
Wednesday, March 25, 2009

Active Directory Recycle Bin can save a Windows Server

The Recycle Bin feature allows objects to be restored via the Active Directory PowerShell environment. For the beta release, this functionality is turned off by default, so the first step is to enable the feature. Figure A shows this step.

[Figure A: Active Directory Recycle Bin - enabling the feature]

Once this is complete, you can view the contents of the Active Directory Recycle Bin. This special location exists as a container that holds the objects as they are deleted.

In my first looks at Windows Server 2008 R2 beta, I set up a test domain running at that function level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

[Figure B: Windows Server Active Directory - Recycle Bin queries before and after the deletions]

Notice that some fields were cut off in the display, notably the full GUID (which is needed for the restore). To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

Then, the full GUID is displayed, so a copy and paste operation will allow an easy restore. From the list above, to restore the single user named test, the following command will perform the restore:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory.
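As an added example (not code from the original post), the listing and restore steps above wrapped in two functions: one lists the Deleted Objects container with the full ObjectGUID, the other restores an object by its original name but refuses to guess when the name is ambiguous or its parent container is itself deleted. It assumes the Active Directory module (Windows Server 2008 R2 or later), an enabled Recycle Bin, and the post's dev.tld test domain.

```powershell
Import-Module ActiveDirectory

function Get-DeletedAdObject {
    # List everything in the Deleted Objects container of the given domain,
    # keeping the full ObjectGUID (the value Restore-ADObject needs).
    param([string]$Domain = 'dev.tld')   # dev.tld is the post's test domain
    $dc = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    Get-ADObject -SearchBase "CN=Deleted Objects,$dc" `
                 -LDAPFilter '(isDeleted=TRUE)' `
                 -IncludeDeletedObjects `
                 -Properties ObjectGUID, Name, ObjectClass, LastKnownParent, WhenChanged
}

function Restore-DeletedAdObjectByName {
    # Restore the deleted object whose original name was $Name, refusing to act
    # when the name matches more than one tombstone (e.g. a user deleted twice).
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Domain = 'dev.tld'
    )
    # A deleted object is renamed "<name>" + LF + "DEL:<guid>", so anchor on that.
    $pattern = '^' + [regex]::Escape($Name) + "`nDEL:"
    $hits = @(Get-DeletedAdObject -Domain $Domain | Where-Object { $_.Name -match $pattern })

    if ($hits.Count -eq 0) { throw "No deleted object named '$Name' in $Domain." }
    if ($hits.Count -gt 1) {
        $hits | Format-Table ObjectGUID, Name, ObjectClass, WhenChanged -AutoSize |
            Out-String | Write-Warning
        throw "'$Name' matches $($hits.Count) deleted objects; restore the intended one by GUID."
    }

    $obj = $hits[0]
    # Restore-ADObject puts the object back under LastKnownParent; if that container
    # was deleted too it must be restored first, otherwise the cmdlet fails.
    $parent = Get-ADObject -Identity $obj.LastKnownParent -IncludeDeletedObjects `
                           -Properties isDeleted -ErrorAction SilentlyContinue
    if ($parent -and $parent.isDeleted) {
        throw "Parent $($obj.LastKnownParent) is also deleted; restore it before '$Name'."
    }

    Restore-ADObject -Identity $obj.ObjectGUID
    # Read the object back to confirm it is live again
    Get-ADObject -Identity $obj.ObjectGUID -Properties DistinguishedName, WhenChanged
}

# Usage mirroring the post: show the container, then restore the user named test.
Get-DeletedAdObject | Format-Table ObjectGUID, Name -AutoSize
Restore-DeletedAdObjectByName -Name 'test'
```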

Source: http://blogs.techrepublic.com.com/datacenter/?p=675

Monday, December 22, 2008

Disable the Password for a User in Windows Server 2003 Active Directory domain

Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default Domain Group Policy object. These policies, with the exception of the settings related to password lifetime, are enforced on all users in a domain.

The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:

Is not based on the user’s account name.
Contains at least six characters.
Contains characters from three of the following four categories:
Uppercase alphabet characters (A–Z)
Lowercase alphabet characters (a–z)
Arabic numerals (0–9)
Nonalphanumeric characters (for example, !$#,%)

Security Warning: Bear in mind that this setting can only be enabled/disabled at the domain level, and NOT at an OU level. Disabling the password requirement for an entire domain will lower your security configuration, and should only be done when absolutely necessary.

In order to disable this requirement you need to edit the Default Domain Policy for your domain.

1. Open the Administrative Tools folder.
2. Double-click the Default Domain Security Policy icon. (Note: If for any reason you don't see that icon, you can still edit the Default Domain Group Policy from the AD Users and Computers snap-in, or from a GPMC window.)
3. Navigate to Security Settings > Account Policies > Password Policy.
4. Right-click the Minimum Password Length option in the right pane and select Properties.
5. Keep the Define Setting check box selected! Do not clear that check box. Clearing it will cause the GPO to revert to the default setting, which is what we are trying to remove in the first place.
6. Enter 0 (zero) for the minimum number of characters required in a password.
7. Now double-click the Passwords Must Meet Complexity Requirements option in the right pane. Again, do not clear the check box. Instead, select Disabled.
8. Click OK all the way out and close the GPO window.
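Because the warning above notes that this change weakens the whole domain, an administrator will want a way to see whether it is in effect. The following added example (not from the original article) reads the domain naming context over LDAP with [ADSI] and flags the two settings the procedure relaxes; it needs no AD module, so it runs against a Windows Server 2003 domain. The function name and report layout are this example's own.

```powershell
function Get-DomainPasswordPolicyReport {
    # Report the effective domain password policy as stored on the domain NC.
    # The Default Domain Policy writes these values to the domain object, so
    # this reflects what the GPO actually applied, not what the GPO says.
    param([string]$Server)   # optional DC name; omitted = current logon server

    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"
    $domain  = [ADSI]"$prefix$($rootDse.defaultNamingContext)"

    $minLength  = [int]$domain.minPwdLength.Value
    $historyLen = [int]$domain.pwdHistoryLength.Value
    # pwdProperties is a bit mask; bit 0x1 is DOMAIN_PASSWORD_COMPLEX
    $complexity = ([int]$domain.pwdProperties.Value -band 1) -ne 0

    $findings = @()
    if ($minLength -eq 0) {
        $findings += 'Minimum password length is 0: blank passwords are permitted.'
    } elseif ($minLength -lt 6) {
        $findings += "Minimum password length is $minLength (Passfilt.dll default is 6)."
    }
    if (-not $complexity) {
        $findings += 'Password complexity requirement is disabled for the domain.'
    }

    New-Object PSObject -Property @{
        Domain            = $domain.distinguishedName.Value
        MinPasswordLength = $minLength
        PasswordHistory   = $historyLen
        ComplexityEnabled = $complexity
        Findings          = $findings
    }
}

# Usage: an empty Findings list means the defaults described above are still in force.
Get-DomainPasswordPolicyReport | Format-List
```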

Source: petri.co.il/disable_password_requirement_in_win2003_domain.htm

Wednesday, November 12, 2008

Active Directory-based solution for UNIX and Linux

Centrify Corporation, a provider of Microsoft Active Directory-based auditing, access control and identity management solutions for non-Microsoft platforms, has announced Centrify DirectAuthorize, a software solution that enables organizations to increase security and compliance by controlling how users access systems and what they can do on those systems.

DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. This can eliminate a user's need to use the root account or other privileged accounts, thereby allowing those accounts to be securely locked down.

DirectAuthorize is the industry's first Active Directory-based solution for UNIX and Linux privilege management and delegation of root access. Leveraging a common architecture, DirectAuthorize is seamlessly integrated with Centrify DirectControl and complements DirectControl's comprehensive Active Directory-based authentication, access control and group policy support for non-Microsoft systems and applications.

"Unlike Windows Active Directory, UNIX lacks a simple and scalable model for administrative delegation," observed Ant Allan and Jay Heiser, Research Vice Presidents, in the Gartner publication Controlling UNIX Superuser Privileges is Critical. "Organizations that allow root logins to mission-critical UNIX servers run unnecessary risks."

DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (e.g. backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights needed to perform duties within a role. DirectAuthorize's role-based architecture enables the following benefits:

  • Simplify the execution of privileged commands --- users no longer need to switch to root or other privileged accounts
  • Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
  • Assign users a Restricted Environment with access only to a specific "whitelist" of commands
  • Lockdown sensitive systems with fine-grained access controls that specify who can access a system and how
  • Model date- and time-based access windows to match user roles

Like Centrify DirectControl, DirectAuthorize is tightly integrated into Active Directory, meaning no additional servers or infrastructure is required to run DirectAuthorize. DirectAuthorize stores its role and rights data securely in Active Directory Authorization Manager's existing rights-based logical model and data storage schema found in Windows 2003 and above.

This means no Active Directory schema extensions are required to install and use DirectAuthorize, and customers can leverage the pre-existing Authorization Manager (AzMan) tools and APIs to access DirectAuthorize's roles and rights data. DirectAuthorize is built on top of the DirectControl architecture, meaning the DirectAuthorize user interface is integrated with the DirectControl Administrator's Console and the DirectAuthorize rights enforcers are integrated into the DirectControl Agent. And unlike other solutions, DirectAuthorize requires no UNIX kernel changes or system reboots.

Via: ciol.com

Thursday, November 6, 2008

Macs to gain smart card-based login to Active Directory

Just like their Windows coworkers, Mac users in the enterprise will have more options to log into Windows Active Directory services using smart card technology. According to access-control management company Centrify, support for smart card-based login will be available next month. A beta version is available now.

On Wednesday, Centrify announced the release of its DirectControl 4.2 for Mac OS X software. The smart card client software supports Common Access Cards (CAC) and Personal Identity Verification (PIV) cards, as well as other cards that support the Apple TokenD interface. Dubbed Centrify DirectControl for Mac OS X Smart Card edition, the software will cost $90 for a single copy.

DirectControl 4.2 will come with some new security policies, the company said.

Finder Lock is one of more than 200 Mac-specific Group Policies that Centrify has developed to help administer Macs from the same centralized administrative tools from which Windows computers are managed. Other policies added in this release include enforcement of a computer policy to require smart card login, a removal policy to either lock the screen or force a logout when the smart card is removed, and additional security controls.

Support for Active Directory policies is one of the Mac headaches for IT managers in the enterprise; smart card login will improve the user experience.

For example, longtime Mac connectivity vendor Group Logic (the maker of Mass Transit) last month released the results of a survey of 350 IT pros about Mac/Windows IT issues. Some 70 percent of the respondents said they currently had Macs in their companies and an additional 6 percent were planning to bring in Macs in the “near term.”

Here was the hot list of Mac integration issues from the survey:
  1. Adapting Active Directory policy to support Macs — 38 percent.
  2. Help desk calls from Mac users — 35 percent.
  3. Compatibility and/or data corruption issues — 27 percent.
  4. Lack of IT/file naming policy enforcement tools — 25 percent.
  5. Maintaining the full “Mac Experience” for their end-users — 24 percent.

Source: zdnet

Tuesday, October 14, 2008

How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003

How to Start Your Computer in Directory Services Restore Mode

Windows Server 2003 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller.

To start the server in Directory Services Restore mode, follow these steps:
1. Restart the computer.
2. After the BIOS information is displayed, press F8.
3. Use the DOWN ARROW to select Directory Services Restore Mode (Windows Server 2003 domain controllers only), and then press ENTER.
4. Use the UP and DOWN ARROWS to select the Windows Server 2003 operating system, and then press ENTER.
5. Log on with your administrative account and password.

How to Install Support Tools and Start Ntdsutil

To install Windows Support Tools, follow these steps:
1. Insert the Windows Server 2003 installation CD in the CD-ROM or DVD-ROM drive.
2. Click Start, click Run, type drive_letter:\Support\Tools\suptools.msi, and then press ENTER.
To start Ntdsutil, click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

NOTE: To access the list of available commands, type ?, and then press ENTER.

How to Move the Database

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Active Directory uses the new location when you restart the server.

To move the data file to another folder, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type move DB to new location (where new location is an existing folder that you have created for this purpose), and then press ENTER.
4. To quit Ntdsutil, type quit, and then press ENTER.
5. Restart the computer.

How to Move Log Files

Use the move logs to command to move the directory service log files to another folder. For the new settings to take effect, restart the computer after you move the log files.
To move the log files, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type move logs to new location (where new location is an existing folder that you have created for this purpose), and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.

How to Recover the Database

To recover the database, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. Type esentutl /r path\ntds.dit, and then press ENTER. path refers to the current location of the Ntds.dit file.
3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
4. Restart the computer.
For additional information about the esentutl.exe utility, at the command prompt, type esentutl /?, and then press ENTER.

NOTE: This procedure involves transaction logs to recover data. Transaction logs are used to make sure that committed transactions are not lost if your computer fails or if it experiences unexpected power loss. Transaction data is written first to a log file, and then it is written to the data file. After you restart the computer after it fails, you can rerun the log to reproduce the transactions that were committed but that were not recorded to the data file.

How to Set Paths

You can use the set path command to set the path for the following items:
• Backup: Use this parameter with the set path command to set the disk-to-disk backup target to the folder that is specified by the location variable. You can configure Directory Service to perform an online disk-to-disk backup at scheduled intervals.
• Database: Use this parameter with the set path command to update the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of typical restoration procedures.
• Logs: Use this parameter with the set path command to update the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of typical restoration procedures.
• Working Directory: Use this parameter with the set path command to set the part of the registry that identifies Directory Service's working folder to the folder that is specified by the location variable.
To run the set path command, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type set path object location, and then press ENTER. object refers to one of the following items:
• Backup
• Database
• Logs
• Working Directory
location refers to the location (folder) to which you want to set the object identified in the command.
4. Type quit, and then press ENTER.

Source: support.microsoft.com/kb/816120

Monday, July 14, 2008

Active Directory management

AD data is stored in a central, organized, accessible database. Active Directory networks can vary from a small installation with just a few hundred objects to millions of them. It is a key component when it comes to managing very large networks.

Their manager calls the help desk, which calls IT support to action the changes in AD. Once these are made, the manager is notified that the user has been set up. This can take hours, sometimes days. Not only does this process tie up IT with mundane admin chores, but it can mean that staff can't be productive during this hiatus. The other side of the coin applies equally - you can't remove a user's access rights immediately.

Active Directory offers a cost-effective solution. It neatly overcomes these AD admin headaches by effectively delegating AD object management to line managers. If changes have to be made, managers can make them on the spot, with changes going live in as little as ten seconds.

Active Directory uses a web-based AD management interface - it can be installed quickly through a company's internal network as there are no desktop clients to install, and the familiar web-browser user interface cuts the need for training. In fact, it's so simple and intuitive that most staff probably won't need any training.

Active Directory provides granular access control to entrusted staff with no limitations. Once logged in, you're presented with a home page offering just three options: update access, view access groups and view audited history. Changes to the AD are made via a wizard. A search option is provided, useful if you have thousands of AD objects to contend with.

When you have finished making your changes you simply click the "update all groups" button and it's done.

Paperwork is kept to a minimum. Changes to working practices and user privileges are managed through work flow emails. As well as greatly simplifying AD admin for both line managers and IT support staff, security is also improved by automating a usually manual security process. All Active Directory updates are logged to allow for auditing, which is essential to meet compliance standards.

In fact, Active Directory management can be standardized worldwide and can be used as part of the enterprise's Quality Management. The audit history option on the home page lets you view log information by group/role, date or user. Data can be downloaded and displayed in Excel.

Although Active Directory is a standalone product and doesn't integrate with other network management tools, its web services programming interface (API) will allow the integration of separate systems. As a result, Active Directory can complement existing identity management or account provisioning solutions. At the moment, Active Directory can support up to 100,000 users. System pre-requisites include Windows Server 2000/2003, IIS 6, .NET Framework 1.1, an SMTP e-mail server and MS SQL Server, either 2000, 2005 or Express 2005 - most organizations contemplating deploying Active Directory will most likely meet these criteria from the off.

Installation is a doddle - in fact, if you spend more than ten minutes on it, you're probably doing something wrong.

In conclusion, Active Directory is an AD management tool that's well-suited to organizations with more than 300 seats, as well as to managed-data centers looking for a painless and secure method of passing security management tasks back to the client.

Source:securecomputing.net