Active Directory is Microsoft's implementation of a directory service. Directory service in this case means a software package that helps a system administrator to work with such network resources as shared folders, servers, workstations, printers, users and groups.
Active Directory has a hierarchical structure of objects. All properties are divided into three main categories.
- User and computer accounts;
- Resources (such as printers);
- Services (such as email).
Each object has a unique name and a number of characteristics. Objects can be grouped.
User properties Active Directory has a forest structure. The forest has several trees that contain domains. Domains, in turn, contain the aforementioned objects.
Active Directory structure Typically, objects in a domain are grouped into organizational units. Subdivisions are used to build a hierarchy within a domain (organizations, territorial subdivisions, departments, etc.). This is especially important for geographically dispersed organizations. When building the structure, it is recommended to create as few domains as possible, creating, if necessary, separate divisions. It is on them that it makes sense to apply group policies.
Workstation properties Another way to structure your Active Directory is sites... Sites are a way of physically grouping them together, not logically, based on network segments.
As mentioned, every object in Active Directory has a unique name. For example a printer HPLaserJet4350dtn which is in subdivision Lawyers and in the domain primer.ru will have a name CN = HPLaserJet4350dtn, OU = Lawyers, DC = primer, DC = ru. CN Is a common name, OU- subdivision, DC- the class of the domain object. An object name can have many more parts than in this example.
Another form of writing the name of an object looks like this: primer.ru/Lawyers/HPLaserJet4350dtn... Also, each object has a globally unique identifier ( GUID) is a unique and unchanging 128-bit string that is used in Active Directory for search and replication. Some objects also have a UPN ( UPN) in the format object @ domain.
Here's an overview of what Active Directory is and what they are for on Windows-based LANs. Finally, it makes sense to say that the administrator has the ability to work with Active Directory remotely through Remote Server Administration Tools for Windows 7 (KB958830)(Download) and Remote Server Administration Tools for Windows 8.1 (KB2693643) (Download).
