Inside Active Directory
A book by Sakari Kouti and Mika Seitsonen

Content (1st Edition, AD2000)

Inside Active Directory contains the following 11 chapters, divided into three parts.

Part                       Chapter                                Pages
Part I: Background Skills   1 Active Directory: The Big Picture    64
                            2 Installation                         51
Part II: Core Skills        3 Managing OUs, Users and Groups       82
                            4 Securing Active Directory           104
                            5 Sites and Replication               111
                            6 Domains and Forests                  84
                            7 Group Policy                         76
Part III: Advanced Skills   8 Active Directory Schema              60
                            9 Extending the Schema                 56
                           10 Administration Script Concepts       63
                           11 Administration Script Examples      143

The book contains 205 tables and 105 diagrams; 70% of the book's spreads include either a table or a diagram. There are also 278 screenshots, of which 110 are sample scripts or their resulting output.

This page includes:

- Content Overview
- Chapters' Overview
- Table of Contents
- List of Tables

You can also view two entire chapters online, if you have Acrobat Reader:

- Chapter 3 in PDF format (509 KB)
- Chapter 8 in PDF format (382 KB)


Content Overview

We have divided the book into three parts.

- Part I: Background Skills (Chapters 1 and 2) gives the big picture of Active Directory so you can successfully plan and implement an Active Directory network. This part also discusses the installation of Windows 2000 and Active Directory.

- Part II: Core Skills (Chapters 3 through 7) describes the concepts, planning, and administration of both the physical and the logical structure of Active Directory. The topics presented in this part include user and group management, access control, and Group Policy. Even though Part III covers advanced skills, most chapters in this part discuss related advanced topics.

- Part III: Advanced Skills (Chapters 8 through 11) looks at advanced techniques, including the schema and scripting. Along with these topics we also uncover many aspects of Active Directory architecture. You can probably live without the information in these chapters, but by reading them you can greatly deepen your knowledge and understanding of Active Directory and make use of it when implementing and administering Active Directory networks.

Chapters' Overview

Mika wrote Chapter 2 and Chapter 7, and Sakari wrote the remaining chapters.

Chapter 1: Active Directory: The Big Picture

Before going into detail, we give you a general picture of Active Directory. After you learn the concepts introduced in this chapter, you can freely skip some later chapters that you might not be interested in. However, we encourage you to browse through the table of contents of any such chapter to make sure that you are not going to unintentionally miss anything important.

Chapter 2: Installation of Windows 2000 and Active Directory

In this chapter, we explain how to install both Windows 2000 and Active Directory. We also describe the post-installation tasks, as well as how to automate and troubleshoot installation.

Chapter 3: Managing OUs, Users, and Groups

Once you have an Active Directory domain up and running, one obvious task is to create a user account for each user and plan how to enhance user administration by using groups and organizational units (OUs). This chapter looks at managing OUs, users, contacts, groups, and computer objects, and covers some related topics.

Chapter 4: Securing Active Directory

Active Directory has an access control mechanism that enables you to define who can read or modify what information in Active Directory. In this chapter, we explain the concepts and architecture of access control, as well as how to manage permissions in various scenarios.

Chapter 5: Sites and Replication

For Active Directory to work efficiently when your network spans multiple geographic locations, you must plan and implement the physical structure and define it in Active Directory itself. In this chapter, we describe the concepts, management, and advanced topics of the physical structure. Some of the content is also relevant for a company with just one site.

Chapter 6: Domains and Forests

Active Directory has several levels of hierarchies that you can use to implement an effective logical structure for your company network. In this chapter, we discuss whether you should use one or many domains and one or many forests, and how you should plan and manage that logical structure. We also revisit the physical structure, because it somewhat overlaps with the logical structure. In addition, we explain the anatomy of LDAP searches.

Chapter 7: Group Policy

Active Directory has an extensive management architecture called "Group Policy." You can use Group Policy to manage user desktops and server settings, as we describe in this chapter. You learn the architecture, inheritance, and processing of Group Policy in this chapter.

Chapter 8: Active Directory Schema

This chapter examines the Active Directory data model and how it is enforced by the rules of the schema. After reading this chapter, you'll better understand how Active Directory works behind the scenes and you'll also gain knowledge that you can use if you are going to extend the schema.

Chapter 9: Extending the Schema

One of Active Directory's advantages over Windows NT is that you can extend the Active Directory schema, either to accommodate directory-enabled applications or for some administrative purpose. In this chapter, we explain the considerations for extensions and describe the process itself.

Chapter 10: Administration Scripts: Concepts

By downloading scripts from the Internet or writing your own scripts and executing them, you can greatly enhance and automate administration. In this chapter we explain how to get started with technologies such as Windows Script Host (WSH), VBScript, and Active Directory Service Interfaces (ADSI).

