Active Directory Tips - PowerPoint PPT Presentation

Slides: 35
Provided by: clay159
Transcript and Presenter's Notes



1
Active Directory Tips & Tricks
  • Clay Walker

2
BISD Network Overview - Infrastructure
  • Windows 2003 Servers using AD
  • 95% of clients = Windows XP SP2, 5% = Windows 2000
  • Fiber connection to every campus (no slow links)
  • 5 Mbps DSL is primary ISP
  • T1 (1/2 for data) directly to ESC for services

3
BISD Network Overview-User Environment
  • Students 3rd through 12th have usernames and passwords
  • All home drives on servers (no data stored on
    local PC)
  • My Documents redirected to server
  • Favorites redirected to server
  • Ubiquity: except for some special software (CAD,
    HR, Payroll, Student Data), all computers have the
    same software

4
BISD Network Overview-User Environment
  • All users have H drive (student and adult)
  • Enable quotas as needed
  • One R drive acts as district shared folder
  • Permissions control access to files
  • Q drive for each campus for applications
  • Login script maps correct share
  • Campus Shortcuts folder in Q
  • Include shortcuts for:
    • Faculty Applications
    • Student Applications
    • Network Printers

5
Access Based Enumeration
  • With ABE installed, users only see what they have
    permission to read and/or write.

[Screenshots: what an administrator sees when logged in vs. what a student sees when logged in]

6
Access Based Enumeration
  • Windows 2003 Server only
  • Installed on the server that shares the files
  • Quick and easy to install and configure
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

7
Active Directory Fundamentals
  • Container: default for AD (Computers, Users,
    Domain Controllers)
    • Cannot add group policies
    • Cannot add sub-containers
  • OU (Organizational Unit): created by Net Admin
    • Able to nest
    • Able to add group policies

8
Why OUs
  • Organization allows easy access to information
    (<200 objects per OU)
  • Group policy application can be very specific or
    broad based

9
BISD Key OUs
  • Fac-Staff: Campuses, Principal, Secty, Supt
  • Servers (member servers)
  • Students: each grade level by grad year
  • SuperUsers
  • W2K-Computers

10
BISD W2k-Computers OU
  • Student Computer OU
  • Teacher/others OUs at each campus
  • Office OUs at each campus
  • Secretary OU
  • Servers NOT included
  • Laptops NOT included
  • CampusAdmin
  • CampusClassroom
  • Laptop
  • Library Search Kiosks
  • Secretary
  • TechLab
  • CentralOffice

11
BISD Student Computer OU
  • HS
    • HSLab1
    • HSLab2
    • HSLibrary
  • MS
    • MSLab1...
  • Allows policies to be set:
    • District wide
    • Just student computers
    • Campus wide
    • Lab specific

12
BISD Students Accounts
  • Organized by graduation year
  • Student usernames = grad year + first initial +
    last name, e.g. 07JSmith
  • Home directory = username
  • In AD, have full name to allow net admins to
    easily find info

13
BISD Student Accounts
  • Export Students from WinSchool (SMS)
  • Parse data using Excel
  • Use command line to batch add names:
    • DSAdd or adduser
    • mkdir
    • cacls
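
The batch-add step above, as an added PowerShell example (not the presentation's own script): it derives the slide-12 username scheme from a parsed export, creates each account with dsadd, makes the home directory, and replaces its ACL with cacls. The domain name, file server share, OU layout and the two sample rows are assumptions.

```powershell
# Added example, not from the presentation. Follows slide 13: parse the export,
# DSAdd the account, mkdir the home folder, cacls the permissions.
# Assumptions (constructed): domain bisd.local, student OUs named by grad year,
# home shares under \\FS1\Students, and the two sample rows below.
$Domain   = 'bisd.local'
$HomeRoot = '\\FS1\Students'
$StartPwd = 'ChangeMe-2006'   # placeholder initial password; changed at first logon

# Constructed stand-in for Import-Csv over the Excel-cleaned WinSchool export
$students = @'
GradYear,FirstName,LastName
07,John,Smith
08,Maria,Lopez
'@ | ConvertFrom-Csv

function New-StudentUserName {
    param([string]$GradYear, [string]$First, [string]$Last)
    # Slide 12 scheme: grad year + first initial + last name -> 07JSmith
    $name = '{0}{1}{2}' -f $GradYear, $First.Substring(0, 1), $Last
    return ($name -replace '[^A-Za-z0-9]', '')   # strip spaces, apostrophes, etc.
}

foreach ($s in $students) {
    $user = New-StudentUserName $s.GradYear $s.FirstName $s.LastName
    $ou   = "OU=$($s.GradYear),OU=Students,DC=bisd,DC=local"   # assumed OU path
    $home = Join-Path $HomeRoot $user
    $cn   = "$($s.FirstName) $($s.LastName)"    # full name as CN, per slide 12

    # dsadd: account in the grad-year OU, H: mapped to the home share,
    # forced password change so the placeholder never stays in use
    & dsadd.exe user "CN=$cn,$ou" -samid $user -upn "$user@$Domain" `
        -fn $s.FirstName -ln $s.LastName -display $cn `
        -pwd $StartPwd -mustchpwd yes -hmdir $home -hmdrv H: -disabled no
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $user"; continue }

    # mkdir, then cacls without /E to REPLACE the inherited ACL: only
    # Administrators (full) and the student (change) remain, so other students
    # browsing the share cannot read this folder. cacls asks Y/N, hence the pipe.
    New-Item -ItemType Directory -Path $home -Force | Out-Null
    'y' | & cacls.exe $home /G 'Administrators:F' "$Domain\$($user):C"
}
```

Run it on a domain member with the adminpak installed (dsadd) and with write access to the home share; the cacls line is the one that keeps one student's H drive invisible to the others.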

14
Tools
  • MMC (Microsoft Management Console): one-stop
    shopping (add snap-ins)
  • GPMC (Group Policy Management Console)
  • Active Directory Sites and Services (force
    replication)
  • Remote Desktop (mstsc.exe /console)
  • VNC on clients (AD integrated, turn off Systray
    icon)
  • Quotas on home directories
  • adminpak.msi (from 2003 SP1 server)

15
MMC
  • Create a custom MMC with common tools used daily:
    • Active Directory Users & Computers
    • Active Directory Sites & Services (used for
      replication)
    • DHCP
    • DNS
    • WINS (not used as much, if any)
    • GPMC
    • Exchange System Manager
    • IIS (maybe)
    • Remote Desktop
    • Anti-Virus
    • Content Filter/traffic shaper

16
Admin Tools
  • Adminpak.msi
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en
  • C:\windows\system32 folder on server
  • Install specific tools from the adminpak
  • http://www.petri.co.il/extract_specific_tools_from_adminpak_msi.htm

17
Essential Command Line
  • cacls - set permissions (file/directory)
  • takeown - take ownership (file/directory)
  • Win2003 Resource Kit
  • dsquery
  • dsmod
  • adduser

gpupdate /force forces an XP client to refresh
Group Policies from the DC.
secedit /refreshpolicy machine_policy /enforce forces
a 2K client to refresh Group Policies from the DC.
18
Group Policy Fundamentals
  • Group Policies can ONLY be applied to OUs
  • If the user is an administrator on the local
    machine, most (if any) restrictions will NOT work
  • You can use Group Policies to open up enough of
    your PCs so users DO NOT NEED to be local admins

19
Group Policies
  • Use GPMC from XP SP2 to edit
  • Setup Test OU
  • Turn on Loopback
  • Lockout registry
  • Install software
  • Block illegal software
  • Set file permissions
  • Set registry permissions
  • Redirect My Documents
  • Set update policies (WSUS Server)
  • Run login scripts (map drives)
  • Lockdown Desktops
  • Connect Network Printers

20
Software Restriction Policy
  • 2 types:
    • Path: specific filename and path (version
      irrelevant); Win2K and XP
    • Hash: signature (regardless of path or file
      name); XP only
  • Need to have a sample file (exe)
  • Can have multiple files in one policy
  • How to create a Hash Software Restriction:
    • Create new policy
    • Edit policy
    • Computer Configuration, Windows Settings,
      Security Settings, Software Restriction Policies
    • RC (right-click) New Software Restriction Policies
    • -> Additional Rules, RC New Hash Rule, Browse, OK
    • Allow time to replicate
    • gpupdate /force

21
Software Hash Video
22
VBS Scripting
  • Use Microsoft MSDN Library
  • Printer script came from:
    • Enumerate printers
    • Delete printers
    • Add printers

23
BISD Network Printers
  • Use GPO to run VBS script to set up printers for
    lab computers
  • Only runs on student accounts
  • Prevents printing across campus
  • Students still have access to connect to other
    printers if needed (campus shortcuts)
  • Algorithm:
    • Deletes existing network printer connections
    • Adds Lab Printer connections
    • Sets B/W lab laser as default printer
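
The three-step printer algorithm above, as an added PowerShell example (not the presentation's VBS): it calls the same WScript.Network object the VBS version uses, so the behaviour is the one the slide describes. The print server name, queue names and the extra username check are assumptions.

```powershell
# Added example, not the presentation's VBS. Same algorithm as slide 23, using
# the WScript.Network object the VBS version calls: delete network printer
# connections, add the lab printers, make the B/W laser the default.
# Assumptions (constructed): print server PRINT1 and the HSLab1 queue names.
$LabPrinters  = @('\\PRINT1\HSLab1-Laser', '\\PRINT1\HSLab1-Color')
$DefaultQueue = '\\PRINT1\HSLab1-Laser'    # B/W lab laser

# GPO security filtering is what limits this to student accounts; this extra
# check (assumed, based on the slide-12 naming scheme) just refuses to run if
# the script is ever linked somewhere it should not be.
if ($env:USERNAME -notmatch '^\d{2}[A-Za-z]') { return }

$net = New-Object -ComObject WScript.Network

# 1. Delete existing network printer connections. EnumPrinterConnections
#    returns a flat list alternating port, UNC path, port, UNC path ...;
#    keeping only the \\server\share entries picks out the connections.
$existing = @()
foreach ($entry in $net.EnumPrinterConnections()) {
    if ($entry -like '\\*\*') { $existing += $entry }
}
foreach ($path in ($existing | Sort-Object -Unique)) {
    try   { $net.RemovePrinterConnection($path, $true, $true) }   # force, update profile
    catch { Write-Warning "Could not remove $path : $_" }
}

# 2. Add the lab printer connections. A queue the user is not allowed to use
#    (ACL on the print server) fails here instead of silently appearing.
foreach ($path in $LabPrinters) {
    try   { $net.AddWindowsPrinterConnection($path) }
    catch { Write-Warning "Could not add $path : $_" }
}

# 3. B/W lab laser as default
$net.SetDefaultPrinter($DefaultQueue)
```

Deploy it as a user logon script in a GPO linked to the lab computer OU with loopback processing enabled (next slide), otherwise it follows the user rather than the lab PC.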

24
Network Printers/loopback
  • Printer connections are User based
  • When you want them to be computer based, you
    have to enable loopback processing in GPO
  • I recommend setting this on ALL computers
    regardless

25
WSUS
  • Windows Software Update Services
  • http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
  • Installed on a Win2003 Server
  • With this plus GPO settings, all PCs are
    automatically updated when new updates are released
  • Windows, Office and other Microsoft software updates

26
Internet Bandwidth
  • Monitor with MRTG
  • http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
  • Can be used for switches, routers, firewalls,
    servers, etc.
  • Use bandwidth shaper to control
  • We use Lightspeed Total Traffic Control
    (www.lightspeedsystems.com)
  • Consortium pricing may be available
  • Brian Thomas (brian_at_lightspeedsystems.com)
  • Best results by DHCP reservations for lab
    computers (specific ranges to labs)

27
DHCP Reservations
  • Setup DHCP scope so there is a Reservation only
    area and a Dynamic area
  • Decide what is critical to manage (secondary
    labs bandwidth)
  • Assign IP addresses via reservations to above
    machines

28
Sysprep
  • Use the correct sysprep: different versions for XP,
    XP SP2, Win2K, and Win2003
  • BISD's (Mark Buckner) guide to building images:
    http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
  • Sample sysprep.inf at above link

29
VNC
  • Install latest UltraVNC
  • Option to authenticate with AD
  • Add 2 Global Groups: VNC-ReadOnly and
    VNC-FullControl
  • Give VNC-FullControl R/W perms to PC
  • Give VNC-ReadOnly view-only perms to PC
  • Add users to groups (by default admins have
    FullControl)
  • Check the box for Hide SysTrayIcon and turn off
    Remove Desktop Wallpaper

30
Misc
  • Exchange Distribution lists: only allow members
    to send to the list (i.e. HS faculty cannot send
    to the MS Dist List)
  • Filemon/Regmon to monitor which files/registry
    keys are being accessed by programs
    (www.sysinternals.com)

31
List Servers
  • Microsoft Windows Administration
    • Very active list (400-500 messages per week)
    • http://www.sunbeltsoftware.com/community.cfm
    • Click on NTSYSADMIN List
  • North Texas Association of Technology Directors
    (NTATD)
    • www.ntatd.org

32
Other Cool Tools (non-admin)
  • Microsoft FREE software
  • Producer for Power Point 2003
  • Microsoft Photo Story
  • Windows Media Encoder

33
Resources
  • Managing Disk Quotas
    • http://www.microsoft.com/technet/scriptcenter/topics/win2003/quotas.mspx
  • Enterprise Management with Group Policy
    Management Console
    • http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
  • Configure Automatic Updates by using Group Policy
    (WSUS Server)
    • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/WSUS/WSUSDeploymentGuideTC/51c8a814-6665-4d50-a0d8-2ae27e69ca7c.mspx
  • Sysprep
    • http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prbc_cai_vnve.asp
    • http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
  • Access Based Enumeration
    • http://thelazyadmin.com/index.php?/archives/72-Access-Based-Enumeration.html

34
  • This presentation is available at www.ntatd.org/clay