Active Directory Administrative Center
The other day I wrote about Powershell as one of the basic tools that the administration of any supported Microsoft platform rises to highest level of automation and configuration. I can not emphasize enough how important it is for Windows Server administrators to begin to learn Powershell, I think everyone slowly but surely will realize that.
In addition I want to devote attention on two "new" tools for administering Server 2008R2 an Server 2012. One Active Directory Administrative Center, which runs completely on Powershell and Server Manger which is an entirely integrated into PS.
In Windows Server 2003 and Windows Server 2008 operating systems, administrators can manage and to disclose information in their Active Directory environment by using Active Directory snap-ins linke AD Users and Computers Microsoft Management Console ( MMC ) snap -in . Beginning in Windows Server 2008 R2, now and in the Server 2012 ( and in all other subsequent ) in favor of using the Active Directory Users and Computers, administrators can manage their directories by using the new Active Directory Administrative Center.
As i said earlier, tool that works "on top" of PS, it actually means that each click or each operation via the graphical interface is powershell command that is executed in the background, quite transparently for the user. The same we have already saw in Exchange Server 2010 with the Exchange console.
The version of the Active Directory Administrative Center in Windows Server 2012 has additional improvements, including PowerShell Windows History Viewer that will help you learn the Active Directory cmdlets.
You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:
Creating new users (Users) or managing existing ones.
Create a new group (Group) or management of existing. Create new computer (account) or managing existing ones.
Creating new computer (account) or managing existing ones.
Creating new organizational units (OUs) and containers or manage existing OU.
Connecting to one or several (domain) or (domain controllers) simultaneously to view or manage the desired Active Directory (AD DS).
Filter AD DS and search the database (query).
In addition, you can use the GUI and modify it according to your needs and desires,meaning you can use a (custom) administrative center . This can help to improve your productivity and efficiency .
Active Directory Administrative includes features that are described in the following chapters . The following illustration shows the graphical user interface (GUI) and the administrative center and how it is organized
In addition I want to devote attention on two "new" tools for administering Server 2008R2 an Server 2012. One Active Directory Administrative Center, which runs completely on Powershell and Server Manger which is an entirely integrated into PS.
In Windows Server 2003 and Windows Server 2008 operating systems, administrators can manage and to disclose information in their Active Directory environment by using Active Directory snap-ins linke AD Users and Computers Microsoft Management Console ( MMC ) snap -in . Beginning in Windows Server 2008 R2, now and in the Server 2012 ( and in all other subsequent ) in favor of using the Active Directory Users and Computers, administrators can manage their directories by using the new Active Directory Administrative Center.
As i said earlier, tool that works "on top" of PS, it actually means that each click or each operation via the graphical interface is powershell command that is executed in the background, quite transparently for the user. The same we have already saw in Exchange Server 2010 with the Exchange console.
The version of the Active Directory Administrative Center in Windows Server 2012 has additional improvements, including PowerShell Windows History Viewer that will help you learn the Active Directory cmdlets.
You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:
Creating new users (Users) or managing existing ones.
Create a new group (Group) or management of existing. Create new computer (account) or managing existing ones.
Creating new computer (account) or managing existing ones.
Creating new organizational units (OUs) and containers or manage existing OU.
Connecting to one or several (domain) or (domain controllers) simultaneously to view or manage the desired Active Directory (AD DS).
Filter AD DS and search the database (query).
In addition, you can use the GUI and modify it according to your needs and desires,meaning you can use a (custom) administrative center . This can help to improve your productivity and efficiency .
Active Directory Administrative includes features that are described in the following chapters . The following illustration shows the graphical user interface (GUI) and the administrative center and how it is organized
On the navigation panel you can see your available domain, global search and the option "dynamic access control" which is native to the Server 2012. "Dynamic Access Control" in the "Windows Server 2012" offers a new way of controlling access to resources.
In most cases data in an organization is stored on file servers, administrators must provide security and access control to file server resources.At the end DAC is a new access control mechanism for file-system resources. It will enable administrators to use a mechanism with which they can apply "central file-access policies" to every file server in the organization.
