
Security functions of common Active Directory tools

2007-01-17 11:22


From Techtarget.com

Directory tools

There are numerous directory tools available in a default installation of Active Directory. These tools are essential to the core function, management and troubleshooting of AD and its related services. There are also resource kit tools that extend the management capabilities of the directory. As for security-based tools, almost every tool can be tied back to security in some manner. Security touches almost every aspect of AD and the tools that manage it, from the files that run the directory to the accounts that reside in the directory to the sites that replicate the directory between domain controllers. Table 2.1 lists the most common built-in, command-line and resource kit tools.

Built-in tools

| Tool | Use | Security control |
| --- | --- | --- |
| Active Directory Users and Computers | Used by data administrators to manage all security principals, GPOs, contacts, AD shares, AD printers and OUs | User accounts, group accounts, delegation administration, GPO management |
| Active Directory Domains and Trusts | Used by service administrators to create and manage trusts to external domains | Trusts that go outside of the forest |
| Active Directory Sites and Services | Used by service administrators to create and manage sites and replication | Controls replication schedule between sites and subnets associated with sites |
| Computer Management | Controls "computer" aspects such as hard drives, services and the local Security Accounts Manager (SAM) | Local SAM (non-domain controller), services, shared folders, drivers |
| DNS | Manage DNS | Secure dynamic updates, replication partners, manual DNS entries |
| Event Viewer | View tracked events for the system, applications, and security | View security logs |
| Routing and Remote Access | Manage routing and remote access services | Specify RAS protocols and security; determine RAS access for users |

Command-line tools

| Tool | Use | Security control |
| --- | --- | --- |
| Adprep | Prepares your existing Win2K AD for WS2K3 | Changes the schema to prepare for WS2K3 |
| Ds* tools | Provides access to AD for creating, querying, deleting and moving objects within the directory | Provides means for someone to access AD remotely from the command line |
| Shutdown | Allows the shutdown of a server remotely | Can shut down a server or domain controller remotely from the command line |
| Bootcfg | Displays and modifies contents of the boot.ini file | Can change the main boot file of a server or domain controller remotely from a command line |

Resource kit tools

| Tool | Use | Security control |
| --- | --- | --- |
| Dumpfsmos | Dumps Flexible Single Master Operations (FSMO) roles from AD | Provides location of all FSMO roles on each domain controller |
| EventCombMT | Gathers Event Viewer logs from the network computers and organizes them to files in a single folder | Access to security logs remotely |
| Lockoutstatus (Server 2003) | Dumps the lockout status of user accounts | Access to which accounts are locked out |
| Ntrights | Sets user rights on servers and domain controllers | Allows for remote user to set user rights from command line |
| Showacls | Displays the ACL for resources | Access to the ACL to see which users and groups have access |

For AD administration, the main tools are the built-in ones, which provide a user-friendly graphical interface. These tools are designed to use the Microsoft Management Console (MMC). MMC allows for customization beyond the default Administrative Tools that are pre-built and available from the Start menu.

When an organization becomes too large or delegates administration across many different aspects of the AD structure, it becomes necessary to build custom MMC consoles. Such consoles are easy to create and can be specific in what they show. An MMC console is customized by importing snap-ins, which are the administrative tools themselves. There is a snap-in for almost any administrative task for the directory. The following list highlights common MMC snap-ins that are used to control AD and the security of AD:

Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
Active Directory Schema
Active Directory Service Interfaces (ADSI) Edit
Computer Management
Dfs
DNS
Event Viewer
Group Policy
IP Security Policy Management
Shared Folders
System Information

Figure 2.1 shows the MMC and a list of snap-ins.



Figure 2.1: MMC with a list of snap-ins.

The benefit of the MMC is that the essential snap-ins can be grouped in a single interface, then saved in the MMC. After the console is saved, it can be shared on a central server or sent via e-mail to an administrator who has been delegated administrative access to resources within the snap-in.

For most organizations that use this method, the administrator or non-IT employee will need to have the tools that administer domain controllers, servers, and AD installed. This installation is easily accomplished, as the suite of tools is available on all domain controllers. The file that contains the suite of tools is called adminpak.msi. This installation package can be shared on a central server for installation across the network, sent via e-mail to the administrator, or pushed out through a GPO. After the package is installed, the user will have the full list of administrative tools necessary to complete the delegated administrative task.