Chapter 11: Administration Scripts: Examples

In this chapter, we present over 50 sample scripts along with their explanations. The output of many of the scripts provides architectural information about Active Directory, and you can run those scripts without understanding what each line does. Therefore, you can use these scripts not only for various administrative tasks, but also to gain more knowledge about Active Directory. This chapter also introduces some additional scripting concepts, such as ActiveX Data Objects (ADO), between the sample scripts.



Table of Contents

Preface

About the Authors

Acknowledgments

PART I: BACKGROUND SKILLS

Chapter 1
Active Directory: The Big Picture

Introduction to Active Directory

A Brief Description

The First Look at Active Directory

History

Previous Microsoft Network Operating Systems

The History of Directories

The History of Windows 2000

Active Directory Compared to Windows NT

Active Directory Compared to NDS

A Sample Company

Basic Building Blocks

Domain Controllers

Domains

Trust Relationships

Organizational Units and Other Objects

Groups

Sites

Replication

Global Catalog

Hierarchies

Single Domain with No OU Structure

OU Tree in a Single Domain

Domain Trees

Domain Names

Forest of Domain Trees

DNS Integration

Locating Computers and Services

Dynamic DNS Updates

Security and Policies

Access Control

Inheritance

Delegation of Administration

Group Policy

Architecture

Data Model

The Schema

Extending the Schema

Container and Leaf Objects

Partitions

Naming Objects

The X.500 Standards

LDAP

LDAPv3 Specifications

LDAPv3 Operations

Physical Architecture

ADSI

Kerberos Authentication

Public Key Infrastructure

Other Features

Virtual Containers

Publishing

Connecting to the Internet

Active Directory’s Current Limitations

No Forest Changes

Domain Nature

Other Limitations

Some Differences from NDS

The Next Version of Active Directory

Conclusion

Chapter 2
Windows 2000 Installation

Before You Install Windows 2000

Decisions That Cannot Be Reversed

Dual Booting

Requirements and Recommendations

Hardware Compatibility

Preparation

Installing Windows 2000

Starting Installation

The Setup Program

Installing Windows 2000 from the CD

Installing Windows 2000 from a Network

Using Alternative Drivers

Selecting an Installation Partition

The Setup Wizard

Components to Install

Date and Time Settings

Installing and Configuring a Network

Finalizing the Setup

Upgrading Your Operating System

After You’ve Installed Windows 2000 Server

Installing Windows 2000 Professional

Installing Active Directory

Requirements and Recommendations

Creating Domains, Trees, and Forests

Before Installation

The Installation Process

After Active Directory Installation

Verifying the Installation

Removing the DNS Root Domain and Configuring a Forwarding Address

Creating a Forward Lookup Zone and Enabling Dynamic Updates

Creating a Reverse Lookup Zone and Enabling Dynamic Updates

Other DNS-Related Tasks

Other Post-Installation Tasks

Automating Installation

Automating Windows 2000 Installation

Answer Files and the Setup Manager Wizard

Duplicating Disk Images

Using SysPart

Using a Bootable CD

Automating Active Directory Installation

Troubleshooting Installation

Incompatible Devices

Problems with ACPI

Incorrectly Detected Devices

Problems with Active Directory Installation

Recovery Options

Safe Mode

Recovery Console

Installing and Starting the Recovery Console

Using the Recovery Console

Uninstalling Windows 2000 and Active Directory

Uninstalling Windows 2000

Uninstalling Active Directory

Automating Active Directory Uninstallation

Conclusion

PART II: CORE SKILLS

Chapter 3
Managing OUs, Users, and Groups

Active Directory after Installation

Predefined OUs and Other Containers

Why These Containers?

