308 Part III: Administering Windows Server 2008 Active Directory Figure 8-8 SCW domain controller services and firewall rules After configuring an SCW policy, you can apply the policy to the server where you configured the policy You can also apply that SCW policy to other computers with the same configuration by running use the Scwcmd tool to either directly apply the policy or to transform the policy into a Group Policy Object that can then be linked to the Domain Controllers OU For details on how to this, see Chapter 13 Caution Be careful when applying an SCW policy that was configured on one computer to other computers The SCW policy is specific to the computer where it was created, so if the other computers have a different configuration (for example, they are running other server roles or applications), the SCW policy may disable services or block firewall ports Ensure that all servers have the same configuration before applying the SCW policy Configuring the Default Domain Controllers Policy In addition to reducing the domain controller attack surface, you can also use Group Policy to increase the security of your domain controller deployment When you deploy a Windows Server 2008 domain, the following two default GPOs are created and applied to the domain and to the Domain Controllers OU: ■ Default Domain Policy, which is linked to the domain object and affects all users and computers in the domain (including computers that are domain controllers) through policy inheritance Chapter 8: ■ Active Directory Domain Services Security 309 Default Domain Controllers Policy, which is linked to the Domain Controllers OU This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU You can configure security policies using both the Default Domain Policy and the Default Domain Controller Policy By default, all polices defined at the domain level are inherited by OUs in the domain unless the policy inheritance is blocked or a policy linked to the OU contains settings that override the domain policies By applying domain controllers specific security settings in the Default Domain Controller Policy, or in another GPO linked to the Domain Controllers OU, you can apply security policy settings that are specific to domain controllers, but not to all users, groups, and computers in the domain Note This chapter is primarily concerned with domain controller security, so this chapter will focus on settings available in the Default Domain Controllers Policy For details on configuring the security settings in the Default Domain Policy, see Chapter 13 For details on configuring Group Policy, including configuring Group Policy links and inheritance, see Chapter 11, “Introduction to Group Policy.” Configuring Domain Controller Audit Policy Settings One of the key components in a domain controller security policy is auditing changes made on the domain controllers By auditing changes made on domain controllers, you can identify who is responsible for directory changes and when the changes were made Windows Server 2008 introduces some important changes to the auditing on domain controllers In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit Directory Service Access, that controlled whether auditing for directory service events was enabled or disabled In Windows Server 2008, this policy is divided into four subcategories: ■ Directory Service Access ■ Directory Service Changes ■ Directory Service Replication ■ Detailed Directory Service Replication Note These subcategories are not visible through Group Policy Management Editor To view and configure the subcategories, use the Auditpol.exe command-line tool To view the current directory service access audit settings, type Auditpol /get /category:“ds access” 310 Part III: Administering Windows Server 2008 Active Directory From a security auditing perspective, the most important new feature is the Directory Service Changes subcategory This new subcategory adds the following functionality: ■ When you change an attribute on an object, AD DS logs the previous and current values of the attribute If the attribute has more than one value, only the values that change as a result of the modify operation are logged ■ When you create a new object, values of the attributes that are populated at the time of creation are logged If the user adds attributes during the create operation, those new attribute values are logged In most cases, AD DS assigns default values to attributes (such as samAccountName) The values of such system attributes are not logged ■ If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain When an object is moved to a different domain, a create event is generated on the domain controller in the target domain ■ If an object is undeleted, the location where the object is moved to is logged In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged By default, the Audit directory service access audit category is not enabled in the Default Domain Controllers OU, but the Directory Service Access subcategory is enabled This audit policy logs when administrators access objects in AD DS, but the changes to those objects are not logged To enable the Directory Services Changes auditing, you can choose to enable the Audit directory service access option in the Default Domain Controllers Policy audit policy When you enable this option, all subcategories are also enabled To enable just the Directory Service Changes subcategory, you must use the Auditpol.exe command-line tool and run the following command: auditpol /set /subcategory:"directory service changes" /success:enable Windows Server 2008 also introduces subcategories under the other audit categories The categories, subcategories, and default settings for AD DS specific audit settings are listed in Table 8-3 To view these audit settings, type Auditpol /get /category:* at a command prompt Table 8-3 Configuring Domain Controller Audit Policy Settings Category Subcategory Default Setting Audit logon events Logon Success and Failure Audit logon events Logoff Success Account Lockout Success Audit logon events IPSec Main Mode, IPSec Extended Mode, IPSec Quick Mode No Auditing Audit logon events Special Logon Success Audit logon events Other Logon/Logoff events No Auditing Audit logon events Network Policy Server Success and Failure Chapter 8: Table 8-3 Active Directory Domain Services Security 311 Configuring Domain Controller Audit Policy Settings (continued) Category Subcategory Default Setting Audit policy change Audit Policy Change Success Audit policy change Authentication Policy Change Success Audit policy change Authorization Policy Change, MPSSVC Rule-Level No Auditing Policy Change, Filtering Platform Policy Change, Other Policy Change Events Audit account management User Account Management Success Audit account management Computer Account Management Success Audit account management Security Group Management Success Audit account management Distribution Group Management, Application Group Management, Other Account Management Events No Auditing Audit account logon events Kerberos Service Ticket Operations Success Audit account logon events Other