5.2.1 Automate the creation of Active Directory accounts
Ways to manage users:
Active Directory Administrative Center (ADAC, dsac.exe)
Active Directory Users and Computers (ADUC, dsa.msc)
dsadd.exe command line
New-ADUser PowerShell cmdlet (ActiveDirectory module)
csvde.exe command line (CSV import/export)
ldifde.exe command line (LDIF import/export)
5.2.2 create, copy, configure, and delete users and computers
PowerShell module = ActiveDirectory (part of RSAT; Import-Module ActiveDirectory)
Create User:
ADAC: Drill down to the OU you want to create in. In the right pane, under Users, select New User.
(you can also select the OU location for user in the new user page)
ADUC: right click OU, New > User
PowerShell:
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -DisplayName "John Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@contoso.com" -Enabled $true `
    -AccountPassword (ConvertTo-SecureString -String "password" -AsPlainText -Force)
Note: without -Path the user is created in the default Users container (CN=Users). The plaintext -String above is only for illustration; in a script, use Read-Host -AsSecureString or a generated one-time password so the password does not end up in the script file or in transcript logs.
Copy User
ADAC: Not supported in ADAC
ADUC: right click user and Copy...
PowerShell: there is no Copy-ADUser cmdlet, but New-ADUser -Instance accepts an existing user object (from Get-ADUser) as a template for attribute values.
Configure User
ADAC: right click user, properties
ADUC right click user, properties
Powershell: set-aduser
Delete User
ADAC: right click user, Delete
ADUC: right click user, Delete
PowerShell: Remove-ADUser -Identity "cn=John Doe,ou=Accounting,dc=contoso,dc=com" (prompts for confirmation; -Confirm:$false suppresses it)
Creating Computers:
ADUC and ADAC: right click OU, New > Computer
dsadd computer "cn=testpc,cn=computers,dc=contoso,dc=com"
New-ADComputer -Name testpc -Path "cn=computers,dc=contoso,dc=com"
Join a computer to the domain with:
GUI: right click Computer, Properties, Change settings (sysdm.cpl), Computer Name tab, Change
netdom join testpc /domain:contoso.com /userd:contoso\admin /passwordd:*
Add-Computer -ComputerName testpc -DomainName contoso.com -Credential contoso\admin -Restart
Note: Add-Computer exists in Windows PowerShell 5.1 only; it was removed from PowerShell 6 and later. Pre-creating the computer object in the right OU (as above) lets you join with an account that has only "Create Computer objects" rights on that OU instead of domain admin credentials.
5.2.3 configure templates
Templates can be created in ADUC because of the Copy function. Create a user object and call it, for example, Default Template. Clear "User must change password at next logon" and check "Account is disabled" so the template itself can never be used to log on. Set the properties you want to reuse (group memberships, OU, profile path, logon hours, address and organization fields). Now you can right click the template and choose Copy; the copy inherits those properties but still needs its own name, logon name and password. ADAC has no Copy function, so templates are an ADUC (or PowerShell New-ADUser -Instance) feature.
5.2.4 perform bulk Active Directory operations
Create a CSV with a header line whose "columns" are the LDAP attribute names to be imported into new records. The first column must be DN (the distinguished name of the new object).
Use the objectClass attribute to specify the type of object, e.g. user
csvde.exe -i -f filenametoimport.csv (-k continues past errors such as "object already exists")
You can only add or export records with CSVDE; it cannot modify or delete. It also cannot import passwords (unicodePwd), so imported user accounts are created disabled and must get a password and be enabled afterwards.
LDIFDE.exe has 3 types of functions: add, modify, delete. The format of the data file is LDAP Data Interchange Format (LDIF), which is different from the CSV used by CSVDE. Example:
dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@contoso.com
Here the changetype line distinguishes what should be done with this record (add, modify or delete). The dn value is not quoted, and each record ends with a blank line.
You would import it with ldifde -i -f filenametoimport.ldf (-k continues past errors)
Use the replace directive with changetype: modify; the attribute name is the LDAP name (mail, not the PowerShell property EmailAddress) and the change block ends with a line containing only "-":
dn: cn=John Doe,ou=accounting,dc=contoso,dc=com
changetype: modify
replace: mail
mail: jdoe@contoso.com
-
You can also use New-ADUser by piping in the output of the Import-Csv cmdlet, which, unlike csvde, lets you set a password and enable the account in the same pass.
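The Import-Csv to New-ADUser pipeline described above, as an added example that is not part of the original notes. The OU path, UPN suffix and CSV column names are assumptions; the CSV content is constructed inline. Each user gets its own random one-time password instead of a shared value hard-coded in the script, existing accounts are skipped, and -WhatIf keeps the run a dry run until you remove it.

```powershell
# Added example: bulk user creation from a CSV with Import-Csv | New-ADUser.
# Requires RSAT / the ActiveDirectory module and rights on the target OU.
Import-Module ActiveDirectory

# Constructed sample; in practice: $users = Import-Csv -Path .\newusers.csv
$csv = @'
GivenName,Surname,SamAccountName,Department
John,Doe,jdoe,Accounting
Jane,Roe,jroe,Sales
'@
$users = $csv | ConvertFrom-Csv

$ouPath    = 'OU=Accounting,DC=contoso,DC=com'   # assumption: target OU
$upnSuffix = 'contoso.com'                       # assumption: UPN suffix

function New-RandomPassword {
    param([int]$Length = 16)
    # CSPRNG with rejection sampling so every character is equally likely
    $chars = [char[]](48..57) + [char[]](65..90) + [char[]](97..122) + '!@#$%^&*'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = $chars.Length * [math]::Floor(256 / $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

foreach ($u in $users) {
    $sam = $u.SamAccountName
    $upn = "$sam@$upnSuffix"

    # Idempotent: do not fail the whole batch on a duplicate logon name
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Skipping $sam - account already exists"
        continue
    }

    $initial = New-RandomPassword
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
        -GivenName $u.GivenName -Surname $u.Surname `
        -SamAccountName $sam -UserPrincipalName $upn `
        -Department $u.Department -Path $ouPath `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true `
        -WhatIf    # remove -WhatIf to actually create the accounts

    # The one-time password is returned to the caller to hand over out of band;
    # do not write it to a log or transcript.
    [pscustomobject]@{ User = $upn; InitialPassword = $initial }
}
```

Setting -ChangePasswordAtLogon $true forces the user off the generated password at first logon, so the script never needs to store it.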
5.2.5 configure user rights
User rights for a single computer can be configured locally with the Local Group Policy Editor (gpedit.msc) under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Or you can define the user rights in a domain group policy (same path under Computer Configuration > Policies), which is how they are managed at scale.
The order of application is Local, Site, Domain, OU (LSDOU); when two GPOs set the same right, the one applied later wins, so an OU-linked GPO normally overrides a domain-linked one. The exception is the Enforced option: an enforced GPO is not overridden by GPOs applied later, and if several enforced GPOs conflict, the one linked higher in the AD hierarchy wins.
Extra note: Local Security Policy (secpol.msc) is just the Security Settings subset of the Local Group Policy, so it shows User Rights Assignment too; gpedit.msc is the broader tool. Either way, domain GPO settings override what is set locally, and dangerous rights (Debug programs, Back up files and directories, Take ownership, Load and unload device drivers, Act as part of the operating system) are effectively local admin when granted, so review who holds them.
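An added example (not from the original notes) of auditing who holds the high-impact rights mentioned above. The real secedit.exe can export the effective local security policy to an INF file whose [Privilege Rights] section maps each privilege constant to the SIDs or names that hold it; here that section is a constructed sample so the script runs without secedit. The list of sensitive privileges and the allow-list of expected holders are assumptions to adapt to your baseline.

```powershell
# Added example: report non-default holders of sensitive user rights.
# Real export (run elevated):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf"
# Constructed sample of that file's relevant section:
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeServiceLogonRight = CONTOSO\svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Assumption: rights that amount to local admin or token/credential access if granted widely
$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege', 'SeEnableDelegationPrivilege'

function Resolve-Holder {
    param([string]$Token)
    # secedit writes SIDs with a leading '*'; account names (DOMAIN\user) appear as-is
    if ($Token -notmatch '^\*?S-1-\d') { return $Token }
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($Token.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Token }   # unresolvable (foreign or deleted SID): keep raw so it is still reported
}

function Get-PrivilegeAssignments {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\S+)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]
        foreach ($holder in ($Matches[2] -split ',' | Where-Object { $_.Trim() })) {
            [pscustomobject]@{
                Privilege = $priv
                Holder    = Resolve-Holder $holder.Trim()
                Sensitive = $sensitive -contains $priv
            }
        }
    }
}

# Assumption: the built-in holders considered expected; everything else is reported
$expected = '\\(Administrators|SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$'
Get-PrivilegeAssignments $inf |
    Where-Object { $_.Sensitive -and $_.Holder -notmatch $expected } |
    Format-Table Privilege, Holder -AutoSize
```

On the sample this reports BUILTIN\Backup Operators for SeBackupPrivilege and NT AUTHORITY\SERVICE for SeImpersonatePrivilege; the first is worth checking on servers because backup rights bypass file ACLs, the second is the Windows default and shows why the allow-list must be tuned to your baseline. Run the same script against every machine's export, or against the Group Policy results (gpresult /h), to see the rights domain GPOs actually push down.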
5.2.6 offline domain join
Offline domain joins are done using the djoin command line. Using a computer with access to a DC, provision the computer account and save the metadata blob:
djoin /provision /domain contoso.com /machine OFFPC /savefile offlinefile.txt
Then run on the offline computer (elevated):
djoin /requestodj /loadfile offlinefile.txt /windowspath %systemroot% /localos
The blob file contains the new machine account's password, so protect it in transit and delete it after the join completes. Use /machineou to place the account in a specific OU and /reuse if the computer account already exists.
5.2.7 manage inactive and disabled accounts
Disable/Enable a user or computer in ADAC or ADUC: right click and Disable Account / Enable Account
PowerShell:
Enable-ADAccount -Identity jdoe
Disable-ADAccount -Identity jdoe
Search-ADAccount -AccountDisabled -UsersOnly   (lists disabled users)
For inactive accounts, you can use
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
You can also use dsquery with the -inactive parameter specifying the number of weeks inactive
dsquery user dc=contoso,dc=com -inactive 4
Both rely on lastLogonTimestamp, which is replicated between DCs but only updated when the stored value is more than about 14 days old, so use thresholds well above two weeks and treat the results as candidates to review rather than proof of inactivity.
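An added example (not from the original notes) that turns the Search-ADAccount query above into a review-and-quarantine step: inactive, still-enabled users are stamped with a reason, disabled and moved to a holding OU, so that the disable action is auditable and reversible. The 90-day threshold and the quarantine OU are assumptions; -WhatIf keeps the script a dry run until removed.

```powershell
# Added example: disable and quarantine users inactive for more than $days days.
Import-Module ActiveDirectory

$days         = 90                                          # assumption: site policy threshold
$cutoff       = (Get-Date).AddDays(-$days)
$quarantineOU = 'OU=Disabled Accounts,DC=contoso,DC=com'    # assumption: OU already exists
$stamp        = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $days days"

# lastLogonTimestamp refreshes only when it is ~14 days stale, so the threshold
# must stay well above that, and the result is a candidate list, not proof.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $days) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser $_.DistinguishedName -Properties whenCreated, lastLogonDate, description } |
    Where-Object { $_.whenCreated -lt $cutoff }   # skip new accounts that simply have not logged on yet

foreach ($u in $inactive) {
    Write-Host ("{0,-20} last logon: {1}" -f $u.SamAccountName, $u.LastLogonDate)
    # Record why and when it was disabled so re-enable or deletion decisions are traceable
    Set-ADUser $u -Description $stamp -WhatIf
    Disable-ADAccount $u -WhatIf
    Move-ADObject $u.DistinguishedName -TargetPath $quarantineOU -WhatIf
}
```

Disabling before deleting preserves the SID and group memberships for the review period; deleting a user and later recreating it gives a new SID, so ACLs granted to the old account do not carry over.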