You're reading from Mastering Active Directory, Third Edition

Product type: Book
Published in: Nov 2021
Publisher: Packt
ISBN-13: 9781801070393
Edition: 3rd Edition
Author: Dishan Francis

Dishan Francis is an IT professional with over 15 years of experience. He was a six-time Microsoft MVP in enterprise mobility before he joined Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-premises Active Directory services and Azure Active Directory. He has also written for other Microsoft-managed blogs such as canitpro and ITopsTalk. When it comes to managing innovative identity infrastructure solutions to improve system stability, efficiency, and security, his level of knowledge and experience places him among the very best in the field.

Managing Active Directory Objects

I started my career as a web content developer. I still remember my first day at work. It was a small software development company with about 20 engineers. I didn't know anything about Active Directory (AD) back then. On my first day, after the introduction process, my manager showed me to my desk. Then he told me my username and password for login. So, I turned on the computer and typed in my username and password to log in. Then, an on-screen message appeared saying I needed to set a new password. I typed in the most complex password I could think of for extra security, as instructed by my manager. After that, I logged in and started working. It was a pretty busy morning. After a quick break in the late afternoon, I came back to my seat to continue my work. I typed in my complex password to log in but failed. I tried it again but had the same result. I kept on trying, and after a few attempts I saw an account lockout message. I was kind of...

Tools and methods for managing objects

There are different tools and methods we can use to manage AD objects. When you install AD DS on a server, it will also enable access to these management tools. There are other third-party vendors who build AD management tools as well. But in this chapter, we will only be using built-in tools on Windows Server systems.

Windows Admin Center

Windows Admin Center is the latest Microsoft server management tool. It is a web-based application that you can use to manage Windows Server instances, Windows 10 PCs, clusters, and hyper-converged systems in an infrastructure. We also can use this tool to manage AD servers and AD objects. Before we look at that, let's study the architecture behind Windows Admin Center:

Figure 7.1: Windows Admin Center architecture

Once deployed, Windows Admin Center can be accessed from anywhere as long as the necessary firewall rules are in place. Windows Admin Center is a lightweight installation...

AD object administration with PowerShell

PowerShell provides more control over Windows' system functions and operations. PowerShell also simplifies the service/role configuration and management process. A single-line command can sometimes replace 10-15 clicks on a GUI. AD DS comes with the AD PowerShell module, which can be used to manage AD DS, Active Directory Lightweight Directory Services (AD LDS), and objects. AD objects can still be managed using Command Prompt, but PowerShell provides advanced, centralized control over AD components and services.

Any server that runs AD DS or AD LDS role services has the AD PowerShell module by default. It can also be enabled on a desktop computer or member server by installing RSAT.

If RSAT tools are installed on computers running PowerShell 2, you need to run Import-Module ActiveDirectory before using commands to manage AD.

Creating, modifying, and removing objects in AD

Creating, modifying, and removing...

Creating computer objects

When a desktop computer or member server is joined to a domain, it will create a computer object in AD.

This computer object can be created before being added to the domain. This will not add the device to the domain, but it can be used with offline domain joins and RODC domain joins.

In order to create a computer object, we can use the New-ADComputer cmdlet. To view the complete syntax of the command, use this:

Get-Command New-ADComputer -Syntax

The attribute you need to create a computer object is -Name:

New-ADComputer -Name "REBEL-PC-01" -SamAccountName "REBEL-PC-01" -Path "OU=Computers,OU=Europe,DC=rebeladmin,DC=com"

In the preceding example, the command creates the REBEL-PC-01 computer object in the OU=Computers,OU=Europe,DC=rebeladmin,DC=com OU. If you do not define the path, the object is created under the default computer container, CN=Computers,DC=rebeladmin,DC=com.
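The following script is an added example, not code from the book: it pre-stages several computer objects in the same OU, but first checks whether an object with that name already exists anywhere in the domain (sAMAccountName must be unique domain-wide), so the script can be re-run safely. The computer names, the description and the OU path are constructed for illustration.

```powershell
# Added example (not the book's code): pre-stage computer objects idempotently.
Import-Module ActiveDirectory

$targetOU = 'OU=Computers,OU=Europe,DC=rebeladmin,DC=com'   # constructed OU
$names    = @('REBEL-PC-02', 'REBEL-PC-03')                  # constructed sample names

foreach ($name in $names) {
    # -Filter returns nothing (no terminating error) when the name does not exist,
    # unlike -Identity, so it is the right lookup for an existence check.
    $existing = Get-ADComputer -Filter "Name -eq '$name'"

    if ($existing) {
        Write-Host "Skipping $name - already present at $($existing.DistinguishedName)"
        continue
    }

    # Computer account sAMAccountName values conventionally carry a trailing '$';
    # the backtick escapes the dollar sign inside the double-quoted string.
    New-ADComputer -Name $name `
                   -SamAccountName "$name`$" `
                   -Path $targetOU `
                   -Enabled $true `
                   -Description 'Pre-staged for offline domain join'

    Write-Host "Created $name in $targetOU"
}

# Verify what now sits directly in the OU (OneLevel: no child containers).
Get-ADComputer -Filter * -SearchBase $targetOU -SearchScope OneLevel |
    Select-Object Name, SamAccountName, Enabled, DistinguishedName
```

Run it from an account that has create-child rights on the target OU; the final query is the same check an administrator would do in ADAC after pre-staging.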

We very rarely...

Modifying AD objects

When we create objects, we define values for attributes. After we've created the objects, there may be situations where we need to edit the values of those attributes or add values to empty attributes.

We can use the Set-ADUser cmdlet to change and add attribute values to existing AD user objects:

Set-ADUser tidris -OfficePhone "0912291120" -City "London"

In the preceding sample command, we're adding values for the -OfficePhone and -City attributes for the tidris user.

There are occasions where you may need to change the existing value of an attribute:

Set-ADUser tidris -OfficePhone "0112291120"

In the preceding command, I'm replacing an existing value with a new one.

In the aforementioned commands, I defined the exact user account, but that's not practical if you need to do this for a large number of accounts. To do that, we need to combine the Set-ADUser cmdlet with the Get-ADUser...
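As an added example (not from the book), the script below applies the Get-ADUser / Set-ADUser combination to a whole OU: it selects the accounts server-side with -Filter, previews the change with -WhatIf, and then writes it, including an attribute that has no dedicated Set-ADUser parameter and is therefore set through -Replace. The OU path and the department and note values are constructed.

```powershell
# Added example (not the book's code): bulk attribute update with a dry run first.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Europe,DC=rebeladmin,DC=com'   # constructed OU

# -Filter is evaluated by the domain controller, so only matching objects are returned.
$targets = Get-ADUser -Filter "City -eq 'London' -and Enabled -eq 'True'" `
                      -SearchBase $searchBase `
                      -Properties Department, OfficePhone

Write-Host "Matched $(@($targets).Count) account(s)"

# Dry run: -WhatIf prints what Set-ADUser would do without touching the directory.
$targets | Set-ADUser -Department 'EU Operations' -WhatIf

# Real run once the preview looks right.
foreach ($user in $targets) {
    # Attribute with a dedicated parameter.
    Set-ADUser -Identity $user -Department 'EU Operations'

    # Attribute without one: address it by LDAP display name via -Replace
    # (-Add appends a value, -Clear removes all values of the attribute).
    Set-ADUser -Identity $user -Replace @{ info = 'Updated by bulk script' }
}

# Confirm the change from the directory rather than trusting the loop.
Get-ADUser -Filter "Department -eq 'EU Operations'" -SearchBase $searchBase -Properties Department |
    Select-Object SamAccountName, Department
```

Keeping the preview and the write as two separate steps is what turns a one-liner that can silently rewrite hundreds of accounts into a change you can review first.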

Removing AD objects

In order to remove AD user objects, we can use the Remove-ADUser cmdlet. We can find the complete syntax information using the following command:

Get-Command Remove-ADUser -Syntax

When using the cmdlet, we need to supply a value for the -Identity parameter to specify the account. We can use a distinguished name, GUID, SID, or the SamAccountName value to identify the account. If it is an AD LDS environment, we need to define the -Partition parameter too:

Remove-ADUser -Identity "dzhang"

The preceding command will remove the AD user object called dzhang from the directory. It will ask for confirmation before it removes the object.

This cmdlet can also be combined with the search query to find objects before removing them:

Get-ADUser -Filter {Name -like "Test1*"} | Remove-ADUser

In the preceding command, we search the entire directory for the user whose name starts with Test1 and then remove that user.
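Piping a wildcard search straight into Remove-ADUser removes whatever the pattern happens to match. The following added example (not the book's code) keeps the same Test1* pattern but scopes the search to an OU, lists the matches, refuses to continue if the match count is larger than expected, dry-runs the removal with -WhatIf, and skips objects that carry the accidental-deletion protection flag. The OU path and the threshold are constructed.

```powershell
# Added example (not the book's code): preview and bound a pattern-based removal.
Import-Module ActiveDirectory

$pattern    = 'Test1*'                          # same pattern as the book's command
$searchBase = 'OU=Test,DC=rebeladmin,DC=com'    # constructed; limits the blast radius
$maxExpected = 5                                # constructed sanity limit

$candidates = Get-ADUser -Filter "Name -like '$pattern'" -SearchBase $searchBase `
                         -Properties ProtectedFromAccidentalDeletion

# Show exactly what matched before anything is removed.
$candidates |
    Select-Object Name, SamAccountName, DistinguishedName, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize

if (@($candidates).Count -gt $maxExpected) {
    throw "Refusing to remove $(@($candidates).Count) accounts; '$pattern' matched more than expected."
}

# Dry run: one line per object, nothing deleted.
$candidates | Remove-ADUser -WhatIf

# Actual removal. Remove-ADUser prompts per object by default; -Confirm:$false
# suppresses that only because the preview above has been reviewed.
foreach ($user in $candidates) {
    if ($user.ProtectedFromAccidentalDeletion) {
        Write-Warning "$($user.Name) is protected from accidental deletion; skipping."
        continue
    }
    Remove-ADUser -Identity $user -Confirm:$false
    Write-Host "Removed $($user.SamAccountName)"
}
```

The protected objects are skipped rather than unprotected in place: if one of them really should go, clearing the flag is a deliberate, separate step.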

The Remove...

Finding objects in AD

The AD NTDS database can store more than two billion objects. So how easily can we locate a specific AD object? The most common way to locate an object in AD is to use ADAC or ADUC and browse through the containers. As the number of objects increases, so does the difficulty of locating objects in AD. In this section, we are going to look at more efficient ways of locating objects in an AD environment.

ADAC has enhanced query and filter capabilities. Since it's used via a GUI, it helps us to retrieve results faster compared to PowerShell.

In its management list, there is a filter box in the top section (once you've clicked on the domain name in the navigation pane). It doesn't change the view as you navigate through the containers. It helps you to filter the data displayed in the management list quickly. However, it doesn't search for objects at multiple levels (in different child containers):

Figure 7.22: Searching for AD...
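The ADAC filter box works on a single container at a time. The following added example (not the book's code) shows the PowerShell equivalents that search an entire subtree: the same query written with the cmdlet's own filter syntax and as an LDAP filter, a search on an arbitrary attribute, and a search for computer accounts that have not logged on for 90 days. The OU path, department and description values are constructed.

```powershell
# Added example (not the book's code): subtree searches the ADAC filter box cannot do.
Import-Module ActiveDirectory

$root = 'OU=Europe,DC=rebeladmin,DC=com'   # constructed search root

# 1. PowerShell filter syntax, whole subtree, evaluated on the domain controller.
Get-ADUser -Filter "Department -eq 'Sales' -and Enabled -eq 'True'" `
           -SearchBase $root -SearchScope Subtree -Properties Department |
    Select-Object SamAccountName, Department, DistinguishedName

# 2. The same query as an LDAP filter; handy when reusing filters from other tools.
Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user)(department=Sales))' `
             -SearchBase $root -SearchScope Subtree -Properties department |
    Select-Object Name, department

# 3. Any object class, matched on an attribute that is not shown in the GUI list.
Get-ADObject -Filter "Description -like '*CHG-*'" -SearchBase $root -Properties Description |
    Select-Object ObjectClass, Name, Description

# 4. Computer accounts with no logon in 90 days anywhere under the root.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -ComputersOnly -SearchBase $root |
    Select-Object Name, LastLogonDate, DistinguishedName
```

-SearchScope Subtree is the default, so it can be omitted; it is spelled out here because the whole point of the comparison with ADAC is the scope.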

Preventing the accidental deletion of objects

When working with AD objects, it is possible to delete an AD object accidentally. When an AD object is deleted accidentally, the impact on the business will depend on the AD object's role. As an example, if a service account for a critical service is deleted, the business impact will be higher than for the deletion of a test user account. With AD DS 2008, Microsoft introduced a small but important feature to prevent accidental AD object deletion. This is not a solution to recover from disasters but a solution to prevent disasters. In every AD object, under the Object tab, there is a small checkbox to enable this feature. This can be enabled when we create objects using PowerShell. Even if we're not using PowerShell, it can still be enabled using the Object properties window at any time. When creating an OU, this feature is enabled by default:

Figure 7.27: Protect object from accidental deletion

When this option is...
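The following added example (not the book's code) shows the protection feature from PowerShell end to end: creating an account with the flag set, auditing a subtree for OUs and accounts that are not protected, turning the flag on, and then demonstrating what it does by attempting a removal that is blocked. The OU path and the svc-backup account name are constructed.

```powershell
# Added example (not the book's code): audit and enable ProtectedFromAccidentalDeletion.
Import-Module ActiveDirectory

$base = 'OU=Europe,DC=rebeladmin,DC=com'   # constructed OU

# New-AD* cmdlets accept the flag at creation time.
New-ADUser -Name 'svc-backup' -SamAccountName 'svc-backup' -Path $base `
           -ProtectedFromAccidentalDeletion $true      # constructed service account

# Audit: OUs and user-class objects (computers also carry the user class) that are
# NOT protected. The flag is an extended property, so it must be requested explicitly.
$unprotected = Get-ADObject -Filter "ObjectClass -eq 'organizationalUnit' -or ObjectClass -eq 'user'" `
                            -SearchBase $base -Properties ProtectedFromAccidentalDeletion |
               Where-Object { -not $_.ProtectedFromAccidentalDeletion }

$unprotected | Select-Object ObjectClass, Name, DistinguishedName | Format-Table -AutoSize

# Enable it on every unprotected OU and on service accounts named svc-*.
$unprotected |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -or $_.Name -like 'svc-*' } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# What the flag does: the deletion is refused with an access-denied error
# until the flag is cleared again, which is the deliberate extra step.
try {
    Remove-ADUser -Identity 'svc-backup' -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Deletion blocked: $($_.Exception.Message)"
}
```

Running only the audit part on a schedule is a cheap way to catch objects that were created by scripts or tools that never set the flag.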

AD recycle bin

When an object is deleted from AD, it is not permanently deleted. As soon as an object is deleted, the system will set the isDeleted attribute value to True and move the object to CN=Deleted Objects:

Figure 7.29: Deleted AD object

Then, the deleted object will stay there until the system reaches the tombstone lifetime value. By default, this is 180 days, and it can be changed if required. As soon as the object passes the tombstone lifetime value, it can be permanently deleted.

An essential function of an AD database is online defragmentation. This process uses the garbage collector service to remove deleted objects from the AD database and release space back to the database. This service runs every 12 hours. Once the deleted object exceeds the tombstone lifetime value, the object will be permanently removed in the next garbage collector service cycle. The problem with this is that during the tombstone process, most of the object values are stripped...
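The following added example (not the book's code) reads the lifetime values discussed above from the configuration partition, checks whether the Recycle Bin optional feature is enabled in the forest, and restores a deleted user from CN=Deleted Objects. The account name reuses dzhang from the removal example; the forest name in the commented Enable line is a placeholder.

```powershell
# Added example (not the book's code): lifetime settings, Recycle Bin status, restore.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# tombstoneLifetime and msDS-DeletedObjectLifetime live on the Directory Service object.
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                   -Properties tombstoneLifetime, msDS-DeletedObjectLifetime
# If tombstoneLifetime is not set at all, the effective value is 60 days (the
# pre-2003 SP1 default), not the 180 days that newer forests are created with.
"Tombstone lifetime: $($ds.tombstoneLifetime) days"
"Deleted object lifetime: $($ds.'msDS-DeletedObjectLifetime') days"

# Recycle Bin is a forest-wide optional feature; EnabledScopes is empty when it is off.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    Write-Warning 'Recycle Bin is not enabled; deleted objects lose most attributes immediately.'
    # Enabling is irreversible and applies to the whole forest:
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    #     -Scope ForestOrConfigurationSet -Target 'FOREST-FQDN-PLACEHOLDER'
}

# Locate the deleted object in CN=Deleted Objects and restore it to its last known parent.
$sam = 'dzhang'   # account from the book's Remove-ADUser example
$deleted = Get-ADObject -Filter "SamAccountName -eq '$sam' -and isDeleted -eq `$true" `
                        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

if ($deleted) {
    "Found $($deleted.Name), deleted $($deleted.whenChanged), former parent $($deleted.lastKnownParent)"
    $deleted | Restore-ADObject
    Get-ADUser -Identity $sam | Select-Object Name, Enabled, DistinguishedName
} else {
    Write-Warning "No deleted object with sAMAccountName '$sam' found."
}
```

Restore-ADObject puts the object back under lastKnownParent; if that OU itself was deleted, restore the OU first, then the objects that lived in it.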

Summary

There are lots of different tools out there for managing AD objects. In this chapter, we looked at the tools built by Microsoft to manage AD objects. Each and every tool has different characteristics, and we learned how we can use them to add, edit, and remove AD objects effectively. We also learned how we can use different tools and technologies to search for specific AD objects and attribute values. Last but not least, we looked at features that we can use to prevent the accidental deletion of AD objects.

In the next chapter, we will dive deep into AD objects and attributes, evaluating different types of objects and their roles in an AD environment.