Account Logon Events No Auditing Audit account logon events Kerberos Authentication Service Success Audit account logon events Credential Validation Success In most cases, if the goal of your audit policy is to audit administrator activity in AD DS, you should accept the default domain controller audit settings If you are using the audit policy for other purposes, such as intrusion detection, you may want to also audit the failure of events such as logon events or account management events By default, if you enable auditing for any of the categories, auditing will also be enabled for all subcategories Note Configuring the audit policy is only the first step in enabling AD DS auditing After configuring the audit policy, you must configure the System Access Control List (SACL) on each object to enable auditing To this, enable auditing for the domain or OU object in Active Directory Users and Computers Configuring Domain Controller Event Log Policy Settings When you configure the audit settings for domain controllers, you should also consider changing the event log settings on the domain controllers In particular, you should increase the maximum size of the security log to accommodate the increased number of audited events that might be generated Table 8-4 lists the changes that are recommended for the Event Log settings on the Default Domain Controller Policy 312 Part III: Administering Windows Server 2008 Active Directory Table 8-4 Recommended Domain Controller Event Log Policy Settings Policy Default Setting Recommended Setting Comments Maximum securi- Not defined; by dety log size fault, maximum log size is 128 MB 131,072 KB Increased to accommodate security auditing that is enabled in the default domain controller Audit Policy Prevent local guests group from accessing application log Not defined Enabled Prevents members of the builtin group Guests from reading the application log events Prevent local guests group from accessing security log Not defined Enabled Prevents members of the builtin group Guests from reading the security log events Prevent local guests group from accessing system log Not defined Enabled Prevents members of the builtin group Guests from reading the system log events Retain security log Not defined (No change) Specifies the number of days the events are retained if the retention method for this log is By Days Retain system log Not defined (No change) Retention meth- Not defined od for security log Overwrite events as needed Overwrites the security log when the maximum log size is reached to ensure that the log contains the most recent security events and to ensure that logging continues Retention meth- Not defined od for system log Overwrite events as needed Overwrites the system log when the maximum log size is reached to ensure that the log contains the most recent security events and to ensure that logging continues Security Alert To ensure that you retain the audit information, you must archive the system and security logs regularly, and before they fill up If you accept the recommended settings for the retention method, the oldest events will be overwritten when the log files fill up If you use a retention method of Do Not Overwrite Events, new events will not be written to the log file when it has reached its maximum size Chapter 8: Active Directory Domain Services Security 313 Configuring Domain Controller User Rights Assignment Policy Settings User rights define what types of administrative or operations tasks users can perform on domain controllers In order to ensure domain controller security, you should configure the user rights assignment to limit which users can log on to and perform administrative tasks on domain controllers Important Most of the default settings for the domain controller user rights and security options are configured for optimal security Although most of the settings are configured as Not Defined in the Default Domain Controller Policy, almost all of the settings have a default value which meets security requirements To review the default value, access the setting properties and click on the Explain tab Because the default settings are configured to be secure, you not necessarily need to enable or disable most of the settings However, if you modify any of these settings at the domain level, they will be inherited by domain controllers in the Domain Controllers OU Before making any changes to the security settings at the domain level, you should configure the security settings in the Default Domain Controllers Policy to match the default setting or block policy inheritance at the Domain Controllers OU Table 8-5 lists the default and recommended policy settings for domain controller user rights assignment policies Default and Recommended Domain Controller User Rights Assignment Policy Settings Table 8-5 Policy Default Setting Recommended Setting Allow log on locally Account Operators Administrators Administrators Backup Operators Backup Operators Server Operators Print Operators Printers should not be installed on domain controllers, so Print Operators should not need to log on to domain controllers Account Operators should have the administration tools installed on their workstations rather than logging on to domain controllers Server Operators Shut down the system Comments Administrators Administrators Backup Operators Backup Operators Print Operators Server Operators See above Server Operators Load and unload device drivers Administrators Print Operators Administrators If no printers are installed on the domain controller, Print Operators should not be allowed modify device driver settings 314 Part III: Administering Windows Server 2008 Active Directory Default and Recommended Domain Controller User Rights Assignment Policy Settings (continued) Table 8-5 Policy Manage auditing and security log Recommended Setting Default Setting Administrators Depends on company requirements Comments In some organizations, users other than administrators may need to access and manage the security logs Create a group for this specific purpose and assign this right to that group Configuring Domain Controller Security Options Policy Settings The Default Domain Controllers Policy includes a large number of security settings that affect a wide variety of domain controller, network, file system, and user logon security configuration settings Although some of these settings will only affect domain controllers, other settings can also affect network connectivity for client computers Important Like the user rights settings, most of the security settings are configured as Not Defined in the Default Domain Controller Policy However, almost all of the settings have a default value Table 8-6 lists the security setting categories available in the policy Table 8-6 Security Setting Categories Category Description Accounts Use these settings to enable, disable, or rename the Administrator and Guest accounts, or to restrict access to the local accounts with blank passwords Audit Use to configure global audit settings This category contains two settings that require some consideration: ■ ■ DCOM Force audit