Windows Server 2012: Installing Active Directory Users and Computers and Group Policy Management Console – 404 Tech Support



Managing Active Directory and Group Policy can be a little obscure because of the prerequisite of installing the Remote Server Administration Tools on Windows 7 and 8. In Server 2012, there is no separate install of the RSAT tools; you just have to know where to look. Fortunately, it proves consistent by being part of the Add/Remove Roles and Features part of the Windows Server operating system. I like the role-based installations because they greatly simplify the install process, give you a list of Server's native capabilities, and keep the installation minimal by letting you manually choose what you want installed after the fact.

To get the Active Directory Users and Computers, you want to be sure to install just the tools you need, not the entire domain services on your server. That is, unless you wish to make your server a domain controller.

Open up Server Manager by clicking the icon pinned to the Taskbar or by right-clicking Computer and choosing Manage. In the top-right corner of the window, go up to the Manage menu and click Add Roles and Features.

From here, you will go through a dialog wizard. Follow the on-screen instructions to get to the install on the server you want configured. Choose Role-based or feature-based installation and select your server.

Unless there are other roles you would like installed, skip Server Roles and hit Next to get to the Features.

On the Features page, check Group Policy Management Tools.

The description reads: Group Policy Management is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the Enterprise. Group Policy Management is the standard tool for managing Group Policy.

Scroll down a little to get to Remote Server Administration Tools – Role Administration Tools – AD DS and AD LDS Tools and check those boxes, particularly AD DS Snap-Ins and Command-Line Tools.

The description reads: Active Directory Domain Services Snap-Ins and Command-Line tools includes Active Directory Users and Computers, Active Directory Domains and Trusts, Active Directory Sites and Services, and other snap-ins and command-line tools for remotely managing Active Directory domain controllers.

You can also select other tools you want like the Active Directory Administrative Center but to specifically get just Active Directory Users and Computers, check the box in front of AD DS Snap-Ins and Command-Line Tools.

Confirm your selections and let the install do its work.

Once the installation completes, you will see Active Directory Users and Computers and Group Policy Management Console on the Start Screen. You can also find them under the Administrative Tools folder should you want to copy a shortcut to your desktop. Note: using the GPMC from Server 2012 gives you access to the new Windows 8 and Server 2012 Group Policies.
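The same two features the wizard steps above select can be installed from an elevated PowerShell prompt on Server 2012. The script below is an added example, not from the 404 Tech Support article; the feature names GPMC and RSAT-ADDS-Tools are the ones Get-WindowsFeature reports for Group Policy Management and AD DS Snap-Ins and Command-Line Tools.

```powershell
# Added example (not from the original article): install Group Policy
# Management and the AD DS snap-ins from PowerShell on Windows Server 2012.
# Run from an elevated prompt on the server you want configured.
Import-Module ServerManager

# GPMC            = Group Policy Management (the GPMC console)
# RSAT-ADDS-Tools = AD DS Snap-Ins and Command-Line Tools (includes ADUC)
$features = 'GPMC', 'RSAT-ADDS-Tools'

# Show what is already present before changing anything.
Get-WindowsFeature -Name $features |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Install only the management tools, not the AD-Domain-Services role itself,
# so this server does not become a domain controller.
$result = Install-WindowsFeature -Name $features

if (-not $result.Success) {
    throw "Feature installation failed with exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to finish the installation.'
}

# Verify: both features should now report Installed.
Get-WindowsFeature -Name $features |
    Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "$($_.Name) is still not installed" }

# Optional extras mentioned in the article, if you want them as well:
#   RSAT-AD-AdminCenter  Active Directory Administrative Center
#   RSAT-AD-PowerShell   Active Directory module for Windows PowerShell
```

Keeping the feature list to the two RSAT tools is the scripted equivalent of skipping the Server Roles page: the AD-Domain-Services role is never selected, so nothing on the server is promoted.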



MaxPowerSoft, Maker of Active Directory Reports, LDAP Reporting Tool



Active Directory Reports Professional


    Why use Active Directory Reports software for your auditing needs?

    • Scheduler as Windows Service.
    • More than 300 predefined User, Group, OU, Computer, GPO, Contact, Exchange, Printer and NTFS reports
    • Built-in scheduler. Run any number of reports at any time
    • Customize existing or create and save your own custom reports
    • Save report settings for the selected domain or for all domains in the current forest
    • Export reports to PDF, CSV, TXT, XLS, RTF, HTML and other formats.
    • LDAP query builder. Create your own LDAP query and apply it to any report.
    • True information from non-replicated attributes including lastLogon, badPasswordTime, badPwdCount, logonCount and whenChanged
    • True locked out User report based on domain lockout policy.
    • True Last Logon information.
    • Ability to exclude domain controllers from scanning. Select only domain controllers you want to scan.
    • AD Reports automatically exclude inaccessible domain controllers from scanning for better performance.
    • Start your search from any container or search the entire domain
    • Group members. Load direct or/and nested members. Include nested group name and primary membership.
    • User membership. Load direct or all security and distribution groups with nested groups including primary group.
    • Translate Foreign Security principals into NT Account name.
    • Current forest and selected domain information
    • Domain security and lockout policy, domain LDAP attributes
    • Detailed information of any selected Active Directory object, including General Information, Security Information, Membership and LDAP attributes.
    • Use predefined or any active directory attributes
    • Customizable Print Preview. Apply your own watermark, create your own headers / footers, send a report via e-mail.
    • Built-in grid grouping, sorting and filtering
    • Many different skins, from professional to funny, if you want to have some fun while you are waiting for your reports 🙂


    Software Requirements: Windows, .NET Framework 4.5.1
    AD Reports can be installed on a domain server or a workstation joined to Active Directory.


CSVDE – Examples: bulk import user accounts into Active Directory


CSVDE Import

Introduction to CSVDE -i Bulk Import

The purpose of this page is to show you how to bulk import user accounts into Active Directory using CSVDE. Here are scenarios where CSVDE will save you repetitive work:

  • To create hundreds of new users in a Windows Server 2003 or 2000 domain.
  • To import thousands of NT 4.0 users into a brand new Active Directory domain.
  • To migrate directory services from Exchange 5.5 into Active Directory.

Topics for CSVDE Import

1) Practice with CSVDE Export. Remember that seven minutes of planning will save you an hour of rework. It may seem eccentric to start with an export when all you want to do is import, but trust me: always start with CSVDE export. Here is my reasoning: gain experience of CSVDE switches in conditions where you can do no harm to Active Directory.

When you use CSVDE -i -f filename to import user accounts, you make changes that will be difficult to reverse. In export mode, you can do no harm to Active Directory; starting with CSVDE -f filename.csv will also help build up your understanding of the switches, or what Microsoft calls the parameters.

2) Learn the precise spelling of LDAP fields, for example sAMAccountName is correct, sAMAaccountNames has two mistakes and would cause the import to fail. (This LDAP name is singular, and the double Aa is incorrect.)

3) Create a good .CSV file and learn as much as you can about the LDAP fields in the first row. When you export a user, you get a spreadsheet full of LDAP attributes, for example sn, phone, email and many more besides. My advice is to investigate which of the LDAP fields in the first row are compulsory, which are optional, which have strange numeric data, and which you can safely ignore when you switch CSVDE to import mode.

My theme is getting you started. Imagine the scenario: your manager wants 500 users added to his Windows 2003 domain. Fortunately, human resources have all the new joiners in a spreadsheet called Newport.csv. So, let us begin with a simple spreadsheet with only 3 LDAP columns: objectClass, sAMAccountName and DN.

A) objectClass – user. Simple and easy: we want to create a user, not a computer and not an OU.

B) sAMAccountName – This is the logon name, maximum of 11 characters: what the user should put in the Ctrl+Alt+Delete logon box. Keep this name simple for now. Remember, we just want to get the prototype import working, and then we can add more LDAP fields.

C) DN – Distinguished name, for example, CN= Firstname Surname,OU=Newport,dc=domain,dc=com

DN is the hardest LDAP field to create. Let us break it down into 3 elements.

1) User name – CN= Firstname Surname. If it were me, the value would be CN=Guy Thomas. In this context think of CN= as meaning common name, or just plain name.

2) Organizational name – OU=Newport. All you have to worry about is have you created an OU called Newport in your domain? If not, then either create one, or change this value to OU=YourOU.

3) Domain name – dc=domain,dc=com. Is your domain called something like mydom.com, or is it plain mydom (no .com, .net or .co.uk)? It is essential to find out what your domain is called, and only you know the answer.

What would you say the Domain name is for this screen shot? cp, cp.com, cp.local? The answer is cp.com.

So if this were your domain, the third DN element would be dc=cp,dc=com. Incidentally, dc stands for domain context, not domain controller.


1) Copy my example below and paste into an Excel spreadsheet at precisely cell A1.

objectClass,sAMAccountName,dn
user,Petergr, CN=Peter Graham,OU=Newport,DC=cp,dc=com
user,Janiebo, CN=Janie Bourne,OU=Newport,DC=cp,dc=com
user,Edgardu, CN=Edgar Dunn,OU=Newport,DC=cp,dc=com
user,Belindaha, CN=Belinda Hart,OU=Newport,DC=cp,dc=com
user,Mayja, CN=May Jamieson,OU=Newport,DC=cp,dc=com
user,Leroyot, CN=Leroy Ota,OU=Newport,DC=cp,dc=com

2) In Excel, select the Data menu and then Text to Columns. Naturally, choose the comma delimiter. Save the file as .csv, for example Newport.csv.

3) Make sure that the 3 LDAP fields are in the first row. (ObjectClass, sAMAccountName, and DN.)

4) Once you have opened the file in Excel, it is easier to manipulate the values. For example, you may wish to find and replace dc=cp, dc=com with the name of your domain as we discussed earlier.

5) When you have finished preparing the spreadsheet to your liking, choose Save As and make sure you select Save as type: CSV (Comma delimited). Since the next step is the command prompt, save the file into an easily accessible folder, e.g. C:\csv.

After all the hard work in preparing the spreadsheet, we are now ready for the import. Open the CMD prompt, navigate to the folder where you saved your .csv file.

Type this command: CSVDE -i -f Newport.csv

To check your new users, launch Active Directory Users and Computers and examine the Newport Organizational Unit. After each import, right-click the OU and select Refresh from the shortcut menu. Simply pressing F5 is not good enough.
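Steps 1 to 5 above, the import and the check can be scripted so that the DN suffix and the OU are verified before CSVDE touches the directory, which is where most first imports go wrong. The script below is an added example and is not from the original article; it assumes the Active Directory PowerShell module (RSAT-AD-PowerShell) on a domain-joined machine, the sample users are constructed, and the OU and file path are the article's Newport and C:\csv\Newport.csv.

```powershell
# Added example (not from the original article): build Newport.csv from
# constructed data, sanity-check it, then run the same CSVDE import the
# article describes. Requires the AD PowerShell module on a domain-joined
# machine and an account allowed to create users in the target OU.
Import-Module ActiveDirectory

$ouName  = 'Newport'
$csvPath = 'C:\csv\Newport.csv'

# Discover the DC= part of the DN instead of typing dc=cp,dc=com by hand
# (DC here is the LDAP domain component of the forest-root DN).
$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=cp,DC=com
$ouDn     = "OU=$ouName,$domainDn"

# CSVDE fails on every row if the OU named in the DN does not exist.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    throw "OU '$ouName' does not exist under $domainDn - create it first."
}

# Constructed sample users, the same shape as the article's spreadsheet.
$people = @(
    @{ Given = 'Peter';   Surname = 'Graham'; Logon = 'Petergr'   },
    @{ Given = 'Janie';   Surname = 'Bourne'; Logon = 'Janiebo'   },
    @{ Given = 'Belinda'; Surname = 'Hart';   Logon = 'Belindaha' }
)

$rows = foreach ($p in $people) {
    # The schema caps sAMAccountName at 20 characters and forbids a set of
    # punctuation; the article keeps its names shorter still.
    if ($p.Logon.Length -gt 20 -or $p.Logon -match '[\\/\[\]:;|=,+*?<>"@]') {
        throw "Invalid sAMAccountName: $($p.Logon)"
    }
    if (Get-ADUser -Filter "sAMAccountName -eq '$($p.Logon)'") {
        throw "sAMAccountName $($p.Logon) already exists in the domain"
    }
    # Property names become the first row, so they must be the exact LDAP
    # attribute names CSVDE expects.
    [pscustomobject]@{
        objectClass    = 'user'
        sAMAccountName = $p.Logon
        dn             = "CN=$($p.Given) $($p.Surname),$ouDn"
    }
}

# -NoTypeInformation keeps Export-Csv's #TYPE line out of the file; CSVDE
# would otherwise treat it as a header row.
New-Item -ItemType Directory -Path (Split-Path $csvPath) -Force | Out-Null
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# The import itself, with csvde's log files written next to the CSV (-j)
# so a failed row can be traced.
& csvde.exe -i -f $csvPath -j (Split-Path $csvPath)
if ($LASTEXITCODE -ne 0) { throw "csvde returned exit code $LASTEXITCODE" }

# Verify the accounts landed in the OU. CSVDE creates them disabled and
# without a password, which is what the Enabled column will show.
Get-ADUser -Filter * -SearchBase $ouDn |
    Select-Object Name, SamAccountName, Enabled
```

The duplicate-name check before the export is deliberate: CSVDE stops at the first row it cannot add, so one clashing sAMAccountName halfway down the sheet leaves you with a partial import to clean up.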

Next step – Try an advanced import. More fields, more spreadsheet functions.


CSVDE is unable to add passwords.

Your solution is to change the domain policy to allow blank passwords. You can revert to the previous security setting once you successfully import the accounts. Also see this VBScript.

4) The key disadvantage of CSVDE is that you cannot set passwords with this program. So, use a separate VBScript to set the passwords and enable the accounts. Sadly, once created, you cannot alter the accounts in any way with CSVDE. See here for a VBScript to reset passwords.

The point is to use the right tool for the job. For a quick import of hundreds of user accounts, you cannot beat CSVDE. However, if you need to alter accounts or add passwords, then turn to VBScript. Both CSVDE and VBScript 'feed' off spreadsheets; to me, this is their killer advantage over LDIFDE. I find it so useful to have all the accounts and their values set out in my Excel spreadsheet.
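The follow-up step the article hands to VBScript, giving each imported account a password and enabling it, can be done with the Active Directory PowerShell module without touching the domain's blank-password policy at all, since the password is set on the disabled account before it is enabled. This is an added example, not the article's VBScript; it assumes the accounts sit in OU=Newport, that the caller may reset passwords there, and the output file name is made up.

```powershell
# Added example (not the article's VBScript): give every account CSVDE just
# created a random initial password, force a change at first logon, then
# enable it. Requires the AD PowerShell module and reset-password rights.
Import-Module ActiveDirectory

$ouDn = "OU=Newport,$((Get-ADDomain).DistinguishedName)"

function New-RandomPassword {
    # Characters drawn from the CSPRNG with rejection sampling, so there is
    # no modulo bias toward the first letters of the alphabet.
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*?'
    $limit    = 256 - (256 % $alphabet.Length)   # bytes at or above this are discarded
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

# Only touch accounts that are still disabled, i.e. fresh from the import;
# anything already enabled in the OU is left alone.
$newUsers = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $ouDn

$handout = foreach ($u in $newUsers) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true   # one-time password only
    Enable-ADAccount -Identity $u

    [pscustomobject]@{ SamAccountName = $u.SamAccountName; InitialPassword = $plain }
}

# The one-time passwords go to whoever hands them out, over a secure channel;
# delete this file afterwards rather than leaving it beside Newport.csv.
$handout | Export-Csv -Path 'C:\csv\Newport-initial-passwords.csv' -NoTypeInformation
```

Doing the password reset before Enable-ADAccount is what makes the policy change unnecessary: the account never exists in an enabled, password-less state, so the minimum-length and complexity rules are satisfied from the first moment a logon is possible.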

  • Check that you understand the: DC=domain, DC=COM (LDAP attributes).
  • If your ADSI Edit says: DC=mydom, then change, dc=cp,dc=com to dc=mydom.
  • Check you created an OU called Newport.
  • Check out the Error Messages .
  • Experiment with different syntax. Try a different output filename.
  • Open and close the CMD command prompt.

CSVDE is an ideal program to bulk import users into Active Directory. The executable is built in to Windows Server 2003 and 2008. The key advantage of CSVDE is the way that it interacts with spreadsheets to import or export LDAP data.


Managing Active Directory with Forefront Identity Manager (FIM) 2010

Introduction

It’s hard to find a Windows environment that doesn’t rely heavily on Active Directory these days. Indeed, since the inception of AD in the late 90s and early 2000s it has become the de-facto directory of choice and the ‘single source of truth’ for logon credentials, username schemas, mailboxes and many other identity-related facets of an organization. Many organizations simply synchronize data from their HR system directly into Active Directory and populate a few fields of information, but how does this data get managed inside the directory? Provisioning and de-provisioning become a big issue, as is synchronization of credentials and automating workflows in other tools that rely on the directory. Forefront Identity Manager (FIM) 2010 simplifies a lot of these tasks while helping enterprises clean up their Active Directory environment as well. In this article, we’ll walk through some of the features and capabilities of FIM to help you decide if it’s right for your company.

What is FIM and what is it good at?

When evaluating Identity and Access tools, it can be difficult to decide how much to bite off and what an organization really needs from a requirements perspective. Large vendors offer very comprehensive suites of tools that are costly and often require a lot of specialized services to implement and fine tune. For many enterprises, a simple set of requirements emerge when looking at:


  • Data Synchronization. The FIM Synchronization service includes the meta-directory, the provisioning engine, and the management agents (MAs) (See Figure 1). It allows for synchronization between the FIM database and other identity sources in an organization.
  • Self-service password reset – Allowing users to reset their own password to avoid tying up helpdesk resources.
  • Provisioning and de-provisioning accounts in the directory.

FIM fulfills these requirements and has a relatively low cost of admission compared to other products on the market, especially for organizations that are Microsoft shops and have Microsoft skill sets within their IT team.

Figure 1: Management Agent creation / provisioning options (Source: technet.com)

Identity and Password Synchronization

Synchronizing Identities (particularly usernames and passwords) across multiple systems can be a quick win for an identity and access solution. Giving a user a single set of credentials to remember and manage makes it easier for them to get their work done, provides for faster provisioning and onboarding when users are accessing new systems and services, and allows for more efficient credential management in an enterprise environment.

FIM offers what is called a state-based system for identity synchronization. It infers changes by comparing the identity store with previously stored data and deciding whether there has been a modification or not. FIM uses Management Agents (MAs) to synchronize with other systems like Siebel, PeopleSoft, etc. Imports from these systems are done on a 'delta' basis, importing only what has changed from the primary source. This allows business rules to be enforced persistently across the entire environment. For example, synchronization of objects can be done on a regular schedule (every 24 hours) and policy can be enforced across the environment uniformly for things like minimum password length, password expiration, etc.

Synchronizing multiple data sources through FIM allows for an important view into the environment from an audit and compliance perspective as well. Being able to perform a cursory audit on other systems, but diving deep on credential security and configuration in a single system like Active Directory through the FIM meta-verse, saves a lot of time and energy from an internal and external review perspective. Also, the ability to add and remove Management Agents provides for future growth as you expand FIM out beyond simple Active Directory and your HR application synchronization. If the default FIM interface and options don’t provide enough “detail”, there is a scripting component that allows for development of custom Management Agents and a fairly active partner community that develops these as well. Synchronization of identity with FIM is something you can start small with and grow as you need to.

Self-service password reset

With many organizations citing password reset as the #1 request to the helpdesk, the ability to move to a self-service option is very attractive. Providing users a set of questions and process (See Figure 2) to perform their own password reset could save tens of thousands of dollars in time and resources over the course of a year. Indeed, many companies justify the cost of an identity and access solution based on the potential cost savings from this module.

Figure 2: FIM Self-Service Password Reset registration screen (source: blogs.technet.com)

In FIM, there are two components to the self-service password reset module: the FIM Password Reset Portal and the FIM Password Reset client, which gets installed locally on managed machines. A current drawback with the solution today is that it’s required to be installed on a domain-joined client. In future versions of FIM, Microsoft has hinted that this module will be expanded to work on non-domain joined clients as well.

To use the password management tool, users must first register with the system and enter a number of data points. A set of security questions is created by the administrator that the user must provide valid answers to. These questions can be defined by the administrator and the user has the ability to select which they’d like to answer. Examples include “What City were you born in?” or “What was your first pet’s name?” This flexibility reduces the likelihood that the user can be easily spoofed and the customization of questions allows the administrator to keep a ‘hands-off’ approach to the reset process as much as possible.

From a user interface perspective, the Self Service Password Reset module in FIM integrates into the Windows logon screen, providing for a very seamless experience for the end user. This is a huge plus when training end users on the process to change or reset their password.

Provisioning and De-Provisioning Accounts

FIM can be used as the authoritative provisioning and de-provisioning tool for Active Directory. This is great from an Active Directory cleanup perspective as users can be assigned groups for things like job role or physical site and as they move from one location to another. With FIM, the provisioning process can be triggered through a workflow embedded in a tool like SharePoint or even in Outlook for group management. Business rules can be enforced to automatically remove access to certain resources or remove objects out of groups as users transfer roles within the company (ex: moving from an HR organizational role to an IT organizational role).

A big issue in provisioning accounts is the lack of a consistent and easy-to-use process for an accounts administrator to add, remove or modify accounts. The Active Directory Users and Groups tool is not the most intuitive user interface, and mistakes can easily be made. FIM provides a step-by-step blueprint to provision a new employee and a drop-down for a job or role, which eliminates much of the human error factor (See Figure 3). Again, this is very helpful from an audit and compliance perspective as well.

Figure 3: Customized FIM portal administration screen. (Source: blogs.msdn.com)

Summary

Forefront Identity Manager is a relatively low-cost solution for Identity and Access management. It is not as complex as some other products on the market, but it offers easy integration with Active Directory and a tight coexistence with the Microsoft ecosystem, large or small. The user experience for self-service password reset is tough to compete with. Synchronizing objects in the meta-verse is an easily automated process and is extensible to a number of different systems. Learn more about FIM here and see if it makes sense to deploy in your environment.