Setting fine-grained password policies

Fine-grained password policies apply to users and global security groups, not to OUs (they also need a domain functional level of Windows Server 2008 or higher).

If you need a different password policy to apply to the members of an OU, a good way to do this is to create a shadow group: a global security group named after the OU whose membership mirrors the OU. Nothing keeps the two in sync automatically, so the group has to be updated as users are added to or moved out of the OU.

I am going to demonstrate this on the Gold Coast OU, so I created a group called Gold Coast.

From PowerShell, enter the following command on one line. Two values are worth a second look: -LockoutThreshold 0 disables account lockout entirely for users covered by this policy, and -Precedence 1 means it wins over every other fine-grained policy that applies to the same user, since the lowest precedence value takes effect.

PS C:\Users\Administrator> New-ADFineGrainedPasswordPolicy GoldCoastPolicy -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"9" -PasswordHistoryCount:"10" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true


Then, to apply the fine-grained policy to the group:

Add-ADFineGrainedPasswordPolicySubject GoldCoastPolicy -Subjects 'Gold Coast'

Or, in the Active Directory Administrative Center (ADAC), navigate to Domain > System > Password Settings Container and create the policy there.
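
The whole shadow-group procedure in one script, as an added example that is not part of the original page: it creates the shadow group, keeps its membership equal to the OU's users, creates the policy if it is missing, attaches it, and then checks the resultant policy each user actually gets. The OU distinguished name, and the lockout and length values (which are stricter than the command above and do enable lockout), are assumptions.

```powershell
# Added example: shadow group + fine-grained password policy + verification.
# Assumptions (not from the original page): the OU DN below, the group name
# "Gold Coast" and the policy name GoldCoastPolicy.
Import-Module ActiveDirectory

$ouDn       = 'OU=Gold Coast,DC=example,DC=com'   # assumed DN of the OU
$groupName  = 'Gold Coast'
$policyName = 'GoldCoastPolicy'

# 1. Shadow group: must be a global security group, since a fine-grained
#    policy cannot target an OU or a domain local group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}

# 2. Make the group membership equal to the users in the OU (including sub-OUs).
#    Run this on a schedule: nothing updates the group when users are moved.
$ouUsers = Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter * |
           Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $groupName |
           Select-Object -ExpandProperty distinguishedName
$toAdd    = $ouUsers | Where-Object { $_ -notin $members }
$toRemove = $members | Where-Object { $_ -notin $ouUsers }
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 3. The policy. Unlike the command on the page this one enables lockout
#    (10 bad passwords within 30 minutes locks the account for 30 minutes).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# 4. Verify. The resultant policy is what a user is actually held to after
#    precedence has been applied across every policy that targets them; users
#    with no fine-grained policy fall back to the domain default.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -SearchBase $ouDn -Filter * | ForEach-Object {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $_
    if ($rsop) { $name = $rsop.Name;             $min = $rsop.MinPasswordLength }
    else       { $name = 'Default Domain Policy'; $min = $default.MinPasswordLength }
    [pscustomobject]@{ User = $_.SamAccountName; Policy = $name; MinLength = $min }
} | Format-Table -AutoSize
```

Step 4 is the check worth keeping around: a user who is in the OU but not yet in the shadow group, or who is also in a group with a lower precedence value, silently gets a different policy than the one you think you applied.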

Delegating Control

You can give a user the rights to perform certain tasks that they would not ordinarily have based on their group membership.

This can be applied at the domain or OU level.

In the example I am about to do, I give GoldCoastUser1 the right to change passwords in the Gold Coast OU.

Right-click the Gold Coast OU in Active Directory Users and Computers, select Delegate Control and click Next on the welcome page of the Delegation of Control Wizard.

Click Add and add the user you want to delegate control to.

Click Next.

Here you have the choice of delegating common preset tasks or creating a custom task to delegate.

Click Finish. That is all there is to it for a preset task such as resetting user passwords. The wizard writes the corresponding access control entries onto the OU; it cannot show or remove them later, so to review or undo a delegation open the OU's Properties > Security > Advanced.
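
The same delegation done without the wizard, as an added example rather than code from the original page. The preset "Reset user passwords and force password change at next logon" grants two things on user objects under the OU: the Reset Password extended right and write access to the pwdLastSet attribute. The script grants exactly those and then reads them back, which is also how you audit delegations the wizard has made before. The OU distinguished name is an assumption.

```powershell
# Added example: grant GoldCoastUser1 password-reset rights over user objects in
# an OU with an explicit ACL edit, then list what was granted.
# Assumption (not from the original page): the OU DN below.
Import-Module ActiveDirectory

$ouDn     = 'OU=Gold Coast,DC=example,DC=com'   # assumed DN of the OU
$delegate = Get-ADUser -Identity 'GoldCoastUser1'
$sid      = [System.Security.Principal.SecurityIdentifier] $delegate.SID

# Fixed schema GUIDs, identical in every forest.
$resetPasswordRight = [Guid] '00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetAttr     = [Guid] '28630ebf-41d5-11d1-a9c1-0000f80367c1'  # pwdLastSet attribute
$userClass          = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the Reset Password extended right, inherited only by user objects below the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordRight, $inherit, $userClass))

# ACE 2: read/write pwdLastSet. "User must change password at next logon" is
# implemented by writing pwdLastSet = 0, so the preset needs this as well.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $pwdLastSetAttr, $inherit, $userClass))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back every ACE on the OU that names the delegate. Run this part on its
# own to review (or decide to remove) delegations made earlier with the wizard.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($delegate.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

One caveat that applies to the wizard just as much as to this script: password-reset rights over an account are effectively control of that account, so check what ends up in the OU before delegating. Accounts in protected groups (Domain Admins and the like) have their ACLs reset from AdminSDHolder, so the delegation will not work on them, which is the intended protection rather than a bug.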


Setting up local account policies

The first way to manage local account policies is through the Local Group Policy Editor.

You open it by typing gpedit.msc at the Run prompt.

From here you can set Password Policy and Account Lockout Policy, both under Computer Configuration > Windows Settings > Security Settings > Account Policies.

Set these as required by double-clicking a setting and changing its value.

The Explain tab describes what the setting does.

Another way of doing this is the Local Security Policy console; type secpol.msc at the Run prompt to open it.


This displays the same security settings as the local group policy editor and they are edited in much the same way.

Another way is to use security templates.

Open an MMC console and add the Security Configuration and Analysis and Security Templates snap-ins.

Start with the Security Templates snap-in: create a new template (here example.inf), which stores the settings as a plain text file, and make changes to it as required.

Then go to Security Configuration and Analysis, right-click it and choose Open Database. Give the new database a name, then select the example.inf created previously and click Open.

Now either choose Analyze Computer Now, which will report every setting where your computer differs from the template, or Configure Computer Now, which will configure your computer as per the template. On a domain-joined computer, settings delivered by Group Policy are re-applied at the next refresh and override whatever you configure here, and on a domain controller the domain accounts are governed by the domain password policy in Group Policy, so these local tools are really for standalone machines and local accounts.
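
The analysis and configuration the snap-in performs can be scripted with secedit, which is the tool behind it. Below is an added example (not from the original page) that writes a baseline template, exports the policy currently in effect, lists every [System Access] setting that differs, and applies the template only when an environment variable asks for it. The baseline values and the APPLY_BASELINE variable are assumptions.

```powershell
# Added example: "Analyze Computer Now" and "Configure Computer Now" from the
# command line. Run from an elevated prompt. The baseline values below are
# illustrative assumptions, not settings from the original page.
$work     = Join-Path $env:TEMP 'acctpol'
$baseline = Join-Path $work 'baseline.inf'
$current  = Join-Path $work 'current.inf'
$database = Join-Path $work 'baseline.sdb'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed template. Only [System Access] matters here; [Unicode] and
# [Version] are the header secedit expects in every template.
@'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $baseline -Encoding Unicode

# Export the policy in effect right now (the same data secpol.msc displays).
secedit /export /cfg $current /areas SECURITYPOLICY /quiet | Out-Null

# Minimal .inf parser that returns the [System Access] section as a hashtable.
function Get-SystemAccess([string] $Path) {
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $values[$Matches[1]] = $Matches[2] }
    }
    return $values
}

$want = Get-SystemAccess -Path $baseline
$have = Get-SystemAccess -Path $current

# Analysis: every setting where the machine differs from the template.
$drift = foreach ($key in $want.Keys) {
    if ($have[$key] -ne $want[$key]) {
        [pscustomobject]@{ Setting = $key; Current = $have[$key]; Baseline = $want[$key] }
    }
}
$drift | Format-Table -AutoSize

# Configuration, only when explicitly requested (assumed opt-in variable).
if ($drift -and $env:APPLY_BASELINE -eq '1') {
    secedit /configure /db $database /cfg $baseline /areas SECURITYPOLICY /quiet
}
```

Two details to watch in the template: LockoutBadCount = 0 means lockout is off, and ResetLockoutCount must not be larger than LockoutDuration or secedit will reject the configuration.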

Restoring Active Directory

There are two types of AD restore: non-authoritative, where the restored directory is then brought up to date by normal replication from the other domain controllers, and authoritative, where selected restored objects are marked with ntdsutil so that they replicate out and overwrite what the other domain controllers hold (for example to bring back a deleted OU).

To do an AD restore you should be in Directory Services Restore Mode, but as my server is in the AWS cloud I cannot do that, so I will demonstrate all the steps that it allows me to.

To put the DC into Directory Services Restore Mode you can use the commands below. Once the server comes back up you log on with the local DSRM administrator account and the DSRM password that was set when the domain controller was promoted:

bcdedit /set safeboot dsrepair
shutdown -r -t 0

Go to Windows Server Backup and from the Actions menu select Recover.

Select the most recent backup that contains the system state.

Select System State as the item to restore and complete the wizard.

To remove the safeboot setting afterwards use:

bcdedit /deletevalue safeboot
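
The same restore from the command line, as an added example that is not part of the original page. It is split into functions because the steps happen on either side of a reboot: set the DSRM boot flag, restore the system state in DSRM, optionally mark a subtree authoritative before rebooting, then clear the flag. The backup target, the version identifier and the OU distinguished name are placeholders; take the real identifier from wbadmin get versions.

```powershell
# Added example: command-line system state restore, run one function at a time
# in the order shown. All three values below are placeholders, not from the page.
$backupTarget = 'D:'
$version      = '09/15/2023-02:00'                  # placeholder: MM/DD/YYYY-HH:MM, as printed by "wbadmin get versions"
$subtreeDn    = 'OU=Gold Coast,DC=example,DC=com'   # placeholder: the part of the directory to restore authoritatively

function Enter-DsrmBoot {
    # Step 1 (normal mode): make the next boot Directory Services Restore Mode.
    bcdedit /set safeboot dsrepair
    shutdown -r -t 0
}

function Restore-SystemState {
    # Step 2 (in DSRM, logged on as the local DSRM administrator): list what is
    # on the target, then do a non-authoritative restore of the chosen version.
    wbadmin get versions -backupTarget:$backupTarget
    wbadmin start systemstaterecovery -version:$version -backupTarget:$backupTarget -quiet
}

function Set-AuthoritativeSubtree {
    # Step 3 (still in DSRM, after the restore and before rebooting): mark one
    # subtree authoritative so it overwrites what the other DCs replicate back.
    # Skip this step for a plain non-authoritative restore. The DN is quoted
    # because it contains a space.
    ntdsutil 'authoritative restore' "restore subtree `"$subtreeDn`"" quit quit
}

function Exit-DsrmBoot {
    # Step 4: clear the flag and reboot normally; replication then brings the
    # DC up to date (or pushes the authoritative subtree out to the others).
    bcdedit /deletevalue safeboot
    shutdown -r -t 0
}
```

Backups older than the forest's tombstone lifetime (180 days by default on current forests) are refused, because restoring them would reintroduce objects the other DCs have already forgotten were deleted, so the schedule in the next section matters for restores as much as for disaster recovery.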


Backing up Active Directory

There are two ways to do an Active Directory backup natively: Windows Server Backup and the wbadmin command-line tool. Both back up the system state, which on a domain controller includes the AD database, SYSVOL and the registry.

Before you use Windows Server Backup you need to install the Windows Server Backup feature from Server Manager (Add Roles and Features).

Open Windows Server Backup from the Tools menu.

You can choose a local or online backup (I am demonstrating local).

Click Next.

Select Custom and click Next.

In the Select Items for Backup dialog box, click Add Items, select System State and click OK.

Click Next.

Select a schedule that suits your environment and click Next.

Select a destination that suits you and click Next.

If your backup destination is not showing, click Show All Available Disks.

Select the one you want and click OK.

Select the correct backup disk and click Next.

At the confirmation screen click Finish.

The scheduled task can be viewed in Task Scheduler.

Or with wbadmin:

wbadmin start systemstatebackup -backupTarget:d:

You could put that in a batch file and schedule it. Whichever way you schedule it, remember that a system state backup contains the AD database (ntds.dit) and with it every account's password hash, so the backup target needs the same protection as the domain controller itself.
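
The wbadmin command scheduled with a proper task rather than a batch file, as an added example that is not part of the original page. It installs the feature if needed, registers a daily task running as SYSTEM, runs it once, lists the versions on the target, and restricts the backup folder to administrators. The drive letter, time and task name are assumptions.

```powershell
# Added example: scheduled system state backup with wbadmin.
# Assumptions (not from the original page): target drive D:, 02:00 daily, task name.
$target   = 'D:'
$taskName = 'AD System State Backup'

# Windows Server Backup is a feature that is not installed by default.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}

# Runs as SYSTEM, elevated. -quiet suppresses wbadmin's Y/N prompt so the task
# cannot hang waiting for input nobody will give it.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
                 -Argument "start systemstatebackup -backupTarget:$target -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At 2:00am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it once now and wait for it to finish, so there is a known-good backup today.
Start-ScheduledTask -TaskName $taskName
do { Start-Sleep -Seconds 30 } while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')

# The versions a restore can pick from.
wbadmin get versions -backupTarget:$target

# The backup folder holds ntds.dit, i.e. every password hash in the domain:
# allow nobody but administrators and SYSTEM to read it.
icacls "$target\WindowsImageBackup" /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
```

If the target is a removable disk or a share, treat it like a copy of the domain controller: BitLocker on the disk, or a share that only the backup account and administrators can reach.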


Viewing and changing operations masters

Using the GUI you can find the RID, PDC and Infrastructure roles in Active Directory Users and Computers: right-click the domain and select Operations Masters.

By clicking the Change button you can move each role to another domain controller.

Before doing that you need to connect the console to the domain controller you want to transfer the role to (right-click Active Directory Users and Computers and select Change Domain Controller), because the Change button transfers the role to whichever DC the console is currently connected to.

To view and change the Domain Naming Master role you need to use Active Directory Domains and Trusts.

Right-click the root of the console and select Operations Master.

To view the Schema Master role you need to open the Active Directory Schema snap-in in an MMC console (the snap-in is not listed until schmmgmt.dll has been registered), right-click the root and select Operations Master.

A quicker way of viewing these roles is with netdom or PowerShell:

netdom query fsmo

With PowerShell, Get-ADDomain shows the domain-level roles:

Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

and Get-ADForest shows the forest-level roles (SchemaMaster and DomainNamingMaster).

ntdsutil can be used to transfer roles if you do not have access to the GUI.


Transferring the other roles is the same except for the transfer PDC line. The options are:

Transfer infrastructure master
Transfer naming master
Transfer PDC
Transfer RID master
Transfer schema master

Note: in the connect to server line, connect to the server you want to transfer the roles to, because ntdsutil transfers the role to the server it is connected to.


There are also options for seizing the roles, which you should only do if the server holding them is permanently offline. A server whose roles were seized must never be brought back onto the network without its metadata first being removed from the forest, otherwise two DCs will claim the same role.
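
The PowerShell equivalent of the transfer and seize operations, as an added example that is not part of the original page. It records the holders before and after, moves every role to one DC, and then asks each domain controller directly who it thinks holds the PDC Emulator, which catches the case where a transfer has not replicated yet. DC2 is an assumed server name.

```powershell
# Added example: transfer (and, commented out, seize) operations master roles.
# Assumption (not from the original page): the target DC is called DC2.
Import-Module ActiveDirectory

$target = 'DC2'   # assumed name of the DC that should hold the roles

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", as one object.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-PdcAgreement {
    # Ask each DC directly who it believes holds the PDC Emulator role. Until
    # replication has caught up a DC can still report the old holder.
    Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            QueriedDC   = $_.HostName
            PDCEmulator = (Get-ADDomain -Server $_.HostName).PDCEmulator
        }
    }
}

Write-Output 'Before:'
Get-FsmoHolders | Format-List

# Transfer: the current holder and the target must both be online. Domain roles
# need Domain Admins; the forest roles need Enterprise Admins (and Schema Admins
# for the schema master).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, DomainNamingMaster, SchemaMaster `
    -Confirm:$false

# The same transfer of one role with ntdsutil, for when the AD module is unavailable:
#   ntdsutil roles connections "connect to server DC2" quit "transfer pdc" quit quit

Write-Output 'After:'
Get-FsmoHolders | Format-List
Test-PdcAgreement | Format-Table -AutoSize

# Seize (uncomment) only when the holder will never come back. -Force attempts
# a transfer first and seizes if the holder does not respond. The old holder
# must not be powered on again until its metadata has been removed.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Force -Confirm:$false
```

Test-PdcAgreement is the check to run after any transfer or seizure: if two DCs disagree for longer than a replication cycle, something is wrong with replication rather than with the transfer.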


Setting up offline files

Right-click the share you want to make available offline and select Properties.

Go to the Sharing tab and click Advanced Sharing.

Click Caching.

Here there are three choices: only the files and programs that users specify, no files or programs from the share, and all files and programs that users open from the share. Choose the one that is appropriate.

Click OK to close the dialog boxes.

Then open the folder from another computer and, to make it available offline, right-click it and select Always available offline.
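
The Caching dialog is a front end for the share's CachingMode, which can be set and audited with the SmbShare cmdlets. Below is an added example (not code from the original page) that creates a share, sets the same option the dialog offers, and lists every share on the server that still lets clients take files offline. The share name, path and group are assumptions.

```powershell
# Added example: share caching from PowerShell, plus an audit of all shares.
# Assumptions (not from the original page): share name, path and the group.
$shareName = 'GoldCoast'
$sharePath = 'D:\Shares\GoldCoast'
$group     = 'EXAMPLE\Gold Coast'   # assumed domain group

if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
    New-SmbShare -Name $shareName -Path $sharePath `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $group | Out-Null
}

# CachingMode values correspond to the three choices in the Caching dialog:
#   Manual    only the files and programs that users specify (default for a new share)
#   None      no files or programs from the share
#   Documents all files and programs users open (Programs is the "optimize for performance" variant)
Set-SmbShare -Name $shareName -CachingMode Manual -Force

# A share holding sensitive data should not be cacheable at all: once a client
# pins a file, a copy of it lives on that client's disk. For such a share use:
# Set-SmbShare -Name 'Payroll' -CachingMode None -Force

function Get-CacheableShares {
    # Every non-administrative share that still allows clients to take files offline.
    Get-SmbShare | Where-Object { -not $_.Special -and $_.CachingMode -ne 'None' } |
        Select-Object Name, Path, CachingMode
}

Get-SmbShare -Name $shareName | Select-Object Name, Path, CachingMode
Get-CacheableShares | Format-Table -AutoSize
```

Whichever option is chosen, a pinned file is a copy on the client's disk, so laptops that use offline files should have BitLocker enabled or the Offline Files cache encrypted (the "Encrypt the Offline Files cache" Group Policy setting under Administrative Templates > Network > Offline Files).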