policy subcategory settings (Windows Vista or later) If you enable this option, you force all audit settings to be made at the subcategory level rather than have the subcategory inherit the category settings Shut down system immediately if unable to log security audits Enabling this option means that the domain controller will be shut down if a security audit cannot be logged In most cases, you should disable this setting to avoid domain controller shut downs Use to enable or disable users from launching DCOM applications remotely or locally Chapter 8: Table 8-6 Active Directory Domain Services Security 315 Security Setting Categories (continued) Category Description Devices Use to configure access to devices such as CD-ROMs or floppy disks or to restrict users from installing print drivers on print servers Domain controller Use to set restrictions on server operators scheduling tasks using the AT command, configure LDAP signing, and configure the domain controller to refuse password changes from member computers Domain member Use to configure network security settings and configure settings for setting computer passwords Interactive logon Use to set restrictions on the interactive logon process on the domain controllers Options include: ■ Clearing the last user logon name ■ Configuring logon messages when users log on to the domain ■ Configuring smart card requirements Microsoft network client Use to configure requirements for digitally signing network communications for client computers Microsoft network server Use to configure settings for digitally signing network communications and for disconnecting users when their logon hours expire Network access Use to configure a wide variety of network access settings including whether to allow anonymous enumeration of SAM accounts and configuring options for connecting to shares Recovery console Use to define who can access the recovery console, and if floppy drives and other drives are accessible from the recovery console Shutdown Use to configure if users can shutdown the computer without logging on and if the virtual memory pagefile should be cleared at shut down System cryptography Use to enforce security requirements for keys stored on computers, and for algorithms used to create secure keys System objects Use to set security requirements for Windows system objects System settings Use to configure additional subsystems, such as POSIX, and to enable certificate rules for software restriction policies User Account Control Use to configure how user account control settings will be applied to Windows Vista client computers More Info For details on all of the security settings available in Windows Server 2008, download the Group Policy Settings Reference Windows Vista spreadsheet located at http://www.microsoft.com/downloads/details.aspx?FamilyID=41dc179b-3328-4350-ade1c0d9289f09ef&displaylang=en 316 Part III: Administering Windows Server 2008 Active Directory Implementing SMB Signing Windows Server 2008 supports SMB signing as a means to ensure that all file share access on domain controllers is encrypted Computers in the same domain as the domain controller access file shares during the user logon process to access logon scripts and profiles in the Netlogon share Group Policy objects are accessed through the SYSVOL share For these reasons, all domain controllers should take advantage of SMB signing to improve security Table 8-7 describes the Security Options policy settings for SMB signing Table 8-7 Security Options Policy Settings for SMB Packet Signing SMB Setting Explanation Microsoft network client: Digitally sign communications (always) The domain controller requires SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations The domain controller refuses to communicate with other systems that not support SMB signing For enhanced security, enable this Group Policy setting Microsoft network client: Digitally sign communications (if server agrees) The domain controller negotiates SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations The domain controller requests SMB signing, but it will communicate with other systems that not support SMB signing Enable this option only if you have Windows 95 and earlier operating systems Microsoft network server: Digitally sign communications (always) The domain controller requires SMB signing when receiving SMB requests from other domain controllers, member servers, or workstations The domain controller refuses to communicate with other systems that not support SMB signing For enhanced security, enable this Group Policy setting This option is enabled by default in the Default Domain Controllers Policy Microsoft network server: Digitally sign communications (if client agrees) The domain controller negotiates SMB signing when receiving SMB requests with other domain controllers, member servers, or workstations The domain controller requests SMB signing, but it will communicate with other systems that not support SMB signing This option is enabled by default in the Default Domain Controllers Policy Note You can also enforce these options by applying an SCW policy to the domain controllers When you run the SCW, you have the option of configuring registry settings on the server to enforce SMB security Figure 8-9 shows the interface If you select both options, SMB signing will be enforced on the server Chapter 8: Figure 8-9 Active Directory Domain Services Security 317 Configuring SMB signing by using the SCW Configuring SYSKEY By default, the AD DS data store is encrypted when it is stored on the domain controller hard disk This provides a level of security if an attacker gains access to the physical hard disk on which the data store is located The data is encrypted by using the system key (SYSKEY) in Windows Server 2008 You can use the SYSKEY tool to provide an extra level of security when domain controllers start up SYSKEY gives you three options for configuring the startup key: ■ Store Startup Key Locally This option creates a machine-generated random key stored on the local system by using a complex encryption algorithm This is the default configuration of Syskey.exe, and it provides strong encryption of password information in the registry Because the System Key is stored on the local system, this method allows for unattended system restarts ■ Password Startup This option requires an administrator-chosen password to derive the System Key If you select this option, an administrator must enter System Key password during system startup ■ Store Startup Key on Floppy Disk This option creates a machine-generated random key that stored on a floppy disk The floppy disk with the System Key must be inserted into the floppy drive to start the domain controller Configuring SYSKEY to use a password or floppy disk to start may provide an additional level of security for domain controllers that are not physically secure However, this option also requires that an administrator who knows the password be present or that the floppy disk be Chapter 10: Managing Active Directory Objects 381 Figure 10-7 Searching for printers in Active Directory Figure 10-8 