Smart Index of the Inside Active Directory Book

Inside Active Directory, ISBN 0321228480, publisher Addison-Wesley
Authors Sakari Kouti and Mika Seitsonen


Even with a good printed index at the end of a book, it is often difficult to track all the sections where a given topic is discussed or mentioned. Our Smart Index of the 2nd Edition (AD2003) solves this problem. It contains essentially all of the text in the entire book, except:

  • To make the file smaller, all instances of 181 unnecessary "noise words" were removed (see a list).

  • We cannot give away the book contents on a Web page, so each word under a given heading appears only once (this also makes the file smaller), and the words are sorted alphabetically.

  • The text in any figures (drawings or screen shots) is not included.

Note that each word is independent, so any phrase such as "global catalog" is not maintained, and "catalog" and "global" appear independently in the list. Also, any punctuation is considered a word delimiter, so "HKEY_LOCAL_MACHINE" is actually three words: "HKEY", "LOCAL", and "MACHINE".


You can search for any word using your browser's Find feature. This way you can find all the locations where objectGuid, for example, is mentioned in the book.

Chapter 1
Active Directory: The Big Picture

500 2000 2003 access active ad2000 ad2003 address architecture authentication basic big blocks brief building built catalog chapters comparison concepts container containers control controllers data dcs definitions delegation depth differences directory directory’s discuss dns domain domains dynamic explanation fits forests frame gc global group groups hierarchies history include including infrastructure inheritance interest introduce introduction kerberos key ldap leaf lightweight limitations major model name naming nds noninclusive novell novell’s nt object objects organizational ou ous overview partitions picture pki policy presentation programmatic protocol provides public publishing read reference relationships replication schema server services sites system topic topics trees trust units updates windows virtual

Introduction to Active Directory

access according account active adds administrators anyone anything application computer configuration contact database directory distributed domain entities find folders group helps manage models network nt objects optimized permissions printers provide providing purpose qualify rather relational relatively replaces represented resources scalable server service services shared simple sql static store storing ultimate user users wealth windows

A Brief Description

20 2000 2003 access according accordingly accounts act active addition additionally address administration administrators affect affects afterward allow allowance allows anything application applications applied appropriate approval area aspect aspects assisting attributes available book build building call card categories characterize check choose client code codes com companies company computing concept configuration configure configured connection consequently consider consistency consistent contains content continents control controller controllers controlling controls copied creating criteria customers data date deas definitions delegate delegated den describe design desired desktop desktops device devices directory dispersed distributed doing domain done door during effective efficient else employees enable enabled enforces enterprise environment extranets face faces falls fault faxing file finally find fit foundations general geographically globally granular group guaranteed having head help hierarchical hierarchies high highly identical important including informational infrastructure inside interesting intranets itself jack’s key lan large ldap levels likely lives local located location log logon loose lower main maintain manage management managing minute minutes model modify month name necessary needs network networking networks nt objects offer office offices open optimization organization out part partitions parts password perhaps periodically permissions permitted piece place point points policies possibly postal printers programmed protocol provide provides proximity publish put reach read reads reference refreshed relatively relevant remaining reside resources restrictions result rpc rules s satellite scalability scalable search searches secure security server servers services settings significant sized smart somewhere specific specified specify sql standards static still store storing structure system take talk tasks technical technologies terms time tolerance try typed types understand useful user users users’ various ways verified very while view windows winsock within work write

The First Look at Active Directory

2000 2003 active adjacent administrator administrator’s among available basic browse browsing contact contacts contain contents copying directory directory’s enable exactly explained file folder folders group groups interface left meant my navigation network newer objects open opens others ou pane part places practice screen search sees server she shot show similar small structure time tree typically user user’s users versions view views windows xp


2000 2003 active development directories directory explore history including latest line long look microsoft microsoft’s network nos operating previous products review server systems vendors windows

Previous Microsoft Network Operating Systems

51 1988 1989 1990 1993 1994 1995 1996 1997 1998 2000 2003 1980s agreed became before beginning brought cooperation develop developed developer developing development disk dos early efforts encouraged ended especially finally focused gain gradually had hadn’t huge ibm integrated interfaces jointly june lan launch major manager march microsoft microsoft’s momentum ms name net network nos nt operating os owner pack packs parallel plus popular presentation product programming published released separate server service shipped simultaneously since sole started subsequent success system truly understandably until user version versions while windows work years

The History of Directories

40 500 1487 1777 1988 1992 1993 1995 1996 1997 1998 2000 2003 2251 1980s accessing account active ad2000 ad2003 address allows announced anything banyan before being bigfoot bindery book call catalogs chronology com comments commercial companies computer concentrate contact contain currently databases developers directories directory discuss era examples exchange existed finalized foremost groupwise had history ibm important including indicates international internet iplanet kind kinds lan ldap ldapv1 ldapv2 ldapv3 listed log long lotus mail major manager michigan microsoft milestones nds netscape netware network notable notes now novell nt offered open operating organization others outside owned paper part passwords popular practically product products protocol published purposes real released request rfc rfcs selling server services shipped short software standard standards started store storing streettalk support switchboard system systems telephone university user usernames users verisign version versions whitepages whowhere windows vines yahoo

The History of Windows 2000

500 1990 1991 1993 1996 1997 1998 1999 2000 2003 1990s accompanied active actually advantage allchin among anticipated appointed banyan before began behind benefit beta bill born build burden cairo cairo’s carries choice chronology class code comdex complex computers concept consequently considered consolidate contain couldn’t course current currently definition demonstrated designation develop development did directory distributed domain early enterprise era evolved feature file fingertips forthcoming fresh future gates got guy had he illustrates imagine incorporating industry intensive internet intranet introduced introduces jim joining kerberos keynote launch launched ldap lead least lighter long longer made main maker marketing maturing microsoft microsoft’s models mostly music name named nds needed needs networks nortel northern novell nt nt’s object officer often old oriented originally parallel part passed peaks personal phase picture planned planning platform point preview product professor project public published reasons refer renamed resource rigidity roots run security separate series server service services seven ship shipped show simply specific speech started streettalk successor suitable system teams technologies technology telecom testing themes things time too trade trademark tv twin type understand until wasn’t version versions windows vision years

The History of Windows Server 2003

1993 2000 2001 2002 2003 1990s active actually ad2000 ad2003 adoption again ago anytime approach aspect attended b back balance before beginning brought c causing changed circles code coding company computing concept conferences confusion consider contains corresponding creates current decision default delays deliver deployment derided describes design development didn’t directory dropped dropping during easier easy effort efforts enhance enhanced entire events everything excellent extra fall fast fix focus former functionality gain general get giving guidance hacker had half heat iis improvements increased integral intense internet itself largest late launched lead little made maintain manifested market massive materialized maturation maturity mentioned mere microsoft microsoft’s millennium missed momentum months name necessary net newer none now occurred off often ongoing operating par paragraph participant policy practices press previous product product’s proliferation promote reason reengineering referred regard regarding remarkable respect retrospect sd3 secure security server shipped side similar since situation slightly slow software soon sponsors stance strictly substantially succeeded system taking time times took training turnaround turning understandably users various weaknesses version versions very whistler windows workstation wouldn’t xp year years

AD2003 Compared to AD2000

ad2000 ad2003 afterward assume better briefly changed decisions describe design environment exhaustive goal goals large manageability minimize monitoring pretty principles scalability security skills skip structure valid


20 2000 2003 active ad2000 ad2003 admt admtv2 along available backup cd computer contents controller controllers database directory disk domain domains enables enhancements forest functional groups hours includes initial install installing interforest interim intraforest large latest level levels load locations media migrate migrating migration mixed mode modes native nt objects others passwords provided provides r regardless remote replicated replication require rising save server target tool user users version windows

Domain Management

accounts active add administration among application applications attribute authorization azman basic command commands computer computers contains controllers default delete determined directory domain drag drop ds dsadd dynamically easier editing effective enable enables enhancements filter group group’s groups include inheritance lastlogon lastlogontimestamp ldap line logged manager members membership modify moving msc multiple nonreplicating normal objects parent partition permissions principals queries query quotas read replicated restoring role saving security showing snap tracking types user users windows


0 20 200 2003 access act active ad2000 ad2003 added addition affected algorithm algorithms application area attribute automatically b balancing beneficial branch bridgehead c catalog chunk communicate compress compression control controller controllers cpu data depending directory domain domains drawbacks efficient eliminated especially excellent existed fast finally find forest generator gives global group hardware having hub improved improvement improvements independently inter intersite istg kept large latency least limitation linked links little load lost lvr management maximum member members membership microsoft’s minutes modern modified much multivalued needed network off office out partition partitions percent performance place problem problems progress protocol query ratio reached replica replicated replication reside rpc s scenario scopes server servers since site sites smtp specify still store testing thousands together topology trade value values wan wide windows within worse writing

Global Catalog

ad2000 ad2003 added again applications attribute caches caching catalog cause connection constant contact controller domain during eight exchange find forest full gc gigabytes global group groups having hours large logged logon logons meaning member membership modified mostly much needed network normally occurred out part partial pas processing reduced relieves replicated replication schema server servers subsequently sync turn universal updates user values words

Forest Management

60 access active ad2003 always among application applications attributes authentication b back backups benefits better brought caution com command computers control controller controllers days dc default deleted detection directory dns domain domains during enables enabling except exchange external feature filtering foreign forest forests great green happen her id integrated jill kerberos lan ldp limit lingering log manager name netbios netdom nt ntlm object objects occur offline old older once online operation owners panel partitions principal process really reappears recommended reinstall removal remove rename repadmin replicate restore restoring restructure root routine routing sanao security selective server she sid snap still suffix temporarily tool trust trusts unfortunately upn user users ways whereas windows workstation zone zones


115 145 1510 2000 2003 2829 2830 128mb 16mb ability access account accounts acl active admin affect allows anonymous attacks attribute auditing authenticate authentication center changed channel characters clears clients communications compatibility compatible complex compliance computer computers connections constrained constructed contains controller controllers correct dcpromo decrypting default delegated delegation digest directory distribution domain editor effective efficient encrypted enhanced everyone feature group her inherited items kdc kerberos key keys layer ldap least level local locate log logged logon long makes man maximum md5 member middle network numbering numbers old option password passwords period permission permissions policy pre privileged rather reduce resources rfc run running sasl secure security selected server servers service services settings seven signed signing size smb sp4 system tab thirty time timestamp tls traffic transport update user version whereas windows vulnerability

Group Policy

32 4gb actual addition analyzing application apply aspects backup combined comes console disk download editor effect enables enhanced except filters free gpmc gpo gpos group inheritance installing instrumentation interface least limit manage management microsoft’s multiple objects performed permissions policies policy sample scope scriptable scripts separately settings simulating site snap space specify traditional user web windows wmi workstations

Directory Database

40 2000 active contain database defaults defragmentation directory enables entries gain identical inheritance instance lot manual objects offline once online percent perform permission reduce schema server single sis size storage storing trigger upgrade windows


2798 active ad2003 affected attribute attributeid attributes automatically auxiliary class classes consequently converted data deactivated default defines defunct directory dynamic dynamically easier elapsed freely identifiers inetorgperson interoperability ldapdisplayname linked listed live makes migrating names normal object objects passwords predetermined product products rather removed reuse rfc schema store storing temporary time ttl unicodepwd user userpassword valid versa whole vice

Active Directory Compared to Windows NT

0 10 32 70 200 1kb 4kb account active add administration always amount applies attribute authentication base bdc bdcs bidirectional cases changed classes compatibility compressed container controller data database delegation developed direction directory distribution domain downward engine ese except explain extensible familiar feature folders free global group groups hierarchy intransitive ip item jet kerberos latest least link local master mean member members multimaster multiple needed needs nesting netbios nt ntlm object objects once operator organizational ou part pdc policies policy present privileges properties refer registry reinstalling relationships replicate replicated replicates replication s sam schema scope scopes security server servers settings single sites skip special storage supported system tcp technical time times transitive trust type types units universal user wan version versions versus whole windows within workstations yes

Active Directory Compared to NDS

active ad2003 add administration administrative advantage alias allows appears apply aspects attribute basis better big boundary canonical cases catalog changing close column compared comparison competitive cons context continually country covers criteria current delegation despite developed differences difficult directory disadvantage distracting distribution domain domains drawbacks easier edirectory effective equivalence except exist extensible familiar feature forest forests formerly free functionality gateway get global group groups help hierarchy host impossible included indicates ins invisible ip knowledge ldap learn legacy linked listed local locality mainly mentioned merely merge merged minus minutes mmc mostly much multimaster multiple n names naming native nds needed neither nesting netware newer newest numbers nwadmin object objects once opinion organization ou our ous partition partitions permissions plus policies policy privileges pros purpose rarely rdn relate relative replicas replication result schema scope scopes security sense separate sequence server servers services shipping sign since site skip small snap somewhat special split starting still support synchronized tcp time tool tree trees trusts type typeless types universal update users wan various version versions versus whole visibility visible within works worse writing yes z

A Sample Company

book chapters com company corporation corporations demonstrational depending dns domain domains name needs our present registered sample sanao slightly throughout

Basic Building Blocks

active addition administration basic beginning blocks briefly building catalog controller controllers dc directory domain domains explain global groups help independent installing introduce kinds knows located logical mostly object objects organizational organize physical relationships replicated sections servers sites stands structure trust units

Domain Controllers

2000 2003 active belongs computer controller dcpromo directory domain during exactly install installation itself join joined member option perform promote right running server utility windows workstation


account active acts add administrative administrators admins affect basic blocks boundary building choose com contain control controller controllers directory dns domain domains domainwide except groups hasn’t include items kerberos locations lockout maintained name namespace nt object operators organization outcome part password permissions physical policy preferably reached replicated replication reside rights sales sanao security server settings therefore things time trusts unit user various whole windows words yet

Trust Relationships

15 30 4a 4b 4c access accounts across active actually administration advantage allow architecture arrangement arrows b benefit bidirectional c centralized circles comparable complete complex connect connected consequently contain contained course created define direct directory domain domains draw emphasize enable equal establish everything explicitly far fewer finally forest formula functionality go goes greatly group groups having headed her him intransitive keep large led likely lines look made makes maximum members minimum model models n necessary needed needs neither nor normal nt often organization pair paper permission permissions proper reason reduce relationships required resource resources rotated sense separate six smaller streamline structure symbolized symmetrical tier tiers totally trans transitive tree triangles trust trusted trusts turn unlike user users ways while windows words works

Organizational Units and Other Objects

30 access active addition administration administrative administrator administrators assign automatically below better choice computer computers contains contents control correspond covering created creates criterion delegate delegation directory dispersed domains during easier especially file files finance folder folders forgotten geographically group grouping groupings human implemented impractical include including installation level local locations logical marketing match modify nds network object objects order organizational ou ous passwords perhaps permission permissions physical policies printer printers properties purposes put read reset resources security shared software specific specifying stick store structure system time top tree types unfortunately units useful user users various write zones


able access across active addition additionally administration allow anything application applications approach assign assigned assigning assignments attached avoid b become being boundaries c capable catalog combinations company computers contains control correspond d defined defines depending described determines dictates directly directory distribution domain domains door doors easier easiest easily efficient energy entire everything facilitates feature file follow free freely function giving global go greatly group grouping groups help illustrates indicates individual large leads least let limitations line local logons lose mail managed management member members membership memberships multiple nds nest nesting normally now nt nt’s object old operating others parts path penalty permission permissions point purposes put quickly read recommended related remaining replication represents resource resources save scope scopes security selection servers shouldn’t sites slower something sound strategy system take thicker time track traffic type types universal usage user users valid various versa while vice windows workstations


2000 active addition administrator administrators affect applications areas assign aware clients closest communicate communications compress connections connectivity controllers cost costs cycles data decide decisions define determines dfs directed directory distributed domain efficiently enabled fast file find folders frs functions good group help her intelligent intersite intrasite ip knowledge knows lan lans link links listed locate locations logon mainly makes multiple network offered optimization option parameter physical policies printer printers processor purposes queries replicate replicated replicating replication requests route router routing save search send server servers service she site sites slow subnet subnets system sysvol tcp technically techniques typically uncompressed understand unless user users wan wants vendor why windows world


15 30 2000 2003 accessing accounts achieves across active add adding addition address administrator admins advantage against allowed alternatively always among application appropriate arranging authentication automated average b backup bad balancing base bdcs behind benefit bit builds c call care chain changed choose clock clocks communicate compresses configuration connections consequences contains controller controllers copying creation current d data database date default delays describing determine difficult direct directory disastrous domain domains domainwide down emulator ensures enterprise entire environments equal especially explained failure fall fashion fault feasible fix flexible forest forestwide fsmos functions get good had having held hop hops hour hours identifier implies indexed indexes infrastructure initiate inside intersite interval intrasite introductory j keep kept kerberos link links load local locally locked logged long made mail mainly making marked master masters mean meaning messaging minimum minutes much multimaster name naming nds needed network nine nonreplicating normal novell nt numbers objects off once operation operations option organization out part particular partitions pdc periodically piece place placed primary procedure properties property protocol provides proximity reasons relative rely remember remote replicate replicated replicates replicating replication requires reside respectively rid ring roles rpc schema seconds sequence server servers service setup shortcut shortcuts simultaneously single site sites situation situations smtp sometimes stands stay successful synchronization synchronized take takes tell ten things third time tolerance tolerant too topology total tracks turn under units unless unlike until update user users usns waited wan warning version windows within words work workstation workstations

Global Catalog

0 70 138 151 863 across active ad2000 additionally administrators alternatively appropriate avoid back basic better box catalog collect complete consuming contact contains contrast controller controllers copy costly data day define designate directory distinguished domain domains dramatically easy efficiency efficient enterprise entire explain forest global helps host included increase large least leave likely link links locally locate location makes mechanism name names needed netware network normal normally object occurs once operations out part path performed perhaps permissions possibility printers process properties property query raises read replicate replicated replication requested resources result search searched searches separate server services site sites slow sometimes soon specifies steps subject tie time together transfer travel user user’s users wan whole workstation


active administration administrator appropriate better build centralized choose company concepts considerations decentralized depending directory discuss domain enterprise follows forest forests further guess hierarchy introduce introduced kind large largest model models multidomain multiple network ou sections simple simplest single situations size small smallest structure summarize topic tree trees whereas

Single Domain with No OU Structure

accounts active actually addition addresses administration administrative administrator administrators allow always amount applications apply applying appropriate assign assigned automatically basis call centralized chances changed companies company company’s container controller controllers couple currently data database depends directory disallow disks domain domains enough entire environments fax folders form format fortunately frequency group groups had hand handle hard helps her hierarchy his host improvement internal keyboard less limited links local locally locations log london long model nt numbers ou ous perform predefined printers privileges properties put remote replicate replicated replication represented resources right rights server services share similar simplest single site sites size small still store storing structure suitable talk tasks time tree triangles unfortunately user users wan whole via windows

OU Tree in a Single Domain

51 2000 achieve active administration administrator administrators amount assign basis capabilities complete compressed control controllers copy created currently decentralize deeper delegate directory domain domains double draw elect entire evaluate explained feels file forest get goal good group had handle he hierarchy inside larger level limited links logical longer master migrate model models modify multiple my naming necessary network nice nt object objects obviously open otherwise ou our ous part place places policies previous rather reason reasons remaining replicated replication represent resource resulting run separate server single sites specific structure therefore thing top tree tree’s triangle unit unless users wan versions windows xp

Domain Trees

administrative administrators agree authentication automatically b base become becomes below better bidirectional big business catalog child choice common consider continents contrast controller controllers decentralization directly disks distant domain domains domainwide established everything everywhere explained extra family folders forest form format get global group groups grows happy hard hierarchy higher implementing impractical independent inside large level likely locations lockout long lower maintain memberships model nds needs object often operators organization organize others ou ous parent parents password path permissions place policies possibly privileges put relationships replicate resource root schema separate server share shortcut similarly someone speed stated step structures subdomain subsequent top totally toward transitive tree trust trusts unidirectional units user whereas via

Domain Names

active add addition arrangement belong child child’s com company company’s computer contiguous controllers dc difficult directory dns domain domains eastcost forest get largecust ldap level maintain match member name names namespace normally our parent’s part preceding prepending rd recommended registered root sales sample sanao sanaoint servers surprisingly therefore tree trees workstations ws1

Forest of Domain Trees

10 11 access address administration administrative admins assignments beginning below bottom branch business call catalog child com common contains contiguous control controller course described difference differences dns domain domains drawn ending enterprise equal forest forestwide fourth gives global group groups had illustrates impression includes incorrectly independent intertree layout level look looks lower main model name names namespace namespaces naming normal now objects our par perform permissions placing point previous problem rather remember represent right root sanao sanaoint schema scope search search’s seem shown sides single slight specifically starting subject subsection subtree term time top transitive tree trees triangle triangles trust trusts units unless view

Multiple Forests

10 2003 access acquisitions ad2000 ad2003 addition among authentication benefits com company compared cooperation decentralized divisions domain domains enables explained external extra filtering foreign forest forests forestwide functional green her illustrate illustrates independent jill kerberos level limit log mergers methods model models multiple name nature nt ntlm offer older organization owners perhaps process requires root routing sanao selective server she sid single suffix totally trees trust trusts upn user ways whereas windows work workstation

DNS Integration

2000 able active addition allows authenticated basic benefit berkeley best bind broader character characters choice chooses client close common companies computers configuration consequently continue controller dash depend directory dns domain domains dynamic easier ensure feature file foremost former fulfill hardly implementation included infrastructure installed internet interoperability intranets life locate locating location main master members much multimaster name naming naturally needed network offers option organization perform possibility primary product purposes records related relationship replication requirements running runs secure selection serve server servers service services single srv standard stick store storing support supports system systems therefore traditional unicode unix updates various version windows wise work z zone

Locating Computers and Services

14 15 168 192 able active address addresses along among answer anyone asks best choose closest com communicate computer controller corresponds dc1 desired directory dns domain find involve ip job log looks name needs offer particular priority process queries query querying rather request return sanao secondarily server server's service site something specific tell therefore user weight workstation

Dynamic DNS Updates

2000 2136 active adding address administrator applications automatically boots comments companies computer computers configuration configure configured contain controllers defined dhcp directory dns documents domain download dynamic editing eliminate eventually find forced form happen host http ietf internet ip legacy machines manually meaning name names naming necessary netbios nt obsolete org organizations original protocol read records register registers registration relieves request resolution retrieved rfc server service services site sites standard startup statically supports until updates web versions windows wins workstation www

Security and Policies

2000 access active anyone authenticated base computing control directory discretionary file files ntfs part password protected subject system trusted username wants windows

Access Control

12 13 2000 access aces active actually allow assign attached computer contains control dacl dacls define deny descriptor descriptors detailed differences directory discretionary enables enough entries explained fax figures fine fit full go groups individual inetorgpersons inheritance inside interface known latter level major maps model name necessary nt ntfs object objects old ones options ou ous owner permission permissions principals properties read remaining sacl sd sds security show similar someone special standard system third tune user user's users very window windows write


2003 above access accessed aces active add advantage affects allow apply applying appropriate assigned beneath carry check child children choose completely cons container control controllers copied copies copy copying couple database descriptor directly directory disk domain dynamic exactly flag identical immediate improvements indicates inheritable inheritance inherited inheriting instance locally machines nds needs nt ntfs object objects old once opposite ou parent permission permissions power processing processor pros receive recognize replace replicated save saved security server significant single space specify static storage store take takes technology thousand tree type walk whole windows won't word

Delegation of Administration

12 13 access addresses administration administrators assigns beginning boxes control delegate delegation dialog edit else especially figures helps interface intimidating learning less mail manage nothing object objects ou ous part permissions postal process property shown tree ultimately user users wizard

Group Policy

14 10000000000 10gb ad2000 ad2003 administrators affect affects application applies apply appropriate assign assigned assuming automated avoid billion blocked blocking burden bytes centrally chain choice chosen compared computer computers console contain contains contents correctly criteria data define desktop despite determine directly disable discussion disk documents domain domains dynamically enable enforce environment farther feature files filter filters folder folders follows force forced fortunately free freespace get gigabyte giving gpo gpos group groups hundreds includes individual inheritance installation language least level located locations logicaldisk logoff logon lower manage management manually menu my name nearer network nor normal nt object objects optional ou ous overrides part permissions policies policy precedence preceding predefined profile query read redirection registry remaining remote replaces resides result rights ris scripts secure security server servers services settings shutdown simultaneously site sites somewhat space startup store system takes tedious templates tool typical unless upper user users users' win32 wmi working workstation workstations wql yet


500 access active architecture covered data directory infrastructure introduces issues kerberos key ldap model naming object physical programmatic public related schema

Data Model

1 4 11 14 15 23 26 59 60 70 142 191 207 250 257 863 2000 abc account active actually ad2000 administrative again always attribute basic belong belonging box class classes computer computers corresponding criteria data database decent defines directly directory enter entities examples faster fortunately having homephone implementation indexed integer logon mandatory match model multivalued name network object objects often optional otherhomephone out pm present printer printqueue properties property relationship represented resources respectively script search searching seem single sn snap stores string supports surname syntaxes time tool total type underlying unless user userprincipalname users value valued values

The Schema

500 active addition adds among attribute attributes auxiliary badpwdcount catalog chain class classes come contain content defines dictate directory discussed facsimiletelephonenumber finally gets global governs homedirectory indexed indicates inherit inheritance inherits little mailrecipient mandatory names object optional organizationalperson person relationships replicated rules schema securityprincipal services sn specifies standard states strange structure surname syntaxes telephonenumber title user wonder words

Extending the Schema

2000 able active add adding administration administrators admins agree allows application applications areas attributes australian base belong canadians careful centralized chose class classes common creating default defined described directory disastrous enabled enterprise exchange extend find forest fortunately global group guarding human implications inheritance install installations irreversible itself least management mechanisms messaging microsoft network objects organization out planning preceding prevent purposes query reinstalling require resource resources restrictions schema security sometimes store supports testing usersalaryinformation whole

Container and Leaf Objects

56 67 86 124 500 active actually ad2000 addition base call class classes classstore contact contain container country defines directory directory's files folders hood interface leaf locality normally ntfrssubscriptions objects obvious organization organizationalunit others refer referring rest schema seems specific standard total type types under user words


16 2003 active ad2003 addition among application attributes boundaries catalog child classes com combination computer computers configuration contain contains context controller controllers copies copy correspond corresponding default designated directory dns domain domaindnszones domains exist forest forest's forestdnszones form global groups hold holds independent least leftmost listed logical manage manager mentioned naming nc objects ous part partial partition partitions partly principals relevance replica replicas replicated replication reside resides rightmost sales sample sanao schema security server servers services sites snap sometimes structure together tree type unit users whereas windows zone

Naming Objects

2000 2003 access account active actually address administrators almost alternative among attribute attributes bottom brief brown c canonical cd classes cn com commas common component components computer computers container country dc define depending directory discussion distinguished dn domain domain's downlevel easy enter examples exists file format formats fortunately go graphical group groups gui identifies include included ins inside jack jackb kit l ldap learn least left locality location locator log logon long looks mail mandatory microsoft mmc mostly name names naming needs none nt o object object's objects optional organization organizational ou our package page's parent path place places prefix prefixes principal rdn relative relieves remember require required resides resource right sales sam sample sanao sensitive separately separators server shipping sibling significant similar slashes snap sold sometimes specifies stands support survive syntax syntaxes system therefore time top tree trees turn type types typing uniform unique unit upn upns url user username users utilities web versions while windows windowsserver2003 words www

The X.500 Standards

10 12 34 88 93 96 500 501 509 511 518 519 520 521 525 530 583 584 585 586 1988 1993 1997 2000 2001 9594 abstract access active administration adopted agents appeared approves area aspects attribute authentication away bad best binding certificate ch classes clients collaboratively commission communication communications complex concepts concerns conference conformance conforms considered dap data define definition derived designated developed device difference directory disp distributed dsas dsp electrotechnical examples four framework frameworks full functional good had hasn't held http iec implementation implements including int intensive interconnection international iso itu key ldap letters lightweight made makes management mentioned microsoft model models modem name namespace nations network networks object often open operation operational organization organizations osi overview particularly parts pics prepared previously procedures proforma protocol protocols public publishes reasons recommendation recommendations referred refers replication reputation reputations resource run sector selected series servers service services shadowing similarly slow specifications standard standardization standards stands statement streamlining stripped subset system systems t taking telecommunication telecommunications telephone top traditionally transport types union united unnecessary v version versions viable widely world www years


40 977 1487 1777 1986 1993 1995 1997 2000 2251 access active actual administrative ads almost announced areas articles authenticated average back cake carry clients companies compared complex connect controllers current dap day defines directories directory discussions distribute domain dramatically emphasize era finally generate historical includes including inside internet ip iso junk late ldap ldapv2 ldapv3 light lighter lightweight made methods microcomputers microsoft millions modify netscape network news nntp nowadays novell obsolete organization osi pc piece place popular practice products protocol published query rather read rfc running runs search servers services shouldn't simplified since slower standard status still support supported taken takes talk tcp technologies tens too traffic wanted various version widely windows words worry write writing year yet

LDAPv3 Specifications

10 12 53 56 80 96 389 500 1823 1995 1997 1998 1999 2000 2001 2002 2003 2004 2164 2247 2251 2252 2253 2254 2255 2256 2589 2596 2696 2713 2714 2739 2798 2820 2829 2830 2849 2891 2926 2927 3045 3062 3112 3296 3377 3384 3671 3672 3673 3674 3687 3698 3703 3712 3727 access active actually address application asn attribute attributes authentication being browse browsing calendar carry category class clients codes collective communicate component control controller conversion corba core data date default definition definitions developed directories directory discovery distinguished dns domain domains done dse dynamic extended extension extensions family feature filters finally format general get half idea included includes indicated inetorgperson informational interchange interest interface internet introduced ip java kind language layer ldap ldap's ldapv2 ldapv3 ldif lightweight lookups manipulation mapping matching methods mime mixer modify module named names normal object objects ones operation operational organization paged password perhaps policy port printer profile program protocol published quickly recommended references remaining replication representation representing requirements results rfc rfcs root rules schema schemas search security server services side simple six slp sorting specification specifications standards status storing string subentries subordinate summary support supports syntax tables tcp technical templates things ties title tm together track transport url user utf v3 vcard web vendor version work yet

LDAPv3 Operations

11 555 1234 2251 abandon abandons actually add adding adds advisory allows anonymously answer anything application applies ask asynchronously attribute attributes authenticates become bind choice client compare compares condition connects criteria dap defines delete deletes described description designated directory distinguished dn else error event exact exactly exclusion extended extending extraordinary former fulfilling functionality genuine included indicates insufficient jack's latter ldap ldapv3 lightened location message modifications modify move moves name normal notification object objects operation operations opposite perhaps permissions phone prevent previous provide read renames request requests response restrictions retrieves rfc say search selected send sends server session situation specify subtree synchronously terminates unbind unnecessary unsolicited waits value values ways while won't yes

Physical Architecture

17 500 2000 2003 above access active actual agent among application applied atomic attribute authority call clients column completes component components contain containers contains context controller corresponds corruption created creates customer data database db decent directory disk dit dll domain drawn dsa engine ese esent excel exchange exe executed extensible feature file files flat form frs full functionality functions generally handles hierarchical hierarchy implements indexed interfaces isam jet large layer ldap level link lives loaded local log logical logs lsass manager meaningful method microsoft model modified modifies modify mostly namespace needed normal nt ntds ntdsa object objects obviously offers operation others ous perhaps permanent physical place previously process product protects protocol ram read relationships requested reside row searched security selection sequential server similar spreadsheet sql storage subsystem succeeds system tables takes technique technology tens think tracking transaction transactions tree typical whenever while windows wins words written


18 2000 2003 abstract access account active activex administering administration administrator ado adsi affects allows among api applications array attributes authentication besides binary built c center cn com command component components computer container controllers corresponding creating criteria cscript data database dc default deleting description descriptions directories directory distribution domain echo enter eventually exist file filename filter folder general get getobject groups guest idea illustrates implemented included includes including interact interface interfaces internet key krbtgt ldap level line lines look low manage management manipulates member microsoft microsoft's model mytests name names netware notepad nt objchild objcontainer object objects operations oracle output press principle program programmatically programmers programming prompt protocol provider providers queries quotes reading real recommends resources sample sanao save saved script scripts search searching server servers service shares simple simultaneous source sql strategic technology things top turn type user users utilities vbs vbscript vbtab windows winnt workstations world write writing wscript xp

Kerberos Authentication

19 1510 accessing account acquires active advantages authenticating authentication b c caches center check client client's clients communicating computers connections connects contact contacts controller controllers correct credentials data directory distribution domain downlevel enough especially external faster file fixed forest fulfill gets granting her illustrates impersonate impersonation issues kdc kerberos key lan logs makes manager member mentioning method mutual needs nt ntlm offers operating order primary request returns rfc running server servers service session she speeds starts still supports talking tgt ticket tickets trust user user's users validity wants version windows workstation workstations worth

Public Key Infrastructure

509 2000 2003 access accounts active assigned authenticate authentication authenticode authority available browser business buy ca card cards certificate certificates choose commercial credit customers described digitally directory dramatically drivers editable edition efs encrypting encryption enterprise extranet file files gain https identification included increases infrastructure introduces ip ipsec key keys logon mail memory network pairs partners password personal pin pki place private processor public purposes referred resources secure security server services signed smart store support system tcp technology templates traditional traffic user username users users' web verisign version very windows words yourself

Other Features

active adds connecting considerations containers covered current delve directories directory external far haven't internet introductory limitations mention network publish say services special too we'll virtual words

Virtual Containers

active common container copy creating cross define directory dn dns external foreign happen holding ldap look name object part point reference server starting things virtual


2003 acceleration active adam address administrators advertise allow alternatively application applications attribute automatically available beforehand centralized choose class client com company computer configuration connect connection consistent controllers covered created data database dea developing differently directory domain elsewhere enabled exact exists explained extending file find flexibility folder freely happens help interest interesting internet introduced isa items itself job large little making mentioned microsoft mode name object objects often option partition partitions pays phone point points previous print printer provide provided publish publishing put reason reference replica replicated rpc schema security separate server servers service services settings shared something standard static storage store storing structure suitable suited system technology term themselves time user user's users whenever windows winsock

Connecting to the Internet

20 137 139 2000 accessible accessing active addresses administrators assigned authority being choice com communications company comprehend computer confusing connect context control controllers corp corporation crackers database delegated demilitarized directory displayed dmz dns domain easily else employees external externally filtering firewall firewalls forest gateway get hackers highly host http icann implement incoming inner install interested internal internally internet ip issues level local logical made mail medium much name names netbios network networks nt numbers org organization outgoing outside pick placed ports practice presence pretty protection protocols provider public recommended register registered registration remember resources router safe sanao sanaoint send separate server servers service services sized small something sort still tcp top traffic unless users ways web windows visible visit world www zone zones

Active Directory's Current Limitations

active address appear concepts directory directory's expected full indicates introduced limitations mentioned nothing perfect picture real serves shortcomings summary versions world years

No Forest Changes

2003 active ad2000 ad2003 addition afterward again allow always boundaries child choices concept constantly control controller controllers current demote development differentiate difficulty directory domain domains eliminate eliminating enables except fact feature forest forests freely functional future higher installation join laboriously level levels limitations local location locations member merge move nds novell objects offers older partition partitions place prohibits promote relieved remote remove removed removing rename replicate replication research right running server somewhat split things tied time transparent under versions windows

Domain Nature

active administrative anything boundaries boundary choose claim coincide consider criteria directory dns domain easily fortunately independent match namespace nds often part partition partitions planning policy replication security shouldn't structure things time unit units

Other Limitations

20 30 able active advantages allow application avoid better branch common compared controller databases directory directory's domain domains extra flexibility focus folders gives group hand having headquarters host main mentioned multiple nds object objects office offices ou ous partitions parts permissions place placing preceding previously put replicas replicate say sections server servers shortcomings small thing unnecessarily useful user users various

Some Differences from NDS

active alias always around capability command concept consider context creating current cx depends directly directory distinguished extensive filename folder great line location mention missing move name nds necessary non object objects obviously parent path point possibilities rdn refer relative search shared shortcoming somefile somefolder support techniques tree unlike upns user workstation

The Next Version of Active Directory

2 2003 2004 2005 2007 active adam ads application around automated blackcomb client code console contain copy currently deployment directory downloaded dsml expected expects feature future gpmc group identity iifp include integration management manager march microsoft mode named netware pack packs part policy product r2 release resource rights rms separately server service services shadow sharepoint ship software sp2 sus system update version windows writing wsrm wss


active base concepts directory elements explains exploring forms installation introduced knowledge now offers process running server soon understanding

Chapter 2
Active Directory Installation

10 100 255 2000 2003 8gb access according across actions active actually ad2003 add address administering administration administrative administrator adminpak advanced afterward again alias aliases alone along alternatively always analyzing automated automating available aware backup basically better book briefly brings browse c cd center changed changing character chm client com come command common complex component components computer concept configuration connection consider console content controller controllers copied cover date decided decisions default demoting depending described design designs desktop desktops directory disable disabled discuss discusses disk display divided dns docs documentation doing domain domains double down drive during easily easy edition enable enables enforced enhanced enough enterprise environment evaluation event everyone examples exe explorer f10 f11 far feature files finally find folder forest formatted functional functionality further generally get good gpedit group gui had help hit http i386 ie ieesc image implementing implies include included includes including install installation installed installing internet introduced introduces ip issue keyword lab language least levels license licensing line local locate location long lonsanao1 look looking management managing mask media member microsoft mixed mmc mode modes msc msi mstsc name native now nt ntfs numerous ok online open operating options order pack part partition parts password permissions person phase phases policy preferences presents pressing primary problems process proddoc promote promoting prompt properties provides purpose raises rdtoggle reaching read reasons recovery regional reinstall related remote remotely removable remove renaming reports restart restarting retail right role root run running sample sanao scenarios search seat sections security separated server servers service services setup setuptxt seven share shift shutdown shutting since site skilled snap stand standard static structure studying subfolder subnet success suggests support supported switch system system's system32 systems take taken techinfo technique technologically templates terminal test thing time tip tips toolbar topics tracker tracking trusted under uninstall uninstalling users value values web verifying version windir windows windows2000 windowsserver2003 wish wmi wmic volume workgroup worth www xp zone

Domain and Forest Functional Levels

1510 2000 2003 2589 5585 access accounts acl act active ad ad2000 ad2003 added adding addition admin affect algorithm allow alternatives application applications assign assigned attribute attributes authentication authorization auxiliary available back backup backward balancing basic become becomes bridgehead caching capabilities catalog cd changed changing class classes coexist com command communications compatible compliance complicated component computer computername computers concept connected connection constrained constructed contacts contains controller controllers conversion conversions correct creating cross dc dcs deactivating decrypting default defunct delegated delegation deny directory displayed distribution dns domain domains domainwide domren down drag drop ds dynamic dynamically dynamicobject easier editor effective efficient enables encrypted enforced enhancements enough es especially exe exist forest forests full functional functionality further fwlink gc generator global go group groups hand having health her highest history http important improved improvements improves including individual inetorgperson inheritance installation installed instance instances integrated inter interact interface interim introduced introduces introducing irrespective istg kdc kerberos key keys large lastlogontimestamp ldap less level levels limit line linked linkid listed live load local locate log logging logon longer lvr makes managed management manager managing media member members membership mgmt microsoft mixed mode modes monitoring moving msft multiple narrowed native nesting netdom network networks nt numbering numbers object objects old operations option order ordinary originating ou parent partial partition partitions partners pas password passwords pdc period permissions picker place plus policies policy prevents previously primarily principals prior properties provided providers providing queries query quota quotas raise raised rather records redefinitions 
reliable remote removes rename renaming rendom replicated replication require requirement requirements resources restore reversed rfc role roles roll root run running saved scalability schema scope search security selected selection selective server servers services setup show sid signed since site six specific step still stops storage storing stub subclass support supported supports synchronization system system32 takes tasks term time timestamp topology tracking traffic transitive trust trusted trusting trusts ttl types unicodepwd universal unsuccessful until update updates upgrade upgraded upgrading user userpassword users value valueadd warning versa version versions whole vice windir windows within wmi words workstations zones

Installing Active Directory

2000 2003 access active administrative administrator alone alternatively checked command completely computer configure controller dcpromo demote directory display displayed domain important installation installed installing logon logs manage member nt onto page promoted right role roles separate server setup stand started time tip uninstall window windows

Requirements and Recommendations

0 20 1995 2000 2003 2136 239924 10mb 2000's 2003's 200mb 2gb 42mb 4gb 500mb 50mb ability across active activedirectory ad ad2003 adapter addition address adequate administrative administrators admins adsizer advanced allow alternatively apps around article asp available base bind cable catalog com come comes complete component computer config configure configured connection considerably controller controllers database datacenter dc default define depending detect dhcp directory disabling disconnected disk dit dns domain domains download dynamic dynamically edition editor effort enterprise environment estimate file files find folder forest formatted gc get global group hardware hierarchy hosting http illustrates incremental install installable installation instructions internet ip itself kb kit knowledge known laptop least local location log loopback manually media member microsoft minimum needs netlogon network ntds ntfs objects operating order org partition permissions planning problem protocol recommendation recommended records reduces register registers replicated required requirement requirements resource rfc running sense server servers service settings situation sizer space srv stack standard standards status sum supplement support supports system system32 sysvol takes taking tcp techinfo technology tip transaction transfers update updated users version windir windows windows2000 virtual wizard volume won't working www xp zone

Creating Domains, Trees, and Forests

2000 active command consequences dcpromo decisions directory during especially far initiated installation installing involved mentioned reaching starts steps windows wizard

Before Installation

0 1034 1035 1036 2000 2003 2052 accommodate acquired active ad2003 adam addition application applications arise authority available becomes before book child choose com companies company company's conflict conform connected connection controller controllers currently dc dcs decide deploying deployment designing directory dns domain domains ensure entire essential ever exists extranet fault firewalls forest forests form forms frd http identity implemented include install installing integrated internet internet's join joined kind kit knowledge known latest learning least locate microsoft mode name namespace naming network notice options order organization provide proxy recommend recommends records registering registration represents requiring rfcs root rule rules scenario scheme security separate server servers services smallest solution standards strong suitable thorough thumb tightly tolerance tree trust unique uniqueness users while windows windowsserver2003 wise www

The Installation Process

15 64 155 2000 2003 $ ^` ' accepted access accessing account acls active actual add added addition address administrator administrators admins allowed allows along among analysis anonymous appears applications applies appropriate ask attacks attribute authenticated authentication automatically before behind belong book builtin bytes c careful center channels character characters check checks choose clicked client clients clock com com' command common company compatible complete completed computer computer's computers configuration configure configured configures confirm consider consists contact contain continue controller controllers copy created creates creating creation credentials data database decide default defaults define defined depending detail detailed determine diagnostics differ directory disk disks display displayed displays distributed distribution distsys dit dns documentation domain domains drive dsgch02 dsrm during dynamic en enable enabling ensures entered enterprise especially events everyone existence exists external extra f8 file files flowchart folder forest formatted found generates goes grants group groups guide handles having http hyphens implications improperly improved include included increases initial install installation installed installing interface intersite ip ismserv kdc kerberos key keys kit labels length less let lets letters likelihood limit link local localgroup locate located location locator log logon lsa manages maximum members membership message messages messaging methods microsoft mode moved mspx mutual name net netbios netlogon network nobody notes nt ntds ntdsutil ntfs null numbers object objects obviously ok omitted operating operation optimize option options order our part1 partition password perform performance periods permission permissions physical place policies policy position pre preferred prepare pressing previous privileges process progress promoting promotion properly protocol ras reached read receiving records reducing registers registry removal remove replicated replication reset reskit resource resources restarted restore results review role root rpc rpclocator running runs sample sanao scenarios scenes screen secure security sending separate separated sequence server servers service services session setpwd settings shared shown significantly similarly sites snap source sp2 space spaces srv stack started starting starts startup static step steps stop storage store stores structure successful suffixed suggests summary supports synchronizes system system32 systemroot systems sysvol take taken tcp temporarily tickets time tip tracked tracking tree trksvr twice type unicode unique uniqueness unless update updated us user user's users utility w32time valid value various weaken verified verifies version very whereas while window windows winnt within wizard volume volumes work www you've yourself zero

Installing Additional Domain Controllers

2003 accessories accommodate accomplished active ad ad2000 ad2003 addition adv advanced alternate alternatively amount asked authentication automatically backed backup bandwidth basis before behavior being boot branch bulk catalog cd check checking clicking close com command complete configure connecting connection considerably consists contacted controller controllers copy created database date dc dcpromo deleted deliver delivered dialog did directories directory disk displayed dns domain during dvd except facilitate facilitating fault file files follows gc global good had idea increase install installation installed installing introduces it's least link links locate location low main media menu metadata necessary network normal normally ntbackup office ongoing online onto option order parameter permission permissions phases placing process programs promote promoting promotion protected reason recent records reduce registration registry remote removable replicate replicated replication required restore restored result run running save searches server servers shipped shown slow sometimes source starting state steps still store surfing synchronized system sysvol take technique tip tolerance tool topology transfer transferred typing unreliable unselect update user wan windows wish wizard

After Active Directory Installation

23 56 2000 2003 308592 accomplished active adds administrator article being briefly cn command complete computer configuration consequently controller correctly created csv csvde dc dcphelp dcpromo dcpromohelp debug determine directory display displayspecifiers dispspec domain english everything exe flash forest further gui import installation instructions interrupt kb locales log logs mui name non now objects prevent process prompt restart runs seeing server specifier steps supported system32 systemroot takes time tip unsuccessful users went windir windows

Verifying the Installation

2000 2003 access active added addition address administrative alternative analyze appended applies builtin check checking client command completed computer computers config containers controller controllers copy created csv database dcphelp dcpromo dcpromoui dcpromoui001 debug default defaults directory display displayed dit dns domain domains during dynamic elsewhere ensure errors file files folder foreignsecurityprincipals forest gc group ins install installation installed installing ip items line linked local located location locations log menu mmc msc name net netlogon newer ntds older order ou parameter place policies policy present promoted promotion prompt properties provided records refreshing removed repadmin replicating replication replsum resolver resource respectively restarting run saved secpol security sequence server servers service services settings shared shortcuts showreps site sites snap specifiers srv states still stop successful successfully support sure system system32 systemroot sysvol testing thereafter times tip trusts try under unfortunately updates users verify version whereas windir windows within volume xp you're yourserver

Ensuring Compatibility with Earlier Clients

95 2002 2003 ability active affect affects aforementioned always attacks authenticate box care ce channel channels check checked client clients communications computer computers configuration controller controllers data default define defined devices digitally directory disabled disabling domain encrypt enough group improvements including increases inheritance lan leave local machines man manager member members microsoft middle net network nt older options overwriting pack pc pocket policies policy previous prior reduce relationships remove requirement requirements resources running samba secure security server servers service services settings sign signing since smb take time tip trust unchecking under upgrade ways version versions windows workgroups vulnerability

Configuring Time Service

123 2000 2003 active ad2000 alternative c clock clocks commands computer config configure controllers correct dc directory domain edu ending external find firewall forest get hierarchy http including isc isi lowermost manual manualpeerlist members necessary net network ntp open order org pdc port professional protocol public resync resynchronize root server service source starting stop syncfromflags synchronize synchronized time timekeeper tip udp update w32time w32tm windows working workstation www

DNS-Related Tasks

2003 active allen allow basic book catalog clients com cornerstone cricket directory discussion dns dnswinsvr get http including larson learn liu matt network o'reilly order oreilly robbie running scope server servers service steps thorough tip walk windows working www

Removing the DNS Root Domain and Configuring a Forwarding Address

2000 2003 active add address administrative answer assumed circumstances clients company computer conditional configuration configure configuring connect connected consequently created defined delete depending directory dns domain double enable enables entire external f5 feature finer firewall forests forward forwarder forwarders forwarding forwards go grade help icon important installation internet introduces ip isp itself lookup name nat network online order possibly pressing properties queries rather record records refresh remove replicated resolution restart result root server servers service snap started starting stub support tab tip translation useful versions windows wizard zone zones

Creating a Forward Lookup Zone and Enabling Dynamic Updates

10 2000 2003 active add administrative allows automatically available box check checked com command components computer configure context control controller decided default directory dns doing domain double dynamic enter field file finally finish forest forward good icon install installation ipconfig isn't latter let line lookup managing manually menu name net netlogon networking nonsecure now order panel perform previous primary programs provide reasons record register registerdns remove replicated replication restart right root running sanao scope secure selecting server servers service services similar snap specify step steps stop store system32 transfers type unless updates very windir windows wizard zone zones

Creating a Reverse Lookup Zone and Enabling Dynamic Updates

10 100 active address allows available box c can't check checked command computer computers configure context controller corresponding default diagnostics directory dns doing domain double dynamic enter error field finally find finish good icon id interactive ip ipconfig isn't line lookup managing menu mode monitoring name network nonsecure now nslookup octets ok once order out perform pointer previous primary provide ptr reasons record register registerdns replication request resides reverse right running scope seconds secure server service snap specify step steps store subnet test thing timed timeout too tool try twice type unknown unless updates work you'll zone zones

Storing DNS Zones in Active Directory

2078 2137 active allow before checked configure configuring defined directory dns dynamic field include install installation installing integrated let perform permissions properties records replicated rfcs secure selecting service support tasks updates within wizard zone zones

Application Partitions

323 act active ad2000 ad2003 aka api application applications architecture automatically availability catalog child com command configuration configure configuring contain container containers containing context contexts controller controllers created creating dc default depth differently directory discuss diverse dns domain domaindnszones domains domainwide dynamic ensure especially fixes forest forestdnszones forestwide geographically global greater guids h had ils important install integrated internet introduced introduces ip latency let located locating locator manage managing msdcs name naming ndncs nearest network networks non nor objects order ou partition partitions principals problem problems program records referred replicate replicated replicating replication requires root running schema secondary security separate server servers service sometimes subdomain system tapi tapi3directory tapicfg telephony topology within yourdomain zone

Managing DNS Replication

10 active application appropriate checking consequently controllers created creation default define directory displayed displays dns domain ensure event forestdnszones log option partition partitions recorded replicated replication store zone zones

Managing Functional Levels

11 2000 2003 absence active ad2000 ad2003 administration administrator admins adsi assuming attribute attributes automatically bdcs behaves behavior changing check checking class cn com computers configuration consider container controller controllers created crossrefcontainer dc default directory displayed displays domain domaindns domains dropped edit ensures enterprise exist exists forest functional functionality implications increased indicates install installed installing interim ldp level levels location lonsanao1 making member mixed mode msds name native newly nt ntds ntdsdsa ntmixeddomain object option order out partitions perform product raise raised raises raising represented reverse root rootdse running sanao security server servers settings similarly since site sites still storage stores support system tip trusts type users value values verify version view windows workstation

Installing Additional Tools

active adsiedit book cd com console depth directory discuss download downloading exe exploring extensively gpmc group http install installation installing kit least management microsoft msc msi obvious package packages policy promotion repadmin reskits resource support suptools surface tool under valuable worth www

Changing Folder Locations

18545 accomplish active become changing com command compact complicated computer contain controllers created database default defragmentation defragments detailed directory domain file files folder folders fwlink go guide http installed instructions large linkid location log microsoft mode move moving necessary ntds ntdsutil objects online operations order rather reduce reinstalling related removed restore services size starting subsequently systemroot sysvol takes tip

Other Post-installation Tasks

accounts active ad alternatively best changing chapters computer computers containers controllers created default directory discuss document domain download during follow guide installation installations installed master microsoft off operation ous practice read redirect roles securing security services settings site tasks transfer turning unnecessary user users web

Automating Active Directory Installation

2000 2003 223757 active alternatively answer article assume autoconfigdns automate automated c cab cabinet cd chm com command confirmgc contains contents controller createorjoin databasepath dcinstall dcpromo default deploy differences directory dnsonnetwork documents domain domainnetbiosname editor examples far file files folder forest further hw92 include inside install installation installed kb let's lines logpath london media mentioned modify newdomain newdomaindnsname notepad ntds operating order preceding previously r7rg read reasonably rebootonsuccess ref replicaornewdomain root safemodeadminpassword sample sanao say server settings setup simple sitename slightly subsequently support switch system systemroot sysvol sysvolpath template tip tree treeorchild txt windows yes

Problems with Active Directory Installation

10 100 389 2003 active address alternatively bind box button c check checking clicking cmd com command common computing dcdiag deeper default delve diagnostics dig directory dns dnslint dnstool domain download edu enter especially filters find follows hostname htm html http inability include index internet isc ldap line location lonsanao1 looks menu name netdiag now nslookup open operation org out output parent pl port press pressing priority problems prompt properties queries query quotes records recursive related replies resolution response right run sanao selecting server service simple snap sort srv support sw svr tcp test testing tip tool try type utilities utility uwdomains washington weight version windows www

Recovery Options

2000 2003 access accessing bios blank bottom briefly diagnostics discuss f8 finished further goes help important includes logo menu message missed online options pressing recovery reference screen sections server shown startup technical timing windows

Startup Options

17 95 98 2000 2003 access active administer administration administrator always appended available back base basic boot cable card cases caused causes command computer configuration consequently controller controllers corrupted creates cure debug debugging default defined devices directory displays dns domain driver drivers during enable enables everyone familiar file files functionality good includes incorrect installation installed introduced keyboard known loaded loading log logging lost made mass minimal missing mode monitor mouse named necessary network networking newly ntbtlog option options password pcmcia presents preventing previous problems prompt properly purpose registry restore restoring restricted retain roll safe saved sending serial server service services settings shutdown since solve started starting starts startup state stop storage successful successfully support system systemroot tab tip txt useful various version vga while video windows working xp

Directory Services Restore Mode

2003 active backup computer data database defragment directory fulfills functionality help keywords mode necessary ntdsutil online portion recover restore restoring running server services situations state system tip windows

