====== Active Directory ======
====== Configure Microsoft Entra hybrid join ======
Bringing your devices to Microsoft Entra ID maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your resources with Conditional Access at the same time.
https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join
====== Viewing the Active Directory with ADSIEDIT.MSC ======
http://forums.msexchange.org/m_1800466536/mpage_1/key_/tm.htm#1800466536
Active Directory Search Expression = http://msdn.microsoft.com/en-us/library/ms675768%28v=vs.85%29.aspx
Also: http://technet.microsoft.com/en-us/library/ee198834.aspx
====== List Active Directory Email Addresses ======
dsquery user -limit 0 | dsget user -ln -fn -email >employee-list.txt
ADSIEdit:
http://exchangeinbox.com/article.aspx?i=73
File: ListEmailAddresses.zip
http://exchangepedia.com/2005/09/how-to-export-all-email-addresses-from-a-domain.html
Control Panel's Administrator Tool called Active Directory Users and Computers
http://www.cmsconnect.com/praetor/webhelpg2/chapter_7_-_log_viewer/ad_export_users.htm
If all you want is the primary SMTP address then the following will do the trick:
http://www.petri.co.il/forums/showthread.php?t=7690
Another Script
http://forums.techarena.in/active-directory/64389.htm
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/uncovering-new-export-list-feature-exchange-server-2007-service-pack1.html
====== Server4 Aphelian Connection to Active Directory ======
Host info
Name: activedirectory
Host: etspowergroup.local
Port: 389
Version: 3
Base DN: DC=ETSPowerGroup,DC=local
User Info
User DN: CN=Matthew Jados,CN=Users,DC=ETSPowerGroup,DC=local
Password:
====== Mac OS/Linux/Windows Single Sign-On ======
http://weblog.bignerdranch.com/?p=6
====== Well Known Security Identifiers ======
From: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on.
Membership is controlled by the operating system.
====== Computer login ======
2022-04-05
Deny User or Group to Sign in Locally in Windows 10
From: https://community.spiceworks.com/topic/216823-implications-of-removing-nt-authority-authenticated-users-user-from-users-list
Andre Canis Apr 17, 2012 at 6:08 AM
A better way would be to do it in the security policy (secpol.msc)
Security Settings > Local Policies > User Rights Assignments > **Allow log on locally**.\\
Remove the "Users" group from this policy and\\
add those users you want to allow to log on.
From: https://community.spiceworks.com/topic/199167-active-directory-2008-r2-control-user-login-to-computer
ChristopherO Feb 15, 2012 at 6:54 AM \\
You could certainly do this in 2003.\\
If you want to be granular, you will need to update the Users group on each computer\\
- remove Domain Users and add in the specific accounts/groups that can log into that computer.\\
If it's going to be the same for a large number of computers (ie, users in the Sales group can log into any computer in the Sales department) you can use Restricted Groups in Group Policy - just remember, with Restricted Groups it will remove ALL other users/groups from that local computer group and ONLY allow in what you set in the policy.
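Before removing "Users" from the "Allow log on locally" policy or pushing a Restricted Groups GPO, it helps to see who actually holds the right on a given machine today. The following is an added example, not from either Spiceworks post: it exports the local policy with secedit, resolves the SIDs behind SeInteractiveLogonRight (the internal name of "Allow log on locally"), and, if BUILTIN\Users is among the holders, lists the members of the local Users group, which on a domain-joined computer normally include Domain Users and NT AUTHORITY\Authenticated Users. Run it in an elevated PowerShell session; the INF file name is a choice of this example.

```powershell
# Added example (not from the Spiceworks threads): audit who can log on locally
# to this computer before changing the policy. Requires an elevated session.

# 1. Export the local user-rights assignments to an INF file (path is arbitrary).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-PolicyEntry {
    # Entries in the INF are either '*<SID>' or a plain account name.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return "<unresolved SID $($Entry.Substring(1))>" }
    }
    return $Entry
}

# 2. 'Allow log on locally' is stored as SeInteractiveLogonRight.
$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
$holders = @()
if ($rightLine) {
    $holders = ($rightLine -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { Resolve-PolicyEntry $_.Trim() }
}
Remove-Item $inf -ErrorAction SilentlyContinue

"Accounts granted 'Allow log on locally':"
$holders | ForEach-Object { "  $_" }

# 3. If BUILTIN\Users holds the right, every member of the local Users group can
#    log on. On a domain-joined computer that group normally contains Domain Users,
#    NT AUTHORITY\Authenticated Users and INTERACTIVE, which is why the posts above
#    remove the Users group from the policy or replace its membership.
if ($holders -contains 'BUILTIN\Users') {
    "Members of the local Users group:"
    Get-LocalGroupMember -Group 'Users' |
        ForEach-Object { "  $($_.Name) ($($_.ObjectClass))" }
}
```

The same export can be repeated after the policy change (or after the Restricted Groups GPO applies) to confirm that only the intended accounts remain, which matters because, as ChristopherO notes, Restricted Groups replaces the whole membership of the local group.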
From: https://community.spiceworks.com/topic/338040-how-to-stop-domain-users-from-logging-into-my-pc
From: https://community.spiceworks.com/topic/126427-restrict-certain-users-from-login-on-certain-computers
From: http://windowsitpro.com/security/restricting-interactive-user-logons
====== Remote Login Active Directory ======
Local Secpol.msc security policy "Allow log on through Terminal Services" (named "Allow log on through Remote Desktop Services" in newer Windows versions)
====== PowerBroker Identity Services ======
From: http://www.powerbrokeropen.org/
Download: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
RE:[linuxadmin-l] Centralized Login Solution For All The Linux And AIX
Reply from nawzs-se on Sep 15 at 12:49 AM
Well, Powerbroker Open is free, if you can manage without a support agreement.
It'll take care of the unified logon, the paid version can also handle GPOs for your linux and unix systems.
On the other hand, we use sssd and that one works well too.
One small but important difference between the two setups is that with sssd (or nslcd) you need to set the unix attributes in your ldap directory (such as uid, gid, unixhome and loginshell). If you go with Powerbroker it'll take care of that for you by hashing the SIDs for uid, gid and assigning defaults for the rest. Defaults are customizable.
====== rd-gateway-ports-and-certificates ======
From: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS
In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
To authenticate users
To authorize users
To resolve the DNS names of internal resources
To forward RDP packets from the client
To get the Certificate Revocation List
To send RADIUS requests (in a central NPS server scenario)
====== ADSI Edit ======
From: https://technet.microsoft.com/en-us/library/Bb124152%28v=EXCHG.65%29.aspx?f=255&MSPPError=-2147217396
ADSI Edit is implemented as a snap-in that runs in the Microsoft Management Console (MMC). The
name of the default console containing ADSI Edit is AdsiEdit.msc. You can add the snap-in to any
.msc file through the Add/Remove Snap-in menu option in the MMC, or you can just open the AdsiEdit.msc
file from Windows Explorer.
====== Backup of Active Directory ======
From: http://support.microsoft.com/kb/888794
An Active Directory domain controller requires regular system state backups to recover from user, hardware,
software, or environmental problems. The default useful life of a system state backup is 60 or 180 days,
depending on the operating system version and the service pack revision at play during the installation.
This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain
controller in every domain in the forest should be backed up every tombstone lifetime number of days.
Note the value in the Value column. If the value is <not set>, the tombstone lifetime is 60 days.
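Instead of reading the attribute by hand in ADSI Edit, the same check can be scripted. This is an added example, not from the KB article: it reads tombstoneLifetime from the Directory Service object in the configuration partition (falling back to 60 days when the attribute is not set, as the article describes) and then scans the output of repadmin /showbackup, which reports the last backup recorded in each partition's dSASignature, flagging any partition whose last backup is older than the tombstone lifetime. The parse assumes each partition block in the repadmin output starts with the partition DN and contains a yyyy-MM-dd HH:mm:ss timestamp; that is an assumption of this example, not something the article states.

```powershell
# Added example (not from the KB article): compare the forest tombstone lifetime
# with the last backup recorded for each directory partition.
# Run on a domain controller, or on a machine with RSAT (repadmin) and domain access.

function Get-TombstoneLifetime {
    # tombstoneLifetime lives on the Directory Service object in the configuration
    # partition. When the attribute is <not set>, Active Directory uses 60 days.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $path    = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $value   = ([ADSI]$path).Properties['tombstoneLifetime'].Value
    if ($value) { [int]$value } else { 60 }
}

$tsl      = Get-TombstoneLifetime
$cutoff   = (Get-Date).AddDays(-$tsl)
"tombstoneLifetime: $tsl days; a system state backup taken before $($cutoff.ToString('yyyy-MM-dd')) cannot be restored safely"

# repadmin /showbackup prints, per partition, the last backup written into its
# dSASignature. Assumption: the block starts with the partition DN and includes a
# 'yyyy-MM-dd HH:mm:ss' timestamp.
$currentNc = $null
repadmin /showbackup | ForEach-Object {
    if ($_ -match '^(DC=|CN=)') {
        $currentNc = $_.Trim()
    }
    elseif ($currentNc -and $_ -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $last  = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        $age   = [int]((Get-Date) - $last).TotalDays
        $state = if ($last -lt $cutoff) { 'STALE' } else { 'ok' }
        '{0,-6} {1}  last backup {2} ({3} days ago)' -f $state, $currentNc, $Matches[1], $age
    }
}
```

A partition marked STALE has no backup younger than the tombstone lifetime, so the article's requirement (back up at least one DC per domain every tombstone-lifetime days) is not being met for it.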
====== Things to consider when you host Active Directory domain controllers in virtual hosting environments ======
From: http://support.microsoft.com/kb/888794
Virtualized DCs in clustered hosts
In order for the nodes, disks and other resources on a clustered computer to auto-start, authentication
requests from the clustered computer must be serviced by a DC in the cluster computer's domain.
To ensure that such a DC exists during cluster OS startup, deploy at least 2 domain controllers in the
clustered host computer's domain on physical hardware. The physical DCs should be kept online and be
network accessible (in DNS + all required ports and protocols) to the clustered hosts. If the only DCs
that can service authentication requests during cluster startup reside on a cluster computer that is being
restarted, authentication requests will fail and manual recovery steps will be required to make the cluster
operational.
Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure
can start.
====== Free Active Directory Tools ======
From: http://www.manageengine.com/products/free-windows-active-directory-tools/free-active-directory-tools-index.html
ADManager Plus presents a complete suite of Active Directory tools that will certainly
help the Windows Active Directory administrators and users in efficient handling of all
the Active Directory Data. You can download 'RIGHT NOW' the entire suite at absolutely
NO COST!
====== Permissions Analyzer for Active Directory ======
From: http://www.solarwinds.com/downloads/
Not a whole lot of help: you can get the same results by going to the folder or file and checking its permissions.
====== JXplorer The World's Finest Ldap Browser ======
http://jxplorer.org/
JXplorer is an open source ldap browser originally developed by Computer Associates' eTrust Directory development lab. It is a standards compliant general purpose ldap browser that can be used to read and search any ldap directory, or any X500 directory with an ldap interface. It is available for immediate free download under a standard OSI-style open source licence.
See: https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details
for details of configuration parameters for Active Directory
====== Microsoft Active Directory Credentials ======
From: https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details
ad.atlassian.com is the DNS name of our AD server so that's how we worked out
CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com.
We prefixed each part of the DNS name with DC (which stands for Domain Component).
Any folders or subfolders that branch from the server, we prefix with CN,
hence CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com (as the Administrator user
account sits in the Users folder).
Please specify the full name of the account for CN. So, if the user
is John Smith, you would use: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com
For baseContext, just specify DC=ad,DC=atlassian,DC=com (the DNS name prefixed with DC's)
[[https://confluence.atlassian.com/download/attachments/164873/jxplorer_connect.gif?version=1&modificationDate=1141791701655&api=v2]]
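The DN construction described above can be automated, which also avoids the common mistake of leaving a comma in a display name such as "Smith, John" unescaped. The following is an added example, not code from the Atlassian page: it builds the base context from a DNS name and the bind DN from the account's full name, escaping the characters RFC 4514 treats as special inside an attribute value. It also accepts container path elements given as full RDNs, because accounts placed in organizational units use OU= rather than the CN= the page describes for the built-in Users container.

```powershell
# Added example (not from the Atlassian page): build LDAP base context and bind DN
# from a DNS domain name and an account's full name, with RFC 4514 escaping.

function ConvertTo-BaseContext {
    # 'ad.atlassian.com' -> 'DC=ad,DC=atlassian,DC=com'
    param([Parameter(Mandatory)][string]$DnsDomain)
    ($DnsDomain.Trim('.').Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

function Escape-RdnValue {
    # Escape the characters that are special inside a DN attribute value
    # (RFC 4514): , + " \ < > ; plus a leading '#' or space and a trailing space.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([,+"\\<>;])', '\$1'
    if ($escaped -match '^[# ]') { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function New-UserDn {
    # Full name of the account + container path + DNS domain -> bind DN.
    # Container elements without '=' are treated as CN= containers (like Users);
    # pass 'OU=Sales' style entries for organizational units.
    param(
        [Parameter(Mandatory)][string]$FullName,
        [string[]]$ContainerPath = @('Users'),
        [Parameter(Mandatory)][string]$DnsDomain
    )
    $rdns = @("CN=$(Escape-RdnValue $FullName)")
    foreach ($part in $ContainerPath) {
        if ($part -match '^[A-Za-z]+=') { $rdns += $part }
        else { $rdns += "CN=$(Escape-RdnValue $part)" }
    }
    ($rdns + (ConvertTo-BaseContext $DnsDomain)) -join ','
}

# Usage with the values from the page (ad.atlassian.com, John Smith in Users),
# plus a constructed name containing a comma and a constructed OU path.
ConvertTo-BaseContext 'ad.atlassian.com'
New-UserDn -FullName 'John Smith' -DnsDomain 'ad.atlassian.com'
New-UserDn -FullName 'Smith, John' -DnsDomain 'ad.atlassian.com'
New-UserDn -FullName 'John Smith' -ContainerPath @('OU=Staff', 'OU=Sales') -DnsDomain 'ad.atlassian.com'
```

The first two calls reproduce the base context and bind DN quoted above; the third shows the comma in the name escaped as "\,", without which the bind would fail or resolve to the wrong object; the fourth shows the RDN order for an account in a nested OU (most specific first, base context last).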