Configuring printer settings using the Group Policy Object Editor Some of the options that you can configure using Group Policy manage printer pruning The pruning service on a domain controller automatically deletes printer objects from Active Directory if the printer objects become obsolete For example, if a printer is removed from a print server, or if the printer is no longer shared on the server, printer pruning will remove the printer object By default, the pruning service on one of the Active Directory domain controllers tries to contact each print server every eight hours to confirm the validity of the printer information If the print server does not respond, the printer object is deleted from Active Directory Each time a print server running Windows 2000 or later restarts, it 382 Part III: Administering Windows Server 2008 Active Directory automatically republishes the shared printers on the server in Active Directory You can configure the printer pruning parameters by using the Group Policy Object Editor Table 10-8 describes Group Policy settings for managing printer objects Table 10-8 Printer Object Management GPO Settings GPO Setting Description Automatically publish new printers in Active Directory When this option is enabled, shared printers are automatically published in Active Directory Allow pruning of published printers When this option is enabled, printer objects in Active Directory are removed by the pruning service on a domain controller when the computer that published the printer does not respond to contact requests Prune printers that are not automatically republished This option applies only to printers that were not created automatically (published), such as those created with Pubprn.vbs or manually created by using Active Directory Users And Computers This can be configured for Never, Only if print server is found, or Whenever printer is not found Directory pruning interval Specifies how often the pruning service on a domain controller verifies that printers are operational This option is only relevant if pruning of printers is enabled The default pruning interval is eight hours Directory pruning priority Specifies the priority of the thread that performs directory pruning on domain controllers The default priority is normal Directory pruning retry Specifies how many additional attempts are made to contact a printer before it is pruned The default value is two retries Log directory pruning retry events When this option is enabled, attempts to contact printers by the pruning thread are recorded in the event log Allow printers to be published When this option is enabled, the option List in directory is available on the Sharing tab in a printer’s properties When this option is disabled, then the computer cannot publish printers This setting overrides Automatically publish new printers in Active Directory Check published state Specifies how often a computer verifies that its published printers are in Active Directory By default, printers are checked only at startup Chapter 10: Managing Active Directory Objects 383 Printer Location Tracking One of the most interesting options in Active Directory for managing printer objects is the option to automatically pre-populate the printer location setting for users when they browse for a printer Many companies with multiple locations have employees who travel between company locations Most companies have meeting rooms that are in different parts of the building Whenever users move from one part of the company to another, they usually need to be able to print, regardless of their location If users are unfamiliar with where the printers are in their current location, it can often take some time to find the closest printer You can simplify this search for printers by assigning each printer a location in Active Directory and then using the user’s location to present a list of printers that are close to the user This functionality is based on the site configuration in Active Directory To enable printer location tracking, perform the following steps: Open the Active Directory Sites And Services administrative tool and locate the subnet object where you will enable printer tracking Right-click the subnet object and select Properties Click the Location tab and enter the location value for this subnet The location entry should be in the location/sublocation format (for example, HeadOffice/ 3rdFloor) Use the Group Policy Object Editor to enable the Pre-Populate Printer Search Location Text policy for a selected container In most cases, you will this at the domain level On your print server, access the Properties sheet for each printer On the General tab, you can fill in the printer location If you have completed the first two steps of this procedure, you can click Browse to locate the printer location You can add more details to the printer location so that the printer location is more specific (for example, HeadOffice/3rdFloor/Outside Meeting Room 5) After you have enabled printer location tracking, users can easily locate the printer closest to them When the user starts the Add Printer Wizard and searches for a printer in Active Directory, the Location attribute is filled in based on the user’s current subnet Figure 10-9 shows the interface on a Windows Vista client The user can then click Browse for a more specific printer location 384 Part III: Administering Windows Server 2008 Active Directory Figure 10-9 Searching for printer objects in Active Directory using the Location attribute You can configure printer location tracking parameters by using the Group Policy Object Editor Table 10-9 describes Group Policy settings for managing printer location tracking Table 10-9 Printer Location Tracking GPO Settings GPO Setting Description Computer location Used to override the default location value used when searching for printers The default value is defined in the subnet object for the site in Active Directory Pre-populate printer search location text Configures the Add Printer Wizard to search for printers based on the location defined in the local Active Directory subnet object Users are also able to browse for printers by location By default, the Add Printer Wizard locates printers based on IP address and subnet mask of the client Managing Published Shared Folders Another object that you can publish to Active Directory is a shared folder object To publish a shared folder on Active Directory, locate the Active Directory container where you want to publish the shared folder Right-click the container, point to New, and click Shared Folder Then type a name for the Active Directory object as well as the UNC for the shared folder After you create the shared folder object in Active Directory, users can browse for the shared Chapter 10: Managing Active Directory Objects 385 folder or search Active Directory for the object After the users locate the object in Active Directory, they can right-click on the object and map a drive to the shared folder The primary advantage of publishing a shared folder to Active Directory is so that users can search for shares in Active Directory based on