Recovery Console

10 2000 2003 able access active administrator administrators allowallpaths arc around attrib attributes autochk automatically available batch before boot bootcfg booted booting cab cabinet cd chdir checks chkdsk clears cls cmdcons com command commander commands compressed computer configures console contains contents copies copy creates current damaged default del delete deletes devices dir directories directory disable disabled disables disabling disk diskpart displays dots drive driver drivers during enable enabled enables environment equivalent erd exe executes existed exit exits expand extracted extracts fat fat32 file files fixboot fixmbr folder folders format formats forward functionality group hard help hidden http ini installation installations intel interface kind letters line listsvc local location logon long looked management managing map mappings marks mbr md media mkdir name nt ntfs old onto operation operations options original parameter parameters partition partitions party password paths physical platform policy products purpose purposes quotation rd rebuild recovery related removable removes ren rename renames repairs replacing report requests requires resetting restarts restricted restrictions results rmdir root scan screen sector server service services sets setup similar single source sources space spaces specified starts startup status support supports sysinternals system systemroot third time type utility variables various versions wildcards windows volume work works writes www

Installing and Starting the Recovery Console

2000 2003 810562 6mb 8mb alternatively anytime appears article available boot c cd cmdcons command computer console contains disk disks dos download drivers enter erd files floppy included install installation installed installing introduced kb latest load longer menu ms necessary nt operating option order partition pressing process r recovery repair screen server setup space startup supported system takes traditional try update windows winnt32 you've

Using the Recovery Console

10 2000 2003 account administrative administrator administrator's allow ask automatic commands computer configuration configuring console country default directory disabled disk english exit finish hard installation installations keyboard layout listed local logon mode options password passwords policies prior process recommend recovery registry repair reset restart restore s scans security server services settings starts time tip type typing u windows

Automated System Recovery

2003 application asr associated attempts automated backup cd components computer configuration data disk disks enables f2 fail floppy introduced operating order press recovery restore restoring server services setup starting state store system windows xp

Uninstalling Active Directory

12 2000 2003 216498 able access active actual ad added administrator admins alone along application appropriate article asked attributes available become becomes before center certificate certificates classes clean command complete computer computers connection consequences continues controller controllers couldn't created credentials cryptographic data dcpromo decrypted define defined delegated delete deleted demote demoted demoting demotion developer directory disable dns domain domains easier encrypted ensure enter enterprise exist exists experimenting export exported exporting extinct failures finally forced forceremoval forest forward further gc going group handled happen help ignores inconsistent install instructions introduces isn't kb keys keywords local log longer lookup major master member metadata much necessary network nor objects online operations order otherwise pack partitions password permissions private problem question really records reinstall relevant remain removal remove removed removing replica requirements restarting roles root schema search server service services situation situations software srv stand subdomains support sure technique things tip transferring uninstall uninstallation uninstalling unrecoverable updates upon user users warning windows wizard zone

Automating Active Directory Uninstallation

8992 63trg active administrator administratorpassword answer answered automated c command dcinstall dcpromo dcuninst differs directory file here's installation islastdcindomain obviously password questions rebootonsuccess sample somewhat txt ud uninstalling username yes


2000 2003 active aspects begins content controller core directory domain exploration explore groups learned least management network now ous promote ready running server small users various windows

Chapter 3
Managing OUs, Users, and Groups

23 35 59 active ad2000 ad2003 administration alias aliases alternative alternatively appear applications behind book class classes computers contacts contain contents corresponding cover covers creating csvde custom describe directory discuss discussion domain dsadd eight enables explore finally focuses folders follows further groups help include inetorgpersons install installation kit ldifde listed locate manage managing mention message microsoft msmq nine normally object objects organizational ou ous outside part populate printers proceed queue queues queuing recipient reside resource right scenes scope scripting shared snap topic tree units users visible

Active Directory after Installation

account accounts active administrative argue authenticate button clicking com computer computers containers contains controller created directory domain dsa enter forest group groups installed installing msc newly nt object objects often ou place predefined press promoting referred root run sanao selecting server snap something sometimes tip type upgrade user users windows

Predefined OUs and Other Containers

20 2000 accordingly active administering administration adsi advanced affects always anything assign assigned authenticated back below built builtin cds classes column come comparable computer computers contact container containers contents controllers cookbooks corresponding creating default delegate delete described describes directory discuss disk doing domain domains edit explained external extra files flags folder folders foreign foreignsecurityprincipals forest gpo group groups hood ies in's includes inetorgperson issue keep known level likely likewise little local member members move music neither nor nt object objects ou ous outside placeholders placing point policy predefined principals printer protection purpose putting redirect redirecting rename represent reside root security servers settings shared shelf shouldn't snap system therefore things together tool turned types under unless user users why windows visible workstations xp yes yourself

Why These Containers

2000 account accounts active add addition apis brought built builtin chosen command commands computer computers container containers controller controllers created default directory discouraged domain downlevel during ease explanation fact form group groups intentionally internally joins local localgroup long manager member migrated migration net netdom nt objects odd old ou ous precreated predefined process run seem separately separation server support switch tool upgrade user users whenever why windows workstation xp

Redirecting the Users and Computers Containers to OUs

2003 324949 advantage allow apply article base com commands computers container containers created dc default delete domain during employees flags functional group groups hand http knowledge level microsoft moved much normal old ones ou ous perform policies predefined protection redircmp redirect redirection redirusr rename sanao server system therefore users windows workstations www

Predefined Users

2000 access account account's accounts active ad2000 ad2003 adding addition administrative administrator allow allows always anonymous anyone anywhere application automatically besides box browsers careful catch center chose clients compatible component confusing connect connector controller controllers correct crack decrypt default delete denied depending derived description dialog directory disabled discussion distribution domain domains door enable enabled encrypt everyone extra forest granted group groups guess guest he hidden hurdle iis iiswam installed internet intruder intruder's iusr iwam jack jack's kdc kdc's kerberos key knows krbtgt large license likely log logged logon manager member minimal name names network never objects offers optional outofprocesspool part password path periodically permissions personnel potential pre predefined present principal prompted protection really recognize rename renamed renaming resources server servername servers service services small someone spn stands switches symmetric terminal tgts think thinks time trying tsinternetuser type typical user users walks ways web wide widest windows workgroup workstation

Predefined Groups

ability accepts account active adding addition administer administrative administrator administrators admins among anyone anything applies apply appropriate assign assigned associated built builtin categories container containers controlled controllers corresponding database delete difference difficult direct directory dns domain drives easier easy else exact existed far files fixed folders follows foreign format get global group groups guests had hard he him illustrated includes individual individually items jack jill keys least life local locally log making meaning member members mostly names needs network nt objects often operators package partial permission permissions policy predefined primary printers privileges purpose put registry relationship relationships required reside resources rest right rights security servers settings shown specific sticking story suitable system that's time turn types user users windows won't workstations worrying

Predefined Built-in Local Security Groups

44 47 2000 2003 297938 331951 abilities able access account accounts active ad2000 administrator administrators admins adminsdholder alerts allowed almost always anonymous appears application apply article attribute authenticated authorization back backup base being builders built builtin child compatible complete computer configuration configure connection console constructed container contains control controller controllers corresponding decisions default delete describe describes descriptive desktop detail directory domain domains down drives enterprise everyone except exhaustive file files flags folders forest formatting four full global group groups guest guests hard ignore including incoming inetorgperson inetorgpersons installed interactive ip iusr iwam knowledge known latter license licensing local locally log logged logon logs manage managing member members memberships microsoft modify monitor monitoring move name network none nt object objectís objects operating operators organization otherwise ou perform performance permission permissions pre predefined present principal print printer printers properties protection question read refers remote remotely rename replicator restore rights root running sanaobostonusers sanaousers security selected separate server servername servers service services settings share shares shut similar sp4 specific starting stop subtree system systems tables tcp terminal tggau therefore time tokengroupsglobalanduniversal tool total trust trusts universal user users windows visible workstation workstations

Predefined Groups in the Users Container

2000 2003 access account ad2000 ad2003 addition administer administrator administrators admins allows anonymous appears apply appropriate assign authenticated authority become behalf built cert certificate certificates child client clients computer computers configuration container control controlled controller controllers controls created creating creator default described describes description dhcp discuss discussed discussion dns dnsadmins dnsupdateproxy domain domains dynamically enable enterprise everyone forest full functional global gpo gpos group group's groups guest guests hierarchy ias iis illustrate illustrates include included install internet joined known let level listed local located logon maintaining manage member members membership memberships missing modify mostly name native necessary needs network none objects operating options ou owners part permission permissions placing policies policy practically predefined principals problem process property publish publishers ras read real record records register remaining remote resolved resource restrictions reveals rights root routing rras running saw schema security seen server servers service services settings similarly sites system tables therefore tightened type typically universal user usercertificate users wants various whole windows won't worker workstation workstations wpg write

Predefined Computer Objects

beginning computer container controller controllers domain object point

Administering OUs

active behaves better circle directory disk domain drop efficient files folders form groups illustrates image inside it's keep natural object objects off organizational organize ou ous out part rather referred represents root similarly store structure think tree triangle units uppermost users ways whole

Features of OUs

2000 2003 able access active administration administrators' assign bad benefits besides big box brown browse browsing button child clicking command continue control convenient copy correspond couldn't created database define delegate dialog difference difficult directory dll doing domain domains dsfolder easier enable entire extra file folder forest form found get good group hand he hiding illustrates independent inside jack level logical look lower manage matter microsoft my nds network object objects offer operation opinion ou ous outcome partition partitioning performs permissions person places policy primarily printer production properties providing purely put register regsvr32 related resource result sales sanao search searching security selecting selects server show sibling siblings single stick structure supported system32 target tell thing tip totally track tree turn unfortunately unit units upper user users users' wanted various via windows visibility words work workstation xp

Managing OUs

2003 administrative assigning center chapters checking com creating delegating deleting discussed domain encourage focus follows group harm help includes irreversible item items management managing moving ou ous partition permissions policy properties read renaming resultant rsop server sets support tasks try windows

Creating OUs

64 best character characters choose computers creating descriptive disk distinguished domain easy enough enter folder follow gurmukhi had harder key launch least life maximum name names nds now nwadmin object organizational ou ou's parent press punctuation put right short snap software steps string theory trick type unfortunately unicode unit users

Setting OU Properties

24 24 24 40 104 123 128 840 abbreviation ad2000 add addition address advanced affects appear base behind beings box c catalog characters choices choosing city clicking co code common computers contact contains country country's countrycode created description dialog discussed distinguished dn domains enter faster fields former gc get global human include included indexed indexing indicate informational integer iso kit l latter ldap line locality makes managed managedby manager manager's matter maximum multiple name names none numeric object ou ou's parentheses part permissions postal postalcode properties property provide province purely reading region related resource right scenes schema scripting searches security sites snap st state states street string syntax tab tabs takes turned unicode united us user users utilities windows works zip

Moving, Renaming, and Deleting OUs in a Tree

above accept assigned b being c changed choose circumstances clicking command contains ctrl cut delete deleted deleting described destination discussed domain drag easily enter f2 find forest further group hand inherit inherited inside insufficient key keyboard keys line location longer mouse move moved movetree name object objects ok once ones opens optimal original ou ou's ous pane paste permissions planning policies press pressing previously proceed prompted rearrange rename result right selecting shift sibling similarly snap support too tool tree type

Planning OUs

2000 according administer administration administrative administrators aforesaid application aspects assignment boston bullet company confuse controlling corporate deep delegation department disk division divisions domain domains easy employees entities exist folder geographical geography group including isn't keep learned level limit locations logical london mainly match mind necessarily object organization organizational organized others ou ous partitions physical planned planning policy practical previous principles printers production publishing purely purpose related reorganize reorganizing replication right sales scenarios similar specific stands structure suggests top tree trees type types typical typically unit units users windows visibility

Administering Users InetOrgPersons and Contacts

2000 able access account accounts active actually ad2003 add addition address administration advanced appear application applications applies apply aspect assign being beings book box brought card category certificates chapters collection column com common comp computers contact contacts contain container contains control copy corresponding corresponds couple course cover creating date de define delegate delete dial dialog dictates directory discussed discussion distinguish distribution eight employee enabled entry environment examples except exchange expiration fax faxing folder function functions general group had home human identical include inetorgperson inetorgpersons informational install introduced introduces item items latter left little location log logon mail makes manage management meant member memberships mentioned menu move much name nature natures network never object objects official organization ou outside page password path permissions person personnel placeholder please point policies policy practically primary principal production profile properties published question reason refer related remote rename requirement resources right screen sections security services sessions shots shown significant smart snap software store subset summarize tab tabs tasks telephones tend terminal terms test third title traditional try turn turning twice type types typically user user's users web whose view visible

Creating Users

10 20 24 64 256 2000 access accesses account accounts active actual addition address administrative administrator alone alternatively base becomes brown call can't canonical capability cases catalog cause changing characters choose cn command common compatibility computer computers configuration consequently creation default describes description despite device directory display displayname displays distinguished domain enforces enter european everyday except experience explain explicit fewer firstname folder forest forests full furthermore generation givenname global graphical handle hasn't he her his iii independent indexed informational initial initially initials jack jb joined jr knows label lastname latter ldap legitimately length line local log logon logs machine mail maximum middle mobile modify name names needs network normal nt object object's often old ou page part password performing permissions pre prevent principle privileges problems profile properties property purely qualifier rdn regard relate require required rights rule rules safer sam samaccountname schema selected server settings she shown situations sn snap specify sr stand strings suggests summary supported surname tasks third throughout time treats tree trust unicode unique useful user user's userprincipalname users utilities various warning windows within wizard workgroup workstation š

UPN Suffixes

active actual add administrative administrator appears box brown button choose clicks com consist contains corp default define dialog directory domain domains enables enter enterprise fixed forest jack left line logon name names once pane part parts properties right root sales sanao selects snap started suffix suffixes trusts upn uppermost user users

Creating InetOrgPersons

2798 311555 active actually ad2003 administrators affects along appear applications article authentication base before brought class com computers context defaulthidingvalue defined definition directory easier forest http identical includes inetorgperson interoperate knowledge menu method microsoft migrate modify needed network object objects practically products projected property purpose recommends represent rfc scenarios schema services snap standard test therefore tool type unless usage user users www True

Creating Contacts

11 address applications becomes book common company computers contact contains creating creation entry full informational log logon mail name names network object ou page password person properties represents saw settings shown significant snap specify therefore tree user users wizard working

Setting User InetOrgPerson and Contact Properties

30 50 138 150 165 207 257 account ad2000 addition address administering always behind contact context count counts covered creating define dial discussion easier exact explanatory express fortunately general groups help informational interface major member mention mentioned names numbers object objects organization our places precise profile properties provides required say scenes self sensitive settings significant simply tab tabs telephones user users windows

Significant Properties of a User Object The Account Tab

0 0 0 0 10 11 12 20 24 24 30 256 2000 2003 abcdef able acceptable access account accountexpires accounts active address adjustments administrator administrator's affects ahead allowed allows am amount anymore appear appears assign assigned associated attack attacks attempts authentication away back becomes being belgium binary bit boston boxes bpactlck brown calculated card causes cbc changing character characters check checks clear com command compatible computer computers configuration consequently contents control controller correction corresponding current data date daylight days default define defining delegated delegation delete denial des described description despite determined dictionary digest directory disabled discussed document domain during eight empty enable encrypt encrypted encryption enters except exempt expires explanatory expose firewall folder force forwarded freeze functional gmt going good granting group having he his hmac hour hours http human iis impersonation implementation implementations includes increments indicate initial interactive internally irreversible jack jackb kerberos key label ldap learn least length level line local locked lockouttime log logon logonhours logs long longer looks machine macintosh mail maximum md5 meaning microsoft minimum month mspx name names net netbios never normally nt object often old online option options out pass password passwordreq passwords periodically periods permissions pm policies policy practice pre preauthentication prepared prevent principal prodtechnol profile properties property pwdlastset rc4 regardless relieves represents require required reversible rsa rsadsi rule sam samaccountname saving schema security selecting self sensitive server service sets settings she shown significant sitting six smart snap someone soon special specified standard still store stores string syntax tab taken technet technologies temporary ten tgt tgts thorough throughout ticket tickets time times too tries trusted twice type types unicode unlocks until usable useful user user's useraccountcontrol userprincipalname users userworkstations utc vanish wants weekdays windows windowsserver2003 visible won't workstation workstations wrong www xp year yes zone

Significant Properties of a User Object The Profile Tab

11 13 2000 $ able account active actually administrators alternative anydomaincontroller applications assign back bat brown browse characters connect connects contain contents control convention creates d default define defines description directory documents dollar downlevel downloaded drive edit environment exists field fields folder four full gives group handy he his home homedirectory homedrive homepath inherited invisible it's jack jack's jackb ldap letter local logon logs machine makes maps my name naming netlogon network newer nt object off old once path permission permissions policy pre private prof profile profilepath properties property providing read relative remove roaming saving script scriptpath server services shared sharename sign significant snap specifies store tab tab's time unc unicode uniform unlimited uploaded user user's username users value variable variables whereas whichever windows workstation xp

Significant Properties of a User Object The Dial-in Tab

14 apply book communication connections define defines dial managing network outside private properties provided reference scope screen settings shot significant tab therefore user virtual vpn

Informational Properties of Users and Contacts

12 24 24 24 40 43 64 89 93 128 256 840 2048 acceptable active ad2000 address advantage affect anything appear applications authorization base blank box boxes brown c categories categorized characters checking choose city cn co code color comments common company computer consequently consist consistency consistently consisting contact containing country countrycode covered creation criteria deals default department described describes description detail determining dialog dictate direct directory directreports display displayname dn document edit enter entered entries especially except facsimiletelephonenumber favorite fax field fields file fill fixed format four free ftp gc general givenname group groups guidelines hair her his home homephone http ideally important include index indicates info informational initial initials integer interested ip ipphone jack jack's jb jill keep l label ldap leave little locality locked logged mail management manager mentioned middle mind mobile multiple name network notes numbers o objects offer office operations options organization otherfacsimiletelephonenumber otherhomephone otheripphone othermobile otherpager others othertelephone otherwise ou p page pager permissions personal phone physicaldeliveryofficename postal postalcode postofficebox previously primary properties property provide province public query read recipes region rein reports requirements result rules screen search securing shots show shown simply sn snap something st state stated states street streetaddress stringent surname syntax tab tabs take telephone telephonenumber telephones tell therefore title together total treats tree unfortunately united unless url us user user's users values web very wizard written wwwhomepage zip

Editing Multiple Users

15 2003 computers description edit enables feature inetorgperson multiple object objects possibly properties server simultaneously snap time types typically user users version windows

Other Operations to Manage Users InetOrgPersons and Contacts

account clicking contacts context copy created delete disable full home inetorgpersons key mail manipulate menu mouse move open operations packed page password perform possibly press properties ready rename reset right send shortcut users ways

Copying Users and InetOrgPersons

13 20 33 account accountexpires add adsi anticipate assistant attributes behave brevity c categories category city clicking co code codepage company computers copied copy copying country countrycode default defined department description division done edit employeetype enables explain facsimiletelephonenumber fax hand homedirectory homedrive identically included inetorgperson inetorgpersons it's l launches ldap likely localeid logon logonhours logonworkstation manager maxstorage meaningful memberof modify names necessary needing nice normal numbers object objects obviously office options otherfacsimiletelephonenumber otherloginworkstations others parentheses personal phone physicaldeliveryofficename postal postaladdress postalcode postofficebox preferredou primarygroupid profilepath programmatically properties property province region remaining represents right saves schema scratch script scriptpath selecting showinaddressbook showinadvancedviewonly similar snap st state street streetaddress talk template templates therefore time typical user useraccountcontrol users userworkstations values visible wizard workstations zip

Moving Users InetOrgPersons and Contacts

above assigned b being c choosing clicking command contacts ctrl cut destination discussed domain dragging forest group hand inetorgpersons inherited inherits keyboard keys line location mouse move moved movetree now object objects ok once opens ou pane paste permissions policies proceed regarding right selecting shift sibling snap support tool tree users usual within

Renaming Users InetOrgPersons and Contacts

16 17 appears box c chance clicking common contact copy corresponding dialog documents enables enter f2 field figures folder folders full home inetorgperson keep local logon mail manually name names object objects old once page path personal physical press pressing profile prompted properties refers reflect rename right script selected selecting settings show still third type user user's username web

Deleting Users InetOrgPersons and Contacts

assign assignments clicking confirm delete group id identifier inetorgperson key long mechanism memberships never none object old permissions pressing principal re resources reused right safety security selecting sid specifically undo user

Disabling User or InetOrgPerson Accounts

account box check company contains context delete dialog disable disabled effect enable freeze his icon inetorgperson limited menu months object operation out properties red six someone still tab time user

Resetting User or InetOrgPerson Passwords

access become context encrypted files forgotten he his inaccessible inetorgpersons' internet local longer mail menu messages never obvious operation password passwords reason reset saved user user's users' warning workstation

Opening Home Pages of Users InetOrgPersons and Contacts

browser context corresponding defined his home menu object open operation page property someone

Sending E-mail to Users InetOrgPersons and Contacts

address context corresponding defined her mail menu object operation property send someone

Administering Computer Objects

14 95 98 1993 2000 2003 account active administrative allows alone among applies apply assign assigned automatically b back book broader c categorize chapters clear command compares comparing computer computers container controller controllers corresponding couple creation d dcpromo default delegate delete depending dictates did differently directory disable discussed distinction domain dsadd exceptions feature focus follows group guid help helps include informational inherited installation installing integrated item items join joining location manage managed management managing manually member memberships microsoft model move nds netdom network non nt object objects operating ou ous part permissions place placeholder policies policy principal properties property purely purposes range remote remotely rename reset resources script security semiautomatically server servers service services short significant signifies slightly snap stand support systems tasks terms test ties tool treated try types user users version very while windows workgroup workstation workstations xp yes

Creating Computer Objects

14 15 18 19 20 64 256 2000 2048 $ active adsi aforementioned afterward allows alone appear appropriate assign automatically backup balancing becomes beyond bought box check choice client cn command comments common computer computer's computers container controller controllers correct created creation dc1 dc2 dcpromo default depends depth didn't directly directory displays dns dnshostname dollar domain downlevel dsadd during edit enables enter enterprise explained forest four get goes graphical group guid guids help identified implies indicate install installation installed internally introduced items join joining latter launch ldap length listed load locate managed manually manufacturers match maximum name names netbios netbootguid netbootmachinefilepath nt object objects offers onto option ou ous page pages permissions policies pre precreate prestaging previous professional prompted properties property rdn remote require required right rights ris rule running sam samaccountname schema screen selected selections sell sends server service services short show shown sign sitting snap specify stand store stores summary system target ten third time treatment tree turned unique updates user users various ways windows within wizard wizard's won't workstation workstations world xp

Setting Computer Object Properties

15 16 20 24 24 24 228 256 280 2000 2003 2048 3790 $ 0x1000 0x2000 active ad2000 administering appears behind binary bit book box boxes build button characters check checking choices comments communication computer computer's computers contact context controller correct cover created creating creation delegation described description dial directory discuss dn dns dnshostname dollar domain downlevel eighth explained explanatory fields functional gc general gets groups guid help helps id impersonation include index indicate indicates informational install installation installed interface internally ldap level location machine managed managedby manager's managing maximum member n name names netbios netbootguid netbootmachinefilepath normal object objects operating operatingsystem operatingsystemservicepack operatingsystemversion pack packs page permissions pre preceding precise present properties property provides purely read related relates remote ris role rule sam samaccountname saw scenes schema screen selected self sensitive server service settings seventh shots show sign signifies sitting sixth snap specifies stores string syntax system tab tabs takes trust unicode unique user useraccountcontrol users version windows wizard workstation xp yes

Other Operations to Manage Computer Objects

computer computers corresponding delete disable manage management manipulate move object objects operations rename reset

Moving Computer Objects

above assigned b being c choose command computer ctrl cut destination discussed domain domains drag forest group hand inherited inherits key keyboard line location mouse move moved movetree moving object objects ok once opens ou pane paste permissions policies right selecting shift sibling snap support tool tree users within

Deleting Computer Objects

account asks clicking computer confirm corresponding delete deletion domain key log longer mechanism memberships object old option part permissions pressing principal re right safety security selecting therefore undo user

Disabling Computer Accounts

account clicking computer controller disable doing domain logging object prevent right selecting sitting user users

Resetting Computer Accounts

21 2000 2003 $ able account accounts active addition administrator aforementioned again among authentication channel command communicate computer computername context controller corresponding directory domain dsmod enables enter error establish exchange his includes initial item joined known line local log logon logs lsa machine match member menu message netdom nltest nt object option password problem quotes receive receives reset resets resetting secret secure server sets shown sitting solve starts support things user username utilities value windows workgroup xp

Managing Computers

applications computer corresponding focus manage management object right server services sets snap starts storage system

Renaming Computers

2000 2003 button common computer control controllers discussed dns domain enter finally member name netbios object ok once operation panel password permission pre prompted rename renames renaming server system tab user user's windows workstation xp

Administering Groups

17 active addition administering administrators again applies applying assign assigning behave benefit brevity computer contacts course created deleting describes detail directory discuss discussion distribution effective extremely fact group groups handy identically individually inetorgperson inetorgpersons laborsaving mail mainly manage managing moving much network objects often once permissions policies printer properties purposes really save send separately show specifically target time treat user users work

Group Types

17 22 able access accesses active ad2003 addition administration allows application applications apply assign assigning audit available basic belongs briefly builds capable cheaper check commands company computer contact contacts contain contains controls corner course currently depending detail determine determining difference directly directory discussed distribution domain door doors enabled except existed expensive explained faster feature files folders functional gets group groups hand he identity illustrates indicates inetorgpersons introduced introduces it's labeled leads left less level line lines little log logon logs long lower mail member members membership memory miscellaneous nature natures needed needs network never normal notice nt object objects open operates operating part permissions policies policy possibly principal process purpose query question ram reason related remember represent resources scopes script security send server settings small smaller solid somewhat subset summarizes system terms therefore thin time token tokens traditional turn type types user user's users whatever why windows won't

Group Scopes

2000 2003 accept active addition administration anticipate behave categories category compatible depending differently directory distribution divided domain domains explain fall fine four functional functionality global group groups having important including indicates inside interim level levels local members mixed mode native nesting nt plan principles pure raised read regarding regardless scope scopes security server time types universal unless very windows

Group Scopes in Windows NT Compatible Functional Levels

17 23 24 200 accept access active add administrators allow alternative anything appropriate arrangement arrow arrows assign associated b bidirectional boxes can't catalog circle circles color compatible computer concentrating consequently contact containment conventions corresponding deny desirable did directory discuss disk distribution division domain domains dotted downward dramatically draw easier effect employee especially evaluation figures folder folders follow foreign forest freely functional get gets giving global go group groups her hide hires illustrates image include indicated indicates individually intend isolation kinds less level levels lines local long looked lower manage member members microsoft mirror move multidomain name naming nature needed needs nest normal now nt object objects often organization oriented pages permission permissions point preferred present print printer printers pure purposes put queried r rcolorprintersprint reasons recommends refers relationships remember replicated resource rules saves security server servers shared she shortcuts shorter shouldn't similar simplify situation space speeds stay subsequently symbolize term therefore thick thin trust trusts type typically universal upper user users valid valuable we'll versa vice windows visible words work worse

Example of Group Usage

17 25 38 able active actual allow along anything appropriate assign assistants associated basic box categories color compatible computer controller department deployed dialog directly directory domain efficient established everyone fassistants feel final fmanagers functional global group grouped groups handle handles illustrates imagine individual individually level levels limit local managers marketing member members nesting now nt objects ofinance omarketing once open organizational our ous perform permission permissions personnel present print printer printers properties pure put quickly raise rcolorprintersprint result seem server servers skip step steps still structure unnecessary usage users while windows workstation workstations

Group Scopes in Pure Active Directory Functional Levels

10 14 25 26 27 28 29 350 2000 2003 accept accurate active actual again arrow arrows b basic bottom boundaries building c clear combinations compatible complex complicated computer contacts couldn't crossing d deciding delve described directory discuss discussion distinction distribution domain domains except far figures forget freely functional global going group groups having higher illustrates image images imagine indicate indicated introduces keep left level levels lines local lower member members mention mixed needed nest now nt object objects obviously out path planning pray preceding preferred pure reality remaining remember removed representation resources restrictions scope scopes security separately server show shown sites situation six still strategies symbolizes symmetrical therefore thick third times top types uncluttered universal unlike upper users valid we'll windows within words work

Built-in Local Groups

29 account administrators aspect belong built builtin concept concerns container domain group groups illustrates local nest operators reside scopes security technically therefore versa vice

Managing Groups

before book changing clear computers creating deleting environment figures global graphically group groups having head help image implement includes indicate interface mail manage managing memberships moving now paper perhaps planning presented primary production properties put read ready renaming scope scopes sending snap suggest tasks type types universal user users visual visualize

Creating Groups

18 19 30 64 256 2000 according active add adding addition alphabetical appears applications arise assign assigning aware becomes box boxes calls cn color common computers confuse confusion consider course created criteria d define describes description descriptive despite dialog directory distribution domain enabled examples f fassistants fsalesmen function functionality gives global group grouping groups gs gssales help her him hint identifiers indicate interface l label ldap length letter letters likely local logical ls lscolorprint lssapuse making manager match maximum meaning name names naming non o object ochannelsales odirectsales old organization organizational ou ous ousales permissions pre presents print properties property r rcolorprint rdn required resource resources right rsapuse s salesmen samaccountname sap scope screen security sequentially shot shown similar snap software sort standing structure suggestions symbol symbols target therefore throughout too tree type types unique universal unlikely us user users ussapusers windows within

Changing Group Type or Scope

31 2000 2003 active alternative can't catalog compatible consequently controller controllers directly directory domain domain's enable enables except forbidden forest functional global group groups illegal lead level levels local members memberships multidomain native none nt obviously perform pure raising restrictions scope server situation terms type universal unless versa via vice windows

Managing Group Memberships

0 2000 2003 account ad2000 ad2003 add administrators advise allows apply assistant authenticates become becomes computer computer's computers connection contact controller controllers creates delegate domain drag effective emulator forest function functional great group groups incoming interim latency level limit logs lost manage management member members membership memberships modified modify multivalued objects ou part pdc perhaps permission place previous property reason remove replication restarted risk running scenarios self server simultaneously snap structure tab take takes themselves time tree typically user user's users warning ways windows within workstation

The Members Tab of the Group

32 33 34 2000 2003 add added advanced before box brings button check choose clicking computers consuming contacts currently default dialog directory display domain enter entire field find folder group groups gssales guess intended large location manage matches member members name names now object objects ok opens prompted properties remove right selecting semicolons separate separators server show showed shown tab time type typed users valid windows you'll

The Member Of Tab of the Incoming Member

belongs boxes computer consequent contact dialog domains forest group groups member members object objects tab universal user work

Add to a Group Function

2000 accessed add child choose contact contacts context group include item members menu object objects option ou ous place right selected user users windows

Setting a User's Primary Group

0 0 100 2000 apple application apply computer computers consequently default domain else forest functional global group groups includes kind level macintosh maximum member members move needed object object's out posix primary primarygroupid property rather remove running security something subsystem tab therefore universal unix user user's users windows won't workstations

Setting Group Properties

20 24 24 35 107 132 256 2000 2003 active ad2000 appears behind box characters check column comments computers contact contains context default description despite directory discussed displays distinguished dn explanatory field fields gc general get gets group help index info informational interface label ldap mail managed managedby manager manager's maximum member members membership modify mostly n name non ntsecuritydescriptor object objects old permission pre previous properties property provides purely samaccountname scenes scope sections self sensitive server settings shown snap software syntax tab throughout type unicode update user users version windows visible

Moving Groups

above assigned b being c choose command ctrl cut destination discussed domain domains drag forest group groups hand inherited inherits key keyboard line location mouse move moved movetree moving object objects ok once opens ou ous pane paste permissions right selecting shift sibling snap support tool tree within

Renaming Groups

2000 appears box chance clicking dialog enter f2 gives group groups name pre press pressing rename right selecting too type windows

Deleting Groups

clicking confirm delete group key mechanism memberships object old permissions pressing principal re right safety security selecting therefore undo user

Sending E-mail to Groups

address application context defined feature group mail menu naturally operation send work

Planning Groups

access administrative application before best burden concentrates cost decide deciding describes directory discuss distribution effectively efficiency enabled explained feature group groups indicate intend involves kind knowledge letters little manageability mechanics names network now often pays planning properties scopes security specific strategies study terms tokens types universal

Universal Groups Revisited

17 21 36 289 access achieve active actually ad2000 addition along applicable assigned behind benefit benefits brought care catalog checking choice claims column come comes confidence consuming contains contradictory controller cost costs crossing cumbersome determine direct directory domain domains easy effective effectively efficient elsewhere enterprise environment expensive explains explanation extra fairly feasible find forest free global group groups his implement introduce issue large larger leads learn limitations links local logon mean members membership memberships memory microsoft minimize multiple needed neither nesting networking networks occasionally occur often originally out outcome permissions planned present problem prompts provide provided question rationale read reads reason recall related removed replicated require resources result rightmost run scope scopes server site sites sitting slower small sound still suitable summarize take takes test therefore throughout time times tokens universal until user's users wan ways very why work world yet

Three Group Strategies

37 according active adding administration always approaches appropriate assign away b backups basic before c care carried choice choose class comfortable comments confuse containing cost course depending develop directory domain domains easily else experience extra feel final fine get global group groups her hierarchy holds illustrates learn level levels likely little local logical lose maybe member members membership month mostly move much multiple nds needs nesting network network's novell nt object organizing perhaps permissions person predefined provide put rather removing resources role scope scopes sense simplify sites size someone strategies strategy takes taking think time too track universal usage user users windows you'll

Efficient Group Nesting

25 38 39 across active addition administration affect allowed almost approach assign assigning b boston boundaries call choose color comments confused consequently corresponding cover cross delegated denote denoted deserves develop directly directory distinguishable division domain domains due efficient event excessive explained feel fourth free functional geographical global group groups groups' illustrated illustration implement intermediate l1 l1boston l1cambridge l2 l2massachusetts l3 l3usa larger largest less levels likely local location locations lower lowercase manage management massachusetts match matches member members memberships minimal model necessary nest nesting nothing o0acctpayabledoma o0acctpayabledomb o1 o1acctpayable o2 o3 obviously ones organization organizational oriented ou ous permission person place present printer printers pure put putting relatively replication resource responsible restrictions scenario scenarios scopes se server shown similarly simplify single small smallest step steps structure systematic tree unit universal unlikely upper uppercase user users various whatever work

Tips on Tools

active addition available before computers conclude covered directory haven't helpful main manage objects often say snap tips tool users we'll words yet

The Users and Computers Snap-In

briefly computers fill holes snap throughout users we'll

Choosing a Domain

active clicking computers connect directory domain left line name pane right selecting specifying typing uppermost users

Choosing a Domain Controller

40 active box choose clicking communicate computers connect controller controller's dialog directory domain left line name pane right selecting shown sometimes specify typing uppermost users

Finding Objects and Information

2003 accounts common context criteria disabled domain enables feature find havenít includes item logged match menu months object objects ou queries search server things user windows

Filter Options

browse container enables feature filter filtering finding includes menu objects options snap specify various view

Saved Queries

41 2003 actual alternatives clicking computers define directly displays domain feature finally folder form friendly hand home implies include includes ldap learn left myriad name needs often pane point property queries query root save saved server shown snap specify starting store string subcontainers suits type user users version windows

Viewing Advanced Features

adaptations advanced authorization conflict container containers data defines directory discuss domain due explained finally group groups includes interface lost lostandfound manager maximum menu miscellaneous ntds object objects pages parent policy principals program property query quota quotas replication security show snap specific specifications system tab tabs things turn user view

DSAdd and Other Command-Line Tools

42 43 44 2003 account add addition center command commands computers contacts delete display dsadd dsmod dsquery enables group groups handy help includes input ldap line members modify move name names object objects operations ou ous output piping properties provided quota search selection server shown six specifications specify support switches type types user users wider windows

Alternative Means to Manage Users and Other Objects

10 11 20 active addition administration adsi anything automate available batch chapters command commands computers csvde directory download edit enable everyday everything explain export file files further get help import includes including individual inherited internet lan ldifde manage manager managing net nt objects occasionally operating part places practical properties provide quotes scripts snap structure support system tool typing understand users while windows write wsh


access active address administrative assigning assumed chapters computers control designing directory discussed examples explain explains focused full good group groups introduce kit mainly manage management objects permissions point practical pretty resource rights scripting snap support tool understanding user users windows

Chapter 4
Securing Active Directory

accept access active administrative administrators always architecture assumes authentication background behind benefit briefly chapter's control controllers default delegation delve describe directory directory's discuss discussing discussion domain elements examine explanation explore facilitate fact filtering final forests general groups illustrate implement importance individual interface introduce kinds main manage management managing manually mechanisms move name normally object objects our ous permission permissions physical practical presented previous programmers protect related review right rights routing scenarios sections secure security selective separate sid situations step stress suffix system tables topic trusts underlying user users various ways whole windows wizard work works

Introduction to Windows Security

2000 2003 aaa acceptable access accommodate active addition administer administering administration administrator administrators affect against allows alt alternatively analysis analyze application appropriate areas assign auditing authenticate authentication authorization back backing backups beginning briefly businesses capturing card cases certificates checks choices chooses components computer computers concern configuration consequently console control correct corresponding ctrl current data delete designed determines digital directory disable discuss disk documents doing domains editor efs enables encrypting enforce enhance ensure enter era exe explanation explorer faxes file files focuses folder folders gaining gives group groups he her identification identity include includes infrastructure interactive internet intranet introduce ipsec kerberos key keys lan latter local locally log logon major malicious management manager manually mentioned mentions merely mind modification modify msc name names needed needs network nt ntlm object objects occurs offers often once ones operations others otherwise override password permission permissions personal pin pki place policy preferable printer printers process programs properties protection protects protocols proves provides public putting querying read reader regedit registry related require required requirement resource resources respect result right rights scripting secpol securing security server servers service services settings shares she sign signing simply single sites sitting smart snap software specific ssl starts stop support supposed system systemwide takes tampered target technologies tells templates therefore things time type typical typing unauthorized underlying unfortunately usage user user's users utilities utility values various version very whole window windows wire workstations xp

Background for Active Directory Access Control

able access active address addresses administrative administrator administrators assistant being benefit checks control controlled denied department depending directory fax full granted groups he her learn levels limited looks mail modify numbers object objects obviously operated ordinary otherwise ous partial perhaps permission permissions person powered previous properties read requested result rights study system tries user users usersí various world

Controlling Access

access active addition allowed allows always appropriate catalog concepts contains control defined delete determine developer directory else empty entries everyone exists full global groups identifies illustrates implies individual modify name ntsecuritydescriptor object objects owner owns part party permission permissions properties property read reality resources search she shown someone specifies specify users various

Security Principals

access account active actually always anticipation architecture assign background best choice computer concept condition control directly directory domain equivalence four future gets global group groups gssales he himself image include inetorgperson interactive iop it's jack jill known left leverage local logged making matter meets member microsoft nds object objects obviously ous permissions principal principals process remember resources right running security shown side stands system type types unattached under universal user users while via

Well-Known Security Principals

19 20 2000 2003 access accessed accessing account accounts across active actual actually add administrators affect allow allowed allowing among anonymous anyone application applies appropriate architecture assign assigned authenticate authenticated authenticating authentication authorization automatically available b background batch becomes becoming being better boxes briefly built came card center certificate channel check child choice choose circumstances clients comes command common commonly communications compared compatibility computer computer's computers confuse connection consequently control controller controllers corresponding created creator credentials data default delete denied depends described description designate desktop determined dial dialog dialup did digest directory displayed domain domainwide dynamic dynamically effective enabled enterprise error especially everyone examples except exceptions exist explained explains explanation extend external fewer fifth files firewall fixed forest forests forestwide four future get gets giving good got granted group groups guest habit happens he help helpful himself his hkey honor http identities iis include included includes increased indicates inherited interactive introduce introduced involved itself jack jobs kerberos key keyboard known layer let local localgroup locally localsystem logged logon made mean member members methods microsoft mode negotiate net network normal now nt ntlm null object objects operation operations operators organization ou out outside owner packages part party password pct permission permissions person pki placeholder plus preceding preprogrammed presence present presents primary principal principals print printer private process protocol provides proxy put query queue real reason receive referred refers registry remote rename represents request reserved resides resource restricted rights run running s safer sasl schannel scheduler secure security selective self server servers service services session settings short shouldn't simple sitting smart snap sockets sometimes somewhat special specifying ssl started starting still subkey succeeds support system task technology term terminal themselves therefore think third time tls token transport triggers trust trusted turn type under unless user username users valid version versions whose wide windows virtual words workstations vpn xp

Managing Active Directory Permissions

able accidentally account acl active administrative advanced anything apply appropriate assign assumption become behind best blocking choices computers control cope correct cover default defaults delegation deliberately determine directory discover discuss discussed domain editor entries excess explained explore finally fine former functionality granular groups inheritance interface kind latter learn loose loss makes making manage manual manually mechanisms modify network object objects ok operators opposite order ou owner permission permissions predefined preference problem proceed production put reason recommend remember remove removing restore result results risk security settings similar small snap someone tab talk templates test tight too turn understand unwanted user users various wizard won't work wrong

Permission Concepts

access aces active affects again analogous assign assigned atomic basic before build child class classes clear concepts contents control controller dacls define delete deny descriptors differences directory distinction domain effect eleven enables everything explained file files folder folders full goal group immediately individual inheritance inherited interface introduce level levels log look lower major manage management maps mean mind model modify nt ntfs numerous object objects off old overview owner owners parent password permission permissions propagate properties property rather read replicated replication reset security seldom similar special standard subtree take target third topology turn upper user user's ways we'll whole windows write

Anatomy of ACL Editor Dialog Boxes

acl advanced area assign b basic box boxes button c complicated cover d detail dialog discuss editor entries follow four help illustrates individual inheritance little mention object objects permission permissions polishing properties property screen sections seem sets shot show special standard study understand ways we'll via view

Dialog Box A

accurate add adds advanced allow always appears applies apply applying appropriate automatically away b bar basic before box boxes brown button buttons cases check checked child class clear clicking consequently correspond corresponding denied deny describes description dialog difference element elements exactly get gets granted grayed group include indicate indicates inheritance inherited jack level lines look looking lowermost marks modify name names now object objects obviously ok once opening out passed permission permissions preceding present principals properties property question read related remove right security selected sets show shown something special standard sure takes target tell title uncheck unfortunately upper user warning whole won't

Dialog Box B

50 above access ace active actual actually add advanced allow appear applies apply associated b back box briefly button buttons c cancel characteristics check child clicking column combination consequently contains control correspond cover created creation d default deny depending describes description dialog dictates directory disappear display displays edit effect element elements enable entries entry except existed familiar fit full funny further get giving granted header include indicate individual inherit inheritable inheritance inherited jack latter least level levels line lines looking lower modify multiplied name nt object objects obviously ok pass permission permissions place principal prohibiting properties property read related remove removed removing reopen replaced restore results right s saved scope security selected side single sometimes sort special specify standard store subsequently sure takes target term times tip type unlike upper warning view windows write

Dialog Box C

applies apply beneath box boxes button c check checking children class clear clears clicking current default defines describes description determines dialog displays element elements entry field grayed indicate inheritance inherited level limit loses marks modify name object onto original out owner permission permissions principal s scope security selected shown special tree whole

Dialog Box D

access area box c contains d dialog difference elements fields individual items object permissions properties property public remaining remote sets special standard study we'll web visible

Summary of the Dialog Boxes

13 addition b box boxes c categories child class classes consequently container contains contents control d delete dialog divided domain eleven extended full group include individual manage marks modify object objects owner parentheses password permission permissions properties property put read replication reset rights show special specified standard subtree summary time topology type user various write

Standard and Special Object Permissions

11 accurately addition allowed among approximation authenticate b basic box boxes c categories categorizing category child class comments computer contact container containers control d define delete delve describe dialog enough exist extended full general good granular idea indicates individual internally keep listed maybe mind object objects others password permissions practically properties read receive relationship remember reset rights send seven slightly special standard suggested switch therefore thirteen try type user while write you'll

Standard Object Permissions

10 actually autochecked autochecks automatically back box boxes c check checked checking child combination contains contents control corresponding default delete dialog enabled extended full functionality go likewise mappings maps matches modify object objects others outside owner password permission permissions properties quickly read rights shortcut special standard subset subtree validated visible write writes

Thirteen or 11 Individual Permissions

10 11 13 2003 able accessmask active actually add apply auditing b being bit box c category child children claim class classes container contents correct corresponds count default delete dialog directories directory dns else enable enabled entry equal examples except explanation extended field files functionality giving host immediate implies include likely modify name names now object objects operation owner ownership perform performing permission permissions person principal programmatically properties property read refers restore right rights root server service settings show someone special starting subtree syntax take technically time types unless user validate validated windows visible works write writes

Enabling and Using the List Object Permission

1 adsi allows alternate ambiguous anr block box c character child cn com configuration contains contents controls corresponds cover dc default define dialog directory dsheuristics edit enable enough existence fourth functionality grant he hiding him immediate indicates individual inheritance invisible left modify name normally nt object objects obviously otherwise parent permission permissions propagate properties property quotes read related remaining resolution sanao scenarios sees service services someone string suppressed syntax third user value various while viewing windows visible words work write

The List Object Permission Peculiarity

2000 active actually aforementioned authenticated b box boxes c c's causing consequently consider contains contents corresponded corresponds course default definition dialog directory disabled display dropped dsheuristics enable enabled entries entry fact final four fourth functionality get gets grant group hurt inactive include incomplete inconvenience incorrect interface invisible jack jack's latter listed management map maps microsoft now object old peculiarity permission permissions prerelease properties property read release seeing seems she show since slight someone special standard still unless user users ways version windows wrong

Extended Rights

12 13 39 52 2000 2003 $ 31b2 abandon access active ad2000 ad2003 add address addressbookcontainer administer administrator allocate allowed allows application applications apply architecture authenticate authentication bit box cache changed check choose class classes cn collection com computer configuration connector consequently contact control corresponding course crossrefcontainer dc dead default define defines describe describes detail directory discussed dmd dns domain domaindns domains enable enabled encrypted enroll entire enumerate except exchange excluding execute exist exists explanation explanatory extended external familiar folder folders forest forests forgotten function garbage generate group grouppolicycontainer guid her hierarchy history host inbound inetorgperson infrastructure infrastructureupdate inheritance journal known less letter listed logging logons manage manager master meaning member message migrate monitor msds msmq msmqconfiguration msmqqueue name names ntds ntdsdsa object objects old ones open operating organizationalunit out outside partition partitions password pdc peek permission permissions phantoms pkicertificatetemplate planning policies policy previous principal query queue quota quotacontainer quotas reanimate recalculate receive refresh relates remove replica replicating replication required reset resultant reversibly rid ridmanager rids rights root sam samserver sanao schema script security selective self send server service settings share shared sid site special stale synchronization system tombstones topology trivial trust try understand unexpire update user user's validated windows wishes won't words write

Create Delete Objects of a Certain Class

addition applicable child class delete giving object objects permission separately user

Permissions for Object Properties

active actually addition advanced basis box classes control d dialog directory discuss edit groups individual item modify object owner permission permissions present properties property read sets special subsections tab technically types various view write

Permissions for Property Sets

10 12 14 15 16 17 18 19 20 21 34 840 2000 abbreviation abstract access account accountexpires acl active ad2000 ad2003 add added addition additionaldnshostname address addresses admindescription administration administrators adsi affected allow allowedattributes allowedattributeseffective allowedchildclasses allowedchildclasseseffective allowedtodelegateto along altsecurityidentities applicable applies appropriate approx assistant attribute attributes auxiliary back background badpwdcount base belong box bug c cert certificates checking city class classes cn co code codepage columns comment comments common company computed computer computers connect consequently contact contains control corresponding country country's countrycode default defined delegate department described description didn't direct directory directreports display displayname displaynameprintable displays dist distinguishedname division dns dnshostname domain domaindns domainreplica editable editor email equivalent except exist expires extended facsimiletelephonenumber fax field fixed folder forcelogoff found gave general gets givenname giving gpo grant grayed group groups he home homedirectory homedrive homephone homepostaladdress host hours illustrated immed include included includes indicates inetorgperson info initials internationalisdnnumber ip ipphone isdn iso l lastlogoff lastlogon lastlogontimestamp ldap legacyexchangedn length likely link local locality lockout lockoutduration lockoutobservationwindow lockoutthreshold log logon logoncount logonhours logonworkstation mail manager maxpwdage meaning member memberof members membership mentioned microsoft minimum minpwdage minpwdlength mobile modifications modified modifiedcount modify msds msmqdigests msmqsigncertificates msnpallowdialin msnpcallingstationid msradiuscallbacknumber msradiusframedipaddress msradiusframedroute msradiusservicetype n name never nonadmin normal notes nothing notice now nt4 numeric o obj object objectcategory objectclass objectguid objects objectsid oeminformation office old once options organization organizational oriented otherfacsimiletelephonenumber otherhomephone otheripphone othermailbox othermobile otherpager others othertelephone ou out outcome p page pager parameters parentheses partly password path permission permissions person personal personaltitle phone physicaldeliveryofficename picture policies policy postal postaladdress postalcode postofficebox pre preferreddeliverymethod primary primarygroupid primaryinternationalisdnnumber primarytelexnumber profile profilepath promised properties property province proxyaddresses public published pwdhistorylength pwdlastset pwdproperties ras rdn read reads region registeredaddress remaining remote reports respectively restrictions rights sam samaccountname samaccounttype schema script scriptpath sdrightseffective seems serverrole serverstate serviceprincipalname sets seven showinaddressbook showinadvancedviewonly sidhistory sn snap someone specify st state states still store street streetaddress subordinates surname sync systemflags tab tables tabs telephone telephonenumber telephones teletexterminalidentifier telex telexnumber theory therefore thumbnailphoto title tokengroups tokengroupsglobalanduniversal tokengroupsnogcacceptable told uascompat uid unfortunately unit united updated url us user user's useraccountcontrol usercert usercertificate userparameters userprincipalname users usersharedfolder usersharedfolderother usersmimecertificate userworkstations value values warning web whenever while white windows visible work workstations wouldn't write writes www wwwhomepage x121address x509 zip

Permissions for Individual Properties

0 12 22 49 50 65 71 120 207 257 409 acl acspolicyname ad2000 ad2003 added address administrators apply attributes backup box brackets choices class classes cn com compared computer computers configuration consecutive container contains contents copy corresponding d dat dc default descriptive dialog display displayspecifiers dscorepropagationdata dssec edit editing editor explained file filtered find folder givenname gives going header included individual individually interesting invisible ldap line lines locate mail mhsoraddress microsoft missing modify mostly name names needs none normally now objects often once onto open ordinary others ou out pages perform permission permissions properties property read remove restart run sanao servers shouldn't show shown siteobjectbl sn snap specified specifies specify steps subsequent system32 unsatisfactory user users usersharedfolder value values version while winnt visible workstations write

Renaming Objects

22 able acl active adsi allow alternatives applies box boxes check class clear cn computers consequently contact contacts container corresponds d dc depending dialog directory display easy edit editor exactly explain former giving latter ldap line lines n name names naming object objects ou parent permission preceding process properties property rare rdn recall remember rename renaming single slightly snap too trickier user users write writing

Permissions in Applications

2000 active add adds anything application applications apply b box boxes buys c company creating d decide developers develops dialog directory extended forest four launch listed objects part permission permissions previous properties property question rights salary schema sets system user windows visible wouldn't write


access accessed aces active add advantage affects apply appropriate assigned beneath carry check checking child children choose completely container control controllers copies copy copying database declines descriptor directly directory domain dynamic filters flag force humans immediate improvements indicates inherit inheritable inheritance inherited inherits itself level locally machines nds needs nothing nt nt's ntfs object objects old opening option ou parent permission permissions power processor receive recognize replace replicated requires security significant space specify static subdirectories subordinate takes thousand tree type types upper ways while whole windows won't word

Choosing If a Child Allows Inheritance

10 2003 above add administrative again allow apply b before below best bottom box browse check checked child children clear clicking container copy created default defined deny dialog disabling dismiss displayed easy entries explicitly get hierarchy impact include inheritable inheritance inherited it's message normally now object objects off ok once operating owner parent pass performance permission permissions previously propagate read remember remove restore result server shown someone still stop stopped turn twice unnecessary warning windows won't yes you'll

Choosing If a Parent Wants a Child to Inherit

11 70 add affect allow apply b beneath box cases check child children choices choose choosing circles classes container containers control course decide default define dialog enable entry filled four illustrates immediate inherit inheritance interface limit link meaning none object objects options parentheses permission permissions printer provided scope site time tree type user various whole within


12 2000 2003 access active ad2000 ad2003 administrator administrators admins always anyone anything apply back becomes before button choose clicking connected control controller controllers course created creator decide default depends directories directory domain else ensured except files finally full giving group groups he her himself member modify normal notices object objects ok original owner ownership part permission permissions requires restore right rights selecting server settings she similar someone starting take takes too user users windows True

Creator Owner

13 active administrator appear apply applying assign becomes cause child children cn com created creates creator dc directory entries entry future get he helen illustrates immediate inherited jack known lose now object objects old ou owner ownership permission permissions present principal principals properties sales sanao security special specify steps user users write

How Permissions Accumulate

accumulation active affect allow apply assigned belongs cumulative deny described directly directory dynamic exception granted groups he him indirectly inheritance known normal object permissions precedence principals rule security sums take target user windows

Effective Permissions

11 13 account acl allow anonymous approximation authenticated batch boxes c calculation choices contains controllers creator d default determined dialog dialup domain editor effective enterprise essential exclusion extended granted group included individual interactive interface local logon memberships network notably organization performing permission permissions person principal principals properties property proxy query read remote restricted rights security server service sets special specify system tab take terminal user users visible

Deny Permissions and the Ordering of Permission Entries

14 15 16 119 2003 access account acl active actual actually adds advantages affect aforementioned allow allowed almost application assign before beginning better broad child clicking column component consequently creation currently default denied denies deny deselect deselecting determine deviate dictates directory disk disorders duty easier easy editor effect effective enough entries entry evaluate evaluated evaluates evaluating except exception exchange exclude fewer fifth file finds follows freely future generate generates generation get gets getting grants group groups headers hides implement individual inherited interface internal jack kind latter leads least main management membership message monitor narrower noninherited object objects obviously operators order ordered otherwise override overrides performance performs permission permissions precedence preferred properties property protected purposely purposes reference remaining remember requested result results returns scenario security separate server sets shown single smaller someone sometimes soon sort srm starting steps stops storage take time tried tries unusual user users walking wanted warning weaker windows work write writing yes

Permission Performance

11 13 32 access accessing acl active advantages allow along architecture article avoid b background base better bit box cache child combination consequently control controller cover custom database delete determining dialog differently directory discussion disk domain down easy editor entries entry evaluate evaluation expressed extended faster fewer fit fits full granting having include includes individual inheritance knowledge large larger less lines listed little match microsoft monitor needs nicely object objects obvious offers ou passed permission permissions point properties property q271876 read reduce requires right rights separate show similarly single slow space specify standard store sum take therefore tree types user ways while viable write


11 18 access acldiag admins allow allows authenticated authority boston check com command common compare contain contents control controller controllers correctly dc defaults delegation detailed discussed display domain dsacls effective enables enterprise entries entry excel four full heading include includes individual line lines look modify nt object object’s ou output permission permissions permissons present property read related replicated sanao schema scripts sdcheck special support system tasks third tool users verify windows wizard’s

AdminSDHolder Object

2000 817433 account accounts acl active ad2000 ad2003 added adding addition admincount administrative administrator administrators admins adminsdholder affected again allow applying article attribute automatically backup base become before better boston brown check checks clear cleared cn com command commands consequently considerations container containers contains controller controllers converted d dc default differing direct directory distribution dn domain dsacls during editor enterprise entries existed extended extends f file grant graphical group groups her holds hour hourly hurt identical identified include included indirect inherit inheritance it’s jack knowledge krbtgt l ldifde level listed longer lower manually master mechanism mechanisms member members memberships microsoft modifies modify months n normal normally object objects old operators options ou p pdc performs perhaps permission permissions powerful print problem prot protect protected protection r read reason recommend reenable reflect related removal removed replicator resides respectively restoration restore right role s sanao schema security seem server sets settings six somewhat sp4 special specify still stops stricter system takes txt unwanted uppercase user users valid value while whoami windows won’t

Delegation of Control Wizard

acl active administrative alternative approximately assign assigning b behind boxes c cases comfortable compared control d delegating delegation designated dialog directory discuss domain easier editor else explains fine get implement interface introduce learn managing manually mechanisms mentioned microsoft naturally objects offers permission permissions possibilities previous primary quickly reason recommends right scenarios separate short shortcut shouldn’t small someone straightforward subset tasks things tool tune typical usage user various why wizard

Common Tasks

11 17 18 23 2000 2003 accounts ad2000 ad2003 adds administrators advise anything apply assistant beneath characteristics child choose class clicking common computer consequently container containers control controller controllers custom define delegate delegating delegation delete domain domains else emulator entries filters force forest full functional generate get good gplink gpoptions group groups idea identical illustrate independent inetorgpersons inheritance interim it’s join latency level links logon losing lost manage management member members membership memberships mixed modifications modified modify mswmi multivalued native nine normally object objects offers option ou ous password passwords pdc perhaps permission permissions planning policy predefined present properties property pwdlastset raised read replicated replication reset result resultant resulting right risk save screen selecting selections separately server shots simultaneously sites six som space specify stop target task tasks tree user users warning whole windows within wizard wmi write

Customizing the List of Common Tasks

11 23 190 able accounts acronyms add addition again appliestoclasses apply available beginning causes cc child children class classes common computer container control dc default defined defines definition delegate delegated delegation delegwiz delete described description descriptive descriptor difference domain domaindns easy edit eight enables entries entry explained file finished folder full ga generic gets granted heading includes indicates induces inf inserting interpret language ldap line lines listed lock locked lockouttime lowercase manage microsoft modify name needs object objects objecttypes once organizationalunit others permission permissions preceding present property reading relatively remaining rp run sample scope sddl security show slightly small specified specify stands state straightforward syntax task tasks template template1 template14 templates trickier unlock uppercase user while winnt wizard words wp

Custom Tasks

11 13 17 18 19 20 71 accustomed acl actually affects again alternative always appear applies apply b below benefit box boxes branch c capability check classes clearly clicking common completed contents control creating custom customize d dat delegate delegation delete dialog discussed dssec editor educational everything get grant granted great group happened help include inheritance interface main object objects offer opening outcome perform performing perhaps permissions previous properties property resulting right screen selected selecting special step steps stop subtree target task tasks tree types user whole wished visible wizard wizard’s


2003 accompanying asks before boston com command commands consequently control cover dc delegation delete document domain download dsrevoke exe file follow granting http jack latter line microsoft november object objects ou ous permissions refrained released remove removes removing report root sample sanao sensibly tool verification wizard word www

Default Permissions for Objects

active come default defaults directory it’s permissions preferable reason said something specifically unless

Sources of Default Permissions

access accumulate active addition administrative admins adminsdholder allow apply appropriate class classes combined command container containers contains control created decided default defaults definition definitions described directory domain dsacls effect except exception forest group groups inheritable inheritance inherited installation listed members microsoft object objects parent part permissions policy predefined restore s schema sources specific types users

Common Features of Default Permissions

2000 access account ad2000 ad2003 add addition administrator administrators admins advanced allow almost authenticated backup builtin common compatible computers container controllers default denies deny desired domain domains enterprise entries everyone except exceptions external forest general group groups guest inetorgperson inheritable inheritance inherited item krbtgt member members naturally object objects operators pass password permission permissions personal pre predefined print properties public read redundantly replicator schema self server snap trusted turn turned users web windows visible

Pre-Windows 2000 Compatible Access

2000 2003 access accordingly active add anonymous authenticated choice chose command compatible computers default delete determined directory domain everyone existence group groups guest includes inetorgperson installation installed known localgroup logon made member members membership modify net nt objects operating option permission permissions pre principals properties remember remote running security selected server servers service services snap systems time users windows

Listing Default Permissions

11 24 25 26 27 28 29 30 31 32 2000 access account acl acldiag ad2000 ad2003 add administrators administrators’ admins affect allow anytime applicable apply attributes authenticated authorization bit block builders cert child clearer com combinations compatible comprehensive computer computers contact contain container containers contents control controller controllers copy corresponding default delete described description difference directory display divided dns domain dropped dsacls editor enable encrypted enterprise entries everyone excel except extended folder forest full general group host http ias identical inbound include incoming inetorgperson inheritable inheritance inherited install jack keep kouti license listed localsystem logon mail manage map meaningless membership mention name noninheritable object objects ones operators options ou overview password permission permissions personal phone pre predefined principal print printer properties property public publishers ras read receive redundant remember remote replicating replication required restrictions reversibly rights scripts sdcheck security self send server servers service shared shorter shown subtree synchronization tables terminal terminalserver tokengroups tokengroupsglobalanduniversal topology trust type unexpire update user usercertificate users vain validated various vbs web windows workstation workstations write www

Where Security Principals Have Permissions

33 2000 access account administrator administrators admins allow authenticated authorization backup brief builders builtin cert column compatible computer computers configuration contact container control controllers creator dc delete deletes desktop dnsadmins dnsupdateproxy domain enterprise except extended folder forest four full general group guests headers helps ias incoming inetorgperson inheritance krbtgt license log monitor network object operator operators ou owners password performance permissions person personal perspective policy pre preceding principals print public publishers ras read remote replication replicator rights schema security send server servers serves shared subtree summary tables takes target terminal trust typical user users web windows

Changing Default ACLs

access class classschema cn com command configuration control d dc default defaults defaultsecuritydescriptor definition definitions descriptor descriptors explain f forest l language ldifde lines meet modify name needs object objectcategory part property r replacing sanao schema sddl security shown specifies txt type wrapping

Usage Scenarios for Active Directory Permissions

acl active addition adjust administration allow allows almost assign combine control corresponding default delegate delegation describe directory editor generally goal goals hand he her implementation independently made manage manually methods modify objects permission permissions properties relate s scenarios seen someone speaking user ways wizard

General Practices

150 209 225 2003 2004 access accidentally accompanying act active actual ad2003 administration administrator appendix assign assistant b before being best block com comprehensive control created creating delegate delegated delegating delete directory document documenting documents download easy else establish extended force fortunately full general get group groups gssalesadministrator guide he http individual inheritance installations items january latter makes manage managers member microsoft modify november numerous object ou owner ownership page permission permissions practice practices published put reading recommends related remember restore rights role sales scenarios securing security self server someone soon still sure tables take user username users windows www True

Delegation Scenarios to Make Changes

able address administration administrator aspects assigning assistant b beneath benefits better block blocking c carry clear close company computer control cross d delegate delegating delegation department did domain employees enough f followed function functions get gets group h he her him his implement informational job maintain maintains manage managing maybe members modify naming near needed network noninformational object objects offer often organization ou ous out part partial passwords permission permissions policies policy possibilities possibly printers proper properties property reduces reset resources responsible s scenario scenarios secretary separate service she significant someone something spans standards support task technology time title total tree turn type user user’s users users’ whole whomever workload workstations zone zones

Scenario A Delegating an OU Tree with Possible Blocking

accept accomplish account acl administrative administrator administrators admins affects allow alternative anymore appropriate asks assign assigned assistant automatic back base become being beneath block child choose completely container control copy created creation custom default defined delegate delegated delegation depending didn’t directly disallow disallowing disallows domain domains editor enterprise entry evaluate explain folder forest full gave get giving go goal gpos group gssalesadministrator had happen he him his including independence independent inheritable inheritance inherited keep lets level links longer made manage member members modification modify neither object objects operators options ou ous out outside ownership parent perform permission permissions policy practical previous previously really remove removes removing scenario schema simply solutions specify step steps still stops take takes taking talk target task therefore total tree types unless unnecessary user wants various warning very whole wizard wouldn’t yourself

Scenario B Delegating an OU Tree without Blocking

access account achieve acl administration administrator allow assistant base block child control delegate delete difference editor entries except full goal gssalesadministrator happens he him let manage modify object objects ou out owner ownership permission permissions remember scenario similar sub take therefore time tree user yourself

Scenario C Delegating Administration of Group Policy

21 account acl addition administration administrative administrator alternative apply appropriate approximately assign assigning assistant box button child choose console contents context control creates creating creator delegated delegating delete dialog discussed domain easier edit editor enough enter equal except explained full giving global gplink gpmc gpo gpos grant group he him his installed jack likely local making manage management member members menu methods modify name objects once option options ou ous owner owners permission permissions policy preceding precise pressed process properties property put read reside scope security settings slightly tab third user ways write

Scenario D Delegating Administration of Certain Objects Such As Users

account acl administration administrator allow assistant child common computer control cover delegate delegation delete domain editor entries full get gets group gssalesuseradmins he hurt member object objects operators ou permission permissions scenario tasks too total tree type user whole wizard

Scenario E Control over Noninformational Aspects

account add administration administrator aspects assistant common control delegate delegation discussed explains follow gets group informational instructions locked manage members needed noninformational normal objects passwords properties reset scenario she showed task tasks unlock user users wizard

Scenario F Cross-Object Permissions to Carry Out a Function

addition administration administrators allow base c carry computer control covered cross d delegate disk drive entries explained folder folders full function group gshomefolderadmins home manage member object objects operators ou out permission permissions policies policy power property reside scenario server servers share support type user users users’ workstations write

Scenario G Administering Informational Properties

active address administration allow assistant book consider delegate department directory easiest employees entries fax find gsinfoadmins his individual informational least maintain needs non objects often permission personnel properties property public resemble secretary store suits task user whose write

Scenario H User’s Own Informational Properties

16 add address allow alternative appropriate assign base country done easily entries entry except expiration get groups her includes informational jack jill job known logon mail maintain map modify much name needs nicely objects options ou ous password permission permissions personal phone principal properties property region remaining sarah scenario security self sensibly settings she significant specifying tabs tedious telephones user users warning web write

User Scenarios to See Properties

add added adds allow almost arises authenticated consequently created default delegation entry forest general included objects obviously organization permission permissions personal properties property public read scenarios schema sets shown similar user users wants web

Auditing Active Directory Access

active ad2000 ad2003 adding almost anyone applies appropriate auditing b child computer configuration consists controller controllers default defaults define depending directory domain done enabling entries entry everyone filled forest gplink gpoptions hand happen inheritable installed known logged made mean meaning modifications modify object objects ones operations ou paragraphs partitions permission policy preceding principal requirement root schema scratch security specifies therefore troubleshooting turned turning upgraded version writing

Adding Auditing Entries

22 access accessed acl active add adding advanced allow audit auditing b box boxes button c call cause check clicking d define delete deny dialog difference directory edit editor editor’s entries entry except fail failed generate get independently inheritable kind logged names object option permissions record respectively slightly subtree success successful successfully tab takes time types unsuccessfully useful whose view wizard works

Turning On Auditing

23 access active addition administrative affect audit auditing below brief button check clicking complex computer contains control controller controllers dedicated default directory discuss domain double easiest edit editor enable enabled event eventually failure file forest generate group installed introduction left lines little local log makes maximum mechanism minutes modify navigate node objects offers opens options pane part policies policy records refreshes remember replicates replication resulting right rights scratch screen security selecting sense service settings shown size subject success turned user

Viewing Audit Records

7 23 24 566 2003 $ 0x0 0x20 0x3e7 0x47b7b 27pm access accesses active actually addition administrative administrator audit audits boston button c category clicking client clinton cn com computer computers config connected contact controller corresponding creates date dc dc1 dc11 dc2 description detailed directory domain ds event events evt explained file generated generates handle header herbert id impersonation info info2 initials launch left lines local logon mask modified name object operation operations originally ou pane performed performs perhaps preceding primary properties property public record recorded records replicated requested right sample sanao secevent security selecting server service show shown sitting snap source specifies success system32 time type under user users view viewer windows workstation write

Access Control Architecture

access account ace aces active among architecture basic being better contains context control controlled dacl descriptor directory discretionary elements entries extended fields follows further help hood identify knowing linked look now object permissions practice process property right rights runs security sets sids take tokens turn under understand user work

Processes and User Accounts

25 2000 2003 access account active administrative application applications appropriate assigned assigns background built computer context correspond corresponding define directory exe feature help his including instructions local localsystem naturally network nt object often onscreen outside password permissions person process processes programs recognized represents rights run running runs security server service services she sitting something special support system technical terms under user userís utilities windows world xp

Impersonation and Delegation

26 2000 2003 access accessed accessing account accounts ad2003 adding administrators against allows appears applies assigned authentication authorization being browser check checked choice client client’s clients computer computers configuration construct context control controllers corresponding database default delegated delegation depending doing domain done enable feature functional further future get he his identity impersonate impersonating impersonation kerberos legitimate level localsystem member names needs now nt object objects order originating others page permissions place powerful preceding present previously principal process protocol query rather requests reside resource respectively rights run running safer scenario security sensitive separate server servers service services serving settings similar specific specifying spns starts step support supported switches tab take takes target therefore third thread trust trusted typical user web windows visible words work workstation


20 21 32 34 35 36 48 64 96 281 474 544 656 710 976 1000 1207 2000 2003 1030254238 1078345429 1718597718 access account accounts acl active administrator administrators admins aliases allocateandinitializesid allow anonymous areas assign assigned assigns authenticated authentication authorities authority authorization backup batch being belonging binary bit bits book break builders built builtin call cases category cert check choices cn com command comments compare compatible computer computers configuration container contains control controllers corresponding creates creator databases dc decade defined delete description desktop dialup digest directory domain domains down editor ensure enterprise everyone everything explained explore fact file fixed followed forest fourth gets getsid global go group groups guest guests http ias id identical identified identifier identifies identify ids includes incoming indicates inspect installation installed interactive internally jack known krbtgt latter less level library license listed local located log logon look meaning meaningful meanings member members microsoft model monitor msdn myserver name network never nonunique normal nt ntfs ntlm null numbers object objects objectsid often onscreen operating operators options organization owner owners package part partitions parts performance permissions plenty policy power pre predefined principal principals print process programmer prompt property proxy publishers ras reality relative remote replicator represented restricted result revision rid room s sales sanao schannel schema search secured security seem self server servers service seventeen sid sids six starting statistically store string strings structure structures subauthority support system systems ten terminal theory therefore time total trust trustee twice type unique universal user users utility value values wants wellknown versions very whole windows workstation world xp

Access Tokens

27 2000 2003 access account again allow allows along authenticates authenticating authentication background basic better book builds built character client command computer contains context copied created dacl default describes desired determine directly disallow display displays distinguishes during dynamically effective eight especially executes file fits generated group groups held her his identically identify impersonates impersonation including indication interactive items itself known lan less lines localadmin logged logon logs look manager member memberships mentioned much newly normal notepad nt objects off open operation operations output owner page perform permissions previously primary principals privileges process processes question quit reason redirect results rights rpc screen security seems server serving session shot sid sids sometimes source sources specifying starting starts string taken target test thread time token tries ugly until user username various version whoami via wider windows work xp

Security Descriptors

28 37 above access ace aces acl active allowed among assigned attribute audit auditing boxes check contain contains contents control correspond correspondence dacl dacls describe describes description descriptor determine directly directory discretionary entries entry expressly flag flags former group groups header identity inherited inheriting interface kind latter log notice ntsecuritydescriptor object obvious others owner part parts permission permissions prevents primary protected read recorded respectively sacl sacls se security seen settings system throughout turn usage user users various whose

ACE Contents

0 10 20 32 38 39 40 41 42 80 100 1000 10000 20000 40000 80000 access accesses accessmask ace aceflag aceflags aces acetype actrl ads allow allowed allows applies apply assigned attempts audit auditing bin binary bit bitfield bitfields bits calculator child children choose class consist contents control corresponding dac delete denied denies deny describe described description digit directly display ds empty enter entry except explanation extended failed field fields flag flags generates grouping hex hexadecimal idea identifies immediate indicate indicates inherit inheritance inherited inheritedobjecttype interface isn’t it’s itself least meaning meanings messages modify mostly name normally notice object objects objecttype off options owner pack particular password perhaps permission permissions present previous principal prop propagate properties property read receive represent represents resides right rightmost rights sacl scientific security self service sets settings significant six space special subtree successful summary system tables tell third tip tree trustee try type types ui user validated value values whose view visible write writes

ObjectType Field

29 32 43 128 00aa003049e2 0de6 11d0 a285 access accessmask ace aces active ads applies apply attribute attributeschema bf967aba binary bit braces cases characters child class classschema cn code com configuration container contains context control controlaccessright corresponding curly dashes delimiting directory ds eformat enumeration explore extended field force formats four gives globally go guid hexadecimal http identifier identifies included library linked looks mentions microsoft msdn needs object objectguid objects objecttype partition password permission personal postal postalcode programmer property read refer refers represented reset resides right rights rightsguid schemaidguid search series someone target type under unique user zip

Adding Extended Rights

39 256 2000 2003 access accessmask active add adds ads anything appear application applications automatically bits contains control controlaccessright corresponds created customer detailed developers directory ds exact extended installation interfaces modification objects once password permission present program property purposes receive relevant reset right rights runs saw send server software user validaccesses value whose windows write

Property Sets

11 29 access ace ace2 aces ad2000 ad2003 add addition anything application applies appropriate architecture arrow arrows attribute attributeschema attributesecurityguid base belong belongs break careful changing class code code’s common concludes consequently contains control controlaccessright corresponding creates deepen define defined defines denoted developers didn’t discussion doing energy exchange exist extended field general guid guids hundred image included including installation interested it’s knowledge link links logical manage match matching microsoft modify object objects objecttype our out part personal place postal predefined present program properties property put read recommend remove represent right rightmost rights rightsguid s schema schemaidguid scripting scripts security self sets settings six support sure target ten thirty trouble try typically value warning very windows

Single Instance Storage

40 2000 active contain controller database defaults defragmentation descriptors directory domain enables entries gain identical inheritance instance lot objects offline once percent perform permission reduce saving schema security server single sis size space storage storing upgrade windows

Domain Controller Access

2000 2003 247078 314976 315071 326690 access accessing active addition addresses admin administrative again anonymous answering article attack attacks base block channel clients communication controller controllers creation default denial deny detail directory disabled discuss domain emphasis enable enabled encrypted exists feature help individual ip item knowledge ldap ldaps mass maximums menu microsoft ntdsutil object objects pak permissions policies prevent protects queries query quotas ranges regulate removed resources secure security server service settings signing smb ssl unintentional users various version windows wire

Directory Object Quotas

2000 2003 active application applied attack becomes bug computer configuration controllers corresponding creating creator denial directory domain effective enforce enforced error happen host huge human incidences includes inetorgperson object object’s objects originating owner ownership partition partitions performed principal protect quotas replicated running schema security server service support transferred understand unintentionally update updates user windows

Setting Directory Object Quotas

15 18 500 able acct actually admins allow assigned brown cn com command commands computers container control created dc default definition delegation depending directly domain ds dsadd dsmod enterprise exists group groups he him his hundred individual inetorgpersons jack jack’s jackb largest manage member members membership name ntds object’s objects ok owned part partition permission pre qdefault qlimit quota quotas raises sanao security sets settings she specify subject third unlimited user users windows2000name

Viewing Directory Object Quotas

10 acct along apply boston brown cn com command commands controller current dc default defined displayed displays dn domain domainroot ds dsget dsquery effect effective entries equals filter gained get group higher his individual input issued jack jackb least limit limits lines logged membership name none ntds object objects once ou output part partition pipe qlimit quota quotas qused result resulting sanao seems specify sums ten usage user users view wrapped

User’s Own Quota and Usage

add adfind adsi allows attributes b base batch cn com command constructed contains current dc display effective extended file graphical her http interface joe joeware launched limit limited line lines made msds net normal ntds object pause permissions query quota quotaeffective quotas quotaused result richards right s sanao script self therefore usage user users values ways very view work wrapped www

Tombstone Quotas

21 50 55 60 100 213 217 512 2003 521421359 546331233 4068841660 adsi appear attribute attributes cn com command complex constructed contain contains controllers counted days dc default deleted deletion descending determined domain ds dsmod edit exists expensive explained formula knowledge ldp left livecount looks lower makes ms msds multivalued normal now nowadays ntds object objects offline option options order ownersid partition partitiondn passwords percent preceding principals qtmbstnwt quota quotas quotaused random replicated required requires s sanao security seems server sorted stripped ten tombstone tombstonedcount tombstones top topquotausage usage user’s value weight viewed windows wonder

User Rights

active assign assignments attached backup best clock computer computer’s corresponding directory files folders get gets goal group groups her individual locally log needed objects obviously operators others perhaps permissions predefined properties put relating right rights system time user users usersofthiscomputer whole

User Rights Categories

34 39 2000 2003 account accounts active actually addition administrators advanced anyway api application assign built categorize code computer computers controller controllers correspond corresponds default defaults deny description descriptions directory domain drivers drives explanatory fixed follows format four general group groups hard help interface iurs iwam kit known local logon member mention name names nineteen normal nt ntrights object objects operators parentheses partly power principal principals print privileges program programming reason related repeat resource right rights sections security self server services settable showpriv somewhat special specific subsequent system ten tsinternetuser types user users utilities windows won’t workstation xp

Logon Rights

44 able access account admin administrators allow ao assigned assignments au authenticate authenticated authentication backup batch bo broader computer controllers counterparts default define deny doing domain eo everyone exclude follows group groups guest guests individual interactive job keyboard locally log logon member narrower needed network occurs operators override po power prevent print remove right rights sebatchlogonright sedenybatchlogonright sedenyinteractivelogonright sedenynetworklogonright sedenyremoteinteractivelogonright sedenyservicelogonright seinteractivelogonright senetworklogonright seremoteinteractivelogonright server servers service services seservicelogonright something terminal therefore time type types typically user users warning workstation

Normal Privileges

19 45 account accounts active add addition admin administering administrator administrators adsi along anymore ao api arises assigned assignment assignments au auditing authenticated back backup bo bypass category changenotify checking columns computer computers controllers default delegation device directories directory docking domain down drivers drives ds edit elements enable environment eo everyone files firmware fixed force forest format global hard includes increase keys known limit listed load log machineaccountquota maintenance manage member mentioned modify ms name networks normal notifications object objects operators outside ownership pagefile perform performance po point principal print priority privilege privileges process profile property receive registry remote remove required restore right rights room scheduling sebackupprivilege sechangenotifyprivilege secreateglobalprivilege secreatepagefileprivilege security seenabledelegationprivilege seincreasebasepriorityprivilege seloaddriverprivilege semachineaccountprivilege semanagevolumeprivilege seprofilesingleprocessprivilege seremoteshutdownprivilege serestoreprivilege server servers service sesecurityprivilege seshutdownprivilege sesystemenvironmentprivilege sesystemprofileprivilege sesystemtimeprivilege setakeownershipprivilege seundockprivilege shut shutdown single station still system take tasks ten time tool traverse trusted unload user users value values windows volume words workstations

Advanced Privileges

46 act adjust admin administrators advanced assignments audits authentication base care client computer controllers data debug default directory domain generate impersonate level local lock mean memory modify net network object objects operating pages part permanent privilege privileges process programs quotas replace rights seassignprimarytokenprivilege seauditprivilege secreatepermanentprivilege secreatetokenprivilege security sedebugprivilege seimpersonateprivilege seincreasequotaprivilege selockmemoryprivilege service sesyncagentprivilege setcbprivilege shared svc synchronize system tcb token trusted user

Fixed Rights

47 2000 2003 account active admin administrator administrators allowed anyone ao assign assigned assignments au authenticated backup bo book boston built chkdsk computer configure controller controllers delete directory domain drive drives excluding exhaustive files fixed folders format groups hard listing locked london manage membership modify normal objects operating operations operators ownership perform po print printers purpose right rights run scattered serve server services share shares stop system take throughout unlock user users windows

Active Directory Permissions Instead of Rights

45 47 active add assign directory domain effectively equivalent fixed having permissions right rights user workstations

Assign User Rights

allow assign assignments command contains describe equal fixed group modify ntrights object outcome permission policy right rights shortly similar user very write

Add Workstations to Domain

account add allows appropriate assigned assigning before computer computers container delete domain equal except group gsworkstationinstallers having installer join joining limit little member members objects ou permissions process right servers ten user workstation workstations

Applying User Rights

applied brief described details go group infrastructure introduction local policy provides rights security user

Brief Introduction to Group Policy

30 90 ability active affect affects afterward applied apply assign assignments bad boston computer computers conflicting connected container control controller controllers corresponding default defaults defined depending depends directory domain good gpo gpos group higher interval latter level link linked local locally located log logical london longer lower member minutes move object objects ou ous overrides ownership place policy prevail right rights security server servers settings starts take therefore thing tree unless user workstation workstations

Modifying User Rights for Domain Controllers

30 2003 administrative allow anyone assign assigned assignment assignments basic basics briefly button choices command common computer computers configuration contents controller controllers current default defined deliberately describe directly domain edit editor empty exception good gpo granted group kit left local locally log lower modify modifying navigate network ntrights object opens ou pane perhaps policies policy priority production properties purposes r resource right rights security seinteractivelogonright selected server settings snap sticking subsection subset tab taken test testing u user users ways windows

Modifying User Rights for Member Servers and Workstations

administrative affects again apply assign assignment basic basics button choices command computer configuration controllers default defined domain edit editor gpo group include kit left local m machine’s member modify modifying name navigate ntrights object opens pane pc17 policies policy properties r regarding resource right rights security servers sesystemtimeprivilege settings sticking still strategies subset system tab time u user users windows workstations


access active administer along assigning chapters contents control directory directory’s explain hosts infrastructure knowledge learned logical managing now objects permissions physical plan presented previous skills structure structures users

Chapter 5
Sites and Replication

active administering administrative advanced appropriate architecture aspects cases communication concepts contains controller controllers cover covers creating describe describes detail diagnosing directory discuss discussed discussion divided domain domains established explain explains forests formation help identical includes interface introducing introductory keep kind lans large level links management network objects physical place plan planning problems process read readers regardless related replicating replication result return sections site sites size step structure task tasks terms things third time topics topologies traffic try user wan various

Concepts of the Physical Structure

active administrative aspects book boundary catalog contexts controllers directory dns domain elements get global independent ldap logical namespace naming ncs part partition partitions physical policy remember replicas replication security side sites structure structures talk terminology time unit

Why Replication

accessing across active available backups balancing controller controllers directory domain eliminate fails faster fault follows general get least link load local major money provide proximity reasons redundancy requesting reside resides retrieved saving slow store time tolerance wan workstations

Nature of Active Directory Replication

0 25 2000 2003 $ 8i 9i access accessing across active adam adc add added addition address administrator affected always among application approach appropriate associated attribute available backup bdcs boston bridgehead bytes causes cd changed changelog choice clients comes comma communicate compatible component connector consequently consistency consistent consumer contact contains contrast controller controllers convergence costs created data database db dbase decision deleted delimited difficult directory dirxml disparate domain domains domino downlevel dsml easier edirectory edition enables enterprise environments especially exchange explain failure feature files fixed forest forests formerly frequently gal get global greater groups had hand heterogeneous high identity iifp included includes informix instantly integration iplanet issue language lans latency ldif less license link links little load locations london loosely lotus made makes making manage markup master mean metadirectory microsoft miis mms mode mostly moved msdss much multimaster nds necessarily needs netscape netware network notes notices novell nt object objects odbc offs often older ole once operations option oracle originating pack pair part pay pdc personnel physical place placing primary processor put puts rarely read reading recognized remote renamed replicate replicated replicating replication return separated separately server servers services sfnw5 single situations source sql sun support supports synchronization synchronize synchronizing systems tend time topic toward trade traffic transformation us user users value wan version versions versus while via width windows world

Partitions and Replicas

11 15 70 138 151 863 2003 active ad2000 ad2003 administrator again among application attributes b base boundaries c call catalog child classes command computer computers configuration contain contains controller controllers copies corresponding count created data dc dc1 dc2 dc3 dc4 dc5 default definitions describes designated detail dictate directory discuss discussed domain domaindnszones domains drawn enterprise extended forest forestdnszones forestwide form four full gc global groups haven’t host hosts identical included independent introduced kinds knowledge least logical majority master mention modify name namespace naming normal ntdsutil object objects often otherwise ous partial partition partitions present principals purpose read reasonably recent regardless remember replica replicas replicated replication requires reside rights running sample schema script security separate server servers show sites supported talk together too tree truly type types units users wants vast while windows yet

Overview of the Replication Process

10 15 2000 accounts active administration administrators advanced advantages almost among answer approximately authentication automatically bad boston changed clock clocks computers conflict conflicting conflicts consider consistent controller controllers data default detailed determine directory domain done else entire eventually fast fax forest frequent get haven’t his important indicate isn’t it’s jack’s job kerberos less london long minutes nds novell nt numbers object objects older organized phone pick prevail prevails primary process properties property protocol really reason recent regardless rely replicate replicated replicates replication requires resolution result saved seconds sensible sequence servers service short simultaneously situation someone synchronize synchronized tell thing time times timestamps type unlike update user usns values version very win windows winner within wonder work wrong

Overview of Replication Topologies

15 45 2000 accurate active ad2000 ad2003 add adjust almost application applies appropriate automatically b background becoming before bidirectional bridgehead builds c care cases chain chains check checker collects component connections consistency controller controllers creates d default delays dictates direction directory domain domaindnszones eight exact exceptions exists explained fine forestdnszones forms four further generated get ground hops host illustration increases intersite intrasite it’s kcc kccs knowledge latency least likely link long manually maximum mention minutes needs never notification objects once opposite partition partitions path planning practice prevent provide replica replicas replicate replicated replicates replication require requires responsible ring seconds selection separate server servers shortcut site sites take therefore too topology travel turn wakes wan windows


10 14 17 20 23 24 82 2000 2003 2mbps able active add adding addition advanced allow always among anything appear applications apply appropriate area arranged aspect assign assigning assumed atm autositecoverage available aware bandwidth being belongs beyond blocks boston bridgehead building campus care cells child choice client clients closest cloud com communicate communicating communication company compress compression computers congested connected connects consequently consider considerations control controller controllers corporation correct correspond corresponding corresponds cost cover coverage covered covering cpu created creating criterion currentcontrolset data dc dcs decide decision default deployment describe described determines dfs directory distributed distribution dns documentation domain domains dword easily efficiently employs empty enable enough exact examples expensive explained extra fast file files find firewall firewalls folders forest frame francisco free freely frs function get go group hand having headquarters hkey home http included indicates inside internet intersite intrasite ip items itself kccs kind kit knows lan large latency latter layout least likely limit link links local located location locations logon logons london long longer look machine main manage marked match matches meaning microsoft multi name necessary needs neighboring netlogon network networks none notifications numerous objects offer office offices once operate operational others our packets page paper parameter parameters physical physically place plan policies power pretending printers procedure product production products purposes rd reach reasonably records reference reg registered registers registry relay replica replicate replicated replication represent requested require resource ring root route said sales sample san sanao segmented sends separate serve server servers service services she short shortcuts shorten similar simulated site sitecoverage sites slow slower small something sparingly specific speed stop subnet subnets system sysvol sz t take tcp technet technique techniques technologies test tolerable too topology type unless unreliable user users wan various watch white windows work workstation www

Overview of Intrasite and Intersite Replication

10 15 20 45 2000 2003 32kb 64kbps ad2000 advantage algorithm almost always application approximate b backup backward bridgehead c call catalog city communicate compares comparison compatible compresses compression configuration connections contains controller controllers cost cpu data day default destination directly domain down enterprise especially fast feature forward gives global hop hours improvement intersite intrasite ip latency latter less link links little locally lower maximum mechanism mentioned microsoft minimum minutes model modern needs normal notify off old once partitions pass pays percent performance problem procedure processes protocol pull ratio received recommends registry remote replicated replication revert ring rpc save schedule schema seconds server servers shortcuts since site smtp spanning speed spreads store topology trade transitive transport tree wan via windows worse yes

Change Notification

15 active actually ad2000 ad2003 alternative attack call causing controller controllers corresponding default delay difficult direct direction directory domain efficient enterprise exact exactly follows initial interested intrasite latter likely load mentioned method minutes missing much notification notifications notify object option originated partition partitions partners peak pending period pull push puts queue replicate replicated replication request requests respectively seconds sends sent served simultaneously site slightly source subsequent target targets therefore time times updates user vain waiting works

Change Notification Delay

15 30 2000 2003 ad2003 being bullet container controller controllers corresponding cross currentcontrolset default delay delays depending domain dsa dsas during dword effect forest functional hand hkey initial installed integer key level local machine minutes modified modify modifying msds nondefault notification notify notifying nt ntds object objects old parameters partition partitions pause precedence preceding properties reference registry replication replicator retained scratch seconds secs server services source store subsequent system take third under upgrade upgraded value values version windows

Scheduled Replication

0 0 15 40kb 480kb according administrators allowed am backup bandwidth benefit chunk combined compression connection consuming controller daily data day default domain effect efficient enable explain frequency get had higher hour hours increasing intersite intrasite least less link lost made mechanism method minutes night notification notifications obvious occurs often once periods primary replicate replicated replication request requests schedule schedules server site sites sooner source specified specifies specify target time typically weekdays while

Site Link Bridges

administrative bridge bridges cases combine fully interface introductory link links mention never rare recognize routed site wan

Urgent Replication

15 access according account active actual allow almost always amounts apply attempt attempts authentication authority automatically b backup basis c chaining changed changing channels computer connection controller controllers dates dc default delay depending described directory domain enable enabled event events examples except exist failed get hand her hours immediately important initial interdomain intersite intrasite items large lastlogoff lastlogon level levels link local locked lockout logon lsa master minutes mixed mode modify mostly never newly normal normally notification notifications nt object objects once ones original out password passwords pdc perform policy preceding process properties property reached read receives receiving regardless relationships replicated replicating replication request result retried retrying rid schedule seconds secret secure security sends server servers service settings site sites source state still time times too traffic tries trigger trust trusted trusting updates urgency urgent urgently user vain waiting week windows wrong

Nonreplicating Properties

11 39 55 across ad2000 addition badpasswordtime badpwdcount base being bridgeheadserverlistbl cached catalog com consists contains controller created database directory directreports distinguishedname dit domain dscorepropagationdata executescriptpassword file find format frscomputerreferencebl frsmemberreferencebl global http indexes isprivilegeholder kouti large lastlogoff lastlogon locally logoncount managedobjects masteredby memberof membersforazrolebl membership mentioned modifiedcount mscom msds multicolumn netbootscpbl network nonmembersbl nonreplicating nonsecuritymemberbl ntds objectguid objectreferencebl operationsforazrolebl operationsforaztaskbl ownerbl partialattributedeletionlist partialattributeset partitionsetlink peklist please portion prefixmap presented production properties querypolicybl regarding replicated replicationepoch replpropertymetadata repluptodatevector repsfrom repsto retiredreplncsignatures ridnextrid ridpreviousallocationpool schema schemaupdate scripts serverreferencebl serverstate siteobjectbl stamp subrefs tables tasksforazrolebl tasksforaztaskbl thanks time userlink usnchanged usncreated usnlastobjrem whenchanged www

Last Logon Timestamp

0 14 64 100 accuracy ad2003 adjust among attribute avoid balance bit causes controller controllers day days default disabled dll domain effects evenly excessive exist feature fixed follows indication integer interval introduces large lastlogon lastlogontimestamp latest logged logon logontimesyncinterval lunch maximum minimum minus month msds object old passed random range read replicated replication samsrv scan schema she since specified specifies spread therefore time today traffic update updated updates user value values words zero

Global Catalog

0 0 10 70 138 151 863 2000 2003 across act active ad2000 allows applications assign back base catalog closest consequently considered contact contains controller controllers cover default defines designers designing directory domain domains dramatically efficient enables enough ensure enterprise environment especially exchange exist forest four function gc global her includes large least likely links local locally long microsoft name names normally objects operations originally part partial partitions perform performed printers properties query replica replicated requirements resources responsibility result rule schema search searched searches serve server servers service site sites suggest take thumb time transfer travel user user’s users wan words

Overview of Operations Masters

2000 2003 account active acts actual additions adds administrator attached cases catalog center computer computers configuration controller controllers creating cross default deletes deletions describes directories directory documents domain domains domainwide emulator enterprise external fizmo flexible forest forestwide fsmo functions get gives global group groups he infrastructure interface latter lockout main maintains master masters members mostly moved multidomain multimaster name naming objects old operation operations password pdc performs places pre primary principals pronounced rarely references removes renamed replication rid rids role roles root schema security server servers serves shouldn’t sids single special synchronization target time transferring user users various windows workstations xp

Managing the Physical Structure

active anything configuration configuring creating describe directory enterprise forest location network objects partition perform physical sections services single site sites snap tasks tool various

Active Directory Objects for Sites and Replication

10 11 21 24 according active actually around automatically b belongs bos bossanao1 boston bridge bridges briefly building cases class collection computer connection connections consists container containers contains controller correspond course dc define defines defining describe describes description direction directory divide domain dotted enables existence fast four generated help hosts include indicates inter intersite intersitetransport ip island islands items kind licensing licensingsitesettings line lines link links local located lon meaning meaningful modify name names needed network ntds ntdsconnection ntdsdsa ntdssitesettings object object’s objects occurs physical place properties replicate replication rpc sample server service services settings setup site sitelink sitelinkbridge sites smtp solid special structure subnet subnets symbolizes ten transport tree type types wan various whatever

The Big Picture of Objects

11 15 1998 2000 2003 access active actually advanced affect aforementioned almost along among analogous apply arrow arrows automatically awkward backup besides big bit bridgehead bridges claims clear client combined connection consequently control controllers controlling costs created creating default define delay determines diagram dictate dictates directly directory discuss domain drawn dropped easier effect enable exist explained focus focused focuses frequency function functions gets gives hand hints hour illustrates intersite intrasite ip kcc kccs kind latency license licenses licensing line link links little logging lost main manage managing manually mechanism mentioned minute missing mostly much normally notification notifications nt ntds object objects off omission once others part physical picture pieces place point preferred process properties property reality reason reflect related relationships renamed replicate replication represent represented schedule selection server service settings show simplification simplify site sites smtp solid something source stands structure subset takes things topics topology turn turned types under until ways windows work wouldn’t

The Sites and Services Snap-In

access active administrative alternative alternatively anything applying back before big brackets button can’t changing check checking clicking clicks company compared computers configured connect connection connects consequently containers controller controllers corporation corresponding currently default delay delays directory domain dssite eight enter forest found fully generates hand happen illustrate immediate includes initiate latter leaf link look manipulate modify mouse msc much name necessary needs node normal ntds objects often open our perform physical picture preceding press pretty production react refresh replicated replication result right run sample sanao selected selecting services settings show sit site sites six snap specific specify step steps structure sure take takes target test things time topology tree trust type users wanted various whatever while view visible wonder workstation writable

Test Environment

actually available better child completeness computer controller depending described domain drive enables enterprise forest items member mention microsoft option pc promote related roles server servers test things virtual vmware workstation workstations

Tasks in Managing the Physical Structure

12 active adding administering administrators admins appropriate automatically child configure controller creating describe detail directory divide domain domains domainwide easier enterprise entire everything fairly follows forestwide geographical hand happens immediate include initiating introduce lan latter location locations managing model much multiple network objects operations pages perform physical references replication sections single site sites spans structure tables task tasks

Setting Up a Single Site

12 adjust advanced appropriate assign automatic automatically background becomes cases catalog column connection contains controller controllers created creating domain domains edition enterprise environment everything final forest global infrastructure install installation large maintained master mentioned numbers objects page perform perhaps please production promote replication review role roles root server servers shouldn’t single site tables task tasks topics topology unless xxx

Setting Up Multiple Sites

10 11 15 100 active ad2000 addition adjust advanced anyway appropriate assigned assigning associate assume attach automatically away background belong boston break bridged bridgehead bridges catalog clients configured connection consequence consider contain controller controllers correct cost costs couple course created creating decided default defaultipsitelink define delay depending descriptive directory discuss domain efficiently else except find forest fully global go good happy helps install intrasite ip it’s least less let’s link links location locations logon london main maintained manually mechanisms move multiple multisite name needs network newly normal now object objects obviously ones operational order page perform performing perhaps physical point preferred relative rename replicate replication routed routers rpc running schedule seconds server servers similarly simple single site sites smtp something sometimes soon steps straight structure subnet subnets sufficient takes task tasks tcp things time together topics topology typical until wan work xxx you’ll

Administering Sites

12 15 active addition administering administrative affects attached automatic background cases check controller controllers costs default diagnose directory domain enterprise especially fails forest greater immediate immediately initiate instances kcc kccs link links listed master masters menu minutes modify monitor mostly multimaster network now obviously occasionally offline operations optimal option page perform performing permanently place previous remove replicate replication revisit role roles selecting single site sites special speed still take task tasks things topology upgrade wait wake wan various xxx

Using the Default-First-Site-Name Site

actually automatically belong bos boston clicking company controller controllers created default delete descriptive doing domain easier f2 forest francisco gain include install installed leave location london missing move name names nothing object our phase pressing rename renamed right sample san sanao selecting simply site sites unchanged until waiting yet

Creating and Managing Subnet Objects

10 20 24 able actually address administrator’s appropriate attach auditing being belongs boston communicate company consists contacted controller controllers correct created creating creation default delete description domain during easier entries fine forest go headquarters helps infrastructure installing ip latter locate location makes manually mask move needed network object once otherwise our ownership permissions place practice printers process promote promoted promotion rename sample sanao server site site’s source subnet subnets tasks texts users

Creating and Managing Site Objects

11 15 30 60 active affect anymore anything assign attach auditing backup before choose controllers correct created creating default defaultipsitelink define delay delete deleted description directory discussed doing domain enter entries event exist fine follows forest get gets group illustrates informational intrasite link links location lose lost lower mechanism message minutes move name notification notifications ntds object objects operations otherwise ownership perform permanently permissions policy purely remember rename renaming replication s schedule seconds server settings site sites sleep software texts think value won’t worrying you’ll

Moving and Managing Server Objects

10 12 22 2003 active actually addition address along appear appropriate associated auditing automatically before belong boston bridgehead build causes communicate computer configuration contain contains controller controllers correct corresponding corresponds created decide default define defined delete description dfs directory discuss domain enables entries exists fine forest functional informational intersite intrasite ip latency level location locations lon london manually mean mechanisms member mentioned move moved moving much now ntds object objects occurs often operation operations ownership perform permissions preferred promoted purely refer removing rename replication represent represented reside right running sanao server servers services settings site sites still subnet take talk tells time topic topologies topology type under until while windows won’t

Managing NTDS Settings

13 14 15 16 2000 2003 active add addition adjust adjustments administrators adsi affect allows answering application associated attacks automatic automatically beginning bossanao1 bossanao2 box building catalog check child clicking clients com configuration connected connection connections contains context control controller controllers corresponding cover data default defines definition denial description dictate directory discuss dns domain domaindnszones effect enable enables existence figures follows forestdnszones function generated generator global hosts immediately include includes indicated indicates indication informational initiate inter intersite intrasite isn’t kcc kccs kit ldap links longer manage manually maximums mentioned minutes modifyldap naming narrow now ntds ntdsutil object objects operations optimal page partition partitions performs physical place policies policy prevent programmatically properties property protocol pulls purely queries query refresh related replicate replicated replicates replication resource resources right s sanao schema script seconds selected selecting server service services settings show site sites snap specific still structure tab take takes tool topologies topology turn until wait wake values vbs version windows won’t

Promoting a Domain Controller to Be a Global Catalog Server

0 0 11 15 24 48 500 3268 3269 500mb acquainted activates active ad2000 ad2003 add added addition administrators advertise advertising again allowed apply appropriate attribute attributes away beginning being calls catalog check clicking clients command complete connect connection consequently contains controller controllers corresponding currentcontrolset currently days dc dc1 default depending directory display dns domain domains down dsgetdc during dynamically eight enter entry environment everything exchange fast flags forest gc get global go hand hkey hour hours impact implement implementation included install interface isglobalcatalogready itself kcc key large ldap ldp least let line lines local long lot machine menu minutes mission multidomain name nltest normal now nspi ntds object objects office ok once opening opens options outlook pace pane parameters partial partition perform performs perhaps port process promotion prompt properties reboot received recheck records registers registry remote remove removed removes repadmin replica replicas replicate replicating right rootdse sanao schedule script selecting server servers services settings showreps single site srv ssl started starting starts steps stop support supposed system take tcp teardown tearing traffic typing uncheck utility value ways week while windows visible yet True

Creating and Managing Site Links

0 0 0 0 10 15 17 18 19 20 30 32 80 99 100 180 767 999 act active actual ad2000 address advanced affect always am among appears apply assignment associate automatically availability available being besides box boxes bridge building button check cloud combined compares configuring connection connects considerations container containers corresponding cost costs daily days default defaultipsitelink depending descriptive dialog directly directory discuss discussed effect enables familiarity favors field fine four frame generated higher hour hours ignore ignores illustrated indicated indicates inter intersite interval ip knowing least link link's links lower matter mesh minutes money network now object object's objects occur packets place planning pm predefined process properties property protocol range relative relay replicate replication represent requires reside respectively resulting route rpc sanao say schedule schedules settings similar site sites smtp special specified still stmp take takes template topologies topology touch transports travel twice under week weekdays True

Managing Licensing Computers

21 2000 2003 administrative always c cfg child computer configuration contained controller copy cpl default depending designated domain enables file files folder group groups history interface lack level license licensing lls llsmap llsuser locations logging mappings move nt object often old pages present property purchase rather role selected server service settings site sophistication stop stores system32 systemroot usage user windows winnt

Removing Domain Controllers

accept accordingly active adapt add advantage affect alone among anymore anything application article assigned authoritatively automatic automatically back backup base become before benefit best bridgehead bring bypass can't catalog catalogs changed check choose cleanup clients close command complete computer computers configuration connections consequences consider container controller controllers corresponding created current data days dcpromo delete deleted demote demotion depending depends describes did difficult directory disabled discuss dns domain down downtime enough except exist extends feature file function functions get global goes group haven't holds hosts impact impossible including incoming initiates instructions intersite isolated it's kccs knowledge ldap length line locations logon logons lose made maintenance managing manually master masters meaning member membership microsoft missing moved network normal notice now ntds ntdsutil object objects obsolete obviously offer offline ok once ones online operation operations organized original others out perform performs perhaps permanent permanently plain planned preferred process q216498 re reason recent recommends records redircmp redirected reduce reinstalling related rely remember remove removing replicate replicated replicating replication rest restart restoring risk role roles running s server servers services settings short shut shutdown shutting size special stand steps still suitable sure suspect take taking target temporarily temporary tends therefore things time tool topology transfer transferred transfers trouble undesirable unsuccessful users web weren't versions whatever while wish workgroup workstation workstations wrong

Monitoring and Diagnosing the Physical Structure

13 20 24 30 36 60 100 200 1864 2000 2003 able active agent along analyze appears artificial aspects available b biased book bought brief broadcasts browser bytes capture cd check class com command compares computer connectivity contains contents controller controllers counters counts data database days dc1 dc2 dcdiag default demotion described description descriptions detailed detect detects diagnose diagnosing differences directory distributed domain dra dsastat during editor enable error errors event exe feature fix forest former frames full function functions generate graph graphical guide hasn't help hours http id identify included includes including incoming install installation installs instructions intelligence interrupted kcc kit latency leaving lifetime line local log logged logs manage management manager managing messages methods microsoft microsoft's minor mom monitor monitoring monitors month months multicasts names netdiag netmon network nltest ntds ntdsutil object objects ok operations out outgoing packets pages partition past perform performance performing performs physical point polished problem problems process published read reason received regedit regedt32 registry relate related remove repadmin replicas replicate replicated replication replmon resolve resource restrictions reveals rich s sample search seems selected sent separately server servers service services settings show site sites sms snap solve source sources specify still structure summary support switches systems tests time tip tombstone too tool type typical unnecessary various warnings web week version very viewer win2000 windows words work writing www yet

Does Replication Work Method A

17 43 82 100 2003 8524 02d 09s 11h 13h 17s 18m 30s 31s 39m 52m bydest bysrc code column command communicating configuration connection controllers corresponds count csv dc dcpairs delay delta direction domain dsa error errors excel fails failure failures forest import interval largest lines links locate lonsales2 lonsales3 lonsanao1 look object operation output pair pairs problems program repadmin replication replsum requires reveals server sfrrd2 sfrsales1 showrepl site sort source spreadsheet success throughout time total txt verify version windows works

Does Replication Work Method B

1 1 1 1 1 5 7 9 11 12 13 17 23 24 27 42 48 52 54 2003 2004 61503 192323 312883 319342 723422 able asterisk bos bossanao1 bossanao2 bossanao3 boston causes com command controller controllers dc directly domain host includes latency local lonsanao1 lonsanao2 looks name option output partition preceding previous quotes repadmin replacing replicate sanao server showutdvec showvector sort specifies time transitively typing usn version via windows works

Replication Permissions

able acl ad2003 administrators adsi application applies appropriate assign catalog configuration consequently controllers dns domain domains easiest edit editor explained extended feature get global grant launch locate manage necessary normal now object objects paragraph partition partitions permission person previous remaining replicate replication right root schema servers status synchronization topology until

Advanced Topics

active administrator advanced arise aspects before concepts configuring covered deep delving depth directory discussion easier encounter equipped eventually finer follows his install intersite intrasite knowledge learn least managing masters multiple network network's obvious operations physical postponed problems process reason replication require sites situations skills smtp solving span structure subjects synchronization time topics topologies troubleshooting understanding until

Intrasite Replication Topologies

alterations automatically base checkers consistency controllers decisions determining domain exact intersite intrasite kccs knowledge links mentioned monitor necessary necessitate ntds objects optimal permanent problems replication settings site sites temporary topologies topology

Replication Ring

22 ascending automatically bidirectional close controller controllers corresponding created data dc1 dc2 dc5 determined domain establishes forms guids inbound intrasite largest ntds object objectguid objects ones order partnership property pull replication ring settings smallest sorted topology under

Drawing the Replication Ring

11 22 07de 11d3 4000f006f0d0 752d5592 92552d75 a61f actual alphabetically assumes before belong beneficial binary byte bytes call clicking consecutive controllers corresponding d311 dashes dc1 dc2 dc3 dc4 dc5 de07 diagnose dns document domain draw drawing edit export extract faster file forest format forward function get guid guids happen help helps install interested lines lookup management manual mouse msdcs name names network now open order parts presents problems replicate replication represented right ring script server short site snap sort swap therefore topology won't work zones

Connection Objects

23 add administered anyway automatic automatically bidirectional bit connection controller created creating data delete determines discussion domain explain fine hosts illustrates inbound intersite intrasite kcc kccs learned least maintain maintained manually modify needed ntds object objects option options owner partner partners possibly process property pulls re replication ring settings significant soon topology work

As the Ring Grows

15 20 24 30 45 achieve active actually add adds algorithms almost approximate assumes base basic build building bypass calculated calculates care cases chooses chosen common connection connections connectivity consequently contact controller controllers cooperate created creates creating dc decisions delay described determined directory distance dns domain eight exact exist failed fewer follows four get goes greatest grows guid guids happen hop hops inbound independently intrasite kcc kccs kind knows large larger largest latency least local logic longer maintain maximum minimum minute minutes negotiate neighbors network never notification notifies object objects optimal ordering otherwise partner partners path place point problems random randomly rare reach regardless remember replica replication resulting ring run seconds seven shortcut site slightly source squeezes starting step take temporary therefore third topology

