Active Directory Security and Active Directory Delegation play a mission-critical role in global security and present an open challenge. A good Active Directory Audit Tool / Active Directory Reporting Tool / Active Directory Auditing Tool / Permissions Analyzer for Active Directory can help Audit Active Directory, generate Active Directory Reports and mitigate Active Directory Risks such as Active Directory Privilege Escalation, and find out who can reset your windows password. Today, even the US Department of Homeland Security runs on Active Directory.Today, tools like the Active Directory Effective Permissions Tab and Active Directory Permissions Analyzer can be used to perform Active Directory Permissions Analysis, prevent Token Bloat, Dump Active Directory ACLs, perform an Active Directory Audit and an Active Directory Access Audit.
Wednesday, June 30, 2010
What is the Active Directory Administrative Center?
It comes standard with Windows Server 2008 R2 and it can be used to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. It is meant to be the replacement of Active Directory Users and Computer (ADU&C) Snap-In and it certainly offers an enhanced management experience for IT administrators.
It can be used to manage domain user and computer accounts, domain security groups and of course Organizational Units and containers. It can also be used to filter data by using query-building search.
One of the key benefits of the Active Directory Administrative Center is that it can be used to manage objects across multiple domains, as long as they belong to the same Active Directory forest, or there exists a trust path between the local and the target domain.
One neat new feature of the Active Directory Administrative Center is the breadcrumb bar, which can be used to directly enter the location of a specific Active Directory object, so that you can directly navigate to that object.
Another neat feature is that it can be used to query the Active Directory based on richer criteria, such as the to find a list of locked user accounts. It however falls short in providing accurate information on last logons, as it does NOT query each DC, but instead relies on the approximation method which is based on the lastLogonTimeStamp attribute.
You can open the Active Directory Administrative Center is one of two ways - you can either click Start, then select Administrative Tools, then click on Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.exe.
It however can currently only run on running the Windows Server 2008 R2 operating system (and on Windows 7 clients using (RSAT)), and it cannot be used to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.
It is not without its downsides however in that it cannot be used to generate pretty printed reports which might be needed for security audits and compliance reporting, as the best one can do is perhaps export to CSV.
Also, because under the hood Active Directory Administrative Center, It is powered by PowerShell, and so while it is certainly more powerful than the its predecessor, the Active Directory Users and Computer MMC Snap-In, it can be sluggish at time.
In summary, the Active Directory Administrative Center is the first major revision to the Active Directory data management tools since the initial release of Active Directory way back in 2000. It certainly offers numerous visual and capability enhancements, but is neither intended to and cannot replace the need for dedicated/advanced Active Directory based reporting solutions.
Monday, May 24, 2010
What is delegation of administration?
An IT infrastructure of a typical medium and large organization is comprised of thousands of IT assets such as user accounts, computers, files and databases, applications and vital services (name resolution, service location, email and instant messaging, remote access, etc.), each of which needs to be adequately administered. In such IT infrastructures, it is not possible for a handful of administrators to adequately administer all aspects of the IT infrastructure.
Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together comprise the IT infrastructure are distributed (or delegated) amongst an adequate (and typically larger) number of (usually less-privileged) administrators, who are then individually or collectively responsible for managing smaller specific portions of the IT infrastructure.
The act of provisioning sufficient access so as to grant a delegated administrator the ability to carry out designated responsibilities is commonly referred to as administrative delegation.
Wednesday, May 12, 2010
What is Active Directory?
Clients can use the Active Directory to locate IT resources such as computers, network shares, and services. Active Directory provides access to its clients by virtue of the industry standard Lightweight Directory Access Protocol (LDAP) protocol.
It is also used to store and protect domain user accounts, security groups, computer accounts, service connection points, group policies and Microsoft Exchange mailboxes and distribution groups. It thus plays a central role in IT management, delegation of administrative responsibilities and the specification and deployment of host security and management policies.
Active Directory can be used to fulfill numerous IT requirements, ranging from the deployment of a NOS directory-service to the deployment of light-weight directory enabled applications.