Active Directory

Configure Microsoft Entra hybrid join

Bringing your devices to Microsoft Entra ID maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your resources with Conditional Access at the same time.

https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join

Viewing Active Directory with ADSIEDIT.MSC

List Active Directory Email Addresses

Server4 Aphelian Connection to Active Directory

Host info
Name: activedirectory
Host: etspowergroup.local
Port: 389
Version: 3
Base DN: DC=ETSPowerGroup,DC=local

User Info
User DN: CN=Matthew Jados,CN=Users,DC=ETSPowerGroup,DC=local
Password: 

Mac OS/Linux/Windows Single Sign-On

Well Known Security Identifiers

From: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

Computer login

2022-04-05

Deny User or Group to Sign in Locally in Windows 10

From: https://winaero.com/deny-user-group-sign-in-locally-windows-10/

From: https://community.spiceworks.com/topic/216823-implications-of-removing-nt-authority-authenticated-users-user-from-users-list

Andre Canis, Apr 17, 2012 at 6:08 AM (Best Answer): A better way would be to do it in the security policy (secpol.msc):

Security Settings > Local Policies > User Rights Assignments > Allow log on locally.
Remove the “Users” group from this policy and
add those users you want to allow to log on.

From: https://community.spiceworks.com/topic/199167-active-directory-2008-r2-control-user-login-to-computer

ChristopherO, Feb 15, 2012 at 6:54 AM:
You could certainly do this in 2003.
If you want to be granular, you will need to update the Users group on each computer
- remove Domain Users and add in the specific accounts/groups that can log into that computer.
If it's going to be the same for a large number of computers (ie, users in the Sales group can log into any computer in the Sales department) you can use Restricted Groups in Group Policy - just remember, with Restricted Groups it will remove ALL other users/groups from that local computer group and ONLY allow in what you set in the policy.

From: https://community.spiceworks.com/topic/338040-how-to-stop-domain-users-from-logging-into-my-pc

From: https://community.spiceworks.com/topic/126427-restrict-certain-users-from-login-on-certain-computers

From: http://windowsitpro.com/security/restricting-interactive-user-logons

Remote Login Active Directory

Local secpol.msc security setting “Allow log on through Terminal Services”
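As an added example (not from either Spiceworks thread or from the page above), this Python script audits a secedit export for the two logon rights discussed here: it reports whether “Allow log on locally” (SeInteractiveLogonRight) or the Terminal Services logon right (SeRemoteInteractiveLogonRight) is still granted to Everyone, Authenticated Users, BUILTIN\Users or Domain Users, the groups the answers above say to remove. The export text is constructed; on a real machine you would run `secedit /export /cfg rights.inf` and read that file as UTF-16.

```python
import re

# Well-known SIDs (from Microsoft's well-known SID list) that stand for "every user";
# the forum answers above remove these from the logon rights.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users"}
# S-1-5-21-<domain>-513 is a domain's Domain Users group.
DOMAIN_USERS_RE = re.compile(r"S-1-5-21(-\d+){3}-513")
# Rights to audit: "Allow log on locally" and "Allow log on through Terminal Services".
LOGON_RIGHTS = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight")

def parse_privilege_rights(text):
    """Return {right: [sid, ...]} from the [Privilege Rights] section of a secedit export."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit prefixes SIDs with '*'; strip it so the values compare cleanly.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def broad_principals(sids):
    """Map each SID in `sids` that grants the right to all users to a readable label."""
    found = {}
    for sid in sids:
        if sid in BROAD_SIDS:
            found[sid] = BROAD_SIDS[sid]
        elif DOMAIN_USERS_RE.fullmatch(sid):
            found[sid] = "Domain Users"
    return found

def audit_logon_rights(text):
    """Return {right: {sid: label}} naming the broad groups granted each audited right."""
    rights = parse_privilege_rights(text)
    return {r: broad_principals(rights.get(r, [])) for r in LOGON_RIGHTS}

# Constructed sample in the format `secedit /export /cfg <file>` writes (real files are UTF-16).
SAMPLE_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-513
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for right, hits in audit_logon_rights(SAMPLE_INF).items():
        print(right, "->", hits or "specific groups only")
```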

PowerBroker Identity Services

From: http://www.powerbrokeropen.org/ Download: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

Linux login to Active Directory

RE:[linuxadmin-l] Centralized Login Solution For All The Linux And AIX

Reply from nawzs-se on Sep 15 at 12:49 AM
Well, Powerbroker Open is free, if you can manage without a support agreement.
It'll take care of the unified logon; the paid version can also handle GPOs for your linux and unix systems.
On the other hand, we use sssd and that one works well too.
One small but important difference between the two setups is that with sssd (or nslcd) you need to set the unix attributes in your ldap directory (such as uid, gid, unixhome and loginshell). If you go with Powerbroker it'll take care of that for you by hashing the SIDs for uid, gid and assigning defaults for the rest. Defaults are customizable.

rd-gateway-ports-and-certificates

From: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS

In this deployment, RD Gateway needs the ports to be opened on the internal firewall for the following purposes:
To authenticate users
To authorize users
To resolve the DNS names of internal resources
To forward RDP packets from the client
To get the Certificate Revocation List
To send RADIUS requests (in a central NPS server scenario)

ADSI Edit

From: https://technet.microsoft.com/en-us/library/Bb124152%28v=EXCHG.65%29.aspx?f=255&MSPPError=-2147217396

ADSI Edit is implemented as a snap-in that runs in the Microsoft Management Console (MMC). The name of the default console containing ADSI Edit is AdsiEdit.msc. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in the MMC, or you can just open the AdsiEdit.msc file from Windows Explorer.

Backup of Active Directory

From: http://support.microsoft.com/kb/888794

  An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems. The default useful life of a system state backup is 60 or 180 days, depending on the operating system version and the service pack revision at play during the installation. This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain controller in every domain in the forest should be backed up every tombstone lifetime number of days.
  
  Note the value in the Value column. If the value is <not set>, the value is 60 days.

Things to consider when you host Active Directory domain controllers in virtual hosting environments

From: http://support.microsoft.com/kb/888794

  Virtualized DCs in clustered hosts
  In order for the nodes, disks and other resources on a clustered computer to auto-start, authentication requests from the clustered computer must be serviced by a DC in the cluster computer's domain. To ensure that such a DC exists during cluster OS startup, deploy at least 2 domain controllers in the clustered host computer's domain on physical hardware. The physical DCs should be kept online and be network accessible (in DNS + all required ports and protocols) to the clustered hosts. If the only DCs that can service authentication requests during cluster startup reside on a cluster computer that is being restarted, authentication requests will fail and manual recovery steps will be required to make the cluster operational.
  
  Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start.

Free Active Directory Tools

From: http://www.manageengine.com/products/free-windows-active-directory-tools/free-active-directory-tools-index.html

  ADManager Plus presents a complete suite of Active Directory tools that will certainly help Windows Active Directory administrators and users in efficient handling of all the Active Directory data. You can download 'RIGHT NOW' the entire suite at absolutely NO COST!

Permissions Analyzer for Active Directory

From: http://www.solarwinds.com/downloads/

  Not a whole lot of help: you can get the same results by going to the folder or file and checking its permissions.
  

JXplorer: The World's Finest LDAP Browser

http://jxplorer.org/

JXplorer is an open source LDAP browser originally developed by Computer Associates' eTrust Directory development lab. It is a standards-compliant, general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory with an LDAP interface. It is available for immediate free download under a standard OSI-style open source licence.

See: https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details for details of configuration parameters for Active Directory

Microsoft Active Directory Credentials

From: https://confluence.atlassian.com/display/DEV/Identifying+Active+Directory+connection+details

  ad.atlassian.com is the DNS name of our AD server, so that's how we worked out CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com. We prefixed each part of the DNS name with DC (which stands for Domain Component).
  
  Any folders or subfolders that branch from the server, we prefix with CN, hence CN=Administrator,CN=Users,DC=ad,DC=atlassian,DC=com (as the Administrator user account sits in the Users folder).
  
  Please specify the full name of the account for CN. So, if the user is John Smith, you would use: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com
  
  For baseContext, just specify DC=ad,DC=atlassian,DC=com (the DNS name prefixed with DC's)
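An added example (not from the Atlassian page or from JXplorer) that builds the DNs described above in Python, including the RFC 4514 backslash escaping that a name containing a comma needs, and splits a DN back into its parts so the escaped value survives the round trip. It assumes the account sits in the default Users container, as in the note; an organizational unit would use OU= rather than CN=.

```python
# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value):
    """Escape one attribute value, e.g. 'Smith, John' -> 'Smith\\, John'."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def base_dn_from_dns(dns_name):
    """'ad.atlassian.com' -> 'DC=ad,DC=atlassian,DC=com': each DNS label is one Domain Component."""
    labels = [l for l in dns_name.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("DC=" + escape_rdn_value(l) for l in labels)

def user_dn(full_name, dns_name, container="Users"):
    """Build CN=<full name>,CN=<container>,<base DN> for an account in the default Users container."""
    return f"CN={escape_rdn_value(full_name)},CN={escape_rdn_value(container)},{base_dn_from_dns(dns_name)}"

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes so 'Smith\\, John' stays whole."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it, skip the backslash
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [tuple(p.split("=", 1)) for p in parts]

if __name__ == "__main__":
    dn = user_dn("Smith, John", "ad.atlassian.com")
    print(dn)            # CN=Smith\, John,CN=Users,DC=ad,DC=atlassian,DC=com
    print(split_dn(dn))
```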
  


software/microsoft/windows/activedirectory.txt · Last modified: 2024/03/02 22:28 by superwizard