
Module 2

Administering Active Directory Securely and Efficiently

Module Overview
Work with Active Directory Administration Tools
Custom Consoles and Least Privilege
Find Objects in Active Directory
Use Windows PowerShell to Administer Active Directory

Lesson 1: Work with Active Directory Administration Tools


Active Directory Administration Snap-Ins
What Is the Active Directory Administrative Center?
Find Active Directory Administration Tools
Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools

Active Directory Administration Snap-Ins


Active Directory Users and Computers

Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders

Active Directory Sites and Services

Manage replication, network topology, and related services

Active Directory Domains and Trusts

Configure and maintain trust relationships and the domain and forest functional level

Active Directory Schema

Administer the Schema

What Is the Active Directory Administrative Center?


Task-oriented tool based upon Windows PowerShell

Find Active Directory Administration Tools


Active Directory snap-ins are installed on a domain controller
  Server Manager: Users and Computers, Sites and Services
  Administrative Tools folder

Install the RSAT on a member client or server
  Windows Server 2008
    Server Manager > Features > Add Feature > Remote Server Administration Tools
  Windows Vista SP1, Windows 7
    Download RSAT from www.microsoft.com/downloads
    Double-click the file, then follow the instructions in the Setup Wizard
    Control Panel > Programs And Features > Turn Windows Features On Or Off > Remote Server Administration Tools

Demonstration: Perform Administrative Tasks by Using Active Directory Administration Tools


In this demonstration, you will see:
How to perform administrative tasks by using Active Directory Users and Computers
How to perform administrative tasks by using Active Directory Administrative Center

Lesson 2: Custom Consoles and Least Privilege


Demonstration: Create a Custom MMC Console for Administering Active Directory
Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Demonstration: Secure Administration with User Account Control and Run As Administrator

Demonstration: Create a Custom MMC Console for Administering Active Directory


In this demonstration, you will see:
How to create a custom MMC console with multiple snap-ins
How to register the Active Directory Schema snap-in
Where to save a custom console

Secure Administration with Least Privilege, Run As Administrator, and User Account Control
Maintain at least two accounts
  A standard user account
  An account with administrative privileges

Log on to your computer as a standard user
  Do not log on to your computer with administrative credentials

Start administrative consoles with Run As Administrator
  1. Right-click the console and click Run As Administrator
  2. Click Use another account
  3. Enter the user name and password for your administrative account

Demonstration: Secure Administration with User Account Control and Run As Administrator
In this demonstration, you will see:
How to run a custom console as an administrator

Why it is important to save a custom console to a shared location

Lab A: Administer Active Directory by Using Administrative Tools


Exercise 1: Perform Basic Administrative Tasks by Using Administrative Tools
Exercise 2: Create a Custom Active Directory Administrative Console
Exercise 3: Perform Administrative Tasks with Least Privilege, Run As Administrator, and User Account Control

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 30 minutes

Lab Scenario
In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with nonprivileged credentials.

Lab Review
Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?

Lesson 3: Find Objects in Active Directory


Scenarios for Finding Objects in Active Directory
Demonstration: Use the Select Users, Contacts, Computers, or Groups Dialog Box
Options for Locating Objects in Active Directory Users and Computers
Demonstration: Control the View of Objects in Active Directory Users and Computers
Demonstration: Use the Find Command
Determine Where an Object Is Located
Demonstration: Use Saved Queries
Demonstration: Find Objects by Using Active Directory Administrative Center

Scenarios for Finding Objects in Active Directory


When you assign permissions to a folder or file

Select the group or user to which permissions are assigned

When you add members to a group

Select the user or group that will be added as a member

When you configure a linked attribute such as Managed By

Select the user or group that will be displayed on the Managed By tab

When you need to administer a user, group, or computer

Perform a search to locate the object in Active Directory, instead of browsing for the object

Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box
In this demonstration, you will see:
How to select users with the Select dialog box

Options for Locating Objects

Sorting: Use column headings to find the objects based on the columns

Searching: Provide the criteria for which you want to search

Demonstration: Control the View of Objects in Active Directory Administrative Tools


In this demonstration, you will see:
How to add or remove columns in the details pane

How to sort objects based on columns in the details pane

Demonstration: Use the Find Command


In this demonstration, you will see:
How to search for objects in Active Directory by using the Find command

Determine Where an Object is Located


1. Ensure that Advanced Features is enabled
2. Find the object
3. Open its Properties dialog box
4. Click the Object tab
5. View the Canonical name of object

or

In the Find dialog box, click View, click Choose Columns, and then add the Published At column

Demonstration: Use Saved Queries


In this demonstration, you will see:
How to create a saved query

How to distribute a saved query


Why saved queries are an efficient and effective tool for administration

Demonstration: Find Objects by Using Active Directory Administrative Center


In this demonstration, you will see:
How to find objects by using the Active Directory Administrative Center
How to save queries by using the Active Directory Administrative Center

Lab B: Find Objects in Active Directory


Exercise 1: Find Objects in Active Directory
Exercise 2: Use Saved Queries

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 15 minutes

Lab Scenario
Contoso now spans five geographic sites around the world, with over 1,000 employees. As your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.

Lab Review
In your work, what scenarios require you to search Active Directory?
What types of saved queries could you create to help you perform your administrative tasks more efficiently?

Lesson 4: Use Windows PowerShell to Administer Active Directory


What Is Windows PowerShell?
Installation Requirements for Windows PowerShell 2.0
Overview of the Windows PowerShell Syntax
Windows PowerShell Cmdlets for Active Directory
Demonstration: Manage Users and Groups by Using PowerShell

What Is Windows PowerShell?


Windows PowerShell is not a scripting language

At least, it is not only a scripting language

PowerShell is an engine designed to run commands that perform administrative tasks, for example:
  Creating user accounts
  Configuring services
  Deleting mailboxes

PowerShell provides a foundation that Microsoft GUI-based administrative tools can build upon
  Actions can be accomplished in the command-line console
  Actions can also be invoked within GUIs by running PowerShell commands in the background

Installation Requirements for Windows PowerShell 2.0


Windows PowerShell is pre-installed by default in Windows Server 2008 R2 and Windows 7
Windows PowerShell is a web download for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 with Service Pack 1
Windows PowerShell requires Microsoft .NET Framework 2.0
Active Directory Module for Windows PowerShell is included with Windows Server 2008 R2
Active Directory Module for Windows PowerShell is installed with AD DS or AD LDS

Overview of the Windows PowerShell Syntax


All Windows PowerShell cmdlets use the same syntax

Verb   Noun     Parameters   Example
Get    ADUser   <string>     Get-ADUser Don
Set    ADUser                Set-ADUser Don -Department Marketing
Get    ADUser   -Filter      Get-ADUser -Filter 'Name -like "*"'

Cmdlets can be pipelined to other cmdlets:
Get-ADUser Don | Set-ADUser -Department Marketing

Windows PowerShell Cmdlets for Active Directory


PowerShell provides cmdlets to assist in the following:

User, Computer, and Group Management

Organizational Unit Management


Password Policy Management

Search and Modify Objects

Forest and Domain Management

Domain Controller and Operations Master Management

Managed Service Account Management

Demonstration: Manage Users and Groups by Using Windows PowerShell


In this demonstration, you will see how to:
Create a new OU
Create a new user
Move a user to a new OU
View group membership
Add members to a group
Set the password on a new user and enable the user account
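
Added example, not part of the original course material: the six demonstration steps written with Active Directory module cmdlets, run from a standard-user session with the administrative credential passed to each call. The domain DN DC=contoso,DC=com and the OU, user and group names are constructed for illustration, and the group is assumed to exist already.

```powershell
# Added example: constructed names throughout (domain DN, OU, user, group).
# Assumes the group 'Sales Team' already exists and the AD module is installed.
Import-Module ActiveDirectory

$domainDN = 'DC=contoso,DC=com'   # assumed DN for the Contoso lab domain
$ouName   = 'Sales Staff'         # hypothetical OU
$sam      = 'Kim.Example'         # hypothetical user
$group    = 'Sales Team'          # hypothetical, pre-existing group

# Stay logged on as a standard user; prompt once for the administrative account
# and pass it to each cmdlet instead of running the whole session elevated.
$admin = Get-Credential

# 1. Create a new OU
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -Credential $admin

# 2. Create a new user. No password is supplied, so the account starts disabled.
New-ADUser -Name 'Kim Example' -SamAccountName $sam -Credential $admin

# 3. Move the user to the new OU
Get-ADUser -Identity $sam -Credential $admin |
    Move-ADObject -TargetPath "OU=$ouName,$domainDN" -Credential $admin

# 4. View group membership: groups the user belongs to, then members of the group
Get-ADPrincipalGroupMembership -Identity $sam -Credential $admin | Select-Object Name
Get-ADGroupMember -Identity $group -Credential $admin | Select-Object Name, objectClass

# 5. Add members to a group
Add-ADGroupMember -Identity $group -Members $sam -Credential $admin

# 6. Set the password and enable the account. The password is read as a
#    SecureString so it never appears in the script or the command history.
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $pw -Credential $admin
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -Credential $admin
Enable-ADAccount -Identity $sam -Credential $admin

# Confirm the result: location, enabled state and group membership
Get-ADUser -Identity $sam -Properties MemberOf -Credential $admin |
    Select-Object DistinguishedName, Enabled, MemberOf
```
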

Lab C: Use Windows PowerShell to Administer Active Directory


Exercise: Use PowerShell Commands to Administer Active Directory

Logon information
Virtual machine: 6425C-NYC-DC1
Administrative user name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 15 minutes

Lab Scenario
Contoso is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.

Lab Review
Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
How can you see a list of all attributes that are available for an Active Directory object?

Module Review and Takeaways


Review Questions
Tools

Windows Server 2008 R2 Features Introduced in this Module