In most cases data in an organization is stored on file servers, administrators must provide security and access control to file server resources.At the end DAC is a new access control mechanism for file-system resources. It will enable administrators to use a mechanism with which they can apply "central file-access policies" to every file server in the organization.
“
Dynamic Access Control: An Active Directory Game Changer “
On the navigation panel you can see your available domain, global search and the option "dynamic access control" which is native to the Server 2012. "Dynamic Access Control" in the "Windows Server 2012" offers a new way of controlling access to resources.
In most cases data in an organization is stored on file servers, administrators must provide security and access control to file server resources. At the end DAC is a new access control mechanism for file-system resources. It will enable administrators to use a mechanism with which they can apply "central file-access policies" to every file server in the organization.
Dynamic Access Control provides:
Data classification - You can use automatic and manual classification of files to tag data in file servers across the organization.
Access control to files - Central access policies enable organizations to define who can access particular data.
Auditing of access to files. Central audit policies facilitate compliance reporting and forensic analysis.
In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and
their ACLs, administrators can control access to
resources, based on user name or group membership, and the level of access, such as Read-only, Change, or Full Control. However, once you
provide someone with Read-only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document. Yes you coud do that with RMS but the main thing of DAC is that for the first time you can set conditional access to files.Example, you can set permissions in a way that users could access a document if they were a
member of a specific group A and another group B or had the attribute EmployeeType set to "Full Time Employee". Or, you might want to set permissions so that only users that have a department attribute populated with the
same value as the department attribute for the resource can access the content.
"Dynamic Access Control" will allow you to identify data using auto or manual file classification (classification rules). For example, you can through tagged data files to any servers (file servers) in the organization of a rule base.
Also allows control of access to files by using the (safety-net policies) that use (central access policies).
http://technet.microsoft.com/en-us/library/hh831425.aspx
Provides access Audit (Audit) to files using the (central access) policies for compliance reporting (compliance) and forensic analysis. For example, you can determine which access to highly sensitive information in the company and therefore the security of the data to rise to a much higher level.
You can even integrate and DAC and RMS (Rights Management Services) protection using automatic RMS encryption on sensitive documents.For example, you can configure RMS to auto encrypt all documents containing personal or health insurance information.
Dynamic Access Control "Dynamic Access Control" in Windows Server 2012 can help improve authentication and authorization. Definitely new and great way that will help protect primary data across the company regardless of which server is located.
In this blog for those who already are working with administrative center in Server 2008R2 but still have not worked in Server 2012 and those who are already at an advanced level i will focus more on Dynamic Access Control, because I believe that is one of the most important improvements in server 2012 and that you need to pay attention.
Imagine the following scenario.
Department of finance and operations has a need for central policy to protect sensitive archived financial data stored on file servers . Archived finance information from each country can be accessed as read-only by the finance staff from the same country . A central financial (admin) group can access finance information from all countries .
So financial documents should be read only by members of the finance department . Members of the finance department only need to access documents in their own country . Only Finance Administrators need to have Write access. Exceptions will be allowed for members of FinanceException group. This group will have read access .
You start by creating a "Claim" type of ( proof) that the user that is requesting access is who he claim he is. This Claim will later be used in "Central Access Rules", but remember Server 2008 Domain Controller under default does not support authentication Claim and you will have to enable it. You can do that with GPO:
Group Policy Management - Domain Controllers - Default Domain Controllers Policy - Edit
Group Policy Management Editor - Computer Configuration – Policies - Administrative Templates - System – KDC
KDC Support for claims, compound authentication and Kerberos armoring - Options -
Enabled - Supported
Next create new Claim Type from Dynamic Access Control tasks panel.