In Transition

15 16 17 22 24 45 accommodate active actually add again applied away back base before boots changed check completed connection consequently consistent controller controllers course created decisions default delete directory domain done during figures finally find get half happens harm hour independence initiate kcc kccs latency longer made minutes needs object objects ordinary out outdated part period picks plus point random reach remember replicated replication right schedule seconds shortcut shown site slightly source starting take thereafter therefore throughout time topology try until wake wakes yet

Several Partitions

22 25 26 a's a2 a3 accommodates across actually add addition affect again alone always anymore application arrows assigned assumes b b1 b2 back belong bidirectional bossales1 bossales2 bossanao6 boston build catalog com common computers configuration connection connections consequently consider controller controllers corporation's couple course crowded dc dc1 dc2 dc3 dc4 dc5 diagrams didn't domain domaindnszones domains enterprise exist far figures finally follows forest forestdnszones gets global guid host idea incur independent intrasite large latter less likely little mean member messy mostly multiple needed never nine ntds objects obvious obviously old order pages parallel part partition partitions phase previous random removed replica replicas replicate replicated replication ring rings running said sales sanao schema selection servers settings seven shortcut show showing shown side simple simplified site situation small starting therefore think time together topologies topology traveling unidirectional unit while whole

Global Catalog Replication

26 27 28 29 a1 alone always b b1 b1's bossales1 bossanao1 boston catalog choice compared connection connections controller controllers corporation corporation's corresponding cross data depends domain domains enterprise exist fits forest full get global happen host location mainly nature normal objects obviously ones part partial partnership place properties replica replicas replicated replication ring sanao server servers side site sole source sources takes topology unidirectional versa via vice

Intersite Replication Topologies

administrators automatically connection created creating described examine excluding explaining intersite intrasite kccs likely manually now objects operator part plan ready replication responsible resulting ring spanning topologies topology tree while

Inter-Site Topology Generator

adsi agreed allow ample assumes automatically becomes building calculations connections control controller controllers cpu current data designated determine domain easy edit generator guid incoming independent inter intersite intersitetopologygenerator intrasite istg kcc kccs large machine managing manually modifying needed network ntds object old operating optimal ordering original owner page perform power producing property responsible role services settings single site sites snap still therefore topology transferred unavailable under unless upon whole

Site Links and the Topology

0 0 15 30 31 32 1311 307593 a's according active again allows alternative am among appropriate article automatic b base bridge bridged broken brown c cases cause check choose cloudlike command common communicate compare connect connected connection connections consecutive consequently container contains controller controllers correct corresponding cost created creates d day decide default describe difference direction directly directory discussed domain efficient efficiently ensure event examine explains expressed finally forest freely generation hints illustrates incoming inefficient intersite intervals ip istg istgs jack kcc kind knowledge let link links log longer match matter meaning meaningful microsoft minutes necessary network now object objects obviously office offices opposite optimal others our overlap packets phase phases physical poorly possibly presents previous remember remove repadmin replicated replication represent require result resulting router routes samples saw schedules selected sense settings setup showism shown site sites somehow sometimes specify things time together topology transitive travel travels troubleshoot wakes wan viewer window wire words True

Site Link Costs

0 0 0 0 0 16 32 33 34 50 64 99 100 500 700 767 999 000bps 128kbps 2mbps 45mbps 56kbps 64kbps accumulation active actual ad2000 addition affect affects among approach availability available b backbone billion build c calculate categories choose chosen communicate company compares consequently consider controllers correspond cost costs couple criteria cumulative determine dial directly directory divide domain domestic endpoint establish fast favored good higher highest idea illustrates international isdn istgs items kind large latency latter leased least line lines link links lower lowest mathematical mean meaningful minimum minute model monetary money multiple network nor open packets partition pay phone physical plays priority proportional relative reliability replicate replication represent representing role route routers routes routing sample simple site sites spanning specifies specify speed standard t take think topology transmits tree type wan wise

Intersite Topology of One Domain

35 active ad2000 ad2003 add among application appropriate assume bossanao1 bossanao3 bridgehead choose chosen com connection controller controllers data directory doing domain enterprise examples fewer follows forest francisco full host intersite intrasite istgs link linked london mean naturally now objects once out pair partition partitions picture ready replicate replicates replication routes sample san sanao server servers simplify site sites topology why

Preferred Bridgehead Servers

36 addition anymore application assign better bridgehead bridgeheads choose compression contains controller controllers covered designate designated designating designation domain enable ensure environment exception fail firewall freely happens including intersite ip istg large letting local long longer master microsoft multiple object obviously outside partitions pass pdc power preferred processing properties protocol protocols recommends replicas replicate replication rpc running s scenarios server servers shown site smtp suited sure typical world

Managing Bridgehead Server Failures

able add affected appropriate automatically bridgehead capable configuration connection consecutive consequently controller controllers correct course depending describes designations domain enterprise event fail failed fails failure failures find firewall fix functional handled hours includes incoming intersite istg learn least log lost made object obviously once operations option part partition partitions pass perform performed pick preferred problem question remove replacing replicate replicating replication resolved responds s selected server servers site sites steps still taking therefore until viewer won't wouldn't

Intersite Topologies of Several Partitions

37 38 39 boston bridgehead catalog com connection connections consists controller controllers created domain domains effect enough enterprise established follows francisco global guid had happens implication include including independent intersite intradomain intrasite link names naturally needs order partition partitions previous rd replicate replication result ring rings room sales san sanao separate server servers shown site sites topologies topology totally transform whenever

Intersite Global Catalog Replication

37 38 39 40 41 actually ad2003 added always arrow arrows aspect basic boston caching catalog coincidental com comes comply connection consequently controllers convention decide describe direction domain domains easy enterprise environment feature francisco generate get global group had illustrated illustrates included includes increase increasing intersite intrasite introduced large least links local locally logons london membership needed needs often our part partial permanently place present purely rd read remember replica replication rule sales sample san sanao scenario server servers show simplify site sites source take takes therefore topology traffic universal wan

Creating and Managing Site Link Bridges

0 0 0 15 42 100 180 200 220 500 1009 1013 1311 2000 2003 307593 ^ according achieved active addition adjacent administrative affect aforementioned algorithm algorithms allowed alone answer answered applies appropriate article assumes automatic avoid b base become box branch bridge bridged bridgehead bridges bridging building business calculate calculates calculation calculations causes chain chains check checker choice clearing command common communicate complex complicated confuse connection consequently consistency container containers controller controllers corporate cost costs cpu creating cumulative current currentcontrolset default depending described diagnostics directory disabled disabling discussed domain domains draw during easiest edges efficient ends environment event events exact explained explains expression far find follows forest formula fully generation get goal graph greater greatly happens haven't headquarters highly hints hkey hours hub illustrates include including increases indicate intersite ip istg istg's istgs joins kcc key knowledge large least let likely limit link links local log long longer looking machine makes manage manual manually mentioned microsoft microsoft's minutes modify much necessary network ntds object objects off office offices ones optimal out overloading peak perform performance performing period permutations physical place placement power presents process properties protocol protocols q244368 question recurring registry relative relativity remember repadmin replace replication result results routes rpc rule run save says scales scenario scenarios schedule script seconds separately server servers service services settings show showism simply site sites smaller smtp snap solution speed spend spoke steps still sum symbolize symbolizes system take takes therefore thinking third thumb time together too topology transitive transitiveness triggers troubleshoot turn typical ultimate usage utilized value ways while why viewer windows writing yet True

Creating and Managing Connection Objects

14 43 44 45 2000 2003 active addition adlb adsi affect always among appears application apply aren't arises assign automatic automatically availability background balancing being besides best box boxes branch bridgehead bridging calculate catalog central check choices choose com command configuration configuring connection connections connectivity considerations contain contains context contexts controller controller's controllers correct corresponding cost created creating currently data define delete demoted deployment destination detailed determine dialog direct directly directory discussed display distributes distributing dns domain domaindnszones domains else empty end's ensure enterprise entries errors exists explain failure feature fewer field fields forestdnszones four fully get global grid guide happy helps hops http hub important includes including indicate indicates initiate intersite interval intrasite ip istgs items kccs kit latter let line link links listed little load locate locating long lowermost manage manually master match menu microsoft modify name names naming needed network nevertheless none normally ntds object objects occur office offices ok operations option pages pair partial partially partition partitions planning previous produces programmatically promoted properties property protocol protocols read ready reasons receiving rename replacement replicate replicated replication resource respectively resulting results right role rpc schedule schema screen script scripts search server servers services settings sfrsales1 show shown site sites smtp solution something sometimes source special staggers standby take tell temporarily thousands time times too tool topology transport type upper weekly version windows www yourself

Reciprocal Replication

add adding adsi alternatively bills bit bitwise branch bridgehead call configuration connection controller correct corresponding created decimal define defined dial dials directions doing domain during easiest edit equivalent events headquarters help latter likely link locate manually modified modify modifying money never notification object obviously office open operation options order partition phone place produces properties property receives reciprocal replicate replication requests result right save sends server site takes together tool value values versa vice view

Using Change Notifications in Intersite Replication

15 16 2003 achieve adjust administrator anded automatically bit bits bridged cases causes chain changed connection controllers corresponding default define delay depending described description difference domain enable enabled enough explained fast find generated hex high initial intersite intrasite kcc latency link links long longer low maintained maintains manually mentioned minutes modify notification notifications object objects options place properties property reciprocal replication right seconds server settings site somewhat speed take therefore third together too urgent value wan windows words

Site Options

10 11 17 20 40 80 100 200 400 2000 2003 addition algorithm allows automatic behavior bit bits bridgehead bypass caching causes cleanup connection connections consequently contain control corresponding creation describes description detection disables election enable enables fail failed forces generation group hashing hex hop intersite intrasite istg kccs leads link links maintained maximum membership mode ntds object objects occur operate options outdated partner picking prevents property randomly redundant replication right ring schedule server settings shortcut site site's sites sixth static temporary third time times topology universal value windows

Configuring SMTP Replication

2000 2003 able access always among application appropriate asynchronous authority availability bridges browser ca catalog certificate choice com component configuration configure connection contains controllers corresponding data direct document document's domain domains encryption encrypts enterprise fields file follows frs get global goes group guide http ignores iis included install internet intersite interval intradomain ip ipsec ism istgs latter let limitation link links mail manually mentioned messaging microsoft microsoft's network normal objects once partitions perform perhaps point policies previously procedural protocol public read reason reasons reliable replicate replicated replication requests responses route rpc schedules schema search server service services settings shown simple site sites slow smtp somewhat step support synchronized therefore time title traffic transfer unreliable wan web while windows work www yet you'll

The Replication Process

18 able active along before built changed collision conflict controller controllers dampening data database date deleted deletion determine difference directory domain efficient endlessly examine flows function functions high identify individual initiate intersite intrasite it's keep leads learned listed local mechanisms multimaster multiple now numbers object objects order partner partners paths prevents process propagation properties property received receiving replicated replicates replicating replication resolved retrieve sequence someone system time times timestamps tombstones topologies topology update value watermark vectors version


18 active adding address application b before c changing committed contrast controller controllers correspond corresponding corruption creating d database databases deleting differentiate directory divide domain entire foundation four guid guids identified identifies including intersite invocationid lay makes mechanisms moving notification ntds object objectguid operation operations order original originally originate originating outbound partner prevents process properties property receives rejected renaming replicate replicated replication request restore ring s schedule sends server settings skipped step steps stores transactions transitive treats types under update updates user whole

Update Sequence Numbers

32 64 100 aborted access active addition amount applications attributes before billion bit bits catalog changed collision committed comparison conflicts contains context continue controller controllers coordinated corresponding count counter creation current database directory disagree discussed domain down duplicate during eventually exact excluding explained fast follows forest form four global gmt greenwich guid having help identifying implied incremented increments independent indexed indicates interrupted largest latest leaves left lets lifetime little local lose lost made maintaining mean microsoft never nonreplicating object object's objects order originated originating out pieces point problem promised properties property reinstall reinstallation relative relieves replicated replication request resolving run sequence shortly significant simultaneously six solves specific stamp starts still stopped stores storing time times timestamp together transaction universal unlike update upgrade usn usnchanged usncreated usns utc value values version whenever wherever while years yields

Replication Metadata

1 1 10 13 15 24 28 29 35 40 48 2003 2004 20489 57494 15z 29t20 4c44 61ed70d4 9d26 active ad2003 add added advance attr attribute attributes bb3b3e82796d binary book boston breaks byte bytes choice cn com command compare configuration consequently contains controller controllers corresponding created data date dc dc11 description directory disk domain ds dwversion e35d eight entered entries extra fit format four ftimelastoriginatingchange get gmt graphical identify indentation indicates instancetype january keep lastlogon line listed loc local meta metadata msds multivalued name newness nonreplicating nor notice ntds ntsecuritydescriptor object objectcategory objectclass october org originating ou output overhead page picture plus pm preceding produces properties property pszattributename pszlastoriginatingdsadn relate remaining repadmin repl replattributemetadata replicated replication replmon replpropertymetadata sales sanao servers settings seven show showmeta sites sizes smaller storage time timestamp timestamps track transfer transferred usn usnchanged usncreated usnlocalchange usnoriginatingchange usns utc uuidlastoriginatingdsainvocationid value values ver version whencreated wire won't xml z

Viewing Changes

16 324 555 1234 0x4 3f88 432343bc2ab8 450de4e057dc 46cb 46fb 4e6b 516f 6bb6b913 6f4483714924 8cfe a5d4 add again among appropriate b223 b775 be40f6ab big blob boss boston brown byte bytes c6b3872f cmd cn com command controller controller's cookie copy correct couple current dc dc1 dc5 displays domain enough exe feature file final follows former get givenname guid hanson herbert herbert's instancetype issue jack jack's latter line lines locate modify modifying msdcs mycookie now object objectclass objectguid objects occurred organizationalperson ou output parentguid part partition paste person phone preceding previous records reissue repadmin replicate replicated result resulting returned run running sanao show showchanges showreps since sn source specify status telephonenumber things time tip title top txt type typing under user variation view wrapped write written yet

USN and Version Number Example

19 20 21 22 23 30 31 32 113 114 331 332 522 523 776 777 22114 23777 31332 32523 adsi advanced advances always attribute back basic behind bold brown c changed class cn controller counter created creating current data db dc dc1 dc2 depending didn't differently directory domain elapsed examine familiar generated gets givenname guid home homedirectory identical indicate indicates indicating italics knows l least local locally look mechanics metadata modifying move multiple name naming newly notice now numbers o object objects ones operation originating ou outcome properties property rdn reality replicate replicated replication sam sam's scenes script she show shown simplified snap source specifically srv1 srv2 step steps sufficient tables time timestamp transactions treated update user users usn usnchanged usncreated usns ut value version work

High-Watermark Vectors

23 6577 18183 25882 appears application care catalog configuration connection consequently contain contains context controller controllers corresponding dampening data database date dc dc's dc1 dc2 dc5 dc9 destination detect didn't domain entries global greater guid help high highest incoming indication kick largest maintains maximum naming nonreplicating object objects ones owner parents partition partition's partitions partner prevent propagation property provided receiving recent replica replicate replicated replication repsfrom request requested requests returns root rows schema send sending sends server source stores taken takes tells update usn usnchanged values watermark vector vectors words

Up-to-Date Vectors

12 22 22 23 23 23 23 24 25 26 27 28 29 331 332 916 1864 2003 6577 8022 8023 9915 9916 12320 12331 12332 18180 19234 25882 32904 actually administrator advance advances again asking bold causes changed command communication complete completed consequently contain contains contents controller controllers corresponding current cycle dampening database date dc dc1 dc2 dc3 dc5 dc7 dc9 demonstrate describes detection diagnosing directory domain easy enables endlessly entries entry equal error ever feature filter filters forest full get getting greater guid help high highest home included indicates initial knows latter less local logging made meaning mentioned minimal monitoring network newer nonreplicating notification notifies now object objects obviously offline ones option options originated originating out owner owns partition partition’s partitions partners party physical practical presents prevents problems propagates propagation properties property provide realizes received remember removed repadmin replicated replicating replication repluptodatevector request reside result resulting return returns root sends sent server show shown showutdvec showvector source state states step storing structure support tables therefore time times tip tool update updates user’s usn usns value watermark vector vectors weren’t version windows


30 2000 2003 000a 0a 28f9 48cb 507c75a0 7c33 aborts accidentally account active ad2000 ad2003 add addition administration administrator advance again almost always anything append appended application applications asterisk attributes automatic basis before being box brown byte call canonical cause cb946d109184 changed changing character choose class clearly clocks cnf collision collisions combined common configuration conflict conflicting consequently consistency container controller controllers cool correct created creates creation csvde current cycle data database dc1 dc2 delay delegate deleted deletes describes destination destroyed detected determine directory discussed display dn domain down equal event everything everywhere exact express fashion feature fine follows forest functional get go group guid handles happens having headache hex higher highly identical important incoming incremented interim interpreted jack keep keeps kinds knowledge larger latter ldifde let level likely linefeed linked little local log logic lose lost lostandfound lostandfoundconfig made managing master masters matter member members memberships message minimizing mismatch modification move moved multimaster multivalued name names narrows natural never normal normally numbers object occur once operation operations options organize originally originated otherwise ou1 partition partitions peculiarity perhaps phone playing possibility practice pre principal printable problem processing propagate properties property reach reached really remember rename renamed replicated replication representation represents requests reserved resolution result resyncs running sam scenario scenarios schema seconds seems seen server shouldn’t sibling simultaneously single situation smaller someone something source special stamp state step steps still surname synchronized system take therefore things third time timestamp timestamps town track traditionally twice type types unambiguous under unlikely updated updates upn user user’s users value values warning version white win windows winner wins within won won’t words writes wrong you’re


12 24 29 60 2003 000a 28f9 48cb 507c75a0 7c33 active actually ad2000 additionalsamaccountname anything asterisk attribute attributeid attributes attributesyntax auxiliary backups before brown cb946d109184 changed character check classes cn collector com common configuration conflict conflicts consequently container controller controllers couple created criterion current database databases days dc default defragmentation del delete deleted deletion describe die directory disk distinguishedname dnreferenceupdate documentation domain entry exist explained extra feature format garbage governsid grouptype hex hidden hours ignore immediately instancetype internal intid isdeleted jack kit large lastknownparent ldap ldapdisplayname learn least leaving left legacyexchangedn lifetime location made microsoft microsoft’s mode modifying months moved msds msmqownerid multicolumn name ncname needs networks never normal normally nt ntsecuritydescriptor object object’s objectclass objectguid objects objectsid offline older omsyntax once operation original partitions perform please preserved problem production properties property property’s recommendation recommends recover removed replacement replicate replicated replpropertymetadata represents reserve reserved residing resource restore reused runs samaccountname sanao search server service services shouldn’t show shrink size something space special starting stripped subclassof systemflags takes task thanks time timestamp tombstone tombstonelifetime tombstones turns uid unless unnecessary useraccountcontrol usnchanged usncreated wakes value while why windows

Tombstone Lifetime Dependencies and Lingering Objects

age allow appropriate back backup before brought causes collector contain controller controllers corresponding databases deleted deletions dependencies directory domain elapsed error fixed forest garbage had inconsistent intentionally latency leave lifetime lingering longer maximum months obeyed object objects offline older online prevented reason reintroduced replicated replication restore restored restoring shorter state taken tombstone tombstone’s unreachable unwanted utility windows worst wouldn’t zombies

Using Strict Replication Consistency to Protect from Lingering Objects

2000 2003 actually advisory again appears attributes behaves behavior changed checks command consistency controller controllers controls corresponding creates currentcontrolset database default deleted destination detecting detection dilemma domain dword entire exist experthelp forest hkey include installed key lingering local loose machine mean mode modes newly nonexisting ntds object objects once option parameters partition performs process puts quarantine question re receive receiving reg registry remove removed removelingeringobjects repadmin replication requests server services situation solve source sp3 specifies strict syntax system timestamp type unwanted updates upgraded value whencreated windows

Time Since the Last Replication Check to Protect from Lingering Objects

2003 2042 again allow always application before better catalog collect com command configuration consequently consistency controlled controller’s controllers corrupt currentcontrolset dangerous dc dc1 dc2 delete described detection did divergent domain domaindnszones dword easily error event exceeded fixes force forest forestdnszones four garbage get global having hkey id images increase independent instructions issue lifetime likely lingering local log loose machine months now ntds object objects off operation option parameters partition partitions partner pc problem protection quarantine quarantines recover referring reg registry removelingeringobjects repadmin repl replica replicate replication reusing run sanao scenario schema server services since sites snap source store strict succeeded system test time tombstone tombstones try turned uncontrolled value via windows virtual vmware won’t worst years

Time Synchronization

123 1305 1769 2000 2003 accurate active admins among applications arises attribute attributes authentication batches care clocks collisions computers consequences controller controllers crucial default defined determine diagnosing directory disastrous display dll domain domainwide easier ensures enterprise environment events exe explained failure file firewalls fix forest forestwide get implemented included internal keep kerberos lives locked managing minutes name needed needs network ntp objects open organization out packets pass port preserved process protocol rely replicated replication resolving rfc right routers server service services simple situation sntp sophisticated starting svchost synchronization synchronized takes therefore things third time times timestamps udp users w32time value various warning vary windows within work xp

Time Convergence Hierarchy

262680 anyway article atomic authentication authoritative base boulder card client clock controller correct domain forest functions get gets global gov gps hardware hierarchy host htm html http install institute internet knowledge maintain manually master member microsoft mil national naval navy nist ntp observatory options owns parent pdc place positioning prefers protocol role root satellite server service site sntp sources standards system technology time timefreq tracks treelike tycho us usno w32time web whole visit workstation www

Controlling the Time Service

achieve automatically b c cause causes clock command commands computer config configuration control domain effect external follows forest get help hosts latter manual manualpeerlist master mil navy necessary net normally operations pdc preceding resync resynchronizes root service sets setsntp someotherserver source sources stop syncfromflags synchronized take tasks throughout tick time tock type update usno w32time w32tm workstation’s yes

Monitoring the Time Service

0 0 0 0 0 0 10 12 20 21 22 28 31 33 40 41 192 2004 0000000s 0026064s 0044388s 0053861s 0461954s 0ms 13ms 3604854s 3704998s 3805142s addition address administrative c checking clock com command commands computer config configuration control controller controllers ctrl current currentcontrolset d dc1 dc2 default delay display displays domain dumpreg errors event external followed forest group hkey icmp ip issued line local log look machine mil monitor monitoring name navy near ntp o offset output parameters pdc perform policies press refid registry sanao seconds server service services settings source source’s specified store stripchart subkey synchronizes system templates tick time tracking type until usno w32time w32tm windows workstation

Managing Operations Masters

active approach cases conflicts considerations controller daemon describe difficult directory discuss domain domains domainwide emulator explain extremely failure flexible follows forest forestwide formula fsmo functions hold implement independently infrastructure leads master masters multimaster naming operation operations pdc perhaps placed placement prone replication response rid role roles schema seize simple single special subsections time transfer zero

Schema Master

base controller domain ever forest forestwide holding master partition replicated role schema

Domain Naming Master

ad2003 adding application container cross directory domain external forest forestwide made master naming partition partitions performed reference removing rename

RID Master

100 250 500 600 2000 2003 305475 316201 $ active administrators always amount anymore article available base being below better billion block cases cn computer conflict consists controller controllers created creating dc dcname default directory domain domains enough ever explains falls forest free gets group guid high id identical illegal increases initiate interested issue knowledge lead level makes manager master microsoft modify move movetree object objects offers offline ou out pace part pool pre prevent principal principals puts rare read relative removes requirement resiliency retrieved retrieves rid rids risk run security server sid simultaneously situation size slightly source sp4 sure system time tip trusting unique user value while windows yourdomain

PDC Master

2000 access account always authenticating avoidpdconwan backup basis bdc bdcs beneficial best browser building changed changing check clients computer computers controller controllers currentcontrolset delay disabled discussed domain downlevel dword effort emulates exchange expect fills find former function functions happens hasn’t her his hkey immediately includes indirectly instantly ip local lockouts machine made master match member natural needs neighborhood netlogon network networks normally notices nt object old parameters part password passwords pdc pre preferred primary processed pure push pushed reg registry releasing replicate replicated replication server servers service services sites subnets synchronization system time tries user user’s users value ways via windows workstations written yet

Infrastructure Master

accordingly boston brown cases catalog changed check cn com confuse consequently contacting contains controller controllers database dc deleted directory distinguished dn domain domains duty find foreign forest global group gssales guid his identifiers infrastructure jack lingering london marked master member move moved name needed never object object’s objects operation ou outside performs periodically phantom phantoms principal principals record reference referenced references referencing renamed renaming replicate represent responsible sales salesmen sanao scanning security server servers sid special still target tombstones update updated updating valid wouldn’t zombies

Operations Master Placement

31 32 46 2000 accessed accessible active actually addition affect anymore anything apply automatically bdcs being better bullet call capable carry cases catalog changed child clients communicate communication computer conditions configuration connection contain control controller controllers covered created cross current data date dc dcs decently default depending describes designate directly directory disaster discuss domain domains domainwide downlevel emulator error especially event ever exception experience failed failure failures fast feel forced forest forestwide full functional gc get global go good guidelines heavy hurry hurt idea incremental infrastructure install instructions kcc keep large least less level link load log logged look manage managing manually master masters medium message mixed much multidomain multiple naming naturally needed needs network non notice nt object objects off omdc omdc’s omdcs ones operations original otherwise out owner partition pdc perform phantoms placement powerful preferably prepare primary promote reasonably references reliable reliably rely remember replace replicate replicating replication requirement responding review rid role roles root rules scenarios schema selecting send separate server servers settle simpler site sites sitewide small special standby steps subject subsection subsequent sync therefore time tomorrow too topology transfer transferred unless updated updating users whole viewer windows vital won’t workstations zero

Transferring Operations Master Roles

11 33 $ abbreviate abbreviation active adsi alternatively backup before better cn co command computers configuration connect connected connections contains controller cooperation corrupt current difficult directory domain domains drastic emulator enter enterprise failure failures forest former fsmoroleowner graphical happens holds hood identified infrastructure latter left line listed long manager master masters mmc my myserver name naming ntds ntdsutil object old once operation operations owner owners owns pane part partitions pdc place points press prompt property put quit real requires respond restore rid right ro role roles root schema scripts seizing server settings situation snap still system target time transfer transferring trusts type unambiguous under understand users utility warning word writing

Managing Operations Master Failures

33 34 47 100 600 2000 16645 16651 absolutely access add addition administrator administrators affect affects allow among answer anymore anytime appears application assign automatically available back backup bdcs best care clients competing completes computers connection consequences consequently consider controller controllers corresponding corrupt course created cross dc dcdiag destroy directories disconnect disk domain domains drastic easily error event events external fails failure failures fear fix forest format get gets graphical group groups happens hard he immediately impact infrastructure ins itself kind least listed log manage manually master masters members message move moves naming neighborhood network never notice ntdsutil objects occur off often old omdc online operation operational operations original otherwise out outcome partitions password passwords pdc perhaps point pool pre principal procedure rather really referenced references reflect refuse remove rename renames replicate replication restore rid rids role roles run runs schema security seems seize seized seizing servers single sites snap soon standby starts sure synchronized system take therefore time try turn until updated user users verify windows won’t words yes

Seizing Operations Master Roles

1 1 1 1 8 11 13 14 27 28 32 33 35 39 45 51 2003 2004 6792 9733 12193 15108 again ago ahead alive alternatively anticipate anymore apply available back backup become becomes before being best brings candidate candidates carry chance closest cn com command commands compare completely computers configuration connect connection connections constantly controller controllers corrupt corruption course current date dc dc1 dc2 dc3 dc4 dcs decide default described designated directly display displays domain drive enter evaluate failed failure find forest fortunately four function go had hard help helps hour include infrastructure infrequently instructed intrasite issued largest latest latter left line lines listed locate long master masters matter minimize missing name naming needed normal nothing now ntdsutil object obviously omdc once operation option original originated out output outputs owner owners part partition pdc place preceding press prompt quit remaining remember repadmin replicate replicated replication rid rids risk role roles s sanao schema seize server shouldn’t shown showutdvec showvector site snap standby state sure takes tape target time times tool transfer type unacceptably unavailable until urgent users usn utility wait vector version windows vital word worry yet


active automatic automatically bridgehead catalog configuration controllers covers diagnose directory domain efficiently enter equipped failure familiar finally finishing generated global good intersite intrasite logical long manage masters network once operations optimal physical process read ready replication roll servers special structure topology understanding

Chapter 6
Domains and Forests

active addressing aforementioned among beginning belong catalog causes concepts continue controller covered cross delegating design directory discussing discussion domain domains established examine examining explain forest forests frd global groups includes installation issues ldap managing move moving much network objects perform permissions physical placement previous references referrals relationships replication requires root searches servers structure structures talk techniques theme topic traffic trust trusts turn various within

Domain Controller Placement

active amount consequently controllers design determine directory directory’s domain examine help issue locations major network placement traffic us

Active Directory Network Traffic

140 2000 2003 active ad2000 administrators adsizer along apply asks background better book building catalog client com controllers data database derived description deserves directory domain download enter entered enterprise estimates field forbids full generates get global good hardware http include indication ldap license log logon measured microsoft much network notes numbers objects off often once page pays present presented press publishing read refer replication requested requirements results roughly screen server services shots show size sizer space strictly summary therefore third too tool traffic type types unfortunately users windows windows2000 writing written www xp

Windows 2000 Client Logon Traffic

90 95 98 100 600 2000 12kb 155kb 28kb 38kb 3kb 50kb 60kb 70kb 85kb accesses add adds affect affects amount back belongs booting boots bytes caching causes check client communication computer concurrently controller copy default depends designated disk dns domain download downloading due during easily especially estimate exact except exchanged exchanging executed extra factors file files folder folders functionality generates goes gpo group groups growth her home hundred include included interactive interactively items kerberos kilobytes launches ldap likely local locally logging logoff logon logs minutes naturally necessarily needs network numbers object obtaining obviously offline perhaps phases policies policy presented process profile programs put query querying read redirection refreshed roaming rough roughly run saves scale script server servers side sids size small startup subsection ticket tickets tied time total toward traffic transferring types typical typically universal uploaded user users whereas windows workstation workstations written

Active Directory Replication Traffic

0 1 10 14 17 20 24 25 29 48 58 87 87 90 92 95 97 100 112 114 120 132 134 137 153 165 168 177 180 192 196 210 256 259 260 290 314 350 357 372 408 418 476 519 637 747 780 808 958 985 2087 2137 2250 Ī 10kb 32kb above absolute account accountexpires accurate active actual ad2000 add added adding addition adds adsi again algorithm almost amount amounts analysis answer approach approximately around aside attribute attributes average b base before best biggest bytes calculate cases catalog caused changed character check codepage column comes compress compressed compression configuration contain controller controllers correct countrycode counts couple creating data database degree derive derived detailed determining did difference direct directory dns domain domains doubles easily effect efficient efficiently encrypted encrypts error errors estimated estimation except explains expressed fact fancy fewer find finding forest formula fortunately four full function gc get gives global good group groups had headers higher host hundred include increase increases increasing indicate initiating integrated interested intersite intrasite introduces involves kilobyte kilobytes larger largest less life likely line linear mandatory manually margin margins mathematical mathematically matter measured member members microsoft microsoft’s mostly multivalued noncompressed nonexistent nonlinear nonlinearity normal notification now numbers object objects often ones our out packs parameter parameters parentheses part partial partition partitions password percent percentage picked place points practically present printer produces proportional pwdlastset raw real really reason receiving record regression replicate replicated replicating replication represent representative represents results right rightmost roughly rpc savings say schema school scopes security seen server servers seven shouldn’t show shown single sites small smtp sought specify started storing string tables take takes taste ten tens tenth term terms thereby therefore thing threshold time times total traffic transportation truth type types unicode universal user users value why volume words y zones

LDAP Client Traffic

11 124 10kb 29kb 7kb access active address administration administrative administrators adsi amount amounts anonymous anyway api applications authenticating avoid bind book brief bytes c catalog cause causes client clients connecting devices directory enabled excessive executed explained findings global half increase increases ins inside interface large ldap least microsoft microsoftís mmc modifications modifying native network normal object objects obviously ous page port properties property protocol queries reading reads reasons retrieving roughly search searching server settings similar single size snap sspi summary takes tested times traffic tuned user users windows

Determining the Placement of Directory Information

abstract active actual ad2003 application benefit catalog choices concentrating configuration contain continues controller controllers cover decision designated determine directory discuss discussion domain domains enterprise examine field forest general global host introduces level location london looking network now obviously our part partial partition partitions place placement placing planning playing previous purely recall replica replicas reside schema selections server servers shouldnít single site sites somewhat store suggests thing third together topics whereas

Looking at All Sites and Domains Together

access active actually always among amount aside attributes best boston brings buy cases catalog compare configuration controller controllers depends directory distributed divisions domain domains drawback dropped effect enterprise equivalent ever examine extreme fall follows forest francisco general global having independent involves less likely link local london maximum meaning minimum multidomain necessary now objects offers others part partition partitions perhaps placed placement practice present proximity regard replicate replicated replication represent requires san savings scenario scenarios schema server servers single site sites solution therefore third users wan viewpoint worse worst

Looking at a Single Site and Domain

100 2003 access active adsizer affect always american amount approach attacker backstage besides better branch calculate cases catalog causes causing choose client clients complete computer conclusion configuration consequently consider considerations contains controller controllers corrupt couple decent decide decision decisions depends deployment designate directory discussing domain domains elementary enables enough entire evaluating exact excessive final foreign forest frequency get global going greater group hand having hours hub important including intuition kit large ldap leads learned least less let’s link links live local locally location logon logons london mainly making manage mentioned microsoft much naturally needed normally now numbers obvious occurs off often option options partly passwords pays peak perhaps physical place placement placing plan plays policies possibly precise previous profiles put queries reliability remember remote remotely replicate replicated replication reside return roaming role rules scenarios scheduled schema security seriously serve server services simply site sites sitting size small speed states suffer suggested sure takes times too tool traffic transaction user users users’ waiting wan variables various whereas windows wise workstation

Looking at Global Catalog Server Placement

20 100 165 166 2000 2001 2003 accept access account active add adding address adequate amount application assign attributes authenticating availability available avoid button cache caching careful cases catalog changing claim com combining computer computers connection consequent considerations constant contact contacted controller controllers corporate correct corresponds data database dcom directory discuss distributed domain during easily enough excessive exchange extra fast find forest functional gets global group groups had hardware having his host impractical included increase increases interesting intersite intrasite item items large larger lead leads leave level link links listed local location log logon logons logs lot mapping maximize member members membership memberships menu message microsoft msmq name native needs network nor normal normally once operation organization part password percent perform place placement placing powerful preceding previous principal promote put queries queue reason reasons recommends refrain reliability reliable remote removes replicate replication required requires requiring resolved roaming running say search sections security server servers service site sites size something specific speed suggests sure take time token traffic universal upn user user’s users wan via willing windows visit wouldn’t

Disabling the Requirement for a Global Catalog Server During Logon

2000 2003 access across add becomes caching catalog contacted contain control controllers correct currentcontrolset denied discussed domain global group groups hkey ignoregcfailures key link local logging lsa machine members membership method preferred problem recognized registry resource server site still system universal users wan windows

Universal Group Membership Caching

active ad2000 ad2003 applications box cache caching catalog check clicked closest connection constant contact controller corresponding default determines directory domain during eight enable exchange find global group groups having hours indefinitely logged logon logons member membership mostly much needed normally ntds occurs out processing properties reduced relieves server servers settings site specify subsequently turn universal update user

Designing Domains and Forests

active authentication choose design directory domain domains forest forests multidomain multiple optimize plan possibly relationships root shortcut structure trust

Single or Multiple Domains and Forests

2003 account active add adjust administration among apart areas benefit benefits bit capabilities cases catalog catalogs choice choosing combine complete configurations configure conflicting consolidate contains cost costs dc dcs depending depends difference differences differentiate directory discussed dns domain domains evaluate extra feature forest forests four functional gc get global groups hierarchies host introduced item items kerberos latter lead level lockout making multiple names options ou ous password placement policies possibilities present priorities purposes questions recall replication running schemas search server similarly single structure summary topic tree trees trust trusts units universal weigh windows

Single or Multiple Domains

active administration aspects blocks building chapters cited controllers costs directory discussed domain domains explain hierarchies justify logical managing master microsoft multiple objects obviously operations organization ou physical placement policy recommends related remember replication review roles specifically subjects tree unit units unless wish

Multiple Domains Because of Units of Administration

able account active administration administrative administrators admins autonomous boston boundaries configuring consequently control controllers countries country creating cumbersome default defaults deployed directory domain domains drives fixed folders foreign forest formatting geopolitical get groups hard highly include isolated legislation london notably objects operators organization outside outsider part permissions printers prohibit protect rights rogue senses separate server services sharing someone starting trusted unit wide

Multiple Domains Because of Units of Policy

10 15 2000 2003 account addition administrator amount apply automatically branches come computer configuration contains default domain domains enable entered expire expires force gpo gpos granting group guess guest hours include includes intruder kerberos kinds local lock lockout log logoff logon long longer minutes network off options others ou password passwords play policies policy potential rename require security server settings someone’s specified specify tgt ticket tickets time times too user users wait valid windows visible wrong

Multiple Domains Because of Units of Replication

0 100 56kbps bandwidth cases catalog compressed configuration connection controller controllers cost created creating data day direct directions directory domain domains enough estimate everywhere feasible feel forest free global host important includes least link links location lower mail microsoft million monetary needed needs object objects occur once open optimize part partition pay places powerful presented reached reasons reciprocal reduce replicate replicated replication rough schedule schema separate simply single site slow smtp spend store thereby too traffic unavailable unit usage users wan

Multiple Domains Because of Existing Windows NT Domains

active address alternative book consolidate directory domains empty exactly fewer forest goal groups had having ideal includes intermediate kind large leads long mandatory mention migrate migration multiple network nt organization path performing perhaps place reach reason run selection stage strategies structure take toward ultimate upgrade users windows year

Nonreasons to Create Multiple Domains

0 0 26 40 100 accounts active administration administrator allow capable computer concern delegate delegation directory domain domains groups hardware host least limit million needed nt objects ou permissions server single too user users windows

Branch Office Environment

100 approach automate basic branch child com common correct deployment detailed domain domains environment feature get guide headquarters http includes large locate microsoft office offices pages planning process scripts search special www

Costs of Additional Domains

access accesses accessing accordingly addition administered administration administrators allows along among authentication bridgehead caches carried communicate communications computer computers controller controllers costly costs created cross direct domain domains duplicate easier established extra fault final fortunately global group groups having home host illustrates implements including increased increases independently inside interdomain introduces item job kerberos laborious least less licenses likely local machine managed mean move moves moving needed needs objects often ou out path policies possibility present process protocol quicker reached referral relationship reorganization requires resource return returns risk scattered scope separately server server's servers session significant sites sometimes somewhat subject target ticket tickets time tolerance transitive transparent trees trust trusts unavailable universal unnecessary until user user's users users' windows work workstation

Single or Multiple Forests

access administration administrator administrators affect aforesaid again allowing alternatively america anyone area asia autonomous book boot catalog catalogs child choice choose choosing common complete configuration consequently considered controllers corporation costs created d decide deploy describe described discuss diskette division divisions domain domains ends enterprise especially europe feels foreign forest forests form four gain gained geographically global greater group groups having highly implement incur independent interact isolation justify kind left likelihood management merely modifications modify multiple multipleness opt organization organizations oriented out part partnership parts personnel physical preferred premises privileges protected protections put question r reason reasons replicate represent rest risks sanao scenario schema sense separate separately single singleness specific specifically subsequently suggesting suitable suspicious system thing traditional treat trust trusted trusts unless upper users wants variations warning ways worth

Number of Schemas

added administrative agreed allowed amount applications applied attributes care classes consequently control coordinate costly decide duplicate ensure extensions forest forests group host identifiers implement multiple names necessary network numeric organization owner part person production program rare reason related require requirement schema schemas separate separately setup single slightly someone take test therefore tolerable uniqueness wants various vendors work

Number of Forest Configurations

added administrative again approves autonomous benefits best circumstances configuration consider control costs created decide decision definitions domain domains duplicate enterprisewide forest he includes links maintain making managed management organization owner part person political power responsible results schema separately she similar site sites terms wants work worth

Number of Global Catalogs

acceptable active actual actually addition advantages aforementioned application applications authentication authentications brown card catalog catalogs checked checking com companies computer computers confusing dcom default directory distributed domain domestic during easier enterprise's enters entire exchange external forest forests four global groups hand he his included jack jack's locate locating log logon logons mainly maintained memberships message microsoft msmq name names network networks normally now object objects part principal property provider purposes query queue rely remember sales sanao search searches separate server servers service sitting smart snap someone something still suffix trust universal upn upns user user's users ways whenever via windows work wouldn't

Complete Trust Area

2000 able acceptable access accordance achieve acl ad2003 addition administrators admins aforementioned allow almost alternative anyway applies approach area assign assigned authenticated become becomes block blocking browse button causes characteristics child cn com compatible complete computer computers consequences consider constitute containers contrast control controlled controllers course creating dc default depending described domain domain's domains doors editor enough enterprise entry environment error errors exe forest forests form full good group groups guards he hidden hide highly hope idea included includes independence inheritance inside installed kind laborious latter ldp level levels limits listed local lower maybe medium member modifications modify multiple names navigating necessary object objects out outside outsiders owner permission permissions phase plan practically pre prevents principals problem process prone properties put putting read really reason relationships remember remove replace resource rights root sales sanao savvy scope secured security separate setup she somewhat specifying still support test therefore thoroughly top trust trusted trusts unlocked user users various ways widest windows

Other Reasons for Multiple Forests

acquisitions active actually administrator administrators allow allows assume before built central centralized company consequently coordination coupled decentralized deployment directory divisions domain exchange forest forests group historical independent large mail mergers merging multiforest multiple network networks off operations organization organizations partnerships protect reasons recommended result rogue security separate split supported system tends tightly until version

Other Costs of Additional Forests

2000 accounts active ad2000 ad2003 addition address administrators authentication browse catalog catalogs clone connected consequently costs directory's domains exchange forest forests four global guids kerberos latter main maintain miscellaneous move multiple ntlm object objects operate option organization passwords potential preserve reasons recipients single trust user users

Forest Planning Considerations

add authentication choose domain faces forest optimize organization plan root shortcut topics trusts

The Three Faces of a Forest

accessed according addition administrative administrators admins among anyone arranged authenticate authentication b bunch c central child connection contact contains control controller controls depends determined dictates dns domain domains enterprise exactly except explained faces follows forest forests forget get group groups illustrates inherit level levels longer look lower managerial matters meaning merely namespace pairs parent path paths permissions policies presented relationships resides resource rights root saw schema scopes search separate special speed station still structure superiors takes target think traditional traffic tree trust user's various view viewpoints views workstation workstation's

Shortcut Trusts

10 11 15 access actually add administrators along anything approach authentication authentications b bypassed bypassing c child communication consider contact controller cost created creating d direction dns domain domains drawbacks energy exist fails failure faster fault find forest four frequently go helps illustrates improve interdomain makes mechanism minutes minutes' missing name needed normal nt old ones opposite out pair parent part path pays prevents relatively resolution resource resources root shortcut shorter six speed structure subsequent succeeds takes target therefore tolerance transitive trust trusts trying unlike user's users users' via views windows words work workstation worth

The Forest Root Domain

0 12 30 above accessible addition administrators admins afford authentications avoid backup being central child choice choices computers connected consequent consequently contain contains control controllers created decide delete depends domain domains easily empty enterprise fail fast forest forestwide former groups hundreds illustrates install interdomain latter link lose maintained marks master members monitored multiple naming network nonempty objects obviously organization parts paths permanent predefined quotation reinstall relatively reliable removed requirements restore role root schema scratch selecting shortcut station still transfer travel tree trees trust trusts unless users warning word wouldn't

An Empty Forest Root Domain

12 above accidental account accounts addition admin administration administrative administrators admins approach appropriate assign b becomes before benefits best bought buy c child chosen com committee complex configuration consequently considers contain control controlled controllers created decentralized decided deploying didn't difficult division divisions domain domains downsides easier easily easy empty enterprise establish europe european exist fewer forest forests fourth frd functions future had hardware having independent installed isolate left licenses light likely listed locations locks longer lot main manage managing membership merger microsoft model multiple needed network never objects obsolete offer opt organization others outsource ownership password passwords permissions policy power practice predefined purpose raise relatively replicate required reside resources responsible restructuring rights root sanao schema sell separate server side single still strict suits team tolerated transferred troubleshooting unless user various words work wrong years

A Nonempty Forest Root Domain

0 12 17 21 578 access accesses administration administrators admins america american asia asian assign assumed authentication best branch bypasses cases centralized choice communicate contain contains continent control controller controllers controlling convenient cover creating delegated directly disks domain domains employees enterprise europe european extra faster fewer folders foreign forest format get group hard hardware headquarters level likely limited long main members membership modify needs normal north office organization ou ous path perform permission placing remove replicating replication require resource results right root scenario schema share shortcut shortens shouldn't side solution sometimes south structured tasks therefore top traffic transitive transmission travel tree trust trusts unless user users various warning versa via vice

Various Roots

19 22 2000 above active actually ask authentication basic beneath browse catalog client com concept connects consequently contains controls denoted despite directory distinguished dns domain domains dot edu empty explained forest former global gov latter ldap ldapv3 level mechanisms name namespace object operate org ou our paragraphs part preceding properties provide purpose referred related root rootdse roots running sample sanao sense server single sld specification supports things tld top tree windows virtual

Trusts between Forests

access accounts ad2000 ad2003 b certificates connects domains entire existed external forest forests map pki provide resources root together trust trusts types user users

Name Resolution between Forests

2000 2003 able active added advantage advantages allowed alternatives authority automatically b being block book briefly c com combinations communicate compared computer computers conditional configuration configure configured connect consequently contacted containing copy correct cover data dc2 dc6 describe directory dns domain downsides drawbacks easy entire etc exactly firewalls foreign forest forests forward forwarding glue hand higher host knows latter level local lower modify name names never non ns obvious older option others part possibly prepared queried queries query rd record records replicate replicated requirement requires resolve resolved sanao sanaoeurope secondary separately server servers service soa source specific specify standard store stub target transfers trust type unix version whenever windows work works zone zones

External Trusts

13 14 18 2000 access ad2003 appear applies assigned authenticated authentication available b brings concept consequently contains correct course creating cross dedicate direction discussed domain domains enlarged enlarges external feature filtering forest forests illustrates interforest kerberos makes manually needed nontransitive nt ntlm objects opposite outgoing package pair pairs part permissions place practically proper relationship required requires resource resources roll scope security selective sid source takes target transitive trust trusting trusts type unidirectional unless users windows

Forest Trusts

2000 2003 accessed accounts acquires actually allow allows always apply area assign assigning authenticated authentication available b benefits c chains child com combine companies company complete computer consequently describe disables divisions domain domains down drop enter enters explain explicit external filtering foreign forest forests format functional global grant green group groups half handy her implicit includes individual jill kerberos level limit local log logging logon members memberships merge methods name option organization permissions pre present principal requirement resides resource resources root routing running sam sanao sections secure selective separately server sid sp1 sp4 specifies suffix therefore third transitive transitiveness trust trusted trusting trusts universal upn user users widest windows works xp

Selective Authentication

able access accessed accessible account addition allowed appropriate authenticate authenticated authenticating authentication being belong belongs better chosen com computer consequently control controller controllers convenient conversely default direction domain domains domainwide error extended external firewall foreign forest forests forestwide get gets grant group groups heavily inherit inheritance jack local logging machine member modes normal normally object objects onto organization organizations ou permission permissions properties protected required reside resides resource right sanao sanaoeurope seeing selective separately server servers she specified specify srv02 srv02's tip trust unless user users widely visible workstations

SID Filtering

1 1 address asp attack background brief bulletin com control countermeasure discusses domain elevation explain filtering foreign forest giving http impact issue local microsoft ms02 nt prevents privilege security sid technet threat type windows www

Background of SIDs and SID History

account acls authentications consists deleted domain existed explained extremely forest get group her history id identify identity likely matches meant memberships migrated migration necessary old once part permissions previous principal principals property purposes relative resulting retained retains rid scenarios security she sid solution temporary unique user user's world

The Possible Attack

account add administrative administrator administrators anyway applies attack authentication becomes belongs breaking connects considered counterfeit counterfeiting domain during elevation enterprise especially external foreign forest forests gain he highly his history local necessarily never normal nt organization perform permissions place practically present primary privilege privileges problem property requires risk say scenario sid sids single someone spoofing trust trusted user windows False

The Countermeasure

across authentication comes disables domain effectively filtering foreign forest functionality history local match part received remove removes request risk sid sids spoofing trust trusted

The Impact

15 access accounts across again anymore applies assign com consider contains disable domain done enable enabled except filtering foreign forest granting group groups half harm history hurt hurts identities illustrated intruder's likely listed losing match memberships migrated multidomain necessarily normal obviously often ok permissions prevents problem problems purposes rd regardless remove requires resides resources root sanao sanaoeurope scenario sid things time transitive transitivity trust trust's trusted trusting trusts universal user users won't work works wouldn't

Controlling SID Filtering

check com command commands creating default depending disable disabled domain enable enabled external filtering forest get netdom notification part preceding quarantine respectively sanao sanaoeurope sid stating support trust trusted trusting turned windows yes

Name Suffix Routing

access apply authentication block ensure external feature filtering foreign forest legitimate local methods name previous routing securing selective sid suffix trusts unwanted

Blocking Unwanted Access

16 17 18 access add added administrator appropriate asterisk block blocked child com configuration contains created creation default disable disabled displays domain domains enable enabled exceptions exist exists foreign forest granted group groups illustrates individual individually latter level local log manually member modify name names net nonconflicting nor ones out pages parent part parts permissions practice prompted properties rd remotely resource resources route routed routing sanao sanaoint script settings she shown snap specified specify still subordinate suffix suffixes term therefore think time top tree trust trusted trusting trusts unique upn user users valid why visible words workstations

Ensuring Legitimate Access

10 11 12 13 14 15 16 17 18 19 21 2003 243955535 469933409 632508713 800657386 818466588 899519789 1021733379 1151220268 1200319115 1550387488 1578890251 1770414764 1802320308 1906473553 1998507016 -- access accident active actually adding admin advanced affected again areas b basic boston c cloned com command competition conflict conflicting conflicts connecting consider contain contains controllers corp directory disable disabled disabling dns domain domains enable enabled essential exclusion extremely fine forest forests former happen hierarchical hurt identical inside latter listed local log loses marketing matching name names namesuffixes naming net netbios netdom nonblocked notes notice now occur occurs ones option output outside parts point preceding produce rd realize record remove rename renaming resources routing s sales sanao sanaoeurope sanaoint saw screens server shown sid sids snap special specify status steps still subordinate suffix suffixes superior support sysprep togglesuffix trust trusts type unlucky upn users windows works

Managing Domains and Forests

chapters discussed domain examine familiar focus forest manage management multidomain now ready single structures tasks various

Managing Trusts

able access account active actually ad2000 administrator administrators allows area assign automatically child column combine complete consequently created creating describes direction directions directory discussed domain domains duplicate enable explicit external forest forests general group having installed kerberos kind manually memberships non nontransitive nt opposite owners parent path permissions purpose purposes realm realms relationship relationships remaining reset resides resource resources root seem shortcut shorter snap specific structure think tightly time transitive transitiveness tree trust trusts type types typically user users verify versa vice windows work yes

Trusted Domain Objects

0 0 10 20 40 80 2000 active actual ad2000 ad2003 authentication being bit child comment computers computing container conveyed corresponding cross dce describe differs directions directory disabled distributed dns domain domains downlevel enabled enablesidhistory environment except external files filtering flatname forest group's header help hexadecimal incoming internal kerberos line listed mainly meaningful mit name netbios netdom newer non nontransitive nt null object objects open option organization outgoing parent partner platform present properties property quarantined realm refers represented reside root sdk selective shortcut sid specification specifies support system theoretical tree trust trustattributes trustdirection trusted trusteddomain trusting trustpartner trusts trusttype type uplevel valid value values version windows

Viewing Trusts

18 19 20 2000 0x20 actual adsi advanced appear attr being com command completed computers container contents controller d direct direction displays dns domain domains edit enables flags forest hierarchy hr inbound includes incoming index indicate launch ldp least line linuxrealm listed locate manage marketing mit mode names native netbios netdom nltest non nt object objects outbound outgoing output parent primary properties property query rd right root running sales sample sanao sanaodc1 sanaoeurope sanaoint screen security server shot show shown snap specific successfully support system tab tabs target tool trans tree trust trusted trusteddomain trusting trusts trusttype turn type types uplevel users ways view viewed windows words

Validating Trusts

20 21 22 23 24 2000 2003 $ … abstract account accounts addition administrative administrator always appears asterisk attempt box boxes button cause causes channel channels character check checked choose chose claim clicking cn com command commands complete computer confirmation connected connections consequently contact container contains controller controllers credentials current dc2 dc2's dcdiag defines dialog discussion display displays disruption dollar domain domains enter entire error established everything exact examples exists failed found get gives hand happen harm help incoming interdomain joined latter left line lines local making manually member message name names netdom network nltest normally nositerestriction nt offline ok option options otherwise outboundsecurechannels outgoing output part partner password passwords path pd preceding problem prompted provide query querying rd real receive refers repair repaired replacing reset resetting reside result right run s sales sam sample sanao sanaoeurope sc secure server services show shown sign sites snap something source specified specifies stands success successful successfully support talking target test testdomain tests therefore thing think tool trust trusted trusting trusts try trying type types ud user username users v validate validated validation warning verbose verify verifying version windows won't words work working works workstation wrapping wrong xp