Predefined Users

Predefined Groups

Predefined Built-in Local Security Groups

Predefined Groups in the Users Container

Predefined Computer Objects

Changing the Domain Mode

Administering OUs

Features of OUs

Managing OUs

Creating OUs

Setting OU Properties

Moving, Renaming, and Deleting OUs in a Tree

Planning OUs

Administering Users and Contacts

Creating Users

UPN Suffixes

Creating Contacts

Setting User and Contact Properties

Significant Properties of a User Object: The Account Tab

Significant Properties of a User Object: The Profile Tab

Significant Properties of a User Object: The Dial-in Tab

Informational Properties of Users and Contacts

Other Operations to Manage Users and Contacts

Copying Users

Moving Users and Contacts

Renaming Users and Contacts

Deleting Users and Contacts

Disabling User Accounts

Resetting User Passwords

Opening Home Pages of Users and Contacts

Sending E-mail to Users and Contacts

Administering Computer Objects

Creating Computer Objects

Setting Computer Object Properties

Other Operations to Manage Computer Objects

Moving Computer Objects

Deleting Computer Objects

Disabling Computer Accounts

Resetting Computer Accounts

Managing Computers

Renaming Computers

Administering Groups

Group Types

Group Scopes

Group Scopes in Mixed Mode

Example of Group Usage

Group Scopes in Native Mode

Built-in Local Groups

Managing Groups

Creating Groups

Changing Group Type or Scope

Managing Group Memberships

The Members Tab of the Group

The Member Of Tab of the Incoming Member

Add Members to a Group Function

Setting a User’s Primary Group

Setting Group Properties

Moving Groups

Renaming Groups

Deleting Groups

Sending E-mail to Groups

Planning Groups

Universal Groups Revisited

Three Group Strategies

Tips on Tools

The Users and Computers Snap-In

Choosing a Domain

Choosing a Domain Controller

Finding Objects and Information

Filter Options

Viewing Advanced Features

Alternative Means to Manage Users and Other Objects

Conclusion

Chapter 4
Securing Active Directory

Introduction to Windows 2000 Security

Background for Active Directory Access Control

Controlling Access

Security Principals

Well-Known Security Principals

Managing Active Directory Permissions

Permission Concepts

Anatomy of ACL Editor Dialog Boxes

Dialog Box A

Dialog Box B

Dialog Box C

Dialog Box D

Summary of the Dialog Boxes

Standard and Special Object Permissions

Standard Object Permissions

Thirteen (or 11) Individual Permissions

Enabling and Using the List Object Permission

The List Object Permission Peculiarity

Extended Rights

Create/Delete Objects of a Certain Class

Permissions for Object Properties

Permissions for Property Sets

Permissions for Individual Properties

Renaming Objects

Permissions in Applications

Inheritance

Choosing If a Child Allows Inheritance

Choosing If a Parent Wants a Child to Inherit

Ownership

Creator Owner

How Permissions Accumulate

Deny Permissions and the Ordering of Permission Entries

Permission Performance

DSACLS

AdminSDHolder Object

Delegation of Control Wizard

Common Tasks

Customizing the List of Common Tasks

Custom Tasks

Default Permissions for Objects

Sources of Default Permissions

Common Features of Default Permissions

Pre-Windows 2000 Compatible Access

Listing Default Permissions

Where Security Principals Have Permissions

Changing Default ACLs

Usage Scenarios for Active Directory Permissions

General Practices

Delegation Scenarios (to Make Changes)

Scenario A: Delegating an OU Tree with Possible Blocking

Scenario B: Delegating an OU Tree without Blocking

Scenario C: Delegating Administration of Group Policy

Scenario D: Delegating Administration of Certain Objects (Such As Users)

Scenario E: Control over Noninformational Aspects

Scenario F: Cross-Object Permissions to Carry Out a Function

Scenario G: Administering Informational Properties

Scenario H: User’s Own Informational Properties

User Scenarios (to See Properties)

Auditing Active Directory Access

Adding Auditing Entries

Turning On Auditing

Viewing Audit Records

Access Control Architecture

Processes and User Accounts

Impersonation and Delegation

SIDs

Access Tokens

Security Descriptors

ACE Contents

ObjectType Field

Adding Extended Rights

Property Sets

User Rights

User Rights Categories

Logon Rights

Normal Privileges

Advanced Privileges

Fixed Rights

Active Directory Permissions Instead of Rights

Assign User Rights

Add Workstations to Domain

Applying User Rights

Brief Introduction to Group Policy

Modifying User Rights for Domain Controllers

Modifying User Rights for Member Servers and Workstations

Conclusion

Chapter 5
Sites and Replication

Concepts of the Physical Structure

Why Replication?

