
Automation of NT Domain

Improve domain administration tasks, user and group management, authentication, security control, secure networking, and logging with the DESY WindowsNT Group solution.





Presentation Transcript


  1. Automation of NT Domain Christian Trachimow The DESY WindowsNT Group

  2. Domain administration tasks
    • Domain data
      • 1000 PCs / 1500 users
      • 50 groups
      • 4 central home directory servers, 2 home directory servers in groups
      • MS Dfs server
      • TEM
      • user / group management
    • Administrative tasks:
      • users: create, move, delete, archive, rename
      • groups: ...

  3. General problems
    • Impersonation
      • run scripts with administrative rights (in domain)
    • Authentication
      • who wants to execute a script
    • Security control / delegation
      • allow execution to a group of users
    • Secure networking
    • Easy invocation
    • Logging
    • Prevent misuse (check parameters)

  4. Solution: Transaction Server (problem -> component)
    • Impersonation: MTX
    • Authentication: NTLM (DCOM)
    • Security control: MTX ("Roles")
    • Secure networking: DCOM ("packet privacy")
    • Invocation: DCOM
    • Logging: COM module
    • Check parameters: COM module
    • Execute script: COM module

  5. Transaction Server (architecture diagram)
    • Transaction Server: connection pooling, thread pooling, transaction support, network security, impersonation
    • COM dll (inside the server): GetConnectingUser, IsCallerInRole? checked against the Roles, impersonation, transaction support; runs the Script
    • Roles: list of users or groups

  6. Inside the COM object
    Configuration file %WINDIR%\system32\DomainAuto.cfg (scripts and their roles):
      #comment
      #format: (separator = tab)
      #ScriptName     Script              Role    Flag 0/1
      DeleteComputer  C:\scripts\dc.bat   RoleDC  0
      #
      DeleteUser      C:\scripts\du.bat   Admins  1
    Roles (role: users or groups):
      RoleDC:GroupAdmusg_
      Admins:DomainAdmins
    Client call:
      Set obj = CreateObject("DomainAuto.DomainAuto")
      obj.InvokeScript("DeleteUser", "param1 ..")
    Resulting invocation on the server (flag 1 appends the connecting user's name):
      c:\scripts\du.bat param1 username

  7. Scripting Host Usage
    • 1. Write script
    • 2. Configure script
      • put it on the MTX server
      • define "role"
      • change .cfg
        • common script name
        • script location
        • role name
        • 1 / 0: whether the name of the connecting user should be passed to the script
    • 3. Write Web interface / client script
      • MTX automatically creates the client setup script
      • easy to deploy
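The decision the COM module makes for every call on slides 5 to 7 (look the script up in DomainAuto.cfg, ask whether the connecting user is in the script's role, check the parameters, append the user name when the flag is 1) as an added Python example; it is not DESY's code, the .cfg sample and the group names are constructed from the slide, and the parameter allowlist is an assumption, since the slides only say "check parameters":

```python
import re

# Constructed sample in the DomainAuto.cfg layout shown on slide 6 (tab separated).
SAMPLE_CFG = (
    "#comment\n"
    "#format: (separator = tab)\n"
    "#ScriptName\tScript\tRole\tFlag0/1\n"
    "DeleteComputer\tC:\\scripts\\dc.bat\tRoleDC\t0\n"
    "#\n"
    "DeleteUser\tC:\\scripts\\du.bat\tAdmins\t1\n"
    "RoleDC:GroupAdmusg_\n"
    "Admins:DomainAdmins\n"
)

# Parameter allowlist (assumption: the slides only say "check parameters").
SAFE_PARAM = re.compile(r"^[A-Za-z0-9 _.@-]+$")


def parse_cfg(text):
    """Return (scripts, roles): name -> (path, role, pass_user), role -> set of members."""
    scripts, roles = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comment or blank line
        if "\t" in line:                  # script definition line
            name, path, role, flag = line.split("\t")
            scripts[name] = (path, role, flag == "1")
        else:                             # "Role:UserOrGroup" membership line
            role, member = line.split(":", 1)
            roles.setdefault(role, set()).add(member)
    return scripts, roles


def is_caller_in_role(roles, role, caller, caller_groups):
    """Mirror of the MTX IsCallerInRole check: a role lists users or groups."""
    members = roles.get(role, set())
    return caller in members or not members.isdisjoint(caller_groups)


def invoke_script(cfg, script_name, params, caller, caller_groups):
    """Return the argv the module would execute, or None when the call is refused."""
    scripts, roles = parse_cfg(cfg)
    if script_name not in scripts:
        return None                       # only configured script names can run
    path, role, pass_user = scripts[script_name]
    if not is_caller_in_role(roles, role, caller, caller_groups):
        return None                       # caller is not in the script's role
    if not all(SAFE_PARAM.match(p) for p in params):
        return None                       # parameter check rejected the input
    argv = [path, *params]
    if pass_user:
        argv.append(caller)               # flag 1: pass the connecting user's name
    return argv
```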

  8. Web Interface
    • Separate Web (IIS) accessible via SSL
    • User has to authenticate
      • Challenge / Response does not allow passing the authentication on to another server
      • Basic authentication gives the Web server the password
    • DCOM interface is used to execute the script on the transaction server
      • Web is configured to run .asp as the user (impersonation)
      • Packet privacy is used for DCOM security
    • Write asp and establish the DCOM connection:
      Set obj = CreateObject("DomainAuto.DomainAuto")
      strResult = obj.InvokeScriptWithReturn("scriptname", "param1 param2")

  9. Web example
    <html>
    <%
    ' get variables from form
    strUserName = Request.Form("UserName")
    strNewComment = Request.Form("NewComment")
    ' call script: the form values become the script's parameter string,
    ' so the COM module's parameter check is what guards them
    On Error Resume Next
    Set Dobj = CreateObject("DomainAuto.DomainAuto")
    strRet = Dobj.InvokeScriptWithReturn("ChangeUserComment", strUserName & " """ & strNewComment & """")
    %>
    <h2>Result</h2>
    <% ' compare Err.Number explicitly: "Not Err" is a bitwise Not on the number and is non-zero for most errors %>
    <% If Err.Number = 0 Then %>
    <p>The user status has been changed successfully!!!</p>
    <% Else %>
    <p>Error occurred, the comment could not be changed!!!</p>
    <p>Error message: <br> <%=Err.Description%></p>
    <% End If %>
    </html>

  10. Domain automation - scheme (diagram)
    • Client, indirect: via SSL to IIS (ASP), which calls the Transaction Server over DCOM
    • Client, direct: DCOM to the Transaction Server
    • Transaction Server: .DLL with Roles and the configuration file DomainAuto.cfg; Script / Program Execution

  11. User and Group Management
    • A managing user wants to change some user attributes or add users to special groups
      Management Group   Rights   Groups
      sys                USER     *
      cadadmin           GROUP    cad
    • Extend the script attributes with the new rights USER/GROUP
    • Automatically check whether the connecting user is allowed to make the change