a variety of properties When you create a shared folder object, you can provide a description for the shared folder Figure 10-10 shows the interface After creating the shared folder, you can open its Properties sheet to provide keywords associated with the shared folder When clients need to locate the shared folder, they can search Active Directory using an argument based on the object name, keywords, or description Figure 10-10 Publishing a shared folder in Active Directory The most significant limitation with publishing shared folders in Active Directory is that if you ever move the shared folder to another server, any client with a drive permanently mapped to that shared folder will find that the mapping no longer works This is because when you map a drive to a shared folder in Active Directory, the drive mapping on the client is still based on the UNC path to the share For example, you may create and publish a shared folder called SalesInfo that points to \\SEA-SRV1\SalesInfo When a user browses to that shared folder in Active Directory and maps a drive, the drive mapping uses the \\SEASRV1\SalesInfo syntax If you ever move the folder to another server, the drive mapping will fail even if you change the Active Directory object to point to the new location This limitation of publishing shared folders can be overcome if you use Distributed File System (DFS) DFS can provide a namespace (UNC path) that is fault tolerant and allows data to be moved from server to server without clients losing connectivity 386 Part III: Administering Windows Server 2008 Active Directory Automating Active Directory Object Management Windows Server 2008 includes graphical utilities, such as Active Directory Users And Computers, for managing Active Directory objects Graphical utilities make it easy to create and edit Active Directory objects by providing wizards and structure for object creation For example, when creating a new user object by using Active Directory Users And Computers, the wizard asks you for all the necessary information such as full first name, last name, and user logon name This avoids the need for you to remember details such as the property names Graphical utilities have limited support for making bulk changes to Active Directory objects For example, you can modify only a few user properties when multiple users are selected in Active Directory Users And Computers As well, graphical utilities typically not have the ability to automate management of Active Directory objects For example, an application cannot use Active Directory Users And Computers to create new user objects To make bulk changes to Active Directory objects and automate management of Active Directory objects, you must use tools that are designed for that purpose The tools included in Windows Server 2008 include command-line tools, LDIFDE, CSVDE, VBScript support, and Windows PowerShell Command-Line Tools for Active Directory Management The Windows Support tools for Windows 2000 Server and Windows Server 2003 included a number of command-line tools for managing Active Directory objects In Windows Server 2008, these tools are installed when the AD DS role is added rather than as a separate downloadable component Command-line tools for managing Active Directory are most useful in batch files A batch file is a text file with the BAT file extension (.bat) Each line in the batch file is a command The contents of the batch file are interpreted by Cmd.exe Consequently, you can use any command in a batch file that you could at a command prompt Batch files also offer the ability to more complex processing such as displaying menus You can use batch files to automate processes that are performed on many objects at a time For example, you could create a batch file that modifies the address information for all users in an OU when the department changes locations You can also automate tasks that need to be performed on a regular basis by running the batch file as a scheduled task Table 10-10 lists the command line tools available for managing Active Directory objects in Windows Server 2008 Chapter 10: Table 10-10 Managing Active Directory Objects 387 Command-Line Tools for Active Directory Management Tool Description Dsadd Used to add objects to Active Directory You can add computer objects, contacts, groups, OUs, and users You can also add a quota specification to an Active Directory partition A quota specification limits the number of objects a security principal, such as a user, can own in the partition Dsmod Used to modify objects in Active Directory You can modify computer objects, contacts, groups, OUs, users, and quota specifications You can also modify the properties of a domain controller or Active Directory partition You can pipe output from the Dsquery command as input to this command Dsmove Used to move and rename objects in Active Directory This utility can only move objects within a domain Dsrm Used to remove objects from Active Directory In addition to removing individual objects, you can remove a container and its contents Dsquery Used to find objects in Active Directory with specific properties For commonly used object types, there are options you can use at a command line for certain properties Dsquery can also be used to perform LDAP queries, which allow you to find any object type and any object attribute The results of a Dsquery command can be piped to other commands, such as Dsmod, Dsget, Dsmove, and Dsrm Dsget Used to view the properties of an object in Active Directory By default, the properties are displayed on screen, but they can be redirected to a file for further evaluation Note Use the /? option with each command-line tool to view additional information about how to use each tool and the syntax for each tool Using LDIFDE and CSVDE Windows Server 2008 includes LDIFDE and CSVDE to perform bulk imports and exports of information from Active Directory Each tool reads information from a data file and then creates or modifies Active Directory objects as dictated by the data file The main difference between the two tools is the format of the data CSVDE uses data in a comma-separated values (CSV) file, whereas LDIFDE uses data in LDAP directory interchange format (LDIF) The tool you select to use will be based on the format of your data For example, if an organization has a human resources application that exports data about new hires in LDIF format, then LDIFDE should be used However, if a school has a list of new students in a Microsoft Office Excel spreadsheet that can be easily saved as a CSV file, then CSVDE should be used to create the new students 388 Part III: Administering Windows Server 2008 Active Directory LDIFDE LDIF is a proposed standard data format as defined in RFC 2849 It is commonly used for importing and exporting data from directories, including Active Directory and other Lightweight Directory Access Protocol (LDAP) directories The data in an LDIF file contains multiple entries separated by a blank line Each entry has multiple lines with specific information Dn is used to specify the object being modified Changetype is used to specify