Active Directory

Active Directory stores all information and settings for deployment in a central
database. It allows administrators to assign policies, as well as deploy and update software.
Active Directory networks can vary from a small installation with a few computers, users, and
printers, to tens of thousands of users, many different network domains, and large server farms
spanning many geographical locations.

AD Manager Plus is an easy-to-use Windows Active Directory management and

reporting solution that helps AD administrators and help desk technicians with their day-to-day
activities. With a centralized and intuitive web-based UI, AD Manager Plus handles a variety of
complex tasks like bulk management of user accounts and other AD objects, delegating role-
based access to help desk technicians, and generating an exhaustive list of AD reports, some of
which are an essential requirement for satisfying compliance audits.

Active Directory (AD) is a Microsoft product that consists of several services that run on
Windows Server to manage permissions and access to networked resources.

Active Directory stores data as objects. An object is a single element, such as a user, group,
application or device, such as a printer. Objects are normally defined as either resources -- such
as printers or computers -- or security principals -- such as users or groups.

Active Directory categorizes objects by name and attributes. For example, the name of a user
might include the name string, along with information associated with the user, such as
passwords and Secure Shell (SSH) keys.

Active Directory (AD) is a Windows OS directory service that facilitates working with
interconnected, complex and different network resources in a unified manner.

Active Directory was initially released with Windows 2000 Server and revised with
additional features in Windows Server 2008. Active Directory provides a common interface for
organizing and maintaining information related to resources connected to a variety of network
directories. The directories may be systems-based (like Windows OS), application-specific or
network resources, like printers. Active Directory serves as a single data store for quick data
access to all users and controls access for users based on the directory's security policy.

Active Directory provides the following network services:

 Lightweight Directory Access Protocol (LDAP) – An open standard used to access other
directory services
  Security service using the principles of Secure Sockets Layer (SSL) and Kerberos-based
authentication
 Hierarchical and internal storage of organizational data in a centralized location for
faster access and better network administration
 Data availability in multiple servers with concurrent updates to provide better scalability

Active Directory is internally structured with a hierarchical framework. Each node in the
tree-like structure is referred to as an object and associated with a network resource, such as a
user or service. Like the database topic schema concept, the Active Directory schema is used to
specify attribute and type for a defined Active Directory object, which facilitates searching for
connected network resources based on assigned attributes. For example, if a user needs to use
a printer with color printing capability, the object attribute may be set with a suitable keyword,
so that it is easier to search the entire network and identify the object's location based on that
keyword.

A domain consists of objects stored in a specific security boundary and interconnected in a

tree-like structure. A single domain may have multiple servers – each of which is capable of
storing multiple objects. In this case, organizational data is stored in multiple locations, so a
domain may have multiple sites for a single domain. Each site may have multiple domain
controllers for backup and scalability reasons. Multiple domains may be connected to form a
domain tree, which shares a common schema, configuration and global catalog (used for
searching across domains). A forest is formed by a set of multiple and trusted domain trees and
forms the uppermost layer of the Active Directory.

The main service in Active Directory is Domain Services (AD DS), which stores directory
information and handles the interaction of the user with the domain. AD DS verifies access
when a user signs into a device or attempts to connect to a server over a network. AD DS
controls which users have access to each resource. For example, an administrator typically has
a different level of access to data than an end user.

Other Microsoft products, such as Exchange Server and SharePoint Server, rely on AD DS to
provide resource access. The server that hosts AD DS is the domain controller.

Active Directory services

Several other services comprise Active Directory. They are Lightweight Directory Services,
Certificate Services, Federation Services and Rights Management Services. Each service expands
the product's directory management capabilities.
Lightweight Directory Services (AD LDS) has the same codebase as AD DS, sharing similar
functionalities, such as the API. AD LDS, however, can run in multiple instances on one server
and holds directory data in a data store using Lightweight Directory Access Protocol (LDAP).

How to use the identity and access tool

LDAP is an application protocol used to access and maintain directory services over a network.
LDAP stores objects -- such as usernames and passwords -- in directory services -- such as Active
Directory -- and shares that object data across the network.

