Active Directory Tips & Tricks

Post on 30-Oct-2014


Presenter: Clay Walker

BISD Network Overview - Infrastructure
- Windows 2003 servers using AD
- 95% of clients = Windows XP SP2, 5% = Windows 2000
- Fiber connection to every campus (no slow links)
- 5 Mbps DSL is the primary ISP
- T1 (1/2 for data) directly to ESC for services

BISD Network Overview - User Environment
- Students in 3rd through 12th grade have usernames and passwords
- All home drives on servers (no data stored on the local PC)
- My Documents redirected to server
- Favorites redirected to server
- Ubiquity: all computers have the same software, except for some special software (CAD, HR, Payroll, Student Data)

BISD Network Overview - User Environment
- All users (student and adult) have an H: drive; enable quotas as needed
- One R: drive acts as the district shared folder; permissions control access to files
- Q: drive for each campus for applications; the login script maps the correct share
- Campus Shortcuts folder in Q: includes shortcuts for Faculty Applications, Student Applications and Network Printers

Access Based Enumeration
- With ABE installed, users only see what they have permission to read and/or write.
[Screenshots: "Administrator Logged In Sees:" / "Student Logged In Sees:"]

Active Directory Fundamentals
- Container: the default for AD (Computers, Users, Domain Controllers); cannot add group policies; cannot add "sub-containers"
- OU (Organizational Unit): created by the Net Admin; able to nest; able to add group policies

Why OU's
- Organization: allows easy access to information (<200 objects per OU)
- Group policy application can be very specific or broad based

BISD Key OU's
- Fac-Staff: Campuses, Principal, Secty, Supt
- Servers (member servers)
- Students: each grade level by grad year
- SuperUsers
- W2K-Computers

BISD W2K-Computers OU
- Student Computer OU
- Teacher/others OU's at each campus
- Office OU's at each campus
- Secretary OU
- Servers NOT included
- Laptops NOT included
- OU names: CampusAdmin, CampusClassroom, Laptop, Library, Search Kiosks, Secretary, TechLab, CentralOffice

BISD Student Computer OU
- HS: HSLab1, HSLab2, HSLibrary
- MS: MSLab1...
- Allows policies to be set: district wide, just student computers, campus wide, lab specific

BISD Student Accounts
- Organized by graduation year
- Student usernames = grad year + first initial + last name: 07JSmith
- Home directory = username
- In AD, store the full name so net admins can easily find info

BISD Student Accounts
- Export students from WinSchool (SMS)
- Parse the data using Excel
- Use the command line to batch add names: dsadd or adduser, mkdir, cacls
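The batch-add step above, as an added example that is not the presentation's own script: it reads the CSV parsed out of the WinSchool export, builds the 07JSmith-style username, and runs dsadd, mkdir and cacls for each student. The OU DN, domain names, home share, CSV path and initial password are assumed placeholders.

```vbscript
' Added example, not the presentation's own script: batch-create student
' accounts from a CSV parsed out of the WinSchool export in Excel.
' Assumed CSV layout (header row optional):  GradYear,FirstName,LastName
' e.g.  2007,John,Smith  ->  username 07JSmith, home dir \\fileserver\home$\07JSmith
Option Explicit
Const CSV_PATH   = "C:\students\students.csv"        ' assumed
Const STUDENT_OU = "OU=Students,DC=bisd,DC=local"    ' assumed DN; one OU per grad year beneath it
Const UPN_SUFFIX = "@bisd.local"                     ' assumed
Const DOMAIN_NB  = "BISD"                            ' assumed NetBIOS domain name
Const HOME_SHARE = "\\fileserver\home$"              ' assumed home share
Const INIT_PWD   = "ChangeMe!2007"                   ' assumed; -mustchpwd forces a change at first logon

Dim fso, sh, f, line, parts, firstN, lastN, user, dn, homeDir, cmd
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh  = CreateObject("WScript.Shell")
Set f   = fso.OpenTextFile(CSV_PATH, 1)              ' 1 = ForReading

Do Until f.AtEndOfStream
    line  = Trim(f.ReadLine)
    parts = Split(line, ",")
    If UBound(parts) >= 2 Then
        If IsNumeric(Trim(parts(0))) Then            ' skips the header row
            firstN = Trim(parts(1))
            lastN  = Trim(parts(2))
            ' Username = grad year (2 digits) + first initial + last name: 07JSmith
            user    = Right(Trim(parts(0)), 2) & UCase(Left(firstN, 1)) & Replace(lastN, " ", "")
            dn      = "CN=" & user & ",OU=" & Trim(parts(0)) & "," & STUDENT_OU
            homeDir = HOME_SHARE & "\" & user

            ' 1. dsadd: full name stored so net admins can find the account easily
            cmd = "dsadd user """ & dn & """ -samid " & user & " -upn " & user & UPN_SUFFIX & _
                  " -fn """ & firstN & """ -ln """ & lastN & """ -display """ & firstN & " " & lastN & """" & _
                  " -pwd " & INIT_PWD & " -mustchpwd yes -hmdir """ & homeDir & """ -hmdrv H:"
            RunOrWarn cmd, user
            ' 2. mkdir: home directory named after the username
            RunOrWarn "mkdir """ & homeDir & """", user
            ' 3. cacls: replace the inherited ACL with Administrators (Full) and the student (Change);
            '    "echo Y" answers the "Are you sure" prompt that /G without /E raises
            RunOrWarn "echo Y| cacls """ & homeDir & """ /G Administrators:F " & DOMAIN_NB & "\" & user & ":C", user
        End If
    End If
Loop
f.Close

Sub RunOrWarn(command, who)
    Dim rc
    rc = sh.Run("cmd /c " & command, 0, True)         ' hidden window, wait for the exit code
    If rc <> 0 Then WScript.Echo "FAILED (rc=" & rc & ") for " & who & ": " & command
End Sub
```

Run it with cscript from a workstation that has adminpak.msi installed (dsadd comes with it) under an account allowed to create users in the Students OU.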

Tools
- MMC (Microsoft Management Console): one stop shopping (add snap-ins)
- GPMC (Group Policy Management Console)
- Active Directory Sites and Services (force replication)
- Remote Desktop (mstsc.exe /console)
- VNC on clients: AD integrated, turn off the systray icon
- Quotas on home directories
- adminpak.msi (from a 2003 SP1 server)

MMC
Create a custom MMC with the common tools used daily:
- Active Directory Users & Computers
- Active Directory Sites & Services (used for replication)
- DHCP
- DNS
- WINS (not used as much, if at all)
- GPMC
- Exchange System Manager
- IIS (maybe)
- Remote Desktop
- Anti-Virus
- Content Filter/traffic shaper

Essential Command Line
- cacls: set permissions (file/directory)
- takeown: take ownership (file/directory)
- Win2003 Resource Kit: dsquery, dsmod, adduser
- "gpupdate /force": forces an XP client to refresh Group Policies from the DC
- "secedit /refreshpolicy machine_policy /enforce": forces a 2K client to refresh Group Policies from the DC

Group Policy Fundamentals
- Group Policies can ONLY be applied to OU's
- If the user is an administrator on the local machine, most (if not all) restrictions will NOT work
- You can use Group Policies to open up enough of your PCs so users DO NOT NEED to be local admins

Group Policies
- Use GPMC from XP SP2 to edit
- Set up a Test OU
- Turn on loopback
- Lockout registry*
- Install software
- Block "illegal" software
- Set file permissions
- Set registry permissions
- Redirect My Documents
- Set update policies (WSUS server)
- Run login scripts (map drives)
- Lock down desktops
- Connect network printers

Software Restriction Policy
Two types:
- Path = specific filename and path (version irrelevant); Win2K & XP
- Hash = "signature" (regardless of path or file name); XP only
  - Need to have a sample file (exe)
  - Can have multiple files in one policy

How to create a Hash Software Restriction
- Create a new policy
- Edit the policy
- Computer Configuration, Windows Settings, Security Settings, Software Restriction Policies
- RC (right-click): New Software Restriction Policy
- Additional Rules, RC: New Hash Rule, Browse, OK
- Allow time to replicate, then gpupdate /force

Software Hash Video

VBS Scripting
- Use the Microsoft MSDN Library
- Printer script came from
- Enumerate printers, delete printers, add printers

BISD Network Printers
- Use a GPO to run a VBS script to set up printers for lab computers
- Only runs on student accounts
- Prevents printing across campus
- Students still have access to connect to other printers if needed (campus shortcuts)
- Algorithm: deletes existing network printer connections, adds lab printer connections, sets the B/W lab laser as the default printer
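The three-step algorithm above, as an added example (not the district's own script): a logon script for a lab computer OU that uses the WScript.Network object to enumerate and remove network printer connections, add the lab's printers, and set the B/W laser as default. The print server and share names are assumed placeholders; scoping it to student accounts is done by the GPO, not by the script.

```vbscript
' Added example, not the presentation's script: lab printer setup run as a
' GPO logon script. Printer share names below are assumed placeholders
' (one copy of the script, or one parameter, per lab in practice).
Option Explicit
Const LAB_LASER = "\\printserver\HSLab1-Laser"   ' assumed B/W laser, becomes the default
Const LAB_COLOR = "\\printserver\HSLab1-Color"   ' assumed second lab printer

Dim net, printers, i
Set net = CreateObject("WScript.Network")

' 1. Delete every existing network printer connection so the student can
'    only reach this lab's printers. EnumPrinterConnections returns items in
'    (port, name) pairs; names of network printers start with "\\", local
'    printers do not and are left alone.
Set printers = net.EnumPrinterConnections
For i = 1 To printers.Count - 1 Step 2
    If Left(printers.Item(i), 2) = "\\" Then
        On Error Resume Next                      ' a stale connection must not abort the script
        net.RemovePrinterConnection printers.Item(i), True, True
        On Error GoTo 0
    End If
Next

' 2. Add the lab printer connections (continue if one is offline)
On Error Resume Next
net.AddWindowsPrinterConnection LAB_LASER
If Err.Number <> 0 Then WScript.Echo "Could not add " & LAB_LASER & ": " & Err.Description
Err.Clear
net.AddWindowsPrinterConnection LAB_COLOR
If Err.Number <> 0 Then WScript.Echo "Could not add " & LAB_COLOR & ": " & Err.Description
Err.Clear
On Error GoTo 0

' 3. Make the B/W lab laser the default printer
net.SetDefaultPrinter LAB_LASER
```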

Network Printers/Loopback
- Printer connections are user based
- When you want them to be "computer" based, you have to enable loopback processing in the GPO
- I recommend setting this on ALL computers regardless

WSUS
- Windows Software Update Services: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
- Installed on a Win2003 server
- With this plus GPO settings, all PCs are automatically updated when new updates are released
- Windows, Office and other Microsoft software updates

Internet Bandwidth
- Monitor with MRTG (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/); can be used for switches, routers, firewalls, servers, etc.
- Use a bandwidth shaper to control it; we use Lightspeed Total Traffic Control (www.lightspeedsystems.com)
- Consortium pricing may be available: Brian Thomas (brian@lightspeedsystems.com)
- Best results by DHCP reservations for lab computers (specific ranges to labs)

DHCP Reservations
- Set up the DHCP scope so there is a "Reservation only" area and a "Dynamic" area
- Decide what is critical to manage (secondary labs' bandwidth)
- Assign IP addresses via reservations to those machines

BISD scope layout (10.19.x.x; the last two octets are shown):

  0.0     Network

  10.19.x.x Reservation only
  10.0    Admin
  20.0    ES
  30.0    IS
  40.0    MS
  50.0    HS
  60.0    ACE
  70.0    Sp. Ed
  80.0 to 200.0

  10.19.x.x Dynamic
  210.0 to 250.0

Sysprep
- Use the correct sysprep: there are different versions for XP, XP SP2, Win2K and Win2003
- BISD's (Mark Buckner) guide to building images: http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
- Sample sysprep.inf at the above link

VNC
- Install the latest UltraVNC
- Option to authenticate with AD
- Add 2 global groups: VNC-ReadOnly, VNC-FullControl
- Give VNC-FullControl R/W permissions to the PC
- Give VNC-ReadOnly view-only permissions to the PC
- Add users to the groups (by default, admins have FullControl)
- Check the box for Hide SysTrayIcon and turn off Remove Desktop Wallpaper

Misc
- Exchange: distribution lists; only allow members to send to the list (i.e. HS faculty cannot send to the MS distribution list)
- Filemon/Regmon to monitor which files/registry keys are being accessed by programs: www.sysinternals.com

List Servers
- Microsoft Windows Administration: very active list (400-500 messages per week); http://www.sunbeltsoftware.com/community.cfm, click on NTSYSADMIN List
- North Texas Association of Technology Directors (NTATD): www.ntatd.org

Resources
- Managing Disk Quotas: http://www.microsoft.com/technet/scriptcenter/topics/win2003/quotas.mspx
- Enterprise Management with Group Policy Management Console: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
- Configure Automatic Updates by using Group Policy (WSUS server): http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/WSUS/WSUSDeploymentGuideTC/51c8a814-6665-4d50-a0d8-2ae27e69ca7c.mspx
- Sysprep: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prbc_cai_vnve.asp and http://www.ntatd.org/index.php?module=documents&JAS_DocumentManager_op=viewDocument&JAS_Document_id=2
- Access Based Enumeration: http://thelazyadmin.com/index.php?/archives/72-Access-Based-Enumeration.html

This presentation is available at: www.ntatd.org/clay