Administering accounts in the Active Directory domain. Some finds from third parties. Administration in Active Directory

Active Directory is a directory service from Microsoft for Windows NT family operating systems.

This service allows administrators to use Group Policy to ensure consistency in user environment settings, software installation, updates, and more.

What is the essence of Active Directory and what tasks does it solve? Read on.

Peer-to-Peer and Multi-Tier Networking Principles

But another problem arises: what if user2 on PC2 decides to change his password? Then, unless user1 also changes the password of the matching account on PC1, user2 will no longer be able to access the resource on PC1.

Another example: we have 20 workstations with 20 accounts to which we want to grant access to some resource; for this we must create 20 accounts on the file server and grant each of them access to the required resource.

And if there are not 20 but 200?

As you understand, network administration with this approach turns into a total hell.

Therefore, the workgroup approach is suitable for small office networks with no more than 10 PCs.

If there are more than 10 workstations in the network, a different approach becomes justified: one network node is delegated the task of performing authentication and authorization.

This node is the domain controller, which runs Active Directory.

Domain controller

The controller keeps a database of accounts, i.e. it keeps records for both PC1 and PC2.

Now all accounts are registered once on the controller, and local accounts are no longer needed.

Now, when a user logs into a PC by entering his username and password, this data is transmitted in protected (encrypted) form to the domain controller, which performs the authentication and authorization procedures.

After that, the controller issues the logged-in user something like a passport, with which he then works in the network and which he presents on request to the other computers and servers on the network whose resources he wants to connect to.

Important! A domain controller is a computer running Active Directory that controls user access to network resources. It stores objects representing resources (such as printers and shared folders), services (such as email), people (user and user group accounts) and computers (computer accounts).

The number of such saved resources can reach millions of objects.

The following versions of MS Windows can act as a domain controller: Windows Server 2000/2003/2008/2012 except for Web-Editions.

The domain controller, in addition to being the center of network authentication, is also the control center for all computers.

Immediately after turning on, the computer begins to contact the domain controller, long before the authentication window appears.

Thus, not only the user entering the login and password is authenticated, but also the client computer is authenticated.

Installing Active Directory

Let's look at an example of installing Active Directory on Windows Server 2008 R2. So, to install the Active Directory role, go to the "Server Manager":

Click "Add Roles":

Select the Active Directory Domain Services role:

And we proceed with the installation:

Then we get a notification window about the installed role:

After installing the domain controller role, let's proceed with the installation of the domain controller itself.

Click "Start", enter DCPromo in the program search field, launch the wizard and check the box for advanced installation settings:

Click "Next" and, from the proposed options, select the creation of a new domain in a new forest.

Enter the domain name, for example, example.net.

We write the NetBIOS domain name, without the zone:

We choose the functional level of our domain:

Because the domain controller depends on DNS, we also install a DNS server.

Leave the locations of the database, log file, system volume unchanged:

Enter the domain administrator password:

We check that everything has been filled in correctly and, if so, press "Next".

After that, the installation process will go, at the end of which a window will appear that informs about the successful installation:
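The wizard steps above have an unattended equivalent that is easier to audit and repeat. The following script is an added example, not part of the original article: it writes a dcpromo answer file for Windows Server 2008 R2 matching the choices made in the wizard (new forest, example.net, DNS server, default paths) and runs dcpromo against it. The domain name, NetBIOS name, functional level and the password prompt are assumptions taken from the steps above; the answer-file keys are the documented [DCINSTALL] parameters of dcpromo.

```powershell
# Added example, not part of the original article: unattended equivalent of the
# DCPromo wizard steps on Windows Server 2008 R2 (run in an elevated PowerShell
# after the AD DS role has been added). Adjust the assumed values to your environment.

$domainDns     = 'example.net'   # DNS name of the new forest root domain (as in the article)
$domainNetbios = 'EXAMPLE'       # NetBIOS name, written without the DNS zone
$answerFile    = Join-Path $env:TEMP 'dcpromo-answer.txt'

# SafeModeAdminPassword is the Directory Services Restore Mode (DSRM) password the
# wizard asks for on its password page. It is an offline-recovery credential for this
# controller, so choose it independently of the domain Administrator password.
$dsrmPassword = Read-Host 'Directory Services Restore Mode administrator password'

# [DCINSTALL] keys mirror the wizard pages: new domain in a new forest, the two domain
# names, functional level (4 = Windows Server 2008 R2), DNS server installation and
# the default database, log and SYSVOL locations.
@"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$domainDns
DomainNetbiosName=$domainNetbios
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Performs the same promotion the wizard does, reading the answers from the file
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
    Write-Host "dcpromo finished with exit code $LASTEXITCODE; review $env:SystemRoot\debug\dcpromo.log"
}
finally {
    # The answer file holds the DSRM password in clear text: remove it whatever the outcome
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# Once dcpromo.log shows the promotion succeeded, reboot; the controller is usable only after that:
#   Restart-Computer -Force
```

RebootOnCompletion is deliberately set to No so that the script can delete the answer file before the machine restarts; with Yes, dcpromo would reboot while the file still holds the password.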

Introduction to Active Directory

The report examines two types of computer networks that can be built with Microsoft operating systems: the workgroup and the Active Directory domain.

Any novice user, faced with the acronym AD, wonders what Active Directory is. Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, the service only dealt with domains. However, since Windows Server 2008, AD has become the name for a wide range of directory-based identity services. This makes Active Directory a good starting point for beginners.

Basic definition

The server that is running Active Directory Domain Services is called a domain controller. It authenticates and authorizes all users and computers in the Windows network domain, assigning and enforcing security policies for all PCs, and installing or updating software. For example, when a user logs on to a computer that is a member of a Windows domain, Active Directory validates the provided password and determines whether the user is a system administrator or a standard user. It also allows you to manage and store information, provides authentication and authorization mechanisms, and sets up a framework for deploying other related services: certificate services, federated and lightweight directory services, and rights management.

Active Directory uses LDAP versions 2 and 3, Microsoft's version of Kerberos and DNS.

What is Active Directory? In simple words about the complex

Tracking network data is a tedious task. Even on small networks, users tend to have difficulty finding network files and printers. Without some kind of directory, medium and large networks cannot be managed and often have difficulty finding resources.

Previous versions of Microsoft Windows included services to help users and administrators find data. Network Neighborhood is useful in many environments, but its obvious disadvantages are the awkward interface and its unpredictability. WINS Manager and Server Manager could be used to view the list of systems, but they were not available to end users. Administrators used User Manager to add and remove users, a completely different type of network object. These applications turned out to be ineffective in large networks and raised the question of why a company needs Active Directory.

A directory, in its most general sense, is a complete list of objects. A phone book is a type of directory that stores information about people, businesses and government organizations, and usually contains names, addresses and phone numbers. Asking what Active Directory is, in simple words it can be said that this technology is similar to a phone book, but much more flexible. AD stores information about organizations, sites, systems, users, shares and any other network object.

Introduction to the basic concepts of Active Directory

Why does an organization need Active Directory? As mentioned in the introduction, the service stores information about network components. The Active Directory For Beginners tutorial states that it allows clients to find objects in its namespace. This term (also called a console tree) refers to the area in which a network component can be located. For example, the table of contents of a book creates a namespace in which chapters can be mapped to page numbers.

DNS is a namespace that resolves hostnames to IP addresses, just as phone books provide a namespace for resolving names to phone numbers. How does this work in Active Directory? AD provides a namespace for resolving the names of network objects to the objects themselves, and it can resolve a wide variety of objects, including users, systems and services on the network.

Objects and Attributes

Anything that Active Directory tracks is considered an object. In simple words, an object in Active Directory is any user, system, resource or service. The general term object is used because AD is able to keep track of many kinds of elements, and many objects can share common attributes. What does this mean?

Attributes describe objects in Active Directory; for example, all user objects share attributes for storing the user's name. The same applies to their description. Systems are also objects, but they have a separate set of attributes that includes hostname, IP address and location.

The set of attributes available for any particular type of object is called the schema. It is what makes the classes of objects differ from each other. The schema information is itself stored in Active Directory. This is important: the schema allows administrators to add attributes to object classes and distribute them to every corner of the domain without restarting any domain controllers.

LDAP container and name

A container is a special type of object that is used to organize the operation of a service. It does not represent a physical entity like a user or a system. Instead, it is used to group other items together. Container objects can be nested within other containers.

Every item in AD has a name. These are not the ones you are used to, for example, Ivan or Olga. These are LDAP distinguished names. LDAP distinguished names are complex, but they allow any object within a directory to be uniquely identified, regardless of its type.

Term tree and site

The term tree is used to describe a set of objects in Active Directory. What is it? In simple terms, this can be explained by the image of a tree. When containers and objects are combined hierarchically, they form branches, hence the name. A related term is a contiguous subtree, which refers to the unbroken main trunk of the tree.

Continuing with the metaphor, the term forest describes a collection that is not part of the same namespace, but has a common schema, configuration, and global catalog. Objects in these structures are available to all users if security permits. Organizations with multiple domains should group trees into one forest.

A site is a geographic location as defined in Active Directory. Sites correspond to logical IP subnets and, as such, can be used by applications to find the closest server on the network. Using site information from Active Directory can significantly reduce WAN traffic.

Active Directory Management

The Active Directory Users and Computers snap-in is the most convenient tool for Active Directory administration. It is directly accessible from the Administrative Tools program group on the Start menu. It replaces and improves on Server Manager and User Manager from Windows NT 4.0.


Security

Active Directory plays an important role in the future of Windows networking. Administrators should be able to protect their directory from intruders and users while delegating tasks to other administrators. This is all possible using the Active Directory security model, which associates an access control list (ACL) with every container and object attribute in the directory.

Fine-grained control allows the administrator to give individual users and groups different permission levels for objects and their properties. They can even add attributes to objects and hide those attributes from certain groups of users. For example, you can set an ACL so that only managers can view the home phone numbers of other users.

Delegated administration

A concept new to Windows 2000 Server is delegated administration. This allows you to assign tasks to other users without granting additional access rights. Delegated administration can be assigned through specific objects or contiguous directory subtrees. This is a much more efficient method of granting authority over networks.

Instead of assigning someone all the rights of a global domain administrator, a user can be given permissions only within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL from their container.
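As an added example (not from the original article) of delegation over a subtree, the commands below grant a help-desk group the right to reset user passwords under one OU and nothing else, relying on the ACL inheritance just described. The domain hq.local is the article's lab domain; the OU and the HQ\Helpdesk group are assumptions. dsacls is the command-line ACL tool that ships with the AD DS role and RSAT.

```powershell
# Added example, not part of the original article: delegating a single task
# (password reset) over a single OU subtree with dsacls. The OU path and the
# Helpdesk group are assumptions; run with rights to modify the OU's ACL.

$ou = 'OU=Sales,DC=hq,DC=local'

# Record the current ACL before changing anything; keep this output as a baseline
& dsacls $ou

# Grant HQ\Helpdesk the "Reset Password" control access right on user objects below
# the OU. /I:S applies the entry to child objects only and lets it inherit down the
# subtree, so users created later under the OU are covered automatically.
& dsacls $ou /I:S /G 'HQ\Helpdesk:CA;Reset Password;user'

# A reset normally goes together with "user must change password at next logon",
# which means read/write on the pwdLastSet attribute of the same user objects.
& dsacls $ou /I:S /G 'HQ\Helpdesk:RPWP;pwdLastSet;user'

# Verify: only the Helpdesk entries for this OU should be new; the domain head and
# other OUs are untouched, which is the point of delegating by subtree.
& dsacls $ou | Select-String 'Helpdesk'
```

Compare the `dsacls` output before and after: the help-desk group never becomes a member of Domain Admins, and the two entries can be removed with `/R` if the delegation is no longer needed.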

The term "trusting relationship"

The term "trust" is still used but has different functionality. There is no distinction between unilateral and bilateral trusts. All Active Directory trusts are bidirectional. Moreover, they are all transitive. So, if domain A trusts domain B and B trusts C, then there is an automatic implicit trust relationship between domain A and domain C.

Auditing in Active Directory - what is it in simple terms? This is a security feature that allows you to determine who is trying to access objects, as well as how successful that attempt is.

Using DNS (Domain Name System)

DNS is essential for any organization connected to the Internet. DNS provides name resolution between common names such as mspress.microsoft.com and the raw IP addresses that network-layer components use to communicate.

Active Directory makes extensive use of DNS technology to find objects. This is a significant change from previous Windows operating systems, which required NetBIOS names to be resolved to IP addresses and relied on WINS or other NetBIOS name resolution techniques.

Active Directory works best when used with Windows 2000 DNS servers. Microsoft has made it easy for administrators to migrate to Windows 2000 DNS servers by providing migration wizards that guide the administrator through the process.

Other DNS servers can be used. However, in this case, administrators will have to spend more time managing the DNS databases. What are the nuances? If you choose not to use Windows 2000 DNS servers, you must ensure that your DNS servers support the DNS dynamic update protocol. Domain controllers rely on dynamic update to register the records that clients use to find them. If dynamic update is not supported, you have to update the databases manually, which is inconvenient.

Windows domains and Internet domains are now fully compatible. For example, a name such as mspress.microsoft.com identifies the Active Directory domain controllers responsible for that domain, so any client with DNS access can find a domain controller. Clients can use DNS resolution to look up any number of services, because Active Directory servers publish their addresses in DNS using the dynamic update functionality. This data is published under the domain name through service (SRV) resource records. SRV RRs follow the format _service._protocol.domain.

Active Directory servers provide the LDAP service for access to directory objects, and LDAP uses TCP as the underlying transport protocol. Therefore, a client looking for an Active Directory server in the mspress.microsoft.com domain will look for the DNS record _ldap._tcp.mspress.microsoft.com.
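The lookup described above can be reproduced from any domain-joined machine. The following is an added example, not from the original article: it queries the SRV records that clients use to find controllers and asks the Windows DC locator which controller it selects. hq.local is the article's own lab domain (the _kerberos and dc._msdcs names are additional locator records, not mentioned on the page); nslookup and nltest are standard Windows tools.

```powershell
# Added example, not part of the original article: listing the SRV records through
# which clients locate domain controllers, then asking the locator itself.

$domain = 'hq.local'   # the article's lab domain; replace with yours

# Names follow _service._protocol.domain. _ldap._tcp is the record discussed above;
# _kerberos._tcp is its authentication counterpart and dc._msdcs the DC-specific
# subtree that the Windows locator queries first.
$srvNames = @(
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain",
    "_ldap._tcp.dc._msdcs.$domain"
)

foreach ($name in $srvNames) {
    Write-Host "== $name =="
    # nslookup prints one "svr hostname = ..." line per controller that registered itself
    & nslookup -type=SRV $name 2>&1 | Select-String 'svr hostname|port'
}

# Ask the locator which DC it would use for this domain and why (site, flags)
& nltest /dsgetdc:$domain

# Every host in these records is trusted as a controller by clients: compare the
# list with the controllers you actually deployed and investigate any unknown entry.
```

Because controllers register these records themselves through dynamic update, the list is also where a misconfigured or decommissioned controller shows up first; the comparison at the end is a cheap periodic check.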

Global catalog

Active Directory provides a global catalog (GC), which provides a single source for finding any object on the organization's network.

The Global Catalog is a service in Windows 2000 Server that allows users to find any objects to which they have been granted access. This functionality is far superior to that of the Find Computer application included in previous versions of Windows. After all, users can search for any object in Active Directory: servers, printers, users and applications.

Alexander Emelyanov

Administering accounts in an Active Directory domain

One of the most important tasks of an administrator is to manage local and domain accounts: auditing, quotas and differentiation of user rights depending on their needs and company policy. What does Active Directory have to offer in this regard?

As a continuation of this series of articles on Active Directory, today we will talk about the central link in the administration process - managing user credentials within the domain. We will consider:

  • creating and managing accounts;
  • types of user profiles and their application;
  • security groups in AD domains and their combinations.

Ultimately, you can use these materials to build a working infrastructure or modify an existing one that will meet your requirements.

Looking ahead, I will say that the topic is closely related to the application of group policies for administrative purposes. But due to the vastness of the material devoted to them, it will be disclosed in the next article.

Introducing Active Directory - Users and Computers

After you have installed your first controller in the domain (thus actually creating the domain), five new elements appear in the "Administrative Tools" section (see Figure 1).

To manage AD objects, Active Directory - Users and Computers (ADUC - AD Users and Computers, see Fig. 2) is used, which can also be called through the Run menu via DSA.MSC.

With ADUC, you can create and delete users, assign login scripts to an account, and manage group memberships and group policies.

There is also the option to manage AD objects without going directly to the server. It is provided by the ADMINPAK.MSI package located in the %SYSTEMDRIVE%\Windows\system32 directory. By deploying it on your machine and giving yourself domain administrator rights (if you had none), you will be able to administer the domain.

When we open ADUC, we will see our domain branch containing five containers and organizational units.

  • Builtin. This contains the built-in local groups that are found on any server machine, including domain controllers.
  • Users and Computers. These are the containers that, by default, host users, groups and computer accounts when upgrading from Windows NT. But to create and store new accounts, there is no need to use only these containers; a user can even be created in the domain container. When a computer is added to a domain, it appears in the Computers container.
  • Domain Controllers. This is an Organizational Unit (OU) that contains domain controllers by default. When a new controller is created, it appears here.
  • ForeignSecurityPrincipals. This is the default container for objects from trusted external domains.

It is important to remember that GPOs are bound exclusively to a domain, OU, or site. Consider this when creating your domain's administrative hierarchy.

Entering the computer into the domain

The procedure is performed directly on the local machine that we want to connect.

Select "My Computer -> Properties -> Computer Name", click the "Change" button and select "Domain" under "Member of". Enter the name of the domain to which we want to add our computer, and then prove that we have the rights to add workstations to the domain by entering the credentials of the domain administrator.
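The same join can be done from PowerShell, which is easier to script for many workstations. The block below is an added example, not from the original article: hq.local is the article's lab domain, the OU path is an assumption, and the verification commands at the end are standard cmdlets run after the reboot.

```powershell
# Added example, not part of the original article: joining the local machine to the
# domain from an elevated PowerShell on the workstation instead of the System
# Properties dialog. hq.local is the article's domain; the OU path is assumed.

$domain = 'hq.local'

# Prompt for an account allowed to add workstations. The article uses the domain
# administrator; an account that has only been delegated "Create Computer objects" on
# the target OU is sufficient, and preferable on a machine you do not yet trust,
# because its password is typed on that machine.
$cred = Get-Credential

# -OUPath places the computer object in a chosen OU; leave it out to get the article's
# behaviour, where the account lands in the default Computers container.
Add-Computer -DomainName $domain -Credential $cred -OUPath 'OU=Workstations,DC=hq,DC=local' -Verbose

# The machine account and its secure channel become active only after a reboot
Restart-Computer -Force

# After the reboot, on the same workstation:
#   Test-ComputerSecureChannel -Verbose     # True when the trust with a controller is healthy
# and from a machine with RSAT, to see the new computer account in its container:
#   Get-ADComputer -Identity $env:COMPUTERNAME | Select-Object Name, DistinguishedName
```

`Test-ComputerSecureChannel` is also the first thing to run when a joined machine later reports that the trust relationship with the domain failed.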

Create a domain user

To create a user, you need to select any container in which it will be located, right-click on it and select "New -> User". The New User Wizard will open. Here you can specify many of its attributes, from username and domain logon time frames to settings for terminal services and remote access. After completing the wizard, you will receive a new domain user.

It should be noted that in the process of creating a user, the system may "swear" about insufficient password complexity or length. You can relax the requirements by opening the "Default Domain Security Settings" and then "Security Settings -> Account Policies -> Password Policy".

Let us create the user Ivan Ivanov in the Users container (User Logon Name: Ivanov@hq.local). Whereas on NT 4 systems this name was only a decoration, in AD it is part of an LDAP-formatted name, which looks like this in its entirety:

CN=Ivan Ivanov,CN=Users,DC=hq,DC=local

Here cn is the common name of the object or container, dc is the domain component. LDAP object descriptions are used in WSH scripts (Windows Script Host) or in programs that use the LDAP protocol to communicate with Active Directory.

To log on to the domain, Ivan Ivanov will have to use a name in the UPN format (User Principal Name): Ivanov@hq.local. In AD domains, the name in the old NT 4 format (pre-Windows 2000), in our case HQ\Ivanov, is also understood.

When a user account is created, it is automatically assigned a security identifier (SID, Security Identifier), a unique number by which the system identifies users. This is very important to understand: deleting an account also deletes its SID, which is never reused. Each new account gets its own new SID, which is why it cannot obtain the rights and privileges of the old one.

The account can be moved to another container or OU, disabled or enabled, copied, or have its password changed. Copying is often used to create multiple users with the same parameters.
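As an added example (not from the original article), the following creates the same user with the ActiveDirectory PowerShell module and reads back the three name forms and the SID discussed above. hq.local, the Users container and the logon name Ivanov are the article's; the password prompt and the choice to force a password change at first logon are assumptions. The module ships with RSAT and Windows Server 2008 R2 and later.

```powershell
# Added example, not part of the original article: creating Ivan Ivanov with the
# ActiveDirectory module and inspecting DN, UPN, pre-Windows 2000 name and SID.

Import-Module ActiveDirectory

# Show the password policy the wizard enforces before creating the account; picking an
# initial password that satisfies it is the alternative to relaxing the policy.
Get-ADDefaultDomainPasswordPolicy -Identity 'hq.local' |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, LockoutThreshold

$password = Read-Host 'Initial password for Ivan Ivanov' -AsSecureString

$newUser = @{
    Name                  = 'Ivan Ivanov'               # becomes the CN in the LDAP name
    GivenName             = 'Ivan'
    Surname               = 'Ivanov'
    SamAccountName        = 'Ivanov'                    # pre-Windows 2000 form: HQ\Ivanov
    UserPrincipalName     = 'Ivanov@hq.local'           # UPN typed at logon
    Path                  = 'CN=Users,DC=hq,DC=local'   # the Users container, as in the article
    AccountPassword       = $password
    ChangePasswordAtLogon = $true                       # the admin knows the initial password
    Enabled               = $true
}
New-ADUser @newUser

# Read back the name forms and the SID. The SID is what ACLs store: if this account is
# deleted and re-created, the new object gets a different SID and the old ACL entries
# remain as unresolved S-1-5-21-... identifiers, exactly as described above.
Get-ADUser -Identity 'Ivanov' |
    Format-List DistinguishedName, UserPrincipalName, SamAccountName, SID
```

`DistinguishedName` in the output is the LDAP name shown above; the same account can be referenced by any of the three forms in most tools, but only the SID survives a rename.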

User work environment

Credentials stored centrally on the server allow users to uniquely identify themselves to the domain and gain appropriate rights and access to the work environment. All operating systems of the Windows NT family use a user profile to create a working environment on a client machine.

Local profile

Let's consider the main components of a user profile:

  • A registry key corresponding to a specific user (a "hive"). The data for this registry branch is actually stored in the NTUSER.DAT file, located in the %SYSTEMDRIVE%\Documents and Settings\User_name folder that contains the user profile. Thus, when a particular user logs on to the system, the NTUSER.DAT "hive" from the folder containing his profile is loaded into the HKEY_CURRENT_USER registry key, and all changes to the user environment settings made during the session are saved in this "hive". The NTUSER.DAT.LOG file is a transaction log that exists to protect the NTUSER.DAT file. However, you are unlikely to find it for the Default User profile, because that is a template. More on this later. The administrator can edit the "hive" of a specific user directly from his own work environment: using the REGEDIT32 registry editor, he loads the "hive" under the HKEY_USERS key and, after making the changes, unloads it.
  • File system folders containing user preference files. They are located in the special directory %SYSTEMDRIVE%\Documents and Settings\User_name, where User_name is the name of the user logged on to the system. This is where desktop items, startup items, documents, etc. are stored.

When a user logs in for the first time, the following happens:

  1. The system checks if a local profile for this user exists.
  2. Not finding it, the system contacts the domain controller to find the default domain profile, which should be located in the Default User folder on the NETLOGON share; if the system finds this profile, it is copied locally to the %SYSTEMDRIVE%\Documents and Settings\User_name folder, otherwise the local %SYSTEMDRIVE%\Documents and Settings\Default User folder is copied instead.
  3. A custom hive is loaded into the HKEY_CURRENT_USER registry key.
  4. When you log out, all changes are saved locally.

In the end, a user's work environment is a combination of his own profile and the All Users profile, which contains the settings common to all users of this machine.

Now a few words about creating a default profile for a domain. Create a dummy profile on your machine, customize it according to your needs or corporate policy requirements. Then log out and log back in as a domain administrator. Create the Default User folder on the NETLOGON server share. Then, using the User Profiles tab in the System applet (see Figure 3), copy your profile to this folder and grant the rights to use it to the Domain Users group or some other suitable security group. That's it, the default profile for your domain has been created.

Roaming profile

As a flexible and scalable technology, Active Directory allows you to work in your enterprise environment with roaming profiles, which we will discuss next.

At the same time, it will be appropriate to talk about folder redirection as one of the features of IntelliMirror technology for providing fault tolerance and centralized storage of user data.

Roaming profiles are stored on the server. The path to them is specified in the domain user settings (see Fig. 4).

If you wish, you can specify roaming profiles for several users at the same time by selecting several users, and in the properties in the "Profile" tab specify% USERNAME% instead of the folder with the username (see Figure 5).

The first login process for a user with a roaming profile is similar to the one described above for a local one, with a few exceptions.

First, since the path to the profile is specified in the user object, the system checks for a cached local copy of the profile on the machine, then everything is as described.

Secondly, upon completion of work, all changes are copied to the server, and if group policies do not specify to delete the local copy, they are saved on this machine. If the user already had a local copy of the profile, then the server and local copies of the profile are compared, and they are merged.

IntelliMirror technology in recent Windows versions allows you to redirect certain user folders, such as "My Documents", "My Pictures", etc., to a network resource.

Thus, for the user, all changes made will be completely transparent. By saving documents to the "My Documents" folder, which has been redirected to a network resource, he will not even suspect that everything is being saved to the server.

You can configure redirection either manually for each user, or using group policies.

In the first case, you need to click on the "My Documents" icon on the desktop or in the "Start" menu with the right mouse button and select properties. Then everything is extremely simple.

In the second case, you need to open the group policy of the OU or domain to which we want to apply redirection and expand the hierarchy "User Configuration -> Windows Settings" (see Fig. 6). There, redirection is configured either for all users or for specific security groups of the OU or domain to which this group policy applies.

By using folder redirection to work with roaming user profiles, you can achieve, for example, a reduction in profile load time. This is provided that the roaming profile is always loaded from the server without using a local copy.

A story about folder redirection would be incomplete without mentioning offline files. They allow users to work with documents even when they are not connected to the network. Synchronization with server copies of documents occurs the next time the computer is connected to the network. Such an organization scheme will be useful, for example, for laptop users working both within the framework of local network and at home.

The disadvantages of roaming profiles include the following:

  • a situation may arise when, for example, shortcuts of some programs will exist on the user's desktop, but on another machine where the owner of the roaming profile wants to work, such programs are not installed, so some of the shortcuts will not work;
  • many users are in the habit of storing documents, as well as photos and even videos on the desktop, as a result, each time a roaming profile is loaded from the server, additional network traffic is generated, and the profile itself takes a very long time to load; to solve the problem, use NTFS permissions to limit the saving of "garbage" on the desktop;
  • every time a user logs on to the system, a local profile is created for him (more precisely, the profile from the server is copied locally), and if he changes working machines, then such "garbage" remains on each of them; this can be avoided by configuring group policies in a certain way ("Computer Configuration -> Administrative Templates -> System -> User Profiles", "Delete cached copies of roaming profiles" policy).

Introducing an existing user to the domain

Often, when deploying a directory service in an existing workgroup-based network, the question arises of adding a user to the domain without losing the settings of his work environment. This can be achieved using roaming profiles.

Create a folder with the username on a shared network resource (for example, Profiles) on the server and give it write permissions for the Everyone group. Let it be called HQUser, so that the full path to it is \\Server\Profiles\HQUser.

Create a domain user that will correspond to the user on your local network, and specify \\Server\Profiles\HQUser as the path to the profile.

On the computer containing the local profile of our user, log in under an administrator account and, using the User Profiles tab of the System applet, copy it to the \\Server\Profiles\HQUser folder.

It is easy to understand that the next time we log into the system under a new domain account, our user will load his work profile from the server, and the administrator will only have to decide whether to leave this profile roaming or make it local.
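The folder preparation and the profile-path setting from the two procedures above (the %USERNAME% approach in the Profile tab and the migration of an existing user) can be scripted. The block below is an added example, not from the original article. The server, the Profiles share and the user HQ\Ivanov are the article's; the ACL is an assumption that narrows the folder to the user, SYSTEM and Domain Admins instead of write access for Everyone, because a profile folder writable by everyone lets any user plant files in another user's environment.

```powershell
# Added example, not part of the original article: creating a per-user roaming profile
# folder under \\Server\Profiles with a tight ACL and pointing the account at it.

Import-Module ActiveDirectory

$share  = '\\Server\Profiles'
$user   = Get-ADUser -Identity 'Ivanov'           # the article's user HQ\Ivanov
$folder = Join-Path $share $user.SamAccountName   # \\Server\Profiles\Ivanov

New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Cut inheritance from the share root, then grant explicitly. (OI)(CI) propagate each
# entry to files and subfolders. Domain Admins keep Full Control so the migration step
# above (copying the local profile with the System applet) is not denied.
& icacls $folder /inheritance:r `
    /grant "HQ\$($user.SamAccountName):(OI)(CI)M" `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'HQ\Domain Admins:(OI)(CI)F'

# The Profile tab setting. For several users, loop over them and derive each path from
# SamAccountName as above rather than typing it per user.
Set-ADUser -Identity $user -ProfilePath $folder

# Verify what the client will read at logon
Get-ADUser -Identity $user -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

The `icacls` line is the part worth keeping even if the rest is done in the GUI: the article's "write for Everyone" works for the first copy but leaves the profile open to every other account on the network afterwards.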

Quotas

Very often users dump unnecessary information on network drives. To avoid constantly asking them to clean their personal folders of garbage (for some reason this is always necessary), you can use the quota mechanism. Starting from Windows 2000, this can be done with standard means on NTFS volumes.

To enable the quota mechanism and configure it, go to the properties of the local volume and open the Quota tab (see Fig. 7).

You can also view the data on the occupied disk space and configure quotas separately for each user (see Figure 8). The system calculates the occupied disk space based on data about the owner of the objects, summing up the amount of files and folders belonging to him.
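The Quota tab settings have a command-line equivalent in fsutil, which is convenient for applying the same limits on several file servers. The following is an added example, not from the original article: D:, the thresholds and the event-log check are assumptions; HQ\Ivanov is the article's user.

```powershell
# Added example, not part of the original article: NTFS quotas from the command line,
# equivalent to the Quota tab above. Run as an administrator on the file server.

$volume = 'D:'

# Equivalent of "Enable quota management" plus "Deny disk space to users exceeding
# quota limit" ("fsutil quota track" would only record usage without enforcing it).
& fsutil quota enforce $volume

# Per-user entry: warning threshold and hard limit are given in bytes
$threshold = 400MB
$limit     = 500MB
& fsutil quota modify $volume $threshold $limit 'HQ\Ivanov'

# Usage per owner: the system sums the files and folders each account owns, as above
& fsutil quota query $volume

# NTFS records who reached the threshold (event 36) or the limit (event 37) in the
# System log, which is the place to look before a user reports "access denied" on save.
Get-EventLog -LogName System -Source Ntfs -Newest 50 |
    Where-Object { 36, 37 -contains $_.EventID }
```

Because the system attributes space by file owner, a user who copies someone else's files becomes their owner and is charged for them; check ownership with `fsutil quota query` output before assuming a quota report is wrong.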

User groups in AD

Managing users within a domain is easy. But when you need to configure access to certain resources for several dozen (or even hundreds) users, it can take a lot of time to distribute access rights.

And if there is a need to subtly delimit the rights of members of several domains within a tree or forest, the administrator is faced with a task akin to tasks from set theory. The use of groups comes to the rescue here.

The main characterization of groups found within a domain was given in a previous article on the architecture of a directory service.

As a reminder, domain local groups can include users in their own domain and other domains in the forest, but their scope is limited to the domain to which they belong.

Global groups can include only users of their own domain, but it is possible to use them to provide access to resources both within their own and other domains in the forest.

Universal groups, as their name suggests, can contain users from any domain and can also be used to provide forest-wide access. It does not matter in which domain the universal group will be created, the only thing worth considering is that when you move it, the access rights will be lost and they will need to be reassigned.

To understand the above and the basic principles of nesting groups, consider an example. Suppose we have a forest containing two domains HQ.local and SD.local (which one is the root in this case does not matter). Each of the domains contains resources to which you want to grant access and users (see Figure 9).

From fig. 9, you can see that all users in the forest must have access to the Docs and Distrib resources (green and red lines), so we can create a universal group containing users from both domains and use it when specifying permissions to access both resources. Alternatively, we can create two global groups in each domain, which will contain only users of our domain, and include them in the universal group. Any of these global groups can also be used to assign rights.

Only users from the HQ.local domain (blue lines) should have access to the Base directory, so we will include them in a domain local group and grant access to this group.

Both members of the HQ.local domain and members of the SD.local domain will be allowed to use the Distrib directory (orange lines in Figure 9). Therefore, we can add the Manager and Salary users to the global group of the HQ.local domain, and then add this group to the domain local group of the SD.local domain together with the IT user. Then we grant this domain local group access to the Distrib resource.

Now we will take a closer look at the nesting of these groups and consider another type of group - built-in domain local groups.

The table shows which groups can be nested in which. The columns are the groups into which the groups in the rows are nested. A plus means that one type of group can be nested in the other, a minus that it cannot.

On a resource on the Internet dedicated to Microsoft certification exams, I saw a mention of the formula AGUDLP, which means: Accounts are placed in Global groups, which are placed in Universal groups, which are placed in Domain Local groups, to which Permissions are applied. This formula fully describes the nesting possibilities. It should be added that all these types can also be nested in the local groups of a single machine (domain local groups only within their own domain).

Domain group nesting

Nested group (rows)  | into Domain local groups                                            | into Global groups             | into Universal groups
---------------------|---------------------------------------------------------------------|--------------------------------|----------------------
Account              | +                                                                   | +                              | +
Domain local groups  | + (excluding built-in local groups and only within its own domain)  | -                              | -
Global groups        | +                                                                   | + (only within its own domain) | +
Universal groups     | +                                                                   | -                              | +

Built-in domain local groups are located in the Builtin container and are actually machine local groups, but of the domain controllers. And unlike the domain local groups in the Users container, they cannot be moved to other organizational units.
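The HQ.local / SD.local scenario above, built with the Quest AD cmdlets described later on this page, as an added example (not code from the article). It follows the AGUDLP pattern end to end: accounts go into global groups, global groups into a universal group, and only domain local groups in the resource's own domain receive permissions. Container paths (hq.local/Groups, sd.local/Employees), group names, the domain in which Docs lives, and the -GroupType/-GroupScope parameter names (as in the Quest documentation; the article's own snippets show -Type/-Scope) are assumptions.

```powershell
# Added example, not from the article. Builds the HQ.local / SD.local access structure
# following AGUDLP: Accounts -> Global groups -> Universal group -> Domain Local groups -> Permissions.
# Container paths, group names and the -GroupType/-GroupScope parameter names are assumptions.

# 1. Global groups: one per domain, holding only that domain's own accounts.
New-QADGroup -ParentContainer 'hq.local/Groups' -Name 'GG-HQ-Users' -GroupType Security -GroupScope Global
New-QADGroup -ParentContainer 'sd.local/Groups' -Name 'GG-SD-Users' -GroupType Security -GroupScope Global
Get-QADUser -SearchRoot 'hq.local/Employees' | Add-QADGroupMember 'HQ\GG-HQ-Users'
Get-QADUser -SearchRoot 'sd.local/Employees' | Add-QADGroupMember 'SD\GG-SD-Users'

# 2. Universal group: every user in the forest, assembled from the two global groups.
New-QADGroup -ParentContainer 'hq.local/Groups' -Name 'UG-Forest-Users' -GroupType Security -GroupScope Universal
Add-QADGroupMember 'HQ\UG-Forest-Users' -Member 'HQ\GG-HQ-Users', 'SD\GG-SD-Users'

# 3. Domain local groups in the resource's own domain; only these are put on the ACLs.
#    Docs (assumed to live in HQ.local): all forest users (green lines in fig. 9).
New-QADGroup -ParentContainer 'hq.local/Groups' -Name 'DL-Docs-Read' -GroupType Security -GroupScope DomainLocal
Add-QADGroupMember 'HQ\DL-Docs-Read' -Member 'HQ\UG-Forest-Users'

#    Base: HQ.local users only (blue lines).
New-QADGroup -ParentContainer 'hq.local/Groups' -Name 'DL-Base-Read' -GroupType Security -GroupScope DomainLocal
Add-QADGroupMember 'HQ\DL-Base-Read' -Member 'HQ\GG-HQ-Users'

#    Distrib in SD.local: HQ's Manager and Salary via a global group, plus SD's IT user (orange lines).
New-QADGroup -ParentContainer 'hq.local/Groups' -Name 'GG-HQ-Distrib' -GroupType Security -GroupScope Global
Add-QADGroupMember 'HQ\GG-HQ-Distrib' -Member 'HQ\Manager', 'HQ\Salary'
New-QADGroup -ParentContainer 'sd.local/Groups' -Name 'DL-Distrib-Read' -GroupType Security -GroupScope DomainLocal
Add-QADGroupMember 'SD\DL-Distrib-Read' -Member 'HQ\GG-HQ-Distrib', 'SD\IT'

# 4. Verify who actually ends up with access by expanding nested membership down to accounts.
Get-QADGroupMember 'SD\DL-Distrib-Read' -Indirect | Format-Table Name, DN
```

The final Get-QADGroupMember -Indirect call is the check worth keeping as a routine: when permissions are granted only to domain local groups, expanding one group per resource tells you exactly which accounts can reach it, whatever the nesting in between.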

A correct understanding of the account administration process will allow you to build a well-defined enterprise working environment that is flexible to manage and, most importantly, provides fault tolerance and domain security. In the next article, we will talk about Group Policy as a tool for creating a custom environment.

Appendix

Domain authentication nuances

When using local profiles, a situation may arise in which a domain user tries to log on to a workstation that holds his local profile but, for some reason, has no access to the controller. Surprisingly, the user will be successfully authenticated and allowed to work.

This happens because user credentials are cached; the behaviour can be changed in the registry. To do this, in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, create (if there is none) a value named CachedLogonsCount, of data type REG_DWORD, and set it to zero. Keep in mind that with the value at zero, a domain user cannot log on at all while the controller is unreachable. You can achieve a similar result with Group Policy.

  1. Emelyanov A. Principles of building Active Directory domains // System Administrator, No. 2, 2007, pp. 38-43.

In the November issue of ComputerPress, we introduced you to the key features of Windows PowerShell, a new command line environment and scripting language from Microsoft. Today we will look at using this environment to administer a corporate Active Directory (AD) directory.

PowerShell at a glance

Windows PowerShell is a new command line and scripting language from Microsoft. PowerShell is a component of Windows Server 2008 (you just need to select it in Server Manager) and is available for download from www.microsoft.com/powershell for Windows XP, Windows Server 2003 and Windows Vista.

If you are not familiar with Windows PowerShell, we recommend that you first read the article "Windows PowerShell. Briefly about the main thing" in ComputerPress No. 11'2007. In this publication, we will restrict ourselves to a brief review of the basics and go straight to the main topic of the article.

So, PowerShell commands are called cmdlets and consist of a verb (for example, get, set, new, remove, move, connect) and a singular noun describing the object of the action. A hyphen is inserted between them. The result looks like get-process, stop-service, etc.

Commands are usually linked into a pipeline, denoted by the vertical bar (|). This sign means that the entire collection of objects from the previous command is passed to the input of the next one.

This object orientation is very convenient because it makes it easy to manipulate objects and link commands together. In this article, we'll show you how this approach makes it easier to manage your corporate directory based on Active Directory.

How to work with Active Directory

Active Directory is the foundation of corporate networks based on Windows Server 2000, 2003 and 2008. This is where all user accounts, information about groups, network computers, e-mail boxes and much more are stored.

All this wealth needs to be managed, and the corresponding toolkit included in Windows Server is intended for that, but it is PowerShell that makes it easy to automate bulk actions aimed at a large number of objects.

There are three main ways to work with Active Directory in Windows PowerShell:

  • using Active Directory Service Interfaces (ADSI) - this is the most complex method, but it works in any PowerShell installation and does not require additional modules. It is also closest to the method used in the VBScript scripting language;
  • using the Active Directory provider included with PowerShell Community Extensions - this method lets you mount the directory as a drive on your computer and navigate through it using the familiar commands: dir, cd, etc. This method requires the installation of an additional module from the CodePlex website;
  • using the Active Directory management cmdlets - the most convenient way to manipulate directory objects, but it also requires the installation of the corresponding modules.

ADSI

Active Directory Service Interfaces (ADSI) is familiar to anyone who has tried to write scripts in VBScript. PowerShell implements this interface using a so-called adapter. By specifying in square brackets the name of the adapter (ADSI) and the path to the object in the directory in LDAP notation (Lightweight Directory Access Protocol - a directory protocol that AD also supports), we get access to the object from the directory and can call its methods.

For example, let's connect to one of the directory containers and create a new user account in it.

$objOU = [ADSI]"LDAP://mydc:389/ou=CTO,dc=Employees,dc=testdomain,dc=local"

So now we have the $objOU variable containing the container object (variable names in PowerShell start with a dollar sign).

Let's call the Create method and create a new user in the container:

$objUser = $objOU.Create("user", "cn=Dmitry Sotnikov")

We can now set various attributes:

$objUser.Put("sAMAccountName", "dsotnikov")

And finally, we tell the directory to apply these changes:

$objUser.SetInfo()

The advantages of using an ADSI adapter are:

  • its presence in any PowerShell distribution. If you have PowerShell installed and have a directory to work with, you have everything you need;
  • taking an approach similar to VBScript. If you have a lot of experience working with a directory in the VBScript scripting language or in .NET applications, you should feel confident using this approach.

Unfortunately, the method also has disadvantages:

  • complexity - this is the most difficult way to work with a directory. Writing the path to an object in LDAP notation is not trivial. For any work with attributes, you need to specify their internal names, which means remembering that the attribute holding the user's city is called not "City" but "l", etc.;
  • verbosity - as you can see from the example, the simplest operation of creating one account takes at least four lines, including the overhead of connecting to the container and applying the changes. Thus, even relatively simple operations turn into complex scripts.

AD provider

PowerShell allows you to represent various systems as additional disks on your computer using so-called providers. For example, PowerShell comes with a registry provider and we can navigate the registry using the cd and dir commands we all know and love (for UNIX lovers, the ls command is also supported).

There is no Active Directory provider in PowerShell, but you can install it by going to the PowerShell Community Extensions project site: http://www.codeplex.com/PowerShellCX.

It is an open source project that adds a large number of commands to PowerShell and also installs an AD provider.

Using an Active Directory Provider

After installing the extensions, typing Get-PSDrive shows that a drive for the current Active Directory domain has been added alongside the familiar drives.

Now we can go into this directory by typing cd and specifying the domain name, and in any container use the dir command to see its contents.

In addition, you can call other familiar file management commands (for example, del).

The undoubted advantages of using a provider include:

  • natural presentation of the directory structure - the AD directory is inherently hierarchical and similar to the file system;
  • convenience of finding objects - using cd and dir is much more convenient than composing an LDAP query.

The disadvantages are striking:

  • the complexity of making changes to objects - the provider helps you get to an object easily, but to change something we again have to use the same directory objects as in the ADSI method, and thus operate at the low level of AD service methods and attributes;
  • the need for additional installation - the provider is not included in PowerShell, and to use it you need to download and install PowerShell Community Extensions;
  • third-party origin - PowerShell Community Extensions are not a Microsoft product. They are created by project enthusiasts. You are free to use them, but for technical support you will have to contact not Microsoft but the project site.

AD cmdlets

In addition to the provider described above, there is a set of cmdlets for working with AD (often called AD cmdlets or QAD cmdlets), available from the site http://www.quest.com/activeroles_server/arms.aspx.

Cmdlets consist of standard operation verbs (get-, set-, rename-, remove-, new-, move-, connect-) and nouns with the QAD prefix (-QADUser, -QADGroup, -QADComputer, -QADObject).

For example, to create a new user account, you need to run the following command:

The advantages of this approach are as follows:

  • simplicity - using cmdlets hides the complexity of the directory, its schema and internal attributes from you. You work with directory objects at the level of understandable object names (user, group, computer), their properties (name, password, city, department) and actions on them (get, set, remove, move, new);
  • conciseness and expressiveness - as we will see, most actions with cmdlets can be expressed as simple and natural one-line operations.

The disadvantages are the same as for the provider:

  • the need for additional installation - cmdlets, like the provider, are not included in PowerShell, and to use them you need to download and install the appropriate library;
  • third-party origin - AD cmdlets are not a Microsoft product. They are created by Microsoft partner Quest Software. You are free to use them, but for technical support you will have to contact not Microsoft but the Active Directory forums on the PowerGUI.org site.

In our opinion, these shortcomings are more than offset by the simplicity and naturalness of use, so the practical examples below use this particular approach.

Active Directory Management

Let's take a look at how PowerShell allows you to perform basic AD operations:

  • retrieving information;
  • changing properties;
  • working with groups;
  • creating new objects;
  • changing the directory structure.

Retrieving information

Information is retrieved in PowerShell using cmdlets with the Get verb.

For example, to get a list of all users, type:

For groups:

For computer records:

If you do not need all the records, but some specific ones, you can select them using the command parameters.

Getting a list of users

All groups from the Users container:

Get-QADGroup -SearchRoot scorpio.local/users

All users from the sales department of the Moscow office, whose names begin with the letter A:

Get-QADUser -City Moscow -Department Sales -Name a*

You can also tell PowerShell in what form you want to see the retrieved information.

Table with names, cities and divisions of employees:

Get-QADUser | Format-Table Name, City, Department

Same thing with sorting by city:

Get-QADUser | Sort City | Format-Table DisplayName, City, Department

Sorting values and selecting fields for output

To output the same information as a list, simply use the Format-List command:

Get-QADUser | Format-List Name, City, Department

Export information to a CSV (comma-separated values) file:

Get-QADUser | Select Name, City, Department | Export-Csv users.csv

Create HTML report:

Get-QADUser | Select Name, City, Department | ConvertTo-HTML | Out-File users.html

Thus, with one line of a simple PowerShell command, you can create complex reports in a format that is convenient for you.

PowerShell lets you change a set of record attributes in one command

Modifying properties

Now that we are used to getting information from the directory, it's time to change something in it.

The properties of objects can be manipulated using the Set-* commands.

For example, let's change my phone number:

Set-QADUser 'Dmitry Sotnikov' -PhoneNumber '111-111-111'

But, of course, bulk changes are much more interesting. For these we can use the PowerShell pipeline, that is, get a list of the objects we need using Get- commands and send them to a Set- command to make the changes.

For example, our Perm office has moved to new premises. Take all Perm users and assign them a new phone number:

Get-QADUser -City Perm | Set-QADUser -PhoneNumber '+7-342-1111111'

For more complex manipulations, you can use the ForEach-Object cmdlet. For example, let's assign a description for each user, consisting of his department and city:

Get-QADUser | ForEach-Object { Set-QADUser $_ -Description ($_.City + " " + $_.Department) }

The variable $_ in this example denotes the current object of the collection.

PowerShell provides a seamless experience with user groups

Working with groups

Working with groups and their membership is another bulk operation that you often want to automate. PowerShell provides this capability.

Group members are retrieved using the Get-QADGroupMember cmdlet:

Get-QADGroupMember Managers

Adding an object to a group is also easy:

Add-QADGroupMember Scorpio\Managers -Member dsotnikov

Similarly, removal from a group is done using the Remove-QADGroupMember cmdlet.

But, of course, bulk manipulation is the most useful. Add all managers to the appropriate group:

Get-QADUser -Title Manager | Add-QADGroupMember Scorpio\Managers

Let's copy the group membership:

Get-QADGroupMember Scorpio\Managers | Add-QADGroupMember Scorpio\Managers_Copy

We use a filter to copy not all members of the group, but only those who meet a certain criterion (for example, located in the required region):

Get-QADGroupMember Scorpio\Managers | where { $_.City -eq 'Ekaterinburg' } | Add-QADGroupMember Scorpio\Ekaterinburg_Managers

Notice how we filtered the users using the where command and a boolean condition (-eq is the equality operator in PowerShell, from the English "equals").
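The same Get-QADGroupMember and Remove-QADGroupMember cmdlets, used for a check rather than a change, as an added example that is not from the article: the current members of a sensitive group are compared with an approved list and any drift is reported, with the clean-up only previewed via -WhatIf. The group name and the approved list are constructed for illustration; the example assumes the Quest modifying cmdlets honour -WhatIf.

```powershell
# Added example, not from the article. Reports membership drift in a group by comparing
# its current members against an approved list; removals are only previewed with -WhatIf.
# The group name and the approved list are constructed for illustration.

$group    = 'Scorpio\Managers'
$approved = @('dsotnikov', 'ivanov', 'petrova')     # sAMAccountNames that should be members

# Direct members only; add -Indirect to Get-QADGroupMember to expand nested groups as well.
$current = @(Get-QADGroupMember $group | ForEach-Object { $_.SamAccountName })

if ($current.Count -eq 0) {
    # Compare-Object rejects an empty difference list, so handle the empty group explicitly.
    Write-Warning "$group has no members; every approved account is missing"
    $missing    = $approved
    $unexpected = @()
} else {
    $diff       = Compare-Object -ReferenceObject $approved -DifferenceObject $current
    $missing    = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
    $unexpected = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
}

$missing    | ForEach-Object { "Missing from $group : $_" }
$unexpected | ForEach-Object { "Not on the approved list for $group : $_" }

# Preview the removals; drop -WhatIf only after the list above has been reviewed.
foreach ($sam in $unexpected) {
    Remove-QADGroupMember $group -Member $sam -WhatIf
}
```

Run on a schedule, the two output lines are the detection: an account that appears in a privileged group without being on the approved list is worth an alert before anyone runs the removal.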

Object creation

Objects are created, as we have already seen, with the New- commands:

New-QADUser -ParentContainer scorpio.local/Employees -Name 'Dmitry Sotnikov'

New-QADGroup -ParentContainer scorpio.local/Employees -Name 'Managers' -Type Security -Scope Global

You can set any other attributes while creating a record:

New-QADUser -ParentContainer scorpio.local/Employees -Name 'Dmitry Sotnikov' -samAccountName dsotnikov -City 'Saint-Petersburg' -Password '<InitialPassword>'

To enable the account, simply pipe it to Enable-QADUser (remember to set a password, otherwise the operation will fail):

New-QADUser -ParentContainer scorpio.local/Employees -Name 'Dmitry Sotnikov' -Password '<InitialPassword>' | Enable-QADUser

Import-CSV new_users.csv | ForEach-Object { New-QADUser -ParentContainer scorpio.local/users -Name ($_.Familia + ', ' + $_.Imya) -samAccountName ($_.Imya + $_.Familia) -Department $_.Department -Title $_.Title }

Please note that we compose the account name from the user's last name and first name on the fly.
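A fuller version of the CSV import above, as an added example (not from the article): before creating each account it checks whether the sAMAccountName already exists, gives the new account a random initial password so that Enable-QADUser succeeds, forces a password change at first logon and returns a record of what was created. The CSV rows, the container path and the naming rule are constructed for illustration; -UserPassword and -UserMustChangePassword are the parameter names from the Quest cmdlet documentation (the article's own snippets show -Password), so check them against your installed version.

```powershell
# Added example, not from the article. Bulk account creation from CSV with an existence check,
# a random initial password, a forced change at first logon and a record of what was created.
# CSV rows, container path, naming rule and the -UserPassword/-UserMustChangePassword names are assumptions.

Add-Type -AssemblyName System.Web      # for [System.Web.Security.Membership]::GeneratePassword

$newUsers = @'
Familia,Imya,Department,Title
Ivanov,Petr,Sales,Manager
Petrova,Anna,IT,Engineer
'@ | ConvertFrom-Csv                   # constructed input, stands in for new_users.csv

$parent = 'scorpio.local/Users'

$newUsers | ForEach-Object {
    $name = $_.Familia + ', ' + $_.Imya
    $sam  = ($_.Imya.Substring(0, 1) + $_.Familia).ToLower()    # pivanov, apetrova

    # Never overwrite or duplicate an existing account: report it and move to the next row.
    if (Get-QADUser -SamAccountName $sam) {
        Write-Warning "$sam already exists, skipping $name"
        return      # inside ForEach-Object this ends only the current iteration
    }

    # 16 characters, at least 3 non-alphanumeric; adjust to the domain password policy.
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)

    $user = New-QADUser -ParentContainer $parent -Name $name -SamAccountName $sam `
                -Department $_.Department -Title $_.Title -UserPassword $initial

    # Enable-QADUser fails on an account without a password, hence the password set above.
    $user | Enable-QADUser | Out-Null
    Set-QADUser $user -UserMustChangePassword $true | Out-Null

    # Hand the initial password to the user out of band; do not write it to a shared file.
    New-Object PSObject -Property @{ Name = $name; SamAccountName = $sam; InitialPassword = $initial }
}
```

The existence check is what makes the script safe to re-run after a partial failure: rows already processed are skipped with a warning instead of producing errors or duplicate names.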

Example of using an import file of records

Changing the directory structure

Finally, of course, you can control the directory structure.

For example, you can create new containers:

New-QADObject -type OrganizationalUnit -ParentContainer scorpio.local -Name NewOU

and move objects into them one by one:

Move-QADObject MyServer -To scorpio.local/servers

or wholesale:

Get-QADUser -Disabled | Move-QADObject -To scorpio.local/Disabled

Import the file and create new accounts

We can easily select accounts that satisfy a certain criterion and move them to another container

And much more

We have covered only a small part of the Active Directory management scenarios. For a complete list of cmdlets for AD, run the command:

Get-Command *-QAD*

To get help for any command:

Get-Help Get-QADUser

To find out what properties the object returned by a command has:

Get-QADUser | Get-Member

PowerShell's possibilities are almost endless, and easy to discover.

Conclusion

As we have seen, PowerShell is a great tool for managing Active Directory. Some of its capabilities (ADSI) are available in any PowerShell installation. Others (the provider and the cmdlets) require additional modules. All of them provide tremendous opportunities to automate the management of your corporate directory, which means reducing risks, getting rid of routine and increasing your efficiency at work.

The main thing is that these technologies are already available and can help you administer the systems entrusted to you today. In conclusion, let us quote Vasily Gusev, system administrator of EvrazFinance Management Company CJSC: "In our company, as elsewhere, Active Directory is one of the most used and critical services. PowerShell and AD Cmdlets have made many tasks easier to complete through the command line rather than through ADUC (Active Directory Users and Computers. - Ed.). Automating Active Directory has never been easier and more affordable."

Lesson 7. Administering Active Directory.

The Active Directory administration process consists of managing:

  • Active Directory domains;
  • the domain directory structure;
  • domain objects (users, contacts, computers, groups, printers, etc.);
  • Active Directory sites and networks;
  • data replication.

All these tasks are solved using three management consoles installed during the installation of Active Directory on a domain controller:

  • Active Directory Domains and Trusts
  • Active Directory Users and Computers
  • Active Directory Sites and Services

These consoles can be installed on other computers in the domain as part of the administrative utilities package.

Description of Active Directory objects.

All Active Directory management consoles use the same set of icons to display directory objects. Below are all the main Active Directory objects with their descriptions. This information will help you navigate Active Directory more easily.

Object: Description

Active Directory: Represents the entire Active Directory. It practically does not occur in management tools, except in search and object-selection windows.

Domain: Represents a Windows domain. Allows you to manage global domain parameters.

Container, folder: Represents a simple container object. Such objects can be created only by the operating system and are usually generated during Active Directory installation.

Organizational unit: Represents an organizational unit (OU). This container object is used to build a hierarchy of containers holding other objects.

User: Represents a user account. The object contains a large number of attributes describing the user.

Contact: Represents a user who is not a member of the domain. Contacts are used to store information about external users; they are not accounts and do not allow logging on to the domain.

Group: Represents a group of users and is typically used to simplify the management of permissions and privileges.

Computer: Represents a single computer on the local network. For computers running Windows NT, 2000 and later Windows versions, this is a computer account. The object contains basic information about the computer and allows you to manage it.

Domain controller: Represents an individual Windows domain controller. In the Active Directory Users and Computers snap-in, domain controllers are displayed with the same icons as regular computers; the dedicated icon is used for domain controllers in the Active Directory Sites and Services snap-in. Allows you to manage the parameters of the domain controller.

Printer: Represents a network printer. The object is a reference to a shared printer. Objects of this type can be added to the directory either manually or automatically. Manual addition is possible only for printers connected to computers running versions earlier than Windows 2000.

Shared resource: Represents a shared folder. The object is a link to a network share and does not contain any data.

Licensing options: Represents the global site licensing options. Allows you to centrally manage software licenses and their replication within a site.

Domain policy: Represents the domain policy object. Allows you to configure domain-level policy settings.

Domain controller policy: Represents the domain controller policy object. Allows you to configure policy settings for all domain controllers.

Group policy: Represents an arbitrary Group Policy object. Allows you to manage policy settings for objects of the container to which the

Site: Represents an individual Active Directory site. Allows you to manage its parameters. Contains links to domain controller objects, site links and site settings.

Connection: Represents a connection between domain controllers within a site. Allows you to manage the topology and replication settings between domain controllers within a site.

Site link: Represents a separate link between sites. Allows you to manage the topology and parameters of intersite replication.

Site parameters: Represents a site or domain controller configuration object in a site. Allows you to manage replication settings for the entire site or the settings for how a domain controller interacts with the site.

Subnet: Represents a separate subnet associated with a specific site. Allows you to specify the boundaries of an IP network.