book

Active Directory, 4th Edition

by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris

November 2008

Beginner to intermediate

866 pages

28h 35m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Active Directory
A Note Regarding Supplemental Files
Preface
Intended AudienceContents of the BookPart 1, Active Directory BasicsPart 2, Designing an Active Directory InfrastructurePart 3, Scripting Active Directory with ADSI, ADO, and WMIConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgmentsFor the Fourth Edition (Brian)For the Third Edition (Joe)For the Second Edition (Robbie)For the First Edition (Alistair)
I. Active Directory Basics
1. A Brief Introduction
Evolution of the Microsoft NOSBrief History of DirectoriesWindows NT Versus Active DirectoryWindows 2000 Versus Windows Server 2003Windows Server 2003 Versus Windows Server 2003 R2Windows Server 2003 R2 Versus Windows Server 2008Summary
2. Active Directory Fundamentals
How Objects Are Stored and IdentifiedUniquely Identifying ObjectsDistinguished namesExamplesBuilding BlocksDomains and Domain TreesForestsOrganizational UnitsGlobal CatalogFlexible Single Master Operator (FSMO)Time Synchronization in Active DirectoryDomain and Forest Functional LevelsWindows 2000 Domain ModeGroupsGroups in Windows NTGroup nesting in different functional levelsGroup membership across domain boundariesConverting groupsWrap-upSummary
3. Naming Contexts and Application Partitions
Domain Naming ContextConfiguration Naming ContextSchema Naming ContextApplication PartitionsStoring Dynamic DataSummary
4. Active Directory Schema
Structure of the SchemaX.500 and the OID NamespaceAttributes (attributeSchema Objects)Dissecting an Example Active Directory AttributeAttribute PropertiesAttribute SyntaxSystem FlagsConstructed attributesCategory 1 objectsSchema FlagsExSearch FlagsIndexed attributesAmbiguous Name ResolutionPreserve attribute in tombstoneTuple indexConfidentialAttribute change auditingFiltered attribute setProperty Sets and attributeSecurityGUIDLinked AttributesClasses (classSchema Objects)Object Class Category and InheritanceDissecting an Example Active Directory ClassHow inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClassViewing the user class with the Active Directory Schema snap-inDynamically Linked Auxiliary ClassesSummary
5. Site Topology and Replication
Site TopologySubnetsSitesSite LinksSite Link BridgesConnection ObjectsKnowledge Consistency Checker (KCC)Site and Replication Management ToolsHow Replication WorksA Background to MetadataUpdate Sequence Numbers (USN) and highestCommittedUSNOriginating updates versus replicated updatesDSA GUID and Invocation IDHigh-watermark vector (direct up-to-dateness vector)Up-to-dateness vectorRecapHow an Object’s Metadata Is Modified During ReplicationStep 1: Initial creation of a user on Server AStep 2: Replication of the originating write to DC BStep 3: Password change for the user on DC BStep 4: Password-change replication to DC AThe Replication of a Naming Context Between Two ServersStep 1: Replication with a partner is initiatedStep 2: The partner works out what updates to sendStep 3: The partner sends the updates to the initiating serverStep 4: The initiating server processes the updatesStep 5: The initiating server checks whether it is up-to-dateRecapHow Replication Conflicts Are ReconciledConflict due to identical attribute changeConflict due to a move or creation of an object under a now-deleted parentConflict due to creation of objects with names that conflictReplicating the conflict resolutionSummary
6. Active Directory and DNS
DNS FundamentalsZonesResource RecordsDDNSGlobal Names ZoneDC LocatorResource Records Used by Active DirectoryOverriding SRV Record RegistrationDelegation OptionsNot Delegating the AD DNS ZonesPolitical factorsInitial setup and configurationSupport and maintenanceIntegration issuesDelegating the AD DNS ZonesPolitical factorsInitial setup and configurationSupport and maintenanceIntegration issuesDNS for Standalone ADActive Directory Integrated DNSReplication ImpactBackground Zone LoadingUsing Application Partitions for DNSAging and ScavengingConfiguring ScavengingSetting zone-specific optionsEnabling scavenging on the DNS serverSummary

7. Read-Only Domain Controllers
PrerequisitesPassword Replication PoliciesManaging the Password Replication PolicyManaging RODC TheftThe Client Logon ProcessPopulating the Password CacheRODCs and Write RequestsUser Password ChangesComputer Account Password ChangesThe lastLogonTimeStampAttributeLast-Logon StatisticsLogon Success/Fail InformationNetLogon Secure Channel UpdatesReplication Connection ObjectsDNS UpdatesThe W32Time ServiceApplication CompatibilityRODC Placement ConsiderationsRODCs and ReplicationAdministrator Role SeparationSummary
8. Group Policy Primer
Capabilities of GPOsGroup Policy StorageADM or ADMX filesHow GPOs are stored in Active DirectoryGroup Policy replicationHow Group Policies WorkGPOs and Active DirectoryPrioritizing the Application of Multiple PoliciesStandard GPO Inheritance Rules in Organizational UnitsBlocking Inheritance and Overriding the Block in Organizational Unit GPOsSummaryWhen Policies ApplyGroup Policy refresh frequencyCombating Slowdown Due to Group PolicyLimiting the number of GPOs that applyLimiting cross-domain linkingLimiting use of site policiesUse simple queries in WMI filtersSecurity Filtering and Group Policy ObjectsLoopback Merge Mode and Loopback Replace ModeWMI FilteringSummary of Policy OptionsManaging Group PoliciesUsing the Group Policy Management Console (GPMC)Group Policy ModelingDelegation and Change ControlThe importance of change-control proceduresDesigning the delegation of GPO administrationUsing Starter GPOsGroup Policy Backup and RestoreScripting Group PoliciesTroubleshooting Group PolicyGroup Policy Results WizardForcing Group Policy UpdatesEnabling Extra LoggingGroup Policy Diagnostic Best Practices AnalyzerThird-Party Troubleshooting ToolsSummary
9. Fine-Grained Password Policies
Understanding Password Setting ObjectsScenarios for Fine-Grained Password PoliciesDefining Password Setting ObjectsDefining PSO precedenceCreating Password Setting ObjectsPSO Quick StartBuilding a PSO from ScratchCreating a PSO with ADSI editCreating a PSO with PSOMgrManaging Password Settings ObjectsStrategies for Controlling PSO ApplicationApplying PSOs to groupsApplying PSOs to usersMixing group application and user applicationManaging PSO ApplicationApplying a PSO with ADSI EditApplying a PSO with Active Directory users and computersApplying a PSO with PSOMgrViewing the effective PSODelegating Management of PSOsSummary
II. Designing an Active Directory Infrastructure
10. Designing the Namespace
The Complexities of a DesignWhere to StartOverview of the Design ProcessDomain Namespace DesignObjectivesRepresent the structure of your businessStep 1: Decide on the Number of DomainsIsolated replicationUnique domain policyIn-place upgrade of current domainFinal notesStep 2: Design and Name the Tree StructureChoose the forest root domainDesign the namespace naming schemeCreate additional treesCreate additional forestsArrange subdomain hierarchyStep 3: Design the Workstation and Server-Naming SchemeDesign of the Internal Domain StructureStep 4: Design the Hierarchy of Organizational UnitsRecreating the business modelDelegating full administrationDelegating other rightsStep 5: Design the Users and GroupsNaming and placing usersNaming and placing groupsCreating proper security group designsStep 6: Design the Application Partition StructureOther Design ConsiderationsDesign ExamplesTwoSiteCorpStep 1: Set the number of domainsStep 2: Design and name the tree structureStep 3: Design the workstation- and server-naming schemeStep 4: Design the hierarchy of Organizational UnitsStep 5: Design the users and groupsStep 6: Design the application partition structureRecapRetailCorpStep 1: Identify the number of domainsStep 2: Design and name the tree structureStep 3: Design the workstation- and server-naming schemeStep 4: Design the hierarchy of Organizational UnitsStep 5: Design the users and groupsStep 6: Design the application partition structureRecapPetroCorpStep 1: Set the number of domainsStep 2: Design and name the tree structureStep 3: Design the workstation- and server-naming schemeStep 4: Design the hierarchy of Organizational UnitsStep 5: Design the users and groupsStep 6: Design the application partition structureRecapDesigning for the Real WorldIdentify the Number of DomainsDesign to Help Business Plans and Budget ProposalsRecognizing Nirvana’s ProblemsSummary
11. Creating a Site Topology
Intrasite and Intersite TopologiesThe KCCAutomatic Intrasite Topology Generation by the KCCTwo serversThree serversFour serversEight serversNow what?Site Links: The Basic Building Blocks of Intersite TopologiesCostScheduleTransportWhen the ISTG becomes involvedSite Link Bridges: The Second Building Blocks of Intersite TopologiesDesigning Sites and Links for ReplicationStep 1: Gather Background Data for Your NetworkStep 2: Design the SitesStep 3: Plan the Domain Controller LocationsWhere to put domain controllersHow many domain controllers to havePlacing a domain controller in more than one siteStep 4: Decide How You Will Use the KCC to Your AdvantageStep 5: Create Site LinksStep 6: Create Site Link BridgesExamplesTwoSiteCorpRetailCorpPetroCorpAdditional ResourcesSummary
12. Designing Organization-Wide Group Policies
Using GPOs to Help Design the Organizational Unit StructureIdentifying Areas of PolicyHow GPOs Influenced a Real Organizational Unit DesignThe merits of collapsing the Organizational Unit structureA bridge too farLoopback modeGuidelines for Designing GPOsSummary
13. Active Directory Security: Permissions and Auditing
Permission BasicsPermission ACEProperty Sets, Validated Writes, and Extended RightsInherited Versus Explicit PermissionsDefault Security DescriptorsPermission LockdownConfidentiality BitProtecting Objects from Accidental DeletionUsing the GUI to Examine PermissionsReverting to the Default PermissionsViewing the Effective Permissions for a User or GroupUsing the Delegation of Control WizardUsing the GUI to Examine AuditingDesigning Permission SchemesThe Five Golden Rules of Permissions DesignRule 1: Apply permissions to groups whenever possibleRule 2: Design group permissions so that you have minimum duplicationRule 3: Manage Advanced permissions only when absolutely necessaryRule 4: Allow inheritance; do not protect sections of the domain tree from inheritanceRule 5: Keep a log of unusual changesHow to Plan PermissionsBringing Order Out of ChaosDesigning Auditing SchemesImplementing Auditing under Windows Server 2008Tracking Last Interactive Logon InformationReal-World ExamplesHiding Specific Personal Details for All Users in an Organizational Unit from a GroupAllowing Only a Specific Group of Users to Access a New Published ResourceRestricting Everyone but HR from Viewing Social Security Numbers with Confidential Access CapabilitySummary
14. Designing and Implementing Schema Extensions
Nominating Responsible People in Your OrganizationThinking of Changing the SchemaDesigning the DataTo Change or Not to ChangeThe Global PictureCreating Schema ExtensionsRunning the Schema Manager MMC for the First TimeThe Schema CacheThe Schema Master FSMOUsing LDIF to Extend the SchemaChecks the System Makes When You Modify the SchemaMaking Classes and Attributes DefunctSummary
15. Backup, Recovery, and Maintenance
Backing Up Active DirectoryUsing the NT Backup UtilityUsing Windows Server BackupRestoring a Domain ControllerRestore from ReplicationManually removing a domain controller from Active DirectoryRestore from BackupInstall from MediaCreating and using IFM media on Windows Server 2003Creating and using IFM media on Windows Server 2008Restoring Active DirectoryNon-Authoritative RestoreRestoring with NT BackupRestoring with Windows Server BackupPartial Authoritative RestoreComplete Authoritative RestoreWorking with SnapshotsFSMO RecoveryRestartable Directory ServiceDIT MaintenanceChecking the Integrity of the DITReclaiming SpaceChanging the DS Restore Mode Admin PasswordSummary
16. Upgrading to Windows Server 2003
New Features in Windows Server 2003Differences with Windows 2000Functional Levels ExplainedHow to Raise the Functional LevelPreparing for ADPrepForestPrepDomainPrepGPPrepUpgrade ProcessInventory Domain ControllersInventory ClientsTrial RunPrepare the Forest and DomainsExchange 2000SFU 2.0Tweak SettingsUpgrade Domain ControllersPost-Upgrade TasksMonitorRaise Functional LevelsStart Implementing New FeaturesSummary
17. Upgrading to Windows Server 2003 R2
New Active Directory Features in Windows Server 2003 Service Pack 1Differences with Windows Server 2003New Active Directory Features in Windows Server 2003 R2Preparing for ADPrepForestPrepService Pack 1 Upgrade ProcessR2 Upgrade ProcessPrepare the ForestUpgrade Domain ControllersSummary
18. Upgrading to Windows Server 2008
New Features in Windows Server 2008Differences with Windows Server 2003Preparing for ADPrepForestPrepRODCPrepDomainPrepGPPrepWindows Server 2008 Upgrade ProcessSummary
19. Integrating Microsoft Exchange
A Quick Word about Exchange/AD InteractionPreparing Active Directory for ExchangeSetup PrerequisitesPrepareLegacyExchangePermissionsPrepareSchemaPrepareADPrepareDomainActive Directory Site Design and Domain Controller PlacementSite topologyDomain controller impactOther ConsiderationsMail-Enabling ObjectsUsing the Exchange Management ConsoleMailbox-enabling a userLinked mailboxesMail-enabling a groupUsing PowerShellSummary
20. Active Directory Lightweight Directory Service (a.k.a. ADAM)
ADAM TermsDifferences Between AD and ADAM V1.0Standalone Application ServiceConfigurable LDAP PortsNo SRV RecordsNo Global CatalogTop-Level Application Partition Object ClassesGroup and User ScopeFSMOsSchemaService AccountConfiguration/Schema Partition NamesDefault Directory SecurityUser Principal NamesAuthenticationADAM R2 UpdatesUsers in the Configuration PartitionPassword Reset/Change Chaining to WindowsVirtual List View (VLV) SearchingConfidentiality BitNew and Updated ToolsInstallationAuthenticationR2 ADAM for R2 Server OnlyActive Directory Lightweight Directory Services UpdatesGUI ToolsAvailability on Server CoreSupport for Install from MediaSupport for Snapshots and the Database Mounting ToolSupport for Enhanced Auditing FeaturesAD LDS InstallationInstalling ComponentsInstalling a New ADAM InstanceInstalling an ADAM ReplicaToolsADAM ADSIEDITADAM Schema ManagementADAM InstallADAMSyncADAM UninstallAD Schema AnalyzerCSVDEDSACLSDSDBUTILDSDiagDSMgmtLDIFDELDPRepAdminADAM SchemaVirtual List View (VLV) Index SupportDefault Security DescriptorsBindable Objects and Bindable Proxy ObjectsUsing ADAMCreating Application PartitionsCreating ContainersCreating UsersCreating User ProxiesSpecial considerationsRenaming UsersCreating GroupsAdding Members to GroupsRemoving Members from GroupsDeleting ObjectsDeleting Application PartitionsSummary
III. Scripting Active Directory with ADSI, ADO, and WMI
21. Scripting with ADSI
What Are All These Buzzwords?ActiveXWindows Scripting Host (WSH)Active Server Pages (ASPs)Active Directory Service Interface (ADSI)ActiveX Data Objects (ADO)Windows Management Instrumentation (WMI).NET and .NET FrameworkWriting and Running ScriptsA Brief Primer on COM and WSHHow to Write ScriptsWSH File FormatsADSIObjects and InterfacesNamespaces, ProgIDs, and ADsPathRetrieving ObjectsSimple Manipulation of ADSI ObjectsCreating the OUCreating the UsersTearing Down What Was CreatedSummary
22. IADs and the Property Cache
The IADs PropertiesUsing IADs::Get and IADs::PutThe Property CacheBe CarefulMore Complexities of Property Access: IADs::GetEx and IADs::PutExUsing IADs::GetExUsing IADs::PutExManipulating the Property CacheProperty Cache MechanicsAdding Individual ValuesAdding Sets of ValuesWalking Through the Property CacheApproach 1: Using the IADsPropertyList::PropertyCount property methodApproach 2: Using the IADsPropertyList::Next methodApproach 3: Using the IADsPropertyList::Next and IADsPropertyList::Skip methodsWriting the ModificationsWalking the Property Cache: The SolutionWalking the Property Cache Using the Formal Schema Class DefinitionChecking for Errors in VBScriptSummary
23. Using ADO for Searching
The First SearchStep 1: Define the Constants and VariablesStep 2: Establish an ADO Database ConnectionStep 3: Open the ADO ConnectionStep 4: Execute the QueryStep 5: Navigate Through the ResultsetStep 6: Close the ADO ConnectionThe Entire Script for a Simple SearchUnderstanding Search FiltersItems Within a FilterConnecting FiltersOptimizing SearchesEfficient SearchingObjectClass Versus ObjectCategoryAdvanced Search Function: SearchADSummary
24. Users and Groups
Creating a Simple User AccountCreating a Full-Featured User AccountLDAP ProviderCreating Many User AccountsModifying Many User AccountsAccount Unlocker UtilityCreating a GroupAdding Members to a GroupAdding Many USER Groups to GroupsEvaluating Group MembershipSummary
25. Permissions and Auditing
How to Create an ACE Using ADSITrusteeAccessMaskAceTypeAceFlagsFlags, ObjectType, and InheritedObjectTypeA Simple ADSI ExampleDiscussionA Complex ADSI ExampleDiscussionUnlock accountSet/clear “User Must Change Password On Next Logon” flagReset PasswordMaking Your Own ACEsDelegate member attribute on groupsDelegate ability to view Confidential AttributeHow to implement other delegationsCreating Security DescriptorsListing the Security Descriptor of an ObjectSummary
26. Extending the Schema and the Active Directory Snap-ins
Modifying the Schema with ADSIIADsClass and IADsPropertyCreating the Mycorp-LanguagesSpoken AttributeCreating the FinanceUser classCreating instances of the new classFinding the Schema Container and Schema FSMOTransferring the Schema FSMO RoleForcing a Reload of the Schema CacheAdding an Attribute to the Partial Attribute SetCustomizing the Active Directory Administrative Snap-insDisplay SpecifiersProperty PagesContext MenusIconsDisplay NamesLeaf or ContainerObject Creation WizardSummary