the action being taken Valid values for changetype are add, modify, and delete A “-” is used to separate multiple attributes for a single object and is also required at the end of each entry when the changetype is set to modify The following LDIF file modifies two attributes of the Paul West user object: dn: CN=Paul West,OU=Accounting,DC=Adatum,DC=com changetype: modify replace: physicalDeliveryOfficeName physicalDeliveryOfficeName: 315 replace: title title: HR Manager - LDIFDE can be useful in a number of scenarios: ■ Bulk modification of user accounts To this, export the selected user accounts to an LDIF file, modify the LDIF as necessary for importing, and then import the LDIF file Modification of the LDIF file after export requires more than a simple search and replace of the attribute value you want to modify The changetype value is set to add during an export, and this must be modified to change after the export is complete and before the import is performed The attribute values must also be modified to the format necessary for import ■ Moving user accounts to a new domain ■ In addition to the dn and changetype lines, the minimum attributes that must be provided when creating a new user are cn=displayname and objectClass=user The samAccountName=logonname attribute should also be included, but will be randomly generated if not included Newly created users are disabled You can also set a password for new users with the unicodePwd attribute if your connection to the server is encrypted by using SSL User accounts in one domain can be exported to an LDIF file and then imported into a new domain The users will not maintain existing security identifiers (SIDs) However, users can be added to appropriate groups as part of the import process Bulk creation of new users You should limit the export of user information to only those objects and attributes you want to modify For example, if the accounting department has moved to a new location, export only user objects in the Accounting OU and only the address attributes that are being modified As part of the export process, you can define a filter that lets you limit the Active Chapter 10: Managing Active Directory Objects 389 Directory objects that are exported to certain objects classes and objects with specific attribute values You can also specify a RootDN that defines which OU the LDAP query applies to Only objects within the RootDN will be returned A scope defines how many levels within the RootDN are searched More Info For more information about using LDIFDE to perform bulk operations, see the “Step-by-Step Guide to Bulk Import and Export to Active Directory” on the Technet Web site at http://technet.microsoft.com/en-us/library/Bb727091.aspx CSVDE CSVDE is useful in cases in which data is not readily available in LDIF format Many applications are able to export data as a CSV file, but not as an LDIF file Each line in the CSV file used by CSVDE is an individual entry that will be processed by CSVDE This line is a list of the attribute values to be added or modified No action is defined in the file, since unlike LDIFDE, CSVDE always creates a new object for each line in the CSV file The first line in the CSV file is a header that defines which attribute corresponds with each value in the lines below When using CSVDE to export data, the same options for filtering data exist as for LDIFDE You can filter output based on object class and attributes You can perform an export without any filtering of attributes to create a CSV file that shows you the proper names for all of the attributes in the header of the CSV file CSVDE will export only attributes that have a value in at least one object More Info For more information about CSVDE syntax and options, see “CSVDE” on the Technet Web site at http://technet2.microsoft.com/windowsserver/en/library/1050686f-346441af-b7e4-016ab0c4db261033.mspx?mfr=true or use the /? option to view CSVDE help Using VBScript to Manage Active Directory Objects Batch files are a simple implementation of scripting that can be used in Windows Server 2008 However, if you create scripts using a scripting language such as VBScript, then you can perform much more complex tasks Some benefits of using scripting to manage Active Directory objects are: ■ Running a script is typically faster than performing the same task in a graphical tool ■ Scripts are reusable The initial development of a script takes longer than a graphical tool, but after the script is completed, it can be reused many times with slight modifications to suit new circumstances ■ Scripts can reduce or eliminate human error By reusing a single tested script, you can avoid errors that may be introduced when repetitive processes are performed manually Scripts can also validate information that is entered 390 Part III: Administering Windows Server 2008 Active Directory ■ Scripts can manipulate all available object attributes Graphical tools allow you to modify only certain object attributes A script has no such limitations ■ Scripts can be scheduled Scheduling a script to run is useful for performing routine maintenance For example, you can move all disabled user accounts to a specific OU each week Active Directory Scripting Components Scripting in Windows Server 2008 is supported by Windows Script Host (WSH) There are two run-time environments for WSH: Wscript.exe is a Windows-based run time for graphical applications and Cscript.exe is a command-line based run time that writes output to a command prompt Wscript.exe is the default run time used when you double-click a script Windows Script Host supports using both VBScript and JScript as scripting languages In most cases, those with less scripting experience prefer to use VBScript Most scripting examples available on the Microsoft Web site also use VBScript VBScripts typically end in the vbs file extension However, the vbe file extension is also used for VBScripts Files with the wsf file extension are a generic Windows Script Host file that can contain a combination of VBScript and JScript A scripting interface is an abstract layer that allows you to access information from a data source Active Directory Service Interfaces (ADSI) is the most commonly used scripting interface to access Active Directory objects By using ADSI, you can create, modify, and delete Active Directory objects ActiveX Data Objects (ADO) can also be used to access Active Directory objects However, ADO can only be used to query Active Directory objects, not modify them When performing a query, the primary difference between ADSI and ADO is that the result set from an ADO query is flat A list of users is returned as a single list rather than hierarchically organized by domain or OU Windows Management Instrumentation (WMI) is a scripting interface that is the Microsoft implementation of Web-Based Enterprise Management (WBEM) initiative, which is a standardized way to manage network and computer resources In addition to manipulating Active Directory objects, WMI enables you to query, change, and monitor configuration settings on desktop and server systems, applications, networks, and other