Module 2

Administering Active Directory® Securely and Efficiently

Module Overview
• Work with Active Directory Administration Tools
• Custom Consoles and Least Privilege
• Find Objects in Active Directory
• Use Windows PowerShell to Administer Active Directory

Lesson 1: Work with Active Directory Administration Tools
• Active Directory Administration Snap-Ins
• What Is the Active Directory Administrative Center?
• Find Active Directory Administration Tools
• Demonstration: Perform Administrative Tasks by Using Active Directory Administrative Tools

Active Directory Administration Snap-Ins
• Active Directory Users and Computers
  ◦ Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders
• Active Directory Sites and Services
  ◦ Manage replication, network topology, and related services
• Active Directory Domains and Trusts
  ◦ Configure and maintain trust relationships and the domain and forest functional level
• Active Directory Schema
  ◦ Administer the Schema

What Is the Active Directory Administrative Center?
• Task-oriented tool based upon Windows PowerShell

Find Active Directory Administration Tools
• Active Directory snap-ins are installed on a domain controller
  ◦ Server Manager: Users and Computers, Sites and Services
  ◦ Administrative Tools folder
• Install the RSAT on a member client or server
  ◦ Windows Server 2008
    • Server Manager → Features → Add Feature → Remote Server Administration Tools
  ◦ Windows Vista SP1, Windows 7
    • Download RSAT from www.microsoft.com/downloads
    • Double-click the file, then follow the instructions in the Setup Wizard
    • Control Panel → Programs And Features → Turn Windows Features On Or Off → Remote Server Administration Tools

Demonstration: Perform Administrative Tasks by Using Active Directory Administration Tools
In this demonstration, you will see:
• How to perform administrative tasks by using Active Directory Users and Computers
• How to perform administrative tasks by using Active Directory Administrative Center

Lesson 2: Custom Consoles and Least Privilege
• Demonstration: Create a Custom MMC Console for Administering Active Directory
• Secure Administration with Least Privilege, Run As Administrator, and User Account Control
• Demonstration: Secure Administration with User Account Control and Run As Administrator

Demonstration: Create a Custom MMC Console for Administering Active Directory
In this demonstration, you will see:
• How to create a custom MMC console with multiple snap-ins
• How to register the Active Directory Schema snap-in
• Where to save a custom console

Secure Administration with Least Privilege, Run As Administrator, and User Account Control
• Maintain at least two accounts
  ◦ A standard user account
  ◦ An account with administrative privileges
• Log on to your computer as a standard user
  ◦ Do not log on to your computer with administrative credentials
• Start administrative consoles with Run As Administrator
  1. Right-click the console and click Run As Administrator
  2. Click Use another account
  3. Enter the user name and password for your administrative account

Demonstration: Secure Administration with User Account Control and Run As Administrator
In this demonstration, you will see:
• How to run a custom console as an administrator
• Why it is important to save a custom console to a shared location

Lab A: Administer Active Directory by Using Administrative Tools
• Exercise 1: Perform Basic Administrative Tasks by Using Administrative Tools
• Exercise 2: Create a Custom Active Directory Administrative Console
• Exercise 3: Perform Administrative Tasks with Least Privilege, Run As Administrator, and User Account Control

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 30 minutes

Lab Scenario
• In this exercise, you are Pat Coleman, an Active Directory administrator at Contoso, Ltd. You are responsible for a variety of Active Directory support tasks, and you have found yourself constantly opening multiple consoles from the Administrative Tools folder in Control Panel. You have decided to build a single console that contains all the snap-ins you require to do your work. Additionally, the Contoso IT security policy is changing, and you will no longer be permitted to log on to a system with credentials that have administrative privileges, unless there is an emergency. Instead, you are required to log on with nonprivileged credentials.

Lab Review
• Which snap-in are you most likely to use on a day-to-day basis to administer Active Directory?
• When you build a custom MMC console for administration in your enterprise, what snap-ins will you add?

Lesson 3: Find Objects in Active Directory
• Scenarios for Finding Objects in Active Directory
• Demonstration: Use the Select Users, Contacts, Computers, or Groups Dialog Box
• Options for Locating Objects in Active Directory Users and Computers
• Demonstration: Control the View of Objects in Active Directory Users and Computers
• Demonstration: Use the Find Command
• Determine Where an Object Is Located
• Demonstration: Use Saved Queries
• Demonstration: Find Objects by Using Active Directory Administrative Center

Scenarios for Finding Objects in Active Directory
• When you assign permissions to a folder or file
  ◦ Select the group or user to which permissions are assigned
• When you add members to a group
  ◦ Select the user or group that will be added as a member
• When you configure a linked attribute such as Managed By
  ◦ Select the user or group that will be displayed on the Managed By tab
• When you need to administer a user, group, or computer
  ◦ Perform a search to locate the object in Active Directory, instead of browsing for the object

Demonstration: Use the Select Users, Contacts, Computers, Service Accounts, or Groups Dialog Box
In this demonstration, you will see:
• How to select users with the Select dialog box

Options for Locating Objects
• Sorting: Use column headings to find the objects based on the columns
• Searching: Provide the criteria for which you want to search

Demonstration: Control the View of Objects in Active Directory Administrative Tools
In this demonstration, you will see:
• How to add or remove columns in the details pane
• How to sort objects based on columns in the details pane

Demonstration: Use the Find Command
In this demonstration, you will see:
• How to search for objects in Active Directory by using the Find command

Determine Where an Object is Located
1. Ensure that Advanced Features is enabled
2. Find the object
3. Open its Properties dialog box
4. Click the Object tab
5. View the Canonical name of object
or
• In the Find dialog box, click View, click Choose Columns, and then add the Published At column

Demonstration: Use Saved Queries
In this demonstration, you will see:
• How to create a saved query
• How to distribute a saved query
• Why saved queries are an efficient and effective tool for administration

Demonstration: Find Objects by Using Active Directory Administrative Center
In this demonstration, you will see:
• How to find objects by using the Active Directory Administrative Center
• How to save queries by using the Active Directory Administrative Center

Lab B: Find Objects in Active Directory
• Exercise 1: Find Objects in Active Directory
• Exercise 2: Use Saved Queries

Logon information
Virtual machine: 6425C-NYC-DC1
Logon user name: Pat.Coleman
Administrative user name: Pat.Coleman_Admin
Password: Pa$$w0rd

Estimated time: 15 minutes

Lab Scenario
• Contoso now spans five geographic sites around the world, with over 1,000 employees. As your domain has become populated with so many objects, it has become more difficult to locate objects by browsing. You are tasked with defining best practices for locating objects in Active Directory for the rest of the team of administrators. You are also asked to monitor the health of certain types of accounts.

Lab Review
• In your work, what scenarios require you to search Active Directory?
• What types of saved queries could you create to help you perform your administrative tasks more efficiently?

Lesson 4: Use Windows PowerShell to Administer Active Directory
• What Is Windows PowerShell?
• Installation Requirements for Windows PowerShell 2.0
• Overview of the Windows PowerShell Syntax
• Windows PowerShell Cmdlets for Active Directory
• Demonstration: Manage Users and Groups by Using PowerShell

What Is Windows PowerShell?
• Windows PowerShell is not a scripting language
  ◦ At least, it is not only a scripting language
• PowerShell is an engine designed to run commands that perform administrative tasks, for example:
  ◦ Creating user accounts
  ◦ Configuring services
  ◦ Deleting mailboxes
• PowerShell provides a foundation that Microsoft GUI-based administrative tools can build upon
  ◦ Actions can be accomplished in the command-line console
  ◦ Actions can also be invoked within GUIs by running PowerShell commands in the background

Installation Requirements for Windows PowerShell 2.0
• Windows PowerShell is pre-installed by default in Windows Server 2008 R2 and Windows 7
• Windows PowerShell is a web download for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 with Service Pack 1
• Windows PowerShell requires Microsoft .NET Framework 2.0
• Active Directory Module for Windows PowerShell is included with Windows Server 2008 R2
• Active Directory Module for Windows PowerShell is installed with AD DS or AD LDS

Overview of the Windows PowerShell Syntax
All Windows PowerShell cmdlets use the same syntax: Verb, Noun, Parameters

Verb: Get, Set
Noun: ADUser
Parameters: <string>, -Filter

Examples:
    Get-ADUser Don
    Set-ADUser -Department "Marketing"
    Get-ADUser -Filter 'Name -like "*"'

Cmdlets can be pipelined to other cmdlets:
    Get-ADUser Don | Set-ADUser -Department "Marketing"

Windows PowerShell Cmdlets for Active Directory
• PowerShell provides cmdlets to assist in the following:
  ◦ User, Computer, and Group Management
  ◦ Organizational Unit Management
  ◦ Password Policy Management
  ◦ Search and Modify Objects
  ◦ Forest and Domain Management
  ◦ Domain Controller and Operations Master Management
  ◦ Managed Service Account Management

Demonstration: Manage Users and Groups by Using Windows PowerShell
In this demonstration, you will see how to:
• Create a new OU
• Create a new user
• Move a user to a new OU
• View group membership
• Add members to a group
• Set the password on a new user and enable the user account
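
The demonstration steps above, written out with the Active Directory module cmdlets. This is an added example, not part of the original course material. The OU "Marketing Staff", the user "dana.example", the existing group "Marketing" and the domain name contoso.com are assumptions for illustration. In line with Lesson 2, the session runs as a standard user and the administrative account is supplied only through -Credential.

```powershell
# Added example. All object names and the domain DN are assumed values.
Import-Module ActiveDirectory

$domainDN = 'DC=contoso,DC=com'      # assumed domain
$ouName   = 'Marketing Staff'        # hypothetical OU
$ouDN     = "OU=$ouName,$domainDN"
$sam      = 'dana.example'           # hypothetical user
$group    = 'Marketing'              # assumed to exist already

# Least privilege: prompt once for the administrative account instead of
# logging on with it. The password is never written into the script.
$admin = Get-Credential

# 1. Create a new OU and protect it against accidental deletion.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true -Credential $admin

# 2. Create a new user. With no password supplied the account is created
#    disabled, so it cannot be used until step 6 completes.
New-ADUser -Name 'Dana Example' -SamAccountName $sam `
    -UserPrincipalName "$sam@contoso.com" -Department 'Marketing' `
    -Credential $admin

# 3. Move the user from the default container to the new OU.
Get-ADUser -Identity $sam -Credential $admin |
    Move-ADObject -TargetPath $ouDN -Credential $admin

# 4. View current group membership before changing it.
Get-ADGroupMember -Identity $group -Credential $admin |
    Select-Object Name, SamAccountName

# 5. Add the user to the group.
Add-ADGroupMember -Identity $group -Members $sam -Credential $admin

# 6. Set the initial password from a secure prompt, force a change at
#    first logon, and only then enable the account.
$initial = Read-Host -AsSecureString -Prompt 'Initial password'
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $initial -Credential $admin
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true -Credential $admin
Enable-ADAccount -Identity $sam -Credential $admin

# Verify the result: location, state and group membership.
Get-ADUser -Identity $sam -Properties Department, MemberOf -Credential $admin |
    Format-List DistinguishedName, Enabled, Department, MemberOf
```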

Lab C: Use Windows PowerShell to Administer Active Directory
• Exercise: Use PowerShell Commands to Administer Active Directory

Logon information
Virtual machine: 6425C-NYC-DC1
Administrative user name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 15 minutes

Lab Scenario
• Contoso is growing, and changes need to be made to objects in Active Directory. You are an administrator of AD DS, and you know that it is easier to view, create, delete, and modify objects by using Windows PowerShell.

Lab Review
• Which common Active Directory cmdlet parameter is used to limit search results to matches based on attributes?
• Which common Active Directory cmdlet parameter is used to specify the attributes that you want in your query results?
• How can you see a list of all attributes that are available for an Active Directory object?

Module Review and Takeaways
• Review Questions
• Tools
• Windows Server 2008 R2 Features Introduced in this Module