Creating Explicit Trusts

18 19 25 26 27 2000 2003 abc able access account achieve active add addition admin administrative allow allows alone alternative always anywhere appear appears ask asks assumes authenticate authentication away before being better cases catch chance check choose clicking com command commands confirm confirmation consequently contains continue correct corresponding created creates creating creation d depends described didn't differences direction directions directory domain domains domainwide easier ed else ends enough enter establish established explicit external feel filtering forest forests forestwide four frequently functional get goes graphical hard help include incoming ing interface issue kerberos knew launch level lines linuxrealm local lower manager message mistyped multiple name names necessary netdom nontransitive now nt once open opposite option otherwise outgoing page pages partner password perform pop possibly preceding presented previous properties provide pt rd realm remember resource right root routed sales sanao seen selected selection selections selective server shortcut showed sid similar slightly snap someone specify speed state stating step suffixes tab take target therefore thing time times tool topics transitive trees trust trusted trusting trusts turn twoway type upn user username users v5 valid validates verify versa version very vice windows wizard worry wrapping yes

Foreign Security Principals

add added advanced always authenticated automatically computers container contains corresponding deleted domain domains external foreignsecurityprincipal foreignsecurityprincipals forest group id known member members name object objects placeholder placeholders principals refers remove represent security sid snap turned users visible

Moving Objects in a Forest

2003 active admin administrator admt aforementioned allow allows asp available bindview buy bv cd cfm com command commercial computer computers contacts copy default diradminmig directory dma domain domains dsmove explain fastlane folder forest forests group http i386 index inside line migrate migrating migration migrator move movetree netiq object objects part perform products profiles quest related roaming server snap solutions support tasks tool translating trusts types user users users' version windows works www

MoveTree Features

access adds along being computers container contents controller domain during forest group guid guids individual interrupted left links lostandfound maintains master memberships move moved moves movetree name object object's objects objects' old ones operation orphan passwords performance permissions policies policy principal property re remove restore rid security sid sidhistory sids similar single slower source special specific tool user users users' yet

MoveTree Limitations

2000 accounts active actual admt build builtin channel child class computer conflict conform consequently containers containing controllers corresponding cut directory discuss domain drawbacks duplicate effect empty feature file foreignsecurityprincipals functional global groups higher history includes less level limitations local logon longer lostandfound member members move moved moves movetree name names native netdom nonempty object's objects obvious options otherwise out outside password policies possibly problems profiles property remaining requires restrictions schema scripts secure servers sid specific system systemonly target universal user users value whose windows won't work workstations wouldn't True

Moving Groups

28 29 able add added addmember adds approach back bat batch calls catalog cause command convert converting document domain domains easiest easy file files get global group groups issue latter line little local member members modifying move moved movetree myggroup nature necessary net option options parameter peak presented previous relatively remove renaming replication resources resulting shouldn't shown special stated steps take therefore txt universal user writes

Using MoveTree

actual addition administrative aforementioned anything appears becoming causes check chk com command continue controller controllers correct credentials d dc ddn destination distinguished dn domain enough errors fault file finished four interrupted lines logon main master move moves movetree names network object operation option optional options ou output p password perform powerful pre prevent problems prompted read ready renames requested rid run s sales salesdc2 salesmen salesrep sanao sanaodc1 sdn source specify startnocheck succeed successfully target trial u unavailable username wrapping

Managing Groups and Permissions in a Forest

assigned directly domain forest group memberships multidomain often permissions users via

Predefined Administrative Groups in a Forest

30 active addition administrative administrators admins admins' allow assigned blocked child consequently control default direct directly directory domain domains effective enterprise entry except exceptions explained forest full get gets group groups illustrates inheritance member memberships multidomain object objects out permission permissions predefined remove revisit rights roles root showing things topic

Predefined User Groups in a Forest

add anything apply authenticated default describe domain figures forest groups illustrate interdomain local memberships multidomain permissions predefined recall single user users various

Group Member and Permission Assignments in a Forest

31 assigning candidate catalog choose com contacts contain contains directory distribution domain domains entire forest get global group groups holders illustrated local members never objects ou permission permissions potential retrieved sanaoeurope sanaoint selected selecting tree trust whole

Referrals and Cross-References

2000 active application base boundaries calling chase chasing client close component computer concept configuration connected contain contexts continuation controller controllers couple decide directory discuss distinguished divided dll dns domain domains equal error forest hand includes ldap multiple name naming necessarily normally object objects operating operation operations otherwise partition partitions place plus pointing points references referral referrals referred request requested requests resides returned returns s sales sanao schema search searches sends server servers single span system takes turned user windows wldap32 yet zones True

Cross-Reference Objects

32 access active add addition address administrators always application automatically base bit bits child client cn com comparable configuration connect consequently container context controller controllers corresponding corresponds created cross crossref dc define defined describes description directory distinguished dns dnsroot domain domains equal external find forest forestwide having hex host includes indicates installed internal ip knowledge known ldap locations marketing match mentioning msds name naming nc ncname non normally ntds object objects otherwise out outside parent partition partitions point points properties property purpose query rd receives reference referenced references referral referrals referred replica represents request requests reside resides residing resolved resort right root roottrust sales sample sanao sanaoint schema serve server settings seven six specific specifies structure subsequent superior superiordnsroot systemflags together tree trees trustparent value worth

Creating External Cross-References

able access active addition address adds administrator admins allows appear appropriate boston calendar calendarserver child clients cn com configured contact contiguous corporation correct corresponding creates creating cross crossref data dc define defined defines describe descriptive directories directory distinguished dns dnsroot domain enterprise enters exists external forest former generated her hosts internal ip latter ldap linux long members microsoft name names namespace ncname necessary needing noncontiguous object objects organization ou outside partition partitions properties property queries refer reference referenced references referrals referred registered results root sales sanao serve server servers seven specify subsequently therefore trust typically under user users while workstation

Managing Application Partitions

2003 322669 access active ad2000 addition alternative application appropriate article base catalog command commands control controller controllers creates data directory domain exact excellent forest global knowledge limitation manage management microsoft ntdsutil partition partitions place primary query refer replica replicas replicated replication reside s scopes server specify store submenu windows

Delegating Domain Installation

10 28 abbreviate abbreviation able access active actual add adding addition address administration administrator administrators admins adsi aforementioned alloweddnssuffixes allows alone always appear apply appropriate asked assign assigned became before being binding bold box button c capturing centralized ch child clear cn com command communicate computer computers configuration connect connected connections consequently container contains context control controller corresponding course created creates creation creations creator creators credentials cross dc dc1 dc6 dcpromo decentralized delegate delegating delegation demonstrated describe described detail dialog directly directory disconnecting dns domain domain's domaindnszones domains during early easy edit enabled enables ensures entering enterprise enters environment exist explained extra fail forest forestdnszones found four fourth full get gets global group he headquarters his host included incoming install installation installed intend ip ipconfig jackb joins known lab ldap leaving letter letters line lines listed locally locations logged logically long longer ma manage management master match meaning member members membership modifications modifies modify monitor move msds n name names naming natural necessary network ntds ntdsutil object objects once opens option options organization organizations others our owner packets panel parent partition partitions password perform performed permission permissions personally ping place point preceding precreate precreates primary principal process promoted promotion property purpose quit rd read record reference refers registerdns registered registration remove replicate replicated replicating replication required resides resolved result root run running runs s sales sample sanao schema secure security server servers service services settings ship shouldn't site source specify stand starts status step steps suffix suitable summary sure synchronization system take technique terminal test tool topology travel trusteddomain trustee turn type unambiguous under universal unless unlike until updates uppercase user wait value various windows word works yet

Delegating Domain Controller Installation

2000 2003 able absolutely account active add address administrator administrators admins appear apply assign assigned assigns authenticated before ch child cn command communicate computer computers configuration consists container control controller controllers converted creator dc dcpromo default defines delegated delegating delegation directory domain during explain forest full get gpupdate group he highly his incoming install installation installer installers installs ip jack joins local locally locations log logical logically makes manage member members microsoft minutes modifications modifies monitor move moves needs ntds object objects once option ou our owner partitions perform performed performs permission permissions person process promote promotion purpose read recommends remaining remote remove replica replicate replicated replicating replication required requires right root runs sample scenario schema server servers service services settings ship site source step steps synchronization target terminal time topology travel trust trustee type under universal unless until user wait windows write

LDAP and Searches

access active directory explain implement ldap mechanics obviously place searches show takes

LDAP Searches

11 33 attributes base baseobject beneath boundaries child children client com contacts context controls criteria cross dc default defines derefaliases described describes description discussed distinguished distinguishedname domain downward eight elaborate evaluated excluded explained extended filter filters four givenname identified identifiers identify illustrates immediate implemented included includes itself ldap listed main matching meet name names naming object objectcategory objects oid oids onelevel operation operations option options parameter parameters parent partition pass perform person properties property queries query remaining request result retrieves returned root sanao scope scripts search searched searches selected sends server sizelimit sn specifies specify starts subtree targets timelimit tree typesonly users whole whose

Property Lists

canonicalname comma constructed contains correspond empty explained explicitly form imaginary include included ldap ldp multivalued names nonconstructed oid oids otherhomephone properties property quotes range ranges request results retrieves returned returns search seem separated specify therefore tool values ways work

LDAP Search Filters

0 0 0 10 11 13 28 29 30 30000 2a 5c achieve active actually added addition allows almost among ampersand approximate around ascii asterisks attribute attributes author b backslash base beginning belong better brown bruwn byte bytes c categories category character characters child class classes column combined comment common complex computer computers conditions consequently consists constructed contact contacts contain contains correct corresponding criteria d defined describes detail directory e2 efficient elements ends equal equality equals escape exact examples exceptions exist exists explained expressed extensible fact filter filters final follows form format greater here's hex hexadecimal identified illegal implementation include included includes indexed inetorgperson initial insensitive inspect item k layout ldap least less letter letters logic lowercase matching meaningful meanings meet missing name names needed nonconstructed object object's objectcategory objectclass objects opposite organizationalperson otherwise outer parentheses part pass permutation person presence present presented printable production prop properties property reads remaining requires result resulting results row ruleoid rules salary sample schema search searching sequence sequences sets side sign simple sn son space special specific specifies specify specifying stands starts string substrings support supports surname syntax syntaxes therefore thousands together type types uppercase user users value values wanted various while wildcard z zero

Specifying Values

0 0 2 10 11 15 16 20 24 26 29 42 59 77 79 90 147 200 483 650 803 804 840 2001 8000 30000 113556 2147483650 20010226132000 20010226152000 0z 2f 4f a2 able accepted access active add address ahead allowed applies apply arithmetic ascii attributesecurityguid b ba bd belong binary bit bitwise boolean boston brown byte bytes c0 c2 calculator cf changed cn code com common comparison convert converted corresponding created d0 d3 data dc decimal defined denoted described description descriptor didn't differential digits directory display distinguished distribution dn doing e277bd e2w enables entire enumeration escape examples expand explaining expressed extensible far february filter finland follows form format former forms general generalized get global gmt group groups grouptype guid guids hex hexadecimal hhmm hours includes integer integer8 integers jack large latter ldap letters light link local look matching member messy name names normal nt objectcategory objects octet oid operators optional ou person pm point practice preceding presentation principles properties property replica representation requires resulting rightsguid rule ruleoid rules salary sample sanao scenario scope search seconds security seen sequences sheds showinadvancedviewonly sid single sn specify ss string strings study supplied supports syntax syntaxes technically tenths therefore time topic type ugly unicode uppercase utc w value values wanted various vbs whencreated wildcard windows year yet yymmddhhmmss yymmddhhmmssz yyyymmddhhmmss z zone

Multidomain Searches

11 34 37 42 43 389 3268 able allows approach base catalog chasing child client com communicate communicating consequently context controllers covers dc direct discuss distinguished domain domains effective empty examples extending feature figures find forest fulfill further get global large ldap limited located much multiple name naming network nonexistent normal normally object objects option options part partition partitions perform port query reach referral remote sanao sanaoint search searches searching server servers site sites special specify standard stores time travel trees turn whole world you're

Continuation References

2251 authenticates base brown browns child client cn com configuration connected connects contain continuation cross dc dc1 dns documentation domain domains empty exist exists explained find follows found immediate ldap learns matching microsoft name nor object objects partition partitions performs point points process queries query reference references referral referrals request residing result return returns rfc sales sanao schema scope search sends server serves slightly specified specifies starting steps subordinate subtree term unable url urls users wants

Search Tools

11 34 35 36 37 2000 2003 2849 3268 access accounts active actually administrator administrators adsi advanced allows arguments back base batch box browse bullets catalog chasing child clicking com command common computers consequently container containers contains context corner criteria custom data dc dedicate define defined depending described description deserves dialog direct directed directory discussed dll domain domains dsquery easier edit effectively enable enables enter entire entries exchange exist explained export exported exporting feature file filter filters find forest format found get global graphical hand illustrates importing include includes individual interchange interface issued item ldap ldif ldifde ldp left line listed longer meaning meet menu mode modifications my name names network normal now object objects ok open opening openquerywindow opens options ou our output pane partition perform performing places properties provides put queries query referral remove reside returns rfc right rundll32 sanao sanaoint saved scope scripts search searches selecting sensitive server show shown similar slight snap specifies specify stands structure t tab target task terminology therefore third time times tip tool tree turn txt type upper users v various ways verbose version very view windows visible word xp

The LDP Tool

38 39 40 41 42 43 389 2000 2003 3268 access add addition administrative administrator adsi again allows anonymously api appears attributes authenticate authenticated base basic bind binds box boxes briefly browse button c catalog chase chasing child children choose clear com communicate compare connect connected connection continue copy covered covers credentials ctrl current dc delete described dialog didn't disconnect discussed displayed displays distinguished dn dns domain domains double empty enable enables enter entered establish establishes exe explain far file filter forest front functions general generated get gets global hand identity illustrated includes indicates initiate launch ldap ldp leave listed local matching menu modify n name native navigate navigation nonconstructed nonexistent normal object objects often ok open opens operation operations option options output pane paper parameters password paste paths perform performing permissions point polished port preceding press previously print properties property proved queried queries query reach referral referrals rerun result returned right rootdse run sanao sanaoint save scope search searches searching selecting server session show shown single specified specify standard started starting steps string support switch tcp time tool transfer tree trees turn turned type username users v value values various we'll versatile very whatever view window windows visible words

Extended LDAP Controls

10 12 16 319 417 473 474 521 528 529 619 800 801 805 840 841 970 1338 1339 1340 1413 1504 2000 113556 113730 active actually add added administrators allows along applications article asq attribute aware base before behavior behaviors beneath capabilities catalog chunks client com commit commits container contains control controls creating cross data dc delete deleted deletion description descriptor developers direct directory disk distinguished dn dns domain efficient enabled enables error exists extend extended flag flags forest form former frequently generate global group guid http includes including indicates initiated inside kind latest lazy ldap limited listed listing long made makes member members microsoft modifies modify move moved msdn name names never nonexistent notification notified object objects occasionally old once online operation operations paging partition pass perform performing permissive previous properties property query recently refer referrals register renamed request requesting respond responding response results retrieve retrieves return returned returns rootdse scoped search security server service short show side single sort sorted sorting special specification specify statistics supported supportedcapabilities supportedcontrol supports synchronization talk tells tombstones tree trying wait value values vendors verify version whole view windows virtual vlv workstation written www yet

Virtual List View

2003 addition allows application attribute browse client cn contact contacts contains control default feature format item keys large ldap ldp limited mail menu order paged provides responses results retrieve return segment server sort sorts specific specify starting test tool useful very view windows virtual vlv xp

Listing Deleted Objects

44 45 417 840 2003 113556 active add addition alternatively attributes back base basic bound box button call check com connected container contains control controls correct corresponding couple dc deleted dialog domain enables explain extended field fills filter functionality get hidden identifier isdeleted ldapv3 ldp load long names object objects oid ok opens operations options output parameters part perform predefined requires resulting return run sanao scope screen search server shown special specify subtree sure times tombstones type value version windows

Restoring a Deleted Object

46 2003 addition admins again allows application appropriate attribute attributes automatically backup before browse call capability characters check child class clipboard cn consequently container controller converted copy delegate delete deleted deletion did disabled distinguished dn domain elapsed elements entry exist existed explained ext extended feature field fill forever get gone good granting group guid he illustrated include initially isdeleted lastknownparent ldap ldp least lifetime limitation mandatory meant member menu modify name normal object objects obvious ol' operation optional ou ou's parent partition paste perform permission previous programs provide rdn reanimate relative remove replacement requirement restoration restore restored right root run s sales server she something special steps still synchronous test tombstone try user value windows yet

LDAP Data Interchange Format

2849 active along back command content created data defined describes directory entries export exported file files format import interchange ldap ldif ldifde line modifications objects performed property purposes rfc slightly tool type types typical values

LDIF Files to Describe Content

123 127 321 0a 0d 1970s adding addition apart ascii base64 beginning binary björn blank book borg boston break brown carriage character characters cn code colon colons com comment comments consecutive contain content contents continue dc denoted describing description dn é empty encoded etc european except exporting expressed famous file folded generate givenname green illustrate importing including jack jill ldap ldifde less line linefeed lines multiple name object objectclass objects ones order otherhomephone ou page pair player please pound production properties property qmrdtnju quotes remaining requires return s safe sample sanao separate sign sn space starting starts subsequent sure tennis thumbnailphoto unsafe user value values visible xyzxyz ä ö

Base64 Encoding

24 63 64 alphabets always base64 basic bit bits byte bytes character characters divided encoded encoding equals follows four lowercase mapped multiple numbers original plus possibly results sections sign signs slash slashes string uppercase value values works z

LDIF Files to Describe Changes

13 14 123 456 457 2000 2849 active add addition adds allowed along always appear applied applies article automatically base becomes block boston brown changetype choice choices client cn com compared contain content controls cover dc defined defining delete deleted deleteoldrdn deletes describe describing description directory discussion dn element exhaustive extended extra file files fill four fourth further givenname handling his hyphen include individual jack john knowledge latter ldap ldif leave line lines london mandatory manipulate microsoft moddn modify move moved multiple multivalued name newrdn newsuperior now object objectclass objects office old omitted once operation operations optional otherhomephone ou passwords perform phone physicaldeliveryofficename present previous properties property q263991 rdn refer referred rename renamed replace requires rfc right s samaccountname sample sanao separate server showing something special specified specifies specify started stays user useraccountcontrol userprincipalname value values windows


active administering along aspects chapters come consider content core covered deploying directory explain group learned logical management optimal organization plan planning policy previous skills structure topics you've

Chapter 7
Group Policy

Group Policy Concepts

0 128 2000 2003 326469 accomplish achieve active actually ad2000 addition administering administrator administrators ads allow allowing almost along apart applications apply appropriate architecture article assigned assignments associated automated autoprof available backup base being better bit break brings built bulk care categories ccm centralized centrally choice client com command complexity complicate components computer computers configuration configure configuring consequently consideration considered console contain container contains control controllers cost coupled created creating cse data decentralized default defined deploy deployment developed difficult direct directory divided domain download downloads due easier editor effect effectively efficient efficiently enable english environments except exists extend extensible extensions facilitates feature featurepacks fewer file filtering fixing former four framework french functionality functions general german gives globally gp gpmc gpo gpoe gpos graphical group groups guids he help helps hotfix http identified identifiers implies improved improvement included includes incorporating independent individual infrastructure initiated initiative install installation installed installing intellimirror interface interpret introduced introduces intuitive isv japanese kb kit knowledge lack language languages learn least length line linked links literally lives local locally location log logon logs loosely lower machine main maintain maker making manage management managing manner manually matters members method microsoft microsoft's minimum minutes misleading mismatch mmc msc net networks nonlocal nt object objects obvious opening operating order otherwise ou ownership pack packs particular partition password perform periodically permissions pervasive planning platform policies policy previous primarily primary prior process processed processing products professional rather read receive recommend recommended reduce refer refers related relationship remote replicating reporting requirement resource restore restrictions resultant right ris rsop running runs s scripting scripts securing security server servers service services settings setup side site slight snap software solution sometimes sp4 specific stage stages starts still storing structure suggests supports system systems tab take tasks tco technologies term terms time tip together tool topics total troubleshoot troubleshooting understand unique update user user's users' various warning welcome vendor version whereas windows windowsserver2003 within workstations www xp

Tools for Managing Group Policies

2000 2003 access accessing accomplish acl active add adding addition adds administrative affecting again analyzing appears aspects available backing box browse button completely computer computers configured console container control controllers controlling copying creating default delegate delegating delegation deleting description desired dialog directly directory disabling disappear displayed distinguish domain easy editor enables enabling explain extended extension filter format functionality gp gpmc gpo gpos group groups html importing including individual inheritance ins install installed installing integrates intend interface intuitive link linked linking links makes manage management managing members menu method mmc msc object objects open opening operations order ou ous pages perform permissions policies policy processing properties property remains renamed report reporting restart restoring right run scripting searching seems server services settings side since site sites snap storing system tab tasks template touts typing under unless unlinking until user users window windows wizard xml xp

NT 4.0 System Policy Compared to Windows 2000/XP/Server 2003 Group Policy

72 100 130 140 450 780 800 2000 2003 actions active adjustable administrative again ask automatically binary command compared computer consistent contains control controllers default defined desktops differences difficult directory domain down during efficient ensure feature file filtering filters focus folder found functionalities functionality global gpupdate group groups had improvements initiated intellimirror intervals larger log logged logon logs made major making management manually n netlogon network networks newer night nt ntconfig ntfs off often operating ou part periodic permissions pol policies policy previously primarily problem process processed purpose read registry removed restrict restricting retains scope secedit security server servers settings share shared shut site specific starts state subjected system systems tattooing templates user users usersí various vast via windows wmi workstations xp yes

Group Policy Contents

15 97 115 136 145 316 340 359 467 468 2000 2003 administrative applications available categories category centrally columns computer computers configuration configure contents counted default define defining describes details discuss domain editing editor exist explorer figures folder global gpo group individual installing internet least logoff logon main major numbers numerous object opened pack pane policies policy purpose redirection registry related removing restriction ris rows scripts security server service settings shutdown snap software sp1 sp4 startup summary system templates time type upgrading user users values various versions windows visible xp yes

Computer versus User

administrators afterward applications applied appropriate assigned belongs computer computer's computers conflicts controllers define defined describe detail domain exception greater group individual installed intervals logs loopback matter others periodic policy processed processing rule security sense separately settings specify starts user users wins you'll

Software Settings

2000 2003 9x active add addition administrator alternative appear applicable application applications asset available bandwidths centralized centrally changed compatibility computer computers connections consideration control cycle define deployed deployment developed directory discuss ensure enterprise environments files format functionality group house installation installed installer installs introduced inventory lack larger legacy letter life limited log logging makes manage managed management mandated me menus method methods microsoft's middle modifications network nt off offer operating optimal optional packages panel patches periodically place policies policy possibility previous processed processing programs provides rather redeployed redeployment removal remove removed removing reporting required result routines saved scenarios scheduling sense server service settings setup shortcomings shortcuts sms software solution starts storage system systems take takes think together typing unless updated upgrade upgrades user's users users' version versions whole windows word workstations


2000 2003 access active added administer administration alone alternatively batch better built computer computers console controllers convenient de default define defined defining directory domain especially facto files functionality gpedit group hidden host interpreted jscript large legacy local logoff logon method mmc msc netlogon networks nt offers ou policy rather recommended run script scripting scripts server servers settings share shutdown snap stand startup still store targeted user vbscript very windows workstation workstations wsh xp

Security Settings

2003 add adding addition alternatively analysis analyze appropriate available become bussys cd centrally com comes command compare complicated computer configuration configurations configure configuring consists console contains controlled created default defined download easily editor empty environments especially extension files find ftp gpo gpos group guide illustrates import inf ins line manager manually menu microsoft mmc modifying nine node notepad nt object pack perform permissions policy ported public quickly result right roles sample scenarios scm scts secedit security server servers service settings ships site snap subfolder systemroot template templates tip too tool toolset undefined various web windows winnt

Account Policies

10 2000 2003 259576 $ account accounts active addition administrator administrators alone appear apply article automatically base categories characters com complex complexity computer configured constructing contain container content default defined digits directory dll doc documents domain effect effective english exe expire force full gpos guest had http include install kerberos kit knowledge level linked local lockout logging logon lowercase manually member microsoft name newer nonalphabetic nt off option options ou pack passfilt passprop password passwords policies policy readiness registry remain renaming requirement resource security server servers service settings site stand technet times tip tips types unicode uppercase user's users users' value web windows workstation workstations www z

Local Policies

10 17 36 39 40 67 95 567 2000 2003 9x ability able access accomplish account accounts action actions active actually adextension administrator advanced allow alone alternatively always application applies asp assignment attempt attempts audit audited auditing audits authenticate authentication available basic being blue bulletins c0000244 card carries categories caused causes cd changing channel client clients collect collecting com communications computer computers configure connect connecting control controlled controller controllers current data default define defined defining detail digitally directly directory disabling discuss distribution domain down drivers effect enable encrypt encrypting evaluation event events extension failed failures file files fills find folder folders former full generate gpo granular group grouped grown guest halt help http id immediately implications importance include includes including incorrect install installing introduces keys kit lan latter leave legacy level local locally locking log logged logging logon logs lower management manager member message microsoft network networks news nine nt ntfs ntlmv2 object objects off online operating operation option options passwords place policies policy prevent production properties' rather receive recommend recommends reference regarding registry relax remember removed rename required resource rights sacl screen secure security seen server servers service settings seven shut sign signing similar site smart smb sp3 specify stand stop successes successful support supports system systems tab takes tasks time too trails turned turning type types unable unless unsigned user users validate warning windows windows2000 written www xp

Event Log

2003 128mb 16mb 512kb access addition application computer controllers default define defined domain during event file finally full guest handled increased local log logs maximum policies policy properties restrict security server settings setup size sizes system various versions windows

Restricted Groups

2000 add belongs computer computers control controllers course default define defined domain empty enable group groups indicate leave local member members membership policies policy restricted s sp2 sp4 starting windows xp

System Services

administering appear automatic automatically category computer controllers default define defined disabled domain during gpo group installed local manual pause periodic permissions policies policy rather refresh service services started startup state status stop system upon


audit computer controllers default define defined domain keys local permissions policies policy registry settings

File System

audit computer controllers default define defined domain enables file files folders local objects permissions policies policy settings system

Wireless Network IEEE 802.11

11 802 2003 ability ad allowed along authentication becoming brings common company computer controllers days default defined domain encryption hoc ieee local location network networks obviously policies policy preferred server settings since specific ubiquitous windows wireless wlan

Public Key Policies

2000 2003 ability able account add added administrator agent agents alone authorities authority automatic automatically available away ca cards cas certificate certificates certification communication computer computers controllers ctls data decrypt default define defined delete deploy deploying deployment domain edition efs enables encrypted encrypting encryption enterprise exception exist extension feature file files folders generated group ipsec key link local necessary needed network opens operating order ou page pairs policies policy public recover recovery removed request required requires residing resources root secured securing server settings signed smart specify stand system trust trusted types useful user users users' vacation web while windows xp

Software Restriction Policies

2000 2003 addition administrators allow allowed allowing application applications applied apply applying assigned authenticodeenabled automatically available calculated certificate codeidentifiers computer conservative controllers data default define defined defining details dialog directory disallowed doing domain double effect enable enclosed enterprise environment except exempt explicitly explorer file finally four group groups hash having highest hklm include installed installer internet introduced key kit known levels local locate microsoft object ok order pane path paths percentage policies policy precedence priority prohibit prohibiting publisher publishers regedit registry resource restart restriction restrictions rule rules run running safer safers security selected server shown signs software sp1 specific substitution take takes terminal tool trusted turn turned type types unrestricted useful user users value windows xp zone zones

IP Security Policies

applicable assigned authenticated communication computer computers data default defined domain effect enables encrypted environment ip ipsec local lot none ones policies policy predefined result samples security settings

Administrative Templates

11 12 13 16 17 18 19 20 25 30 33 34 39 40 53 56 64 71 91 93 94 110 242 243 344 352 475 556 596 737 800 1003 2000 2003 214752 8mb 9x ability access accessing accomplish according accordingly acquisition active add addition adm administering administrative administrators aer aer1033 alt alternatively always apart appears application applications applies apply article assistance automatic available become behavior bit blue box branch browmon browse browser browsers browstat buttons candidate capability categories category causes causing center centrally changed characters check clear clearing clicking client com come common communication compared compatibility compatible completely completion complex components computer computers conf configurable configuration configurations configure configured configuring congested connection connections contain contains content contents control controllers controlling controls crash created creating criterion cse ctrl current currentversion dc default define defined defining del deployment description deselect deselecting desirable determined developed dfs dialog did digital directories directory disabled discourage discuss displayed displaying distinguish dns domain dot download dynamically easy edit editor editors effect election elections else enabled enabling enforce enhanced error errors exactly excel excluded exist explain explorer extended extension familiar far file files filtering firewall folders format four frequency frs fully functionality going gpo gpos graphical group grouped grown growth guide had happen help hibernate hkey home http icons ie ieak ieesc iis illustrated illustrates include included includes increased individual inetcorp inetesc inetres inetset inf install integrated interface internet intranet introduced introduces kb keys keywords kilobytes kit largest learn least leave level license limits load loaded loading local locate located locations locator logoff logon machine maintains manage managed 
management master media mentioned menu messenger microsoft modified modify modifying my n nearing neighborhood netbios netlogon netmeeting network networking networks newer node nodes notepad nt ntp object occur off offering office operating options order originals outside page parser part participation participationinbrowserelections party password places platform playback player pol policies policy portion power preference preferences preferred prevent previous previously principle problematic processed processes processing production profile profiles programs prompting publish purpose qos read reason recommend records red reference registry related release remote remove removing renamed replication reporting require requirement resource resources restarts restore result resulting resume right rights roaming roots running sample saving scenario sceregvl scheduling scripts sdk searching security seeing selected selecting server service services settings shared show shutdown simply since site size snap snmp software soliciting somewhere source sp1 sp2 sp3 sp4 specific specified spreadsheet starting starts startup status stick still suffix support supports suspend switch sysprosoft system systemroot systems tab taking target template templates terminal test third time tip tool top total totaling try ui undefined under unicode uninstalled unnecessary update updated updates upgrades upon user user’s users users’ value values wan various warning web version versions while view windows winnt wins wmp wmplayer words writing written wuau wus www xp yourself zones

Other Policies

categories define explorer folder installation internet maintenance policies redirection remote services users

Folder Redirection

10 2000 2003 access according achieve active advanced appends application appropriate available avoid backed backup belong belongs better buttons cause centrally checked computers consequently contains contents control copied copies correct created data default define defined delays deploy desired desktop determine determined directory documents down ease effect enables ensure environment everyone exist exists explorer feature file files folder folders followed follows four full group groups had help home include internet introduce introduced involved large least local location locations logging logon manually matching membership menu moved my network ntfs off online options order ownership path paths perform permissions physically pictures policy problems profile profiles rather read rearranging redirect redirected redirecting redirection redirections remains replace replicating roaming root s security separately server settings shadow share shared something sp1 specified steps subfolders systemdrive target temporary time tip too unc under user user’s username users users’ verified windows xp

Remote Installation Services

2000 2003 active adding addition allowed applications choice choices computer configuring custom denied deploy dhcp directory dns during four he installation installed installing operating operation permission remote requires restrict ris screen seeing server services settings setup starts system systems user windows xp

Internet Explorer Maintenance

2000 2003 accomplish administration administrators advanced available browsers categories centralize clicking configuration contents corporate creating enables exception explorer favorites gpo ie ieak initial installation internet kit maintenance mode networks once packages periodically preference processed proxy right role security selecting server sets settings still task thereafter time under users’ windows zone

Group Policy Objects and Links

affect choose common computer control domain examine explain gpo gpos group inheritance link objects ou policy pool priorities site user

Group Policy Objects

11 12 13 14 2000 2003 10009 65545 00c04fb984f9 016d 11d2 31b2f340 945f aas achieved active actual addition adm admfiles administrative adsi advanced again always applicable application applications applies assignment associated attributes automatic autoprof’s being binary box braces bracket byte bytes changed check checked checking class clicking client cn coded com compared component components computer computers conf configuration console contain container contains controllers copied copies created cse dc decimal default define defined delimited deployment description determine developer dfs dialog directly directory disable disabled display displayed displaying displayname displays distributed documents domain edit edited editing empty enabled ensure entry equals event exist explorer extend extension extensions file filename files filter finally find flags folder folders forest format fpdeploy general gets giving gpc gpcfilesyspath gpcfunctionalityversion gpcmachineextensionnames gpcs gpcuserextensionnames gpcwqlfilter gpo gpos gpt gpttmpl group grouppolicycontainer guid guids hexadecimal identified identify ie ieak illustrated implies important include independent indicates individual inetres inf ini ins instructions interface internet isv kept kinds ldap ldp line linked listing loading local locate logoff logon logs lower machine maintenance maker manage managed manipulating manner match microsoft mmc name namely networks node nonlocal nt numbers object objects occurred open opening order oscfilter party path place pol policies policy policy’s prevent process processed processes processing properties property rather read recently redirection reference registry reliable remoteinstall replication representation required reside resides revised revision ris root sample sanao schema script scripts secedit sections security separate separated separately server services settings shared shutdown side similar similarly site sites snap software som sooner specific
starts startup store stores straightforward structure subcontainers subfolder subfolders support sync syntax system systemroot sysvol tab takes template templates third time tip tool tree trouble under update upper user users value wants various vendor version versionnumber versions whereas view windows virtual visible within wmi wmipolicy wmplayer wuau xml xp

Local Computer Policy

2000 2003 active addition almost apart application applies attributes available beginning bit braces bracket check checked client computer computers configuration constructed contains contents copy created cse database default define defined delimited deployment description directory disable disabled discussed domain effect enabled entry exist explorer extension extensions file files folder folders gpc gpcfunctionalityversion gpcmachineextensionnames gpcuserextensionnames gpo gpos gpt group grouppolicy guid guids hidden icon identify illustrated indicated indicates ini ins local manage member members menu mmc numbers object’s options order override policies policy policy’s processes properties property remember resembling row rows sdb secedit sections security separated server settings show side similar snap subfolders subset system32 systemroot tip user value version versionnumber view windows within xp yet

Group Policy Links

15 999 324949 active afraid alternatively application applied article associated associates bit bottom box builtin buttons clearly clicking computer computers container containers default define defined dialog directory domain domains down effect exceeding getting gpmc gpo gpos group illustrates individual instructions kb latter least link linked links little lower maximum mktg object objects order ou ous plan policy priority read redirecting remain result settings site sites tip top types user users value worried

Scope of Group Policies

16 17 access add affect associated child clearly computer computers contain container containers default defined display displays domain domains forest forests gpmc gpo gpos group illustrated illustrates levels linked management mentioned node objects order ou ous parent policies policy referred right s scope show site sites som sometimes tab tip top user users very


18 access active addition administrative age apply below boundaries characters child client com common computer conflicting consider container containers contains controller default desktop desktops documents domain domains down dramatically effect gpc gpo gpos gpt group illustrated include inherited interface link linked location logon lon london maximum menu minimum modifications nearest object’s objects order ou ous parent password path policy process production receive remains removed restrictions sample sanao security settings similar site slow source span template theoretically tree user users wallpaper

Solving Conflicting Policy Settings

19 2003 administrative available cases categories closest computer configuration conflict conflicting defined displayed editor effect exists explain extended files folders gpos group illustrates including kind left mentioned object offline offline’ policy precedence processing prohibit prohibiting result sample server settings side situation situations tab take template user wealth windows wins xp

Blocking Inheritance

20 21 active ad administrator affect block blocked blocking blue check child children circle computer container containers define demoblock deployed directory displays done exclamation force gpmc gpo gpos group indicates inheritance linked mark menu mouse nothing object objects options ou override parent pointer policies policy properties settings shortcut specific tab user words

Enforcing Group Policy

20 21 administrator apply blocked blocking box check clicking column conflicting define dialog displayed domain double effect enforce enforced ensure gpmc gpo haven’t hierarchy higher icon illustrated inheritance installed level link linked lock lower object options override regardless remains right s sanaocomsecuritysettingsv1 scope selecting settings small tab third u within

Filtering Group Policies with Groups

17 22 able access account aces acl addition administer admins advanced affect affected allow along anyone applies apply applying appropriate assign authenticated available box cause caution checking child clicking cn column comes command computer computers container controllers creates creator dc default defined delegation deny dialog displays domain dsacls editor effect enterprise exact except extended fact filtering finally get gpmc gpo gpos group groups illustrated include inetorgperson inheritance inherited installed itself known link manipulating members mentioned method mode needs never object objects option options order otherwise owner permission permissions policies policy predefined principal properties property read relationship remove required rights scope security settings since special system tab tip tokengroups useful user users

Filtering Group Policies with WMI

63 600 800 850 900 2000 2003 314572800 300mb 3com 3cr990 able according active ad ad2000 add adding again alain almost alter always amount applications applied apply area assign assigning automatically available avoid become behavior being beneficial book button buttons c c2612 capable caption card cd cdromdrive challenge cimv2 class classes close command components computer computers connect consequently construct contains creating criteria criterion default defined defining delegated depending design deviceid dialog dialogs digital directory disk divisions double down drive dvd dynamic easier easiest editor effect empty enter enum enumerate environment errors evaluate except excessive existence familiar fewer field fifth filesystem filter filtering filters follow follows form fourth free freespace fulfill functional geographical get good gpo gpos group groups hierarchy higher hotfix http ignored iis implies include included includes including incorporated infrastructure inheritance innovative install installed installer instances instrumentation integrated interface ipsec keep kinds language larger layer learn least leave let’s letter level line link linked links lissoir lissware listed locate location logicaldisk long lower maintaining making manage management managing mapped meet memory microsoft mind mixed model monitoring name namespace necessary net network networkadapter newer now ntfs object objects obtain off often ok open opens operating option options order ou our ous out peripheral permission planning policies policy press processing product professional properties property provider queries query ready recursive remove represents resulting results retrieving rigidly rom root row run running sample scripting sd security separate server servers service services settings show simple slow solution somewhat space specification sql standard started static structure superclass support syntax system systems tester third tip title top toshiba tree try type
understanding user users w3svc value varies wbemtest we’ll version versions while win32 windows within wmi volume works workstations wql www xp

Processing Group Policy

apply get group immediately logon manually periodically policies processing servers startup test thereafter time trigger workstations

Processing Basics

2000 2003 acronym actions active along applied being cause changing command computer computers conflict d directory domain down effect effective event events exception fact finally gets going gpo gpos gpupdate group groups immediate immediately implemented l linked local located location locations logoff logs loopback lsdou machine member moving object objects obvious occur off ou ous overrides periodic policies policy processed processing refresh refreshpolicy remember removal result s scripts secedit sequence server settings shutdown shuts site software starting starts tip tree triggers unless user users windows xp

Windows XP Fast Logon Optimization

2000 2003 account active administrative advanced alt always apply asynchronously available background becomes before behavior box cached command completed computer computers configuration credentials ctrl default define delete dialog directory done during effect ensure explorer fast folder force foreground fully gpos gpupdate group home initialized logon logons logs network off optimization order place policies policy presented process processed processing profile properties redirection required roaming scenarios script scripts server settings she shell side speed startup sync synchronous synchronously system take templates time tip turn under user users wait windows words work xp yet

Processing Group Policy Periodically

16 30 90 120 960 00c04f79f83a 11d2 6eac 827d319e a4ea administrative again back background centrally changed clients computer computers configuration controllers cses currentversion default defined deployment disable distribute domain doubt dword enabling exceptions folder gpextensions gpo gpos group helps hkey hours interval local log logs machine managed maxnogpolistchangesinterval microsoft minute minutes modified nt objects off offset option period periodic periodically place policies policy prevents process processed processing random reapplied reapply redirection refresh refreshing reg registry restart security settings simultaneously software somehow specify starts system take templates time tip user users value windows winlogon

Manual Refresh of Group Policy

2000 2003 assigned background boot box causes check checking client command commands computer connection controller default defined dial domain effect enforce ensure extensions folder force forces gpos gpupdate group immediately implement installation interval log logoff logon machine manually off otherwise parameter parameters policies policy process processing reapplied redirection refresh refreshed refreshpolicy screen secedit server settings side similar since software starting target tip update updated useful user waiting wanted windows xp

Slow Link Processing

10 11 32 107 127 2000 2003 2048 16000 105ms 107ms 108ms 109ms 150kbps 500kbps accomplished administrative allow allowed amount applicable application applications applied approximate authenticating average behavior byte bytes c calculated calculation cellular changed check client com command computer connection consecutive consequently consider considered controller data default deployment detected detection dialing disable disk domain echo effects efs estimated explorer extension extensions fast firewall folder formula group hand his icmp including install installation installed internet ipsec l less link links loaded long lonsanao1 loss lost mail maintenance manually maximum milli milliseconds minimum modified ms much option options order otherwise out package packet packets pass permitted phone ping pinging pings place point policies policy problem processed processing quota received recovery redirection regardless registry remote reply response round sanao scripts seconds security sense sent server settings side since slow software solution speed statistics status successful take takes templates threshold time times transferred trip try ttl upgrade upgraded user users’ windows wireless xp yes

Loopback Processing

2000 2003 according across administrative affect applications assigned available behavior changing come computer computer’s configuration configure conflict default defined feature forest gpos group higher installation installed linked located location logging logs loopback merge mode modes modify newer normally object obtains onto operation ou policy priority processed processing receive received registry replace result server settings similar software sometimes sp1 sp4 specifying system templates trust user users’ windows words xp

Group Policy Processing in Detail

30 92 00c04fb984f9 016d 11d2 31b2f340 945f accessed active addition address affect again altered api applicable application apply applying assigned authenticated authentication automatically boxes cached call channel client com computer computer’s configuration configured connection considered contacted container controller controllers created creates cses currectcontrolset decide default defined detail determine determined determines dfs dhcp dialog directory displayed distributed dns domain done dynamically dynamicsitename effect executed executes explorer extensions file forces getgpolist gpcfilesyspath gpo gpos gpt gpts group her hierarchy his hkey hklm immediately installed installing interface ip kerberos key least let’s link loaded loading local locates location log logon logs loopback machine managed merge message messages microsoft minutes mode move name netlogon network object object’s objects obtain obtained off once options order otherwise ou parameters password personal policies policy priority process processed processing profile programming query refresh registry replace restart retrieved roots sanao screen secure security sees server services sets settings she shell side since site slow software sorted speed stage started starts studied successful system sysvol time type types unless user user’s username userpolicymode wait walk value version windows

Determining Effective Group Policies

23 2000 2003 analysis available command computer contains depth determining discuss effective exe form functionality gpresult group handy help improvements incorporate integrated introduced kit line mmc msc online policies policy processing properly resource result resultant results rsop server snap started tool version windows xp

Determining Effective Group Policy Security Settings in Windows 2000

24 25 2000 2003 accessing account active addition administrative administrators alone assigned authentication becoming box built button changed check clicking clock come command computer computers configured console consoles context controller controllers currently default defined determining dialog differently directory display displayed domain easy editing effect effective enables filtering find go gpo gpos group groups had inherited ins kerberos level levels linked local maximum menu minutes mmc modifying node ones open operators option order overridden policies policy power prior programs refresh refreshed reload restricted right rights screen secedit security selecting server settings shortcuts shot show shown similar since slightly snap something stand synchronization system templates time tip tolerance took useful user users view views window windows xp

Sample Scenario for Group Policy

10 11 26 2003 able according accounts ace active add addition adm administering administrative administrator alternatively altogether applicable applied apply assign assistants b before being blocked book bos bossanao100 boston c category class clicking close com computer computers configuration configure consequently contain container containers contains controller controllers corporation created createenvironmentfromxml creating current d default define defined defines deny determine determines determining differ directory displayed domain done edit editing editor effective enabled ensure entered environment evaluation explorer file filtering final find four further gp gpmc gpo gpo1 gpo2 gpo3 gpo4 gpo5 gpo6 gpo7 gpo8 gpo9 gpos grasp group help her higher hkey http ie illustrates inf infrastructure inheritance instructions interest ip jack jill jill’s keyname kouti least let’s lines link linked loaded located location log logging logically logs lon london lonsanao10 loopback marked max member mfg min missing mode moved msc name named nine node notepad numeric object ones open order organized ou our ous override part perform performed permission physically policies policy priority process processed processing professional profile properties proxy real receive refer registry remove repeat replace replicate replication required resources responsible result results right router rsop run sample sanao save scenario script sections security selecting sequence server servers services settinga settingb settingc settingd settinge settings show shown simple site sites snap software specific specified specifying spin starts steps strings subnets supernet systemroot tab templates testsettings tip try trying type under user users walk value valuename values web view windows workstation wsf www xp

Managing Group Policies

12 32 2000 2003 acl active administrative adss aduc analyses analysis analyze analyzing appropriate backup blocking computers console copy creating delegating describe directory editing editor enforcing export files filtering filters forest gp gpmc gpo gpos group import included inheritance installed involves least linking links logging management managing manipulating mode modeling msc n notepad o object operations perform permissions planning policies policy provide quick removing reporting requires restore results rsop sample scripting scripts searching server services settings sites snap som sp4 specific summary task tasks template users w various versions windows within wmi xp

Group Policy Dialog Box

27 accomplish active add apply associated box button buttons container controllers current delete dialog directory domain edit gpmc gpo gpos group immediately installed link links management managing normal notice object objects ok options perform policy properties purely related remove replicated replication save shown tasks whereas

Target Domain Controller for Group Policy Operations

28 2003 administrative administrators always available behavior behind clicking configuration controller controllers data dc default domain editing emulator force gpmc group holder holds link loss master menu mmc modifying object operations option options order overriding pdc policy preferred prevent prevents replication right role running selecting selection server settings setup slow snap system target targeted templates tip user wan while view windows

Creating GPOs

29 account ace administrators admins assigning child cn container created creator dc default delegate delegating directly domain domains enterprise folder folders global gpo gpos group groups include indirectly local management member members necessary nor ntfs objects order owner owners ownership permission permissions policies policy since system sysvol take task user

Creating and Linking GPOs with GPMC

ad alternatively clicking container created drag drop easy gpmc gpo gpos group link linked object objects order policy right selecting unlinked very

Creating and Linking GPOs without GPMC

30 active add again alone anywhere appropriate box browse cancel complex computers console container creating dialog directory domain edit field finish gpmc gpo group host link linked look mmc name navigate object ok open operation ou policy properties rather right selecting services shown simply site sites snap stand tab toolbar twice type unless unlinked users ways

Naming Convention for GPOs

13 200 2003 account addition application apply architecture assign assigns c character characters computer computers contain contained contains convention deployment description documents domain field fields find format free function gpo gpos group guide illustrates important indicates keeping linked location main management microsoft modified name naming objects organizational original ou ownership policy policytype purpose r recommended recommends registry responsibility revision s security server services settings site slightly solutions specific st target track type u unit update user users v version windows within wus

Editing GPOs

14 31 2000 2003 access aces active add added addition administration administrative adsi affects allow alone appears available beginning button changed changing check clicking cn com command computer console consoles controller controllers dc dcpol default defined dialog directly directory disabled display displayed dns domain dompol edit editing editor explain filename focus gpcomputer gpedit gpmc gpo gpobject gpoe gpos group guid icon indicated individual latter ldap line local longer machinename member menu method mmc msc n name netbios node object opens option path policies policy professional properties read related row run sanao saved secpol security selecting server servers settings shortcut shortcuts similar snap specified stand starting switches system target targeting typing under user windows work write xp yes

MMC Extensions

2000 2003 actually add addition almost along author becomes bottom brings components console default definite desired displayed explain extended extension extensions file gpedit gpoe group heart improvement include individual ins ip key learn least longer management menu mmc mode msc network nuisance open order pane parameter policies policy public remove restriction right security server settings since snap software standard starting tab tabs ten view window windows wireless

Managing GPO Links

active add always associate automatically button computers container created current default directory disabled extension gpo group ins link newly parts policy services sites snap users

Disabling Parts of GPO or GPO Links

32 administrative alternatively apply before beneficial box clicking column computer configuration context controllers default deselect desired details dialog disable disabled domain double effect enable enabled ensure especially experiments force gpmc gpo gpos group link links located logon menu object objects open options order parts policies policy preferably process right selecting settings shown speed startup state status system tab templates temporarily testing tip under unused user

Deleting GPOs and GPO Links

33 34 2000 access active add affect almost associated associates before box button choices clicking confirmation container delete deleting deletion desktop dialog difficult directory domain down easy enables former gpmc gpo group installed latter leaves link linked links locate nor now object objects open operation option order ou permanently policy presented property removal remove removed removes removing right selecting shutdown shutting simple site tab think unlinked ways very windows

Group Policy Operations

back call capability discuss gpmc gpos group improvements introduces operations perform policy restore settings transfer welcome

Backing Up GPOs

35 36 2000 2003 access accessing active addition almost application apps armor’s assigned authenticated back backed backing backup backupinst backups basic being bkupinfo cd clicking consequently contains controller copy core created creates cse cses date default description descriptor detail dialog difference directory discuss discussed dns domain domains domainsysvol element elements enables entire exactly fazam file files filter folder folders forest former fqdn full function functionality gpmc gpo gpos gpreport group groups guid hidden identified illustrates included individual individually installed instance instances ipsec items keeps kit latter learned link location machine manage management manifest membership method name numbers objects obviously options order part partially party paths permission policy prior purchase read readtime reduced referenced report reports resource restored restoring right root security separately server settings setup shortcoming since specify state storing structure supplement supported supports system tab taken template third time timestamp tool track user users utc version versioning whereas windows wise wmi words wrapped write xml

Restoring GPOs

addition along attributes backed contents delegation delete deleted domain edit entire filters function gpmc gpo gpos guid ipsecurity links modify nor order original ou permission policies restore restored restoring retains s security settings since site tab wmi works write

Copying GPOs

37 38 access across addition advanced alternatively application asking asks assign assigned assignments associated associations automatically backed backup checks clicking connects contains converts copied copy copying cross dacl default defined deployment destination directly displays domain domains editor else enables exclusively exe extension file files filters finds finished folder found gpmc gpo gpos group groups illustrated illustrates import ipsecurity kinds linked links local management maps menu migration migtable mtedit name nodes objects obviously open options order outside paths permission permissions policies policy populate prepared presented principals problems production programfiles question read redirection references registry restricted retain retained right rights scripts scriptssamplemigrationtable security server services settings simultaneous solves someone source specify starts syntaxes system tables target template tip trust unc user validate warning within wizard wmi xml

Importing GPOs

access actual assignments filters gpo guid import imported ipsecurity links modify order permission permissions policy prior removed settings simultaneous source target wmi write

Managing WMI Filters

code domain export file filter filters format gpo gpos learned managed managing mof object operations outside restore separate transfer wmi

Scripts for GPO Operations

15 automating available backed backing backs backup backupallgpos backupgpo backups copies copygpo created createifneeded createmigrationtable creates default domain exist fail file full function gpmc gpo gpos guid importallgpos importgpo imports installation instance instances latest location migration notes operation operations original overwritten parameter querybackuplocation regularly relevant restore restoreallgpos restoregpo restores sample script scripts settings since source specify target tasks tip upon verbose version versions wsf xml

Restoring Default GPOs with Dcgpofix

16 2000 2003 administrative administrator categories command computer controllers dcgpofix default domain during efs encrypting enterprise exchange explorer file folder gpos group illustrates included installation internet introduces located made maintenance management migrated nt object operation policy redirection remote repair restored restoring ris run scripts security server services settings setup sms software system system32 systems templates tool upgrade windir windows works

Reporting GPO Settings

39 2003 able add categories clicking configuration convenient default displayed document domain easy enhanced exe explorer feature gpmc gpo hide html included internet link makes mmc open pane policy receive report reporting reports right save security selecting server settings show sites store suggesting tab tip trusted warning very windows xml zone

Group Policy Analysis

40 2003 access account action active add adding addition administrators advanced advantage analysis analyzing application applied apply associated available back beginning c capability center clicking completed computer computers configuration console container creating cse current custom data default directory disabled displayed displaying displays down effective eight error especially failure file files filters find formatting functionality generate gp gpmc gpo group help htm html include included incorporating initiate integrated interface introduced ipsec kerberos link local located logging loopback managed mentioned menu mmc mode modeling modes msc mypolicy names narrowing node nodes nonadministrative nor object operating order organizational out perform permission planning policies policy primary problems process processing properties query refresh refreshing report reports resultant results retained right rsop runs save saved security selecting server settings simulate slow snap software started starts status steps support system systems tab tabs tasks tip tool top troubleshooting unfortunately units useful user users wealth versions very view windows wireless wizard wmi words write xml xp

Searching GPOs

41 access ad allows authenticated become branding clicking computer configuration contain contains criteria disk domain effective efs exactly exist explicit filtered find folder forest gpmc gpo gpos group guid ie installation ip larger links locate looking name necessary network node packet permission policy qos quota recovery redirection registry right scheduler scripts search security settings software user users versatile wireless

Delegating Management of GPOs

17 18 19 42 2000 2003 ability access ace aces acl active actual ad ad2000 add addition administer administration administrators admins adprep advanced affected again allow allows along analyses apply assigned associated attributes button child clicking cn combination common container containers contents control corner created custom data dc default delegate delegated delegating delegation delete directly directory displayed domain done during edit editor enable enterprise execute extended filtering folder forest forestprep frd fully generate gets gplink gpmc gpo gpoptions gpos group grouppolicycontainer groups hand imply individual inherited learned link links listed logging lower manage member members modeling modify necessary needs ntfs objects once order ou owner perform permission permissions planning policies policy properties read remove resultant results right rights root rsop run s scope security seeing server settings she site special specific specify standard system sysvol tab task tasks under upgrading user users whom windir windows wizard write yourdomain