Nature of Active Directory Replication

Partitions and Replicas

Overview of the Replication Process

Overview of Replication Topologies

Sites

Overview of Intrasite and Intersite Replication

Change Notification

Scheduled Replication

Site Link Bridges

Urgent Replication

Nonreplicating Properties

Global Catalog

Overview of Operations Masters

Managing the Physical Structure

Active Directory Objects for Sites and Replication

The Big Picture of Objects

The Sites and Services Snap-In

Test Environment

Tasks in Managing the Physical Structure

Setting Up a Single Site

Setting Up Multiple Sites

Administering Sites

Using the Default-First-Site-Name Site

Creating and Managing Subnet Objects

Creating and Managing Site Objects

Moving and Managing Server Objects

Managing NTDS Settings

Promoting a Domain Controller to Be a Global Catalog Server

Creating and Managing Site Links

Managing Licensing Computers

Removing Domain Controllers

Monitoring and Diagnosing the Physical Structure

Replication Permissions

Advanced Topics

Intrasite Replication Topologies

Replication Ring

Drawing the Replication Ring

Connection Objects

As the Ring Grows

In Transition

Several Partitions

Global Catalog Replication

Intersite Replication Topologies

Inter-Site Topology Generator

Site Links and the Topology

Site Link Costs

Intersite Topology of One Domain

Preferred Bridgehead Servers

Managing Bridgehead Server Failures

Intersite Topologies of Several Partitions

Intersite Global Catalog Replication

Creating and Managing Site Link Bridges

Creating and Managing Connection Objects

Reciprocal Replication

Using Change Notifications in Intersite Replication

Site Options

Configuring SMTP Replication

The Replication Process

Background

Update Sequence Numbers

Replication Metadata

High-Watermark Vectors

Up-To-Date Vectors

Collisions

Tombstones

Time Synchronization

Time Convergence Hierarchy

Controlling the Time Service

Time Synchronization Process

Managing Operations Masters

Schema Master

Domain Naming Master

RID Master

PDC Emulator

Infrastructure Master

Operations Master Placement

Transferring Operations Master Roles

Managing Operations Master Failures

Seizing Operations Master Roles

Conclusion

Chapter 6
Domains and Forests

Domain Controller Placement

Active Directory Network Traffic

Windows 2000 Client Logon Traffic

Active Directory Replication Traffic

LDAP Client Traffic

Determining the Placement of Directory Information

Looking at All Sites and Domains Together

Looking at a Single Site and Domain

Looking at Global Catalog Server Placement

Designing Domains and Forests

Single or Multiple Domains and Forests

Single or Multiple Domains

Multiple Domains Because of Units of Administration

Multiple Domains Because of Units of Policy

Multiple Domains Because of Units of Replication

Multiple Domains Because of Existing Windows NT Domains

Nonreasons to Create Multiple Domains

Branch Office Environment

Costs of Additional Domains

Single or Multiple Forests

Number of Schemas

Number of Forest Configurations

Number of Global Catalogs

Complete Trust Area

Other Reasons for Multiple Forests

Other Costs of Additional Forests

Forest Planning Considerations

The Three Faces of a Forest

Shortcut Trusts

The Forest Root Domain

An “Empty” Forest Root Domain

A Nonempty Forest Root Domain

Various Roots

Managing Domains and Forests

Managing Trusts

Trusted Domain Objects

Viewing Trusts

Verifying Trusts

Creating Explicit Trusts

Foreign Security Principals

Moving Objects in a Forest

MoveTree Features

MoveTree Limitations

Moving Groups

Using MoveTree

Managing Groups and Permissions in a Forest

Predefined Administrative Groups in a Forest

Predefined User Groups in a Forest

Group Member and Permission Assignments in a Forest

Referrals and Cross-References

Cross-Reference Objects

Creating External Cross-References

Delegating Domain Installation

Delegating Domain Controller Installation

LDAP and Searches

LDAP Searches

Property Lists

LDAP Search Filters

Specifying Values

Multidomain Searches

Continuation References

Search Tools

The LDP Tool

Extended LDAP Controls

Listing Deleted Objects

LDAP Data Interchange Format

LDIF Files to Describe Content

Base64 Encoding

LDIF Files to Describe Changes

Conclusion

Chapter 7
Group Policy

Group Policy Concepts

MMC Group Policy Snap-In

NT 4 System Policy Compared to Windows 2000 Group Policy

Group Policy Contents

Computer versus User

Software Settings

Scripts

Security Settings

Account Policies

Local Policies

Event Log

Restricted Groups

System Services

Registry

File System

Public Key Policies

IP Security Policies

Administrative Templates

Other Policies

Folder Redirection