Certificate Services (AD CS) generates, manages and shares certificates. A certificate uses
encryption to enable a user to exchange information over the internet securely with a public
key.

Active Directory Federation Services (AD FS) authenticates user access to multiple applications -
- even on different networks -- using single sign-on (SSO). As the name indicates, SSO only
requires the user to sign on once rather than use multiple dedicated authentication keys for
each service.

Rights Management (AD RMS) controls information rights and management. AD RMS encrypts
content, such as email or Word documents, on a server to limit access.

Major features in Active Directory Domain Services

Active Directory Domain Services uses a tiered layout consisting of domains, trees and forests
to coordinate networked elements.

A domain is a group of objects, such as users or devices, that share the same AD database.
Domains have a domain name system (DNS) structure.

Active Directory's Group Policy Management console gives admins a tool to customize user and
computer settings in their organization.

A tree is one or more domains grouped together. The tree structure uses a contiguous
namespace to gather the collection of domains in a logical hierarchy. Trees can be viewed as
trust relationships where a secure connection, or trust, is shared between two domains.
Multiple domains can be trusted where one domain can trust a second, and the second domain
can trust a third. Because of the hierarchical nature of this setup, the first domain can implicitly
trust the third domain without needing explicit trust.

A forest is a group of multiple trees. A forest consists of shared catalogs, directory schemas,
application information and domain configurations. The schema defines an object's class and
attributes in a forest. In addition, global catalog servers provide a listing of all the objects in a
forest.

Organizational Units (OUs) organize users, groups and devices. Each domain can contain its own
OU. However, OUs cannot have separate namespaces, as each user or object in a domain must
be unique. For example, a user account with the same username cannot be created.

Active Directory versus Workgroup

Workgroup is another Microsoft program that connects Windows machines over a peer-to-peer
network. Workgroup allows these machines to share files, internet access, printers and other
resources over the network. Peer-to-peer networking removes the need for a server for
authentication.

Main competitors to Active Directory

Other directory services on the market that provide similar functionality to AD include Red Hat
Directory Server, Apache Directory and OpenLDAP.

Red Hat Directory Server manages user access to multiple systems in Unix environments.
Similar to AD, Red Hat Directory Server includes user ID and certificate-based authentication to
restrict access to data in the directory.

Apache Directory is an open source project that runs on Java and operates on any LDAP server,
including systems on Windows, macOS and Linux. Apache Directory includes a schema browser
and an LDAP editor/browser. Apache Directory supports Eclipse plug-ins.

OpenLDAP is a Windows-based open source LDAP directory. OpenLDAP enables users to

browse, search and edit objects in an LDAP server. OpenLDAP also features copying, moving
and deleting of trees in the directory, as well as enabling schema browsing, password
management, LDAP SSL support, and more.

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
How to Get AD Users Password Expiration Date

Method 1: Using Net User command to Display User Expiration Date

This first method uses the net user command that is built into windows. This command is used
to add, remove and make changes to user and computer accounts.

To determine when the password will expire for a single account open the command prompt
and type the following command:

Net user USERNAME /domain

In the below screenshot is an example for the user mfoster. In addition to displaying the
password expires date it also provides other useful information such as password last set, when
the password can be changed, if the account is active and so on.

 Bulk import users tool

 Inactive Computer Account Removal Tool
 Inactive User Account Removal Tool

Method 2: Using PowerShell To List All Users Password Expiration Date

To query user information with PowerShell you will need to have the AD module installed. If
you have the RSAT tools loaded then you are good to go.

To find the date the password was last set, run this command.
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name,
passwordlastset, Passwordneverexpires

In the screenshot below you can see it returns all users, password last set date and if the
password never expires.

To display the expiration date rather than the password last set date, use this command.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties
"DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property
"Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-
UserPasswordExpiryTimeComputed")}}

Above command https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-

list-of-ad-users-password-expiry-dates/and source:

To export any of the PowerShell results to a CSV just add | export-csv FILEPATH to the end.

I told you this was going to be easy. The PowerShell commands you can literally copy and past
and they should work in your environment. The Net User command just requires you to enter
in an AD user account to query.

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||