enterprise components Creating and Running a VBScript When you create a VBScript, only a simple text editor such as Notepad is required The only requirement is to save the script with the vbs or vbe file extension However, there are script editors that can simplify the process of creating a script A script editor is able to verify syntax in the script so that you can correct errors during the writing process instead of having to address errors only after you run the script Script editors also typically provide code completion and syntax coloring Chapter 10: Managing Active Directory Objects 391 Binding to an Object The first step for manipulating an Active Directory object in a VBScript is binding to an Active Directory object “Binding to an object” is another way of saying connecting to an object If you are creating a new object, you bind to the container the object will be created in If you are modifying an existing object, you bind to the object you are modifying When you bind to an object, it is stored in a local cache on the computer where the script is running VBScript is an object-based scripting language This allows you to work with objects in Active Directory as a single unit and perform actions on an entire object as well as on object properties When you bind to an Active Directory object, that object is placed into a variable that represents the object You then manipulate the variable rather than the object The following code is an example of binding to an Active Directory OU The variable acctOU is set as an in-memory instance of the Accounting OU Notice that the Accounting OU is defined by an LDAP path: Set acctOU = GetObject("LDAP://OU=Accounting,dc=adatum,dc=com") Creating an Object Creating a new object requires that a new variable be created with the information about the new object The new object is created by using the Create method on the variable for the container Methods are actions that an object can perform Table 10-11 lists some commonly used methods available for Active Directory objects through the ADSI interface Table 10-11 VBScript Methods for Managing Active Directory Objects Method Description Create Used to create new objects Get Used to retrieve the value of an object attribute GetEx Used to retrieve values as an array Typically used for multivalued attributes Put Used to place a new value in an object attribute PutEx Use to place a new value in an object attribute with advanced options This method allows you to manage the values of a multivalued attribute SetInfo Used to save the changes to a new or modified object The following code is an example of creating a new user in the Accounting OU The variable newUser is set equal to the new user object Paul West Then the sAMAccountName attribute of the newUser variable is set to be Paul: Set newUser = acctOU.create("User","cn=Paul West") newUser.Put "sAMAccountName","Paul" When you create a new object, you must define all of the mandatory attributes for that object class In this case, defining cn and sAMAccountName are sufficient to create a new user object Other necessary attributes such as the SID are generated automatically by the system 392 Part III: Administering Windows Server 2008 Active Directory Saving Changes When you manipulate objects by using a script, the changes are made only to the locally cached version of that object These changes must be saved to Active Directory by using the following code: newUser.SetInfo The SetInfo method saves changes only for a single object If you have modified multiple objects in your script, then you must use the SetInfo method for each object In some cases, you must use SetInfo for one object before modifying another For example, you use SetInfo for a newly created user before you can add that user to a group, because the user does not exist in the directory and therefore cannot be referenced by the group until SetInfo is used to create the user in Active Directory Modifying an Existing Object The following code demonstrates how to modify the properties of a user account The variable modUser is set equal to the Paul West user object and then the givenName, sn, and displayName attributes of the objects are modified Finally, the modifications in cache are saved to Active Directory Set modUser = GetObject("LDAP://cn=Paul West,OU=Accounting,DC=Adatum,DC=com") modUser.Put "givenName","Paul" modUser.Put "sn","West" modUser.Put "displayName","Paul West" modUser.SetInfo More Info For more information about using VBScript to manage Active Directory objects, visit the Getting Started page of the TechNet Script Center at http://www.microsoft.com/ technet/scriptcenter/hubs/start.mspx For more examples of VBScripts that can be used to manage Active Directory objects, visit the Active Directory page of the Script Repository at http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true Using Windows PowerShell to Manage Active Directory Objects Windows PowerShell is a new scripting and command-line environment included in Windows Server 2008 that you can use for administering Windows systems You must install Windows PowerShell as a feature; it is not installed by default Windows PowerShell can also be downloaded for Windows XP SP2, Windows Vista, and Windows Server 2003 The Windows PowerShell commands can be used directly from a command prompt or in a script The command shell PowerShell.exe provides the environment for running Windows PowerShell commands in the same way that Cmd.exe provides the environment for running traditional command-line utilities Windows PowerShell scripts are text files with Windows PowerShell commands in the same way that batch files are text files with commands that can be run from a command line Windows PowerShell scripts have the ps1 file extension Chapter 10: Managing Active Directory Objects 393 Some Microsoft Management Console (MMC) snap-ins use Windows PowerShell to perform tasks For example, the Exchange Management Console for managing Microsoft Exchange Server 2007 requires Windows PowerShell More Info For more information about Windows PowerShell, visit the Windows PowerShell page on the Microsoft Web site at http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx Cmdlet Syntax A cmdlet is a command used in Windows PowerShell Each cmdlet is composed of a verb-noun pair separated by a dash The verb describes the action to be taken and the noun describes what the action is to be taken on Some of the common verbs used in cmdlets are Get, Set, New, and Remove In most cases, additional parameters are added to the cmdlet to provide additional information The parameters are preceded by a dash The following example shows the syntax for using a cmdlet: Verb-noun –parametername parametervalue –parametername The following example shows a command that uses the Get-Help cmdlet to display help information for the Get-Service cmdlet The -Name parameter is used to indicate the name of the cmdlet that information is desired for The -Detailed parameter is used to indicate that a detailed listing of information is desired rather than a summary: Get-Help –Name Get-Service -Detailed Accessing Active