Differences

This shows you the differences between two versions of the page.

--- software:microsoft:windows:activedirectory [2015/09/10 02:42] – superwizard
+++ software:microsoft:windows:activedirectory [2024/03/02 22:28] (current) – [Viewing the active Directory with ADSIEDIT.MSC] superwizard
@@ Line 1: / Line 1: @@
+====== Active Directory ======
+-------------------------------------------------------------------------------------------------------------------------------------------------\\
+====== Configure Microsoft Entra hybrid join ======
+<WRAP center round box >
+Bringing your devices to Microsoft Entra ID maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your resources with Conditional Access at the same time.
+https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join
+</WRAP>
+====== Viewing the active Directory with ADSIEDIT.MSC ======
+http://forums.msexchange.org/m_1800466536/mpage_1/key_/tm.htm#1800466536
+Active Directory Search Expression = http://msdn.microsoft.com/en-us/library/ms675768%28v=vs.85%29.aspx
+Also: http://technet.microsoft.com/en-us/library/ee198834.aspx
+====== List Active Directory Email Addresses ======
+dsquery user -limit 0 | dsget user -ln -fn -email >employee-list.txt
+ADSIEdit:
+http://exchangeinbox.com/article.aspx?i=73
+File: ListEmailAddresses.zip
+http://exchangepedia.com/2005/09/how-to-export-all-email-addresses-from-a-domain.html
+Control Panel's Administrator Tool called Active Directory Users and Computers
+http://www.cmsconnect.com/praetor/webhelpg2/chapter_7_-_log_viewer/ad_export_users.htm
+If all you want is the primary SMTP address then the following will do the trick:
+http://www.petri.co.il/forums/showthread.php?t=7690
+Another Script
+http://forums.techarena.in/active-directory/64389.htm
+http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/uncovering-new-export-list-feature-exchange-server-2007-service-pack1.html
+====== Server4 Aphelian Connection to Active Directory ======
+  Host info
+  Name: activedirectory
+  Host: etspowergroup.local
+  Port: 389
+  Version: 3
+  Base DN: DC=ETSPowerGroup,DC=local
+  User Info
+  User DN: Matthew Jados,CN=Users,DC=ETSPowerGroup,DC=local
+  Password:
+====== Mac OS/Linux/Windows Single Sign-On ======
+http://weblog.bignerdranch.com/?p=6
+====== Well Known Security Identifiers ======
+From: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
+<code>
+SID: S-1-5-11
+Name: Authenticated Users
+Description: A group that includes all users whose identities were authenticated when they logged on.
+Membership is controlled by the operating system.
+</code>
+====== Computer login ======
+<WRAP center round box >
+-04-05
+Deny User or Group to Sign in Locally in Windows 10
+From <https://winaero.com/deny-user-group-sign-in-locally-windows-10/>
+From: https://community.spiceworks.com/topic/216823-implications-of-removing-nt-authority-authenticated-users-user-from-users-list
+Andre Canis
+Jalapeno
+Best Answer
+Andre Canis Apr 17, 2012 at 6:08 AM
+A better way would be to do it in the security policy (secpol.msc)
+Security Settings > Local Policies > User Rights Assignments > **Allow log on locally**.\\
+Remove the "Users" group from this policy and\\
+add those users you want to allow to log on.
+From: https://community.spiceworks.com/topic/199167-active-directory-2008-r2-control-user-login-to-computer
+ChristopherO
+Mace
+ChristopherO Feb 15, 2012 at 6:54 AM \\
+You could certainly do this in 2003.\\
+If you want to be granular, you will need to update the Users group on each computer\\
+- remove Domain Users and add in the specific accounts/groups that can log into that computer.\\
+If it's going to be the same for a large number of computers (ie, users in the Sales group can log into any computer in the Sales department) you can use Restricted Groups in Group Policy - just remember, with Restricted Groups it will remove ALL other users/groups from that local computer group and ONLY allow in what you set in the policy.
+From: https://community.spiceworks.com/topic/338040-how-to-stop-domain-users-from-logging-into-my-pc
+From: https://community.spiceworks.com/topic/126427-restrict-certain-users-from-login-on-certain-computers
+From: http://windowsitpro.com/security/restricting-interactive-user-logons
+</WRAP>
+====== Remote Login Active Directory ======
+Local Secpol.msc security "Allow login Through Terminal Services"
+====== PowerBroker Identity Services ======
+From: http://www.powerbrokeropen.org/
+Download: http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True
+linux login active directory
+<code>
+RE:[linuxadmin-l] Centralized Login Solution For All The Linux And AIX
+Inbox
+JJ_AIX
+Reply from JJ_AIX on Sep 14 at 4:03 PM Thanks guys , I appreciate it , I saw ...
+:34 PM (22 hours ago)
+nawzs-se
+:55 AM (12 hours ago)
+Reply from nawzs-se on Sep 15 at 12:49 AM
+Well, Powerbroker Open is free, if you can manage without a support agreement. ..
+It'll take care of the unified logon, the paid version can also handle GPOs for your linux and unix systems.
+On the other hand, we use sssd and that one works well too.
+One small but important difference between the two setups is that with sssd (or nslcd) you need to set the unix attributes in your ldap directory ( such as uid,gid,unixhome and loginshell). If you go with Powerbroker it'll take care of that for you by hashing the SIDs for uid, gid and assigning defaults for the rest. Defaults are customizable.
+</code>
 ====== rd-gateway-ports-and-certificates ======