Remote Installation Services

Internet Explorer Maintenance

Group Policy Objects and Links

Group Policy Objects

Local Group Policy Object

Group Policy Links

Scope of Group Policies

Inheritance

Solving Conflicting Policy Settings

Blocking Inheritance

Forcing Group Policy

Filtering Group Policies with Groups

Processing Group Policy

Processing Basics

Processing Group Policy Periodically

Manual Refresh of Group Policy

Slow Link Processing

Loopback Processing

Group Policy Processing in Detail

Determining Effective Group Policies

Managing Group Policies

Group Policy Dialog Box

Target Domain Controller for Group Policy Operations

Creating GPOs

Editing GPOs

Managing GPO Links

Disabling Parts of GPO or GPO Links

Deleting GPOs

Backing Up Group Policy

Delegating Management of GPOs

Creating an MMC Console for a Delegated GPO

Delegating Local Group Policy

Additional Tools

Software Management with Group Policy

Windows Installer

Creating Windows Installer Packages

Deploying Software with Group Policy

Published versus Assigned Application

Deploying Non-MSI Packages

Upgrading Applications

Patching Applications

Removing Applications

Troubleshooting Group Policy

Logging Group Policy Events

Detailed Logging

Resource Kit Tools for Group Policy

Group Policy Results

Group Policy Objects

Replication Monitor

Group Policy Migration

Group Policy Reference

FAZAM 2000 RFV

Group Policy Scenarios

Advanced Topics

Registry-Based Settings for Group Policy Processing

Client-Side Extensions

Registry Settings for Group Policy History

Default Permissions for GPOs

Slow Link Detection Algorithm

Conclusion

PART III: ADVANCED SKILLS

Chapter 8
Active Directory Schema

Overview of the Active Directory Data Model

Classes, Objects, and Attributes

Container and Leaf Objects

Indexing and the Global Catalog

Schema

Role of the Schema

Location of the Schema

The Physical Location of the Schema

The Logical Location of the Schema

Inspecting the Schema with ADSI Edit

Inspecting Attributes of Classes and Attributes

Various Attribute Names

Inspecting the Schema with the Schema Manager Snap-In

Dumping the Schema to a Spreadsheet

Subschema Subentry

Schema Cache

Triggering the Schema Cache Update

Constructed Attributes

Classes

Names and Identifiers

Object Identifiers

Obtaining a Base OID

Structure and Containment Rules

Class Inheritance

User Class Example

Class Categories

Miscellaneous Characteristics of Classes

ShowInAdvancedViewOnly

Category 1 and 2 Schema Objects

Object Category

Security Descriptor Definition Language

ClassSchema Object Property Pages

Attributes and Syntaxes

Names and Identifiers

Linked Attributes

Syntax and Content Rules

Syntax Choices

Multivalued Attributes

Searches

Ambiguous Name Resolution

Miscellaneous Characteristics for Attributes

AttributeSchema Object Property Pages

Conclusion

Chapter 9
Extending the Schema

When and Why to Modify

Guidelines

What Data to Put in Active Directory

Planning the Modifications

Creating a Class

Modifying a Class

Creating an Attribute

Modifying an Attribute

Deactivating Classes and Attributes

Restrictions on Deactivation

How to Deactivate

How Deactivated Classes and Attributes Behave

Reactivating Classes and Attributes

The Modification Process

Order of Tasks

Enabling Schema Modifications

The Means to Make Changes

The Schema Manager Snap-In

Creating and Modifying Attributes

Creating and Modifying Classes

ADSI Edit

LDIFDE

CSVDE

An Installation EXE File

Some Gotchas in Changing the Schema

Schema Replication

Concurrency Control

Bringing the Extensions to the User Interface

Where to Place the New Objects

Managing Permissions

Managing Permissions for Individual Attributes

Using Property Sets

Creating and Displaying the Objects

Display Specifiers

Testing to Change the Displays

Adding the Menu Definitions

Creating and Testing a Batch File

Creating and Testing a VBScript Script

Extending the User Class

Planning the Extensions

Implementing the Extensions

Managing the Attribute Values

Adding a Script to the Context Menu

Searching on the New Attributes

Managing the Attribute Permissions

Conclusion

Chapter 10
Administration Scripts: Concepts

Getting Started

The Script Execution Environment

The WSH Environment

The VBScript Language

The ADSI Interface

Launching WSH Scripts

Script File Types

WScript versus CScript

Testing with a Small Script

Controlling WSH Scripts

Command-Line Options

Script Settings

Killing a Script

Setting Up the Development Environment

Getting a Script Editor

Getting the Help Files

Sources of Additional Information

VBScript Language

Dissecting a Sample Script

The First Sample (Normal)

The Second Sample (Short)

The Third Sample (Very Short)