Directory Objects Windows PowerShell does not include any cmdlets that are specific to managing Active Directory objects However, there are two interfaces that can be used to access Active Directory objects for manipulation System.DirectoryServices.DirectoryEntry is a class object in the Microsoft Net Framework that can be used to access all possible Active Directory functions from within Windows PowerShell [ADSI] is a type accelerator to System.DirectoryServices.DirectoryEntry that simplifies access to Active Directory The use of [ADSI] is similar to how Active Directory objects are accessed and modified by using VBScript Both of these methods can be used in combination For example, you can connect to an object by using [ADSI] and then use DirectoryEntry commands to manipulate it The remainder of this section will use [ADSI] because it is simpler to use and understand More Info For more information about using the DirectoryEntry object and how it compares to [ADSI], see “Benp’s Basic Guide to Managing Active Directory Objects with PowerShell” on the Technet Blogs Web site at http://blogs.technet.com/benp/archive/2007/03/ 05/benp-s-basic-guide-to-managing-active-directory-objects-with-powershell.aspx 394 Part III: Administering Windows Server 2008 Active Directory The process for accessing Active Directory objects in Windows PowerShell is approximately the same as when using VBScript, but with slightly different syntax First, you must bind the selected Active Directory objects, make the changes you desire, and then commit the changes The most common methods used by [ADSI] are Create(), Get() Put(), Delete(), and SetInfo() The following example creates a new user in the Accounting OU The variable $acctOU is used to create a binding with the Accounting OU The $newUser variable is used to create the new user Paul West Notice that the SetInfo method must be used to commit the new user before the sAMAccoutName attribute is defined and committed This is different than the process used in the VBScript example $acctOU = [ADSI] 'LDAP://OU=Accounting,DC=Adatum,DC=com' $newUser = $acctOU.create('User','CN=Paul West') $newUser.setinfo() $newUser.sAMAccountName = 'Paul' $newUser.setinfo() Using CSV Files You can use the Import-Csv cmdlet to load data from CSV file into a variable The most likely scenario for using this is the bulk creation of objects in Active Directory The CSV file must have a header row that describes each column of data, but unlike a data file for the CSVDE utility, the header row descriptions not need to match the name of the object attributes exactly The header row descriptions are used only to reference the data that is imported For example, the header row could use the description LoginName for the data that is eventually used as the sAMAccountName attribute If you not want to use all data in a CSV file, you can filter the data by using the WhereObject cmdlet This cmdlet allows you to specify a filter based on the data in the CSV file The following example filters the contents of Users.csv to use only rows where the department is Accounting More complex queries can be created by adding additional criteria to the filter After the specified rows are stored in the $users variable, then the data can be used to create new users or further manipulated $users = Import-Csv C:\Users.csv | Where-Object {$_.department –eq "Accounting"} Exchange Management Shell Commands The Exchange Management Shell is an extension to Windows PowerShell that is included with Microsoft Exchange Server 2007 It includes some cmdlets that can be used to manage Active Directory users and groups Some of the cmdlets for managing Active Directory objects are listed in Table 10-12 There are additional cmdlets that are specific to mailbox-enabled users, mail-enabled users, mail-enabled contacts, and distribution groups For example, the New-Mailbox cmdlet can be used to create new users with an Exchange mailbox Chapter 10: Table 10-12 Managing Active Directory Objects 395 Exchange Management Shell Cmdlets Cmdlet Description Get-User Retrieves a list of users matching specified criteria Several parameters are included for filtering users based on organizational unit, company name, or department There is also a generic filter parameter that allows you to use a wide variety of other user attributes as filters Set-User Modifies characteristics of the specified user Lists of users retrieved by the Get-User cmdlet can be piped to this cmdlet Get-Group Retrieves a list of groups matching specified criteria Set-Group Modifies a limited number of characteristics for the specified group Get-Contact Retrieves a list of contacts matching specified criteria Set-Contact Modifies characteristics of the specified contacts Lists of contacts retrieved by the Get-Contact cmdlet can be piped to this cmdlet Summary This chapter provided an overview of the most common Windows Server 2008 Active Directory objects and procedures for administering Active Directory objects A great deal of your administrative effort will be spent administering these objects In particular, you will be administering group and user accounts as employees join and leave your company, or as you create new groups to secure network resources Determining an effective strategy for group types and scopes is essential You will also spend your time administering objects such as computer objects, printer objects, or shared folder objects Windows Server 2008 provides many opportunities to automate the management of Active Directory objects These include command-line tools, CSVDE, and LDIFDE For more advanced tasks, you can use either VBScript or Windows PowerShell Best Practices ■ Use Ldp.exe and Adsiedit.msc to modify object attributes that are not visible standard administrative tools such as Active Directory Users And Computers Use caution when directly editing objects ■ Use UPNs to simplify logon in multidomain environments Users can log on at any computer without selecting the appropriate domain in the logon box ■ When selecting a service account, use the account with the least permissions possible The LOCAL SERVICE account has the least permissions The NETWORK SERVICE can access network resources as the local computer account SYSTEM has full access to the local computer and can access network resources as the local computer account ... technet2 .microsoft. com/windowsserver/en/library/74d5869 7-9 70a-45db-9139ebcd3db 051 181033.mspx?mfr=true ■ “Troubleshooting Kerberos,” available at http://technet2 .microsoft. com/windowsserver/ en/library/26ce2e7f -5 2 d 6-4 42 5- 8 8cc- 157 3bc5e646d1033.mspx?mfr=true... http://www .microsoft. com/downloads/details.aspx?FamilyID=41dc179b-332 8-4 350 -ade1c0d9289f09ef&displaylang=en 316 Part III: Administering Windows Server 2008 Active Directory Implementing SMB Signing Windows. .. http://technet2 .microsoft. com/ windowsserver/en/library/74d5869 7-9 70a-45db-9139-ebcd3db 051 181033.mspx?mfr=true ■ “Authorization and Access Control Technologies,” available at http:// technet2 .microsoft. com/windowsserver/en/library/74d5869 7-9 70a-45db-9139ebcd3db 051 181033.mspx?mfr=true