Active Directory Cookbook for Windows Server 2003 - P22



6.29.2 Solution

6.29.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. In the left pane, right-click on the domain and select Find.
3. Select the appropriate domain beside In.
4. Beside Name, type the name of the user and click Find Now.
5. In the Search Results, double-click on the user.
6. Click the Profile tab.
7. Modify the various profile settings as necessary.
8. Click OK.

6.29.2.2 Using a command-line interface

> dsmod user "<UserDN>" -loscr <ScriptPath> -profile <ProfilePath> -hmdir <HomeDir> -hmdrv <DriveLetter>

6.29.2.3 Using VBScript

' This code sets the various profile-related attributes for a user.
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com

set objUser = GetObject("LDAP://" & strUserDN)
' The home directory and the roaming profile live under a per-user folder
' named after the account on the file server.
objUser.Put "homeDirectory", "\\fileserver\" & objUser.Get("sAMAccountName")
objUser.Put "homeDrive", "z:"
objUser.Put "profilePath", "\\fileserver\" & _
            objUser.Get("sAMAccountName") & "\profile"
objUser.Put "scriptPath", "login.vbs"
objUser.SetInfo
Wscript.Echo "Profile info for " & objUser.Get("sAMAccountName") & " updated"

6.29.3 Discussion

The four attributes that make up a user's profile settings are the following:

homeDirectory    UNC path to home directory
homeDrive        Drive letter (e.g., z:) to map home directory
profilePath      UNC path to profile directory
scriptPath       Path to logon script

When you set the homeDirectory attribute, the folder being referenced needs to already exist. For an example of creating shares for users, see MS KB 234746.
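The following Python code is an added example, not code from the book: it builds the four attribute values the recipe writes from a sAMAccountName and checks them before anything is written to the directory, including the rule from the discussion that the home folder must already exist. The file server name, the sample account, and the folder_exists callback are constructed for the example; the callback is a parameter so that the check can run offline (on a Windows host os.path.isdir would serve).

```python
import re

# Constructed sample values for this example; "fileserver" and "login.vbs" are the
# placeholders used in the recipe, not a real server or script.
FILE_SERVER = "fileserver"

# \\server\share[\subfolder...] with none of the characters that are illegal in
# Windows path components.
UNC_RE = re.compile(r'^\\\\[^\\/:*?"<>|]+\\[^\\/:*?"<>|]+(\\[^\\/:*?"<>|]+)*$')
DRIVE_RE = re.compile(r'^[A-Za-z]:$')


def build_profile_attributes(sam_account_name, file_server=FILE_SERVER,
                             drive="z:", script="login.vbs"):
    """Return the four attributes Recipe 6.29 sets, keyed by LDAP attribute name."""
    base = f"\\\\{file_server}\\{sam_account_name}"
    return {
        "homeDirectory": base,
        "homeDrive": drive,
        "profilePath": base + "\\profile",
        "scriptPath": script,
    }


def validate_profile_attributes(attrs, folder_exists):
    """Return a list of problems found in attrs; an empty list means it is safe to write.

    folder_exists(unc_path) -> bool is supplied by the caller. MS KB 271657 is the
    reason for that check: a scripted homeDirectory must point at a folder that
    already exists, or the drive mapping fails at logon.
    """
    problems = []
    for name in ("homeDirectory", "profilePath"):
        value = attrs.get(name, "")
        if not UNC_RE.match(value):
            problems.append(f"{name}: not a UNC path: {value!r}")
    if not DRIVE_RE.match(attrs.get("homeDrive", "")):
        problems.append(f"homeDrive: expected a drive letter such as z:, got {attrs.get('homeDrive')!r}")
    home = attrs.get("homeDirectory", "")
    if UNC_RE.match(home) and not folder_exists(home):
        problems.append(f"homeDirectory: folder does not exist: {home!r}")
    # scriptPath is resolved relative to the domain's NETLOGON share, so an
    # absolute or UNC value here is almost always a mistake.
    script = attrs.get("scriptPath", "")
    if not script or script.startswith("\\\\") or ":" in script:
        problems.append(f"scriptPath: expected a path relative to NETLOGON, got {script!r}")
    return problems


if __name__ == "__main__":
    attrs = build_profile_attributes("jsmith")
    for name, value in attrs.items():
        print(f"{name:14} {value}")
    print(validate_profile_attributes(attrs, folder_exists=lambda p: False))
```

Run validate_profile_attributes with a real existence check before calling Put on the user object; the list it returns is what the VBScript above silently gets wrong when the share has not been created first.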

6.29.4 See Also

MS KB 234746 (How to Create User Shares for All Users in a Domain with ADSI), MS KB 271657 (Scripted Home Directory Paths Require That Folders Exist), and MS KB 320043 (HOW TO: Assign a Home Directory to a User)

Recipe 6.30 Viewing a User's Managed Objects

6.30.1 Problem

You want to view the objects owned by a user.

6.30.2 Solution

6.30.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. If an entry for the naming context you want to browse is not already displayed, do the following:
3. Right-click on ADSI Edit in the right pane and click Connect to.
4. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
5. In the left pane, browse to the naming context, container, or OU that holds the object you want to view. Once you've found the object, right-click on it and select Properties.
6. View the managedObjects attribute.

6.30.2.2 Using a command-line interface

> enumprop /ATTR:managedObjects "LDAP://<UserDN>"

6.30.2.3 Using VBScript

' This code displays the managed objects for a user.
' - SCRIPT CONFIGURATION -
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=rallencorp,dc=com
' - END CONFIGURATION -

on error resume next
set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo objUser.Get("cn") & "'s Managed Objects:"
colObjects = objUser.GetEx("managedObjects")
' -2147463155 (0x8000500D) is E_ADS_PROPERTY_NOT_FOUND: the attribute has no value.
if Err.Number = -2147463155 then
   Wscript.Echo " none"
else
   for each strObjectDN in colObjects
      Wscript.Echo " " & strObjectDN
   next
end if

6.30.3 Discussion

The managedObjects attribute is linked to the managedBy attribute that can be set on certain objects in Active Directory, like computers and groups. Setting the managedBy attribute provides a quick and dirty way to define who owns an object. If you do use it, you can use the managedObjects attribute on user objects to get the list of objects the user has been configured in the managedBy attribute for.
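As an added example (not code from the book), the Python below models the forward/back-link relationship the discussion describes, which also underlies the managedBy and managedObjects rows of Table 7-1 in Chapter 7: only managedBy is stored on each object, and managedObjects is computed from it. The directory fragment is constructed for the example; DN comparison is case-insensitive, as it is in Active Directory. The unowned_groups helper is the audit question a defender usually asks next: which groups have nobody recorded as responsible for them.

```python
# Constructed directory fragment: DN -> attributes. Only the forward link
# (managedBy) is stored, as in Active Directory; managedObjects is the
# back-link the directory derives from it.
SAMPLE_DIRECTORY = {
    "cn=jsmith,cn=Users,dc=rallencorp,dc=com": {"objectClass": "user"},
    "cn=jdoe,cn=Users,dc=rallencorp,dc=com": {"objectClass": "user"},
    "cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com": {
        "objectClass": "group",
        "managedBy": "cn=jsmith,cn=Users,dc=rallencorp,dc=com"},
    "cn=SALES-PC1,cn=Computers,dc=rallencorp,dc=com": {
        "objectClass": "computer",
        "managedBy": "CN=jsmith,CN=Users,DC=rallencorp,DC=com"},
    "cn=HRGroup,ou=Groups,dc=rallencorp,dc=com": {
        "objectClass": "group",
        "managedBy": "cn=jdoe,cn=Users,dc=rallencorp,dc=com"},
    "cn=Orphans,ou=Groups,dc=rallencorp,dc=com": {"objectClass": "group"},
}


def _same_dn(a, b):
    # Distinguished names compare case-insensitively in Active Directory.
    return a.strip().lower() == b.strip().lower()


def managed_objects(directory, owner_dn):
    """Compute the managedObjects back-link: every DN whose managedBy is owner_dn."""
    return sorted(dn for dn, attrs in directory.items()
                  if "managedBy" in attrs and _same_dn(attrs["managedBy"], owner_dn))


def owner_index(directory):
    """Build owner DN (lower-cased) -> sorted managed DNs in one pass, for an ownership audit."""
    index = {}
    for dn, attrs in directory.items():
        owner = attrs.get("managedBy")
        if owner:
            index.setdefault(owner.strip().lower(), []).append(dn)
    return {owner: sorted(dns) for owner, dns in index.items()}


def unowned_groups(directory):
    """Groups with no managedBy: nobody is recorded as responsible for their membership."""
    return sorted(dn for dn, attrs in directory.items()
                  if attrs.get("objectClass") == "group" and not attrs.get("managedBy"))


if __name__ == "__main__":
    owner = "cn=jsmith,cn=Users,dc=rallencorp,dc=com"
    print(owner + "'s Managed Objects:")
    for dn in managed_objects(SAMPLE_DIRECTORY, owner) or ["none"]:
        print(" " + dn)
    print("Groups without an owner:", unowned_groups(SAMPLE_DIRECTORY))
```

Against a live directory the same shape applies: one LDAP search with the filter (managedBy=<UserDN>) returns exactly what the managedObjects attribute lists, which is a useful cross-check when the back-link looks stale.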

Recipe 6.31 Modifying the Default Display Name Used When Creating Users in ADUC

6.31.1 Problem

You want to modify how the default display name gets generated when you create a new user through the Active Directory Users and Computers snap-in.

6.31.2 Solution

6.31.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. In the Configuration Naming Context, browse to DisplaySpecifiers and then <Locale>, where <Locale> is the locale for your language (e.g., the US English locale is 409).
3. Double-click on cn=user-Display.
4. Edit the createDialog attribute with the value you want the new default to be (e.g., %<sn>, %<givenName>).
5. Click OK.

6.31.2.2 Using VBScript

' This code modifies the default ADUC display name.
' - SCRIPT CONFIGURATION -
strNewDefault = "%<sn>, %<givenName>"
strForestName = "<ForestDNSName>" ' e.g. rallencorp.com
' - END CONFIGURATION -

Set objRootDSE = GetObject("LDAP://" & strForestName & "/RootDSE")
' cn=409 is the US English locale container; use the one for your language.
Set objDispSpec = GetObject("LDAP://cn=User-Display,cn=409," & _
                            "cn=DisplaySpecifiers," & _
                            objRootDSE.Get("ConfigurationNamingContext"))
objDispSpec.Put "createDialog", strNewDefault
objDispSpec.SetInfo
WScript.Echo "New default for user's display name has been set to: " & _
             strNewDefault

6.31.3 Discussion

When you create a new user object in the Active Directory Users and Computers snap-in, it will automatically fill in the Full Name field as you type in the First Name, Initials, and Last Name fields. As a convenience, you may want to alter that behavior so that it automatically fills in a different value. To do that, you need to modify the User-Display display specifier, which has the following distinguished name:

cn=user-Display,cn=<Locale>,cn=DisplaySpecifiers,cn=Configuration,<ForestRootDN>

<Locale> should be replaced with your language-specific locale and <ForestRootDN> should contain the distinguished name for your forest root domain. You need to modify the createDialog attribute, which by default has no value. Replacement variables are represented by %<attribute>, where attribute is an attribute name. For example, if you wanted to make the default be "LastName, FirstName" you would use the following value:

%<sn>, %<givenName>
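The Python below is an added example, not code from the book, showing how a createDialog value is expanded and how to check one before writing it to the display specifier. The sample user and the list of attributes the dialog can supply (givenName, initials and sn, the three fields the discussion names) are constructed for the example, and the choice to expand an attribute with no value to an empty string is this example's own, not a documented property of the dialog.

```python
import re

# %<attributeName>; AD attribute names are letters, digits and hyphens.
TOKEN_RE = re.compile(r"%<([A-Za-z][A-Za-z0-9-]*)>")

# Constructed sample of the values typed into the New User dialog.
SAMPLE_USER = {"givenName": "John", "initials": "Q", "sn": "Smith"}

# Attributes the New User dialog collects (assumption for this example).
DIALOG_ATTRIBUTES = ["givenName", "initials", "sn"]


def template_attributes(template):
    """Attribute names referenced by a createDialog value, in order of appearance."""
    return TOKEN_RE.findall(template)


def expand_create_dialog(template, attributes):
    """Replace each %<attr> with the user's value for attr (case-insensitive name match).

    An attribute with no value expands to an empty string (this example's choice).
    """
    lookup = {name.lower(): value for name, value in attributes.items()}
    return TOKEN_RE.sub(lambda m: str(lookup.get(m.group(1).lower()) or ""), template)


def check_create_dialog(template, known_attributes=DIALOG_ATTRIBUTES):
    """Names in the template that are not attributes the dialog can supply.

    Run this before putting the value on the display specifier: a typo such as
    %<surname> would otherwise silently leave a hole in every new user's name.
    """
    known = {name.lower() for name in known_attributes}
    return [name for name in template_attributes(template) if name.lower() not in known]


if __name__ == "__main__":
    for template in ("%<sn>, %<givenName>", "%<givenName> %<initials>. %<sn>", "%<sn>, %<surname>"):
        bad = check_create_dialog(template)
        print(f"{template:32} -> {expand_create_dialog(template, SAMPLE_USER)!r}"
              + (f"  (unknown: {bad})" if bad else ""))
```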

6.31.4 See Also

MS KB 250455 (XADM: How to Change Display Names of Active Directory Users)

Recipe 6.32 Creating a UPN Suffix for a Forest

6.32.1 Problem

You want users to have a different User Principal Name (UPN) suffix from the default provided by your forest.

6.32.2 Solution

6.32.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click Active Directory Domains and Trusts and select Properties.
3. Under Alternate UPN suffixes, type the name of the suffix you want to add.
4. Click Add and OK.

6.32.2.2 Using VBScript

' This code adds a new UPN suffix.
' - SCRIPT CONFIGURATION -
strNewSuffix = "<NewSuffix>" ' e.g. othercorp.com
strDomain = "<DomainDNSName>" ' e.g. rallencorp.com
' - END CONFIGURATION -

' ADS_PROPERTY_APPEND (from ADS_PROPERTY_OPERATION_ENUM) is not predefined in a .vbs file.
Const ADS_PROPERTY_APPEND = 3

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objPartitions = GetObject("LDAP://cn=Partitions," & _
                              objRootDSE.Get("ConfigurationNamingContext"))
objPartitions.PutEx ADS_PROPERTY_APPEND, "uPNSuffixes", Array(strNewSuffix)
objPartitions.SetInfo

6.32.3 Discussion

The UPN allows users to log on with a friendly name that may even correspond to their email address. UPN logons also do not require the domain to be known, so that it can be abstracted away from the user. You may need to create an additional UPN suffix (e.g., @rallencorp.com) if you want UPNs to map to email addresses, but your AD forest is rooted at a different domain name (e.g., ad.rallencorp.com) than the domain name used in email addresses (e.g., rallencorp.com).

6.32.3.1 Using VBScript

UPN suffixes are stored in the multivalued uPNSuffixes attribute on the Partitions container in the configuration naming context. The default forest UPN suffix is assumed and not stored in that attribute.
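As an added example (not from the book), the Python below works through the two points of this discussion: the forest-root suffix is implicit and must be added to whatever uPNSuffixes holds, and an append to that multivalued attribute must not repeat a value that is already there. The forest name, stored suffixes and user list are constructed; append_upn_suffix is a model of PutEx with ADS_PROPERTY_APPEND, not a call into ADSI. The duplicate_upns helper goes one step beyond the page: userPrincipalName must be unique across the forest, so it is worth checking before a new suffix is put into use.

```python
# Constructed sample: forest rooted at ad.rallencorp.com with one extra suffix
# already stored in uPNSuffixes (the recipe's example names, not live data).
FOREST_ROOT_DNS = "ad.rallencorp.com"
STORED_UPN_SUFFIXES = ["rallencorp.com"]


def effective_upn_suffixes(forest_root_dns, stored_suffixes):
    """All suffixes a UPN may use: the implicit forest root plus uPNSuffixes."""
    # The default suffix is not stored in the attribute, so it is added here.
    return {forest_root_dns.lower()} | {s.lower() for s in stored_suffixes}


def append_upn_suffix(stored_suffixes, new_suffix):
    """Model of PutEx ADS_PROPERTY_APPEND on the multivalued uPNSuffixes attribute.

    Returns (values, added). added is False when the value is already present,
    the case where the directory would reject the append.
    """
    if new_suffix.lower() in {s.lower() for s in stored_suffixes}:
        return list(stored_suffixes), False
    return list(stored_suffixes) + [new_suffix], True


def split_upn(upn):
    """Return (prefix, suffix) for user@suffix, or None if upn is not well formed."""
    prefix, at, suffix = upn.rpartition("@")
    if not at or not prefix or not suffix or "@" in prefix:
        return None
    return prefix, suffix.lower()


def is_valid_upn(upn, forest_root_dns, stored_suffixes):
    """True when the UPN's suffix is one the forest actually accepts."""
    parts = split_upn(upn)
    return parts is not None and parts[1] in effective_upn_suffixes(forest_root_dns, stored_suffixes)


def duplicate_upns(users):
    """UPNs assigned to more than one account, from (sAMAccountName, UPN) pairs.

    userPrincipalName must be unique across the forest; a suffix that matches
    the e-mail domain makes collisions between domains easier to create.
    """
    seen = {}
    for sam, upn in users:
        seen.setdefault(upn.lower(), []).append(sam)
    return {upn: sams for upn, sams in seen.items() if len(sams) > 1}


if __name__ == "__main__":
    print("accepted suffixes:", sorted(effective_upn_suffixes(FOREST_ROOT_DNS, STORED_UPN_SUFFIXES)))
    for candidate in ("jsmith@rallencorp.com", "jsmith@othercorp.com", "jsmith"):
        print(f"{candidate:24} valid={is_valid_upn(candidate, FOREST_ROOT_DNS, STORED_UPN_SUFFIXES)}")
    print(append_upn_suffix(STORED_UPN_SUFFIXES, "othercorp.com"))
    print(append_upn_suffix(STORED_UPN_SUFFIXES, "RALLENCORP.COM"))
```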

6.32.4 See Also

MS KB 243280 (Users Can Log On Using User Name or User Principal Name), MS KB 243629 (HOW TO: Add UPN Suffixes to a Forest), and MS KB 269441 (HOWTO: Use ADSI to List the UPN Suffixes That Are Defined in Active Directory)


Chapter 7. Groups

Introduction
Recipe 7.1 Creating a Group
Recipe 7.2 Viewing the Direct Members of a Group
Recipe 7.3 Viewing the Nested Members of a Group
Recipe 7.4 Adding and Removing Members of a Group
Recipe 7.5 Moving a Group
Recipe 7.6 Changing the Scope or Type of a Group
Recipe 7.7 Delegating Control for Managing Membership of a Group
Recipe 7.8 Resolving a Primary Group ID
Recipe 7.9 Enabling Universal Group Membership Caching

Introduction

A group is a simple concept that has been used in many different types of systems over the years. In generic terms, a group is just a collection of things. Groups are used most frequently in a security context, whereby you set up a group of users and apply certain permissions or rights to that group. Using a group is much easier when applying security than using individual users, because you have to apply the security only once instead of once per user.

In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list.

The scope and type of a group defines how the group can be used in a forest. The type of a group can be either security or distribution. Security groups can be used to restrict access to resources, whereas distribution groups can be used only as a simple grouping mechanism. Both group types can be used as email lists. The scope of a group determines where members of the group can be located in the forest and where in the forest you can use the group in ACLs. The supported group scopes include universal, global, and domain local. Universal groups and domain local groups can have members that are part of any domain in the forest. Global groups can only have members that are part of the same domain the group is in.

The Anatomy of a Group

Groups are represented in Active Directory by group objects. Table 7-1 contains a list of some of the noteworthy attributes that are available on group objects.

Table 7-1. Attributes of group objects

Attribute           Description
cn                  Relative distinguished name of group objects.
createTimestamp     Timestamp of when the group was created.
description         Textual description of the group.
groupType           Flag containing the group scope and type. See Recipe 7.6 for more information.
info                Additional notes about a group.
primaryGroupToken   Local RID for the group. This matches the primaryGroupID attribute that is set on user objects.
managedBy           DN of a user or group that is the owner of the group.
managedObjects      List of DNs of objects this group is listed in the managedBy attribute for.
member              List of DNs of members of the group.
memberOf            List of DNs of the groups this group is a member of.
modifyTimestamp     Timestamp of when the group was last modified.
sAMAccountName      Down-level account name for the group. Typically this is the same as the cn attribute.
wWWHomePage         URL of the home page for the group.

Recipe 7.1 Creating a Group

7.1.1 Problem

You want to create a group.

7.1.2 Solution

7.1.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers (ADUC) snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the parent container of the new group, right-click on it, and select New Group.
4. Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).
5. Click OK.

7.1.2.2 Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgrp should be set to yes if the group is a security group or no otherwise. Another recommended option is -desc, for specifying a group description.

> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"

7.1.2.3 Using VBScript

' The following code creates a global security group.
' - SCRIPT CONFIGURATION -
strGroupParentDN = "<GroupParentDN>" ' e.g. ou=Groups,dc=rallencorp,dc=com
strGroupName = "<GroupName>" ' e.g. ExecAdminsSales
strGroupDescr = "<GroupDesc>" ' e.g. Executive Admins for Sales group
' - END CONFIGURATION -

' Constants taken from ADS_GROUP_TYPE_ENUM. Domain local and local share the
' value 4 in that enumeration; bit 1 is reserved for built-in system groups.
Const ADS_GROUP_TYPE_GLOBAL_GROUP = 2
Const ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_LOCAL_GROUP = 4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = -2147483648

set objOU = GetObject("LDAP://" & strGroupParentDN)
set objGroup = objOU.Create("group", "cn=" & strGroupName)
objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP _
                          Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.Put "description", strGroupDescr
objGroup.SetInfo

7.1.3 Discussion

In each solution, a group was created with no members. For more information on how to add and remove members, see Recipe 7.4.

The groupType attribute contains a flag indicating both group scope and type. The available flag values are defined in the ADS_GROUP_TYPE_ENUM enumeration. Recipe 7.6 contains more information on setting the group scopes and types.
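The Python below is an added example, not code from the book, that decodes and encodes the groupType flag word the discussion refers to. The flag values are those of ADS_GROUP_TYPE_ENUM (global 0x2, domain local 0x4, universal 0x8, security-enabled 0x80000000); the directory returns the attribute as a signed 32-bit integer, which is why a global security group reads back as -2147483646, and the code accepts either form. The 0x1 bit is not in the page's constant list; it marks built-in system groups such as the BUILTIN container's groups, and is included so that those values decode cleanly.

```python
# Flag values from ADS_GROUP_TYPE_ENUM. SECURITY_ENABLED is 0x80000000, which
# ADSI and LDAP show as -2147483648 because groupType is a signed 32-bit value.
ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000
GROUP_TYPE_SYSTEM = 0x00000001  # set on built-in system groups (BUILTIN\Administrators etc.)

SCOPE_NAMES = {
    ADS_GROUP_TYPE_GLOBAL_GROUP: "global",
    ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP: "domain local",
    ADS_GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}
SCOPE_MASK = (ADS_GROUP_TYPE_GLOBAL_GROUP | ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
              | ADS_GROUP_TYPE_UNIVERSAL_GROUP)


def to_signed32(value):
    """Render a 32-bit flag word the way LDAP/ADSI return groupType (signed)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def decode_group_type(group_type):
    """Split a groupType value into scope, type and the system flag.

    Accepts the signed form read from the directory (e.g. -2147483646) or the
    unsigned form (0x80000002). Exactly one scope bit must be set.
    """
    flags = group_type & 0xFFFFFFFF
    scope_bits = flags & SCOPE_MASK
    if scope_bits not in SCOPE_NAMES:
        raise ValueError(f"groupType {group_type} does not carry exactly one scope bit")
    return {
        "scope": SCOPE_NAMES[scope_bits],
        "type": "security" if flags & ADS_GROUP_TYPE_SECURITY_ENABLED else "distribution",
        "system": bool(flags & GROUP_TYPE_SYSTEM),
    }


def encode_group_type(scope, security=True):
    """Build the signed groupType value to Put on a new group."""
    by_name = {name: bit for bit, name in SCOPE_NAMES.items()}
    if scope not in by_name:
        raise ValueError(f"unknown scope {scope!r}")
    value = by_name[scope] | (ADS_GROUP_TYPE_SECURITY_ENABLED if security else 0)
    return to_signed32(value)


if __name__ == "__main__":
    # Constructed sample values: what the VBScript above writes, a domain local
    # security group, a universal distribution list, and a BUILTIN system group.
    for raw in (-2147483646, -2147483644, 8, -2147483643):
        print(f"{raw:>12} -> {decode_group_type(raw)}")
    print("global security group ->", encode_group_type("global"))
```

A value whose scope bits are zero or carry more than one bit is rejected rather than guessed at; a groupType like that in a real directory is worth investigating before the group is used in an ACL.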


7.1.4 See Also

Recipe 7.4 for adding and removing group members, Recipe 7.6 for setting group scope and type, MS KB 231273 (Group Type and Scope Usage in Windows), MS KB 232241 (Group Management with ADSI in Windows 2000), MS KB 320054 (HOW TO: Manage Groups in Active Directory in Windows 2000), and MSDN: ADS_GROUP_TYPE_ENUM

Recipe 7.2 Viewing the Direct Members of a Group

7.2.1 Problem

You want to view the direct members of a group.

7.2.2 Solution

7.2.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, right-click on the domain and select Find.
4. Enter the name of the group and click Find Now.
5. Double-click on the group in the bottom results pane.
6. Click the Members tab.

7.2.2.2 Using a command-line interface

> dsget group "<GroupDN>" -members

7.2.2.3 Using VBScript

' This code prints the direct members of the specified group.
' - SCRIPT CONFIGURATION -
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' - END CONFIGURATION -

set objGroup = GetObject("LDAP://" & strGroupDN)
Wscript.Echo "Members of " & objGroup.Name & ":"
for each objMember in objGroup.Members
   Wscript.Echo objMember.Name
next

7.2.3 Discussion

The member attribute of a group object contains the distinguished names of the direct members of the group. By direct members, I mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. See Recipe 7.3 for how to find the nested membership of a group.

7.2.4 See Also

Recipe 7.3 for viewing nested group membership

Recipe 7.3 Viewing the Nested Members of a Group

7.3.1 Problem

You want to view the nested members of a group.

7.3.2 Solution

7.3.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, right-click on the domain and select Find.
4. Enter the name of the group and click Find Now.
5. Double-click on the group in the bottom results pane.
6. Click the Members tab.
7. You now have to double-click on each group member to view its membership.

7.3.2.2 Using a command-line interface

> dsget group "<GroupDN>" -members -expand

7.3.2.3 Using VBScript

' This code prints the nested membership of a group.
' - SCRIPT CONFIGURATION -
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
' - END CONFIGURATION -

strSpaces = " "
set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Wscript.Echo "Members of " & strGroupDN & ":"
DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember

Function DisplayMembers ( strGroupADsPath, strSpaces, dicSeenGroupMember)
   set objGroup = GetObject(strGroupADsPath)
   for each objMember In objGroup.Members
      Wscript.Echo strSpaces & objMember.Name
      if objMember.Class = "group" then
         ' The dictionary records groups already expanded, so a cycle of
         ' nested groups does not recurse forever.
         if dicSeenGroupMember.Exists(objMember.ADsPath) then
            Wscript.Echo strSpaces & " ^ already seen group member " & _
                         "(stopping to avoid loop)"
         else
            dicSeenGroupMember.Add objMember.ADsPath, 1
            DisplayMembers objMember.ADsPath, strSpaces & " ", _
                           dicSeenGroupMember
         end if
      end if
   next
End Function
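The Python below is an added example, not code from the book, that does for a constructed group graph what Recipe 7.2 and Recipe 7.3 do against the directory: list the member attribute as stored, then flatten nested membership while stopping at groups already expanded. The sample graph deliberately contains a cycle (SalesGroup contains SalesManagers, which contains SalesGroup), which Active Directory allows and which is the failure mode the VBScript's dictionary guards against. The group DNs and member lists are constructed; membership_tree reproduces the indented output style of the VBScript, and nested_members returns the flattened list together with the groups at which a cycle was cut, which is the part a reviewer of group nesting actually wants to see.

```python
# Constructed group graph: group DN -> direct member DNs. Anything that is not a
# key in this dictionary is treated as a non-group member (user, computer, ...).
SAMPLE_GROUPS = {
    "cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com": [
        "cn=jsmith,cn=Users,dc=rallencorp,dc=com",
        "cn=SalesManagers,ou=Groups,dc=rallencorp,dc=com",
    ],
    "cn=SalesManagers,ou=Groups,dc=rallencorp,dc=com": [
        "cn=jdoe,cn=Users,dc=rallencorp,dc=com",
        "cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com",   # cycle back to the parent
        "cn=jsmith,cn=Users,dc=rallencorp,dc=com",        # reachable twice
    ],
    "cn=EmptyGroup,ou=Groups,dc=rallencorp,dc=com": [],
}


def direct_members(groups, group_dn):
    """Recipe 7.2: the member attribute as stored, nothing expanded."""
    return list(groups.get(group_dn, []))


def nested_members(groups, group_dn):
    """Recipe 7.3: flatten nested membership.

    Returns (members, cycles): members are the non-group DNs reachable through
    any chain of groups, each listed once in discovery order; cycles are the
    group DNs that were reached a second time and therefore not expanded again.
    """
    seen_groups = {group_dn}   # the root counts as seen, so a cycle back to it is caught
    members, cycles = [], []

    def walk(dn):
        for member in groups.get(dn, []):
            if member in groups:            # a nested group
                if member in seen_groups:
                    cycles.append(member)
                    continue
                seen_groups.add(member)
                walk(member)
            elif member not in members:
                members.append(member)

    walk(group_dn)
    return members, cycles


def membership_tree(groups, group_dn, indent=" "):
    """Indented listing in the style of the VBScript output, as a list of lines."""
    lines = []
    seen_groups = {group_dn}

    def walk(dn, prefix):
        for member in groups.get(dn, []):
            lines.append(prefix + member)
            if member in groups:
                if member in seen_groups:
                    lines.append(prefix + " ^ already seen group member (stopping to avoid loop)")
                else:
                    seen_groups.add(member)
                    walk(member, prefix + indent)

    walk(group_dn, indent)
    return lines


if __name__ == "__main__":
    root = "cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com"
    print("Members of " + root + ":")
    print("\n".join(membership_tree(SAMPLE_GROUPS, root)))
    flat, cycles = nested_members(SAMPLE_GROUPS, root)
    print("flattened:", flat)
    print("cycles cut at:", cycles)
```

Unlike the VBScript, which never adds the starting group to its dictionary, nested_members seeds the seen set with the root, so a chain that leads back to the group being examined is reported as a cycle on the first return rather than after one extra expansion.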

Posted: 05/07/2014, 08:20