ADSI Concepts

Basic ADSI

ADSI Operations

A Sample ADSI Script

LDAP Binding Strings

Using rootDSE

Basic COM

The Property Cache

Between the Property Cache and Active Directory

Between Your Script and the Property Cache

Handling Special Data Types

Single-Valued and Multivalued Properties

ADSI Interfaces

The List of ADSI Interfaces

The IADs Interface

The IADsContainer Interface

The IADsUser Interface

The IADsGroup Interface

ADSI Syntaxes

Additional Techniques

Ways to Input and Output Information

Using Executables from Scripts

Using COM Components

Using the Win32 API

Debugging Scripts

Debugging with Extra Output Commands

Microsoft Script Debugger

Including Script Lines from Another File

Conclusion

Chapter 11
Administration Scripts: Examples

ADSI Examples

User Management

List the Users of One Container.vbs

List the Users of One Container to Excel.vbs

List the Property Cache Contents.vbs

Property Cache Interfaces

The List the Property Cache Contents Sample Script

List User Properties with Get.vbs

List User Properties with Methods.vbs

List the Account Options of a User.vbs

Create a User with Minimum Attributes.vbs

Create a User with More Attributes.vbs

Create a User with a Batch File.bat

Create a Home Folder for a User - Ver 1.vbs

Create a Home Folder for a User - Ver 2.vbs

Read User Information from Excel.xls

Read User Information from Standard Input.vbs

About Standard I/O

The Read User Information from Standard Input Sample Script

Schema Access

Concepts

Properties of the Abstract Schema Objects

Retrieving the Path to an Abstract Schema Class Object

Schema Sample Scripts

List All Abstract Schema Objects.vbs

List the Member Attributes of a Given Class.vbs

List the Member Attributes of a Given Class to Excel.vbs

Show Property Properties.vbs

Container or Leaf.vbs

List All Real Schema Objects.vbs

List Indexed Attributes.vbs

List ANR, Nonreplicated, and Constructed Attributes

List Global Catalog Attributes.vbs

List All classSchemas to Excel.vbs

List All attributeSchemas to Excel.vbs

Create an Attribute and a Class.vbs

Configuration Information

List the Supported Namespaces.vbs

List Attribute Display Names.vbs

List the DC GUIDs.vbs

List the rootDSE Property Cache.vbs

List the GPO GUIDs.vbs

List the Operations Masters.vbs

Changing an Operations Master

List the Operations Masters with ADsFSMO.vbs

List ADSystemInfo.vbs

Access Control Lists

Security Interfaces

The Access Control List Sample Scripts

List ACEs - Short.vbs

List ACEs to Excel - Short.vbs

List Binary GUIDs.vbs

List ACEs - Long.vbs

Using Regular Expressions to Convert the GUID

Add ACEs.vbs

Knowing What to Add

The Add ACEs Sample Script

Order of ACEs

Defining Trustees

Using the Generic Permissions

Add ACEs to a Folder.vbs

OU, Group, and Computer Management

OU Management

Creating an OU

Deleting an OU

Moving Users of One OU to Another

Deleting Objects of One OU

Group Management

Create a Group.vbs

Deleting a Group

Add Users of One OU to a Group.vbs

Create a Computer Object.vbs

ADSI without Active Directory

List Services.vbs

List Users, Groups, and Print Queues

List Shares.vbs

Create a Share.vbs

List WinNT Properties of User Class.vbs

Create a User in a Workstation.vbs

Additional Techniques

Binding with Credentials

Binding with WKGUIDs

Bind to a WKGUID.vbs

Rename-Safe Binding to Other Objects

Binding to the Global Catalog

List the Users of a Subtree.vbs

Error Checking.vbs

Error Mechanics

Error Categories

The Error Checking Sample Script

Scripts As Command-Line Tools

CmdTool.vbs

Using ADO

ADO Concepts

ADSI versus ADO

ADO Mechanics

Basic Example.vbs

The LDAP Search String

Basic Example with SQL.vbs

Modifying Objects.vbs

Multipartition Queries

Using the Global Catalog

Referral Chasing

Additional Settings

The Connection Object Properties

Search Options As Command Object Parameters

List Objects That Have Blocked ACL Inheritance.vbs

Conclusion

Bibliography

Index

List of Tables

Table 1.1: Windows NT versus Active Directory
Table 1.2: NDS Compared to Active Directory
Table 1.3: Syntaxes of Active Directory Names
Table 1.4: X.500 Standards
Table 1.5: LDAPv3 Specifications
Table 1.6: LDAPv3 Operations

Table 2.1: File Systems Supported by Windows 2000
Table 2.2: Hardware Requirements and Recommendations for Windows 2000 Server
Table 2.3: Important WINNT Switches
Table 2.4: Important WINNT32 Switches
Table 2.5: Windows 2000 Server Components
Table 2.6: Windows 2000 Server Upgrade Considerations
Table 2.7: Steps during Active Directory Installation
Table 2.8: Sample Configuration Used in This Book
Table 2.9: Windows 2000 Safe Mode Options
Table 2.10: Windows 2000 Recovery Console Commands

Table 3.1: The Predefined Containers in Active Directory
Table 3.2: The Predefined User Accounts in Active Directory
Table 3.3: The Predefined Built-in Local Security Groups
Table 3.4: The Predefined Groups in the Users Container
Table 3.5: End-User Memberships
Table 3.6: Properties of an OU Object
Table 3.7: The Nature of User and Contact Objects
Table 3.8: Name Properties of a User Object
Table 3.9: Significant Properties of a User Object: The Account Tab
Table 3.10: Significant Properties of a User Object: The Account Options
Table 3.11: Significant Properties of a User Object: The Profile Tab
Table 3.12: Informational Properties of User and Contact Objects
Table 3.13: Properties That Are Copied When Users Are Copied
Table 3.14: Comparing Domain Controllers and Other Computer Objects
Table 3.15: Name Properties of a Computer Object
Table 3.16: Properties of a Computer Object
Table 3.17: The Nature of Security and Distribution Groups
Table 3.18: Name Properties of a Group Object
Table 3.19: Symbol Letters for Group Names
Table 3.20: Properties of a Group Object
Table 3.21: The Extra Costs Related to Universal Groups

