Although forests constitute the security boundary in an Active Directory environment, you can split up your AD infrastructure into separate domains to create smaller administrative or replication boundaries within a large-scale network. In Windows 2000 and Windows Server 2003 Active Directory, domains can also constitute a policy boundary, as certain Group Policy settings such as password policies and account lockout policies can only be applied at the domain level. (Windows Server 2008 introduces the concept of a Fine-Grained Password Policy, which allows administrators to configure multiple password and account lockout policies within a single domain.) Domains are represented in Active Directory by domainDNS objects. The distinguished name (DN) of a domainDNS object directly corresponds to the fully qualified DNS name of the domain. For example, the amer.adatum.com domain would have a DN of dc=amer,dc=adatum,dc=com.
Table 2-4 contains a list of some of the interesting attributes that are available on domainDNS objects.
Table 2-4: Attributes of domainDNS objects (attribute: description)

dc: The domain component of the domain distinguished name (e.g., amer).
distinguishedName: The DN of the domain (e.g., dc=adatum,dc=com).
fSMORoleOwner: The DN of the NTDS Settings object of the domain controller that holds the PDC Emulator role for this domain. (The Schema Master is recorded on the Schema container, not on the domainDNS object; the RID Master and Infrastructure Master are recorded on the RID Manager$ and Infrastructure objects of the domain.)
gPLink: List of GPOs linked to the domain. By default it will contain a reference to the Default Domain Policy GPO.
lockoutDuration: A 64-bit integer, stored as a negative count of 100-nanosecond intervals, representing how long an account remains locked out before it is automatically unlocked, in the absence of any applicable Fine-Grained Password Policy. The minimum 64-bit value (0x8000000000000000) means the account stays locked until an administrator unlocks it.
lockoutObservationWindow: A 64-bit integer (negative 100-nanosecond intervals) representing the time after a failed logon attempt at which the failed logon counter (badPwdCount) for the account is reset to 0, in the absence of any applicable Fine-Grained Password Policy.
lockoutThreshold: Number of failed logon attempts after which an account will be locked out, in the absence of any applicable Fine-Grained Password Policy. A value of 0 means accounts are never locked out.
maxPwdAge: A 64-bit integer representing the maximum age of a password before a user must change it, in the absence of any applicable Fine-Grained Password Policy. It is stored as a negative count of 100-nanosecond intervals, not as a number of days (42 days is -36288000000000); the minimum 64-bit value means passwords never expire.
minPwdAge: A 64-bit integer (negative 100-nanosecond intervals) representing the minimum time a password must be kept before it can be changed, in the absence of any applicable Fine-Grained Password Policy. 0 means no minimum.
minPwdLength: Minimum number of characters allowed in a password in the absence of any applicable Fine-Grained Password Policy.
msDS-Behavior-Version: Number that represents the functional level of the domain. This attribute was first introduced in Windows Server 2003.
msDS-LogonTimeSyncInterval: Controls how often the lastLogonTimestamp attribute is updated. Defaults to 14 days with a 0–5 day randomization value, which means that lastLogonTimestamp is rewritten for a given account only when the stored value is 9 to 14 days old, to prevent excessive replication of lastLogonTimestamp.
ms-DS-MachineAccountQuota: The number of computer accounts a nonadministrator user account can join to the domain. The default is 10, which means any authenticated user can create computer objects; environments that do not need this commonly set it to 0.
nTMixedDomain: Number that represents the mode of a domain: 1 for mixed mode (Windows NT 4.0 BDCs still permitted), 0 for native mode.
pwdHistoryLength: Number of passwords to remember before a user can reuse a previous password in the absence of any applicable Fine-Grained Password Policy.
pwdProperties: Bit flags that represent different options that can be configured for passwords used in the domain, including password complexity (0x1, DOMAIN_PASSWORD_COMPLEX) and storing passwords with reversible encryption (0x10, DOMAIN_PASSWORD_STORE_CLEARTEXT).
subRefs: Multivalue attribute containing the list of subordinate naming contexts and application partitions, such as DC=ForestDnsZones,DC=adatum,DC=com within the adatum.com domain.
wellKnownObjects: DN-with-binary values pairing a GUID with the DN of each well-known container, such as the default Computers container, so that the container can be located even if it is renamed.
Distinguished names in Active Directory
Hierarchical paths in Active Directory are known as distinguished names and can be used to uniquely reference an object.
Distinguished names are defined in the LDAP standard as a means of referring to any object in the directory.
Distinguished names for Active Directory objects are normally represented using the syntax and rules defined in the LDAP standards.
Beginning with Windows Server 2003, you can also use the dsadd.exe command-line utility to create Active Directory objects. To add a single user to Active Directory, simply type dsadd user UserDN at the command line, where UserDN refers to the distinguished name of the user object, such as cn=smith, dc=example, dc=com. dsadd allows you to set a huge number of user attributes at the command line by using any of the following parameters:
-samid SAMName: Specifies the SAM account name for backwards compatibility with Windows NT 4.0 and legacy applications.
-upn UPN: Specifies the user principal name, in the form user@dns-domain-name.
-fn FirstName
-mi MiddleInitial
-ln LastName
-display DisplayName
-empid EmployeeID
-pwd Password: Specifies the password for the user to be set to. You can either enter the password when you issue the dsadd command, or type * to be prompted for a password when the user object is created.
-desc Description
-memberof GroupDN: Specifies the security groups that this user should belong to. Separates multiple group names using a comma.
-office Office
-tel TelephoneNumber
-email Email
-hometel HomePhoneNumber
-pager PagerNumber
-mobile CellPhoneNumber
-fax FaxNumber
-iptel IPPhoneNumber
-webpg WebPage
-title Title
-dept Department
-company Company
-mgr ManagerDN: Specifies the distinguished name of the manager of the user account you’re currently creating.
-hmdir HomeDirectory: The user’s home directory.
-hmdrv DriveLetter: The drive letter that a user’s home directory should be mapped to.
-profile ProfilePath: Path to the user’s profile.
-loscr ScriptPath: Path to the user’s logon script.
-mustchpwd {yes | no}: Specifies whether the user needs to change his password the next (or first) time he logs on to Active Directory. This defaults to no if it isn’t specified.
-canchpwd {yes | no}: Specifies whether the user is allowed to change her password. This needs to be set to yes if -mustchpwd is set to yes. The value for -canchpwd defaults to yes.
-reversiblepwd {yes | no}: Specifies whether the password should be stored using reversible encryption. This defaults to no if you don’t specify a value.
-pwdneverexpires {yes | no}: Specifies whether the password is exempt from the domain's maximum password age: yes sets the "password never expires" flag, no leaves the password subject to normal expiry. Defaults to no.
-acctexpires NumberOfDays: Number of days from today when the account will expire.
-disabled {yes | no}: Specifies whether the user account is disabled. Defaults to no.
{-s Server | -d Domain}: Specifies where the directory operation is sent. -s names the domain controller (or AD LDS server) to connect to; -d names a domain, in which case dsadd connects to a domain controller in that domain. If neither is given, dsadd connects to a domain controller in the logon domain.
-u: Specifies the user account that you’ll use to connect to the remote server. This allows you to improve the security of your network by logging on to your workstation using an everyday user account, and using the -u option to specify an administrative account to create a new user.
-p: Specifies the password that you’ll use to connect to the remote server. You can enter the password manually, or enter an asterisk (*) to be prompted for a password when dsadd runs.
-uc | -uco | -uci: Specifies that input from or output to a pipe is formatted using Unicode. -uc specifies Unicode for both input and output, -uci specifies that only the input is Unicode, -uco specifies Unicode for only the output.
-q: Suppresses any output from dsadd; the command runs in “quiet” mode.
To create a single user object using the dsadd utility, you would use the following syntax:
dsadd user "cn=smith,dc=mycompany,dc=com" -samid smith -fn Bryan -ln Smith
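The minimal command above creates the object with no password and no constraints. The following added example, which is not from the book, shows the invocation an administrator would actually use from an ordinary logon session: it places the user in an OU, sets the UPN and group membership, forces a password change at first logon, gives the account an expiry, and authenticates the operation with a separate administrative account via -u and -p. The OU, group, server and account names are placeholders for illustration.

```powershell
# Added example (not from the original text). Creates a user with dsadd from
# an ordinary user session, supplying admin credentials only for this operation.
# DNs and names below are placeholders; adjust them for your domain.
$userDn  = 'cn=Bryan Smith,ou=Staff,dc=mycompany,dc=com'
$groupDn = 'cn=Helpdesk Users,ou=Groups,dc=mycompany,dc=com'

# -pwd * and -p * prompt interactively, so neither the new user's password nor
# the admin password is left in the command history or visible in process listings.
dsadd user $userDn `
    -samid bsmith `
    -upn bsmith@mycompany.com `
    -fn Bryan -ln Smith -display 'Bryan Smith' `
    -memberof $groupDn `
    -pwd * `
    -mustchpwd yes `
    -pwdneverexpires no `
    -acctexpires 90 `
    -s dc01.mycompany.com `
    -u 'MYCOMPANY\adm-jdoe' -p *

if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }

# Read the attributes back with dsget to confirm what was actually written.
dsget user $userDn -samid -upn -mustchpwd -pwdneverexpires -acctexpires -memberof
```

Because -mustchpwd yes requires the user to be able to change the password, leave -canchpwd at its default of yes; the dsget call at the end is the quickest way to verify that the flags and group membership landed as intended before handing the account over.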