Default Domain Policy

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Fine-Grained Password and Account Lockout Policies

Windows Server 2008 creates a Default Domain Policy GPO for every domain in the forest. This GPO is the primary method used to set some security-related policies such as password expiration and account lockout.

You can use fine-grained password and account lockout policy to apply custom password and account lockout policy settings to individual users and global security groups within a domain.

The domain password policy allows you to specify a range of password security options, including how often users must change their passwords, how long passwords must be, how many unique passwords must be used before a user can reuse one, and how complex passwords must be.

You can use account lockout to prevent successful brute-force password guessing. If it is not enabled, someone can keep attempting to guess username/password combinations very rapidly using a software-based attack. The proper combination of settings can effectively block these types of security vulnerabilities.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000031

Mitigating Network Vulnerabilities

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Define the Address Space of Your Intranet Network

1. In the Group Policy Management snap-in (gpmc.msc), open the Default Domain Policy.

2. From the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network, and then click Network Isolation.

3. In the right pane, double-click Private network ranges for apps.

4. In the Private network ranges for apps dialog box, click Enabled. In the Private subnets text box, type the private subnets for your intranet (separated by commas).

5. Double-click Subnet definitions are authoritative. Click Enabled if you want the subnet definitions that you previously created to be the single source for your subnet definition.


URL: https://www.sciencedirect.com/science/article/pii/B978159749980400011X

MCSA/MCSE 70-294: Working with Group Policy in an Active Directory Environment

Michael Cross, ... Thomas W. Shinder Dr. Technical Editor, in MCSE (Exam 70-294) Study Guide, 2003

Automatically Enrolling User and Computer Certificates

If your organization is using Certificate Services to manage user and computer certificates, you might want to enable autoenrollment of the certificates. Your certification authorities (CAs) need to be configured to support autoenrollment, but without enabling this setting in policy, users have to go through a manual process to enroll.

You will set the autoenrollment policy in both the user configuration and the computer configuration of the GPO. Since you will probably want the settings to apply to all systems in the organization, enable the settings in the Default Domain Policy object at the root of each domain in the organization. Follow these steps to enable this security setting:

1. Open Active Directory Users and Computers.

2. Right-click the domain container in the console tree and select Properties.

3. Click the Group Policy tab and select the Default Domain Policy.

4. Click Edit to open the Group Policy Object Editor.

5. Expand the Computer Configuration object, and then the Windows Settings object.

6. Expand the Security Settings object, and then select the Public Key Policies object.

7. Double-click the Autoenrollment Settings object in the right-hand pane.

8. Click the Enroll certificates automatically option button.

9. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

10. Enable the Update certificates that use certificate templates check box. Your settings should now appear as shown in Figure 9.28.

Figure 9.28. Configuring Autoenrollment Settings

11. Click Apply, then click OK.

12. Expand the User Configuration object in the console tree, and then the Windows Settings object.

13. Expand the Security Settings object, and then select the Public Key Policies object.

14. Double-click the Autoenrollment Settings object in the right-hand pane.

15. Click the Enroll certificates automatically option button.

16. Enable the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

17. Enable the Update certificates that use certificate templates check box.

18. Click Apply, and then click OK.

If your organization has multiple domains, repeat this process for each domain in the environment. Remember that only systems running Windows 2000 or later will be able to participate in autoenrollment of certificates.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500155

MCSE/MCSA 70-294: Creating User and Group Strategies

Michael Cross, ... Thomas W. Shinder Dr. Technical Editor, in MCSE (Exam 70-294) Study Guide, 2003

1. From the Windows Server 2003 desktop, click Start | Administrative Tools | Active Directory Users and Computers.

2. Right-click the domain you want to administer, and then select Properties.

3. Select the Default Domain Policy, and click the Edit button.

4. Navigate to the account lockout policy by clicking Computer Configuration | Windows Settings | Security Settings | Account Policies | Account Lockout Policy. You'll see the screen shown in Figure 3.7.

Figure 3.7. Account Lockout Policy Objects

Using Account Lockout Policy, you can configure the following settings:

Account lockout duration: This option determines the amount of time that a locked-out account will remain inaccessible. Setting this option to 0 means that the account will remain locked out until an administrator manually unlocks it. Select a lockout duration that will deter intruders without crippling your authorized users; 30 minutes to an hour is sufficient for most environments.

Account lockout threshold: This option determines the number of invalid logon attempts that can occur before an account will be locked out. Setting this option to 0 means that accounts on your network will never be locked out.

Reset account lockout counter after: This option defines the amount of time in minutes after a bad logon attempt that the "counter" will reset. If this value is set to 45 minutes, and user jsmith types his password incorrectly 2 times before logging on successfully, his running tally of failed logon attempts will reset to 0 after 45 minutes have elapsed. Be careful not to set this option too high, or your users could lock themselves out through simple typographical errors.

5. For each item that you want to configure, right-click the item and select Properties. To illustrate, we create an Account lockout threshold of 3 invalid logon attempts. In the screen shown in Figure 3.8, place a check mark next to Define this policy setting, and then enter the appropriate value.

Figure 3.8. Configuring the Account Lockout Threshold
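To make the interaction of the three Account Lockout Policy settings concrete, the following Python simulation (added here; it is not from the study guide) applies a threshold of 3, a 30-minute lockout duration and a 45-minute reset window to constructed sequences of logon attempts, including the jsmith case from the text. The LockoutPolicy and simulate names are assumptions of this model, which follows the settings as the text defines them rather than any domain controller's actual code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the three Account Lockout Policy settings described above.
# Times are whole minutes; all values below are illustrative, not from a real domain.


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int     # Account lockout threshold; 0 = accounts never lock out
    duration_min: int  # Account lockout duration; 0 = locked until an admin unlocks
    reset_min: int     # Reset account lockout counter after (minutes)


@dataclass
class AccountState:
    bad_count: int = 0                  # running tally of failed logon attempts
    last_bad_at: Optional[int] = None   # minute of the most recent bad attempt
    locked_at: Optional[int] = None     # minute the lockout started, if any


def _still_locked(state: AccountState, policy: LockoutPolicy, now: int) -> bool:
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True  # duration 0: stays locked until an administrator unlocks it
    return now < state.locked_at + policy.duration_min


def simulate(policy: LockoutPolicy, events: List[Tuple[int, str]]) -> List[str]:
    """events: (minute, action) in time order; action is 'good' (correct
    password), 'bad' (wrong password) or 'admin_unlock'. Returns one outcome
    per event: 'ok', 'bad', 'locked' or 'unlocked'."""
    state = AccountState()
    outcomes = []
    for minute, action in events:
        if action == "admin_unlock":
            state = AccountState()  # manual unlock clears the lock and the counter
            outcomes.append("unlocked")
            continue
        if state.locked_at is not None and not _still_locked(state, policy, minute):
            state = AccountState()  # lockout duration elapsed: account usable again
        if state.locked_at is not None:
            outcomes.append("locked")  # rejected even when the password is right
            continue
        if state.last_bad_at is not None and minute - state.last_bad_at >= policy.reset_min:
            state.bad_count = 0  # reset window passed since the last bad attempt
        if action == "good":
            state.bad_count = 0  # a successful logon clears the tally
            state.last_bad_at = None
            outcomes.append("ok")
            continue
        state.bad_count += 1
        state.last_bad_at = minute
        if policy.threshold > 0 and state.bad_count >= policy.threshold:
            state.locked_at = minute
            outcomes.append("locked")
        else:
            outcomes.append("bad")
    return outcomes


def page_scenarios():
    """Constructed sequences exercising the settings the text explains."""
    policy = LockoutPolicy(threshold=3, duration_min=30, reset_min=45)
    # jsmith from the text: two typos, then the correct password
    jsmith = simulate(policy, [(0, "bad"), (1, "bad"), (2, "good")])
    # three wrong passwords lock the account; the right password is refused
    # until the 30-minute duration has elapsed
    locked = simulate(policy, [(0, "bad"), (1, "bad"), (2, "bad"),
                               (10, "good"), (33, "good")])
    # two typos, a 49-minute pause, one more typo: the counter had reset
    reset = simulate(policy, [(0, "bad"), (1, "bad"), (50, "bad")])
    # duration 0: the account stays locked until an administrator unlocks it
    manual = simulate(LockoutPolicy(3, 0, 45),
                      [(0, "bad"), (1, "bad"), (2, "bad"), (500, "good"),
                       (501, "admin_unlock"), (502, "good")])
    return jsmith, locked, reset, manual


if __name__ == "__main__":
    for name, result in zip(("jsmith", "locked", "reset", "manual"), page_scenarios()):
        print(f"{name:7} -> {result}")
```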


URL: https://www.sciencedirect.com/science/article/pii/B978193183694450009X

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Enabling Group Policy Settings for BitLocker and TPM Active Directory Backup

Here are the steps to follow to configure Group Policy for clients and servers to use BitLocker Active Directory Backup.

1. Log on with a domain administrator account to any Domain Controller.

2. Click Start, click All Programs, click Administrative Tools, and then click Group Policy Management.

3. In the Group Policy Management Console, expand the forest tree down to the domain level.

4. Right-click the Default Domain Policy and select Edit.

5. In the Group Policy Management Editor, open Computer Configuration, open Administrative Templates, open Windows Components, and then open BitLocker Drive Encryption.

6. In the right pane, double-click Turn on BitLocker backup to Active Directory.

7. Select the Enabled option, select Require BitLocker backup to AD DS, and click OK.

To further enable storage of TPM recovery information:

8. Open Computer Configuration, open Administrative Templates, open System, and then open Trusted Platform Module Services.

9. In the right pane, double-click Turn on TPM backup to Active Directory.

10. Select the Enabled option, select Require TPM backup to AD DS, and click OK.

Warning

In this example, we use the Default Domain Policy to configure Active Directory backup for BitLocker and TPM recovery information. However, in a real-world scenario you would create a new GPO that contains only BitLocker-specific settings!


URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000055

MCSE 70-293: Planning, Implementing, and Maintaining a Security Framework

Martin Grasdal, ... Dr. Thomas W. Shinder Technical Editor, in MCSE (Exam 70-293) Study Guide, 2003

Security Policies

Windows Server 2003 makes it easy to set security policies on local computers or for a domain, using Group Policy. To set security policies on a local computer, open the Local Security Policy GPO by selecting Start | All Programs | Administrative Tools and selecting Local Security Policy (you will not find this option on domain controllers). To set security policies in a domain, edit the default domain policy as follows:

1. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers.

2. Right-click the domain node in the left pane and click Properties.

3. Choose the Group Policy tab.

4. Select the Default Domain Policy and click Edit.

5. In the left pane of the GPO Editor, expand Computer Configuration, then Windows Settings, and then Security Settings.

In either case, you will see the following folders under Security Settings:

Account Policies: Password, Account Lockout, and Kerberos policy settings.

Local Policies: Audit, User Rights Assignment, and Security Options (guest account names, CD-ROM access, driver installation, and logon prompts).

Public Key Policies: Certificate submission, certificate requests and installations, and creating and distributing certificate trust lists.

Software Restriction Policies: Used to create hash rules, certificate rules, path rules (file identity through a specified path), and Internet zone rules.

IP Security Policies: Used to create and manage IPSec security policies.

In the case of the domain policy, you will also see other entries under Security Settings, including Restricted Groups, System Services, Registry, File System, and Wireless Networks.

Some of the most important aspects of your security strategy include the configuration of password policies, Kerberos policies, account lockout policies, and user rights policies. In the following sections, we will discuss each of these in more detail.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500154

Defining Protection Policies

Brien Posey, in GFI Network Security and PCI Compliance Power Tools, 2009

Active Directory Based Deployment

Even though GFI EndPointSecurity contains a built-in mechanism for deploying agents, you have the option of deploying agents through Active Directory. If you look at Figure 9.9, you'll notice that there is a Deploy Through Active Directory option located in the Computers section. If you click on this link, you'll be taken to a screen that gives you the chance to save a copy of the agent to a location of your choice. In order for Active Directory based deployment to work correctly, you need to save this file to a central location that can be accessed by all of your domain controllers.

Figure 9.9. You Can Deploy an Agent Through the Active Directory

Once you have copied the file to an accessible location, it is time to configure Active Directory to assign the agent to the target computers. Keep in mind that Active Directory provides two different methods for deploying software. You can either assign applications, or you can publish them. In this case, it is better to assign the application, because assigning an application causes it to be installed automatically on the PC without any user intervention. In contrast, publishing an application gives end users the option of installing or uninstalling the application at will. If you would like to learn more about publishing and assigning applications, then check out my article at: www.brienposey.com/kb/assigning_and_publishing_applications.asp.

The steps that you would use to assign the agent through a group policy setting vary depending on which group policy you want to use. To assign the agent as a part of the domain policy, perform the following steps on a domain controller:

1. Open the Active Directory Users and Computers console.

2. Right-click on the container representing your domain, and choose the Properties command from the resulting shortcut menu.

3. When the domain's properties sheet appears, select the Group Policy tab.

4. Select the Default Domain Policy, as shown in Figure 9.10, and click the Edit button.

5. When the Group Policy Object Editor opens, navigate through the console tree to Computer Configuration | Software Settings | Software Installation.

6. Right-click on the Software Installation container, and select the New | Package commands from the resulting shortcut menus, as shown in Figure 9.11.

7. When prompted, select the agent installation package, and click Open.

8. If you see a message stating that Windows cannot verify that the path is a network location, make certain that you have accessed the installation package through a mapped drive or a Universal Naming Convention (UNC) share (not a local drive letter), and click Yes to use the path.

9. Choose the Assigned option from the Deploy Software dialog box, as shown in Figure 9.12.

10. Click OK.

Figure 9.10. Select the Default Domain Policy, and Click the Edit Button

Figure 9.11. Right-Click on the Software Installation Container, and Select the New | Package Commands From the Resulting Shortcut Menus

Figure 9.12. Choose the Assigned Option and Click OK

Active Directory deployment will only work if the managed machines are domain members and are subject to the Group Policy Object that you are using to assign the agent application.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492850000091

MCSA/MCSE 70-294: Active Directory Infrastructure Overview

Michael Cross, ... Thomas W. Shinder Dr. Technical Editor, in MCSE (Exam 70-294) Study Guide, 2003

Command-Line Tools

Windows Server 2003 provides a number of command-line tools that you can use for managing Active Directory. These tools use commands typed in at the prompt, and can provide a number of services that are useful in administering the directory. The command-line tools for Active Directory include:

Cacls Used to view and modify discretionary access control lists (DACLs) on files.

Cmdkey Used to create, list, and delete usernames, passwords, and credentials.

Csvde Used to import and export data from the directory.

Dcgpofix Restores Group Policy Objects (GPOs) to the state they were in when initially installed.

Dsadd Used to add users, groups, computers, contacts, and OUs.

Dsget Displays the properties of an object in Active Directory.

Dsmod Used to change users, groups, computers, servers, contacts, and OUs.

Dsmove Renames an object without moving it, or moves an object to a new location.

Ldifde Used to create, modify, and delete objects from Active Directory.

Ntdsutil Used for general management of Active Directory.

Whoami Provides information on the user who's currently logged on.

In the sections that follow, we will briefly discuss each of these tools, and show you how they can help you in performing certain tasks when administering Active Directory.

Cacls

Cacls is used to view and modify the permissions a user or group has to a particular resource. Cacls provides this ability by allowing you to view and change DACLs on files. A DACL is a list of access control entries (ACEs) for users and groups, and includes the permissions the user has to a file. The syntax for using this tool is:

Cacls filename

Cacls also has a number of switches, which are parameters you can enter on the command line to use a specific functionality. Table 1.1 lists the switches for Cacls.

Table 1.1. Switches for the Cacls Tool

Parameter Description
/t Changes the DACLs of files in the current directory and all subdirectories.
/e Edits the DACL.
/r username Revokes the user's rights.
/c Ignores any errors that might occur when changing the DACL.
/g username permission Grants rights to a specified user. Rights that can be granted are: n (None), r (Read), w (Write), c (Change), and f (Full Control).
/p username permission Replaces the rights of a specified user. The rights that can be replaced are: n (None), r (Read), w (Write), c (Change), and f (Full Control).
/d username Denies access to a specified user.

Cmdkey

Cmdkey is used to create, view, edit, and delete stored usernames, passwords, and credentials. This allows you to log on using one account, and view and modify the credentials of another user. As with other command-line tools we'll discuss, cmdkey has a number of switches that provide the parameters needed for the tool to function. Table 1.2 lists these parameters.

Table 1.2. Switches for the Cmdkey Tool

Parameter Description
/add:targetname Adds a username and password to the list, and specifies the computer or domain (using the targetname parameter) with which the entry will be associated.
/generic Adds generic credentials to the list.
/smartcard Instructs cmdkey to retrieve credentials from a smart card.
/user: username Provides the username with which this entry is to be associated. If the username parameter isn't provided, you will be prompted for it.
/pass: password Provides the password to store with this entry. If the password parameter isn't provided, you will be prompted for it.
/delete: {targetname | /ras} Deletes the username and password from the list. If the targetname parameter is provided, the specified entry will be deleted. If /ras is included, the stored remote access entry is deleted.
/list: targetname Lists the stored usernames and credentials. If the targetname parameter isn't provided, all of the stored usernames and credentials will be listed.

Csvde

Csvde is used to import and export data from Active Directory. This data is comma-delimited, so that a comma separates each value. Exporting data in this way allows you to then import it into other applications (for example, Microsoft Office tools such as Access and Excel). Table 1.3 lists the parameters for this command.

Table 1.3. Switches for the Csvde Tool

Parameter Description
-i Used to specify import mode.
-f filename Specifies the filename to import from or export to.
-s servername Sets the DC that will be used to import or export data.
-c string1 string2 Replaces the value of string1 with string2. This is often used when importing data between domains, and the DN of the domain the data is being exported from (string1) needs to be replaced with the name of the import domain (string2).
-V Verbose mode.
-j path Specifies the location for log files.
-t portnumber The portnumber parameter is used to specify the LDAP port number. By default, the LDAP port is 389 and the GC port is 3268.
-d BaseDN The BaseDN parameter is used to specify the DN of a search base for data export.
-p scope Used to set the search scope. The value of the scope parameter can be Base, OneLevel, or SubTree.
-l LDAPAttributeList Specifies a list of attributes to return in an export query. If this parameter isn't used, then all attributes are returned in the query.
-o LDAPAttributeList Specifies a list of attributes to omit in an export query.
-g Used to omit paged searches.
-m Used to omit attributes that apply to certain objects in Active Directory.
-n Specifies that binary values are to be omitted from an export.
-k If errors occur during an import, this parameter specifies that csvde should continue processing.
-a username password Specifies the username and password to be used when running this command. By default, the credentials of the user currently logged on are used.
-b username domain password Specifies the username, domain, and password to use when running this command. By default, the credentials of the user currently logged on are used.

Dcgpofix

Dcgpofix is used to restore the default domain policy and the default DC's policy to the way they were when initially created. By restoring these GPOs to their original states, any changes that were made to them are lost. This tool has only two switches associated with it:

/ignoreschema Ignores the version number of the schema.

/target: {domain | dc | both} Specifies the target domain, DC, or both.

When the /ignoreschema switch is used, dcgpofix will ignore the version number of Active Directory's schema when it runs. This will allow it to work on other versions of Active Directory, as opposed to the one on the computer on which dcgpofix was initially installed. You should use the version of dcgpofix that was installed with your installation of Windows Server 2003, as GPOs might not be restored if versions from other operating systems are used.

Dsadd

Dsadd is used to add objects to Active Directory. The objects you can add with this command-line tool are users, computers, groups, OUs, contacts, and quota specifications. To add any of these objects, you would enter the following commands at the command prompt:

dsadd user Adds a user to the directory

dsadd computer Adds a computer to the directory

dsadd group Adds a group to the directory

dsadd ou Adds an OU to the directory

dsadd contact Adds a contact to the directory

dsadd quota Adds a quota specification to the directory

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /?. This will display a list of parameters for each command.

Dsget

Dsget is used to view the properties of objects in Active Directory. The objects you can view with dsget are users, groups, computers, servers, sites, subnets, OUs, contacts, partitions, and quota specifications. To view the properties of these objects, enter the following commands:

dsget user Displays the properties of a user

dsget group Displays the properties of a group and its membership

dsget computer Displays the properties of a computer

dsget server Displays the properties of a DC

dsget site Displays the properties of a site

dsget subnet Displays the properties of a subnet

dsget ou Displays the properties of an OU

dsget contact Displays the properties of a contact

dsget partition Displays the properties of a directory partition

dsget quota Displays the properties of a quota specification

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /?. This will display a list of parameters for each command.

Dsmod

Dsmod is used to modify existing objects in Active Directory. The objects you can modify using dsmod are users, groups, computers, servers, OUs, contacts, partitions, and quota specifications. To edit these objects, enter the following commands:

dsmod user Modifies the attributes of a user in the directory

dsmod group Modifies the attributes of a group in the directory

dsmod computer Modifies a computer in the directory

dsmod server Modifies the properties of a DC

dsmod ou Modifies the attributes of an OU in the directory

dsmod contact Modifies the attributes of a contact in the directory

dsmod partition Modifies a directory partition

dsmod quota Modifies the attributes of a quota specification

While the commands for this tool are straightforward, there is a variety of arguments associated with each. For full details on these arguments, type the command at the command prompt followed by /?. This will display a list of parameters for each command.

Dsmove

Dsmove is used to either rename or move an object within a domain. Using this tool, you can rename an object without moving it in the directory, or move it to a new location within the directory tree.

Exam Warning

The dsmove tool can't be used to move objects to other domains.

Renaming or moving an object requires that you use the DN, which identifies the object's location in the tree. For example, if you have an object called JaneD in an OU called Accounting, located in a domain called syngress.com, the DN is:

CN=JaneD,OU=Accounting,DC=syngress,DC=com

The -newname switch is used to rename objects using the DN. For example, let's say you wanted to change a user account's name from JaneD to JaneM. To do so, you would use the following command:

dsmove CN=JaneD,OU=Accounting,DC=syngress,DC=com -newname JaneM

The -newparent switch is used to move objects within a domain. For example, let's say the user whose name you just changed was transferred from Accounting to Sales, which you've organized in a different OU container. To move the user object, you would use the following command:

dsmove CN=JaneM,OU=Accounting,DC=syngress,DC=com -newparent OU=Sales,DC=syngress,DC=com
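As an added illustration (not code from the study guide or from the dsmove tool), here is a small Python model of what the two commands above do to a distinguished name: -newname replaces the value of the leaf RDN and keeps the parent, while -newparent keeps the leaf RDN and replaces the parent, refusing a parent in a different domain as the Exam Warning states. The parse_dn and dsmove_* names are my own; escaping follows RFC 4514, so the model also handles names containing commas.

```python
from typing import List, Tuple

Rdn = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "JaneD")


def parse_dn(dn: str) -> List[Rdn]:
    """Split 'CN=JaneD,OU=Accounting,DC=syngress,DC=com' into RDN pairs,
    honouring backslash escapes so 'CN=Doe\\, Jane' stays one RDN."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def format_dn(rdns: List[Rdn]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in rdns)


def escape_value(value: str) -> str:
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def domain_of(rdns: List[Rdn]) -> Tuple[str, ...]:
    """The DC components, which identify the domain the object lives in."""
    return tuple(v.lower() for a, v in rdns if a.lower() == "dc")


def dsmove_newname(dn: str, new_name: str) -> str:
    """Model of 'dsmove <dn> -newname <name>': new leaf value, same parent."""
    rdns = parse_dn(dn)
    attr, _old = rdns[0]
    return format_dn([(attr, escape_value(new_name))] + rdns[1:])


def dsmove_newparent(dn: str, new_parent_dn: str) -> str:
    """Model of 'dsmove <dn> -newparent <parent>': same leaf, new parent.
    Cross-domain moves are refused, matching the Exam Warning."""
    rdns = parse_dn(dn)
    parent = parse_dn(new_parent_dn)
    if domain_of(rdns) != domain_of(parent):
        raise ValueError("dsmove cannot move objects to another domain")
    return format_dn([rdns[0]] + parent)


if __name__ == "__main__":
    dn = "CN=JaneD,OU=Accounting,DC=syngress,DC=com"
    renamed = dsmove_newname(dn, "JaneM")           # the -newname example
    moved = dsmove_newparent(renamed, "OU=Sales,DC=syngress,DC=com")  # -newparent
    print(renamed)
    print(moved)
```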

In addition to the -newname and -newparent switches, you can also use the parameters listed in Table 1.4 to control how this tool is used.

Table 1.4. Switches for Dsmove

Parameter Description
{-s Server | -d Domain} Specifies a remote server or domain to connect to. By default, dsmove will connect to the DC in the domain you logged on to.
-u Username Specifies the username to use when logging on to a remote server.
-p {Password | *} Specifies the password to use when logging on to a remote server. If you type the * symbol instead of a password, you are then prompted to enter the password.
-q Sets dsmove to suppress output.
{-uc | -uco | -uci} Specifies that dsmove format input and output in Unicode.

Ldifde

Ldifde is used to create, modify, and delete objects from the directory, and can also be used to extend the schema. An additional use for this tool is to import and export user and group information. This allows you to view exported data in other applications, or populate Active Directory with imported data. To perform such tasks, ldifde relies on a number of switches that enable it to perform specific tasks, listed in Table 1.5.

Table 1.5. Switches for Ldifde

Parameter Description
-i Sets ldifde to import data. If this isn't specified, then the tool will work in export mode.
-f Filename Specifies the name of the file to import or export.
-s Servername Specifies the DC that will be used to perform the import or export.
-c string1 string2 Replaces the value of string1 with string2. This is often used when importing data between domains, and the DN of the domain the data is being exported from (string1) needs to be replaced with the name of the import domain (string2).
-v Verbose mode.
-j path Specifies the location for log files.
-t portnumber The portnumber parameter is used to specify the LDAP port number. By default, the LDAP port is 389 and the GC port is 3268.
-d BaseDN The BaseDN parameter is used to specify the DN of a search base for data export.
-p scope Used to set the search scope. The value of the scope parameter can be Base, OneLevel, or SubTree.
-r LDAPfilter Specifies a search filter for exporting data.
-l LDAPAttributeList Specifies a list of attributes to return in an export query. If this parameter isn't used, then all attributes are returned in the query.
-o LDAPAttributeList Specifies a list of attributes to omit in an export query.
-g Used to omit paged searches.
-m Used to omit attributes that apply to certain objects in Active Directory.
-n Specifies that binary values are to be omitted from an export.
-k If errors occur during an import, this parameter specifies that ldifde should continue processing.
-a username password Specifies the username and password to be used when running this command. By default, the credentials of the user who's currently logged on are used.
-b username domain password Specifies the username, domain, and password to use when running this command. By default, the credentials of the user who's currently logged on are used.

Ntdsutil

Ntdsutil is a general-purpose command-line tool that can perform a variety of functions for managing Active Directory. Using Ntdsutil, you can:

Perform maintenance of Active Directory

Perform an authoritative restore of Active Directory

Modify the Time To Live (TTL) of dynamic data

Manage domains

Manage data in the directory and log files

Block certain IP addresses from querying the directory, and set LDAP policies

Remove metadata from DCs that were retired or improperly uninstalled

Manage Security Identifiers (SIDs)

Manage operations master roles (Domain Naming Master, Schema Master, Infrastructure Master, PDC Emulator, and RID Master)

Typing ntdsutil at the command prompt will load the tool and the prompt will change to ntdsutil:. As shown in Figure 1.23, by typing help at the command line, you can view different commands for the tasks being performed. After entering a command, typing help again will provide other commands that can be used. For example, typing metadata cleanup after first starting ntdsutil, and then typing help will display a list of commands relating to metadata cleanup. This allows you to use the command as if you were navigating through menus containing other commands. You can return to a previous menu at any time, or leave the program by typing Quit.

Figure 1.23. NTDSUTIL

Whoami

Whoami is a tool for displaying information about the user who is currently logged on. Using this tool, you can view your domain name, computer name, username, group names, logon identifier, and privileges. The amount of information displayed depends on the parameters that are entered with this command. Table 1.6 lists the available parameters.

Table 1.6. Switches for Whoami

Parameter Description
/upn Displays the UPN of the user currently logged on.
/fqdn Displays the FQDN of the user currently logged on.
/logonid Displays the Logon ID.
/user Displays the username of the user currently logged on.
/groups Displays group names.
/priv Displays privileges associated with the currently logged-on user.
/fo format Controls the format in which information is displayed. The format parameter can have the value table (to show output in a table format), list (to list output), or csv (to display in a comma-delimited format).
/all Displays username, groups, SIDs, and privileges for the user currently logged on.

Exercise 1.03

Using WHOAMI

1. From the Windows Start menu, click Command Prompt.

2. When the Command Prompt opens, type WHOAMI at the prompt and then press the Enter key. The output will show the account you are currently logged on with.

3. Type WHOAMI /UPN and then press Enter. The UPN of the currently logged-on user will be displayed on the screen.

4. Type WHOAMI /FQDN and then press Enter. The FQDN of the user that's currently logged on will appear on the screen.

5. Type WHOAMI /ALL and then press Enter. A list of privileges associated with the account you are currently logged on with should appear on the screen.

6. Type WHOAMI /ALL and then press Enter. As shown in Figure 1.24, a list of information relating to the account you're currently logged on with will be listed on the screen.

Figure 1.24. Results of Using the WHOAMI /ALL Command

Implementing Active Directory Security and Access Control

Security is an important part of Windows Server 2003 and Active Directory. Two primary methods of implementing security are user authentication and access control. Authentication is used to verify the identity of a user or other objects, such as applications or computers. After it's been determined they are who or what they say they are, the process continues by giving them the level of access they deserve. Access control manages what users (or other objects) can use, and how they can use them. By combining authentication and access control, a user is permitted or denied access to objects in the directory.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500076