UI
Source Attribute – department - Display name – department – ок
Source Attribute - Country-Name - Display name – country
Suggested Values - The following values are suggested - Add
Value and Display name fields – US – ок
Suggested Values - The following values are suggested - Add
Value and Display name fields – ЈP – ок
This would be much more simpler with powershell J
New-ADClaimType country -SourceAttribute c
-SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US","US","")),
(New-Object
Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP","JP","")))
New-ADClaimType department -SourceAttribute department
Next step is to create the "resource properties" which is auto-added to the Global Resource Properties list located on the domain controller and is available to all file servers in the company is involved. "Resource Properties" are properties (such as labels) that describe a file and are assigned to files by using automatic classification or manual classification. Examples include: Sensitivity, Project, and Retention period.
UI
Tasks - New - Reference Resource
Property
Select a claim
type to share its suggested values list – country
Display name - country – OK
Resource
Properties - Department - Еnable.
PS
New-ADResourceProperty Country -IsSecured $true
-ResourcePropertyValueType MS-DS-MultivaluedChoice -SharesValuesWith country
Set-ADResourceProperty Department_MS -Enabled $true
Add-ADResourcePropertyListMember "Global Resource Property
List" -Members Country
Add-ADResourcePropertyListMember "Global Resource Property
List" -Members Department_MS
Next is to create a "Central Access Rules" with which you will determine who on will have access to specific data based on previously created claim.
Central Access Rules is a rule that includes a condition and an access expression.
UI
Central Access Rules – New - Central Access Rule
Name - Finance Documents Rule
Target Resources - Edit -
Central Access Rule - Add a condition - [Resource] [Department] [Equals] [Value] [Finance - OK
Permissions section, - select Use following permissions as current permissions - Edit - Advanced Security Settings for Permissions - Add
Permission entry for Permissions dialog box, - Select a principal, type Authenticated Users – OK
Permission Entry for Permissions dialog box - Add a condition - [User] [country] [Any of] [Resource] [country]
[User] [Department] [Any of] [Resource] [Department]. Set the Permissions to Read.
PS
$countryClaimType = Get-ADClaimType country
$departmentClaimType = Get-ADClaimType department
$countryResourceProperty = Get-ADResourceProperty
Country
$departmentResourceProperty =
Get-ADResourceProperty Department
$currentAcl =
"O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1787166779-1215870801-2157059049-1113)(A;;0x1301bf;;;S-1-5-21-1787166779-1215870801-2157059049-1112)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER."
+ $countryClaimType.Name + " Any_of @RESOURCE." +
$countryResourceProperty.Name + ") && (@USER." +
$departmentClaimType.Name + " Any_of @RESOURCE." +
$departmentResourceProperty.Name + ")))"
$resourceCondition = "(@RESOURCE." +
$departmentResourceProperty.Name + " Contains
{`"Finance`"})"
New-ADCentralAccessRule
"Finance Documents Rule" -CurrentAcl $currentAcl -ResourceCondition
$resourceCondition
Note that in the above scripted command SID of the group should be replaced with your group SID (S-1-5-21-1787166779 to 1215870801-2157059049-1113)
To find SID the User or Group object in your AD DS you can use the PS command
$objGroup = New-Object
System.Security.Principal.NTAccount("adatum", "IT")
$strSID =
$objGroup.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
$objUser = New-Object System.Security.Principal.NTAccount("adatum",
"IT")
With previous command I have created a new rule for central access Central Access Rule.
Next step will be to add this rule (Central Access Rule) in the central access policy (Central Access Policies).
Next step will be to add this rule (Central Access Rule) in the central access policy (Central Access Policies).
UI
Tasks – New – Policy
Create Central Access
Policy - Name - Finance Policy
Member central access
rules - Add - Add the
following central access rules - Finance Documents Rule – ok
PS
New-ADCentralAccessPolicy "Finance
Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Member "Finance Documents Rule"
Next step will be to apply this policy Central Access Policies across all file servers in the company via GPO. In 2012 Server there is a new type of policy that we can use.
This would be roughly how the Dynamic Access Control with respect to the Central Access Policies, technology, I am confident you will pay a lot of attention.
How to use Powershell History?
How to use Powershell History?
No comments:
Post a Comment