The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security" written by Derek Melber and Dave Kearns and available at Realtimepublishers.com.
A default installation of Active Directory includes numerous directory tools. These tools are essential to the core functioning, management and troubleshooting of AD and its related services, and the resource kit adds tools that extend the management capabilities of the directory. As far as security-based tools go, almost every tool can be tied back to security in some manner: security is in almost every aspect of AD and the tools that manage it, from the files that run the directory, to the accounts that reside in it, to the sites that replicate it between domain controllers. Table 2.1 lists the most common built-in, command-line and resource kit tools, with the security-relevant function of each.
Table 2.1: Common built-in, command-line and resource kit tools.

| Tool | Description | Security relevance |
|---|---|---|
| Built-in (MMC) tools | | |
| Active Directory Users and Computers | Used by data administrators to manage all security principals, GPOs, contacts, AD shares, AD printers and OUs | User accounts, group accounts, delegation of administration, GPO management |
| Active Directory Domains and Trusts | Used by service administrators to create and manage trusts to external domains | Trusts that go outside of the forest |
| Active Directory Sites and Services | Used by service administrators to create and manage sites and replication | Controls the replication schedule between sites and the subnets associated with sites |
| Computer Management | Controls "computer" aspects such as hard drives, services and the local Security Accounts Manager (SAM) | Local SAM (non-domain controller), services, shared folders, drivers |
| DNS | Manage DNS | Secure dynamic updates, replication partners, manual DNS entries |
| Event Viewer | View tracked events for the system, applications and security | View security logs |
| Routing and Remote Access | Manage routing and remote access services | Specify RAS protocols and security; determine RAS access for users |
| Command-line tools | | |
| Adprep | Prepares an existing Win2K AD for WS2K3 | Changes the schema to prepare for WS2K3 |
| Ds* tools (dsadd, dsget, dsmod, dsmove, dsquery, dsrm) | Provide access to AD for creating, querying, modifying, deleting and moving objects within the directory | Let anyone with credentials read and change AD from a remote command line |
| Shutdown | Allows the shutdown of a server remotely | Can shut down a server or domain controller remotely from the command line |
| Bootcfg | Displays and modifies the contents of the boot.ini file | Can change the main boot file of a server or domain controller remotely from the command line |
| Resource kit tools | | |
| Dumpfsmos | Dumps the Flexible Single Master Operations (FSMO) roles from AD | Shows which domain controller holds each FSMO role |
| EventCombMT | Gathers Event Viewer logs from computers on the network and organizes them into files in a single folder | Remote access to security logs |
| Lockoutstatus (Server 2003) | Dumps the lockout status of user accounts | Shows which accounts are locked out, and on which domain controller |
| Ntrights | Sets user rights on servers and domain controllers | Allows a remote user to set user rights from the command line |
| Showacls | Displays the ACL for resources | Access to the ACL to see which users and groups have access |
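The Ds* row in Table 2.1 notes that these tools give command-line access to the directory from anywhere on the network. The following batch script is an added example, not code from the book, of the read side of that: it audits the Domain Admins group and flags the account settings a security reviewer looks for. It assumes the Windows Server 2003 administration tools are installed on the machine it runs on and that the caller's account can read the directory; the group name is the real built-in one.

```batch
@echo off
rem Added example, not from the book: an audit of a privileged group with the
rem Ds* tools listed in Table 2.1. Assumes the Windows Server 2003 administration
rem tools are installed on this machine and that the caller can read the directory.
setlocal

rem 1. Resolve the group name to its distinguished name, then list members.
rem    -expand walks nested groups, so members hidden two levels down are shown.
echo === Members of Domain Admins, nested groups expanded ===
dsquery group -name "Domain Admins" | dsget group -members -expand

rem 2. Feed the same member DNs to dsget user and show the flags that matter to a
rem    security review: logon name, password never expires, password stored with
rem    reversible encryption, and account disabled. -c keeps going when a DN turns
rem    out to be a group or computer rather than a user.
echo.
echo === Password and account flags per member ===
dsquery group -name "Domain Admins" | dsget group -members -expand | dsget user -c -samid -pwdneverexpires -reversiblepwd -disabled

rem 3. Domain-wide checks: accounts idle for eight weeks and passwords older than
rem    90 days are candidates to disable. -limit 0 removes the default cap of 100
rem    objects. -inactive needs the Windows Server 2003 domain functional level,
rem    because it reads lastLogonTimestamp.
echo.
echo === Users with no logon in 8 weeks ===
dsquery user domainroot -inactive 8 -limit 0
echo.
echo === Users whose password is older than 90 days ===
dsquery user domainroot -stalepwd 90 -limit 0

endlocal
```

Run it from cmd.exe on any domain member; nothing in it has to execute on a domain controller. Swapping `dsget user` for `dsmod user` in the second pipeline would change those same attributes, which is exactly why the table treats remote command-line access as a security concern: whoever can run these tools with a privileged token has the same reach as the GUI consoles.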
For AD administration, the main tools are the built-in ones with a user-friendly graphical interface. These tools run inside the Microsoft Management Console (MMC), which allows customization beyond the default Administrative Tools that are pre-built and available from the Start menu.
When an organization grows large, or delegates administration of different parts of the AD structure to many people, building custom MMC consoles becomes a necessity. Such consoles are easy to create and can be limited to exactly what the delegate needs to see. A console is customized by adding snap-ins, which are the administrative tools themselves; there is a snap-in for almost any administrative task in the directory. The following list highlights common MMC snap-ins used to control AD and the security of AD:
- Active Directory Domains and Trusts
- Active Directory Sites and Services
- Active Directory Users and Computers
- Active Directory Schema
- Active Directory Service Interfaces (ADSI) Edit
- Computer Management
- Event Viewer
- Group Policy
- IP Security Policy Management
- Shared Folders
- System Information
Figure 2.1 shows the MMC and a list of snap-ins.
Figure 2.1: MMC with a list of snap-ins.
The benefit of the MMC is that the essential snap-ins can be grouped in a single interface and saved as a console (.msc) file. Once saved, the console can be shared on a central server or sent via e-mail to an administrator who has been delegated administrative access to the resources within the snap-ins. Note that the console file only defines the view: it grants no permissions of its own, so the delegate's rights still come from the delegation set on the directory objects, and a console saved in user mode can be reopened in author mode with `mmc /a` unless the Group Policy setting "Restrict the user from entering author mode" is applied to that user.
For most organizations that use this method, the delegated administrator (often a non-IT employee) will need the tools that administer domain controllers, servers and AD installed on their own workstation. This installation is easily accomplished, because the suite of tools ships on every domain controller as the Windows Installer package adminpak.msi (in %SystemRoot%\System32 on Windows Server 2003). The package can be shared on a central server for installation across the network, sent via e-mail to the administrator, or pushed out through a GPO software installation policy. After the package is installed, the user has the full list of administrative tools needed to complete the delegated administrative task.
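The deployment described above, as an added example that is not part of the book: a batch script for the delegate's workstation that installs the administration tools from a central share if they are missing and then opens the saved console built for that delegation. The server name FILESRV, the share name tools and the console name helpdesk.msc are assumptions; the package name adminpak.msi and the check file dsa.msc (the Active Directory Users and Computers console) are real.

```batch
@echo off
rem Added example, not from the book: install adminpak.msi from a central share
rem and open a delegated console. FILESRV, the "tools" share and helpdesk.msc are
rem assumed names; adjust them for your environment.
setlocal

set PKG=\\FILESRV\tools\adminpak.msi
set CONSOLE=\\FILESRV\tools\helpdesk.msc

rem Skip the install if the AD Users and Computers console file is already present,
rem which is a reliable sign that the administration tools are installed.
if exist "%SystemRoot%\system32\dsa.msc" goto :open

echo Installing the administration tools from %PKG%
rem /qn = no user interface, /norestart = do not reboot the workstation.
rem start /wait makes the script block until msiexec finishes so the exit code
rem is meaningful; msiexec returns 0 on success.
start /wait "" msiexec /i "%PKG%" /qn /norestart
if errorlevel 1 (
    echo Install failed, see the msiexec return code above
    exit /b 1
)

:open
rem Open the console without /a so it runs in the mode it was saved with. A
rem console saved in user mode hides the Add/Remove Snap-in dialog from the
rem delegate; pair this with the "Restrict the user from entering author mode"
rem Group Policy setting, otherwise the delegate can reopen it with mmc /a.
start "" mmc "%CONSOLE%"
endlocal
```

The script can be run by the delegate, placed in a logon script, or used as the wrapper a help desk hands out; the same adminpak.msi path is what a GPO software installation policy would point at if the package is assigned centrally instead.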