Creating an MMC Console for a Delegated GPO

12 24 43 2000 263166 able access active add added adding administrative appropriate article author base browse c changing clicking close components computer configuration console consoles context control default delegated delegating desktop directory displays documents dsa dssite editing enables ensure entering exclude explicitly extensions finally finish folder gpo gpos group help icons ins knowledge limited management manipulating menu menus microsoft mmc mode modify modifying msc node ok open opening options original parameter permitted policies policy prevent restrict restricted restricts right running save seeing seek sensitive services settings shown single sites snap specific starts templates ten tip under user users views window windows visible within won't youradminuser yourself

Delegating Local Computer Policy

ace aces active affected among apply applying computer conflicting control define delegate deny directory file folder group grouppolicy local members ntfs ntuser object permission permissions pol policy prevent read settings system system32 systemroot user wins

Delegating Management of WMI Filters

acl addition authenticated cn control created creation creator dc define delegating delegation domain edit filter filters full he holder individual manage modify mswmi node object ones options others owner permanent permission permissions principal properties read representing security selected she som system tab users whereas wmi wmipolicy write

Scripting Group Policy Management Tasks

32 chm commongpmcfunctions console copy definitions depend documentation easy file folder found gpmc gpo group help illustrated included includes installing interfaces js lib location management occasions online overview policy programfiles sample samples scripting scripts sdk setup since tasks very

Managing Administrative Template Files

2000 816662 ad ad2000 add adm administrative article automatic available becomes behavior capable cause client comparison computer computers configuration console control controller copied copy crucial decide deploy description directly domain editor empty explain file files folder functionality gpo group includes incorporated individual inf interface kb least local manage management managing mmc modify newer object obviously off open operating option order pack performed policy primary problems properties restricted server service settings ship showing snap source system systemroot tab target template templates timestamp turn understanding until update user version windows xp

Managing User-Made Administrative Template Files

44 adding administrative appeared basic caused checked checking displayed distributed done error errors file files implement keyword load loaded old order place removing supported syntax template tested unload update version wrong

Additional Tools

2000 addition available common download group included increased inventory kit operating policy resource scenarios seen somewhat system time times windows writing

Group Policy Inventory

18 45 2000 2003 administrators alternatively analysis analyze append c collect command computer computers contains defaults defined delimited download excel file files folder framework further generate gpinventory group gui illustrates import initially installed instructions inventory kit kits least line loads logging machines member mht microsoft names net order ou permission policy processed program provides queries query requires resource resultant results rsop run runs server setup simple site specify store tab target tool type web windows wmi wmiqueries words xml xp

Group Policy Common Scenarios

12 40 2000 accessible addition alternatively appropriate back bat batch cmd command common commonscenarios consequently createcommonscenarios createenvironmentfromxml creates defined documentation documented domain download easily excel experiments file files fine folder found four functionality get gpmc gpo gpos group html import imports included includes interesting level linked links loadpol microsoft node now ou our ous package pages policy recommend reports result sample savepol scenario scenarios script scripts settings site six spreadsheet structure supported supporting time toolset top transferring under usage various web version windows work wsf

Software Management with Group Policy

64 ad2003 administration along application applications bit brings compatibility functionality group help network policy simplify software

Windows Installer

46 2000 2003 account actual add administrative administrator always appear applet application applications approved associate attached attend automatically before benefits box certified certifying cfw com company components computer configuration conflicts consequently contain context control copy corrupted creates creating custom customizable customize database databases dcom defined deployed developers did display division dll dll's documentation during effective elevated enable enabled engines environment environments especially exe's exists failed file files find finds folders follow follows fulfilled get http illustrates include includes including install installation installed installer installing insufficient interrupted isvs kit legacy locations logo meet menu merge method microsoft modules msi mspx mst necessary nt offers office often once option order package packages pages panel partners party past paths performed performs policy prior privileged privileges problem procedure process product programs register registry removal remove repairing replaced requirements resource restart returned rights rollback script security self server service settings setup shortcut shortcuts sign software specific stages standardized standards started state sticker store support system tables tasks templates third transform try type types uninstallation unsuccessful url user user's various vendor's whole windows windowsserver2003 wizard wrong www xp

Creating Windows Installer Packages

2000 2003 3rdparty adminstudio available cd com contains deploying enterprise files folder get group http include includes installer installshield le mgmt microsoft msdn msi net ondemand ondemandsoftware package policy project rom server setup software stage studio task template tip tool valueadd various veritas version windows wininstall winstle wise wisesolutions visual vstudio www

Deploying Software with Group Policy

application assign aware choose computer decide deploy dfs distributed distribution fault file folder infrastructure installation package publish server service shared site software step store system tolerant user

Published versus Assigned Application

20 2003 actual ad2000 add administrator again appears applet application applications applies appropriately apps assign assigned associated auto automatic available away c cab ccm checked clicking clicks client cn com compares comparison completely computer computers configuration console control copy dc default deploy deploying deployment discuss edit editor ensure extension feature field file files folder follows forcing found gpmon gpmonitor gpmonitordeployment gpmonitoredcomputers gpo group guide http icon improving infrastructure install installation installed installer link local located logon logs lonsanao1 management menu method methods microsoft mobile monitor msi n name necessary object office ok open opening opens options order ou package packages panel path place policy programs published removal remove repair required reskit restart right s sanao script selected server settings setup shared shortcut software source started starts steps supported takes target techinfo that's time tip type types unc unless user users v1 ways whom windows windows2000 www yes zap

application class cn containers corresponding created dc domain gpo guid objects package packageregistration packages policies store system user

Deploying Non-MSI Packages

97 application architecture com contains contents deploy displayversion excel exe file follows friendlyname http install installation installer installing instructions intel mentioned microsoft msi office older options publisher sample setup setupcommand url windows www zap

Upgrading Applications

47 2000 applications available computers current deploy easily gpo group infrastructure install longer method microsoft pack packs policy released service services software sp1 sp4 sus update upgrade upgraded windows wus xp

Patching Applications

application applications automatically clicking deployed deploying developers group includes installed issue maintaining minor newer now originally package patch patched patches policy receive redeploy result right selecting server software task tasks upgrades users version

Removing Applications

2003 application applications cleanup complete computer continue deployed existed fail failed files group help install installation installed installer logs longer mandated msicuu msizap named online option optional policy prior properly removal removed removing resort restarted retains server settings setup starting tip tool traces try user users utility windows zap zapper

Troubleshooting Group Policy

2000 2003 able account administrators against analysis analyze analyzes arise came categories clue computerís configuration console did drastically effect enables event exist expediting file follows former gives good gpmc graphical group groups helps improved indications interface intuitive itself local log missing policies policy prevent problem problems provides registry restricted results rsop security server services settings snap system templates tool troubleshooting user very windows worst xp

Logging Group Policy Events

1 6 10 13 16 22 25 26 35 40 41 45 48 55 59 62 65 144 153 173 183 193 200 203 213 249 311 331 340 360 370 390 396 419 429 563 573 583 603 650 670 719 721 740 750 758 957 996 1008 1684 2000 2003 2488 930000 100000000 0000f87571e3 00a0c90f574b 00c04f79f83a 00c04fb169f7 00c04fb94f17 00c04fb9603f 00c04fb984f9 00c04fbbcfa2 016d 06a7 08b7c9ee 0f6b957d 0x10000 0x10001 0x10002 0x870 11d0 11d1 11d2 2037c53745ad 31b2f340 35378eac 384kb 446a 48a6 509e 512kb 53d6ab1b 683f 6eac 785a 803e14a0 827d319e 84d0 942a8e4f 945f a0d0 a261 a28c a4ea a760 a7cc a89a a9b7 access adapter against analysis applicable application appropriate assuming b1be8d72 b4fb ba2756cb background become before behavior better bound bps build c c6dc5466 calling changed check checked checkgpos checking claimed client cn com combined common comparegpolists computer configuration connection contain continues controller created creates creating critical currentversion data dc debug default deferring depth detailed determined determining diagnostics display dll dn doesn't domain done dropped dword e8af0149c1c2 edit editor enable enabling engine entercriticalpolicysection entering entry error errors especially established event events exe exist exiting expand extension extensions extension's failed fast file filter find flag flags folder found full functionality gather generate generated getgpoinfo gpc gpmonitordeployment gpmonitoredcomputers gpo gpos gprefresh gpt gptext group had handle hkey hklm hours illustrates impersonating increased interpret key ldap least leave leaving lines link local located log logging logs longer lonsanao1 lonsanao21 machine matter maximum membership microsoft mode multi name names needed network nogpochanges nonsignificant normal nothing nt numbers object openthreadtoken order ou output passes path permissions pingcomputer point pointer policies policy previous prior processgpo processgpos processing purposes query rather read readextstatus readgpextensions reading readstatus recommend reg regedit regedt32 registry remember remove removed repetitive results role rsop run rundiagnosticlogginggrouppolicy s sample sanao scenario search searchdsobject searching security server side since site sites size skipped software something speed starting starts status still successfully support system system32 systemroot sysvol sz tab target task thing thread time tip troubleshooting turn turned turning type types ui under understanding useful user userenv userenvdebuglevel v1 value values wanted warnings verbose version windir windows windowsnt winlogon within workstation xp you'd

Detailed Logging

3 21 0000009b 00c04f79f83a 0x0f 0x10002 0x1002 0x2 11d2 6eac 827d319e a4ea appmgmt appmgmtdebuglevel categories common cse currentversion data debug detailed diagnostics dword editing enabling errors extensiondebuglevel fdeploy fdeploydebuglevel file folder gpedit gpeditdebuglevel gpextensions gpmc gpmgmt gpmgmtlogfileonly gpmgmttracelevel gpo gptext gptextdebuglevel group hkey hklm installation installer key local log logging logs machine microsoft msi nt obtain policies policy purpose redirection reg registry security settings software specific starting string temp troubleshooting type usermode value values verbose windir windows windowsnt winlogon voicewarmup

Resource Kit Tools for Group Policy

2000 2003 adm analyzing asp category com default deployment file find group helps http include included incorporated integrated issues kit kits located management microsoft migrate migration monitor network nt objects parser policy professional related reskit resource results server settings spy system techinfo third tip tool troubleshooting windows windows2000 www xp

Group Policy Results

2 11 19 23 55 56 500 1981 2000 2001 2003 2004 2600 administrators am analysis applied authenticated authority brown builtin c changed client client's cn com computer computers configuration connected consideration copyright corp created data dc default detailed determine documents domain effective empty everyone exe explanation filtered filtering find further gpmonitordeployment gpmonitoredcomputers gpos gprefresh gpresult group groups help hex incorporate interactive interpreting jack jackb kbps kit lines link local logging lonsanao1 lonsanao21 member microsoft mode name network nt objects operating os ou out output parameters part policy previous process professional profile r registry removed resource result results roaming rsop run s sample sanao security server settings side site slow source system take threshold time tool troubleshooting try type under user users v v1 v2 values vastly version windows workstation xp z

Group Policy Verification Tool

22 32 33 37 2004 00c04fb984f9 016d 016f 11d2 31b2f340 4ddb 5a59a545 6ac1786c 945f 94f4 add ales among analyze available bossanao2 c changed com command components computer contents controller controllers created dc dcs default details determine did domain ds e706 ea77d0440c86 enabled error errors everything exe exist existed expands extensions fields flags follows found friendly functionality gone gpc gpo gpos gpotool gpt group had having indication interpreted line lonsales1 lonsales2 machine name noticed null ok output pm policies policy preceding processing provides r replicated s sales sample sanao sanaogeneralgpover1 searching server side smoothly specific switch synchronized sysvol tool troubleshooting u user validating valuable value verbose verification version yet

ADM File Parser

2003 4322 add addition adm admfull administrative admx analyzing before c command compare computer config configuration consists contained copied data default diff diffbetweenw2k3andwxpsp2system drive exe executable explain export fields file files folder framework full he help include individual inf install installed installs kit kits letter line lines location log mapped microsoft msi name net node order output parser path paths permission policy program reading registry remote requirement resource running runs separate server settings setup she since sp2 startup support supported supportedruntime symbolic system systemroot template tool txt unc unless useful user utility v1 version windows write writes written xp

Group Policy Monitor

22 49 2003 adm administrative analysis application archived assigned brief c cab captured chm components computer computers configure contains data defaults define defines deployed deployment environment events exe execute extracted file files find folder format four frequency gpmon gpmonitor gpmonsrv gpmonui gpo gpos group help illustrates included install installation installed installs kit kits lab listed local main menu monitor monitors msi named network notes online order package path policy program purpose refresh refreshed refreshes remote report required resource rsop server service settings share small system32 template tool unc windir windows workstation written

Policy Spy

50 2003 access actions applying appmgmt computer contains dump dumping event exe fdeploy files functionality getting gp gpedit gpos gpupdate group illustrates initiate initiating kit kits listing log minutes pausing policy primary processing programfiles providing registry related resource secedit server settings spy ten tool troubleshooting user userenv values various versatile very viewer windows winpolicies

Replication Monitor

51 2000 2003 active advanced analysis analyze capabilities check column context controller directory display displayed displays domain forest gpc gpo gpos gpt group issues kit mark menu monitor object option output part policy replication resource right sample server show status support sync sysvol tool version windows within

Group Policy Migration

2000 2003 created differs exe files gpo gpolmig included kit location longer migrate nt ntconfig pol policy registry resource server settings structure system tool windows

Group Policy Reference

2000 2003 addition administrative available boxes chm contains dialog explain explanations file gp group help hyperlinks incorporated kit online policy reference resource security server settings tabs templates windows


2000 active addition analyze armor auditing available back capability check com computer computers console contains cost directory editing fazam free full fullarmor functionality gpanywhere gpos group http kit launched local management managing members operations out party policies policy product products provides reduced removed report resource rfv server supplement third tool valuable version versioning windows www

Advanced Topics

administrative centrally client define detail discuss especially extensions filters good group history ipsec policies policy present registry related settings side storage templates topics troubleshooting values wmi you're

Registry-Based Settings for Group Policy Processing

16 23 24 30 45 64 90 294 440 800 967 2000 2003 196kbps 500kbps ability account achieve across active actually add adm administrative allow along always appear applied applies apply asynchronously authenticating automatic available background before box centrally changed changing clicking completely computer computers configuration configurations configured connection connections considered console controller controllers created cross current data days dc default define defined deployed deselect detection determines determining dialog directory disable disabled disables disallow disk displayed domain during editor effect efs enable enabled enforce event events explorer fast files focuses folder forest generating gpo gpos group hours ignored inf initiate ins installation interactive internet interval invoke ip ipsec link links loads local locate location log logged logging logon loopback machine made maintenance managing manually merge minutes mmc mode msc nonadministrators object objects off offset often options pdc periodically plus policies policy preferences presented processed processing profile profiles purpose quota range receives recovery redirection refresh refreshed registry related remove replace requires restart resultant right roaming rsop script scripts seconds security sees selection server servers settings she shell show slow snap software sp4 system systemroot take templates tested threshold titled trust trusted turn unchanged under update user users value warning view windows wireless work workstations xp zero

Client-Side Extensions

25 52 4852 6536 0000f8080861 0000f87571e3 00c04f79f83a 00c04f86ae3b 00c04f991e27 00c04fa31a66 00c04fb169f7 00c04fbbcfa2 0acdd40c 0b47 11d2 25537ba6 35378eac 3610eda5 426031c0 42b5faae 47ab 683f 6eac 75ac 77a8 77ef 785a 827d319e 84d0 8dc5 9b6c a2e30f80 a382 a4ea a89a aa7d ac3d37bfcb39 active actually ae5a along appear appmgmts b0ca b1be8d72 baa0 bbde before bf6de7e7fe63 branding c6dc5466 client complete component components computer cse cses currentversion d7de defined directory disk dll dlls dskquota dynamic e437bc1c efs explorer extension extensions fdeploy files folder gpextensions gpos gptext group guid guids hkey iedkcs32 install installation internet introduced ip library link local machine microsoft names notice nt obviously operating packet policy previous process purpose qos quota recovery redirection registered registry remote ris scecli scheduler scripts security services settings side software sorted system userenv windows winlogon wireless

Registry Settings for Group Policy History

26 active administration applied applies available braces bracket checked client client's computer configuration container contains cse cses current currentversion cycle defined delimited directory disable disabled displayed displayname domain dspath enabled entry extension extensions filesyspath find forming functions gpc gpo gpolink gponame gpos gpt group grouppolicy guid guids higher history hkey identify incremented indicates ins installed iparam key larger ldap link linked local machine manage microsoft mmc name numbers options organized ou path perform policy policy's priority processed processes processing properties property purpose purposes registry resides result sections separated settings side site snap software starting system32 systemroot type under unlinked user value values various version windows within written zero

Storage of WMI Filters

27 actual attributes author changedate cn com creationdate creator dc description displays filter filters guid id implies important mswmi name objects parm1 parm2 principal purpose query sanao som system user value wmi wmipolicy wql

Storage of IPSec policies

active assign assigning associated attribute cn com computer configuration configuring container created dc decide directory domain easier editor gpo gpos group guid ip ipsec ipsecfilter ipsecisakmppolicy ipsecnegotiationpolicy ipsecnfa ipsecownersreference ipsecpolicy items link linked machine microsoft much object objects open policies policy sanao security settings system track trying unfortunately windows


2000 2003 active administering before benefits bringing complex complicated console cumbersome deployed directory domain domains ease enables evaluate forests gpos group improvement infrastructure leave left main management mastered much network performing plan plenty policy production rather reap resources room server settings since sometimes surely tasks test tool transferring ways windows wish you'll

Chapter 8
Active Directory Schema

active administration approach attributes background behind better classes data describes directory enforce enhance extend extensions faster forest general indexed learn learning model overview prepare purposes rules scenes schema searches sections syntaxes technical understand works

Overview of the Active Directory Data Model

500 active attributes classes consequently data derived directory domains full implements including introduce ldap model normal notably objects relationship service user

Classes Objects and Attributes

1 4 14 23 26 59 70 70 142 191 207 250 257 500 863 2000 2003 abc active actually ad2000 alias architecture attribute attributes base behind belong bringing brown class classes common computer computers contain contains corresponding defines description dictates directory discuss enter familiar fancier fancy folder forest forms generalized groups home homephone implement implements inner instantiated instantiation integer interchangeably jack knowledge logon mandatory multivalued name object objects often optional otherhomephone phone pm pool principal print printer printqueue properties property relationships represented say scenes schema server ships single slightly small snap something speed standard string strongauthenticationuser subset supported supports syntax syntaxes term time turn type types unicode user users value valued values various whereas windows words

Container and Leaf Objects

56 67 86 124 active ad2000 analogy base becomes call class classes classstore cn compare computers contain container containers contains correspond data difference directory domain doomed eternal examples except file files folders former interestingly leaf leafhood leafs mean modify ntfrssubscriptions objects obvious organizationalunit others our parent remaining schema snap specific superior system total types under user users whereas

Indexing and the Global Catalog

64 69 138 active ad2000 attributes base being birthlocation catalog cn contain database directory efficient examples fast faster fifty forest givenname global helps hundred including indexed indexing local locate making millions much multidomain naturally nonindexed object objects obviously part printstaplingsupported retrieving right schema searches searching sn surname therefore thousands userprincipalname via


briefly cache explain inspection location role schema subentry subschema topics

Role of the Schema

abstract active addition attribute attributes auxiliary builtindomain catalog category chain choice class classes cn contain container contains content dc default described describes description descriptor dictates directory domaindns exist explains explore global governs helps hiding hierarchy id identification indexed inheritance inside instantiation introduced itself lostandfound maintain mandatory miscellaneous multivalue name names naming necessary numbers object objects optional organization organizationalunit ou parent protection range relationships rules schema sections security services single structural structure syntax syntaxes system topics type types under user value various why words True

Location of the Schema

active add administrators applications attribute attributes attributeschema chose class classes classschema coded consequently contents created directory enables everything file hard implement implemented location long manipulation microsoft modified modify object objects query schema service syntaxes techniques vendor

The Physical Location of the Schema

active c choose come configuration contain contains controller controllers copied copy database dcpromo default despite directory dit domain during explained file folder forest full holds identical ini initial initialize initiated learned located location master mostly name ntds objects obviously partition partitions physically process replica replicas replicated replication resides role schema separate serves stores system32 tree units whatever winnt

The Logical Location of the Schema

70 191 261 advanced attributes class classes cn computers configuration container contents dc directory distinguished dmd domain forest letters located location logically management meant name object objects partitions physically root schema seems show snap stand tree turn turned under users won't

Inspecting the Schema with ADSI Edit

2000 2003 active adsi aka among attribute attributes before begin button cd check class clicking computers container contains contents contexts directory discussion documents edit enables explore explorer familiarize find folder follows general good help icons idea implemented install installation interface it's job launch ldap ldp leaf left locate location main manager managing mentioned msi naming nicely now object objects opens operations others our pane part partitions picture previously programs properties right run schema screen selecting separately server similar snap specialized studying support suptools tool under user users various white view viewing windows yellow yourself

Inspecting Attributes of Classes and Attributes

2000 2003 0x active adsi apply attribute attributes attributeschema attributesyntax binary box boxes brown browse bytes cancel check choose class classes classschema cn contain contains contents context copy data dialog directory discuss display displays edit enables givenname helps hex inspecting jack little mandatory meaningful menu move name notepad nothing object objects octetstring ok ones opens optional paste properties provided ready replace replication s schema schemaidguid server straight string study sure syntax syntaxes tip track turn user usnchanged value values warning version view windows

Various Attribute Names

409 500 address admin admindisplayname administration administrative adsi attribute attributedisplaynames attributes attributeschema base book bridge classes cn coded comment common computers configuration confusing consistent contain container contains convention conventions description descriptive display displayspecifiers documentation english equal especially established examples explanation facsimile facsimiletelephonenumber fax field filters find four gives hard hyphen identifier info ins ldap ldapdisplayname ldifde letter likely link locale locate long lowercase mainly manager microsoft's monitor multivalued name names naming noticed object occurs office open others page pairs practice properties readable reality reasons refer replication schema scripts similar site sitelinkbridge slightly sn snap sometimes specifier starts states street streetaddress subsequent suggested summarizes surname telephone together tool turn under united unlike uppercase url user users various web versus word words www

Inspecting the Schema with the Schema Manager Snap-In

2000 2003 able access active add addition admin adminpak adsi again always apply attribute attributes available box boxes button cancel casual cd class classes classschema clicking close column command common console container containers cumbersome description dialog did directory discuss displayed dll double edit enter exit extra file folder get givenname help homedirectory i386 illustrate indicating ins install instances items ldap left listed locate location look made management manager managing mandatory mean menu message microsoft mmc msc msi name names now object objects ok open opens optional original pak pane press prompt properties ready refresh registration regsvr32 remove right run saw save saved schema schemaidguid schmmgmt screen sections server shots show shown slightly snap specifically steps successful syntaxes take time tip typing unlike users warning view viewing window windows workstation

Base Schema Versions

13 30 2000 2003 ad2000 ad2003 administrators adprep ago applications attribute b base before cases cd cn command common computer configuration contained currently dc describe differences doing exe extended files folder forest forestprep functional gc get happens i386 install installation installed installing kinds ldf ldif level levels mentioned minute modify name named object objectversion obviously once operating path place process raise recorded run running sch14 sch30 schema schupgr scratch sections series server slightly step sum system tool twice upgrade upgraded variations version versions windows

The Effect of Raising the Forest Functional Level

138 150 151 2000 2003 ad2000 ad2003 add added adding adprep aforementioned anymore attribute attributes being catalog caused causing command company controllers count die domain during entry existed forest full functional get global good identitycertificate increases installed level light links load massive modification msdrm msds msmq multicastaddress now operation outcome place possibly printmemory printrate printrateunit raise raised replication running schema scratch securedsource securityidentifier server servers still sync takes thing thirteen time trustattributes trustdirection trustforesttrustinfo trustpartner trusttype upgraded wan while windows

The Effect of Upgrade versus From-Scratch Installation

2003 access acl ad2000 ad2003 addition admindescription aforementioned almost app appears applicationversion around attribute attributes audited auditing auxiliary background base bullet cases class classes completeness computer configuration container controllers cosmetic created default defaultsecuritydescriptor described description differences discussed domain domaindns domains dynamicobject editor effect enterprise entries entry entryttl event exists forest forests group identical immediate inherit inherited installed instances leaving listed little located log marked meaning missing modification msds msexchassistantname msexchhouseidentifier msexchlabeleduri ncreplcursors ncreplinboundneighbors ncreploutboundneighbors neither nor object objects operations outcome part permission place policy practice previous replattributemetadata replvaluemetadata reside result ridmanager sacl samdomain schema scratch server settings showinadvancedviewonly similar since site sites six slightly subset successful system systemflags technical theory therefore time tombstonequotafactor topics unprotected upgraded upgrading users version very whereas windows visible word wrong True

AD2003 Schema versus AD2000 Schema

49 52 53 70 90 142 191 207 810 863 2798 accommodate acronym ad2000 ad2003 additions attributes base carlicense changed classes common consequently contain contains contrast convention correspondingly created directory discussed exceptions follows hyphen ldap leaves letter letters lowercase meaning microsoft ms msds mssomethingelse name names old ones organization's prepended rfc rfcs schema service unchanged

Schema Peculiarities

51 70 88 189 190 ad2000 ad2003 addition admindescription admindisplaynames aims applies attribute attributes base belong bugs class classes cn common consequently corresponds cosmetic description domainrelatedobject employeenumber employeetype enables equal exercise explain explanation extensions follow four gentle good homepostaladdress inconsistencies indicates items ldap learn marked marking maycontain meaningless microsoft miss missing modify mstapi much mustcontain nagging name names objectclasscategory others out peculiarities perhaps possiblesuperiors prefix protection rdnattid read relate remaining rfc rtconference schema seems showinadvancedviewonly six skip specifies systemmaycontain systemmustcontain systemposssuperiors things uid us usersmimecertificate value while wonder wrong zero False True

Dumping the Schema to a Spreadsheet

10 11 30 191 a2 activate adjust allows applications attribute attributes attributeschema autofilter autosize base better border broader button c cell characteristics choose class classes classschema cn column columns com comma command commands complete completed configuration connecting contents controller created csvde current d data database dc defaulthidingvalue define definitions delimited delimiter described directory display distinct distinguished ditcontentrules domain double down dragging drop dump easily enter entries excel explain explanation explore export exported exporting extendedattributeinfo extendedclassinfo f feature file files filter filtered finish fixed format freeze gives graphical h header help idea import instancetype interested labels launch ldap left lines locate logging longer menu modifytimestamp mouse name names newly nice now null object objectcategory objects online open option our out output panes perform post preceding present press problem processing progress prompt put r read reference remove resize results right row rows sanao save schema screen scroll searching sheet show sort specifies specify spreadsheet sspi stays steps successfully tables taste time tool turns txt type user usnchanged usncreated value values various whenchanged whencreated wide width view window visible wizard workstation writing xls False

Schema References

20 257 active addition address adschema asp attribute attributes available base book's class classes com computers contains correspondence default directory documents dumping en exact excel explained field file http includes internet kouti least library microsoft microsoft's msdn names objects phrase pieces previous ready reference references related schema search site snap spreadsheets url us user users web work writing www

Subschema Subentry

10 11 23 35 70 191 access active adsi advantages aggregate attributes attributetypes available classes cn com container contains directory discussed ditcontentrules environments expose extendedattributeinfo extendedclassinfo follows interface ldap ldapv3 limited listed look multivalued name netware notably object objectclasses objects path properties real requires sanao schema scripting service single specify stores subschema support supports syntaxes take under virtual

Schema Cache

2003 access accessing active added admin applications brown built bytes cache consequently consumes consumption content continue contrary controller controllers copy counted delay differently directory disk dit documentation domain due during easy efficient exited extra fact fast february file follow four get goes guards holds identical internally jack latency latter little made master memory minute minutes modified naturally needed ntds object objects old older once period platform ram reason released reload reloaded replicate replication reset restart running says schema sdk slow soon starts stays structure structured test therefore threads time too until update updated user wait waiting version

Triggering the Schema Cache Update

10 11 active adding adsi attribute attributes before cache chapters class conclude constructed contains cover describes detail directory discussion general immediately interface ldifde left long manager mention minutes node object our pane programmatic reload residing right rootdse schema schemaupdatenow script snap special too tool trigger triggering update wait value we'll virtual write

Constructed Attributes

22 36 70 account ad2000 allowedattributes allowedattributeseffective allowedchildclasses allowedchildclasseseffective anr approx attributes attributetypes auxiliary base built canonicalname classes computed constructed control createtimestamp database directory disk ditcontentrules entryttl extendedattributeinfo extendedclassinfo follows fromentry immed keyversionnumber modifytimestamp msds multicolumn ncreplcursors ncreplinboundneighbors ncreploutboundneighbors object objectclasses parentguid please possibleinferiors primarygrouptoken production quotaeffective quotaused replattributemetadata replvaluemetadata schema sdrightseffective six structuralobjectclass subordinates subschemasubentry thirty tokengroups tokengroupsglobalanduniversal tokengroupsnogcacceptable topquotausage user


0 10 14 16 17 18 21 22 24 36 48 67 69 74 78 88 90 95 114 117 122 124 143 163 165 169 170 173 174 181 182 184 187 189 190 191 500 840 1466 2342 113556 113730 304900 62963047 134217744 4856468b 70f6ca9b 8c32fcfe a28500aa abstract actually ad2000 address admindescription admindisplayname adsi almost appears attribute attributes auxiliary auxiliaryclass ba7a96bf base builtindomain c canonicalname categories category characters claim class class's classdisplayname classes classs classschema classstore cn column com common configuration contain container containment contains corresponding created d dacl data dc defaulthidingvalue defaultobjectcategory defaults defaultsecuritydescriptor define defined defining description detail discuss displayname displaynameprintable dist distinguished distinguishedname divided domaindns e60dd011 edit exact examine examining examples finally four gives governsid happens helpful id idea identifiers ids important include indicates inherit inheritance inherited instances instantiated introduced isdefunct itu kind kinds l latter ldap ldapdisplayname leaf listed long m mailrecipient mandatory mark maycontain meaning mention mentioned microsoft miscellaneous mstapi mustcontain name names naming netscape normal ntfrssubscriptions ntsecuritydescriptor numbers o obj object objectcategory objectclass objectclasscategory objectguid objects omit optional organizationalperson organizationalunit others ou overview parentheses person plus possibleinferiors posssuperiors provide pss rdn rdnattid real related remaining remember resemblance resemble role rpwpcrccdc rules run sacl sanao schema schemaflagsex schemaidguid securityprincipal short source starting string structural structure subclassof subsections summary systemauxiliaryclass systemflags systemmaycontain systemmustcontain systemonly systemposssuperiors t too tool top tree type uid uninteresting unique user usnchanged wahl values wonder wwwhomepage False True

Names and Identifiers

15 128 840 2000 113556 304900 62963047 4856468b 70f6ca9b 8c32fcfe a28500aa access active actual admin admindescription admindisplayname adsi always attribute attributes ba7a96bf bit c canonicalname category choices class classdisplayname classes classschema cn com common configuration consequently container country dc derive describes description descriptions descriptive directly directory discuss display displayname displaynameprintable displayspecifiers dist distinguished distinguishedname e60dd011 exchange exist fifteenth filters format fortunately furthermore governsid guid id identifier identifiers identifies identify include includes indicated install instances internally isn't l ldap ldapdisplayname leaves left level listed locality location low microsoft mstapi multivalued name names naming nine none nonredundant o obj object objectguid octet oid organization ou path prefix printable rdn rdnattid redundant related respectively sanao schema schemaidguid scripts six software specified specifies string syntax syntaxes system uid unicode unique unless us user various won't yes

Object Identifiers

7 20 77 208 311 500 680 840 2002 8824 113556 123123 abstract acknowledges active addition address addresses administered allocate allow alvestrand among ansi anyone asn assigned assigning assignment assignments attribute attributes base basic child class classes consists contains coordinates corporation corresponds current currently defense defined department describes directories directory discussed dod domain domen dots enterprise express globally hierarchical highest history html http iana icann identification identified identifier identifiers identify iec indicates inspect internet ip iso issued itu joint kinds level management microsoft name names netscape network notation numbers numeric object objectid objects oid oids org organization organizations owner owns part private protocol recall recommendation respectively root roots schema similar simple since six snmp source specification specifies standards superseded syntax syntaxes t things top tree unique us usa value variables various world www

Obtaining a Base OID

0 10 16 233 840 2000 2003 7000 28684 28688 96821 113556 123123 760998 1142349 1196228 $ active ad add address addresses administration aforementioned alias ansi answer appeared application applications apply asp aspx attributes authority available base bin book branch buy certification certified cgi ch choices classes com company's contact corresponding countries country customer days dedicate did didn't directions directory edition enterprise establish explained extend extensions fee find form format four free general generates get had http iana icann iec included includes international ip iso issue issuing itu joint kit local logo mail menuid microsoft modify months msdn mycompany name needs network numbers numeric obtain obtained oid oidgen oids once org organization organizations page perhaps permanent pl policy private production programs receive reg regarding regardless register registration resource responsive resulting rise run schema schemreg seems sell sent server services situations six specific standard standardization states t tests time try united us utility ways web vendor vendor's very whose windows writing www you'll

Structure and Containment Rules

18 257 account accounts active ad2000 ad2003 admin administrator administrators agent allowedattributes allowedattributeseffective allowedchildclasses allowedchildclasseseffective alter application attribute attributes audio base brown builtindomain calculated carlicense changeable check child children chose class classes classschema classstore compare consequently consist constructed contain containers containment contains content counterparts created creating credentials definitions described description did directory discuss discussed disk displays domaindns done dsa edit effect effective establish fields four freely grayed illustrates include indicate indicates inheritance instance instances jack job logged long main mandatory match maycontain mean mentioned microsoft modifying mostly multivalued mustcontain name nor normal ntfrssubscriptions object objects oid optional organizationalunit pairs parent parents part permissions photo possibleinferiors posssuperiors previous process program protect protection read reads reason remove reside resides restrictions role rules running schema seem seven show six specifies still string structure study studying subsection sum syntax system systemmaycontain systemmustcontain systemposssuperiors take takes therefore types user users value whose yes

Class Inheritance

88 abstract admin agent attributes auxiliary auxiliaryclass build built changeable characteristics child class classes classschema containment corresponding defining derived description directory dsa easier enumeration explain four gets ground inheritance inherits mailrecipient makes mandatory multivalued name object objectclasscategory objects oid optional organizationalperson parent previous relevant say schema securityprincipal string structural structure subclass subclassof superclass superiors syntax system systemauxiliaryclass user yes

User Class Example

10 87 92 93 abbreviated actually add addition affect agent appear attribute attributes auxiliary base book built call chain class classes cn com comments common computer configuration connection dc directory domain effect exist expect explanatory far goes hand happen happens hierarchy illustrates inetorgperson inherit inheritance intuitive keep key ldap less little mail mailrecipient mandatory mathematical mspki mustcontain names nor normal nothing object objects optional organizationalperson ou overlap person picked posssuperiors precise reason recipient recovery relationship requires right sanao save schema securityprincipal show shown siblings side simple slightly smaycontain space still subclasses sum sums superclass superclasses superiors system systematically systemmaycontain top user

Class Categories

10 11 88 169 500 1988 1993 abstract act active actual actually addition approved arrows attribute attributes auxiliary base before belong belongs brown categories category class classes comments created creating dashed derive derived describes directory four generic include indicated inherited instance instantiated instantiation introduced jack made mandatory marked necessary normal object objects ones optional previous purpose refers relationships remember schema shouldn't standard store structural subclasses superclasses templates time user version year yes

Dynamically Linked Auxiliary Classes

10 11 2003 actual ad2003 add added administrator adsi affect allowedattributeseffective anything application attribute attributes automatically auxiliary available book check child class class's classes clear containing contains contrast cost created direct dynamic dynamically easily edit enter explicitly feature file filter find forest functional governsid include individual instance instances jack jill ldap ldif ldp level link linked linking listed mandatory modify multivalued mustcontain myauxclass name needed nothing object objectclass objects oid ones opinion our out parent performance process program properties provide raised rather received related remove removed removing sales salespeople samples saving script server show similarly static statically subclass superclass systemmustcontain talk target therefore time trick unfortunately user users value values very windows

ObjectClass versus StructuralObjectClass

10 appear attribute auxiliary become belongs brown chain class classes constructed contents corresponding dynamically exact filter filters find forget four him inheritance jack ldap linked lowermost main multivalued name normally object objectclass organizationalperson person saw structuralobjectclass superclasses think top user wonít work

Miscellaneous Characteristics of Classes

11 16 0x10 active admins advanced agent allows attribute attributes b base belongs bit boolean categories category characteristics class classschema cn computers concepts context corresponding created d dacl default defaulthidingvalue defaultobjectcategory defaults defaultsecuritydescriptor definition description descriptor details directory disabled discuss discussion distinguished dsa extension fifth four general honors instance instances integer introduces isdefunct itself language long menu miscellaneous modify multivalued name nt ntsecuritydescriptor object objectcategory objectclass objects obviously oid part person plus program provide read replace right rpwpcr sacl schema schemaflagsex sddl security showinadvancedviewonly snap specify starting string superclass syntax system systemflags systemonly tells ten tool top turned unicode user users value visible yes False True


active administrative administrators advanced attribute choose class cn computers configuration container derived dfs directory examples helps hide honor interesting interface missing normal object objects once parent program programs shell show showinadvancedviewonly snap system top turn user users value view windows visible False True

Category 1 and 2 Schema Objects

15 able added application attribute attributes base belong belongs bit categories category class classes deactivate extensions marked modifications objects part peculiar reason rules schema something stricter supposed systemflags tells therefore words

Object Category

11 able achieve active actual advantages allow apart attribute base belong belongs brown categories category changing class classes confusing consequently contact contacts contain context criterion defaultobjectcategory defines difficult directory exact examples expressed faster filter filters fortunately get hierarchy indexed inetorgperson inetorgpersons jack ldap likely main makes much multivalued object objectcategory objectclass objects organizationalperson person practical queries query regardless schema search seen single situation steps superclasses theory therefore things top user users valued whereas word

Security Descriptor Definition Language

11 12 13 32 560 9819 00aa0040529b 11d0 1e2f 405a 46a9b11d 60ae ab721a55 access accessmask account ace aces acl acronym acronyms actrl ad2000 addition admins ads allowed ao attribute au authenticated authorization b7e8 bit bits briefly c cc child children class com compare consists contents control corresponding cr d da dac data dc default defaultsecuritydescriptor definition delete described description descriptor detailed development discretionary discussed divide divided domain ds dt easier editor eight elements equal examples except explain extended familiar ff8a58d456d2 fields files flags follows format four full group guid http included inf inherit interface interpret interpretation interpreting kit language lc letter library line lines listed lo long longer mask mentioned microsoft missing modify mostly msdn name names oa object objects operators out owner pairs parentheses partial permission permissions personal platform prop properties property ps rc read reality refer rest right rights rp rplclorc rpwpcrccdclclorcwowdsddtsw s sd sddl sdk security self semicolons send seven sid six software special specifying spelled standard string subsequent subtree sw sy system templates ten times tokengroupsglobalanduniversal tree turn type ui user users validated wd whenever windows wo wp write writes

ClassSchema Object Property Pages

12 13 14 16 17 38 840 2000 2003 113556 acl active admin admindescription adsi again aspects attribute attributes auxiliaryclass bottom box bug builtindomain characteristics check checked class classes classschema cn common conclude control controls correspond corresponding count course covered created currently default defaulthidingvalue defaultobjectcategory defaultsecuritydescriptor defunct desired dictates differences directory discussed discussion domaindns edit editor effect empty exclude excluding fields figures follows general governsid hierarchy inheritance inherited isdefunct itself ldapdisplayname mailrecipient manager mandatory maycontain meaning move mustcontain nonadvanced normal now object objectclasscategory objects obviously once optional organizationalperson organizationalunit our page pages parentheses person picked posssuperiors property ready relationship remaining schema screen screens security securityprincipal server shipping shots show showinadvancedviewonly showing shown snap something structural subclassof superiors syntaxes systemauxiliaryclass systemmaycontain systemmustcontain systemposssuperiors tab tool top tree turn user values various view windows visible

Attributes and Syntaxes

8 12 13 14 15 16 17 21 22 23 27 34 40 56 58 64 65 66 69 70 90 94 102 113 114 117 125 127 131 146 151 216 231 250 256 341 460 500 729 839 840 854 863 919 924 939 944 945 956 964 975 1466 2342 33137 113549 113556 113730 304900 22a9624f 4b998f46 7a357859 9a7996bf a28500aa a658e3c2 accepts active actual ad2000 admindescription admindisplayname appears apply arrows aspects attr attribute attributeid attributes attributeschema attributesecurityguid attributesyntax base canonicalname catalog categories category characterized child class classdisplayname classes classschema cn column com common configuration contain contains content control correct cover dacl data dc define defines definitions describe description descriptions detail directory discuss discussing display displayname displaynameprintable dist distinguishedname divide e60dd011 except extendedcharsallowed figures finally four general helpful homephone id identifiers ids imprecise included indexing indicates inherited inherits instances isdefunct isephemeral ismemberofpartialattributeset issinglevalued itu kind kinds latter ldap ldapdisplayname level linkid listed m mandatory mapiid mark meaning michigan microsoft miscellaneous name names netscape nonzero now ntsecuritydescriptor o obj object objectcategory objectclass objectguid objects omobjectclass omsyntax optional out parentheses part possibleinferiors pss rangelower rangeupper ranging rdn real relationship remaining remember reside result right roughly rsadsi rules s sacl sanao schema schemaflagsex schemaidguid searches searchflags sections separately show side source syntax systemflags systemonly t themselves things top total type unique university user wahl value values various zero False True

Names and Identifiers

15 125 460 840 33137 113556 ad2003 admindescription admindisplayname api applications attribute attributeid attributes attributeschema attributesecurityguid back base belong canonicalname category class classdisplayname cn common consequently contains described description descriptions discussed display displayname displaynameprintable dist distinguishedname exactly familiar form forward four id identifier identifiers identify integer internal intid ldap ldapdisplayname leaves link linked linkid links mapi mapiid messaging msds multivalued name names needed nine obj object objectguid objects octet oid pairs permanent permissions place present property purpose rdn repeat reused schema schemaidguid six string syntax undocumented us wrong yet

Linked Attributes

10 13 16 24 48 58 access accordingly active ad2000 ad2003 administrators attribute attributes attributeschema back base beneficial binary bl bridgeheadserverlistbl bridgeheadtransportlist contained contains corresponding count defined denotes directory directreports dl dn exch forward frscomputerreference frscomputerreferencebl frsmemberreference frsmemberreferencebl group hasmasterncs includes integrity isprivilegeholder larger link linked linkid maintaining managedby managedobjects manager masteredby member memberof membersforazrole membersforazrolebl membership missing modifies modify moved ms mscom msds name netbootscpbl netbootserver nonmembers nonmembersbl nonsecuritymember nonsecuritymemberbl object objectreference objectreferencebl objects odd often operationsforazrole operationsforazrolebl operationsforaztask operationsforaztaskbl owner ownerbl pair pairs partitionlink partitionsetlink point privilegeholder process querypolicybl querypolicyobject reason reference referenced referential refers relationship reports responsible schema serverreference serverreferencebl siteobject siteobjectbl string syntax syntaxes system target tasksforazrole tasksforazrolebl tasksforaztask tasksforaztaskbl unicode updating user user's userlink userpartitionsetlink users value

Syntax and Content Rules

12 16 17 20 64 127 256 400 500 abstract accepts api asn association attribute attributes attributeschema attributesyntax belongs boolean characters choices code consistent contain content context control currently data defined defines describe describes description display distinguished express expressed extended extendedcharsallowed format former group http ia5 identifies integer interface involved issinglevalued itu largest ldap letters longest lowest management manipulation messaging multivalued name naturally necessary numeric object octet oid omobjectclass omsyntax open opengroup org organization osi others printable rangelower rangeupper refers seven shortest single specifies stand standard standards stands string subsyntax syntax syntaxes t tables teletex trademark type unix value values vendor whereas www xapia xom True

Syntax Choices

10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 27 32 58 64 65 66 72 123 127 138 193 394 400 680 1278 2000 2252 7498 8601 2a864886f71401010106 2a864886f7140101010b 2a864886f7140101010c 2b0c0287731c00853e 2b0c0287731c00854a 2b0c0287731c00855c 56060102050b1d access accordingly active actually add address addresses along alphabet appear application array asn attribute attributes attributesyntax b base belongs binary bit boolean bytes categories category character characters choices coded consisting contain contains control coordinated corresponding count criteria currently data date defined describe described description descriptor digit digits directory dis distinguished distinguishes divide dn dots enforce entities enumeration exact f12a4b filters format formats four further general generalized gmt greenwich hard hello hex hexadecimal ia5 id identical identifier ignore insensitive integer integer8 international interval iso keeps large latter ldap link mail match matters mean mention moved name names normal nt numeric object objects octet oid omobjectclass omsyntax osi parentheses partition point presentation printable reference references related renamed replica replication represent repsfrom repsto restriction rfcs roughly s schema sd security sensitive sets seven sid simple somedn specify specifying standards stores string strings supports syntax syntaxes tables target teletex things time treats types unicode universal updates utc valid values various vector windows year False True

Multivalued Attributes

0 0 1 850 2003 ad2000 ad2003 added aforesaid allows application attribute attributes b behavior controllers data deleted depend domain except explained favor forest functional good group idea interim large ldap level limitations linked member members membership memberships modified multivalued nonlinked normal normally now order program put raised random range read reasons relatively removed replicated returned returning script separately server size small specifying still therefore together too unit until value values whole windows write True


10 20 22 23 29 32 33 69 active allows ambiguous anr answer appear apply attribute attributes attributeschema base beginning bigger binary bit bitfield bits boolean calculator care catalog changed class coded computers conjunction consequently container contains convert copied corresponding count creating database decimal define defined deleted der described describes description difference directory display domain duplicating enables entry enumeration examples explained fast faster givenname global group grow grows happens hard hex impact include index indexed indexing ismemberofpartialattributeset ldap least less local longer makes meaning member members membership microsoft multivalued name object ones part partial percent preserved replicated resolution right rightmost schema search searches searchflags servers settings significant single size sn snap son specified specify string strings substring substrings syntax tombstone treated tuple universal user users value values whereas wildcard wildcards windows wonder words True

Ambiguous Name Resolution

23 2000 account ad2000 ad2003 addition additionalsamaccountname address allows ambiguous anr attribute attributes base beginning book bro brow brown brownfield complex corresponding described didn't discussed displayname dsheuristics enable enabling explained explanation feature filter filters find flexibility functionality general get givenname gives include jac jack ldap legacyexchangedn listed manually match mentioned modifying msds name needs nine object office part partial perform performed permission physicaldeliveryofficename pre procedure properties proxyaddresses rdn required resolution samaccountname schema search searches simple six sn starting suppress surname tab try type user ways windows words works

Miscellaneous Characteristics for Attributes

0 7 10 15 16 21 24 25 28 36 46 55 63 800 able address afterward appeared aspects attribute attributes attributeschema base belong belongs bit bits boolean built catalog category classes classschema constructed continues controller corresponding count creating deactivate define defined described describes description discussing discussion disk display domain dsa extension global hex integer isdefunct isephemeral ismemberofpartialattributeset ldap left marked miscellaneous multivalued name ntsecuritydescriptor object objectcategory objectclass otherwise overrides part peculiar reason repeat replicated right schema schemaflagsex supposed syntax system systemflags systemonly therefore things undocumented value False True

AttributeSchema Object Property Pages

13 17 34 256 460 840 2000 113556 active admindescription adsi advanced allow anr attribute attributeid attributes attributeschema attributesyntax box bug catalog checked checking cn containerized copied count didn't directory discussed display duplicating edit existed global index isdefunct ismemberofpartialattributeset issinglevalued ldap ldapdisplayname little manager meaning name object objects omobjectclass omsyntax page parentheses practical property rangelower rangeupper replicate schema searches searchflags sets showinadvancedviewonly shown single snap string unicode user valued values various version view windows False


attributes attributeschema built classes classschema described detail discussed evaluate examined extend far made objects schema syntaxes

Chapter 9
Extending the Schema

2000 2003 accommodate active addressing advantages anticipate attributes base beginning bringing build check class classes counts cover data demonstrate directory established explain extend extending extensible extensions gained going helpful interchangeably interface knowledge logon mind modifications modify modifying nt organization perform phrase plan point preceding predecessor read reference schema server show somewhat summary talk terms therefore topics user users various why view windows works

When and Why to Modify

70 91 450 accommodate accumulates active ad2000 ad2003 add added adding addition administrative administrator advantage alone anr anything application applications approach approaches appropriate attribute attributes auxiliary base big catalog category characteristics class classes consequently contain copied creating current data dea delete deletion departments derive desirable didn't directory discussed documented dynamically easier enabled enables enterprise evaluate evaluation ever examine except exclusive extend extending extensible extensions fill find fine focus four further future get global guaranteed higher illegal imagine include includes indexing indicate inherit instances keeping kind large lead least less linked managing mandatory maycontain mention microsoft mind modification modify modifying much mustcontain named necessary neither nice none object obviously offer ok once ones options organization out planning point purchased purpose put reason requires right safe schema seems selling settings shouldn't similar situation something sounding store stuck subclass suit suitable superclass superiors support systematically time top try tuning unfortunately unless unmodified user value wants versa version whereas vice wouldn't years


able accepts active actually add adding admins ahead analyze application applications applied approve attribute attributes attributeschema auxiliary base binary birthlocation card carry category changing class classes classschema committee consider consideration consolidate controller conventions correct course creates creating customer customers data departments design determine directly directories directory discussion document documentation documented domain electronic enabled ensure especially establish evaluate except explained extension file fill future get go group guidelines impact include inheritance installation instructions isolated kind least likely logon management manual master mentioned modification modifications modified modify modifying moving much multiple naming needs networks nominate now object objects obtain obtaining offer oid old order organization originate out paper passwords perform perhaps permission person plain plan point preceding presented previous program provide purchased put putting remove request requests require responsible role rules run safe schema separate simpler smart software store subclass successful superiors tasks thoroughly throughout turn user users users' values vendor within write

What Data to Put in Active Directory

able access active ad2003 adam add addition aforementioned allow allows alternate among application attribute attributes available basic benefit better binary bitwise catalog characteristics classes clients complex configuration connections consider consistency contains control controller controllers corresponding costly creating criteria data database date depend depending determine directory discussion distributed document domain dynamic easy efficient elements enough especially evaluate examine examples explained expressions extensions fault file fill fills flat further geographically global globally go hand hierarchies high highly hour implement implemented importance important includes increases incremental individual intersite intrasite introduced items job joins keep large ldap level locations lock loose mail management message mind mode modify multiple multisite multivalued necessary needs nesting network never numbers object objects often operations optimized option order out particular partition partitions perform permissions physical placement plan precise print programmer protocol provides proximity put putting queries read reading reads registry relational relatively replicate replicated replication requirements result retrieve schema search sense server sets single sites small smaller somewhere spanned sql standards static store structure substructure summary system tables take techniques terms things time tolerance too useful users vain values various vectors views volatile words write

Dynamic Objects in AD2003

2589 access accurate active ad2003 allowed anything application application's applications attached authors behind care choose class client closed closely collection control controller controllers corresponding created creates currently data decrement defined delete deleted deletes deleting development directory domain dynamic expiration expire expires extended garbage get globally goes http idea ietf interesting invoking involved ldap left let lets live local meeting microsoft modify modifydn needed needs normal now object objects offline one's online open operation operations org owner participant participants performing periodic periodically person possibilities practically refresh represent responsibility responsible rfc search sensible server service services soon specification starting starts static still supports take tells time tombstone traditionally ttl user users utilize valid value while work writing www zero

Controlling the TTL

8 11 15 24 31 86 365 400 557 600 900 2003 86400 absolute active actual again am attribute august average calculates choice client cn configurable configuration constructed contains controller corresponding creates data date days dc default defaults die directory documentation domain dynamic dynamicobjectdefaultttl dynamicobjectminttl entry entryttl expiration forest highly hours implementation including leap left length little long mean menu minimum minutes modify modifying moment msds multivalued name names nt ntdsutil object platform queried refresh requests result returns sdk seconds server service services settings short smaller specified specify time tool traffic ttl value values whenever windows wrong year

The Refresh Request and Response

0 0 24 30 86 101 119 400 1466 2003 accept actually ad2003 allows attribute back check chose client clients consequently controller decrease delay detect discussed distinguished domain dynamic expire extended feature get hours includes latter ldap less long lost minimum name network object obviously oid operation outage packet periodic prevent previously readd refresh request requested requires response returned rfc rootdse seconds seems sends server supportedextension supports target ttl ttls unreasonably value windows year

Creating and Viewing Dynamic Objects

1800 2589 acquainted active add administrators adsi advanced afterward allow application applications attribute attributes auxiliary away changetype child class classes cn com command computers configuration consequently contain control controllers converted corresponding created creates creation csvde d dc default developers die directory discussed display dn domain dynamic dynamically dynamicness dynamicobject dynamicsubtrees dynobject1 dynobjects edit entry entryttl f file follow get half hidden hour including indicate introduce l ldif ldp lifetime linked linking little msds normal object objectclass objects operational ou partition partitions perform person process query r received regardless remaining replicated request required rfc right rootdse sales sanao scan schema small snap specifically static structure supported test therefore time tool ttl turned txt typically unless users value values versa vice view won't

