Security functions of common Active Directory tools
2007-01-17 11:22
From Techtarget.com

Directory tools
A default installation of Active Directory includes numerous directory tools. These tools are essential to the core function, management and troubleshooting of AD and its related services. There are also resource kit tools that increase the management capabilities of the directory. As for security-based tools, almost every tool can be tied back to security in some manner. Security touches almost every aspect of AD and the tools that manage it, from the files that run the directory, to the accounts that reside in the directory, to the sites that replicate the directory between domain controllers. Table 2.1 lists the most common built-in, command-line and resource kit tools.
Built-in tools
Tool | Use | Security control |
Active Directory Users and Computers | Used by data administrators to manage all security principals, GPOs, contacts, AD shares, AD printers and OUs | User accounts, group accounts, delegation administration, GPO management |
Active Directory Domains and Trusts | Used by service administrators to create and manage trusts to external domains | Trusts that go outside of the forest |
Active Directory Sites and Services | Used by service administrators to create and manage sites and replication | Controls replication schedule between sites and subnets associated with sites |
Computer Management | Controls "computer" aspects such as hard drives, services and the local Security Accounts Manager (SAM) | Local SAM (non-domain controller), services, shared folders, drivers |
DNS | Manage DNS | Secure dynamic updates, replication partners, manual DNS entries |
Event Viewer | View tracked events for the system, applications, and security | View security logs |
Routing and Remote Access | Manage routing and remote access services | Specify RAS protocols and security; determine RAS access for users |
Command-line tools
Tool | Use | Security control |
Adprep | Prepares your existing Win2K AD for WS2K3 | Changes the schema to prepare for WS2K3 |
Ds* tools | Provides access to AD for creating, querying, deleting and moving objects within the directory | Provides means for someone to access AD remotely from the command line |
Shutdown | Allows the shutdown of a server remotely | Can shut down a server or domain controller remotely from the command line |
Bootcfg | Displays and modifies contents of the boot.ini file | Can change the main boot file of a server or domain controller remotely from a command line |
Resource kit tools
Tool | Use | Security control |
Dumpfsmos | Dumps Flexible Single Master Operations (FSMO) roles from AD | Provides location of all FSMO roles on each domain controller |
EventCombMT | Gathers Event Viewer logs from the network computers and organizes them to files in a single folder | Access to security logs remotely |
Lockoutstatus (Server 2003) | Dumps the lockout status of user accounts | Access to which accounts are locked out |
Ntrights | Sets user rights on servers and domain controllers | Allows a remote user to set user rights from the command line |
Showacls | Displays the ACL for resources | Access to the ACL to see which users and groups have access |
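The command-line and resource kit tables note that Shutdown, Bootcfg, Ntrights and the Ds* tools can act on a server or domain controller remotely. As an added example (not part of the original article), the following Python sketch picks out such remote invocations from command lines recorded by process-creation auditing and reports the tool and the target host. The sample command lines, host names and install path are constructed; the remote-target switches are the tools' documented options.

```python
import re
import shlex

# Switch letter each tool uses to name a remote machine (documented options):
# shutdown /m \\host, bootcfg /s host, ntrights -m \\host, ds* -s server.
REMOTE_SWITCH = {"shutdown": "m", "bootcfg": "s", "ntrights": "m"}
DS_TOOLS = {"dsadd", "dsget", "dsmod", "dsmove", "dsquery", "dsrm"}

def remote_target(command_line):
    """Return (tool, host) when the command names a remote machine, else None."""
    try:
        argv = shlex.split(command_line, posix=False)  # keeps backslashes
    except ValueError:                                 # unbalanced quote
        argv = command_line.split()
    if not argv:
        return None
    # Reduce the image path to a bare tool name: no quotes, directory or extension.
    image = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    tool = re.sub(r"\.(exe|cmd)$", "", image)
    letter = "s" if tool in DS_TOOLS else REMOTE_SWITCH.get(tool)
    if letter is None:
        return None
    for flag, value in zip(argv[1:], argv[2:]):
        # Treat "/" and "-" prefixes alike so either spelling is caught.
        if flag[:1] in ("/", "-") and flag[1:].lower() == letter:
            return tool, value.strip('"').lstrip("\\").lower()
    return None

def flag_remote_use(command_lines):
    """Return (tool, host) for every command line that acts on another machine."""
    hits = []
    for line in command_lines:
        target = remote_target(line)
        if target:
            hits.append(target)
    return hits

# Constructed sample command lines (not taken from any real log).
SAMPLE = [
    r'C:\Windows\System32\shutdown.exe /r /m \\DC01 /t 0',
    r'shutdown /s /t 60',                      # local shutdown, no remote target
    r'"C:\Program Files\Resource Kit\ntrights.exe" -u CORP\helpdesk +r SeServiceLogonRight -m \\FS02',
    r'bootcfg /query /s dc02 /u CORP\admin',
    r'dsquery user -s dc01.corp.example -name j*',
    r'dsquery user -samid jdoe',               # -samid is not the -s server switch
]

if __name__ == "__main__":
    for tool, host in flag_remote_use(SAMPLE):
        print(f"{tool:10} -> {host}")
```
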
When an organization becomes too large or delegates administration of many different aspects of the AD structure, building custom MMC consoles becomes a necessity. Such consoles are easy to create and can be specific in what they show. An MMC console is customized by importing snap-ins, which are the administrative tools themselves. There is a snap-in for almost any administrative task in the directory. The following list highlights common MMC snap-ins that are used to control AD and its security:
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
Active Directory Schema
Active Directory Service Interfaces (ADSI) Edit
Computer Management
Dfs
DNS
Event Viewer
Group Policy
IP Security Policy Management
Shared Folders
System Information
Figure 2.1 shows the MMC and a list of snap-ins.
Figure 2.1: MMC with a list of snap-ins.
The benefit of the MMC is that the essential snap-ins can be grouped in a single interface, then saved in the MMC. After the console is saved, it can be shared on a central server or sent via e-mail to an administrator who has been delegated administrative access to resources within the snap-in.
For most organizations that use this method, the administrator or non-IT employee will need to have the tools that administer domain controllers, servers, and AD installed. This installation is easily accomplished, as the suite of tools is available on all domain controllers. The file that contains the suite of tools is called adminpak.msi. This installation package can be shared on a central server for installation across the network, sent via email to the administrator, or pushed out through a GPO. After the installation package is installed, the user will have the full list of administrative tools necessary to complete the delegated administrative task.