27. Scripting with WMI
Origins of WMIWMI ArchitectureCIMOM and CIM RepositoryWMI ProvidersGetting Started with WMI ScriptingReferencing an ObjectEnumerating Objects of a Particular ClassSearching with WQLAuthentication with WMIWMI ToolsWMI from a Command LineWMI from the WebWMI SDKScriptomatic Version 2.0; WMI Scripting ToolManipulating ServicesQuerying the Event LogsMonitoring TrustsMonitoring ReplicationSummary
28. Scripting DNS
DNS Provider OverviewInstalling the DNS ProviderManaging DNS with the DNS ProviderManipulating DNS Server ConfigurationListing a DNS Server’s PropertiesConfiguring a DNS serverRestarting the DNS ServiceDNS Server Configuration Check ScriptCreating and Manipulating ZonesCreating a ZoneConfiguring a ZoneListing the Zones on a ServerCreating and Manipulating Resource RecordsFinding Resource Records in a ZoneCreating Resource RecordsSummary
29. Programming the Directory with the .NET Framework
Why .NET?Choosing a .NET Programming LanguageChoosing a Development Tool.NET IDE Options.NET Development Without an IDE.NET Framework VersionsWhich .NET Framework Comes with Which OS?Directory Programming Features by .NET Framework ReleaseAssemblies Versus NamespacesSummary of Namespaces, Assemblies, and Framework VersionsDirectory Services Programming LandscapeSystem.DirectoryServices OverviewOther nice things in System.DirectoryServicesSystem.DirectoryServices SummarySystem.DirectoryServices.ActiveDirectory OverviewWhy use System.DirectoryServices.ActiveDirectory?System.DirectoryServices.ActiveDirectory summarySystem.DirectoryServices.Protocols OverviewWhy use System.DirectoryServices.Protocols?System.DirectoryServices.Protocols summarySystem.DirectoryServices.AccountManagement OverviewWhy use System.DirectoryServices.AccountManagement?System.DirectoryServices.AccountManagement summary.NET Directory Services Programming by ExampleConnecting to the DirectorySearching the DirectoryBasics of Modifying the DirectoryBasic add exampleBasic remove examplesMoving and renaming objectsModifying existing objectsManaging UsersManaging users with System.DirectoryServices.AccountManagementOverriding SSL Server Certificate Verification with SDS.PSummary
30. PowerShell Basics
Exploring the PowerShellVariables and ObjectsWorking with QuotesProfilesWorking with the PipelineThe $_ ExpressionPipeline by ExampleCmdletsThe Cmdlet Naming SchemeCmdlet ParametersWorking with Built-in CmdletsGet-HelpGet-CommandGet-MemberManaging the EnvironmentSet-LocationSet-ExecutionPolicyGet-PSSnapinAdd-PSSnapinFormatting OutputFormat-ListFormat-TableOut-NullProcessing and Filtering OutputForeach-ObjectWhere-ObjectImporting InformationGet-ContentImport-CsvImport-CliXmlExporting InformationExport-CsvExport-CliXmlOut-FileBuilding PowerShell ScriptsArgumentsFunctionsError HandlingFlow ControlConditional StatementsLoopsUsing WMISummary
31. Scripting Active Directory with PowerShell
Becoming Familiar with .NETDirectoryEntryDirectorySearcherDomainForestDirectoryContextDomainControllerGlobalCatalogApplicationPartitionUnderstanding Client-Side ProcessingBuilding the Lab Build ScriptSetupCreating Organizational UnitsCreating User AccountsCreating Computer AccountsCreating GroupsAdding group membersPutting It All TogetherWorking with Forests and DomainsGathering Forest InformationGathering Domain InformationUnderstanding Group PolicyGroup Policy Refresh CmdletGPMC CmdletsQuest CmdletsSummary
32. Scripting Basic Exchange 2003 Tasks
Notes on Managing ExchangeExchange Management ToolsMail-Enabling Versus Mailbox-EnablingExchange DelegationMail-Enabling a UserMail-Disabling a UserCreating and Mail-Enabling a ContactMail-Disabling a ContactMail-Enabling a Group (Distribution List)Mail-Disabling a GroupMailbox-Enabling a UserMailbox-Disabling a User (Mailbox Deletion)Purging a Disconnected MailboxReconnecting a Disconnected MailboxMoving a MailboxEnumerating Disconnected MailboxesViewing Mailbox Sizes and Message CountsViewing All Store Details of All Mailboxes on a ServerDumping All Store Details of All Mailboxes on All Servers in Exchange OrgSummary
33. Scripting Basic Exchange 2007 Tasks
Exchange Scripting NotesThe Departure of the Recipient Update ServiceMail-Enabling Versus Mailbox-EnablingExchange Cmdlet PrimerManaging UsersMailbox-Enabling a UserMailbox-Disabling a UserMail-Enabling a UserMail-Disabling a UserViewing Mailbox PropertiesMoving a User MailboxProvisioning Mailboxes Out-of-BandManaging GroupsMail-Enabling a GroupMail-Disabling a GroupManaging Group MembershipDisplaying Group PropertiesSummary
Index
About the Authors
Colophon
Copyright