Active Directory Application Mode

2003 8mb active actual adam administration adsi application application's applications approve c cn com companies component computer configuration configure consequently contain contains controller corresponding created csvde data dc dcdiag deployed directory distinguished divided domain download downloadable dsacls dsamain dsdbutil dsdiag dsmgmt edit edition enabled enables enterprise excluding exe extensions extensive file freely guide haven't hrapp http implies includes install installation instance instances introductory ldap ldifde ldp light made maintained microsoft minutes mode mostly multiple name names needs normal notes ntdsutil o otherwise package paper partition partitions parts prefix prior process processes product programmer provides reboot regular related release repadmin require requires reviewer's role runs sanao sanaohrapp schema sell server service services single somewhat sp1 step targeted us user web vendors version versions white windows windowsserver2003 www xp yet

Planning the Modifications

address attribute attributeschema class classschema consider corresponding creating deactivating determine gather modification modifications modifying necessary object operations planning relevant remember

Creating a Class

15 16 21 36 88 91 128 123123 abstract according acronym active ad admindescription admindisplayname advanced afterward alias allocate among anything api application appropriate asp assign attribute attribute's attributes authority auxiliary auxiliaryclass base basically being best bit c category certification certified check checks class classes classschema clients cn column com common computers conform considerations consistency consists constructed containing containment controllers convention convertsecuritydescriptortostringsecuritydescriptor couldn't created dc default defaulthidingvalue defaultobjectcategory defaults defaultsecuritydescriptor define defining definition described description descriptive descriptor directories directory discussed dn domain easier encourages ensure especially except exists filled find fine follow frequently function generates generating get governsid guid guideline guidelines guidgen helps http hyphen identifiers identifies include indicate indicates inherit inheritance installations instances interface issued issuing itself l language ldapdisplayname ldapv3 least letter library lighter little logo long lowercase mail managing mandatory marked maycontain microsoft miscellaneous modifying msdn mustcontain myproductconfiginfo name names needs none normal o object objectclasscategory objects obviously octet often oid option optional organization organization's otherwise ou parents part parts pass permissions place plan platform posssuperiors previous programmatically programmers property provide qualify range rdn rdnattid really recognize recommends referred refers refuses register registration remaining replication requirements right rules sanao schema schemaidguid schemreg sddl sdk searches security series sets shell shouldn't since snap specified specify string structural structure subclassof superclass superiors system systemauxiliaryclass systemmaycontain systemmustcontain systemonly systemposssuperiors taking tasks technically tip top turned type unique uniquely unless unlikely uppercase user users uuidgen value values vendor verify whichever view win32 windows visible within world yes True

Modifying a Class

10 15 16 21 803 840 113556 accidentally active add addition admindescription admindisplayname adsi allow anything application applications apply attribute attributes auxiliary auxiliaryclass base become being category changed changing check checks class classes classschema cn common consequently contain container creating defaulthidingvalue defaultobjectcategory defaultsecuritydescriptor delete described didn't directly directory disable edit ensure erroneous filter guideline guidelines harm illegal indirectly inheritance instance instances keep ldap ldapdisplayname made mandatory maycontain mind modifications modify mustcontain name narrows object objectcategory obsolete optional posssuperiors prevent protection rdn reason recognized rename renaming rest restrictions safety schema shouldn't something suddenly system systemflags tip user users value won't

Creating an Attribute

13 15 20 25 34 127 128 1040 123123 1gb 25gb according active ad2000 ad2003 adding adlinkid admindescription admindisplayname adprep allocate among amount anr anymore anything application applications asp attribute attribute's attributeid attributes attributeschema attributesecurityguid attributesyntax authority avoid back bad base being best bit bits boolean catalog category cause caused certification checks choice choices choose chosen class classes cn com combined common consequently consistency constructed contained contains content controller controllers conventions correspond corresponding cover covered created creating data database databases deactivating default define described description didn't directories directory disadvantage discussed division domain domains enterprise especially evident exact extendedcharsallowed fill filled forest forward full future generate generated generates get global guid guidelines guidgen had happen helps http ia5 id identical identifiers identify ids ignore includes increases index indexed indexes indexing install installations instance interest ismemberofpartialattributeset issinglevalued issued issuing keep lans larger ldapdisplayname library light lighter limit link linked linkid little locally lower managing mandatory mapi mapiid marked matches mentioned microsoft mind miscellaneous msdn multivalued myproductuserdata name names needs nonallocated normal numeric object objects octet oid omobjectclass omsyntax optional organization others part partial pass permissions platform printable problems programmatically property provide provides range rangelower rangeupper rdn recommends registered relatively remaining remember removed removing replicas replicated replication rest rightsguid rules run sanao schemaidguid sdk searches searchflags seldom server servers sets size slight small specified specify store string subsequent sync syntax syntaxes system systemflags systemonly tasks technically teletex tool traffic unique unlike upgrading upper uuidgen value values wan wants varies warning vendor within won't world yes False True

Modifying an Attribute

20 62 accidentally active actually addition admindescription admindisplayname affects anr anymore apply attribute attributes attributeschema attributesecurityguid base being built careful catalog category changed changing checks choose class cn common consequently creating database described directory disable dropped dynamically erroneous global guideline guidelines index indexing instances ismemberofpartialattributeset ldapdisplayname limit match membership modifications modify name object obsolete perform perhaps permission previous property range rangelower rangeupper rdn recall recognized rename renaming safety schema searchflags sensible settings shouldn't something sparing store systemflags tighter value values warning very

Deactivating Classes and Attributes

active advantages attribute attributes class classes cleaned cleanup corrupted deactivate deactivated deactivating decide defunct delete deleted deleting deletion difficult directory enterprise especially forest globe instances known longer lost making mistake necessary network nothing object process rather resurrect schema slow spanned task

Restrictions on Deactivation

active attribute attributes auxiliary category class classes deactivate deactivated deactivating did directly down except include inheritance mandatory member microsoft nondefunct optional protection relationships restrictions source superiors systemflags tearing words

How to Deactivate

active appears attribute attributeís attributes before being benefit box catalog check class classes clear concern corresponding course database deactivate deactivated deactivation delete directory efficient events expect global indexed indexes indexing instances isdefunct keep little manager membership object once open option order page part perform property reactivate remove replication save schema search searching settings snap soon space steps storage True

How Deactivated Classes and Attributes Behave

2003 achieve activate ad2000 ad2003 add adsi again anymore attribute attributeid attributes attributeschema auxiliary b become behaves belong c can't cases changing claims class classes classschema clean cn contains contents continues corresponding data database deactivate deactivated deactivating deactivation delete deleting depending directory edit error except exist exists extend extending fact forest functional governsid having identifier identifiers illegal immediately inheritance instance instances invisible keep ldapdisplayname ldp level linkid manager mandatory mapiid member modify name names normally now object objects obviously old ones operations optional order previous prior rdnattid receive relying remove removed removing reuse reusing salary sanaohumanresources save schema schemaidguid searching seems server ships show similar single situation somewhat soon space starting stated still structural superiors sure tasks theoretical thing time try trying user value values viewing windows won't

Reactivating Classes and Attributes

activate active again appropriate attribute attributes box check checks class creating deactivated directory exist isdefunct manager maycontain nondefunct performs reactivate remove schema snap False

The Modification Process

discuss explained issues job modifications modify now order perform practice put related schema tasks theory time various

Order of Tasks

10 11 12 13 14 15 2000 accidental according active add addresses admin administered administrative administrator's administrators admins adsi again ago allocate allocating anything application apply asset assign attribute attributes attributeschema authority auxiliary base before beginning boot bought cache card changing check choose chose class classes classschema commercial complete concurrency control controller controllers custom customer customers dea dea's decide default depend depending described determine didn't directory disable discussion disk divided documentation documenting doing domain done double edit employ enable enabled enough enterprise enterprisewide errors evaluate except exist export extensions fix follows force forest four future get good gotchas guidelines happen haven't help holding house idea implement import inheritance install installation instances instructions intended internally ip issuing keeping kicks ldap ldifde little locks log logon made management manager manner manually master matter maybe members mind minimized minute minutes modifications modified names naturally necessary needs normal normally now objects obtain oid oids ok operations order organization organized others otherwise outside part pass perform perhaps plan point policy possibility preferred prevent procedure proceed process production program protection purposes querying recall recommends reestablish refer refers remaining remove removed replicated replication responsibilities responsible restore return role round running safe schema separate servers similar smart snap snmp someone sooner specified steps strategy superiors team test therefore thoroughly tool topic trigger try unique unless unlock update updated wait value values vendor vendor's verifying version view windows work written

Enabling Schema Modifications

2000 active actually add aforementioned allowed automate box check checking context controller currentcontrolset data dialog directory disable domain dword enable exist exists files good hkey idea includes key kit labeled left line local locate machine made manager master masters mentioned menu modifications modified named node ntds opens operations pane parameter parameters previous protective quotes reg regedit regedt32 regini registry removal remove resource right running schema services snap system tool tree turn type under update value ways whole window windows

The Means to Make Changes

11 active add administrator adsi advance anything application applications attribute attributes basic before beginning bugs careful class comma command cons containing creates csv csvde curve customer data database delete deploying describes description directory edit enabled errors exe export exports extensions feedback file forest format graphical greater handle his import installation interactive interface lab language ldif ldifde learning line made manage manager managing manual modify network object objects operations possibility production program programmatic pros provide right sample schema script scripts separated short simple snap software specially spreadsheet steep steeper suited support tampered test things tool typically utility values ways vbscript vendor write

The Schema Manager Snap-In

attributes classes manager modify schema snap

Creating and Modifying Attributes

20 500 active ad2000 admindescription admindisplayname advanced afterward allow ambiguous appear appears attribute attributeid attributes attributeschema attributesecurityguid attributesyntax bold box bytes check choice cn common consider container contains continue copied corresponds created creating creation description dialog discussed display enter exactly extendedcharsallowed forest general id includes index indicates interface isdefunct ismemberofpartialattributeset issinglevalued ldap ldapdisplayname linkid listed manager mapiid maximum meaningless minimum multi name object objects octet oid omobjectclass omsyntax once open operation perhaps permanent property rangelower rangeupper rdn replicate right sample schema schemaidguid searchflags seven shortcoming shown slight snap specifies string syntax system systemflags systemonly test time tool unique user value valued values warning warns view x500 yes

Creating and Modifying Classes

21 500 acl active add admindescription admindisplayname affect allow anything attribute attributes auxiliary auxiliaryclass bold category class classes classschema cn common container course created creating creation default defaulthidingvalue defaultobjectcategory defaultsecuritydescriptor description difference directory dismiss display edit editor enter four fourth governsid having id includes indicates inheritance interface isdefunct ldap ldapdisplayname least longer manage manager mandatory maycontain modify mustcontain name normal object objectclasscategory objects obvious oid optional otherwise page pages parent posssuperiors properties property provided rdn rdnattid remember schema schemaidguid screen security shortcoming show shown snap structural subclassof superior system systemauxiliaryclass systemmaycontain systemmustcontain systemonly systemposssuperiors third time type unfortunately unique user warning wizard x500 yes


88 able adsi asks attribute attributeid attributes attributesyntax before class cn creating deactivating edit enter except finish fix get governsid issinglevalued ldapdisplayname ldifde least mustcontain objectclasscategory objects omsyntax otherwise procedure progress prompts sample schema schemaidguid short similar situation subclassof sure system time try values warning wizard won't


10 20 123123123 4a 8b9kky41pes0yaf8iaa active actually add admindescription admindisplayname adsi again anything appear ascii attachments attribute attributeid attributes attributeschema attributesyntax base64 before binary block build buy c cache changetype class classes classschema clean cleaner cn coded colon com comma command completed config configuration connecting container contains controller copy correct created creations current d data dc dc1 dcpromo defaulthidingvalue defaultobjectcategory defaultsecuritydescriptor demote depend dependent designates detail development didn't directory discard disk distinguished distinguishedname dn domain edit edited editor empty enter entries exactly exist explain export f file finally follow forest get governsid had help hyphen identical import importing info install instancetype intid introduced issinglevalued latter ldap ldapdisplayname ldf ldif ldifde letters line lines little loading logging look lowercase m makes manager match messaging method mime modifications modified modify msds mustcontain myext myextmod myproduct myproductconfiginfo myproductuserdata name names notepad now object objectcategory objectclass objectclasscategory objectguid objects oid ok omsyntax online order others output parameter perhaps place position posssuperiors preferred press process production r rangelower rangeupper rather rdnattid recall refer refers removal remove replace representation resulting rootdse run sanao save schema schemaidguid schemaupdatenow server show showinadvancedviewonly smtp snap something space spacing specific specify sspi still subclassof successfully systemonly takes test tests testsanao tip tool top try txt type unless update uppercase user usnchanged usncreated value values warning we'll verify whenchanged whencreated virtual virtualpc vmware work writes writing True


attribute best csv csvde describe dumping explained extensions file format imported latter ldif line name names object option pair practical schema spreadsheet suited value values

An Installation EXE File

adapt administrator advantages alter application awkward base64 beings binary c choose commercial completely corrupted customer customers data difficult digitally directory easily enabled encoding ensure error exe fail file format going handle happen hasn't hexadecimal human impossible infected installation intelligence intentionally interactivity language ldif likely origin program programmer prove put schema ship show signed situations somewhat transmission unicode unintentionally various vendor virus write

Some Gotchas in Changing the Schema

before conclude concurrency control discussion issues mention minor modification our process replication schema

Schema Replication

abort add again automatically before class controller current data described domain event everything explained fine go instance log message mismatch normal object processing reaches receives replication requests resyncs schema situation solution source time unknown write

Concurrency Control

accommodate add applications commercial complete concurrency conflicting consequently control controls eight especially extensions former four gracefully installation latter missing modify notice object occur person person's place prevents program repeat run schema separately simultaneously situation six take ten therefore time try

Bringing the Extensions to the User Interface

active added anxious attributes brevity call classes directory discuss display extended extensions hood including instances interface manage now objects permissions place schema things under user

Where to Place the New Objects

achieve active addition administration adsi again application applies buy child choose cn collide com computer configuration consider container control controllers convenient corp corresponding creating data dc delegate delegation delete deleted depending directly directory domain edit enabled ensures exists forest globally important include includes intended microsoft move moved name normal now object objects obviously options organization's ou parent part partition permissions place places placing purposes recall recommend recommends related relates relatively replicated requirements sales sanao services single site situations small sometimes specific static store storing system tree type under useful user users various visibility won't

Managing Permissions

assign attribute1 attribute2 attributes class demonstration descriptive discuss important individual manage managing mandatory names nondescriptive objects once optional part permission permissions possibilities property remember sanao sections sets settle

Managing Permissions for Individual Attributes

acl add appear attribute attribute1 attribute2 attributes automatically become class classes consequently dat described dssec editor hide illustrates manage page permission permissions property sanao visible

Using Property Sets

5 10 16 32 44 46 48 49 55 67 73 74 84 86 89 95 586 1234 3412 8605 9589 12345678 78563412 4400000000 2f 4e 4ebb 55f648e1 73a749ad 73a749ad8605e844aa46a9d3bbe7f9bf 7e 7e74fc2f8d84 8d a7 a9 a9d3bbe7f9bf aa aa46 able acl ad ad49a773 add ads adsi advanced applicable applies appliesto apply appropriate assign attribute attribute1 attribute2 attributes attributeschema attributesecurityguid bb begin being bf box byte bytes characters class classes classschema cn computers configuration contain container controlaccessright conversion correspond corresponding corresponds creating d3 define described dialog did displayname downloaded ds e1 e7 e8 e844 edit editor enables enter entity explained extended f3 f367 f6 f9 fc finally format four fresh get guid guidgen guids haven't hex hexadecimal hyphen hyphens identifier instance instances lines locate modify name necessary normally now object objects obviously our partition perform permissions platform point process production prop properties property purposes put random read refer remember remove replace represent resides result results reversed right rights rightsguid run s sanao schemaidguid sdk serves show snap something spaces specifies specify step store swap swapped tab test third try type unfortunately users uuidgen validaccesses value values whereas windows visible word words write yet

Creating and Displaying the Objects

according active adding admin administration administrative administrators adsi again always application applications appropriate architecture attribute attributes available bad basic best book briefly brings browse building buy c choice class classes columns com company component computer computers context counts course covers creation customizing defined definitions developer directory directory's display displays distribute distributing dll documentation easier edit elements elsewhere especially explain extends facilitates far files forest go good group hand house icons icontextmenu implement including installer interface interfaces ishellpropsheetext item itself languages listed local logon manage menu menus model multiple my names needs network news object objects old option packages pages pane piece places platform policy prepare programmer programming property question real reasons refer require requires right scripts sdk search selected shell show showing snap still tool toward turn user users various view windows visual wizards wouldn't write writing

Display Specifiers

10 11 15 25 409 2000 2003 8424 8922 77597368 0060081692b3 00a024ab2dbb 00c04fa372d4 00c04fc31fd3 00c04fd8d5b6 00c04fd8dca6 0800361b1103 080036af3f03 08eb4fa6 0f65b1bf 11d0 11d1 11d2 126a 1dd2 369c 4e40f770 4e83 62ae1f9a 6dfe6488 6dfe648b 6dfe6492 6ffd 740f 7b15 a0c2 a14b a212 actual ad2003 add admin admincontextmenu administrator adminmultiselectpropertypages adminpropertypages adsi again allows among app appears append appended application applications appropriate arguments attribute attributedisplaynames attributes b0e0 b52c1e50 bbe6 bc43 bcd5 bcdb boolean brown c8ac c8ae changing choice choose choosing class classdisplayname classes closed clsid clsids cn coded column columns com common completely computer computers configuration consecutive contact's contain container contains contents context contextmenu copy corresponding couple created createdialog createwizardext creation creationwizard customizing d6d8c25a data dc dde2c5e9 default define defined defines describes description determine determines disabled display displayed displayspecifiers dll dn documentation dump edit element elements english exe exist expressed extension's extracolumns f5d121f4 field file filenames files find follows formation friendly full givenname globally guids hand hard hasn't header help hkey icon iconpath icons id identifier identifiers implement implemented include index initials interface introduced item jack keys latter launched ldap ldapdisplayname ldifde leaf lines listed lives local locale locate location managed managedby mentioned menu menus microsoft's modifying module multiple multivalued name names needs normally now numbers object objects office often open operating operatingsystem operatingsystemversion optional order organization's organizationalunit origin otherwise page pages pair pane passed path pixels position pre previously program properties property rather read ready reality recognize refer regedit registered registry remove replaced replaces required resource respectively right root samaccountname sanao schema scripts search selected separate server shell shellcontextmenu shellpropertypages similar single sn snap specifier specify state states suggested syntax system technically test things third token tool treatasleaf true type unique united universally unused upgraded user users uuids value valued various version width view windows visibility visible wizard wouldn't xyz zyx

Testing to Change the Displays

achieve add adding adsi attribute batch cached class classdisplayname computer computers context contextmenu corresponding definitions display edit experiment file forest had item locate logon menu much name notice now object objects open perform process program restart running session shown snap specifiers steps television test things type user users value vbscript

Adding the Menu Definitions

11 12 13 active add adding adsi allows ampersand appear attribute available bat c character classes context contextmenu corresponding defines definitions directory display edit exist find future hot item items key leave locate look menu nothing numbers object order out program programmer proper remove result room selecting shown specifier test testitem underlined user values vary vbs version yet

Creating and Testing a Batch File

14 add added appear ascii bat batch c class computers context echo editor except file files folder idea item items keep launch launched ldap limited lines menu name notepad object off open passed path pause possibilities practice process program screen selected showing shown simple snap test testitem user's users values

Creating and Testing a VBScript Script

0 10 11 13 14 15 16 37 64 1601 account acctinfo across actually ad2003 add adding adsi ahead along am among ancient appear argument arguments aspects attempts attribute attributes away bad badlogincount badpasswordtime basis bit bon book's box c caption carriage character chose collects com computer computers consequently contains context continue controller controllers correspond corresponding count creates crlf cscript d date dates daylight default denoted description designed didn't discuss display displays dll domain download editplus else empty error except explained extra failed file fill fine format france get gmt he henri henry his hour hours http include indicates install integer introduces item itself iv jack kit knows kouti language large lastlogin lastlogoff lastlogon lastlogontimestamp ldap le letter letters likely line linefeed lines local log logged login logins logon logoncount logons lowercase menu message method microsoft midnight name names netware networks never nonreplicating nor notepad novell object objects old others our output password passwordlastchanged passwords path pops program property puts putting quitting read reason remember replicated reset resource result results retrieves return right ruled running saving screen script scripting scripts selected sensible sensitive settings shareware show shown site six snap someone sometimes source specifies split starts still stores string successful test testitem therefore time times tried underscore unless unsuccessful upon uppercase useful user users utc value values variables warning vbs vbscript web weekly whereas window work wrong wscript www zero zone

Extending the User Class

attributes class data date discussion employer extend extension extensions her his human implement least manage management modification name organization permissions plan present previous primary purposes resources schema show situation started summarize user values work workstation

Planning the Extensions

17 64 123123123 add allocated attribute attributes auxiliary base below characters class classes company contain contains convenient expect generalized hrpreviousemployer hrworkedsince human latter left length mandatory maximum maycontain normal objectclasscategory objects oid optional our put resources sample sanao string syntax therefore time unicode user whereas

Implementing the Extensions

11 12 24 54 64 123123123 actual add added admindescription administrative allows attribute attributeid attributes attributeschema attributesyntax auxiliary auxiliaryclass base besides book changetype characteristics class classschema cn com compact company configuration contains date dc defaulthidingvalue did dn document employee employee's employer exact extend extensions file governsid hidden house hrpreviousemployer hrworkedsince human humanresourcesextensions interface issinglevalued keep ldapdisplayname ldif ldifde lines maycontain modify needed normal numerous object objectclass objectclasscategory objects omsyntax once part previous rangelower rangeupper related repeat resources sanao saw schema schemaupdatenow screen shots showinadvancedviewonly since straightforward subclassof tool top trick true us user values worked

Managing the Attribute Values

11 active adsi again apply attribute attributes c choice choices class com component computers current demonstrate directory displaying edit enter examples excel handy implement input item language large listing magically menu modify modifying neither notice option our page pages particularly perhaps property read script scripting scripts selecting showing single snap spreadsheet unfortunately user users value values write writing

Adding a Script to the Context Menu

14 16 18 19 20 26 27 409 active add admincontextmenu adsi anao appear apply ask attribute attributes back box briefly brown button buttons c clicks cn configuration contents context current default dialog directory display displayspecifiers edit enter explained extension file finally free function he human inputbox item items jack line lines locate menu msgbox object ok our read remove resources results s sanao sanaohr saving screen script she show shown specifies steps store terminate test user users value values vbs yes

Searching on the New Attributes

21 1996 2000 active add adding advanced again attribute attributedisplaynames attributes available box catalog choose common company contains custom date default dialog directory discussed display domain employer enter entire fields find global hand hr hrpreviousemployer hrworkedsince items joined ldap left log menu modify my name network object off open our pane places practical prev previous queries query refers sanao search show shown since tab tasks user users values windows worked

Managing the Attribute Permissions

acl assign attributes automatically creating described editor explained once permissions property repeat requires show steps won't


base carefully efficiently evaluate examples feel forbidden guidelines implement learned lightly modifications necessary needs plan saw schema serve taken

Chapter 10
Administration Scripts Concepts

active administration adsi architectural architecture background basic basics before chapters check com concepts country course covers debug description directory discuss download effectively enhance entertainingly environment everything examples explanations extends forth full get getting gives going good grammar host http include increase input instance internet isn't knowing kouti language learn line mechanisms modify much novels organization output outputs pack presented provide read run safety save schema script scripting scripts situations skills sources speak started techniques theory too topics travel useful vbscript while windows vocabulary work write www you'll

Getting Started

able active administration administrative aims apply automate available batch before book brief command commands contain convenient cover curve depending directory downloaded enterprise examples files fortunately goal iis important internet item learn learning least line little logon manage microsoft objects perhaps powerful practice programming read real rocket scientist script scripts server servers services source steeper step super tasks teach teaching toward useful user users versatile workstations write written

The Script Execution Environment

10 98 2000 access active activex ado adsi along alternatives beneficial bind child choices cn cons container contains data database db directory discuss domain enables environment excel except focus four fourth generic good host implemented included interface interfaces interpreter item items language languages lines microsoft names notepad objects ole open oracle present previous programmatic pros provider purely run running sample script scripts sections server service source spreadsheet sql team technologies things users various vbscript windows write written wsh

The WSH Environment

95 98 2000 2003 able accepted access achieve acquired actions active addition administrative administrator administrators ado adsi advantages advsyscon aligned almost alternatives amazing anything apart application applications architecture asp basic batch begins binary book broad buy c call calling cdos check choice code collaborative com command commands commercial company compared compiled compiler component components computer computer's computers conclusion conditional contain continues contrast control correct cover data databases debugging develop developers development difficult directory disadvantages display displays dll download easier editor enables environment environments error events excel exe execute executed file files find fledged flow focus follows fortunately full functionality further general generic go graphical greater harder he help his host hosting hours house http ide idirectorysearch iis inappropriate include included includes including input install integrate integrated intelligent interact interactive interface items jscript jumped kit language languages large launch learn learning less letter limits line local loop lottery love macro macros made malicious manage management meaning megabytes messages messaging method microsoft model msdn much natural needed normal nt numbers object objects ocx off office old once ones opens operating others pages party plain pop power powerful prefer present pretty processing professional programmers programming programs progress ram ran react ready real registry remote remotely resource run running script scripting scripts selling separately sequentially server services simultaneously solutions something sometimes spend standard starting statements successfully suitable superset support supports system takes tasks tend terminated things third time txt typical unless user users various vba vbs vbscript web week's vendor vendors versatility version via widely winbatch windows windowware visual working workstation world write written wsh www xlnt xp

The VBScript Language

262 2000 2003 administrative administrators backward better book c choice compatibility compliant conforms consequently considered dedicate difficult easier ecma ecmascript edition entirely examples fancier included includes jscript language languages learn learning lives maintain mostly older programming require scripting scripts server specification standard vbscript web version versions while windows wsh xp

The ADSI Interface

95 98 2000 2003 access active add ado adsi almost alternatives among api application best boston brown c call choice clearly client cn com command commands dc difficult directory directoryservices download ds dsadd dsclient easier enable enables environment existed full functionality get gives http implies include includes install instrumentation intended interface interfaces introduced jack jackb knowledge knows language ldap leverage management microsoft name net netware nt offers old option ou person practical programmatic programmers programming properties provide pure purposes pwd range read recommends samid sample sanao script scripters scripts sds server service somewhat system targeted targets top unlike user versions windows wmi wouldn't write wsh www

Launching WSH Scripts

before command file get graphical interface launch line say script scripts types user various ways we'll words wsh

Script File Types

actual along argument button command contains current default double drag drop dropped enter executables extensible file filename files folder four graphical interface interprets js jscript language launch line markup maybe mouse path press run script search selected settings specify tags traditional type types user ways vbs vbscript while via wsf wsh xml

WScript versus CScript

10 appears black box c choice choose command commands comparison computer corresponding cscript default dialog differences drop echo environment errors examples exe executing explained extension extra feature file filename former front graphical hello launch line lines manager maybe method output path pop precedence process run script show specify takes task test type typing vbs window word wscript wsh yes

Testing with a Small Script

10 100 actual administrative applies ascii aspects autocomplete beginning better button character characters choice clicking cmd command completionchar computer consequently control cscript current cycle default depending depends easy echo enabled environment environments error examples exe execution feature file filename find graphical half hello hkey important include key launch launched less line local locate long longer look machine matches matter messages microsoft name names needs notepad now operating order output parameter perhaps pop press print processor rather redirect regedt32 respectively results run save script script's scripts selecting serious show small software starting suited system tab tasks tend test tip try txt type typing user users value various ways vbs version window world write wscript

Controlling WSH Scripts

before command computer discuss explain line options script settings store user we'll

Command-Line Options

10 13 active actually allowed always appear ascii assumes b batch before beginning character command commands contains convention copyright cscript cursor d debugger debugging default describe description dir documentation enable engine environment erroneous error examples execute exist explains file files get h happens help host hostopt1 hostopt2 include indication initial input interactive introduced job jobs js jscript launch limit line lines logo long meaningful mentioned message messages microsoft mode n name nologo normally notice noticed now o obsolete often omits omitted once online open opens opposite option options output p pc placing pop preceded previous process receive redirect run running s save saved saves screen script scriptname scriptopt1 scriptopt2 seconds separate settings showing slash slashes something sometimes specifies specify starts suppresses t time timeout traditional type typing u unfortunately unicode user warning vbs vbscript version whatever windows visibility wscript wsf wsh zero

Script Settings

10 15 00aa004a55e8 11cf 5b07 a4b0 actual actually add alphabetically apart appear b b54f3741 batchmode briefly carries character classes clsid command commands computer contents corresponds created cscript current default defined described dll dot effect elaborate environment examine examples exe extension familiar file find folder found general h hkey host indicates inprocserver32 instance interested interprets invocation key launch line locate logo long mentioned mentions microsoft name nologo now nowhere nt ok once ones open operations option options others out page performing permanently precedence previous procedures properties property reference registry remain right root run s saw save script scriptengine scripts settings shown similar software sorted step steps t tab take third time timeout type under unless user various vbs vbscript vbsfile windows wscript wsh

Killing a Script

able active actually administrator affect alphabetically amount applications appropriate batch being c careful cause check close closes column columns command course credentials cscript ctrl damage deduce depending directory doing environment esc exe factors finish goes graphical happen harming help helped hung image infinite input interface job kill killing launch least line localsystem locate loop manager message middle moment name never numbers o operation operations output part perform place pop possibility possibly press pressing privileges process processes reads requires running scheduler script seconds seems service shift shouldnít something sometimes sort specified spend started steps stop system tab take task taskbar theoretical time timeout tip unless update user wait warning while whole view willing window windows visible writes wrong wscript

Setting Up the Development Environment

adsi among convenient documentation easier editor effective extra fingers includes minimum notepad others quick requirements script scripts vbscript windows work writing wsh

Getting a Script Editor

10 137 2003 action advanced advantages application around away bar bars basic black browse button code color colors column com comments company computing context corresponding course current default defines easily edit editing editor editors editplus eng enhancements error errors es especially examples explain explorer extension favorite file files finally folder frames function help highlighting htm html http improvement include included keywords koala least line locate made menu mouse much names nice notepad notice now numbers ok open opens options our path primalscript problem product program programming programs provides quickly readable replace reserved right rulers run sapien save script scripting scripts sell server shareware space status strings stripped syntax tab tells times tip toolbars tremendous try trying turn types typing ultraedit us various vbs vbscript version white view windows winedit writing wsh www

Getting the Documentation

10 1999 2000 2001 2003 1mb 395kb 3mb 5mb access adam address adsi adsi25 among anymore asp available bin branch button buy cd chm com compiled contains contentname continuously convenient core cost created current dated directory disk documentation download downloadable downloads easy engine exe february file find folder format fulfills get go guides handling hard help html http https included includes including install internet it's language less library menu microsoft microsoft's msdn msdownload navigation netdir networking newer nts ntserver old online opening option others page part place platform platformsdk platformsdkhome point programs purpose qmedia references relatively run scrdoc56en script scripting sdk sdkupdate search seems separately services shipping showcontent site size starting storefront technologies tree updated user's vbscript web windows windowsserver2003 writing wsh www

Sources of Additional Information

15 2000 15seconds access active address administer adsi alone among areas aspects available basis book's browser center chapters collection com communities community contains cwashington developer developments directory documentation engine feel find fit formerly general good http including interfaces internet keep knowledge kouti large learn library magazine microsoft microsoft's msdn msn net netreach news newsgroups nntp nt obviously others out overview pages platform public publisher purposes reading related resources sample script scriptcenter scripting scripts sdk search seconds server service site sites solutions suffice technet technologies update vbscript web win2000mag win32 win32scripting windows windowsscript visit writing wsh www

VBScript Language

adsi again anxious arrays aspects available basic bat batch cmd commands complete conditional constants constructs control conversant cover data documentation downloaded elementary enables enough explain file files flow fully functions gain general good guidelines includes isn't items keeping keywords language learn learning length looping necessarily objects offer often operators presented procedures program programming reasonable reference require scripts series skip statements subsets time try type typed types understanding variables vba vbscript while visual

Dissecting a Sample Script

10 ask asks basic box calculates centimeters contains display displays explaining exploring feet fewer height inches input introducing language lines looks message nearly output question results sample script scripts separately short show things user warnings vbscript

The First Sample Normal

10 12 13 14 15 17 18 20 22 23 25 26 30 34 48 200 2000 1970s actually add addition again ampersand answer apostrophe argument arguments ask asterisk automatic back ball basic beginning born bugs button buttons calculate call cancel carriage carried cause causes characters clause clauses clicked colon comma commas comment comments complex computer concatenate concatenation conditional consequence const constant constants contained contains contents continuing control convention conversion convert corresponding corresponds couple cstr cut cylinder data decimal decimals declare default define descriptive device dim dimension display divide easier edge editor empty encouraged enhance equals error evaluated everything exclamation executed explain explanatory explicit extra file fix flow foot forces forming formulas function functions generate get good had hard height help helps ibm inches indent indicate indicates input inputbox inside int integer intheightinmillimeters intmyvar intrinsic keyword kinds known language leaving left letter letters likewise line linefeed lines locate long mark marks middle millimeters mismatch mistype msgbox multiply name names neared necessary needed needs nicely notice now numbers ok old omit once operators option optional options our out output paper particularly parts physical plus point prefix prefixes printed program programming put quickly quotation read readability readable recommended regional remaining remember represents require return returns rid right rods rolled round row runs sample says script scripting scripts scroll seem seen self sensitive separated seven short show sign slash sometimes source standing stands starts statement statements store str string strings strresult style succeeds symbol take takes tell term terminals thing times together too true try type types typewriters typical typically typing underscore understand understanding unnecessary uppercase user value values variable variables various vbcrlf vbexclamation vbokonly vbscript version why window visible work works write years

The Second Sample Short

10 11 34 able adds always better calculate comments consider const contents dim directly drop explicit formula functions input inputbox intermediate intheightininches j less letters lines longer loop option out output place possibilities readable regards results sample script seem shorten shorter show statements store user variable version write

The Third Sample Very Short

10 11 12 arguments basketball book comment considered contents cut directly everything fit inputbox intermediate line lines msgbox notice page result results return sample shortest squeeze values vbscript version

ADSI Concepts

10 13 2000 abstract access account active actually add addition address administrative adsi affects alone among application applications apply automation background basic best beyond bindery binding book c cells client client's clients code com comes common compile component concepts consequently contain controller controllers conventions cooperation corresponding data debug declare demonstrate depending details development differences differs dim directory discuss documentation domain dump early echo embedding environment environments eventually exact examples excel exchange exe explain explanations facilitates fashion file four fragments full general groups identically iis implemented include included integer integrated interface interfaces introduced jscript kinds language late ldap leave linking loosely manage manipulates match member method microsoft modify msgbox named namespace namespaces naming nds netscape netware nonautomation novell nt nwcompat object objects ole our output place platform point print programming provider providers provides queues real related replace resources sample script scripting scripts server servers service services shares shipping show small somewhat spreadsheet stand stands statements stores suitable support supported supports system technology term terms tip true turn type types understand understands user users variable variables ways vba vba's vbscript vendor vendors view windows winnt visual work working workstations world write written wscript wsh xp you'll you're

Basic ADSI

adsi demonstrate fragments operations scripts typical

ADSI Operations

acls active adsi bind bound child consists container delete demonstrates directly directory events flow include listed manage move object objects operations perform permissions properties read rename sample schema script steps target typical write

A Sample ADSI Script

10 14 15 active adsi along apply basic bind binding bound browses child children class cn com computer confusing container contains contents cycle declare define demonstrates description descriptions directory distinguished filter forest get include includes instance ldap line listed little loop marks name names namespace now objcontainer object objects operation our out output point predefined print provider quotation ready reason result run sample sanao schema script shown slashes sound specifies string subclass subclasses target test user user's username users variable variables whose within

LDAP Binding Strings

389 3268 a434e4ee3da56b4a81a282fcb79e1748 adsi adspath alternative attribute attributes being better bind binding catalog changed changing cn coded com concatenated container controller credentials dc dc1 default descriptiveness discuss distinguished domain examples follows gc global guest guid hard include ip ldap let letters logged longer look lose mentioned name names namespaces necessary needed normally object objectguid omit path pick point port present previously provider replaced running sanao script seen selects server serverless show site sometimes somewhat specific specify standard still string strings synonymous target tcp therefore us user users version whose winnt work you'll

Using rootDSE

18 19 22 500 2000 access active adding adsi agent attribute attributes being belongs bind binding cn coded configuration configurationnamingcontext container context controller corresponding credentials currenttime default defaultnamingcontext described directory disadvantage discuss distinguished dnshostname documentation domain domaincontrollerfunctionality domainfunctionality dsa dse dsservicename encounter entry exact examples execute far find follows forest forestfunctionality four get getobject guest hard highestcommittedusn include includes interesting isglobalcatalogready issynchronized knowing ldap ldapservicename ldapv3 line lines logged name names naming namingcontexts normally objdse object objuser our part partition presents provide refers remove root rootdomainnamingcontext rootdse running schema schemanamingcontext script scripts seen server servername show slight specific specify stands string subschemasubentry supportedcapabilities supportedcontrol supportedldappolicies supportedldapversion supportedsaslmechanisms system term time tree turn user user’s users whose windows virtual words write

Basic COM

10 13 555 3159 accomplish active addition adsi among applies appropriate arguments around attributes basic batch binary c call calling cn com command commands component components concrete control couldn’t delete directory display documentation easy echo enable enables enhance entity exact examine exe faxnumber file files finally full get gives interact interface interfaces invokes jack language latter likely line makes mechanism method methods mostly name names normal object objects objou often operation ou parentheses perform power principle properties property read refer relationship represent represents ret return returns sales saw script scripts something sources standard store syntax tasks technology things time tremendous user value values variety ways vbscript versatile version write wscript

The Property Cache

10 16 1988 1970s active adsi along ancestor answer appeared aren’t attribute attributes back basic benefit cache chapters choice common convention current directly directory documentation efficient enable existed follow function generate generates get getinfo go goes group instance interchangeably lan language larger latter manager method methods microsoft names network nt o object objects os others phone principle programmers properties property put putinfo read reads replies request requests script separate setinfo small speed statements talks technically terms think traditional user utilization variables why windows wonder workstation write writes

Between the Property Cache and Active Directory

30 36 active arguments attributes back bypass cache call calls changed concerned constructed corresponding count delete directory empty except explicitly file forget get getex getinfo getinfoex gets implicit invoke issue letting listed method methods nonempty normally notepad nothing object objou objuser ou password performance properties property refresh retrieve saving script scripting scripts setinfo setpassword similarly therefore user’s value ways whatever writing written

Between Your Script and the Property Cache

10 11 16 20 30 36 257 access account active actually admit adsi along apply argument arguments associated attribute attributes avoid avoids b before binary boolean c cache call checking choice choices class classes code column consequently considerations constructed control converted corresponding cover creates d data date dates description descriptor differences difficult directory displaying dn dynamic dynamically easier easy enables equivalent error errors examples exceptions explained explicit expressed extra fairly fetched finds format found fuller get getex getinfoex getting guest handle handling handy hard hassle help iadsuser includes integer integers interface interfaces item large lastname ldap lines listing little logged look marks mentions method methods middle missing modifies mostly multiple multivalued mysterious name names naturally normal normally noted nt object objpropentry objuser obvious offers out part picture please privileges production properties property put putex quotation raw read reader reading referring require results retrieve return returning rows run script scripts security separated show simplification sn sometimes special specifically static string strlastname subject thanks time tricky try types unicode unless user value values variables ways vbempty vbscript whereas write writing yet

Handling Special Data Types

11 14 17 32 64 ^ 26074403172981e access accessing accuracy active add adsi arrays attribute base binary bit bits briefly bytes component components consist contain converted count data decimal decimals describes descriptor directory dn documentation effective examples explain explained extra extremely floating formula fortunately get good handle handling headaches help high highpart hundreds iadsdnwithbinary iadsdnwithstring iadslargeinteger iadssecuritydescriptor integer integers interface interfaces large listing losing low lowpart mean mentions move multivalued nt objects out parts perhaps permissions point previous properties property rare refer result resulting returns right schema security seems separately show single spaces special string suited too total tricky try type types understand unicode user value valued values vbscript vbscript’s very work wrong zeros

Single-Valued and Multivalued Properties

10 111 257 444 1111 4444 active added ads adsi again allows almost always append argument arguments array arrays attribute attributes before best call choice clear cleared compare consequently constant data delete describe describes description difficult directory divided easier easy element enables error examine feature flexibility found four get getex had handle home include includes ldap line lines meant method mode modes multiple multivalued name normal normally numbers objuser order otherhomephone out particular phone previous properties property put putex rather read received rely remain removed replace result resulting retrieve returns script seven show single specify state store strategies string strings takes time total tried type types update updated user value valued values vbempty versus work works writes writing written

ADSI Interfaces

36 64 65 access active activeds add addition adsi almost alone answer back basic bit book capabilities class classes colons com component consequence contains convention correspond corresponding corresponds dedicated define dim directory dll documentation easier enable enough equivalent exist existence expressing familiar fewer file follow follows forget forth general generic get getex getinfo getinfoex gives high iads iadsgroup iadslargeinteger iadspropertylist iadsuser implemented implementing important inherit interact interestingly interface interfaces lastname ldap lines listed locate low mainly managing manner matter mean meant merely method methods much name names object objects objgroup objuser offers official ou part password point previous print properties property provider put putex question queues raises read reason responsible router secure services setinfo setpassword shares something specify specifying static still ten topic trying twofold useful user user’s variables various vbscript visual

The List of ADSI Interfaces

10 45 65 access accesscontrolentry accesscontrollist acls active add adsi adsysteminfo almost appear attributes automatically automation basic behind brief browse c cache call categories category class classes clients collection common computer computeroperations container core couple cover current data deleteops describe description directory discussions divided dnwithbinary dnwithstring documentation domain dual dynamic enable enables examples exception extension familiar file files fileservice fileserviceoperations fileshare four frequently functions getinfo group helper iads iadscontainer iadsgroup iadsuser idea idispatch independent interface interfaces isvs iunknown largeinteger left locality made manage meant members methods modify name namespaces nametranslate nds nonautomation novell o object objectoptions objects obsolete open opendsobject organizations ou out pathname persistent present print printjob printjoboperations printqueue printqueueoperations properties property propertyentry propertylist propertyvalue propertyvalue2 provide queues read references relatively relevant resource save scenes schema scripts sections security securitydescriptor server service serviceoperations services session sessions setinfo shares software space special specifically syntax syntaxes therefore type types user utility vbscript vendors winntsysteminfo

The IADs Interface

10 17 18 active adspath always attribute basic binding braces build cache class container contains contents curly dashes depending description descriptions directory display displays distinguished enable execute explain form format formats get getex getinfo getinfoex guaranteed guest guid iads iadsgroup iadsuser inherited interface interfaces ldap listed manage mentioned methods name namespace namespace’s naming normally object objectguid output parent point previously properties property provider provides put putex rdn read return schema script seem setinfo shouldn’t shown six slightly specific string target titled user values vary view work

The IADsContainer Interface

10 11 14 2000 access active adsi appear argument array attribute attributes basic browsing cache call child class cn com combine container containers contains contents copies copyhere count creates creating current dc delete deletes deleting demonstrate described description directly directory divided documentation echo element examples filter filtered follows form getobject guest handy hints iadscontainer ignore implemented including interface jack jill ldap line lines longer match meaningful method methods microsoft’s move moved movehere moves moving name network normally now objcontainer object objects objuser optimizing otherwise ou performance perhaps possibly properties property provider put read reasons rename renamed replaced retrieved returned sales sanao seems source specified speed subclasses suggests supported target traditional traffic user users value variable wasn’t vbtab version windows work wscript

The IADsUser Interface

0 0 10 11 12 13 14 22 36 64 128 1601 2000 2003 able accountdisabled accountexpirationdate accountexpires active addition administrator adsi advantage advantages always anyway api apply argument arithmetic array attribute attributes attrldapname away b badlogincount badpasswordtime badpwdcount beginning behavior belong belongs better bit bits bitwise book browse c cache call century changed changepassword choice choices class cn collection com comfortable common compare comprehensive computers connection consequently consistency consistent contain containing contains convert correction correspond corresponding d date dates dc defined demonstrate department depending description descriptive difficult directory disadvantages discussion displayname division dn dynamic echo emailaddress employeeid empty enter equivalent error etc excluding explain explicit facsimiletelephonenumber faxnumber filter firstname found fullname generalized generationqualifier get getobject givenname gmt group groups happens help homedirectory homedrive homepage homephone iadscontainer iadsmembers iadsuser including individual integer integers interface interfaces intervals isaccountlocked isn’t it’s item january kerberos large lastfailedlogin lastlogin lastlogoff lastlogon lastname ldap legacy likely lines listed lockouttime loginhours loginscript loginworkstations logonhours long loop mail maintained manage managed manager manually maxstorage meaningful members mentioned method methods microsecond middlename mobile modified much multiple multivalued name nameprefix names namesuffix neither netusersetinfo netware never normal now nt objchild objects objpropentry objuser obsolete octet offers officelocations old ones option othername pager parts passed password passwordlastchanged passwordrequired pc25 pc37 pc38 personaltitle physicaldeliveryofficename picture postaladdress postaladdresses postalcode postalcodes previously primarily profile profilepath properties property protocol provider put pwdlastset raw read reading reason regardless repadmin requires retrieve return returns right sanao script scriptpath secondarily seconds secure seealso server setpassword sets settings seventeenth shown similar similarly since single sn snap something specific ssl static still stores string strlastname syntax syntaxes telephonehome telephonemobile telephonenumber telephonepager telling therefore third thumbnailphoto time times title tool tries type unicode unless user user’s useraccountcontrol users userworkstations utc value valued values variable vbtab version versus very windows visible work works writing wscript wwwhomepage yes zero zone

The IADsGroup Interface

10 14 2000 2003 account active ad2000 ad2003 add adds admins adspath attribute cases changing cn collection com computers contacts controller controllers corresponds count dc dc1 default demonstrate depending describes description directory domain echo empty emulator filter forest functional get getobject group groups habit help iadsgroup iadsmembers include interface ismember ldap level lines loop loss managed managing member members membership memberships mentioned method methods modifying multivalued name narrow normal normally objchild object objects objgroup pdc primary primarygroupid property provides remove removes replication results returns running sanao seems server somegroup static take target therefore time user users warning windows work wscript False True

ADSI Syntaxes

10 11 12 13 15 16 19 20 22 23 25 27 28 32 40 58 72 123 138 193 394 access accesspointdn active address adsi adstype adstypes again aka appear attributes audio automation base binary bit bool boolean bstr byte caseexactstring caseignorestring comment correspond corresponding count data date dedicated descriptive descriptor descriptor directory directorystring dispatch distinguished dn dnwithbinary dnwithstring enumeration essential exact finally four friendly generalized generalizedtime handles handling happy hear help i4 ia5 ia5string identifier identifiers idispatch ignore integer integer8 interfaces large ldap ldaptype link map mapped name nt numeric numericstring objectsecuritydescriptor octet octetstring oid ole orname parentheses point presentation presentationaddress printable printablestring provider replica schema script scripting security sensitive show sid signed special string sufficient supports syntax syntaxes teletex telexnumber time turn twenty type types understand unicode utc utc utctime value values variant various vartype write vt

Additional Techniques

11 api aware com commands components debugging describe encoding examples executables file good including input items lines net output present script scripting scripts sections techniques ways win32

Ways to Input and Output Information

active arguments command cscript database depending destination directory display echo enter equal excel file follows function input inputbox interactive likely line lines mentioned method methods msgbox options output pop popup prompt read redirected scripts source spreadsheet standard still user ways vbscript very window write wscript wsh

Using Executables from Scripts

administrative applications available command commands copy dir dos ds dsadd graphical including keep line mind net operating scripting scripts solve system tasks user windows wsh

Using COM Components

15 100 2000 2003 access active addition address administration ado adsencode adserror adsfactr adsfsmo adsi adsi25 adslocator adsras adssecurity adsversion among anything api applications arguments asp beyond book brief browse cd clicking com command components computers control counters creating custom default demonstrate desktop developer devices directory dll doc documentation download downloads driver drives eight enable enables environment err error event excel extensive file files filesystemobject fills folder folders functions handling homemade http iadstools included includes install installer instrumentation interact interface kit library line link log made manage management manipulate mappings master microsoft model modifying monitor msdn network nts ntserver object objects office often operating operations organization others owners perform performance permissions popular products provide providers purchased read registry related relatively replication resource role rom sample samples say scope scripting scripts sdk server services setup sheets shortcuts shrink site snmp specific standard support system thing things utility variables vbscript wdm win32 windows wmi wrapped write writing wscript wsh wsharguments wshnetwork wshremote wshshell www

Using the Win32 API

amount api apis application available button call calls com command computer createobject data difficulties dll exe find function functions http huge interfaces learning least library line lines locks lockworkstation microsoft msdn occasionally option otherwise parameters pass passing program require right run rundll32 script scripts sensitive shell study try types unfortunately usage user32 viable win32 window wmi word wscript wshshell

Debugging Scripts

commands debug debugger despite development environment extra integrated microsoft output recall satisfactory script scripts shortcoming wsh

Debugging with Extra Output Commands

add appropriate beginning command commands const containing debug debugison determine easily going help include keyword line moment off output places prefix print printing script try turn user value values variable we’ll within

Microsoft Script Debugger

10 20 1997 2000 2003 advance again appear arise arrow asp ball basic breakpoint bugs call calls chain com command commands complex contains contents continue corresponding cscript current currently cursor d dark dated debug debugger debugging degree download downloadable edit ends environment error excluding exe execute executed executing explanation explorer f5 f8 f9 files find fix follows function functions get halts host html http identify include includes indicates internet intheightininches itself kill launch launched left line logging long made manager meaningful microsoft move much myscript newer normal nt october off once opens option options our page part places press pressing procedure program query receive red requires respectively responding running scd10en script scripts searching seems server shown stack starts statement stops subprogram sudden symbol task time tip track try turn unfortunately until useful value variable vbs version vertical window windows visible word works wsh www xp yet

Encoding Scripts

adequate against available buyers check com command commercial contents cracking creates download encoder encrypted encryption enough exe file follows horses http inspecting install intact latter leaves look mdbwu microsoft modifying msdn myscript organization prevents protect run sample sce10en screnc script scripting scripts serious similar threats trojan trust users warns vbe vbs vendor whose willing

Including Script Lines from Another File

10 13 14 16 21 22 200 absolute address adsi beginning closing com constant contain copy corresponding course definitions directly download examples extension file files functions gather gathered http huge include included kouti least line lines little modify needed normal others pairs paste path receiving reference relative required result reuse script scripts series show shown single solution special specified subprograms tags tens typically useful wanted various vbs vbscript wsf www xml you’ll


adsi concepts environment explained explore now presented ready run sample script scripts test writing

Chapter 11
Administration Scripts Examples

active addition administration architectural architecture background before begin chapters check concepts course description directory download enhance examples explained extends focuses get going immediate include internet introduction isn’t journey knowing learn let line mechanisms modify much organization outputs pack practical presented presents previous provide providing read recall run safety save schema script scripting scripts situations sources theory too useful work write you’ll

ADSI Examples

14 112 accept access account active administration ado adsi appear apply arguments attribute’s attributes bar become best binding build cache categories category checking class clearer code com combine command commands comments complete computer concepts configuration consider constant continue control covers definitions depending directory discuss display divided download downloaded drive editplus emphasizes encourage error examples excel explain explained explanation explanations explicit extension feature field file filenames files find findstr fit folder font format former function gathered get givenname group guest hard heading helps http hundreds include included including indicate indicates input inputbox interface kouti latter ldap learning length line lines local long longer looking main management manipulated match method methods missing mostly multipage multiple mysterious name needs nicely normal now numbers object objects objuser once ou our output page part phrase pick placed plentiful point prefix principles proceeds programming prompt properties property put qgrep rather reading repeat right sample samples save schema screen script scripting scripts search seems serves shorter shots show simpler solution somehow space sparingly special specify spreadsheets status still string suggests tasks technique techniques technology tens therefore third thoroughly tip total toward type user values various vbs windows word works writing wsh www xls

User Management

1 2 3 4 5 6 7 8 9 10 11 12 13 account add addition ado adsi appear approaches attributes bat batch cache ch11 container containers contents examples excel file folder get home imply includes input macro management methods minimum names normal options properties property read rest run sample scripts show standard techniques user users vba vbs ver written wsh xls yet

List the Users of One Container vbs

10 11 13 14 15 17 accepts add adsi along application appropriate argument ask asks basic batch before bells bind box browse bug calling cancel child chosen class clicks coded commas computer container contents default description descriptions dim display distinguished domain done enter entered error explicit file filter finally found get had hard input level line logged mentioned name names now objchild object objects option output previous prompt property provided put quit read recognize returns rootdse run sample saw script script’s similar something specify statements subclasses title user users vbs weren’t whistles

List the Users of One Container to Excel vbs

11 12 13 14 15 21 22 23 31 add adsi allows appear append application argument binding browse care cells child choose cn column com command computer container contents corner creates cut default define description descriptions didn’t difference displays distinguished dn dump ellipses empty excel extra filter headers horizontal installed instantiate left letters line lines makes move name needlessly object objects offset output place previous put removed result save script script’s short space spreadsheet starts taken time truncate upper username usernames users vbs vertical window visible workbook write

List the Property Cache Contents vbs

0 0 3 10 11 15 17 25 26 27 46 12711570387 27115703873392e adsi adstype answers appears attribute attributes badpwdcount bind book cache changed changing character class column command consequent constructed contain contents controller controllers convert corresponds date depending depends didn’t discussed display displays divide domain exact get getinfoex gives guest guest’s he his include indicates integer interfaces itself knows large lastlogon latest left line lines local long member multivalued name nonreplicating object organizationalperson original output parentheses part password person pick position previous properties property query read repadmin result results sample script script’s selected settings showtime string sum superclasses support take target tens therefore time tip tool top until user utc value values warning vbs zone

