Administrators' Idol: Tips and Tricks for Administrative Automation and Brilliance
Dan Holme
Director of Training & Consulting, Intelliem
Session Code: WSV401
Dan Holme
Consultant & Trainer at Intelliem, www.intelliem.com
- Fortune-caliber business, academic & government
- Microsoft Technologies Consultant, NBC Olympics
- Contributing Editor, Windows IT Pro magazine
- Author: Microsoft Press
- MVP: Office SharePoint Server
- danh@intelliem.com
- http://share.intelliem.com: blog, scripts and tools for this session
Fire Hose "On"
Goals of session
- Show you things you may never have been told and might never find out about anywhere else
- Demonstrate (and give you) valuable scripts & tools
- Cover key tips, tricks & traps
Very important resources
- http://share.intelliem.com: enhanced slides with details & step-by-steps; scripts and tools!
- Windows Administration Resource Kit
Provisioning and Proxying
What is Provisioning?
- Create a process or workflow
- Inject business logic
- Support business requirements
Requires
- Going beyond the native toolsets
Enables
- Automation
- Logging / Auditing
Provision a computer
Computer_JoinDomain (demo)

Provision New Computer In Domain
Computer_JoinDomain
- Creates computer account in domain
- OU based on drop-down list choices (site and type)
- Names computer based on business logic: D or L for Desktop or Laptop, followed by Asset Tag
- User name is put in Description attribute
Computer_JoinDomain
- Read comments in scripts and change the CONFIGURATION BLOCK
- Can switch bLocalJoinMode = True
  - Run HTA on client
  - Detects Asset Tag from BIOS and creates name
  - Creates computer account
  - Joins machine to domain
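As an added example (not the session's Computer_JoinDomain script or HTA), the same naming and placement rules in PowerShell with the ActiveDirectory module; the OU layout, site list, domain DN and log path are assumptions:

```powershell
Import-Module ActiveDirectory

function New-ProvisionedComputer {
    param(
        [Parameter(Mandatory)][ValidateSet('Desktop', 'Laptop')][string]$Type,
        [Parameter(Mandatory)][ValidateSet('NYC', 'LON')][string]$Site,     # hypothetical site list
        [Parameter(Mandatory)][string]$AssetTag,
        [Parameter(Mandatory)][string]$UserName,    # stored in Description, as on the slide
        [string]$DomainDN = 'DC=contoso,DC=com',    # hypothetical
        [string]$LogPath  = 'C:\ProgramData\ContosoAdmin\provision.log'   # hypothetical
    )
    # Business logic from the slide: D or L for Desktop or Laptop, followed by the asset tag
    $name = ($Type.Substring(0, 1) + $AssetTag).ToUpper()

    # Validate before touching the directory: NetBIOS names are at most 15 characters
    # from a limited character set; refuse rather than let the name be truncated.
    if ($name.Length -gt 15 -or $name -notmatch '^[A-Z0-9-]+$') {
        throw "'$name' is not a valid NetBIOS computer name"
    }

    # Assumed OU layout: OU=<Type>,OU=<Site>,OU=Workstations,<domain>
    $ou = "OU=$Type,OU=$Site,OU=Workstations,$DomainDN"
    try { $null = Get-ADOrganizationalUnit -Identity $ou } catch { throw "Target OU $ou does not exist" }

    # A computer's sAMAccountName is the name plus a trailing dollar sign
    if (Get-ADComputer -LDAPFilter "(sAMAccountName=$name`$)") {
        throw "Computer account $name already exists"
    }

    # Pre-stage the account: it exists before the machine joins, so the join
    # later only needs the join right delegated on this OU.
    $computer = New-ADComputer -Name $name -SamAccountName "$name`$" -Path $ou `
                               -Description $UserName -Enabled $true -PassThru

    # Audit trail: who provisioned which account, where, and for whom
    $null  = New-Item -ItemType Directory -Force -Path (Split-Path $LogPath)
    $entry = '{0:u} {1} created {2} in {3} for {4}' -f (Get-Date), $env:USERNAME,
             $computer.DistinguishedName, $ou, $UserName
    Add-Content -Path $LogPath -Value $entry
    $computer
}

# Example call (hypothetical values):
# New-ProvisionedComputer -Type Laptop -Site NYC -AssetTag '12345' -UserName 'CONTOSO\jdoe'
```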
What Is Proxying?
Performing a task on behalf of a user
- User does not have rights to perform task
- User can use provisioning tool
- Proxy performs task with separate credentials; ideally:
  - a Windows service (service account credentials)
  - a web application (application pool credentials)
  - a scheduled task (easiest: scheduled task credentials)
- Enforces a provisioned workflow and enables
  - Consistency
  - Security
  - Logging / Reporting / Auditing / Compliance
Simple Proxy Application
User requests an action
- User credentials
- Application authenticates & authorizes user's ability to make a request
- Forms provide UI, data validation, required fields, calculated fields
- Submitting request enters request in task queue
Simple Proxy Application
Service executes tasks
- Privileged account managed with Windows Service Control Manager
  - Can even use a scheduled task (see Resource Kit)
- User does not require such permissions
- Enables enforcement of provisioned process
- Command queue maintains action requests
- Service sees open tasks, executes them, logs results
- Reporting: task queue and logs as audit trail
Proxy framework
Windows Administration Resource Kit (demo)

Group Membership Manager
Proxying Group Management
Delegate resource management to the business owners of the resource
- Delegate management of access management groups' memberships to resource owners
- Provide custom tools for group management to resource owners
- Non-technical users can "understand" group membership
  - Not so easy to understand ACLs & ACL editing
  - Not even so easy to understand AD Users & Computers
Be informed. Be in control.
Shadow groups
Define group membership based on a query of Active Directory attributes
- Group_Shadow.vbs
Challenges
- Optimize accuracy vs. impact on replication
- Requires logoff/logon (user) or restart (computer)
Shadow groups
Group_Shadow (demo)
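An added example of the shadow-group idea, not the session's Group_Shadow.vbs: the group is reconciled against an LDAP query and only the difference is written, which is the lever on the replication impact the slide mentions. Assumes the ActiveDirectory module; group name, filter and search base in the example call are hypothetical.

```powershell
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$Group,        # sAMAccountName or DN of the shadow group
        [Parameter(Mandatory)][string]$LdapFilter,   # e.g. '(&(objectCategory=person)(department=Finance))'
        [Parameter(Mandatory)][string]$SearchBase,   # OU to query, e.g. 'OU=Users,DC=contoso,DC=com'
        [switch]$AllowEmpty,                         # required to empty the group on a zero-result query
        [switch]$WhatIf
    )
    $target = Get-ADGroup -Identity $Group

    # Desired membership: exactly what the query returns right now (users or computers)
    $desired = @(Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase |
                 Select-Object -ExpandProperty DistinguishedName)

    # Guard: a mistyped filter returns nothing and would otherwise strip every member
    if ($desired.Count -eq 0 -and -not $AllowEmpty) {
        throw "Query returned no objects; refusing to empty $($target.Name) without -AllowEmpty"
    }

    # Current direct membership. A shadow group should hold only query results, so
    # anything else (including nested groups added by hand) is treated as drift.
    $current = @(Get-ADGroupMember -Identity $target |
                 Select-Object -ExpandProperty DistinguishedName)

    # Only the delta is written: every member link added or removed replicates to
    # every DC, so rewriting the whole membership on each run would cost far more.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd)    { Add-ADGroupMember    -Identity $target -Members $toAdd    -WhatIf:$WhatIf }
    if ($toRemove) { Remove-ADGroupMember -Identity $target -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    # Return the delta so a scheduled run can log it. Affected users still need to
    # log off and on (computers: restart) before their token reflects the change.
    [pscustomobject]@{
        Group   = $target.Name
        Added   = $toAdd
        Removed = $toRemove
        Total   = $desired.Count
    }
}

# Example call (hypothetical names); drop -WhatIf to apply the changes:
# Sync-ShadowGroup -Group 'Shadow-Finance' -LdapFilter '(&(objectCategory=person)(department=Finance))' `
#                  -SearchBase 'OU=Users,DC=contoso,DC=com' -WhatIf
```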
Self-reporting
Computer_SelfReport (demo)
Self-reporting
Gather information from users or computers
- Report information to Active Directory
Challenges
- Optimize information vs. impact on startup/logon
- Requires delegation of attributes (to SELF), e.g. SELF::ALLOW::WRITE PROPERTY::DESCRIPTION
Self staging change control
Software_Deploy.vbs (demo)
Self staging change control
Implement one-time changes using Group Policy
Process
- Object added to staging group
- Script (startup/logon) makes change
- Script deployed with GPO scoped to staging group
- Last line of script moves object into reporting group
Challenges
- Requires delegation of group membership
Managing computers
Computer object management
Windows' default computer management is highly over-delegated and not least privilege
- Redirect default computer container to an OU with appropriate delegation & configuration
  redircmp "DN of OU for new computer objects"
- Remove default "any user can join 10 computers"
  Computers_SetQuota.vbs
- Delegate creation of computer objects
  computerou_delegate_create.bat "DN of OU" "Domain\group"
- Delegate joining computers to the domain
  computerou_delegate_join.bat "DN of OU" "Domain\group"
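An added check (not one of the session's scripts) that reports whether the steps on this slide are in place: the machine account quota, where new computer objects land after redircmp, and who holds Create Computer Objects on a given OU. Assumes the ActiveDirectory module and its AD: drive; the function name and remediation comment are mine.

```powershell
Import-Module ActiveDirectory

function Test-ComputerJoinDelegation {
    param([string]$OU)   # optional: DN of the OU whose computer-creation ACEs to list

    $domain = Get-ADDomain
    $root   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'

    # Default is 10: any authenticated user may join 10 computers to the domain.
    # Remediation (domain admin, after delegating creation properly):
    #   Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
    $quota = [int]$root.'ms-DS-MachineAccountQuota'

    # redircmp rewrites the well-known Computers container; Get-ADDomain exposes the result.
    $container = $domain.ComputersContainer

    $result = [pscustomobject]@{
        MachineAccountQuota = $quota
        QuotaRemoved        = ($quota -eq 0)
        NewComputersGoTo    = $container
        RedirectedToOU      = ($container -notlike 'CN=Computers,*')
        CanCreateComputers  = @()
    }

    if ($OU) {
        # schemaIDGUID of the computer class; an ACE with an empty ObjectType covers every class
        $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
        $createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
        $acl = Get-Acl -Path "AD:\$OU"
        $result.CanCreateComputers = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
            ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
    $result
}

# Example call (hypothetical OU):
# Test-ComputerJoinDelegation -OU 'OU=Workstations,DC=contoso,DC=com'
```

Inherited ACEs are included in the listing, so an entry such as Account Operators or a domain-wide group shows up here even when it was never delegated on the OU itself.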
Computer object management
- Prestage computer accounts
  - No more joining a workgroup computer to the domain with no prestaged account
- Reset computer accounts
  - No more "remove from domain and rejoin domain": that deletes the computer object and wipes out the computer's group memberships
- Rename computer accounts
  - When you give a user a new computer and retire the old one
  - Maintains group memberships of computer
Extreme MMC consoles
Create an extreme MMC console (demo)
The MMC
Simple custom consoles
- Start > Run > mmc.exe
- Add snap-ins (File menu)
- Save to a (shared or local) location that is accessible by
  - Your (Run As Administrator) administrative credentials
  - Other administrators
Recommendation
- Deploy custom consoles & supporting tools/scripts to administrators in a local location, e.g. c:\Program Files\Contoso Admin Tools\
- Use Group Policy Preferences to keep it up-to-date
- Adminpak (XP) or RSAT (Vista) required
Security Benefit Of Custom Consoles
One tool with multiple snap-ins makes enforcing Run As Administrator easier
- One shortcut configured to Run As Administrator (Shortcut Properties > Advanced)
- Put shortcut in Startup group
- Custom console launches immediately after logon, prompting you for your admin credentials
Speaking of Run As... super useful:
- ShellRunAs: Run As Another User (incl. Vista & 2008), http://technet.microsoft.com/sysinternals
Customized MMC Consoles
- Rename the root (Console Root)
- Create folders to organize your snap-ins: folder per server or per task group
  - In the Add or Remove Snap-Ins dialog, click Advanced
  - Select "Allow changing the parent snap-in"
  - When adding a snap-in, select the parent before clicking Add
Creating A Hierarchical Console

Explore an extreme MMC console (demo)
Snap-ins That Rock
Remote Desktops snap-in
- Connect to console: not available in stand-alone RDP client!
  - Windows Server 2008: you no longer connect to console
- One snap-in with connections to all servers
- One snap-in per server folder with connection to that server
Snap-ins That Rock
Link to Web Address
- Expose in MMC an external web resource, e.g. http://support.microsoft.com/search/?adv=1
- Expose in the MMC an intranet web resource
  - Policies and procedures documentation
  - Performance and monitoring reports
  - Environment documentation & diagrams
  - Admin web applications, e.g. your help desk ticket system
  - SharePoint site for admins (or other collaboration site)
- Note: connection uses MMC's credentials
Snap-ins That Rock
Link to Web Address
- Exposing a share on a server (totally undocumented)
  - Use a UNC (\\server\share) instead of a URL
  - Add server to IE Local Intranet or Trusted Sites zone: add it as \\server; IE will change it to file:// syntax
  - Connection uses MMC's (admin) credentials, similar to "map drive using another account"
Leave your OUs behind: Saved Queries

Scenario: User Management
Problem: Finding Users Easily
Solution: The Wrong Solution
Do not use <Last>, <First> as the common name
- LDAP distinguishedName is delimited by commas, so commas are 'escaped'
- Throws off many scripts and apps
- displayName can be <Last>, <First>
Solution: Customize MMC View
- View > Add / Remove Columns: Last Name or Display Name
- Sort by Last Name or Display Name
New problem: View Affects All OUs
Saved Queries (demo)
Saved Queries
Use SAVED QUERIES for administrative views
- Don't even try using actual OUs/nodes in ADUC
Benefits
- Columns (View > Columns) unique to saved query
  - Add Last Name column to a saved query; in an OU you get Last Name in every OU
- "Virtualizes" complex AD structure
- Efficient administrative views, e.g. disabled users, locked out users, users with passwords set to not expire
Unique Views Per Query

Virtualized View Of Your Enterprise Hides The Complexity Of OU Design

Efficient Administrative Views
Manage Users By Group (Not OU)
Create a saved query that lists the (direct) members of a group:
(&(objectCategory=user)(memberOf=DN of Group))
No wildcards: the DN must be exact. See KB 321143.
Taskpads in Administrative Consoles
Taskpads (demo)
Create A Taskpad
Create a custom MMC console:
1. Click Start and choose the Run command (Windows XP), or click in the Search box (Windows Vista/Windows Server 2008), type mmc.exe, and then press Enter. An empty MMC console appears.
2. Choose File > Add/Remove Snap-In.
3. Add the Active Directory Users and Computers snap-in.
4. Save the console: File > Save. Save in a location accessible by both your user and administrative credentials.
Now you must create what is called a taskpad:
1. Expand the details pane of the console to an OU that contains users.
2. Right-click the OU, and choose New Taskpad View.
3. The New Taskpad View Wizard appears. Click Next.
4. On the Taskpad Style page, accept all defaults and click Next.
5. On the Taskpad Reuse page, select Selected Tree Item and click Next.
6. On the Name And Description page, accept or change the default name and description and click Next.
7. On the Completing page, be sure the check box is selected and click Finish.
Create A Taskpad Menu Command
You have actually finished creating the taskpad, and a second wizard launches to help you create the task on the taskpad:
1. Launch the New Task Wizard. Either:
   - Continue to the New Task Wizard from the New Taskpad Wizard, or
   - Right-click the container to which the taskpad is associated > Edit Taskpad View > Tasks > New
2. The New Task Wizard appears. Click Next.
3. On the Command Type page, choose Menu Command and click Next.
4. In the Menu Command box, select the command. See important note on next slide. Click Next.
5. On the Name And Description page, in the Task Name box, type a name. Optionally, enter a description. Click Next.
6. On the Task Icon page, select an icon. Custom icons: c:\windows\system32\shell32.dll (XP or later) or c:\windows\system32\imageres.dll (Vista / 2008). Click Next.
7. Click Finish.
Taskpad Menu Command Tips
- Menu commands are what you see when you right-click an object
- Major "trap": to create a task in a taskpad, there must be an object upon which the task can be performed, and you must have rights to perform the task. For example, if you want to add a task to unlock a user account, there must be a LOCKED user account in the node in order for you to add the task to the taskpad. If you want to add tasks for "enable user account" there must be a disabled user account; etc.
- Find cool icons in system32\shell32.dll
Taskpads As An "Admin Start Menu"
Create tasks for Shell commands
- Can be any command you can run from Start > Run
- For command-line commands, prefix with cmd.exe /c
- Anything that launches will launch with same credentials as MMC (admin/alternate creds)
Suggestion
- Add a folder snap-in
- Rename the folder Tools
- Create a taskpad view with "No List" view
- Add shell command tasks
Create A Taskpad Shell Command
You have actually finished creating the taskpad, and a second wizard launches to help you create the task on the taskpad:
1. Launch the New Task Wizard. Either:
   - Continue to the New Task Wizard from the New Taskpad Wizard, or
   - Right-click the container to which the taskpad is associated > Edit Taskpad View > Tasks > New
2. The New Task Wizard appears. Click Next.
3. On the Command Type page, choose Shell Command and click Next.
4. In the Command box, type the command.
5. In the Parameters box, type the parameters. Click Next.
6. On the Name And Description page, in the Task Name box, type a name. Optionally, enter a description. Click Next.
7. On the Task Icon page, select an icon. Custom icons: c:\windows\system32\shell32.dll (XP or later) or c:\windows\system32\imageres.dll (Vista / 2008). Click Next.
8. Click Finish.
Taskpads for simplified admin
Navigation between taskpad nodes in a console
- Create a 'home page' snap-in with a taskpad view, e.g. Link To Web Address snap-in showing IT intranet site
- Add taskpad nodes to Favorites (Favorites menu)
- Add tasks to the home page taskpad that are "Navigation tasks" to other nodes
- Add tasks to each node that are Navigation tasks back to home page
- After linking each node you can hide the MMC tree: View > Customize
- Lock down the MMC UI: File > Options, save in a user mode
Integrating custom tools into the MMC

Integrating Custom Tools (demo)
Integrate A Custom Command
- Locate a useful command, script, or tool
  mstsc /v:ComputerName [/h:WindowHeight /w:WindowWidth | /full] [/console | /admin]
- Identify parameters that can be passed: ComputerName
- Add the command as a shell task to an MMC taskpad
Create A Taskpad Task
1. Launch the New Task Wizard. Either:
   - Continue to the New Task Wizard from the New Taskpad Wizard, or
   - Right-click the container to which the taskpad is associated > Edit Taskpad View > Tasks > New
2. The New Task Wizard appears. Click Next.
3. On the Command Type page, choose Shell Command and click Next.
4. In the Command box, type mstsc.exe
5. In the Parameters box, type /v:
6. With the cursor positioned after the colon, click the arrow (browse button).
7. Select Name as a parameter for computers.
   - Most computer-related tasks will use NAME as the parameter
   - Most user and group related tasks will use PRE-WINDOWS 2000 LOGON NAME as the parameter
   - The Parameters box should look like this: /v:$COL<0>
   - For a user or group, it will look like this: parameters $COL<9>
8. Click Next.
9. On the Name And Description page, in the Task Name box, type Connect with Remote Desktop. Optionally, enter a description. Click Next.
10. On the Task Icon page, select an icon. Custom icon: c:\windows\system32\shell32.dll (XP or later) or c:\windows\system32\imageres.dll (Vista / 2008). Click Next.
11. Click Finish.
Open Remote Command Prompt
PSExec for remote command execution
- Download from http://technet.microsoft.com/sysinternals
- Put in system path (e.g. SYSTEM32) or include full path in task command
  psexec \\computername cmd.exe
- Create shell command task
  Command: psexec.exe
  Parameters: \\NAME cmd.exe, i.e. \\$COL<0> cmd.exe
Enumerate Group Membership
Active Directory Users & Computers (ADUC): Member Of drill-down
Enumerate Group Membership
MemberOf_Report.HTA
- Enumerate all memberships: Security, Distribution, Primary Group
- Apply business logic
Group Membership
MemberOf_Report_v2.hta (demo)
MemberOf_Report_V2.hta
Scenario: What groups does <User> belong to?
Problem: ADUC interface does not provide fully enumerated (nested) group membership
Solution
- Script enumerates membership incl. primary group
- HTML application (HTA) provides user interface
About MemberOf_Report_V2.hta
- Ready to use in your enterprise
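An added example, not the session's MemberOf_Report_V2.hta: full (nested) membership plus the primary group, the two things the slide says ADUC's Member Of tab does not show. It also serves the saved-query slide earlier: the group DN in (&(objectCategory=user)(memberOf=DN)) must be exact, and the escaping function below keeps a DN with backslashes or parentheses (such as an escaped comma from a "Last, First" CN) from breaking the filter. Assumes the ActiveDirectory module; function names are mine.

```powershell
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter. Backslash must be
# replaced first, or the escapes introduced for the other characters get re-escaped.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-NestedGroupMembership {
    param([Parameter(Mandatory)][string]$DistinguishedName)   # DN of a user, computer or group

    $obj = Get-ADObject -Identity $DistinguishedName -Properties primaryGroupID
    $dn  = ConvertTo-LdapFilterValue $obj.DistinguishedName

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC follow the
    # member links transitively, so one query returns direct and nested groups.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

    # The primary group is not listed in any member attribute: it is a RID stored
    # on the object, so it has to be resolved separately (domain SID + RID).
    $primary = $null
    if ($obj.primaryGroupID) {
        $domainSid = (Get-ADDomain).DomainSID.Value
        $primary   = Get-ADGroup -Identity "$domainSid-$($obj.primaryGroupID)"
        $groups   += $primary
    }

    foreach ($g in ($groups | Sort-Object DistinguishedName -Unique)) {
        [pscustomobject]@{
            Group     = $g.Name
            Category  = $g.GroupCategory   # Security or Distribution
            Scope     = $g.GroupScope
            IsPrimary = ($null -ne $primary -and $g.DistinguishedName -eq $primary.DistinguishedName)
            DN        = $g.DistinguishedName
        }
    }
}

# The saved-query filter from the earlier slide, with the group DN escaped the same way.
function Get-DirectGroupMembers([Parameter(Mandatory)][string]$GroupDN) {
    $filter = '(&(objectCategory=user)(memberOf={0}))' -f (ConvertTo-LdapFilterValue $GroupDN)
    Get-ADUser -LDAPFilter $filter
}

# Example calls (hypothetical DNs):
# Get-NestedGroupMembership -DistinguishedName 'CN=Jane Doe,OU=Users,DC=contoso,DC=com' | Format-Table
# Get-DirectGroupMembers -GroupDN 'CN=Finance,OU=Groups,DC=contoso,DC=com'
```

The matching-rule query is answered entirely on the DC, so it also scales to deeply nested groups where walking memberOf client-side would need one query per level.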
MemberOf_Report.hta
HTA command line:
path\MemberOf_Report.hta "name of user, computer, or group"
- Save to accessible path
  - Distribute to custom folder (Recommended!): c:\Program Files\CompanyTools\MemberOf_Report.hta
  - Network path: must be in Local Intranet Zone; set IE security to allow Access Data Sources Across Domains; may still be too many prompts
- Integrate into taskpad and/or context menu
HTA Tasks
1. Edit the taskpad view and create a new task.
2. On the Command Type page, choose Shell Command and click Next.
3. In the Command box, type mshta.exe
4. In the Parameters box, type "Path to the tool\MemberOf_Report.hta" followed by a space.
5. With the cursor positioned after the space, click the arrow, which is a browse button.
6. Select Pre-Windows 2000 Logon Name. Choose Name to perform this task for computers, and choose Pre-Windows 2000 Logon Name for users and groups.
7. The Parameters box should look like this: "Path to the tool\MemberOf_Report.hta" $COL<9>
   For a computer, it will look like this: "Path to the tool\MemberOf_Report.hta" $COL<0>
8. In the Start In box, type "Path to the tool"
9. Click Next.
10. On the Name And Description page, in the Task Name box, type Group Membership Report. Optionally, enter a description.
11. Click Next.
12. On the Task Icon page, select an icon. There are several that evoke "group." Custom icon: c:\windows\system32\shell32.dll (XP or later) or c:\windows\system32\imageres.dll (Vista / 2008).
13. Click Next.
14. Click Finish.
Critical Custom Task Step
Now there's one more very important step. This step is so easy to forget and so confusing to solve if you forget it that I recommend you don't forget this step! Any column referenced as a parameter for the task must be visible. Otherwise, the task won't appear when you select an object.
1. Click View and then click Add/Remove Columns.
2. Select Pre-Windows 2000 Logon Name, and click Add.
3. Click OK to close the Add/Remove Columns dialog box.
4. Save the console.
A Custom Shell Task
Remove A Task Or Taskpad
- Remove a task: right-click OU > Edit Taskpad View > Tasks tab > select the task > Remove
- Remove taskpad view: right-click OU > Delete Taskpad View
Making More of Active Directory
Leveraging Underutilized Attributes
Examples of user attributes
- employeeNumber and employeeID
- employeeType
- assistant and secretary
- carLicense
Evaluate unused attributes
- Understand the attribute's properties
- Research the use of the LDAP attribute
- Use attributes as they are meant to be used
- Document what you do
- Evaluate all AD-aware apps before deploying them
Exposing unused attributes
Object_Attribute.hta (demo)
Extending The Schema
Standard caveats and disclaimers: "The world will end if you change the schema"
- Fully test in lab: you can't "undo" in production
- Obtain a base object identifier (OID): OIDGen.vbs
- Create an attribute
- Create a custom object class
- Associate the attribute with the object class
- Associate your custom object class as an auxiliary class with standard objects such as user, computer, or group
User/Computer Assignments
- Create forward link attribute computerAssignedTo
  - Make note of its attributeID
  - Set its linkID to 1.2.840.113556.1.2.50 using script
- Reload schema cache
- Create back link attribute assignedComputers
  - Set its linkID to the attributeID of the forward link
- Create object classes & associate attributes: contoso-ComputerInfo and contoso-UserInfo
- Associate custom classes with user, computer
Extending The Schema
Schema_Create_AssignedComputers.vbs (demo)
* Do not try at home without reading the Resource Kit and testing! Parental supervision required!
Resources
- Windows Administration Resource Kit: Productivity Solutions for IT Professionals
- http://share.intelliem.com: slides, scripts, tools & blog
- danh@intelliem.com
- Session evaluations: WSV401

Question & Answer
TechEd 2009 resources
- Sessions On-Demand & Community: www.microsoft.com/teched (session recordings are available at TechEd Online)
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
- Microsoft Certification & Training Resources: www.microsoft.com/learning

Windows Server Resources
- Pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
- Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
- Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies; over 15 booths and experts from Microsoft and our partners
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.