Table 4.1: Rights and Permissions Needed to Administer and Use Windows 2000
Table 4.2: Security Principal Types
Table 4.3: Well-Known Security Principals
Table 4.4: Overview of Permissions
Table 4.5: Parts of Dialog Box A (“Basic”)
Table 4.6: Elements of Dialog Box B (“Advanced”)
Table 4.7: Elements of Dialog Box C
Table 4.8: Permissions for a User Object by Categories
Table 4.9: Dialog Box A Permissions for a User Object by Category
Table 4.10: Dialog Box A Permission Mappings to Dialog Box C
Table 4.11: Special Object Permissions for Any Object Class
Table 4.12: Extended Rights for User Objects
Table 4.13: Extended Rights for Other Classes
Table 4.14: Base Schema Property Sets
Table 4.15: Property Sets: General Information
Table 4.16: Property Sets: Personal Information
Table 4.17: Property Sets: Public Information
Table 4.18: Property Sets: Remote Access Information
Table 4.19: Property Sets: Account Restrictions
Table 4.20: Property Sets: Logon Information
Table 4.21: Property Sets: Web Information
Table 4.22: Names of Object-Naming Properties
Table 4.23: Delegation of Control Wizard Common Tasks
Table 4.24: Inheritable Default Permissions for the Domain Object
Table 4.25: Noninheritable Default Permissions for the Domain Object
Table 4.26: Default Permissions for the Users and Computers Containers
Table 4.27: Default Permissions for the Domain Controllers OU
Table 4.28: Default Permissions for the First Domain Controller in the Domain Controllers OU
Table 4.29: Default Permissions for a New OU in a Domain
Table 4.30: Default Permissions for a New Contact or a New Shared Folder in a New OU
Table 4.31: Default Permissions for a New Group in a New OU
Table 4.32: Default Permissions for a New User in a New OU
Table 4.33: Permissions of Typical Security Principals
Table 4.34: Parts of a SID
Table 4.35: Identifier Authorities
Table 4.36: NT Authority SIDs
Table 4.37: Parts of a Security Descriptor
Table 4.38: Fields of an ACE
Table 4.39: ACE AccessMask Bits
Table 4.40: ACE AceFlags Bits
Table 4.41: ACE Flags Bits
Table 4.42: ACE AceType Bits
Table 4.43: How the ObjectType Field Identifies a Permission Target
Table 4.44: Logon Rights: Default Assignments for Domain Controllers
Table 4.45: Normal Privileges: Default Assignments for Domain Controllers
Table 4.46: Normal Privileges: Differing Default Assignments for Member Servers
Table 4.47: Advanced Privileges: Default Assignments for Domain Controllers
Table 4.48: Some Fixed Rights Assignments for Domain Controllers

Table 5.1: Active Directory Partition Types
Table 5.2: Replicas of an Active Directory Sample Forest
Table 5.3: Number of Domain Controllers in Each Domain and Site of a Forest
Table 5.4: Comparison of Intrasite and Intersite Replication
Table 5.5: Urgency Levels of Active Directory Replication
Table 5.6: Operations Masters
Table 5.7: Active Directory Objects for Sites and Replication
Table 5.8: Tasks for Setting Up a Single Site
Table 5.9: Tasks for the Default Site and Site Link
Table 5.10: Tasks for Additional Sites and Site Links
Table 5.11: Advanced Tasks for Setting Up Multiple Sites
Table 5.12: Tasks for Administering Sites
Table 5.13: Tools to Diagnose Replication
Table 5.14: Transport Protocols for Replication
Table 5.15: Options Property Bits of Site Links
Table 5.16: Options Property Bits of Connection Objects
Table 5.17: Options Property Bits of NTDS Site Settings
Table 5.18: Functions of the Active Directory Replication Process
Table 5.19: A Newly Created Object on DC1
Table 5.20: A Replicated Object on DC2
Table 5.21: A Change to a Property on DC2
Table 5.22: A Changed Property Replicated Back to DC1
Table 5.23: The High-Watermark Vector of DC1
Table 5.24: The Up-To-Date Vector of DC1
Table 5.25: USN of Each DC and Vectors of DC1: Initial State
Table 5.26: USN of Each DC and Vectors of DC1: Step 1
Table 5.27: USN of Each DC and Vectors of DC1: Step 2
Table 5.28: USN of Each DC and Vectors of DC1: Step 3
Table 5.29: USN of Each DC and Vectors of DC1: Step 4
Table 5.30: How Active Directory Handles Collisions
Table 5.31: Placement Rules for Operations Masters
Table 5.32: Placement Rules for Operations Masters in a Multidomain Forest
Table 5.33: How to See or Transfer the Role Owner
Table 5.34: Impact of Different Operations Master Failures