Property Cache Interfaces

11 access adstype argument before better browse browsing cache caseignorestring difficult drawn enable enables entries entry everything explain finally former four getobjectproperty getpropertyitem givenname iadspropertyentry iadspropertylist iadspropertyvalue iadspropertyvalue2 iadsproperylist ignore illustrated index indicate individual interface interfaces item latter lines looks method modify name now object objpropentry objpropvalue objuser original our perhaps practice properties property read represent respectively retrieves sample script show skipping soon string strsomething time turn user’s values variables work write writing

The List the Property Cache Contents Sample Script

11 13 15 16 18 19 20 21 26 27 31 32 33 34 36 38 39 40 41 access accuracy actual added adsi adstype align anything argument b binding bit bits browse browses cache calculates call caseignorestring choice clear clumsier column complicated consequently const constant contents converted copied count data definitions descriptor descriptors differently display documentation easy entry finally floating formula get getinfo getobjectproperty go guest handle help high host iadspropertylist iadspropertyvalue iadspropertyvalue2 included index indexing integer integers interface keyword large latter lengthening line lines loop losing lower makes method’s name names negative objadobject object objlargeint objpropvalue octet onscreen order otherwise output parentheses part parts pasted point print proper properties property rather read recognize represents required result retrieve rootdse script script’s security show single space spaces specify starts statement store string strings sure syntax too types until upper value values variable varpropvalue vbs vbscript whole wouldn’t zero

List User Properties with Get vbs

0 0 0 0 10 11 12 13 14 15 16 20 25 29 30 34 36 39 41 46 48 49 50 51 55 64 84 85 86 90 91 95 97 104 107 200 223 257 263 372 775 807 854 1601 access account accountexpires accounts active actually ad2003 add adding additionally additions adsi again align aligned allowedattributes alone always anything appropriate argument arguments array assuming attribute attributes avoid b base beginning besides bind bit browse bugs c cache call changing characters choice class clear code column command commented compared constant constructed contain contains contents continues control count created current d data date declare default defines detect dim directory discuss display displays domain easier effect enabled enough equal err error errors examples except exist expected expire expires explained explicit explicitly expressed extensions extra f failing feature feed figures file find format function functions further get getex getinfo getinfoex givenname guest h half handle handles handling hands helps hexadecimal hides iadslargeinteger implicit include indicates integer interested interface involving largest ldap level line lines listusers long longer look mandatory mean method middle multiple multivalued name names nasty needed needs negative never nonexisting now nullifies numbers object objects objuser once ones onscreen operation option optional order original our out output outside parentheses part parts pass passing perform possibly practice previous procedure produces properties property put read really recognize redirects related represent reserved result results retrieve roughly run running said schema scope script script’s scripts seconds selected short shouldn’t show showbinary showlargeinteger showothertypes showpropandvalues since single situation six spaces special specifies state statement statements step steps still stop store sub subclasses subprogram subprograms surprise syntax syntaxes take target test theory therefore time tip try txt types undeclared unless unlike us user users v valid value valued values variables various warning vbs version whole won’t work worked works wouldn’t year yet yourself

List User Properties with Methods vbs

0 11 11 14 16 17 18 19 20 21 24 36 40 59 61 63 105 223 372 775 807 854 1100 1111 1970 3f able account accountexpirationdate active adapt adsi align aligning allowed almost among anything array arrpropvalues asc attribute attributes b background before binary binarytostring bit bits browse byte bytes c c0 cache character cleaner code colon column com complicated component computers consequently consistent constant contains contrast convert converts correction correspond corresponding cz d data date dates day daylight define defined demonstrate denied deny description detpg difference directory dirty display displays domain dst editor effect employeeid empty error examples expiration expired expires exposes feature ff figures find functions general get gmt guest handle handles handling hard hasn’t hexadecimal hour hours htm http iads iadsuser implications includes indicates interface introduce key language learn len lenb length line lines little log loginhours loginworkstations logon logonhours long look looks makes manage mean meaning meaningful method methods microsoft mid missing monday multivalued name names never nice normal now object objects offers origin otherwise our output page part parts permit permitted possibilities postaladdresses pressed previous print properly properties property pstruh put quick read represented restriction restrictions resulting retrieve return returned roughly sample saving schema script script’s scripts scriptutilities seealso sensibly settings shareware show shown single snap solution special static still store string suited sunday sundays supports tab take techniques therefore things third time times tip tips tool types user users userworkstations utc value valued values variations various warning vbempty vbs vbscript vbtab web week versions very whereas whole works workstation www zero zone

List the Account Options of a User vbs

0 0 0 0 0 0 0 0 0 0 0 10 10 10 10 10 11 21 22 23 24 25 27 32 38 40 43 47 49 61 63 64 66 69 71 73 2000 2003 10222 66082 access account aces acl active actual addition adsi again ago anymore appear appears attribute attributes b better binary bit bits bitwise bolmustchange boolean c calculated calculator cant cause character check code command computers consequent consequently constant constants contains control convert copied corresponding corresponds decimal defined definition definitions delegation determined determines directory display displays documentation domain dont eight enter equals error except exception expire expires explained explore figures file find flags folder four function functional get graphical h h10000 handling harm her hex hexadecimal his home iadsuser include indicate indicates inspect integer intuserflags isaccountlocked jackb jackb’s labels lan large level line lines listed lmaccess locked lockout lockouttime logical logon manager meaning method methods mimic name names needed net never nonzero now nt object occurrence off operation options order out output part parts passwd password passwordchg passwordreq performs permissions platform pre property provide pwdlastset remove removing required requirement result results retrieve scientific script script’s sdk server settings show snap stands state static still store tab ten test third tool trusted twenty twice type types uf us user useraccountcontrol users value values variable warning vbs vbscript view windows visible work years zero

Create a User with Minimum Attributes vbs

11 13 16 17 19 20 21 24 26 27 100 200 222 2000 2003 account active actual actually add adsi anything anyway appear appears argument attribute attributes back before bind box cache call class cn code coded com command commented common completed completes complex computers configuration container contents corresponds couple course creating creation currently dc default defined definition difficult directory disabled display dnsroot domain domains done enabled ensure enterprise error examples excel far folder generated get graphical hard haven't hexadecimal iadscontainer indicate input latter length less line lines listed log logon made mandatory memory method minimum name names needed nothing now object objects our out output partitions password passwords places policy pre present presents process profile properties property provide put quota random read reason release released releases rely request required requirement requires run samaccountname sample sanao schema script script's scripts server setinfo setpassword she shouldn't show shown snap solution sources subprogram successfully suffixes symbolize tell time times tip tool trusts uncomment unwilling upn upnsuffixes user user's useraccountcontrol usernames userprincipalname users uu00 uu01 uu02 uu99 value wanted variables various vbs whatever windows write xls yourforestname

Create a User with More Attributes vbs

11 21 23 24 27 28 29 30 34 37 40 43 45 47 48 49 50 58 60 257 $ able account accountdisabled accounts active actual actually adding addition address adsi again almost always appear append application applications appropriate arguments assign attribute attributes automatically b back before bit boxes brown c cache card causes changed character clear coded command common complex computers consequent constant contrast corresponding course created creates creating creation current date default define defined demonstrate depends description desired didn't differences directory disabled display displayname dollar domain enable enabled error excel expand figures files firstname flag flags folder folders four front fs generate get gets global going group hard having her hexadecimal hidden home including indicate indicates individual informational initial initials input integer jack jackb jb large lastname latter least leave length letter likely line lines local logon logs lost mail manipulate mess method middle minimum multivalued name needed normal normally now nt obviously once operator originally our part parts password passwords path paths picked policy precaution predefined preferable present previous process prof profile properties property propery putex pwdlastset read real reason refresh relieve remaining removes replacing representative request require required requirement requires rest result reverse roaming safe sam sample script scripts server sets settings share short show sign significant similar single smart snap special specifies specify static store subprogram summing techniques third time turn type unwilling user user's useraccountcontrol username usernames users usual value values variable various vbs we've very whereas windows workstation world worry wouldn't write writing

Create a User with a Batch File bat

11 12 15 18 30 2000 2003 ^ aces acl add adsi approach arguments asking assign available bat batch behind benefits blocks brown cacls carets cases cause command commands comparison continues control creates createuser creating discussed done dsadd easier edit editor entries examples fact file filedacls filename finally folder folders full get grants help home incorrectly indicate ineffective inheritance introduced jack job kit launch line lines management managing motivation much nt obvious open option order ordered our p pack permission permissions pl potential previous prior problem pure receive removed replace resource runs script scripting scripts server service share shared sharename shortened shorter show simpler sometimes somewhat supplement tip tool traditional understand user user's username warning vbs vbscript windows wsh xcacls you'll

Create a Home Folder for a User - Ver 1 vbs

11 15 18 20 22 31 able aces allows answer append array ask automate bat batch before c cacls cmd comma command commands complete computer confirmation created creates current dc1 edit element enter exe file finally folder form grants halt hidden hide home implemented include input instantiate jackb keep key kit kits launches letter line lines local locally md method moving net notepad nt object option order our path permissions pressing previous programs prompted reason remove resource rmtshare run sample script server share shares small store sure task therefore tip txt unc unfortunately us user users wait warning vbs ver window windows word work wsh wshshell y yes yourfilename

Create a Home Folder for a User - Ver 2 vbs

11 13 15 17 19 20 22 23 24 26 27 32 2000 2003 access accounts aces active add adsi adssecurityutility apply attributes available bat batch bind binding cacls changed choice com combine command complete components computer connect constant contents control created createfolder creation default described directory domain done enhanced everyone except file filesystemobject folder folders full grant graphical home iadssecurityutility interface laborious lanmanserver limit line lines local machine maxusercount method modifies modify much name net netbios normal now object objects objserver owned path permission permissions present previous problem provider read refer remotely right root run save script script's server service share shares sharing show similar still string therefore things time unc unlimited user user's wanted warning vbs ver version windows winnt work workstation wsh xp

Read User Information from Excel xls

11 33 34 a2 activate add alt appear application arguments attributes basic box call cell controlling createobject createuser data despite dialog directly dumped editor elements empty environment excel excel's f11 fake file get indicates input inside line lines long looped macro macros main manually menu module move name names now object opens outside part press program read real refer remember repeated replace retrieve run sample screen script similar something spreadsheet subprogram subprograms take title typing user usernames ways vba vbs vbscript via visual words wscript wsh xls you'll

Read User Information from Standard Input vbs

command error including input keystrokes latter lines options output program read running script show standard typically while window write wsh

About Standard I O

2003 add adding anotherprogram append application background become before capture capturing cases character clip clipboard command destroy did dir echo error errors events experiment file files follows graphical greater input inside learn least less lines listusers log morepossibleerrors moreuserlist morning myinput mysterious night notepad o old otherwise our output part paste pipe possibleerrors previous process program programs read redirect redirecting redirection result run sample saving schedule script scripts server shown sign someprogram sometimes standard therefore tip txt type useful userlist windows wscript

The Read User Information from Standard Input Sample Script

10 11 35 36 access accessed array arrinfo associating beauty beginning c choice command const contents course createobject cscript current data default documentation easier element elements enables environment excel exec fact feature file filename filesystemobject folder forget forreading function functionality goes haven't include included including input inside itself launches line lines long loop method name named names now objfile objfs often omit open opentextfile our output pass presented previous program property rather reached read readuserinfo replacing result sample script scripting separate separated shortened shown somewhat split spreadsheet standard stdin stream subprogram tab test txt user user's userinfo variable vbs vbscript wscript wsh

Schema Access

access before concepts describe samples schema script show


11 abstract access active adsi adspath adspaths advantages aggregate allows attribute attributes attributeschema available binding briefly browse check choices class classes classschema cn com combine common compare concept configuration contain container creates dc dc1 definition directory discussed easier extensions feature forest form givenname identify indicate introduced latter ldap modifications modify name names object objects properties property real root sanao schema shorter show specify strings subschema subsection subset superior syntax user value ways while yes False True

Properties of the Abstract Schema Objects

10 11 abstract access accordingly adsi array attribute attributes automation auxderivedfrom auxiliary check children class classes cn container containment data depending derivedfrom description element friendly handle harder iadsclass iadsproperty iadssyntax id indicates interface interfaces ldap little makes mandatory mandatoryproperties maps maximum maxrange method minimum minrange multivalued name names naming namingproperties object objects oid ole oleautodatatype optional optionalproperties otherwise ou parents possiblesuperiors properties property read relevant respectively returns s schema scripts string subclassof subschema superclass superior syntax syntaxes type value warning write writing False True

Retrieving the Path to an Abstract Schema Class Object

10 abstract access bind class concepts contain corresponds getobject help iads interface introduced jack ldap line move now objadobject objclass object objects properties respectively sample schema scripts time understanding user values

Schema Sample Scripts

14 15 16 17 18 19 20 21 22 23 24 abstract access adsi anr attribute attributes attributeschemas catalog ch11 class classschemas constructed container examples excel global indexed leaf member nonreplicated objects present properties property real rest sample schema scripts show vbs

List All Abstract Schema Objects vbs

11 35 37 38 70 191 abstract adsi beginning category classes command depending entire extra fields file greater line lines loop object objects order our output part print properties reads redirect sample schema script short show sign syntaxes type vbs

List the Member Attributes of a Given Class vbs

11 39 40 abstract adsi again argument attributes auxiliary beginning bind class classes classschema cn command contents file get greater ldap line lines mandatory maycontain member mustcontain name names objclass object optional output properties property real reason redirect schema script script's sign similar specified sum superclasses systemmaycontain systemmustcontain takes user vbs

List the Member Attributes of a Given Class to Excel vbs

11 28 31 41 a1 activate activecell activesheet add adjusted adsi application ask attr attribute attributes attrs beginning besides bolded box call class column contents createobject data dim documentation dump echo enter error excel explicit extends file finally get getobject greater headers import input inputbox inside ldap left len line lines m manage mandatory mandatoryproperties manually maxrange member minrange multivalued name names nice nicely now o objattribute objclass objects objexcel offset oid onscreen option optional optionalproperties output particular playing previous print properties put range redirect resume schema script script's show showattrandfeatures sign something statement strgivenclass strmanoropt strpropname strsheetname sub suited syntax tables tabs time tip value vbs while widths visible workbooks write wscript you'll True

Show Property Properties vbs

11 42 43 adsi argument attribute check command contents handy introduce ldap line name output previous properties property quickly script script's show small subset takes techniques vbs

Container or Leaf vbs

11 44 45 abstract add added adsi attribute binds check child class cn computers contact container containers contains contents corresponding default display group groups hosting ldap leaf leafs lines longer names object objects our output property really schema script script's snap specifier specify string technically times treat treatasleaf user users wanted vbs works

List All Real Schema Objects vbs

11 46 47 70 191 able abstract add adsi aggregate attributes begin beginning category class classes common container contains contents definitions display error exist get implement ldap ldapdisplayname line lines loop method name named objchild object objects output part property reads real retrieves sample schema script script's show single sort subschema syntaxes time vbs

List Indexed Attributes vbs

11 48 49 abstract add adsi attribute attributes attributeschema base bit browses checks contents described error forest indexed least lines modify objects output purposes real resume sample schema script script's searchflags statement subsection test unless vbs won't work

List ANR Nonreplicated and Constructed Attributes

40 anr attr attribute attributes attributeschema avoid base checking const constants constructed copy defined deletion discussed dynamic easiest equal error evaluation explicit extra flag flags found gc get h1 h10 h2 h4 h8 indexed ldapname line lines little looks method modify now objchild objects obviously part property remove replace replicated resulting retrieve scan scans schema script search searchflags statement survive syntax system systemflags therefore user value vbempty

List Global Catalog Attributes vbs

11 12 50 51 adsi approach attribute attributes avoid catalog causes considers contents dealing directly error found get global ismemberofpartialattributeset ldapname line lines missing objchild output part present previous property retrieve script script's situation statement syntax therefore value vbempty vbs False

List All classSchemas to Excel vbs

10 11 12 13 14 52 a1 activate activecell activesheet add adjusted admindescription admindisplayname adsi application arrparamlist attribute attributes binary bolded browse categories chosen class classschema classschemas clear cleared cn code column constructed container containment cooler createobject defaulthidingvalue defaultobjectcategory defaultsecuritydescriptor didn't dim displayname distinguishedname dumps easy enhance err error examples excel explicit follows found freeze get getobject governsid guest guid haven't identifiers include includes inheritance interested introduced lbound ldap ldapdisplayname line listed manually miscellaneous modified move move multivalued name names names none objchild objdse object objectcategory objectclasscategory objects objexcel objschema offset omitted option options order output panes picking previous properties property range rdnattid read reading replace resulting resume rootdse rules schema schemanamingcontext script showed spreadsheet structure subclassof systemflags systemonly target techniques time ubound user value varvalue vbs widths visible words workbooks wscript yet True

List All attributeSchemas to Excel vbs

10 11 12 13 14 15 16 17 18 53 a1 action actions activate activecell activesheet add adjusted admindescription admindisplayname adsi again application arrparamlist attributeid attributes attributeschema attributeschemas attributesyntax bolded chosen class clear cn column combined content createobject data dim distinguishedname err error excel except explicit extendedcharsallowed follows found freeze get getobject haven't identical identifiers independent ismemberofpartialattributeset issinglevalued lbound ldap ldapdisplayname line linkid manually mapiid miscellaneous move move name names naturally now objchild objdse objectcategory objects objexcel objschema offset omsyntax option output panes perform pick preferred previous property range rangelower rangeupper resulting resume rootdse rules schemanamingcontext script scripts searches searchflags short similar slightly spreadsheet subprogram syntax systemflags systemonly ubound value varvalue vbs widths visible workbooks wscript yet True

Create an Attribute and a Class vbs

10 11 20 54 55 56 123123123 accidentally add adding admindescription adsi adsysteminfo allowed alternative anyway apply array arrays assignment attribute attributeid attributes attributeschema attributesyntax away base beginning bind binding box cache call call call call changing checkiferror class classschema clear cn code com commented configuration confirmation consequently consistent const container contains controller couldn't created createobject creating data dc dc1 default defaulthidingvalue definition demonstrate described dim domain double ds easiest echo edit element emphasize ensure err err error errorlevel errors exists explicit extending extensions fail far follows forest former forward get getobject go goes going governsid h8007200a h80072035 had haven't hex iadsadsysteminfo identifiers include included instances interface intyesno issinglevalued keyword latter ldap ldapdisplayname lines main manually master message minute modify msgbox multivalued mustcontain myproduct myproductconfiginfo myproductuserdata name names nature no nor objattr objclass objdse objdse object objectclasscategory objects objschema objsysteminfo occurs omsyntax operation operations option our out output part perform period posssuperiors precautions put quit rangelower rangeupper reason refreshschemacache request result resume right rootdse run runs sanao saves schema schemaupdatenow script searchflags server serverless set setinfo showinadvancedviewonly shown six something specify strattemptedoperation string strings structural sub subclassof subsequent succeed take there time times top trick trigger trigger triggering try uncommented unwilling update updated updates us user waiting value values wanted vbcritical vbcrlf vbdefaultbutton2 vbno vbokonly vbquestion vbs vbyesno very works wouldn't write write wrong wscript wscript True

Configuration Information

25 26 27 28 29 30 31 32 access active adsfsmo adsi adsysteminfo attribute attributes cache ch11 class configuration dc directory display examples gpo guids masters modify mostly names namespaces objects operations partition presents property rootdse sample scripts supported things vbs

List the Supported Namespaces vbs

11 57 58 ads adsi appears binding category computer configuration contents currently had iis installed namespace namespaces output run running sample script script's service short special string supported vbs

List Attribute Display Names vbs

11 59 60 adsi argument attribute attributedisplaynames browse character class comma command consists contents correspond display filters function interface ldap line lines loop manage multivalued name names object objects output pair read resides sample script script's separator specifier split splits takes user value values vbs versus

List the DC GUIDs vbs

11 14 61 62 63 active adsi attribute binary column command common configuration container containing controller controllers correct dc dc1 dcguids1 dcguids2 deep delete determine directory document domain easiest easy file finally forest format get guid guids hierarchy iads interface lines listed loops memory method name nested nice ntds object objectguid objects order output outputs partition property reach read reads redirect refer refresh replica result retrieve returns ring sample script script's server services settings site sites snap sort sorts statements things txt under vbs

List the rootDSE Property Cache vbs

10 11 64 65 adsi bind cache coding contents displays domain everything explained far hard name objects output properties property reads rootdse script script's vbs

List the GPO GUIDs vbs

11 66 67 active adsi attribute binary common contents default directory domain easy exist file folder gpo gpos group guid guids listed name names object objects output policy retrieve sample script script's system vbs

List the Operations Masters vbs

11 14 68 $ active adsi argument attribute attributes box call cancel clicked cn configurationnamingcontext contain controller default defaultnamingcontext dim directory displays distinguished dnshostname domain echo enter explicit follows forest fsmoroleowner get get getobject infrastructure input inputbox intgap ldap len listed manager master masters name naming ntds obj objdc objdom objdse object objects objinfra objntds objpartitions objpointerobj objrid objschema operations option output owner owners parent partitions pass pdc pointer pointer points quit reads rid role roles rootdse schema schemanamingcontext script script's server settings showfsmo strdefaultdom strdom string strname sub subprogram system user variable vbcrlf vbs vbscript wscript

Changing an Operations Master

80072035 add appropriate atomic attempting attribute attributes becomedomainmaster becomeinfrastructuremaster becomepdc becomeridmaster becomeschemamaster before binary briefly call checking class code com configuration controller cooperation correspond corresponding corrupt dc dc2 domain error executing explained failed follows forest format fsmoroleowner get getobject great handling including incorporate infrastructure infrequent initiate introduce ldap lines listed listing manually master objdomain objdse object objects objectsid occurs operational operations otherwise owner perform performing pointer practice preceding presented previous principles provide put refer requires result role roles rootdse sanao script seize seizure seizures server setinfo shouldn't sid special sure synchronization tasks throroughly transfer transferring transfers understand unwilling value warning vbs vital write wrong

List the Operations Masters with ADsFSMO vbs

11 69 adsfsmo adsi away c command component components connect controller copy current determines dll dllregisterserver domain easier educational file files folder former include indicating kit knows leave listed locate location master masters message microsoft much now object operations owners perform perhaps platform pop previous program query ready register regsvr32 resource resourcekit right role roles samples script sdk shorter shown steps succeeded system32 too utilities wanted vbs winnt

List ADSystemInfo vbs

11 70 71 adsi adsysteminfo attribute class configuration contents explained general includes interface method output refreshschemacache script's vbs

Access Control Lists

2003 access aces active add adsi control directory enables explain file files folder folders fourth iadssecurityutility include interface interfaces keys manipulate modify ntfs objects permissions registry sample scripts security server shares show vbs versions windows xp

Security Interfaces

11 72 access ace aces acl acls active again attribute being control depending descriptor descriptors detail directory discretionary drawn enables entries enumerate explain fields follows get gives hands he iadsaccesscontrolentry iadsaccesscontrollist iadssecuritydescriptor individual interesting interface interfaces kind memory ntsecuritydescriptor objace object pages perhaps reading refresh represent script security system time variable variables work

The Access Control List Sample Scripts

33 34 35 36 37 38 aces add adsi binary ch11 examples excel folder guids introduction long practice present script short useful vbs

List ACEs - Short vbs

11 73 74 access aces active adsi box cn container contents control directory discretionary enter excel filter full hf01ff input inside interpret loop mask name object out output part put sample say script script's short something statement unwanted users vbs

List ACEs to Excel - Short vbs

11 12 16 18 19 23 24 75 20094 a1 above access accessmask ace aceflags aces acetype acl activate activecell activesheet ad2000 add adsi application applies apply applying architecture bf967aba bug cancel child clicked cn comments compare complete computers container control createobject default defaultnamingcontext dim discretionaryacl discussion distinguished dump editor enter entries excel except explanatory explicit f01ff far flags follows format full get getobject going goto goto guids hex identical inetorgperson inherited inheritedobjecttype inputbox interface knowledge ldap line lines logical name nearly nice notice ntsecuritydescriptor objace objadobject objdacl objdse object objects objecttype objexcel objsecdesc offset ones open option output page part permission permissions presented previous properties property provide provided quit range read redundant refer repeat resulting rootdse samples script self sets short show shown slight snap somehow spreadsheet starting strdefaultdn strdn ten time trustee user user users value wanted various vbcrlf vbs visible workbooks write wscript you'll True

List Binary GUIDs vbs

11 12 16 20 76 77 00aa003049e2 0de6 11d0 a285 access aces acls active actually add adsi aggregate attribute attributes attributesecurityguid automate ba7a96bf ba7a96bfe60dd011a28500aa003049e2 bf967aba binary braces bytes check class classes cn compare complete contents control conversion convert curly d011 data directory displays e60d entries examine exist filters final format get guid guids handle hyphens iads include interfaces line lines listing long mainly method methods middle modifying objchild object objectguid order our out output placed process properties property representation result returns rightsguid sample samples schemaidguid script script's similar solution string swap turn type user value values variable vartype vbempty vbs

List ACEs - Long vbs

10 11 12 13 14 15 16 17 18 30 78 80 250 320 19 1a 2 6 6 a access accessmask ace acecount aceflag aceflags aces acetype acetypes actrl actually ads adsi again allowed alone alternative amount approach arradsaceflags arradsacetypes arradsflags arradsrights array arrays arrbits arrbytes arrvalue ascb attribute attributeschema audit better binary bit bitfield bitfields bits bytes cancel careful check child children class classschema clicked cn compare compares comparison configurationnamingcontext confused consequently considerable const constant constants constants constants constants constants contain container containing contains contents control controlaccessright controller convert converting correspond corresponds cpu cryptic dac defaultnamingcontext define definitions delete denied didn't dim discretionaryacl display displayname distinguished domain ds echo elements english enter environment examples execute exit explicit extended failed fields filter finally find flag flags flags follows format full function generic get getinheritedobjecttype getobject getobjecttype getschemaidguid getstringacetype getstringbits go guid guidbinformattostrformat h1 h10 h100 h10000 h100000 h1000000 h10000000 h2 h20 h20000 h20000000 h4 h40 h40000 h40000000 h5 h6 h7 h8 h80 h80000 h80000000 hand handle hex hf01ff including indicating inherit inheritance inherited inheritedobjecttype inherits inputbox inside intacetype intbitfield interpret interpreted interpreting latter lbound ldap ldapdisplayname len lenb length less lines long longer loop loops main mainly makes mapguidtomatchingname mask match mentioned mid midb name names needs nothing now ntsecuritydescriptor numbers objace objadobject objchild objdacl objdse object objects objecttype objextrights objschema objschemaobj objsecdesc option others out output owner pairs part percent permissions plain present previous production program prop propagate property put quit read requires results right rights rightsguid rootdse run saw schemaidguid schemanamingcontext script script's security seem self separate sets slightly something statements strbyte strdefaultdn strdest strdn strguid strguidasstring strguidbin string strname strout successful synchronize system takes third time total traditional tree trustee type ubound ucase unfortunately unknown unwanted user users value values various vbcrlf vbs we works write wscript

Using Regular Expressions to Convert the GUID

12 16 30 32 $ -$ add again anyone approach braces characters chop chops complex convert curly dim editor enable expressions familiar feature fewer format function functions get guid guidbinformattostrformat hex hyphens implementation implemented includes introduce latter lines long manipulation nine objregexp opted our pattern percent perform rearrange rearranging regexp regular remember replace result script search sed show slower steps streaming strguidbin string strrearranged support take ten therefore together traditional tried unix wanted vbscript

Add ACEs vbs

ace aces active add appropriate contents demonstrates directory done easy events explain explained flags generic get imagine job lines objects order permissions presenting reasons right sample scenario scenarios script settings subsection subsections thoroughly trustees various

Knowing What to Add

20094 access ace aces acl actrl actual add adsi apply become bits children computers constants container contains control correspond delegation descriptive documentation ds editor exact file find flags four greater hex inherit inheritance interpretations knowing lazy little long mask necessary notepad notice now object open out output perhaps permissions presented prop propagate put read redirect remove script settings short sign snap steps take target test together trustee user users value values various vbs wizard

The Add ACEs Sample Script

13 40 ------------ ------------- ----------------------------------------------------- ---------------------------------------------------------------- ------------------------------------------------------------------- 00aa003049e2 0de6 0e4c 11d0 5cb41ed0 a285 a286 access accesscontrolentry accessmask accounts ace ace ace acecount acedemo aceflag aceflags aces acetype acl actrl add add addace added adds ads all allowed apply arranged audit automatically back baron beforehand below bf967a86 bf967a9c bf967aa5 bf967aa8 bf967aba bits call child class classes clean com compact computer const constant constants contact control convenience create create create create created createobject current dac defaultnamingcontext define definitions delegation delete denied depending differently dim discretionary discretionaryacl ds echo effect execute explain explicit failed flag flags flags full generic get getobject group h1 h10 h100 h10000 h100000 h1000000 h10000000 h2 h20 h20000 h20000000 h4 h40 h40000 h40000000 h5 h6 h7 h8 h80 h80000 h80000000 had hf01ff important inherit inheritance inherited inheritedobjecttype itself ldap lines little manage manually mask no no ntsecuritydescriptor objace objace1 objace1 objace1 objace2 objace2 objace3 objace3 objdacl objdom objdse object objects objecttype objou objsecdesc ones option order organizationalunit ou owner permission permissions present printer printqueue prop propagate properties put read reason red redbaron retrieve right rootdse run sanao schemaidguid schemaidguids script scripts security self setinfo some subsection subtree successful synchronize system target test third together tree trustee type types user wanted variable wizard write wscript

Order of ACEs

11 79 2000 2003 access ace aces acetype acl active add addace ads allow allowed appear applies apply appropriate article automatically base before beginning button categories class consequently correct corresponding dacl default defined denied deny depending depends determine directory displayed divides editor effect empty enough error evaluate extended file find follows found get go goes grant grayed hand handled he hierarchical hierarchies hierarchy him hurt illustrates indicate indicates inherited inheritedobjecttype jack knowledge lead level levels likely listed long message method microsoft needed noninherited nothing object object's objecttype ok once open opened opening order ordering out outcome page particular perform permissions place pools preceding preferred property puts q279682 rebuilds remember reorderdacl reordering right run runs saved securable security server shouldn't shown situation sort specify starts subobject subprogram take think third type types versus windows within wrong

Defining Trustees

11 21 32 545 1143 2000 1030254238 1078345429 1718597718 $ authenticated authority baron belongs builtin category character cn com common computer computers corresponding dc dc1 depends discussion distinguished dollar domain examples format formats groups iadsaccesscontrolentry interface known name named netbios nt pre principal principals property red redbaron representation s sam sanao security sid sids sign string trustee trustees user users windows

Using the Generic Permissions

11 13 19 2000 20004 20028 20094 access aces acl active actrl actually added ads bits column consequently constants contains contents control converted corresponded corresponding corresponds counterparts definition difference directory discussed disk dropped ds editor equal execute explained f01ff final folder four full generic get got graphical guess he include interface listed map mapped mappings maps mask meaning never now object out permission permissions prerelease process programmatically programming prop read release remaining remember right script security self show someone special standard synchronize system therefore user version windows write wrote

Add ACEs to a Folder vbs

79 2000 11 14 access accesscontrolentry accessing accessmask ace ace ace acedemo aceflags aces acetype acl active add add addace added adding adds ads adsi adssecurity adssecurityutility alarm all all allowed append apply article assumes attributes audit available baron base before bits c call check child com component compound consequently const constant constants contain container contents control create create createfolder createobject creates d dac dacl data defined definitions delete denied descriptor descriptors differences dim directory discretionary discretionaryacl discussed documentation ea editor entire enum environment error execute exist explicit failed file file file file file file file files fileshare filesystemobject flag flags flags folder folder folder folder folder folder format full generic get getsecuritydescriptor grants h h0 h1 h10 h100 h10000 h100000 h1000000 h10000000 h1301bf h1f01ff h2 h20 h20000 h20000000 h3 h4 h40 h40000 h40000000 h5 h6 h7 h8 h80 h80000 h80000000 hadn't having header hexstring http iads iadssecurityutility iadssecurityutility iadssecurityutility iid inherit inherited instance interface interfaces kit knowledge kouti listed long mask meaning meanings message method microsoft modify name named objace objadssec objdacl object objects objfs objsecdesc option order ordering owner part path pathtype permission permissions pipe platform preceding present presented propagate property q279682 raw read red registry reorderdacl requires resource sample sanao script scripting sd sdk security securitymask setsecuritydescriptor similar slight somewhat subdirectory subprogram subtree successful synchronize system tip traverse trustee type types version versus whole windows winnt wouldn't write written www

OU Group and Computer Management

39 40 41 add adsi ch11 clip clips complete computer computers full group groups independent line manage managing object objects ou ous present script scripts show users vbs working

OU Management

cover creating deleting management moving objects ou shown tasks user users we'll we've

Creating an OU

active call com dc directory domain getobject iadscontainer ldap lines method objcontainer object objou organizationalunit ou root sales sanao save setinfo under usual

Deleting an OU

according active argument b bind call careful child choice com container dc delete deleted deleteobject deletes directory documentation empty entire future getobject iadscontainer iadsdeleteops interface itself ldap lines meaning method nonempty objcontainer object objects objobject organizationalunit ou parent platform reserved sales sanao sdk setinfo tree ways

Moving Users of One OU to Another

adspath array call class com computer computers container dc filter getobject iadscontainer includes ldap lines mentioned method move movehere name objects objsourcecontainer objtargetcontainer objuser ou rd sales sanao show subclass third user users

Deleting Objects of One OU

call careful child class code com container dc delete deleteobject deleting getobject ldap lines method name needless objadobject objcontainer objects ou sales sanao say script user

Group Management

10 adding addition cover creating deleting group groups management members ou showed tasks user users we'll

Create a Group vbs

11 80 2000 2003 actually adsi attribute better corresponds default define defines difficult distribution enabled flag generated global group groups grouptype include kick lines local logon name omit practice pre provide random rely samaccountname scope security server she shouldn't show shown specified specify type universal upn user wanted vbs windows

Deleting a Group

before call cn com dc delete getobject group ldap lines members objcontainer object ou remove sales salesmen sanao type

Add Users of One OU to a Group vbs

11 81 add adds adsi argument browses cn group little members method ou path permissions remove sales script security therefore unless users vbs works

Create a Computer Object vbs

100 2000 5306 9020 315273 $ 0000f80367c1 00aa003049e2 00aa006c33ed 00aa006e0529 00c04fc2d4cf 00c04fd8d5cd 0de6 11d0 11d1 126a 20c0 3e0abfd0 4c164200 5f202010 72e39547 79a5 7b18 a060 a285 a768 a9c5 access accesscontrolentry accessmask account accountdisable accounts aceflags acetype actrl adapt addace adef administrator ads adsi allowed always appended applies article attribute baron base becomes below bf967950 bf967953 call character cn code com combination common computer computername computers const contains contents control createcomputer created createobject creates creating creation currently defaultnamingcontext delete description dim disable discretionaryacl display dns dnshost dollar domain ds easily echo eight empty enable explicit extended f3a64788 flag flags full get getobject grants group groups guid h0002 h0020 h1 h10 h100 h1000 h10000 h20 h20000 h4 h40 h5 h8 h80 haven't host implemented in's inheritance inheritedobjecttype initial join knowledge ldap lines listed logon member microsoft ms much name necessary needed no no no no no no no no normal notreqd ntsecuritydescriptor objace1 objace1 objace2 objace2 objace3 objace3 objace4 objace4 objace5 objace5 objace6 objace6 objace7 objace7 objace8 objace8 objace8 objcomputer objcomputerscontainer objdacl objdse object objects objecttype objsecdesc obviously option or ou passwd password path pc17 perform permission permissions pre present previous principal prop properties property put read red require requires restrictions resulting right rights rightsguids rootdse safest sam samaccountname sample sanao saw schemaidguids script self server service setinfo settings shorter sign similar skip snap special specify spn strcomputername strwhocanjoin sub subprogram subtree tested things tree trust trustee type uf user useraccountcontrol users validated windows works workstation write ws wscript you'd

ADSI without Active Directory

10 42 43 44 45 46 2000 active adsi alone apply book ch11 class computers controllers cover directory domain examples extensively file functions groups little managing member nt preceding primarily print properties provide provider publish queues recall script server servers services sessions share shares short stand tasks taste user users vbs windows winnt workstation workstations

List Services vbs

10 11 82 83 2000 active add administrative ads adsi alerter applet apply automatic b binding bitfield book browse button characters choose class code column command computer const constants container contains continue ctrl dc1 defined demand dfssvc directory distributed domain dynamic easy elements enter error esc excel exe explaining f familiar file filter find groups h10 h20 hexadecimal hints iadsservice iadsserviceoperations include interface interfaces internal k knows ldap line lines listed load local looks loop manager manual msinfo32 name net network nt object open options others output outside part path pause paused pending persistent places press pressing pretty print process processes prompt properties property queues read redirect refer remaining resist run running sanao scope script service services shift shown simultaneously snap status stop stopped string system tab task temptation time type ugly users value ways vbs whereas while win32 windows winnt wsh

List Users Groups and Print Queues

classes filter group groups obviously previous print printqueue properties queues read replace respectively script service user users

List Shares vbs

11 20 84 85 2000 2003 $ admin adsi again anymore append automatically best binding book browse c children code column command computer connect consequently contained contains created creates d defined differences display domain excel extra f file filter find format get hard hidden iadsfileshare include included interface internal ipc key lan lanman lanmanserver limit lines listed logged manager member mentioned method name names net netbios network normal now object objfileshare open our output previous property reason redirect refers registry remove result returns run running script seconds server service share shares shown similar started statement still string target therefore time times tries user userdomain users wait value variables vartype ways vbempty vbs windows won't work works workstation wsh

Create a Share vbs

11 18 86 2000 2003 20003 aces active add adsi allow c caching call cn command connect container control count created creates default demo demonstrated directory discussed domain domains else enough everyone except file folder full home iadssecurityutility include interface line lines manage max maxusercount method modify net normally ntfs path permissions physical publish published redirected refers run script server settings share sharedemo shares shown something somewhere target task time unc unlimited user users vbs ver windows work

List WinNT Properties of User Class vbs

11 25 87 88 200 2000 2003 abstract accountdisabled acls active actually addition adsi alone becomes bits cant card class classes computer controller corresponds didn't directory domain dropped empty except exposes extra fake feature fewer find four iadsuser implements include includes indicates inside isaccountlocked ldap length lines loop mandatory meant member methods minimum name now nt objects old optional out output passwd password passwordage passwordexpirationdate passwordrequired path pc17 properties property provider read reads real remove requirement run schema script seconds server servers settings shown smart something somewhat stand statement static still support supported test uf unlike user useraccountcontrol userflags vbs whereas while why windows winnt workstations wouldn't xp

Create a User in a Workstation vbs

11 89 adsi attribute choose cn computer created emphasize except explicit four get inside jack ldap lines listed local method methods name names now previous properties property put show static time user users vbs we'll winnt workstation

Additional Techniques

47 48 49 50 51 addition adsi bind binding briefly catalog ch11 checking cmdtool command complete credentials error explain explaining follows global line lines listing objects present rename safely scripts show subtree technique techniques users vbs wkguid wkguids

Binding with Credentials

2000 access active actually added addition administrative administrator ads adsi adspath allowed allows alternate anonymous appropriate arguments authenticate authentication avoid baron bind binding caches call calls clear cn com computers conditions consecutive const constant constants convenient course credentials dc defaultnamingcontext define delegation directory distinguished documentation domain download empty encode encoder encryption exactly explained extra far fast feature get getobject guest h1 h10 h100 h2 h20 h200 h4 h40 h8 h80 involved keep keeping kerberos ldap least lines log logged logon logs marks method methods microsoft name namespace needless netbios normal nt ntlm null objcontainer objdse object objldap objuser occasionally old open opendsobject operator option options password passwords picture plain principal prompt protocol quotation readonly real red redbaron refer requires result rootdse run runas sam sanao say script scripts sealing secure server serverless session showed shown signing somesecret specify specifying ssl step storing strings subsequent supplied talking time together traditional underlying upn user username usernames users valid vbnullstring windows works True

Binding with WKGUIDs

32 128 active adsi allow always behind bind binding binds bit braces characters cn command container corresponding curly default directory discussed explain follows getobject guid hexadecimal hyphens inside known ldap name objcontainer object parentcontainerdn reason redirusr rename results safe script scripts show someguid special specifies still string strings syntax users value wkguid wkguids work works

Bind to a WKGUID vbs

09460c08ae1e4a4ea0f64aee7daa1e5a 18e2ea80684f11d2b9aa00c04f79f805 22b70c67d56e4efb91e9300fca3dc1aa 2fbac1870ade11d297c400c04fd8d5cd 6227f0af1fc2410d8e3bb10615bb5b0f a361b2ffffd211d1aa4b00c04fd7d83a a9d1ca15768811d1aded00c04fd8d5cd aa312825768811d1aded00c04fd8d5cd ab1d30f3768811d1aded00c04fd8d5cd ab8153b7768811d1aded00c04fd8d5cd attributes available away avoid better bind binding binds bound child cn com computrs configuration const container controllers data dc deleted description descriptions despite didn't dim distinguished distinguishedname domain echo errors explicit extra f4be92a4c777485e878e9421d53087db file foreignsecurityprincipals formed found get getobject guid h infrastructure interfaces ldap leaf likely lines little lostandfound microsoft misleading name names ntds ntdsapi objchild objcontainer object objects option part perform platform program properties property quotas refers right rootdse s sanao script sdk show strcontainerdn string system systems therefore time took users values vbtab wkguid wscript

List WKGUIDs vbs

11 90 91 active ad2003 adsi always arrvalues ascb attribute attributes base benefit binary binaryvalue binval child command consequently container containers contains contents corresponding current d data default defaultnamingcontext defined dim directory distinguished dn dnstring domain echo edit exotic explicit f file get getex getobject guid handle hex iadsdnwithbinary indicate interested interface invisible known l ldap ldifde len lenb lines logged methods midb name names objdom objdse object objectguids objects objval option output p pair parent part properties resulting root rootdse script search semicolons show shown special specifies strbyte strguid ten txt type update user value values vbs wellknownobjects wkguids wscript

Rename-Safe Binding to Other Objects

11 92 2849 4e8a aa63b9fc add adding addition addotherwk administrators adsi again allows array attribute attributes b235 base64 best binary bind braces byte bytes cf3556517d32 character characters com command common component contain contains contents curly dc default delete developers digest distinguished dn domain e8bb encoding european explained export f fcb963aabbe88a4eb235cf3556517d32 file generate get getobject guid guids handling hyphens iadsdnwithbinary import interface kicks laborious ldap ldf ldif ldifde line look looks mandates missing modifies modify much name now object objects objou ones otherwellknownobjects ou perform platform qjozmjpgq0i5 remove rename representation returned rfc root run safe sales sanao saw sdk show similar somewhat special specifies specify steps straightforward string strings swap system target therefore umlaut unsafe utf8 uuidgen value vbs vbscript wellknownobjects wkguid wkguids works š

Binding to the Global Catalog

70 150 ad2003 ado adsi advantage apply attributes base below benefits biggest bind binding c catalog characteristics child choice cn com communicate container contains couple course dc designated difference distinguished dn domain domains empty enables enterprise enumerate examples explained forest gc get global includes item items ldap letters limit local located location modify name naturally object objects option options out part path perform programmers provided query read related replace require root sample sanao schema script scripts search searches searching seems server serverless show single site specify still string target therefore third time tree trees unfortunately users vbscript whole work

List the Users of a Subtree vbs

11 93 94 added adsi call calling children cn container contents couple domain done enumerate enumerated enumeration far find include itself listusers notices ou our output perform produce recursion sales sample script script's show shown single subprogram subtree target time users vbs whole

Error Checking vbs

actual attribute cases categories checking code complete consequently done environments error errors expected finally increases indication introduce mechanics occasionally prepare react real received run say script scripts situations told traditional unexpected us wanted various words write

Error Mechanics

add adding adsi anymore automatically beginning biggest call calls clear cleared code confused consequence default depending drawback easier effect err error errors executed execution exit explained extra fails find fine function get goto handle handling hands knowing line lines location needs normally object occurred old perfectly perhaps properties property read reading refer relying remember resume retrieve reverse script statement statements sub subprogram successful take terminate try trying user value vbs vbscript yourself

Error Categories

438 1988 2030 8007 8240 80004001 80070005 80072030 8000500d access ads adsi appears around back beginning categories category code codes com command compilation converting course dating decimal declare denied despair digits displays documentation doing dos ds easy error errors expected fall find forgot format found four generic get help helpmsg hex hide identifier implemented includes kinds lan launch ldap line locate logical manager maps message messages method ms net notice notimpl object paragraph partly plain point prepare produce programming property provider quotes resume run runtime script scripts since something sources standard support syntax taking test time traditional try typing variable vbscript win32 won't writing

The Error-Checking Sample Script

11 16 95 96 97 65535 80071392 65535 8007xxxx action adsi anyway appear application argument attempted automatically back bad batch before better bind binding bits box build built call calls check checkiferror checks clear clicks cn code com command const continues convert correct corrective couldn't couple created dc decimal dedicate dedication demonstrate description desired difference digits dim display displays documentation ds echo else enter err errnumber error errorlevel errors evaluate exists exit expect explicit expression fancy feedback file find follows forced forest format four functionality get getobject h200 h80070000 h80071392 h80072030 handle handling help helpmsg hex hexadecimal hffff hffff0000 highly hint immediately include including interrcode jack latter launched ldap level likely line lines logic logical looking lower message messages msgbox much name net news objcontainer object objnewuser occur offers ok old omitted operation option others otherwise ou our particular party pass password play plenty previous quit quits read real reason reasons referral reports result resulting resume return returned right running safe sales samaccountname sample sanao script scripts secret server setinfo setpassword show sn specified statement string strmessage strname stroperation sub subprogram suggested sure tell terminate texts there therefore type typing unexpected unfortunately unknown unlikely useful user useraccountcontrol userprincipalname value values vbcritical vbcrlf vbokonly vbscript went why win32 wonder wouldn't write wrong wscript yourself

Scripts as Command-Line Tools

accomplished accordingly add adjust allows anything approaches arguments automates basic behavior changing choose command commands copy degree determine documentation element enable enter examining exe feature files former function functions handling implement includes jack kind kit latter line manipulate mission modifying mostly named once operation operations option options order perform performed purpose query random ready reg registry related resource s sample save script scripts show skeleton slightly somewhat specify specifying subfolders time tool traditional user username various windows wsh xcopy xcopy's yet

CmdTool vbs

11 20 98 active add addobject adds ado almost and and anything application appropriate argument arguments batch before boxes call calling chances check checkwshenvironment cmdtool cn com command const constants couldnt count course cscript dc default define del delete deleteobject deletes describes descriptive dim directory displayed displaying dn echo else enables enhance entered environment error examples exe explicit file find follows fullname function h happened help hundreds implement important includes indicate instrrev intresult item jack jill kouti len line lines long main manage mean message msgbox name nothing objarguments object objectdn objectrdn option options ou our outside parent parentdn program quit rdn repeat requested requires return returning right run running sakari sales sample sanao screen script scripts searches showhelp skeleton statement strobjectdn strobjectrdn strparentdn strscripthostname sub subprogram syntax tens terminates the too tool type ucase user utility value vbcritical vbcrlf vbokonly vbs we went world wrong wrong wscript wsh

Using ADO

52 53 54 55 acl active activex administration ado adsi basic blocked boundaries catalog ch11 chasing component concepts data database db describe directory discuss driver examples global implemented inheritance interface modifying objects offer ole ones oracle partition pass place programmatic provide provider referral script scripts server source sources sql subset successfully together turning vbs

ADO Concepts

11 99 active ado adsi analogy architecture choose com complement data databases depends designed directory doing engine interface ldap locator microsoft opening page pages presents programming provider rather read relates relational resource script search searching server sources sql top typing uniform url web versus

ADSI versus ADO

11 137 administration ado adsi ask attribute attributes authentication available bind binding class common compare comparison con cons containers copy credentials criteria default directory distinguished domains easily enumerate enumerating feature file fill filter filtering filters folder found fsmoroleowner full home hurt latter ldap limited listed locate logged match missing modify name names nature nondefault numbers object objects operation others ous out particular path paths perform philosophies phone power print pro pros purpose purposes read reading really recursion remember report requires retrieve returns say search searching settings show slightly someone specify usage user user's users yes zero

ADO Mechanics

access active ado among appear arguments array attribute before book call calling column command connection continue corresponds data dimensional directory discussion execute explain follows includes interested introduces kind least mentioned method methods model object objectís objects open options others password perform present properties query read reading recordset relevant represents returned row script scripts search settings show source sources specify specifying think username variety various ways very work working

Basic Example vbs

11 12 14 18 20 23 24 28 30 100 101 1960s acronym active ado adsi argument around attribute attributes basic becomes beginning book bookmarks bother browse call chosen command committed computers connection contacts container contains contents covers credentials currently cursor data db default describe didn't directory display displays distinguished domain eof fields file get help index indicate it's ldap learning line lines logged long loop made matter method microsoft move movefirst name names now object objects objrecordset ole open opened our output password perform perhaps picks programming property provider purposes query read ready recommend record recordset retrieved return run script script's search since skills specifies specify specifying stands starting string subsection sufficient syntax tell test time user's username users value vbs True

The LDAP Search String

11 14 15 18 19 26 34 active actually ado adsi always around attribute attributes base beef boundaries brief com comments consists contain contents context correspond criteria cross dc default define described dialect directory distinguishedname domain dressing enables essence explain filter four fourth givenname goes included introduce keyword ldap line lines main mandatory matter meet multipartition multiple names naming notice object objectcategory omit onelevel parameters part partition partitions parts path perform perhaps person queries query reach rest result returned sanao say scope script search semicolons separated show slight sn specifies sql string study subtree summary syntax therefore value variance wrapper you'll

Basic Example with SQL vbs

11 14 15 16 17 18 102 ado adsi apostrophe attributes basic beef before book catch changed character command data databases db default define describe described dialect easily element elements familiar identical implemented indexed language ldap learn line lines manage marks microsoft modified name now object ole order otherwise parameters part present previous pronounced provider query quotation read relational roots scope script search sequel server shouldn't show shown sn sort sorting space specify sql strings structured subtree surroundings teach therefore thing unless vbs word work write

Modifying Objects vbs

11 15 16 17 19 25 29 30 32 41 42 45 103 104 add addition admit ado adsi adspath again alone approach argument attribute avoid b beginning best big bind browse call changed changing characters circumvent commands computer condition conditions contact contain contents deal demonstrates distinguished domain easy effect efficient exclamation exists filter finally finds folder get handles her home indexed latter ldap line lines loop makes modify modifying name names needed negates network now object objects once output part parts passing point properties read recordset report restriction retrieve retrieving return returned script search sets seven show string subprogram sure technique user users value wanted vbs

Multipartition Queries

ado catalog chasing configuration context discuss domains examples far global include limited mentioned naming options partition partitions query referral schema scope single still subsections subtree turn ways

Using the Global Catalog

11 105 approach attributes automatically base catalog chasing child communication configuration couple decent describe direct domain domains easy efficient forest form gc global help include independent ldap letters limitation link logical long nearest network object obvious option part partition partitions path performance query referral retrieve root schema search server specifying subtree targeted terms together tree turn utilization visualize

Referral Chasing

add adding addition ado ads adsi always attributes base belongs catalog chase chasing check child choice choices client cn com command communicating component computer configuration confusing consider const contact contain container controller controllers crossref dc default description directory distinguished dll dnsroot domain domains edit exist explain explicitly external forest gathering get global h20 h40 h60 home immediate include included includes interested large ldap limitations limited lines little mean member mentioned name ncname needed network never notice objcommand object object's objects off option parameters part particular partition partitions path point points properties query read referral referrals requested reside results return returned returns root sales sanao schema script seem server show specify specifying starts stated subordinate suggests target ten trees trustparent turn unless wanted warning wldap32 won't words world wrapped

Additional Settings

command connection explained object properties settings specify subsections

The Connection Object Properties

addition ads adsi authentication before binding brown cn com connection credentials dc discussion encrypt flag flags id jack listed objconnection opening ou password properties property sales sanao secure somesecret specify user username True

Search Options as Command Object Parameters

0 11 15 500 active actually add ado ads adsi alias aliases asynchronous attribute attributes automatically available avoid back base before beneficial browse burden cache cached care chase chasing choices chunk client column command conclude const constants consumes contains control default deref dereferenced described description determine directory discussion enough explains fail far forth found fourth fulfill gathering general get good idea indexed ldap least lessen limit line lines meaning memory move name names network never none objcommand object objectcategory objects once onelevel ones option options our out overloading page paging part present previous program properties query read reason records recordset referral referrals results retrieve return returned returns row rows run scope script scripts search searches searchscope seconds sends server size sort sorted specified specifies specify specifying spend string subordinates subsection subtree supported takes target time timeout try turns unlike wait waiting value values vbscript willing work False True

List Objects That Have Blocked ACL Inheritance vbs

11 15 19 38 49 106 107 above access aces acl ado advanced always argument attribute available b back bind bit blocked blocking call calling changed complete control corresponding default descriptor displays domain exceptions excluding field filter general get incremented individually inherit inheritance inspect integer job ldap likely line lines little manage missing narrow ntsecuritydescriptor object objects obviously page part parts pass passed permissions program property read recommended ref result script search security show size strategy subprogram syntax system us value variable vbs view visible won't wouldn't False True


active administer architecture directory having knowledge learned network read sample scripts skills sound studied things time