Security functions of common Active Directory tools

News Analysis

Security functions of common Active Directory tools

Derek Melber and Dave Kearns

Administrator shortcut guide to Active Directory The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security" written by Derek Melber and Dave Kearns and available at Realtimepublishers.com. Click for the complete book excerpt series.

 

 



Directory tools
 

There are numerous directory tools available in a default installation of Active Directory. These tools are essential to the core function, management and troubleshooting of AD and its related services. There are also resource kit tools that help increase the management capabilities of the directory. As far as security-based tools, almost every tool can be tied back to security in some manner. Security is in almost every aspect of AD and the tools that manage it --from the files that run the directory to the accounts that reside in the directory to the sites that replicate the directory between domain controllers. Tables 2.1 provides the most common built-in, command-line and resource kit tools.

 

Built-in tools

Tool Use Security control
Active Directory Users and Computers Used by data administrators to manage all security principals, GPOs, contacts, AD shares, AD printers and OUs User accounts, group accounts, delegation administration, GPO management
Active Directory Domains and Trusts Used by service administrators to create and manage trusts to external domains Trusts that go outside of the forest
Active Directory Sites and Services Used by service administrators to create and manage sites and replication Controls replication schedule between sites and subnets associated with sites
Computer Management Controls "computer" aspects such as hard drives, services and the local Security Accounts Manager (SAM) Local SAM (non-domain controller), services, shared folders, drivers
DNS Manage DNS Secure dynamic updates, replication partners, manual DNS entries
Event Viewer View tracked events for the system, applications, and security View security logs
Routing and Remote Access Manage routing and remote access services Specify RAS protocols and security; determine RAS access for users

 

Command-line tools

Tool Use Security control
Adprep Prepares your existing Win2K AD for WS2K3 Changes the schema to prepare for WS2K3
Ds* tools Provides access to AD for creating, querying, deleting and moving objects within the directory Provides means for someone to access AD remotely from the command line
Shutdown Allows the shutdown of a server remotely Can shutdown a server or domain controller remotely from the command line
Bootcfg Displays and modifies contents of the boot.ini file Can change the main boot file of a server or domain controller remotely from a command line

 

Resource kit tools

Tool Use Security control
Dumpfsmos Dumps Flexible Single Master Operations (FSMO) roles from AD Provides location of all FSMO roles on each domain controller
EventCombMT Gathers Event Viewer logs from the network computers and organizes them to files in a single folder Access to security logs remotely
Lockoutstatus (Server 2003) Dumps the lock out status of user accounts Access to which accounts are locked out
Ntrights Sets user rights on servers and domain controllers Allows for remote user to set user rights from command line
Showacls Displays the ACL for resources Access to the ACL to see which users and groups have access

For AD administration, the main tools are those that are built-in and provide a user-friendly graphical interface. These tools are designed to use the Microsoft Management Console. MMC allows for customization beyond the default Administrative Tools that are pre-built and available from the Start menu.

When an organization becomes too large or delegates administration to many different aspects of the AD structure, it becomes a necessity to build custom MMC consoles. Such consoles are easy to create and can be specific in what they show. When an MMC is customized, it is done so by importing snap-ins, which are the administrative tools themselves. There is a snap-in for almost any administrative task for the directory. The following list highlights common MMC snap-ins that are used to control AD and the security of AD:

  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Users and Computers
  • Active Directory Schema
  • Active Directory Service Interfaces (ADSI) Edit
  • Computer Management
  • Dfs
  • DNS
  • Event Viewer
  • Group Policy
  • IP Security Policy Management
  • Shared Folders
  • System Information

Figure 2.1 shows the MMC and a list of snap-ins.

Figure 2.1: MMC with a list of snap-ins.

The benefit of the MMC is that the essential snap-ins can be grouped in a single interface, then saved in the MMC. After it is saved, it can be shared on a central server or sent via e-mail to an administrator that has been delegated administrative access to resources within the snap-in.

For most organizations that use this method, the administrator or non-IT employee will need to have the tools that administer domain controllers, servers, and AD installed. This installation is easily accomplished, as the suite of tools is available on all domain controllers. The file that contains the suite of tools is called adminpak.msi. This installation package can be shared on a central server for installation across the network, sent via email to the administrator, or pushed out through a GPO. After the installation package is installed, the user will have the full list of administrative tools necessary to complete the delegated administrative task.

Click for the next excerpt in this series: Directory tools, part 2.

 


Click for the book excerpt series or visit Realtimepublishers.com to obtain the complete book.


 


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy