Friday, November 12, 2010

How To: Manage an Active Directory directly from a remote PC.

The Active Directory Users and Computers MMC is commonly used to administer users in an Active Directory via the domain controller. The MMC snap-in is designed to be used by a user that exists on the domain that is being administered; it will determine your rights to make changes to accounts based upon your current login ID.

So let's assume you want to manage an Active Directory on a different domain than the one you are on. Not only do you need to log in as a user on that domain, but you also need to force the snap-in to connect to a seperate domain controller. To do this, you will want to create a .BAT file that employs a runas command. (NOTE: This method can also be used as an additional layer of security so that you can administer the Active Directory from a non-administrative account, avoiding the risks of a trojan or virus gaining access to Active Directory information.) Hit the Read link for details!

To start, create a standard notepad file, and include the following text. For DOMAIN_NAME, enter the domain name, for DOMAIN_CONTROLLER_ADDRESS, enter a fully qualified domain controller address and name, ie domaincontroller1.mydomain.local

@set /p NAME=Enter a UserID:
@runas /netonly /user:DOMAIN_NAME\%NAME% "mmc dsa.msc /domain DOMAIN_CONTROLLER_ADDRESS

(Omit the @ signs if you want the commands to be visible when the .BAT file runs. I also like to add a few @echo lines before the @set describing the function of the .BAT file etc.)

Rename the file extension from .txt to .BAT. It should turn into a recognized Windows Batch file.
Ensure that you have the Active Directory Users and Computers console installed. Type dsa.msc into the Run command line. This should launch the MMC. If it does not, download and apply the Windows 2003 SP1 Administration Tools update.

Now all you need to do is establish a VPN connection to the network you want to administer and launch the .BAT file. It will ask for your username  and password on the target domain (and, if nobody else uses the file, you can always just remove the first line and replace %NAME% with your user ID).

This will launch the snap-in as if you are connected to that domain, and will allow you to administer that Active Directory remotely.

NOTE: Due to the sensitive nature of the data involved in Active Directory account administration, your VPN should use encryption methods to keep password data secure.

PS: Using a terminal server connection to the domain controller is another possibility. This solution is intended to avoid that route and keep administration simple and efficient.

No comments:

Post a Comment