Table 6.1: Replication Traffic Amounts When Creating New Objects
Table 6.2: Per-Domain and Per-Forest Features
Table 6.3: Trust Types
Table 6.4: Properties of Cross-Reference Objects
Table 6.5: SystemFlags Property Bits of Cross-Reference Objects
Table 6.6: Permission Modifications for Delegating Child Domain Installation
Table 6.7: Permission Modifications for Delegating Domain Controller Installation
Table 6.8: The Main Parameters of an LDAP Search
Table 6.9: LDAP Search Filters
Table 6.10: The Escape Sequences in LDAP Search Filters
Table 6.11: Extended LDAP Controls of Active Directory
Table 6.12: LDIF Operations
Table 6.13: LDIF Modify Operations

Table 7.1: NT 4 System Policy Compared to Windows 2000 Group Policy
Table 7.2: Summary of Group Policy Contents
Table 7.3: Default Template Files in %SystemRoot%\Inf
Table 7.4: Important Properties of a Group Policy Container
Table 7.5: Processing Group Policies
Table 7.6: Slow Link Processing Options
Table 7.7: Settings Used in Sample Scenario for Determining Effective Group Policy Settings
Table 7.8: Default Group Policy–Related MMC Consoles
Table 7.9: Groups with Permissions to Link GPOs
Table 7.10: Comparison of Published and Assigned Applications
Table 7.11: Registry Values for Starting Detailed Logging
Table 7.12: Registry-Based Settings for Group Policy Processing for Computer Objects
Table 7.13: Registry-Based Settings for Group Policy Processing for User Objects
Table 7.14: Client-Side Extension GUIDs and DLLs
Table 7.15: Group Policy History Registry Values
Table 7.16: Default Permissions for GPOs

Table 8.1: Uses of the Schema
Table 8.2: Inside Uses of the Schema
Table 8.3: Various Attribute Names
Table 8.4: Some Confusing Name Pairs
Table 8.5: Attributes of a classSchema Object
Table 8.6: Name and Identifier Attributes of a classSchema Object
Table 8.7: Microsoft Active Directory OIDs
Table 8.8: Structure and Containment Attributes of a classSchema Object
Table 8.9: Class Inheritance Attributes of a classSchema Object
Table 8.10: Class Categories
Table 8.11: Miscellaneous Attributes of a classSchema Object
Table 8.12: Default ACEs for a Group Object
Table 8.13: SDDL Permissions
Table 8.14: Attributes of an attributeSchema Object
Table 8.15: Some Name and Identifier Attributes of an attributeSchema Object
Table 8.16: Syntax and Content Attributes of an attributeSchema Object
Table 8.17: Syntaxes for Simple Data Types
Table 8.18: Syntaxes for String Data Types
Table 8.19: Syntaxes for Time Data Types
Table 8.20: Syntaxes for Reference Data Types
Table 8.21: oMObjectClass Values for “127” Syntaxes
Table 8.22: Search Attributes of an attributeSchema Object
Table 8.23: SearchFlags Bits
Table 8.24: Miscellaneous Attributes of an attributeSchema Object
Table 8.25: SystemFlags Bits

Table 9.1: Attributes of a New classSchema Object
Table 9.2: ClassSchema Object Attributes That Can Be Changed
Table 9.3: Attributes of a New attributeSchema Object
Table 9.4: AttributeSchema Object Attributes That Can Be Changed
Table 9.5: Means to Modify the Schema
Table 9.6: The Schema Manager Snap-in and the Attributes of an attributeSchema Object
Table 9.7: The Schema Manager Snap-in and the Attributes of a classSchema Object
Table 9.8: Display Specifier Attributes

Table 10.1: WScript and CScript Comparison
Table 10.2: Host Options for CScript and WScript
Table 10.3: WSH Script Settings
Table 10.4: Ways to Read and Write the Property Cache
Table 10.5: Get versus GetEx
Table 10.6: The Four Modes of PutEx
Table 10.7: Put versus PutEx
Table 10.8: Relevant ADSI Interfaces
Table 10.9: Properties of the IADs Interface
Table 10.10: Properties of the IADsContainer Interface
Table 10.11: Methods of the IADsContainer Interface
Table 10.12: Static Property Methods of the IADsUser Interface
Table 10.13: Methods of the IADsUser Interface
Table 10.14: Methods of the IADsGroup Interface
Table 10.15: Syntaxes and Data Types
Table 10.16: OLE Automation Data Types and Corresponding Active Directory Syntaxes

Table 11.1: The Two Ways to Access the Schema with ADSI
Table 11.2: Relevant Properties of the Abstract Schema Classes (IADsClass Interface)
Table 11.3: Properties of the Abstract Schema Properties (IADsProperty Interface)
Table 11.4: Name Formats to Use in the Trustee Property
Table 11.5: Generic Permission Mappings to Special Permissions
Table 11.6: ADSI and ADO Comparison
Table 11.7: The LDAP Search String Contents
Table 11.8: Search Options

Last modified 07/22/07