Active directory

De Banane Atomic
Revision dated 20 February 2022 at 17:13 by Nicolas

Installation on Windows Server 2012

Server Manager Dashboard → Add roles and features → Role-based

  • AD Domain Services
  • AD Federation Services

Server Manager Dashboard → AD DS → more → promote this server to a domain controller

  • Add a New Forest
  • Root domain name: domain.ch
The server must have a fixed IP address.

PowerShell scripts

Install Remote Server Administration Tools for Windows 10 if needed (otherwise: The specified module 'activedirectory' was not loaded)
```powershell
Import-Module ActiveDirectory

# Show all properties of every account whose e-mail address contains NAME
Get-ADUser -Filter {EmailAddress -like "*NAME*"} -Properties *

# Show all user accounts
Get-ADUser -Filter {ObjectClass -eq "user"}

# Show all user accounts whose mail attribute contains NAME
Get-ADObject -Filter {(mail -like "*NAME*") -and (ObjectClass -eq "user")}
```

Add a user

  1. Server Manager → AD DS → right-click on the server → AD Users and Computers
  2. right-click on domain.ch → New → Organisational Unit
  3. right-click on the OU → New → User
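The same three steps done from code, as an added example that is not part of the original page: it binds to the domain root with System.DirectoryServices, creates the OU, then the user inside it. The names `Staff`, `John Doe`, `jdoe`, the initial password and the helper names are constructed for the example; the domain `domain.ch` and the placeholder `DOMAIN-CONTROLLER-NAME` are the ones used on this page.

```csharp
using System;
using System.DirectoryServices;

static class ProvisionUser
{
    // Authenticated, encrypted bind against the named server (same options as the LDAP examples below).
    const AuthenticationTypes Auth = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    // Steps 2 and 3 above, through ADSI: create the OU under the domain root, then the
    // user object inside it. Returns the ADsPath of the new user. Throws if the OU
    // already exists or if the password does not satisfy the domain policy.
    public static string CreateOuAndUser(string domainController, string adminUser, string adminPassword,
        string ouName, string commonName, string logonName, string initialPassword)
    {
        using (var root = new DirectoryEntry($"LDAP://{domainController}/DC=domain,DC=ch",
            adminUser, adminPassword, Auth))
        using (DirectoryEntry ou = root.Children.Add($"OU={ouName}", "organizationalUnit"))
        {
            ou.CommitChanges();   // the OU is only written to the directory here

            using (DirectoryEntry user = ou.Children.Add($"CN={commonName}", "user"))
            {
                user.Properties["sAMAccountName"].Value = logonName;
                user.Properties["userPrincipalName"].Value = $"{logonName}@domain.ch";
                user.CommitChanges();   // the object must exist before a password can be set

                // New accounts are created disabled (userAccountControl 0x202). Set a password
                // that satisfies the domain policy first, then enable it as a normal account.
                user.Invoke("SetPassword", new object[] { initialPassword });
                const int ADS_UF_NORMAL_ACCOUNT = 0x0200;
                user.Properties["userAccountControl"].Value = ADS_UF_NORMAL_ACCOUNT;
                user.Properties["pwdLastSet"].Value = 0;   // user must change the password at first logon
                user.CommitChanges();

                return user.Path;   // LDAP://DOMAIN-CONTROLLER-NAME/CN=John Doe,OU=Staff,DC=domain,DC=ch
            }
        }
    }

    static void Main()
    {
        // Constructed values for the example; replace with your own.
        string path = CreateOuAndUser("DOMAIN-CONTROLLER-NAME", "Administrator", "xxx",
            "Staff", "John Doe", "jdoe", "Initial-Passw0rd!");
        Console.WriteLine(path);
    }
}
```

If the process already runs under an account that holds the needed rights, pass `null` for both user name and password: DirectoryEntry then binds with the process identity and no administrator password has to live in the code.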

ADWS

  • Default endpoint: NetTcpBinding on port 9389
  • no HTTP binding support
```csharp
using System;
using System.ServiceModel;

// Bind to the ADWS AccountManagement endpoint (net.tcp, port 9389) on the local domain controller.
// ADWSSvc is the WCF service reference generated from the ADWS AccountManagement service.
NetTcpBinding tcpBind = new NetTcpBinding();
var acctMgmt = new ADWSSvc.AccountManagementClient(tcpBind,
    new EndpointAddress("net.tcp://localhost:9389/ActiveDirectoryWebServices/Windows/AccountManagement"));
// Let the service impersonate the caller for the duration of the call.
acctMgmt.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;
// List the members of Domain Admins (last argument: recursive) in the corp.claimsauth.com domain.
var adPrincipal = acctMgmt.GetADGroupMember("ldap:389",
                                            "CN=Domain Admins,CN=Users,DC=corp,DC=claimsauth,DC=com",
                                            "DC=corp,DC=claimsauth,DC=com",
                                            true);
foreach (var item in adPrincipal)
{
    Console.WriteLine(item.Name);
    Console.WriteLine(item.DistinguishedName);
    Console.WriteLine(item.SamAccountName);
}
```

Links

Local users and groups

```csharp
using System;
using System.DirectoryServices;

// WinNT provider: the local SAM of this machine, not Active Directory.
var ad = new DirectoryEntry($"WinNT://{Environment.MachineName},computer");
var user = ad.Children.Find("Bibi", "user");
var adminGroup = ad.Children.Find("Administrators", "group");
adminGroup.Invoke("Add", new object[] { user.Path });  // add the user to the local Administrators group
```

LDAP

User Info

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Looks up one account by sAMAccountName and returns its attributes as name/value pairs
// (or an "Error" / "Exception" entry).
Dictionary<string, string> GetUserInfo()
{
    var output = new Dictionary<string, string>();

    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";

    // Authenticated (Kerberos/NTLM) bind, encrypted (Sealing), against the named server only (ServerBind).
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;

    try
    {
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}",
            adminUser, adminPassword, authenticationTypes);
        // Alternative: search the global catalog (whole forest) instead of one domain container:
        // searchRoot = new DirectoryEntry($"GC://{domainController}",
        //     adminUser, adminPassword, authenticationTypes);

        searcher = new DirectorySearcher(searchRoot);
        // userName must not contain the LDAP filter characters ( ) * \ unescaped.
        searcher.Filter = String.Format("(sAMAccountName={0})", userName);
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;

        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null)
        {
            output["Error"] = "User Not Found In This Domain";
            return output;
        }

        userEntry = searchResult.GetDirectoryEntry();

        output["Name"] = userEntry.Name;  // CN=User
        foreach (PropertyValueCollection p in userEntry.Properties)
        {
            // Multi-valued attributes come back as object[]; join them for display.
            object v;
            if (p.Value is object[] o)
            {
                v = string.Join(", ", o);
            }
            else
            {
                v = p.Value;
            }
            output[p.PropertyName] = v?.ToString() ?? "";
            // objectClass → top, person, organizationalPerson, user
            // givenName / displayName / name → User
            // sAMAccountName → user
            // userPrincipalName → user@domain.ch
        }
        return output;
    }
    catch (Exception ex)
    {
        output["Exception"] = ex.Message;
        return output;
    }
    finally
    {
        if (userEntry != null) userEntry.Dispose();
        if (searcher != null) searcher.Dispose();
        if (searchRoot != null) searchRoot.Dispose();
    }
}
```
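The lookup above builds the LDAP filter by string formatting, so a user name coming from a web form or API could rewrite the filter (RFC 4515 gives `( ) * \` and NUL special meaning). The following added example, not code from the original page, shows the escaping a practitioner would put in front of the search, reads the attributes straight from the SearchResult instead of binding a second time with GetDirectoryEntry, and disposes everything with `using`. The class and method names, the attribute list and the sample input in Main are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

static class UserLookup
{
    const AuthenticationTypes Auth = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    // RFC 4515 escaping: encode the filter metacharacters as \XX so the value is matched
    // literally. "*)(objectClass=*" becomes "\2a\29\28objectClass=\2a".
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the requested attributes of the account, or null when no such user exists.
    // Pass null for bindUser/bindPassword to bind with the identity of the current process.
    public static Dictionary<string, string> FindUser(string domainController, string container,
        string bindUser, string bindPassword, string sAMAccountName)
    {
        using (var root = new DirectoryEntry($"LDAP://{domainController}/{container}",
            bindUser, bindPassword, Auth))
        using (var searcher = new DirectorySearcher(root))
        {
            // objectClass=user also matches computer accounts; objectCategory=person excludes them.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                + EscapeFilterValue(sAMAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            // Ask only for what is needed; the DC then sends only these attributes.
            searcher.PropertiesToLoad.AddRange(new[]
                { "sAMAccountName", "userPrincipalName", "displayName", "distinguishedName", "memberOf" });

            SearchResult result = searcher.FindOne();
            if (result == null) return null;

            var output = new Dictionary<string, string>();
            foreach (string name in result.Properties.PropertyNames)
            {
                // ResultPropertyValueCollection: one or more values per attribute (e.g. memberOf).
                var values = new List<string>();
                foreach (object v in result.Properties[name]) values.Add(v?.ToString() ?? "");
                output[name] = string.Join(", ", values);
            }
            return output;
        }
    }

    static void Main()
    {
        // Constructed input: a value that would otherwise change the filter is neutralised.
        Console.WriteLine(EscapeFilterValue("*)(objectClass=*"));   // \2a\29\28objectClass=\2a

        var info = FindUser("DOMAIN-CONTROLLER-NAME", "DC=domain,DC=ch", null, null, "user");
        if (info == null) { Console.WriteLine("User Not Found In This Domain"); return; }
        foreach (var kv in info) Console.WriteLine($"{kv.Key} = {kv.Value}");
    }
}
```

Reading from the SearchResult avoids the second bind that GetDirectoryEntry performs, and limiting PropertiesToLoad keeps large attributes (thumbnailPhoto, userCertificate) off the wire unless they are actually wanted.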

Change Password

```csharp
using System;
using System.DirectoryServices;

// Administrative password reset for one account, found by sAMAccountName.
string SetUserPassword()
{
    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";
    string newPassword = "xxx";

    // Authenticated (Kerberos/NTLM) bind, encrypted (Sealing), against the named server only (ServerBind).
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;

    try
    {
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}",
            adminUser, adminPassword, authenticationTypes);

        searcher = new DirectorySearcher(searchRoot);
        // userName must not contain the LDAP filter characters ( ) * \ unescaped.
        searcher.Filter = String.Format("(sAMAccountName={0})", userName);
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;

        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null) return "User Not Found In This Domain";

        userEntry = searchResult.GetDirectoryEntry();

        // IADsUser.SetPassword: reset without the old password (needs the "Reset password" right).
        userEntry.Invoke("SetPassword", new object[] { newPassword });
        userEntry.CommitChanges();

        return "New password set";
    }
    catch (Exception ex)
    {
        return ex.ToString();
    }
    finally
    {
        if (userEntry != null) userEntry.Dispose();
        if (searcher != null) searcher.Dispose();
        if (searchRoot != null) searchRoot.Dispose();
    }
}
```
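ADSI offers two different operations behind Invoke, and the choice matters: SetPassword (used above) is an administrative reset that needs the "Reset password" right on the user object and bypasses the old password and password history, whereas ChangePassword proves knowledge of the current password and lets the domain controller enforce history, minimum age and complexity. The example below is added here and is not code from the original page; it shows both calls side by side and unwraps the COMException that Invoke delivers inside a TargetInvocationException, so the HRESULT (such as the 0x80070005 discussed next) is visible. The class and method names and the sample values in Main are constructed.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;

static class PasswordOps
{
    const AuthenticationTypes Auth = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;

    // Administrative reset: bind with an account holding "Reset password" on the user object.
    // No old password is required and the password history is not checked.
    public static string ResetPassword(string userPath, string adminUser, string adminPassword,
        string newPassword)
    {
        using (var user = new DirectoryEntry(userPath, adminUser, adminPassword, Auth))
        {
            return Run(() => user.Invoke("SetPassword", new object[] { newPassword }), "Password reset");
        }
    }

    // Self-service change: bind as the user with the current password; the DC enforces
    // history, minimum age and complexity, and rejects the call if the old password is wrong.
    public static string ChangeOwnPassword(string userPath, string logonName, string oldPassword,
        string newPassword)
    {
        using (var user = new DirectoryEntry(userPath, logonName, oldPassword, Auth))
        {
            return Run(() => user.Invoke("ChangePassword", new object[] { oldPassword, newPassword }),
                "Password changed");
        }
    }

    // DirectoryEntry.Invoke wraps ADSI errors in TargetInvocationException; the COMException
    // inside carries the HRESULT, e.g. 0x80070005 = access denied (the caller lacks the right),
    // 0x800708C5 = the new password does not meet the domain policy.
    static string Run(Action call, string success)
    {
        try
        {
            call();
            return success;   // SetPassword/ChangePassword take effect immediately, no CommitChanges needed
        }
        catch (TargetInvocationException ex) when (ex.InnerException is COMException com)
        {
            return $"Failed: 0x{com.ErrorCode:X8} {com.Message}";
        }
    }

    static void Main()
    {
        // Constructed values for the example; replace with your own.
        string userPath = "LDAP://DOMAIN-CONTROLLER-NAME/CN=User,CN=Users,DC=domain,DC=ch";
        Console.WriteLine(ResetPassword(userPath, "Administrator", "xxx", "New-Passw0rd!"));
        Console.WriteLine(ChangeOwnPassword(userPath, "user@domain.ch", "New-Passw0rd!", "Another-Passw0rd!"));
    }
}
```

For a web application that lets users change their own password, ChangeOwnPassword is the one to expose: the service account then needs no reset right at all, and a stolen session cannot reset the password of an account whose current password the caller does not know.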

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

The account running the service does not have the right to change a password.
Specify an identity for the application pool:

  1. IIS Manager → click Application Pools
  2. right-click the pool to change → Advanced Settings → Process Model → Identity
  3. Custom Account

AD Federated Services