Active Directory Tips & Tricks
Clay Walker

Transcript of Active Directory Tips & Tricks (34 slides)

Page 1: Active Directory Tips & Tricks

Active Directory Tips & Tricks
Clay Walker

Page 2: BISD Network Overview - Infrastructure

- Windows 2003 servers using AD
- Clients: 95% Windows XP SP2, 5% Windows 2000
- Fiber connection to every campus (no slow links)
- 5 Mbps DSL is the primary ISP
- T1 (half of it for data) directly to the ESC for services

Page 3: BISD Network Overview - User Environment

- Students in grades 3-12 have usernames and passwords
- All home drives are on servers (no data stored on the local PC)
- My Documents redirected to the server
- Favorites redirected to the server
- Ubiquity: all computers have the same software, except for some special software (CAD, HR, Payroll, Student Data)

Page 4: BISD Network Overview - User Environment

- All users (students and adults) have an H: drive; enable quotas as needed
- One R: drive acts as the district shared folder; NTFS permissions control access to files
- A Q: drive for each campus holds applications; the login script maps the correct share
- A Campus Shortcuts folder in Q: includes shortcuts for: Faculty Applications, Student Applications, Network Printers

Page 5: Access Based Enumeration

With ABE installed (a separate download for Windows Server 2003; built into Windows Server 2008 and later), users browsing a share see only the files and folders they have permission to read and/or write. ABE only hides entries; it does not add protection. A user who already knows a path can still open it if the NTFS ACL allows, so the ACL remains the actual access control.

[Screenshots: what an administrator sees when logged in vs. what a student sees when logged in]

Page 7: Active Directory Fundamentals

Container - the defaults AD creates (Computers, Users, Builtin). Cannot have group policies linked. Cannot hold sub-containers or OUs. (Domain Controllers, listed on the slide as a container, is actually an OU, which is why the Default Domain Controllers Policy can be linked to it.)

OU - Organizational Unit - created by the network admin. Can be nested. Can have group policies linked.

Page 8: Why OUs

- Organization: allows easy access to information (keep to fewer than about 200 objects per OU so it stays browsable in the console)
- Group policy application can be very specific or broad based

Page 9: BISD Key OUs

- Fac-Staff: Campuses, Principal, Secty, Supt
- Servers (member servers)
- Students: one OU per grade level, named by graduation year
- SuperUsers
- W2K-Computers

Page 10: BISD W2K-Computers OU

- Student Computer OU
- Teacher/others OUs at each campus
- Office OUs at each campus
- Secretary OU
- Servers NOT included
- Laptops NOT included

Sub-OUs shown on the slide: CampusAdmin, CampusClassroom, Laptop, Library, Search, Kiosks, Secretary, TechLab, CentralOffice

Page 11: BISD Student Computer OU

- HS: HSLab1, HSLab2, HSLibrary
- MS: MSLab1, ...

This nesting allows policies to be set district-wide, for just student computers, campus-wide, or lab-specific.

Page 12: BISD Student Accounts

- Organized by graduation year
- Student username = grad year + first initial + last name, e.g. 07JSmith
- Home directory name = username
- The full name is stored in AD so net admins can easily find the student's information

Page 13: BISD Student Accounts

- Export students from WinSchool (SMS)
- Parse the data using Excel
- Use the command line to batch-add the accounts: dsadd or adduser for the user object, mkdir for the home directory, cacls for its permissions
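The batch-add step above, written out as an added PowerShell example (not code from the presentation): it applies the slide's naming convention (two-digit grad year + first initial + last name, e.g. 07JSmith), catches username collisions before touching the directory, and then runs the slide's three steps per student: dsadd for the user, a directory for the home folder, and an ACL that gives only that student access (icacls here; the slide's cacls does the same job on Windows 2003). The CSV rows, the OU path OU=Students,DC=bisd,DC=local, the home share \\fs1\home$ and the NetBIOS name BISD are all placeholders, not BISD's real layout.

```powershell
# Added example, not from the presentation. Assumptions (placeholders):
# a CSV export with GradYear,FirstName,LastName columns, one OU per grad
# year under OU=Students,DC=bisd,DC=local, a home share \\fs1\home$, the
# dsadd and icacls tools in PATH, and an account allowed to create users.

$Domain     = 'BISD'
$UpnSuffix  = 'bisd.local'
$StudentsDn = 'OU=Students,DC=bisd,DC=local'
$HomeShare  = '\\fs1\home$'
$DryRun     = $true     # set to $false to actually create objects

# Constructed sample export; in real use: $students = Import-Csv .\students.csv
$students = @'
GradYear,FirstName,LastName
2007,John,Smith
2007,Mary,O'Brien
2008,Ana,De La Cruz
2007,Jon,Smith
'@ | ConvertFrom-Csv

function New-StudentUserName {
    param([string]$GradYear, [string]$FirstName, [string]$LastName)
    # Strip anything that is not a letter or digit from the surname:
    # apostrophes and spaces are not safe in sAMAccountName or folder names.
    $yy   = $GradYear.Substring($GradYear.Length - 2)
    $ln   = $LastName -replace '[^A-Za-z0-9]', ''
    $name = '{0}{1}{2}' -f $yy, $FirstName.Substring(0, 1).ToUpper(), $ln
    if ($name.Length -gt 20) { $name = $name.Substring(0, 20) }   # sAMAccountName limit
    return $name
}

function Invoke-Step {
    # Runs one external tool, masking the password in any output.
    param([string]$Exe, [string[]]$Arguments)
    $shown = ($Arguments -join ' ') -replace '-pwd \S+', '-pwd ********'
    if ($DryRun) { Write-Host "[dry-run] $Exe $shown"; return $true }
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Exe exited $LASTEXITCODE : $shown"; return $false }
    return $true
}

# Detect collisions before creating anything: with this scheme John Smith
# and Jon Smith, class of 2007, both become 07JSmith.
$plan = @{}
foreach ($s in $students) {
    $u = New-StudentUserName $s.GradYear $s.FirstName $s.LastName
    if ($plan.ContainsKey($u)) {
        Write-Warning "Skipping $($s.FirstName) $($s.LastName): username $u already taken by $($plan[$u].FirstName) $($plan[$u].LastName)"
        continue
    }
    $plan[$u] = $s
}

$chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
foreach ($u in $plan.Keys) {
    $s       = $plan[$u]
    $dn      = "CN=$($s.FirstName) $($s.LastName),OU=$($s.GradYear),$StudentsDn"
    $homeDir = "$HomeShare\$u"
    # Random one-time password; -mustchpwd yes forces a change at first logon.
    $pwd     = -join (Get-Random -InputObject $chars -Count 12)

    $ok = Invoke-Step 'dsadd' @('user', $dn, '-samid', $u, '-upn', "${u}@${UpnSuffix}",
        '-fn', $s.FirstName, '-ln', $s.LastName, '-display', "$($s.FirstName) $($s.LastName)",
        '-hmdir', $homeDir, '-hmdrv', 'H:', '-pwd', $pwd, '-mustchpwd', 'yes')
    if (-not $ok) { continue }

    if ($DryRun) { Write-Host "[dry-run] mkdir $homeDir" }
    else { New-Item -ItemType Directory -Path $homeDir -Force | Out-Null }

    # Drop inherited ACEs so other students cannot browse the folder, then
    # grant only the student, SYSTEM and Domain Admins (full control, inherited).
    Invoke-Step 'icacls' @($homeDir, '/inheritance:r',
        '/grant', "${Domain}\${u}:(OI)(CI)F",
        '/grant', 'SYSTEM:(OI)(CI)F',
        '/grant', "${Domain}\Domain Admins:(OI)(CI)F") | Out-Null
}
```

Run it once with $DryRun left at $true to review the generated usernames and commands (the sample data deliberately produces a collision), then flip it to $false. The home folder ACL is what makes "permissions control access to files" true for H: drives: inheritance from the share root is removed so a student cannot browse a classmate's folder.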

Page 14: Tools

- MMC - Microsoft Management Console: one-stop shopping (add snap-ins)
- GPMC - Group Policy Management Console
- Active Directory Sites and Services (force replication)
- Remote Desktop (mstsc.exe /console)
- VNC on clients: AD integrated, turn off the systray icon
- Quotas on home directories
- adminpak.msi (from a 2003 SP1 server) to install the admin tools on a workstation

Page 15: MMC

Create a custom MMC with the common tools used daily:

- Active Directory Users & Computers
- Active Directory Sites & Services (used for replication)
- DHCP
- DNS
- WINS (not used as much, if at all)
- GPMC
- Exchange System Manager
- IIS (maybe)
- Remote Desktop
- Anti-Virus
- Content Filter / traffic shaper

Page 17: Essential Command Line

- cacls - set permissions (file/directory)
- takeown - take ownership (file/directory)
- dsquery, dsmod - built into Windows 2003; adduser - from the Win2003 Resource Kit
- "gpupdate /force" - forces an XP client to refresh Group Policy from the DC
- "secedit /refreshpolicy machine_policy /enforce" - forces a 2000 client to refresh computer Group Policy from the DC (use user_policy for the user half)

Page 18: Group Policy Fundamentals

- Group Policies can only be linked to sites, domains and OUs, never to the default containers (Computers, Users)
- If the user is an administrator on the local machine, most restrictions will NOT hold: a local admin can undo the registry and file settings the policy relies on
- You can use Group Policies to open up just enough of your PCs that users DO NOT NEED to be local admins

Page 19: Group Policies

- Use GPMC from XP SP2 to edit
- Set up a Test OU
- Turn on loopback processing
- Lock out registry*
- Install software
- Block "illegal" software
- Set file permissions
- Set registry permissions
- Redirect My Documents
- Set update policies (WSUS server)
- Run login scripts (map drives)
- Lock down desktops
- Connect network printers

Page 20: Software Restriction Policy

The two rule types used here (SRP also offers certificate and Internet zone rules):

- Path = a specific filename and path (version irrelevant). Easy to maintain, but a user who can copy the file somewhere else escapes it, so pair path rules with NTFS permissions that keep users from writing into allowed locations.
- Hash = a "signature" of the file contents (regardless of path or file name). Survives renaming and moving, but every new version of the program needs a new rule. Needs a sample file (the exe) to hash. Several files can go in one policy.

SRP is processed by Windows XP and 2003 clients; Windows 2000 does not implement it. The strongest configuration is a default level of Disallowed with allow rules for the program directories, rather than a block list; the steps below create a block-list hash rule.

How to create a Hash Software Restriction:

1. Create a new GPO and edit it
2. Computer Configuration, Windows Settings, Security Settings, Software Restriction Policies
3. Right-click - New Software Restriction Policy
4. Additional Rules, right-click - New Hash Rule, Browse to the sample file, OK
5. Allow time to replicate, then gpupdate /force on the client
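After step 5 the only evidence that the rule reached a client is the registry. The added example below (not from the presentation) reads the hash rules SRP deposited on the local machine and checks whether a given executable matches one, which verifies that replication and gpupdate worked and also shows why a hash rule holds up against a renamed copy while a path rule does not. It assumes the registry layout SRP uses: rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Hashes, with ItemData holding the hash bytes and HashAlg naming the algorithm (32771 MD5, 32772 SHA-1, 32780 SHA-256); Get-FileHash needs PowerShell 4 or later, so this runs on a modern client rather than the slide's XP.

```powershell
# Added example, not from the presentation. Lists SRP hash rules present on
# this machine and tests a file against them. Assumed registry layout:
# ...\Safer\CodeIdentifiers\<level>\Hashes\{guid} with ItemData (hash bytes),
# HashAlg (32771 = MD5, 32772 = SHA-1, 32780 = SHA-256), ItemSize, FriendlyName.
# Level 0 is Disallowed, 262144 Unrestricted.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$AlgName   = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }

function Get-SrpHashRule {
    # One object per hash rule deposited by policy, with the hash as lowercase hex.
    if (-not (Test-Path $SaferRoot)) { return @() }
    foreach ($level in Get-ChildItem $SaferRoot) {
        $lvl     = [int]$level.PSChildName
        $hashKey = Join-Path $level.PSPath 'Hashes'
        if (-not (Test-Path $hashKey)) { continue }
        foreach ($rule in Get-ChildItem $hashKey) {
            $p = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $LevelName[$lvl]
                Algorithm   = $AlgName[[int]$p.HashAlg]
                Hash        = (($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '')
                Size        = $p.ItemSize
                Description = $p.FriendlyName
                RuleGuid    = $rule.PSChildName
            }
        }
    }
}

function Test-SrpHashRule {
    # Hashes the file with each algorithm SRP uses and reports the first rule hit.
    # The file's name and location play no part, which is the point of a hash rule.
    param([Parameter(Mandatory)][string]$Path)
    $file  = Get-Item $Path
    $rules = @(Get-SrpHashRule)
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h   = (Get-FileHash -Path $file.FullName -Algorithm $alg).Hash.ToLower()
        $hit = $rules | Where-Object { $_.Algorithm -eq $alg -and $_.Hash -eq $h } | Select-Object -First 1
        if ($hit) {
            return [pscustomobject]@{ File = $file.FullName; Matched = $true; Level = $hit.Level; Rule = $hit.Description; Algorithm = $alg }
        }
    }
    return [pscustomobject]@{ File = $file.FullName; Matched = $false; Level = $null; Rule = $null; Algorithm = $null }
}

# Usage: show what policy delivered, then test a file (and a renamed copy of it).
Get-SrpHashRule | Format-Table Level, Algorithm, Hash, Description
Test-SrpHashRule -Path "$env:SystemRoot\System32\calc.exe"
```

If Get-SrpHashRule returns nothing after gpupdate /force, the GPO has not reached this computer yet (check the link, the OU the computer actually sits in, and replication). Copy a blocked executable to a different name and run Test-SrpHashRule on the copy: it still matches, whereas the same experiment against a path rule succeeds in running the copy.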

Page 21: Software Hash Video

(Video demonstration of creating a hash rule; not transcribed.)

Page 22: VBS Scripting

- Use the Microsoft MSDN Library
- Printer script came from these examples: enumerate printers, delete printers, add printers

Page 23: BISD Network Printers

- Use a GPO to run a VBS script that sets up printers on lab computers
- Only runs for student accounts
- Prevents printing across campus from a lab
- Students still have access to connect to other printers if needed (via the campus shortcuts)

Algorithm:
1. Delete existing network printer connections
2. Add the lab printer connections
3. Set the B/W lab laser as the default printer
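The algorithm above, as an added example (not the presentation's VBS) written in PowerShell against the same WScript.Network COM object the original script used, so it works on the XP-era clients the slide targets as well as current ones. The printer paths \\print1\HSLab1-BW and \\print1\HSLab1-Color are placeholders; the slide names none.

```powershell
# Added example, not from the presentation. Lab-printer logon script:
# remove every network printer connection, add the lab's own, make the
# black-and-white laser the default. Printer paths are placeholders.

$LabPrinters    = @('\\print1\HSLab1-BW', '\\print1\HSLab1-Color')
$DefaultPrinter = '\\print1\HSLab1-BW'      # B/W lab laser as default

$net = New-Object -ComObject WScript.Network

function Get-NetworkPrinterConnection {
    # EnumPrinterConnections returns a flat list: port, name, port, name, ...
    # Network connections carry a UNC name (\\server\printer); local printers
    # (LPT1:, USB001) are left alone.
    $items = @($net.EnumPrinterConnections())
    for ($i = 1; $i -lt $items.Count; $i += 2) {
        if ($items[$i] -like '\\*') { $items[$i] }
    }
}

function Set-LabPrinters {
    # 1. Drop existing network connections so a student cannot print to
    #    another building's printer from a lab PC.
    foreach ($p in @(Get-NetworkPrinterConnection)) {
        try   { $net.RemovePrinterConnection($p, $true, $true) }   # force, update profile
        catch { Write-Warning "Could not remove ${p}: $_" }
    }
    # 2. Add the lab's own printers.
    foreach ($p in $LabPrinters) {
        try   { $net.AddWindowsPrinterConnection($p) }
        catch { Write-Warning "Could not add ${p}: $_" }
    }
    # 3. Default to the B/W laser so colour pages are a deliberate choice.
    $net.SetDefaultPrinter($DefaultPrinter)
}

Set-LabPrinters
```

Deploy it as a user logon script in the GPO linked to the lab's computer OU. Because printer connections are per user, that GPO needs loopback processing turned on so its user-side settings apply to whichever student logs on to a lab PC; the campus shortcuts folder still lets a student deliberately reconnect another printer afterwards.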

Page 24: Network Printers / Loopback

Printer connections are user based. When you want them to follow the computer instead, enable loopback processing in the GPO linked to the computer OU: the user-side settings of that GPO are then applied for whoever logs on (Merge mode adds them to the user's own policy, Replace mode uses them alone). I recommend setting this on ALL computers regardless.

Page 25: WSUS

Windows Server Update Services: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

- Installed on a Win2003 server
- Combined with GPO settings (Automatic Updates pointed at the WSUS server), all PCs are updated automatically when new updates are released
- Covers Windows, Office and other Microsoft software updates

Page 26: Internet Bandwidth

- Monitor with MRTG (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/); it can graph switches, routers, firewalls, servers, etc.
- Use a bandwidth shaper to control it. We use Lightspeed Total Traffic Control (www.lightspeedsystems.com). Consortium pricing may be available: Brian Thomas ([email protected])
- Best results come from DHCP reservations for lab computers (specific address ranges per lab), so the shaper can identify each lab by its address range

Page 27: DHCP Reservations

- Set up the DHCP scope so there is a "Reservation only" area and a "Dynamic" area
- Decide what is critical to manage (secondary labs' bandwidth)
- Assign IP addresses to those machines via reservations

Address plan for 10.19.x.x (third octet):

  Reservation only
    0.0      Network
    10.0     Admin
    20.0     ES
    30.0     IS
    40.0     MS
    50.0     HS
    60.0     ACE
    70.0     Sp. Ed
    80.0 - 200.0    (unassigned on the slide)
  Dynamic
    210.0 - 250.0
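Creating the reservations by hand in the DHCP console is where a lab PC quietly ends up in the dynamic range and the shaper rule never matches it. The added example below (not from the presentation) builds reservations from a list of MAC addresses and refuses any address that does not fit the plan above: wrong /16, third octet in the dynamic pool (210 and up), or third octet not matching the campus. It uses the DhcpServer module that ships with Windows Server 2012 and later, which the slide's 2003 console did not have; the server name dc1.bisd.local, the campus table, the PC names and the MACs are placeholders.

```powershell
# Added example, not from the presentation. Validates lab PC addresses
# against the 10.19.x.x plan and creates DHCP reservations for them.
# Placeholders: server name, scope, campus-to-octet table, MACs.

$DhcpServer   = 'dc1.bisd.local'
$ScopeId      = '10.19.0.0'
$CampusOctet  = @{ Admin = 10; ES = 20; IS = 30; MS = 40; HS = 50; ACE = 60; SpEd = 70 }
$DynamicFirst = 210     # first third octet handed out dynamically
$DryRun       = $true   # set to $false to create the reservations

# Constructed sample: three HS lab PCs, one of them planned into the dynamic range.
$labPcs = @'
Name,Mac,Campus,Ip
HSLab1-PC01,00-11-22-33-44-01,HS,10.19.50.21
HSLab1-PC02,00:11:22:33:44:02,HS,10.19.50.22
HSLab1-PC03,001122334403,HS,10.19.215.23
'@ | ConvertFrom-Csv

function Test-PlannedAddress {
    # Returns $null when the address fits the plan, otherwise the reason it does not.
    param([string]$Ip, [string]$Campus)
    $octets = $Ip.Split('.')
    if ($octets.Count -ne 4 -or ($octets | Where-Object { $_ -notmatch '^\d+$' -or [int]$_ -gt 255 })) {
        return "not a valid IPv4 address"
    }
    if ($octets[0] -ne '10' -or $octets[1] -ne '19') { return "outside 10.19.0.0/16" }
    if (-not $CampusOctet.ContainsKey($Campus)) { return "unknown campus '$Campus'" }
    $third = [int]$octets[2]
    if ($third -ge $DynamicFirst) {
        return "third octet $third is in the dynamic pool (>= $DynamicFirst); pick a reservation-only address"
    }
    if ($third -ne $CampusOctet[$Campus]) {
        return "third octet $third is not the $Campus range (10.19.$($CampusOctet[$Campus]).x)"
    }
    return $null
}

function ConvertTo-DhcpClientId {
    # Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455;
    # the DHCP cmdlets expect the dash-separated form.
    param([string]$Mac)
    $hex = ($Mac -replace '[-:]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { throw "Bad MAC address: $Mac" }
    return ((0, 2, 4, 6, 8, 10 | ForEach-Object { $hex.Substring($_, 2) }) -join '-')
}

foreach ($pc in $labPcs) {
    $problem = Test-PlannedAddress -Ip $pc.Ip -Campus $pc.Campus
    if ($problem) { Write-Warning "$($pc.Name): $problem"; continue }
    $clientId = ConvertTo-DhcpClientId $pc.Mac
    if ($DryRun) {
        Write-Host "[dry-run] reserve $($pc.Ip) for $($pc.Name) ($clientId) in scope $ScopeId on $DhcpServer"
        continue
    }
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId -IPAddress $pc.Ip `
        -ClientId $clientId -Name $pc.Name -Description "$($pc.Campus) lab reservation"
}
```

With the sample data, HSLab1-PC03 is rejected because 10.19.215.23 sits in the dynamic pool. The plan also depends on the scope's distribution range being confined to the dynamic area (third octets 210-250), so that dynamic clients never receive an address the shaper treats as a lab machine.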

Page 28: Sysprep

- Use the correct sysprep: there are different versions for XP, XP SP2, Win2K and Win2003
- BISD's (Mark Buckner) guide to building images: http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
- A sample sysprep.inf is at the above link. Treat your own sysprep.inf as sensitive: its [GuiUnattended] section carries the local administrator password (in clear text unless EncryptedAdminPassword is set), so keep it off world-readable shares and off finished images.

Page 29: VNC

- Install the latest UltraVNC
- Choose the option to authenticate with AD
- Add two global groups: VNC-ReadOnly and VNC-FullControl
- Give VNC-FullControl read/write permission to the PC; give VNC-ReadOnly view-only permission
- Add users to the groups (by default, admins have FullControl)
- Check the box to hide the systray icon, and turn off "remove desktop wallpaper"

Note that hiding the systray icon removes the only on-screen sign that a session is being viewed, and VNC traffic is not encrypted unless the server's encryption plugin is used; keep the FullControl group small and audit its membership.

Page 30: Misc

- Exchange: on distribution lists, only allow members to send to the list (i.e. HS faculty cannot send to the MS distribution list)
- Filemon/Regmon (www.sysinternals.com; since merged into Process Monitor) to monitor which files and registry keys are being accessed by programs

Page 31: List Servers

- Microsoft Windows Administration (NTSYSADMIN): very active list (400-500 messages per week); http://www.sunbeltsoftware.com/community.cfm, click on NTSYSADMIN List
- North Texas Association of Technology Directors (NTATD): www.ntatd.org

Page 33: Resources

- Managing Disk Quotas: http://www.microsoft.com/technet/scriptcenter/topics/win2003/quotas.mspx
- Enterprise Management with Group Policy Management Console: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
- Configure Automatic Updates by using Group Policy (WSUS Server): http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/WSUS/WSUSDeploymentGuideTC/51c8a814-6665-4d50-a0d8-2ae27e69ca7c.mspx
- Sysprep: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prbc_cai_vnve.asp and http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
- Access Based Enumeration: http://thelazyadmin.com/index.php?/archives/72-Access-Based-Enumeration.html

Page 34: Active Directory Tips & Tricks

This presentation is available at:

www.ntatd.org/clay