Content preview from Active Directory, 4th Edition

Chapter 13. Active Directory Security: Permissions and Auditing

Permissions can be set in Active Directory in much the same way they are set for files. Although you may not care that everyone in the tree can read all your users’ phone numbers, you may want to store more sensitive information and restrict that access. Reading is not the only problem, of course. You also have create, modify, and delete privileges to worry about, and the last thing you need is a disgruntled or clever employee finding a way to delete all the users in an Organizational Unit.

None of this should be new to system managers who already deal with Windows NT Access Control Lists and Access Masks, Novell eDirectory Trustee Lists and Inherited Rights Masks, and Unix access permissions in file masks. In fact, Microsoft has carried the NT terminology from file permissions forward to Active Directory, so if you already know these terms, you’re well ahead. If you are not familiar with them, don’t worry. Terminology in permissions can seem confusing at first, so we’ll go through it all in detail.

Managing the permissions in Active Directory doesn’t have to be a headache. You can design sensible permissions schemes using guidelines on inheritance and complexity that will allow you to have a much easier time as a systems administrator. The GUI that Microsoft provides is fairly good for simple tasks but more cumbersome for complex multiple permissions. In Windows Server 2003, the GUI was enhanced to provide an “effective ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596155179Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Active Directory, 4th Edition

by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris

Chapter 13. Active Directory Security: Permissions and Auditing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.