Server Manager Dashboard → Add roles and features → Role-based
- AD Domain Services
- AD Federation Services
Server Manager Dashboard → AD DS → more → promote this server to a domain controller
- Add a New Forest
- Root domain name: domain.ch
|
The server must have a static IP address. |
PowerShell scripts
|
Import-Module ActiveDirectory
# Show every property of all accounts whose e-mail address contains NAME
# (-Properties * pulls every attribute; on a large domain list only the ones you need)
Get-ADUser -Filter {EmailAddress -like "*NAME*"} -Properties *
# Show every user account (Get-ADUser already returns only objectClass=user, so this equals -Filter *)
Get-ADUser -Filter {ObjectClass -eq "user"}
# Same lookup through the generic Get-ADObject: "mail" is the LDAP name of EmailAddress
Get-ADObject -Filter {(mail -like "*NAME*") -and (ObjectClass -eq "user")}
|
- Server Manager → AD DS → right-click the server → AD Users and Computers
- right-click domain.ch → New → Organisational Unit
- right-click the OU → New → User
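The same OU and user creation done from code with System.DirectoryServices, as an added example that is not part of the original notes. It assumes the DC DOMAIN-CONTROLLER-NAME and the domain.ch naming context used elsewhere on this page; the OU name "Lab", the user "Bibi" and the initial password passed on the command line are constructed values.

```csharp
using System;
using System.DirectoryServices;

// Added example: creates an OU and an enabled user object, equivalent to the GUI steps above.
// Assumes DOMAIN-CONTROLLER-NAME / DC=domain,DC=ch; "Lab" and "Bibi" are constructed sample values.
static class CreateOuAndUser
{
    // Secure = Kerberos/NTLM bind, Sealing = encryption, Signing = integrity, ServerBind = only the named DC
    const AuthenticationTypes Auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing |
        AuthenticationTypes.Signing | AuthenticationTypes.ServerBind;

    // right-click domain.ch → New → Organisational Unit
    public static DirectoryEntry CreateOu(DirectoryEntry parent, string ouName)
    {
        DirectoryEntry ou = parent.Children.Add("OU=" + ouName, "organizationalUnit");
        ou.CommitChanges();
        return ou;
    }

    // right-click the OU → New → User
    public static DirectoryEntry CreateUser(DirectoryEntry ou, string cn, string sam, string upn, string initialPassword)
    {
        DirectoryEntry user = ou.Children.Add("CN=" + cn, "user");
        user.Properties["sAMAccountName"].Value = sam;
        user.Properties["userPrincipalName"].Value = upn;
        user.Properties["displayName"].Value = cn;
        user.CommitChanges();   // the object must exist in the directory before a password can be set

        // AD creates the account disabled (userAccountControl 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE).
        // Set a policy-compliant password first: enabling an account with an empty password is refused.
        user.Invoke("SetPassword", new object[] { initialPassword });
        user.Properties["userAccountControl"].Value = 0x200;   // NORMAL_ACCOUNT, ACCOUNTDISABLE cleared
        user.Properties["pwdLastSet"].Value = 0;               // force a password change at first logon
        user.CommitChanges();
        return user;
    }

    static void Main(string[] args)
    {
        // args[0] = initial password, taken from the command line so no credential sits in the source.
        // No explicit user/password: the bind runs under the process identity, which needs
        // "Create organizationalUnit objects" on the domain root and "Create user objects" on the OU.
        using (var root = new DirectoryEntry("LDAP://DOMAIN-CONTROLLER-NAME/DC=domain,DC=ch", null, null, Auth))
        using (DirectoryEntry ou = CreateOu(root, "Lab"))
        using (DirectoryEntry user = CreateUser(ou, "Bibi", "bibi", "bibi@domain.ch", args[0]))
        {
            Console.WriteLine("Created " + user.Path);
        }
    }
}
```

The order in CreateUser matters: commit the object, set the password, then clear ACCOUNTDISABLE; doing the enable before the password fails against any domain with a minimum password length.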
ADWS
- Default endpoint: NetTcpBinding on port 9389
- no HTTP binding support
|
using System;
using System.ServiceModel;

// ADWSSvc is the service reference generated from the AccountManagement endpoint's WSDL.
// NetTcpBinding defaults to transport security with Windows credentials (encrypted and signed).
NetTcpBinding tcpBind = new NetTcpBinding();
var acctMgmt = new ADWSSvc.AccountManagementClient(tcpBind,
    new EndpointAddress("net.tcp://localhost:9389/ActiveDirectoryWebServices/Windows/AccountManagement"));
// Allow the service to impersonate the caller so the query is evaluated with the caller's AD rights.
acctMgmt.ClientCredentials.Windows.AllowedImpersonationLevel =
    System.Security.Principal.TokenImpersonationLevel.Impersonation;
// GetADGroupMember(server, groupDN, partitionDN, recursive); "ldap:389" targets the DC's own LDAP instance.
var adPrincipal = acctMgmt.GetADGroupMember("ldap:389",
    "CN=Domain Admins,CN=Users,DC=corp,DC=claimsauth,DC=com",
    "DC=corp,DC=claimsauth,DC=com",
    true);
foreach (var item in adPrincipal)
{
    Console.WriteLine(item.Name);
    Console.WriteLine(item.DistinguishedName);
    Console.WriteLine(item.SamAccountName);
}
|
Links
|
using System;
using System.DirectoryServices;

// WinNT provider = the local SAM of this machine, not AD; the caller needs local Administrators rights.
var ad = new DirectoryEntry($"WinNT://{Environment.MachineName},computer");
var user = ad.Children.Find("Bibi", "user");
var adminGroup = ad.Children.Find("Administrators", "group");
adminGroup.Invoke("Add", new object[] { user.Path }); // add the user to the local Administrators group
|
LDAP
User Info
|
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Looks up one user by sAMAccountName and returns its attributes as name → value
// (or an "Error" / "Exception" entry).
static Dictionary<string, string> GetUserInfo()
{
    var output = new Dictionary<string, string>();
    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";
    // Secure = Kerberos/NTLM bind, Sealing = encrypted session, ServerBind = only the named DC
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;
    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;
    try
    {
        // Search the domain partition; to search the whole forest bind to $"GC://{domainController}" instead
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}",
            adminUser, adminPassword, authenticationTypes);
        searcher = new DirectorySearcher(searchRoot);
        // userName is placed inside the LDAP filter: escape the RFC 4515 metacharacters, otherwise
        // "*" matches every account and "x)(objectClass=*" rewrites the query (backslash first).
        string safeName = userName.Replace(@"\", @"\5c").Replace("*", @"\2a")
            .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
        searcher.Filter = $"(sAMAccountName={safeName})";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;
        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null)
        {
            output["Error"] = "User Not Found In This Domain";
            return output;
        }
        userEntry = searchResult.GetDirectoryEntry();
        output["Name"] = userEntry.Name; // CN=User
        foreach (PropertyValueCollection p in userEntry.Properties)
        {
            // Multi-valued attributes come back as object[]; binary ones (objectSid, objectGUID)
            // are byte[] and print as "System.Byte[]" unless decoded separately.
            object v = p.Value is object[] o ? string.Join(", ", o) : p.Value;
            output[p.PropertyName] = v?.ToString();
            // objectClass → top, person, organizationalPerson, user
            // givenName / displayName / name → User
            // sAMAccountName → user
            // userPrincipalName → user@domain.ch
        }
        return output;
    }
    catch (Exception ex)
    {
        output["Exception"] = ex.Message;
        return output;
    }
    finally
    {
        if (userEntry != null) userEntry.Dispose();
        if (searcher != null) searcher.Dispose();
        if (searchRoot != null) searchRoot.Dispose();
    }
}
|
Change Password
|
using System;
using System.DirectoryServices;

// Administrative password reset for one user (no old password required).
static string ResetUserPassword()
{
    string adminUser = "Administrator";
    string adminPassword = "xxx";
    string container = "DC=domain,DC=ch";
    string domainController = "DOMAIN-CONTROLLER-NAME";
    string userName = "user";
    string newPassword = "xxx";
    const AuthenticationTypes authenticationTypes = AuthenticationTypes.Secure |
        AuthenticationTypes.Sealing | AuthenticationTypes.ServerBind;
    DirectoryEntry searchRoot = null;
    DirectorySearcher searcher = null;
    DirectoryEntry userEntry = null;
    try
    {
        searchRoot = new DirectoryEntry($"LDAP://{domainController}/{container}",
            adminUser, adminPassword, authenticationTypes);
        searcher = new DirectorySearcher(searchRoot);
        // Escape the filter value (RFC 4515) so a crafted userName cannot select another account
        string safeName = userName.Replace(@"\", @"\5c").Replace("*", @"\2a")
            .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
        searcher.Filter = $"(sAMAccountName={safeName})";
        searcher.SearchScope = SearchScope.Subtree;
        searcher.CacheResults = false;
        SearchResult searchResult = searcher.FindOne();
        if (searchResult == null) return "User Not Found In This Domain";
        userEntry = searchResult.GetDirectoryEntry();
        // IADsUser::SetPassword is a reset: it bypasses password history and minimum age and needs the
        // "Reset Password" right on the object. ADSI tries LDAP over SSL, then Kerberos, then NetUserSetInfo.
        // A user changing their own password should call ChangePassword(oldPassword, newPassword) instead.
        userEntry.Invoke("SetPassword", new object[] { newPassword });
        userEntry.CommitChanges();
        return "New password set";
    }
    catch (Exception ex)
    {
        return ex.ToString();
    }
    finally
    {
        if (userEntry != null) userEntry.Dispose();
        if (searcher != null) searcher.Dispose();
        if (searchRoot != null) searchRoot.Dispose();
    }
}
|
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
The account the service runs as does not have the right to reset a password. Either bind with explicit credentials (as above) or give the process identity the right. For IIS, specify an identity for the application pool:
- IIS Manager → click Application Pools
- right-click the pool used by the site → Advanced Settings → Process Model → Identity
- Custom Account
Grant that account only the "Reset Password" permission on the users' OU (Delegate Control on the OU) rather than Domain Admins membership; a web application pool running as a domain admin turns any web vulnerability into domain compromise.
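The User Info and Change Password blocks above share two weak points: the filter is built by string formatting from user input, and SetPassword is used even when the caller is the user. The following added example (not code from the original notes) puts the RFC 4515 escaping in one helper, searches with it, and separates an administrative reset from a self-service change so that the application pool identity only needs the delegated "Reset Password" right. It assumes the DC DOMAIN-CONTROLLER-NAME and DC=domain,DC=ch from this page; the account name and passwords are taken from the command line and are constructed values.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example: hardened lookup plus reset-vs-change password operations.
// Assumes DOMAIN-CONTROLLER-NAME / DC=domain,DC=ch; command-line values are sample input.
static class AdPasswordOps
{
    // Signing (integrity) added on top of Sealing (encryption) for the LDAP session
    const AuthenticationTypes Auth = AuthenticationTypes.Secure | AuthenticationTypes.Sealing |
        AuthenticationTypes.Signing | AuthenticationTypes.ServerBind;

    // RFC 4515 escaping for a value embedded in an LDAP search filter. Without it a userName of "*"
    // matches every account and "x)(objectClass=*" rewrites the filter. Backslash is handled like
    // any other character here, so there is no double-escaping problem.
    public static string LdapEscape(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the single matching user or null; objectCategory=person excludes computer accounts.
    public static DirectoryEntry FindUser(DirectoryEntry searchRoot, string samAccountName)
    {
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" +
                              LdapEscape(samAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult result = searcher.FindOne();
            return result?.GetDirectoryEntry();
        }
    }

    // Administrative reset (IADsUser::SetPassword): no old password, history and minimum age bypassed.
    // The bound identity needs the "Reset Password" extended right on the target object; delegate that
    // right on the OU to the service account instead of adding it to Domain Admins.
    public static void ResetPassword(DirectoryEntry user, string newPassword)
    {
        user.Invoke("SetPassword", new object[] { newPassword });
        user.CommitChanges();
    }

    // Self-service change (IADsUser::ChangePassword): the old password is verified and the domain
    // password policy is enforced, so this works when the process is bound as the user itself.
    public static void ChangeOwnPassword(DirectoryEntry user, string oldPassword, string newPassword)
    {
        user.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
        user.CommitChanges();
    }

    static void Main(string[] args)
    {
        // args: <sAMAccountName> <newPassword> [oldPassword]; two arguments = admin reset, three = self change
        // No explicit credentials: the bind uses the process identity (e.g. the IIS application pool account).
        using (var root = new DirectoryEntry("LDAP://DOMAIN-CONTROLLER-NAME/DC=domain,DC=ch", null, null, Auth))
        using (DirectoryEntry user = FindUser(root, args[0]))
        {
            if (user == null) { Console.WriteLine("User not found"); return; }
            if (args.Length == 3) ChangeOwnPassword(user, args[2], args[1]);
            else ResetPassword(user, args[1]);
            Console.WriteLine("Password updated for " + user.Path);
        }
    }
}
```

For the payload `*)(objectClass=*` the escaper produces `\2a\29\28objectClass=\2a\29`, which the server treats as a literal sAMAccountName and matches nothing. The split between ResetPassword and ChangeOwnPassword is what lets the application pool run with a delegated right instead of an administrator account.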