Advanced AD DS Management Using Active Directory Administrative Center (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic covers the updated Active Directory Administrative Center with its new Active Directory Recycle Bin, Fine-Grained Password Policy, and Windows PowerShell History Viewer in more detail, including architecture, examples for common tasks, and troubleshooting information. For an introduction, see Introduction to Active Directory Administrative Center Enhancements (Level 100).

Active Directory Administrative Center Architecture

Active Directory Administrative Center Executables, DLLs

The module and underlying architecture of the Active Directory Administrative Center have not changed with the new Recycle Bin, FGPP, and History Viewer capabilities.

  • Microsoft.ActiveDirectory.Management.UI.dll
  • Microsoft.ActiveDirectory.Management.UI.resources.dll
  • Microsoft.ActiveDirectory.Management.dll
  • Microsoft.ActiveDirectory.Management.resources.dll
  • ActiveDirectoryPowerShellResources.dll

The underlying Windows PowerShell and layer of operations for the new Recycle Bin functionality are illustrated below:

[Figure: Advanced AD DS Management]

Enabling and Managing the Active Directory Recycle Bin Using Active Directory Administrative Center

Capabilities

  • The Windows Server 2012 or newer Active Directory Administrative Center enables you to configure and manage the Active Directory Recycle Bin for any domain partition in a forest. There is no longer a requirement to use Windows PowerShell or Ldp.exe to enable the Active Directory Recycle Bin or restore objects in domain partitions.
  • The Active Directory Administrative Center has advanced filtering criteria, making targeted restoration easier in large environments with many intentionally deleted objects.

Limitations

  • Because the Active Directory Administrative Center can only manage domain partitions, it cannot restore deleted objects from the Configuration, Domain DNS, or Forest DNS partitions (you cannot delete objects from the Schema partition). To restore objects from non-domain partitions, use Restore-ADObject.

  • The Active Directory Administrative Center cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects.

    Note

    The Active Directory Administrative Center batch restore operation does a "best effort" sort of the deleted objects within the selection only, so that parents are ordered before their children in the restore list. In simple test cases, sub-trees of objects may be restored in a single action. But corner cases, such as a selection that contains partial trees (trees with some of the deleted parent nodes missing), or error cases, such as skipping the child objects when the parent restore fails, may not work as expected. For this reason, you should always restore sub-trees of objects as a separate action after you restore the parent objects.

The Active Directory Recycle Bin requires a Windows Server 2008 R2 forest functional level, and you must be a member of the Enterprise Admins group. Once enabled, you cannot disable the Active Directory Recycle Bin. The Active Directory Recycle Bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space used by the Recycle Bin continues to increase over time, because it preserves objects and all their attribute data.

Enabling Active Directory Recycle Bin using Active Directory Administrative Center

To enable the Active Directory Recycle Bin, open the Active Directory Administrative Center and click the name of your forest in the navigation pane. From the Tasks pane, click Enable Recycle Bin.

The Active Directory Administrative Center shows the Enable Recycle Bin Confirmation dialog. This dialog warns you that enabling the Recycle Bin is irreversible. Click OK to enable the Active Directory Recycle Bin. The Active Directory Administrative Center shows another dialog to remind you that the Active Directory Recycle Bin is not fully functional until all domain controllers replicate the configuration change.

Important

The option to enable the Active Directory Recycle Bin is unavailable if:

  • The forest functional level is lower than Windows Server 2008 R2
  • It is already enabled

The equivalent Active Directory Windows PowerShell cmdlet is:

Enable-ADOptionalFeature

For more information about using Windows PowerShell to enable the Active Directory Recycle Bin, see the Active Directory Recycle Bin Step-by-Step Guide.
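The following script is an added example (not code from the original page or from the Active Directory module documentation) that performs the same preconditions the Administrative Center enforces before showing the Enable Recycle Bin task (forest functional level, not already enabled) and then calls Enable-ADOptionalFeature. It assumes the ActiveDirectory module is available and that the caller is an Enterprise Admin; the re-read at the end only reflects the DC it queries until replication completes.

```powershell
# Added example: guard the irreversible Recycle Bin enablement with the same checks
# the Administrative Center applies, then enable it with Enable-ADOptionalFeature.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'

# Check 1: forest functional level must be Windows Server 2008 R2 or higher.
# ForestMode is an enum; compare numerically so the check does not depend on the
# display name, which differs between module versions.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or higher is required."
}

# Check 2: enabling is irreversible, so do nothing if any scope already has it.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
    return
}

# The Recycle Bin is a forest-wide optional feature, so the scope is
# ForestOrConfigurationSet and the target is the forest root domain.
# Targeting the Domain Naming Master avoids a referral to it.
Enable-ADOptionalFeature -Identity $feature `
    -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain `
    -Server $forest.DomainNamingMaster `
    -Confirm:$false

# Re-read from the same DC. Other DCs still report the feature as disabled until
# the configuration change has replicated to them, as the confirmation dialog warns.
(Get-ADOptionalFeature -Identity $feature -Server $forest.DomainNamingMaster).EnabledScopes
```

Run it once per forest; a second run stops at the "already enabled" check rather than failing inside the cmdlet.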

Managing Active Directory Recycle Bin using Active Directory Administrative Center

This section uses the example of an existing domain named corp.contoso.com. This domain organizes users into a parent OU named UserAccounts. The UserAccounts OU contains three child OUs named by department, each of which contains further OUs, users, and groups.

Storage and Filtering

The Active Directory Recycle Bin preserves all objects deleted in the forest. It saves these objects according to the msDS-deletedObjectLifetime attribute, which by default is set to match the tombstoneLifetime attribute of the forest. In any forest created using Windows Server 2003 SP1 or later, the value of tombstoneLifetime is set to 180 days by default. In any forest upgraded from Windows 2000 or installed with Windows Server 2003 (no service pack), the default tombstoneLifetime attribute is NOT SET, and Windows therefore uses the internal default of 60 days. All of this is configurable.

You can use the Active Directory Administrative Center to restore any objects deleted from the domain partitions of the forest. You must continue to use the Restore-ADObject cmdlet to restore deleted objects from other partitions, such as Configuration.

Enabling the Active Directory Recycle Bin makes the Deleted Objects container visible under every domain partition in the Active Directory Administrative Center.

The Deleted Objects container shows you all the restorable objects in that domain partition. Deleted objects older than msDS-deletedObjectLifetime are known as recycled objects. The Active Directory Administrative Center does not show recycled objects, and you cannot restore them using the Active Directory Administrative Center.

For a deeper explanation of the Recycle Bin's architecture and processing rules, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.

The Active Directory Administrative Center artificially limits the default number of objects returned from a container to 20,000 objects. You can raise this limit as high as 100,000 objects by clicking the Manage menu, then Management List Options.

Restoration

Filtering

The Active Directory Administrative Center offers powerful criteria and filtering options that you should become familiar with before you need to use them in a real-life restoration. Domains intentionally delete many objects over their lifetime. With a likely deleted object lifetime of 180 days, you cannot simply restore all objects when an accident occurs.

Rather than writing complex LDAP filters and converting UTC values into dates and times, use the basic and advanced Filter menu to list only the relevant objects. If you know the day of deletion, the names of objects, or any other key data, use that to your advantage when filtering. Toggle the advanced filter options by clicking the chevron to the right of the search box.

The restore operation supports all the standard filter criteria options, the same as any other search. Of the built-in filters, the important ones for restoring objects are typically:

  • ANR (ambiguous name resolution; not listed in the menu, but what is used when you type in the Filter box)
  • Last modified between given dates
  • Object is user/inetOrgPerson/computer/group/organizational unit
  • Name
  • When deleted
  • Last known parent
  • Type
  • Description
  • City
  • Country/region
  • Department
  • Employee ID
  • First name
  • Job title
  • Last name
  • SAMAccountName
  • State/Province
  • Telephone number
  • UPN
  • ZIP/Postal code

You can add multiple criteria. For example, you can find all user objects deleted on September 24, 2012 from Chicago, Illinois with a job title of Manager.

You can also add, modify, or reorder the column headers to provide more detail when evaluating which objects to recover.

For more information about Ambiguous Name Resolution, see ANR Attributes.

Single Object

Restoring deleted objects has always been a single operation; the Active Directory Administrative Center makes that operation easier. To restore a deleted object, such as a single user:

  1. Click the domain name in the navigation pane of the Active Directory Administrative Center.
  2. Double-click Deleted Objects in the management list.
  3. Right-click the object and then click Restore, or click Restore from the Tasks pane.

The object restores to its original location.

Click Restore To... to change the restore location. This is useful if the deleted object's parent container was also deleted but you do not want to restore the parent.

Multiple Peer Objects

You can restore multiple peer-level objects, such as all the users in an OU. Hold down the CTRL key and click one or more deleted objects you want to restore. Click Restore from the Tasks pane. You can also select all displayed objects by holding down the CTRL and A keys, or a range of objects using SHIFT and clicking.

Multiple Parent and Child Objects

It is critical to understand the restoration process for a multi-parent-child restoration, because the Active Directory Administrative Center cannot restore a nested tree of deleted objects with a single action.

  1. Restore the top-most deleted object in a tree.
  2. Restore the immediate children of that parent object.
  3. Restore the immediate children of those parent objects.
  4. Repeat as necessary until all objects are restored.

You cannot restore a child object before restoring its parent. Attempting this restoration returns the following error:

"The operation could not be performed because the object's parent is either uninstantiated or deleted."

The Last Known Parent attribute shows the parent relationship of each object. The Last Known Parent attribute changes from the deleted location to the restored location when you refresh the Active Directory Administrative Center after restoring a parent. Therefore, you can restore a child object once its parent's location no longer shows the distinguished name of the Deleted Objects container.

Consider the scenario where an administrator accidentally deletes the Sales OU, which contains child OUs and users.

First, observe the value of the Last Known Parent attribute for all the deleted users and how it reads OU=Sales\0ADEL:<guid+deleted objects container distinguished name>.

Filter on the ambiguous name Sales to return the deleted OU, which you then restore.

Refresh the Active Directory Administrative Center to see the deleted user objects' Last Known Parent attribute change to the restored Sales OU distinguished name.

Filter on all the Sales users. Hold down the CTRL and A keys to select all the deleted Sales users. Click Restore to move the objects from the Deleted Objects container to the Sales OU with their group memberships and attributes intact.

If the Sales OU contained child OUs of its own, you would restore the child OUs first, then their children, and so on.

To restore all nested deleted objects by specifying a deleted parent container, see Appendix B: Restore Multiple, Deleted Active Directory Objects (Sample Script).

The Active Directory Windows PowerShell cmdlet for restoring deleted objects is:

Restore-ADObject

The Restore-ADObject cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012.

Server-side Filtering

It is possible that over time the Deleted Objects container will accumulate over 20,000 (or even 100,000) objects in medium and large enterprises, and the Active Directory Administrative Center will have difficulty showing all of them. Since the filter mechanism in the Active Directory Administrative Center relies on client-side filtering, it cannot show these additional objects. To work around this limitation, use the following steps to perform a server-side search:

  1. Right-click the Deleted Objects container and click Search under this node.
  2. Click the chevron to expose the +Add criteria menu, then select and add Last modified between given dates. The Last Modified time (the whenChanged attribute) is a close approximation of the deletion time; in most environments, they are identical. This query performs a server-side search.
  3. Locate the deleted objects to restore by using further display filtering, sorting, and so on in the results, and then restore them normally.
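The script below is an added example (not the page's Appendix B script, nor code from the Active Directory module) that combines the two procedures above: the server-side search of the Deleted Objects container by whenChanged window from "Server-side Filtering", and the parent-before-child restore order from "Multiple Parent and Child Objects", using the lastKnownParent signal the page describes. The DC name dc1.corp.contoso.com, the domain corp.contoso.com and the date window are assumed placeholders; the function name Restore-DeletedObjectsParentFirst is the example's own.

```powershell
# Added example: server-side date-window search of the Deleted Objects container,
# followed by an automated parent-first restore that retries children once their
# parent is live again.
Import-Module ActiveDirectory

$server           = 'dc1.corp.contoso.com'                      # assumed placeholder
$domainDN         = (Get-ADDomain -Server $server).DistinguishedName
$deletedObjectsDN = "CN=Deleted Objects,$domainDN"
$windowStart      = Get-Date '2012-09-24'                       # assumed window
$windowEnd        = $windowStart.AddDays(1)

# The filter is evaluated by the DC, so the Administrative Center's 20,000/100,000
# client-side display limit does not apply. whenChanged approximates the deletion
# time. Objects already flagged isRecycled are past msDS-deletedObjectLifetime and
# cannot be restored, so they are dropped here.
$candidates = Get-ADObject -Server $server -SearchBase $deletedObjectsDN -SearchScope OneLevel `
    -IncludeDeletedObjects -ResultPageSize 1000 -ResultSetSize $null `
    -Properties lastKnownParent, whenChanged, isRecycled `
    -Filter { isDeleted -eq $true -and whenChanged -ge $windowStart -and whenChanged -lt $windowEnd } |
    Where-Object { -not $_.isRecycled }

function Restore-DeletedObjectsParentFirst {
    param([guid[]]$ObjectGuids, [string]$Server, [string]$DeletedObjectsDN)
    $pending = [System.Collections.Generic.List[guid]]::new()
    $ObjectGuids | ForEach-Object { $pending.Add($_) }
    do {
        $restoredThisPass = 0
        foreach ($guid in @($pending)) {
            # Re-read on every pass: lastKnownParent flips from the Deleted Objects DN
            # to the live DN as soon as the parent is restored (the page's refresh step).
            $obj = Get-ADObject -Identity $guid -Server $Server -IncludeDeletedObjects -Properties lastKnownParent
            if ($obj.lastKnownParent -like "*$DeletedObjectsDN") { continue }   # parent still deleted; retry later
            try {
                Restore-ADObject -Identity $guid -Server $Server -ErrorAction Stop
                [void]$pending.Remove($guid)
                $restoredThisPass++
            } catch {
                # e.g. "the object's parent is either uninstantiated or deleted", or a name clash
                Write-Warning "Restore of '$($obj.Name)' failed: $($_.Exception.Message)"
            }
        }
    } while ($restoredThisPass -gt 0 -and $pending.Count -gt 0)
    # Anything left has a parent outside the selection that is itself still deleted.
    return $pending
}

$unrestored = Restore-DeletedObjectsParentFirst -ObjectGuids $candidates.ObjectGUID `
                  -Server $server -DeletedObjectsDN $deletedObjectsDN
if ($unrestored.Count) {
    Write-Warning "$($unrestored.Count) object(s) not restored; restore their parent containers first, then rerun."
}
```

Pinning every call to one DC matters here: the lastKnownParent re-read and the Restore-ADObject call must see the same replica, otherwise a child can be attempted against a DC that has not yet received the parent's restore.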

Configuring and Managing Fine-Grained Password Policies Using Active Directory Administrative Center

Configuring Fine-Grained Password Policies

The Active Directory Administrative Center enables you to create and manage Fine-Grained Password Policy (FGPP) objects. Windows Server 2008 introduced the FGPP feature, but Windows Server 2012 has the first graphical management interface for it. You apply Fine-Grained Password Policies at the domain level, and they let you override the single domain password policy that Windows Server 2003 required. By creating different FGPPs with different settings, individual users or groups get differing password policies within a domain.

For information about Fine-Grained Password Policy, see AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).

In the Navigation pane, click Tree View, click your domain, click System, click Password Settings Container, and then in the Tasks pane, click New and Password Settings.

Managing Fine-Grained Password Policies

Creating a new FGPP or editing an existing one brings up the Password Settings editor. From here, you configure all desired password policies, as you would have in Windows Server 2008 or Windows Server 2008 R2, only now with a purpose-built editor.

[Figure: Advanced AD DS Management (Password Settings editor)]

Fill out all required (red asterisk) fields and any optional fields, and then click Add to set the users or groups that receive this policy. FGPP overrides the default domain policy settings for those specified security principals. In the figure above, an extremely restrictive policy applies only to the built-in Administrator account, to prevent compromise. The policy is far too complex for standard users to comply with, but is perfect for a high-risk account used only by IT professionals.

You also set the precedence, and to which users and groups the policy applies, within a given domain.

The Active Directory Windows PowerShell cmdlets for Fine-Grained Password Policy are:

Add-ADFineGrainedPasswordPolicySubject
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
New-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Set-ADFineGrainedPasswordPolicy

Fine-Grained Password Policy cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012. As a convenience, the following diagram illustrates the associated arguments for the cmdlets:

[Figure: Advanced AD DS Management (cmdlet argument diagram)]

The Active Directory Administrative Center also enables you to locate the resultant set of applied FGPP for a specific user. Right-click any user and click View resultant password settings... to open the Password Settings page that applies to that user through implicit or explicit assignment.

Examining the Properties of any user or group shows the Directly Associated Password Settings, which are the explicitly assigned FGPPs.

Implicit FGPP assignment does not display here; for that, you must use the View resultant password settings... option.
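As an added example (not code from the page or from the Active Directory module documentation), the following script builds the kind of policy the figure above describes, a very restrictive FGPP applied only to the built-in Administrator account, with the cmdlets listed above, and then reads back both the direct assignment (what Directly Associated Password Settings shows) and the resultant policy (what View resultant password settings... shows). The policy name Admin-Strict-PSO and every numeric setting are assumed values, not the page's.

```powershell
# Added example: create a restrictive FGPP for the built-in Administrator, assign it,
# then query direct and resultant assignment.
Import-Module ActiveDirectory

$psoName = 'Admin-Strict-PSO'   # assumed name

# New-ADFineGrainedPasswordPolicy creates the object in the Password Settings Container.
# Precedence is mandatory; when several PSOs apply to one user, the LOWEST number wins.
# TimeSpan parameters accept d.hh:mm:ss strings.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 3 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.01:00:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -Description 'Restrictive policy for the built-in Administrator account only'

# Explicit assignment: this is what the Properties page lists under
# "Directly Associated Password Settings". Subjects may be users or global groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Administrator'

# Direct subjects of the policy (explicit assignment only).
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, ObjectClass

# Resultant policy for a user, which also accounts for implicit assignment through
# group membership and precedence. This is the cmdlet equivalent of
# "View resultant password settings..."; the page's FGPP cmdlet list does not name it.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge

# Review the policy object itself afterwards, e.g. to confirm the precedence value.
Get-ADFineGrainedPasswordPolicy -Identity $psoName
```

Comparing the last two outputs is the quick way to spot a policy that is directly assigned but shadowed by a lower-precedence PSO inherited through a group.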

Using the Active Directory Administrative Center Windows PowerShell History Viewer

The future of Windows management is Windows PowerShell. By layering graphical tools on top of a task automation framework, management of the most complex distributed systems becomes consistent and efficient. You need to understand how Windows PowerShell works in order to reach your full potential and maximize your computing investments.

The Active Directory Administrative Center now provides a complete history of all the Windows PowerShell cmdlets it runs, with their arguments and values. You can copy the cmdlet history elsewhere for study, or for modification and re-use. You can create Task notes to help isolate what your Active Directory Administrative Center actions resulted in within Windows PowerShell. You can also filter the history to find points of interest.

The purpose of the Active Directory Administrative Center Windows PowerShell History Viewer is for you to learn through practical experience.

Click the chevron (arrow) to show the Windows PowerShell History Viewer.

Then, create a user or modify a group's membership. The History Viewer continually updates with a collapsed view of each cmdlet that the Active Directory Administrative Center ran, with the arguments specified.

Expand any line item of interest to see all values provided to the cmdlet's arguments.

Click the Start Task menu to create a manual notation before you use the Active Directory Administrative Center to create, modify, or delete an object. Type in what you were doing. When done with your change, select End Task. The task note groups all of the actions performed into a collapsible note you can use for better understanding.

For example, you can see the Windows PowerShell commands used to change a user's password and remove that user from a group grouped under one task note.

Selecting the Show All check box also shows the Get-* verb Windows PowerShell cmdlets that only retrieve data.

The History Viewer shows the literal commands run by the Active Directory Administrative Center, and you might note that some cmdlets appear to run unnecessarily. For example, you can create a new user with:

New-ADUser

and do not need to use:

Set-ADAccountPassword
Enable-ADAccount
Set-ADUser

The Active Directory Administrative Center's design required minimal code and modularity. Therefore, instead of one set of functions that creates new users and another that modifies existing users, it does each function minimally and then chains them together with the cmdlets. Keep this in mind when you are learning Active Directory Windows PowerShell. You can also use this as a learning technique, where you see how simply you can use Windows PowerShell to complete a single task.
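The following is an added example (not output from the History Viewer and not the page's own code) that contrasts the four-cmdlet chain the History Viewer shows for a user creation with the single New-ADUser call the text says is sufficient. The OU path, account names and the specific parameters in the chain are assumptions; the Administrative Center's actual argument list is whatever your History Viewer shows.

```powershell
# Added example: the chained form versus the single-cmdlet form of creating a user.
Import-Module ActiveDirectory

$ou = 'OU=Sales,OU=UserAccounts,DC=corp,DC=contoso,DC=com'   # assumed path

# Form 1: the chain as the History Viewer presents it. Each cmdlet does one thing:
# create (disabled, no password), set the password, enable, then set attributes.
New-ADUser -Name 'Test User' -SamAccountName 'tuser' -Path $ou
Set-ADAccountPassword -Identity 'tuser' -Reset -NewPassword (Read-Host -AsSecureString 'Password for tuser')
Enable-ADAccount -Identity 'tuser'
Set-ADUser -Identity 'tuser' -GivenName 'Test' -Surname 'User' -ChangePasswordAtLogon $true

# Form 2: the same end state from one New-ADUser call. -AccountPassword sets the
# password at creation and -Enabled $true avoids the separate Enable-ADAccount step.
New-ADUser -Name 'Test User2' -SamAccountName 'tuser2' -Path $ou `
    -GivenName 'Test' -Surname 'User2' `
    -AccountPassword (Read-Host -AsSecureString 'Password for tuser2') `
    -Enabled $true -ChangePasswordAtLogon $true

# Both accounts end up enabled with a password and the same attributes.
Get-ADUser -Identity 'tuser', 'tuser2' -Properties PasswordLastSet |
    Select-Object SamAccountName, Enabled, GivenName, Surname, PasswordLastSet
```

Form 2 is what you would write in a script; form 1 is worth recognising because it is what the viewer logs, and a Set-ADAccountPassword immediately after a New-ADUser is not a sign of a second operator at work.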

Troubleshooting AD DS Management

Introduction to Troubleshooting

Because of its relative newness and limited use in existing customer environments, the Active Directory Administrative Center has limited troubleshooting options.

Troubleshooting Options

Logging Options

The Active Directory Administrative Center now contains built-in logging, configured through a tracing config file. Create or modify the following file in the same folder as dsac.exe:

dsac.exe.config

Create the following contents:

<!-- dsac.exe.config is a standard .NET application configuration file, so the two
     sections below sit inside the <configuration> root. DsacLogLevel selects the
     verbosity; the listener writes dsac.trace.log next to dsac.exe. -->
<configuration>
  <appSettings>
    <add key="DsacLogLevel" value="Verbose" />
  </appSettings>
  <system.diagnostics>
    <trace autoflush="false" indentsize="4">
      <listeners>
        <add name="myListener"
          type="System.Diagnostics.TextWriterTraceListener"
          initializeData="dsac.trace.log" />
        <remove name="Default" />
      </listeners>
    </trace>
  </system.diagnostics>
</configuration>

The verbosity levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is configurable, and the file is written to the same folder as dsac.exe. The output can tell you more about how ADAC is operating: which domain controllers it contacted, what Windows PowerShell commands executed, what the responses were, and further details.

例如,在使用“信息”级别时(这会返回除跟踪级别详细级别之外的所有结果),将发生以下事件:For example, while using the INFO level, which returns all results except the trace-level verbosity:

  • DSAC.exe 启动DSAC.exe starts

  • 日志记录启动Logging starts

  • 域控制器已请求返回初始域信息Domain Controller requested to return initial domain information

    [12:42:49][TID 3][Info] Command Id, Action, Command, Time, Elapsed Time ms (output), Number objects (output)
    [12:42:49][TID 3][Info] 1, Invoke, Get-ADDomainController, 2012-04-16T12:42:49
    [12:42:49][TID 3][Info] Get-ADDomainController-Discover:$null-DomainName:"CORP"-ForceDiscover:$null-Service:ADWS-Writable:$null
    
  • 域控制器 DC1 已从域 Corp 返回Domain controller DC1 returned from domain Corp

  • PS AD 虚拟驱动器已加载PS AD virtual drive loaded

    [12:42:49][TID 3][Info] 1, Output, Get-ADDomainController, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] Found the domain controller 'DC1' in the domain 'CORP'.
    [12:42:49][TID 3][Info] 2, Invoke, New-PSDrive, 2012-04-16T12:42:49
    [12:42:49][TID 3][Info] New-PSDrive-Name:"ADDrive0"-PSProvider:"ActiveDirectory"-Root:""-Server:"dc1.corp.contoso.com"
    [12:42:49][TID 3][Info] 2, Output, New-PSDrive, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] 3, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
    
  • 获取域根 DSE 信息Get domain Root DSE Information

    [12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
    [12:42:49][TID 3][Info] 3, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] 4, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
    
  • 获取域 AD 回收站信息Get domain AD recycle bin information

    [12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
    [12:42:49][TID 3][Info] 4, Output, Get-ADOptionalFeature, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] 5, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
    [12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
    [12:42:49][TID 3][Info] 5, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] 6, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49
    [12:42:49][TID 3][Info] Get-ADRootDSE -Server:"dc1.corp.contoso.com"
    [12:42:49][TID 3][Info] 6, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1
    [12:42:49][TID 3][Info] 7, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49
    [12:42:49][TID 3][Info] Get-ADOptionalFeature -LDAPFilter:"(msDS-OptionalFeatureFlags=1)" -Server:"dc1.corp.contoso.com"
    [12:42:50][TID 3][Info] 7, Output, Get-ADOptionalFeature, 2012-04-16T12:42:50, 1
    [12:42:50][TID 3][Info] 8, Invoke, Get-ADForest, 2012-04-16T12:42:50
    
  • 获取 AD 林Get AD forest

    [12:42:50][TID 3][Info] Get-ADForest -Identity:"corp.contoso.com" -Server:"dc1.corp.contoso.com"
    [12:42:50][TID 3][Info] 8, Output, Get-ADForest, 2012-04-16T12:42:50, 1
    [12:42:50][TID 3][Info] 9, Invoke, Get-ADObject, 2012-04-16T12:42:50
    
  • 获取有关支持的加密类型、FGPP、某些用户信息的架构信息Get Schema information for supported encryption types, FGPP, certain user information

    [12:42:50][TID 3][Info] Get-ADObject
    -LDAPFilter:"(|(ldapdisplayname=msDS-PhoneticDisplayName)(ldapdisplayname=msDS-PhoneticCompanyName)(ldapdisplayname=msDS-PhoneticDepartment)(ldapdisplayname=msDS-PhoneticFirstName)(ldapdisplayname=msDS-PhoneticLastName)(ldapdisplayname=msDS-SupportedEncryptionTypes)(ldapdisplayname=msDS-PasswordSettingsPrecedence))"
    -Properties:lDAPDisplayName
    -ResultPageSize:"100"
    -ResultSetSize:$null
    -SearchBase:"CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com"
    -SearchScope:"OneLevel"
    -Server:"dc1.corp.contoso.com"
    [12:42:50][TID 3][Info] 9, Output, Get-ADObject, 2012-04-16T12:42:50, 7
    [12:42:50][TID 3][Info] 10, Invoke, Get-ADObject, 2012-04-16T12:42:50
    
  • 获取要向单击了域标头的管理员显示的域对象的所有相关信息。Get all information about the domain object to display to administrator who clicked on the domain head.

    [12:42:50][TID 3][Info] Get-ADObject
    -IncludeDeletedObjects:$false
    -LDAPFilter:"(objectClass=*)"
    -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence
    -ResultPageSize:"100"
    -ResultSetSize:"20201"
    -SearchBase:"DC=corp,DC=contoso,DC=com"
    -SearchScope:"Base"
    -Server:"dc1.corp.contoso.com"
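
The trace records above follow a fixed shape: an `N, Invoke, <cmdlet>, <timestamp>` line, the cmdlet and its parameters, then an `N, Output, <cmdlet>, <timestamp>, <count>` line with the same sequence number. The parser below is an added example, not code from the original article or from the Active Directory Administrative Center itself; it pairs each Invoke with its Output so you can list which cmdlets Dsac.exe ran, against which server, how many objects came back, and which calls never produced an Output record (a call that threw, typically because the ADWS endpoint was unreachable). The sample trace it runs on is constructed in the shape of the excerpt above and is not a real capture.

```powershell
# Added example (not from the original article): parse Dsac.exe trace records.
function ConvertFrom-DsacTrace {
    param([Parameter(Mandatory)][string[]]$Lines)

    # "[hh:mm:ss][TID n][Level] seq, Invoke|Output, Cmdlet, timestamp[, count]"
    # The count group is named "n" on purpose: $Matches.count would return the
    # hashtable's Count property, not the capture group.
    $record = '^\[(?<time>[^\]]+)\]\[TID (?<tid>\d+)\]\[(?<level>\w+)\]\s+(?<seq>\d+),\s*(?<kind>Invoke|Output),\s*(?<cmdlet>[\w-]+),\s*(?<stamp>[^,\s]+)(?:,\s*(?<n>\d+))?\s*$'
    $prefix = '^\[[^\]]+\]\[TID \d+\]\[\w+\]\s*'
    $serverRx = '-Server:"([^"]+)"'

    $pending = @{}          # seq -> call that has an Invoke but no Output yet
    $lastSeq = $null        # call that parameter lines currently belong to
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Lines) {
        if ($line -match $record) {
            $seq = [int]$Matches.seq
            if ($Matches.kind -eq 'Invoke') {
                $pending[$seq] = [ordered]@{
                    Seq = $seq; Cmdlet = $Matches.cmdlet; Tid = [int]$Matches.tid
                    Started = [datetime]$Matches.stamp
                    Params  = New-Object System.Collections.Generic.List[string]
                }
                $lastSeq = $seq
            } elseif ($pending.ContainsKey($seq)) {
                # Capture the Output fields before any further -match clobbers $Matches.
                $ended = [datetime]$Matches.stamp
                $count = [int]$Matches.n
                $call = $pending[$seq]
                $paramText = $call.Params -join ' '
                $server = if ($paramText -match $serverRx) { $Matches[1] } else { $null }
                $results.Add([pscustomobject]@{
                    Seq = $seq; Cmdlet = $call.Cmdlet; Server = $server; Results = $count
                    Seconds = ($ended - $call.Started).TotalSeconds; Params = $paramText; Completed = $true
                })
                $pending.Remove($seq)
                if ($lastSeq -eq $seq) { $lastSeq = $null }
            }
            continue
        }
        # Anything else is the cmdlet name or a "-Param:value" continuation of the open call.
        if ($null -ne $lastSeq -and $pending.ContainsKey($lastSeq)) {
            $text = ($line -replace $prefix, '').Trim()
            if ($text -and $text -ne $pending[$lastSeq].Cmdlet) { $pending[$lastSeq].Params.Add($text) }
        }
    }

    # Calls that were invoked but never logged an Output record.
    foreach ($call in $pending.Values) {
        $paramText = $call.Params -join ' '
        $server = if ($paramText -match $serverRx) { $Matches[1] } else { $null }
        $results.Add([pscustomobject]@{
            Seq = $call.Seq; Cmdlet = $call.Cmdlet; Server = $server; Results = $null
            Seconds = $null; Params = $paramText; Completed = $false
        })
    }
    $results | Sort-Object Seq
}

# Constructed sample in the shape of the excerpt above (not a real capture).
# Call 10 deliberately has no Output record.
$sample = @'
[12:42:50][TID 3][Info] 8, Invoke, Get-ADForest, 2012-04-16T12:42:50
[12:42:50][TID 3][Info] Get-ADForest -Identity:"corp.contoso.com" -Server:"dc1.corp.contoso.com"
[12:42:50][TID 3][Info] 8, Output, Get-ADForest, 2012-04-16T12:42:50, 1
[12:42:50][TID 3][Info] 9, Invoke, Get-ADObject, 2012-04-16T12:42:50
[12:42:50][TID 3][Info] Get-ADObject
    -LDAPFilter:"(objectClass=*)"
    -SearchBase:"DC=corp,DC=contoso,DC=com"
    -Server:"dc1.corp.contoso.com"
[12:42:53][TID 3][Info] 9, Output, Get-ADObject, 2012-04-16T12:42:53, 7
[12:42:53][TID 3][Info] 10, Invoke, Get-ADObject, 2012-04-16T12:42:53
[12:42:53][TID 3][Info] Get-ADObject -Identity:"corp.contoso.com" -Server:"dc1.corp.contoso.com"
'@ -split "`r?`n"

ConvertFrom-DsacTrace -Lines $sample |
    Format-Table Seq, Cmdlet, Server, Results, Seconds, Completed -AutoSize
```

Run it against a real trace with `ConvertFrom-DsacTrace -Lines (Get-Content $env:LOCALAPPDATA\Microsoft\ADAC\dsac.trace.log)` once tracing is enabled; rows with `Completed` equal to `$false` are the calls to investigate first, and a run where every call targets one `-Server` while that server's ADWS is stopped explains the connection errors described below.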
    

Setting the Verbose level also shows the .NET stack for each function, but these stacks do not include enough data to be particularly useful except when troubleshooting an access violation or crash of Dsac.exe.

A different problem is Active Directory Administrative Center being unable to reach a domain, which happens when no Active Directory Web Services (ADWS) instance can be contacted. The two likely causes are:

  • The ADWS service is not running on any accessible domain controller.
  • Network communications to the ADWS service are blocked from the computer running Active Directory Administrative Center.

Important

There is also an out-of-band version of the service called the Active Directory Management Gateway, which runs on Windows Server 2008 SP2 and Windows Server 2003 SP2. Domain controllers on those versions can serve Active Directory Administrative Center only if it is installed.

The errors shown when no Active Directory Web Services instance is available are:

  • "Cannot connect to any domain. Refresh or try again when connection is available": shown when the Active Directory Administrative Center application starts.
  • "Cannot find an available server in the domain that is running the Active Directory Web Service (ADWS)": shown when you try to select a domain node in Active Directory Administrative Center.

To troubleshoot this issue, use these steps:

  1. Validate that the Active Directory Web Services service is started on at least one domain controller in the domain (and preferably on all domain controllers in the forest). Also ensure that it is set to start automatically on all domain controllers.

  2. From the computer running Active Directory Administrative Center, validate that you can locate a server running ADWS by running these NLTest.exe commands (the /ws switch asks the DC locator for a domain controller that advertises the Active Directory Web Service):

    nltest /dsgetdc:<domain NetBIOS name> /ws /force
    nltest /dsgetdc:<domain fully qualified DNS name> /ws /force
    

    If these tests fail even though the ADWS service is running, the issue is with name resolution or LDAP and not with ADWS or Active Directory Administrative Center. However, the same test fails with error "1355 0x54B ERROR_NO_SUCH_DOMAIN" when ADWS is not running on any domain controller, so confirm the service state before drawing conclusions.

  3. On the domain controller returned by NLTest, dump the list of listening ports from an elevated prompt (the -b switch, which shows the owning executable, requires it):

    Netstat -anob > ports.txt
    

    Examine the ports.txt file and validate that the ADWS service is listening on TCP port 9389. Example:

    TCP    0.0.0.0:9389    0.0.0.0:0    LISTENING    1828
    [Microsoft.ActiveDirectory.WebServices.exe]
    
    TCP    [::]:9389       [::]:0       LISTENING    1828
    [Microsoft.ActiveDirectory.WebServices.exe]
    

    If it is listening, validate the Windows Firewall rules and ensure that they allow TCP 9389 inbound. By default, domain controllers enable the firewall rule "Active Directory Web Services (TCP-in)". If it is not listening, validate again that the service is running on this server and restart it, and validate that no other process is already listening on port 9389.

  4. Install NetMon or another network capture utility on the computer running Active Directory Administrative Center and on the domain controller returned by NLTest. Gather simultaneous network captures from both computers while you start Active Directory Administrative Center and reproduce the error, then stop the captures. Validate that the client can send to and receive from the domain controller on TCP port 9389. If packets are sent but never arrive, or if they arrive and the domain controller replies but the replies never reach the client, a firewall between the two computers is probably dropping packets on that port. This firewall may be software or hardware, and may be part of third-party endpoint protection (antivirus) software.
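
The four steps above can be run together from the client. The script below is an added example, not code from the original article or from Microsoft; it assumes it is run on the machine that runs Dsac.exe, that WinRM/CIM access to the domain controllers is available for the remote service, listener and firewall checks, and that `Test-NetConnection`, `Get-NetTCPConnection` and `Get-NetFirewallRule` are present (Windows 8 / Windows Server 2012 and later). It deliberately avoids the Active Directory PowerShell module, because that module depends on the very ADWS endpoint being diagnosed; domain controllers are enumerated from the `_ldap._tcp.dc._msdcs` SRV records instead. Step 4's packet capture is approximated by a TCP probe of port 9389 from the client, which tells you whether the handshake completes but not where packets are dropped.

```powershell
# Added example (not from the original article): run the ADWS checks against every DC.
function Test-AdwsReachability {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$Port = 9389
    )

    # Step 2: DC locator with /ws. Exit code 0 means a DC advertising ADWS was returned.
    # 1355 (ERROR_NO_SUCH_DOMAIN) is ambiguous: it is returned both for name-resolution
    # problems and when no DC in the domain runs ADWS.
    $null = & nltest.exe "/dsgetdc:$Domain" /ws /force 2>&1
    $locatorFoundAdws = ($LASTEXITCODE -eq 0)

    # Enumerate DCs from DNS so every DC is checked even when the locator fails.
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique

    foreach ($dc in $dcs) {
        $r = [ordered]@{
            DomainController = $dc
            LocatorFoundAdws = $locatorFoundAdws
            ServiceState     = $null   # expect "Running"
            ServiceStartMode = $null   # expect "Auto"
            ListeningProcess = $null   # expect "Microsoft.ActiveDirectory.WebServices"
            FirewallRule     = $null   # expect the ADWS (TCP-in) rule, Enabled=True, Action=Allow
            TcpFromClient    = $null   # expect True
            Error            = $null
        }
        try {
            # Step 1: service state and start mode, via CIM (works without ADWS).
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='ADWS'" `
                       -ComputerName $dc -ErrorAction Stop
            $r.ServiceState     = if ($svc) { $svc.State }     else { 'NotInstalled' }
            $r.ServiceStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }

            # Step 3: which process owns the 9389 listener, and is the inbound rule enabled?
            # Any owner other than the ADWS binary means a port conflict; no owner with the
            # service "Running" means restart the service.
            $remote = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $Port -ScriptBlock {
                param($p)
                $owners = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
                    ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
                    Where-Object { $_ } | Sort-Object -Unique
                $rules = Get-NetFirewallRule -DisplayName 'Active Directory Web Services*' -ErrorAction SilentlyContinue |
                    ForEach-Object { "$($_.DisplayName): Enabled=$($_.Enabled) Action=$($_.Action)" }
                [pscustomobject]@{ Owners = @($owners); Rules = @($rules) }
            }
            $r.ListeningProcess = if ($remote.Owners.Count) { $remote.Owners -join ',' } else { 'none' }
            $r.FirewallRule     = if ($remote.Rules.Count)  { $remote.Rules -join '; ' } else { 'rule not found' }

            # Step 4 (first pass): can this client complete a TCP handshake to 9389?
            $r.TcpFromClient = (Test-NetConnection -ComputerName $dc -Port $Port `
                                    -WarningAction SilentlyContinue).TcpTestSucceeded
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

Test-AdwsReachability | Format-List
```

Read the results per DC: `ServiceState` not `Running` or `ServiceStartMode` not `Auto` is step 1; `LocatorFoundAdws` false with services running points at name resolution (step 2); `ListeningProcess` of `none` or of anything other than `Microsoft.ActiveDirectory.WebServices`, or a disabled rule, is step 3; and `TcpFromClient` false while the DC is listening with the rule enabled is the case that still needs the step 4 packet capture on both sides.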

See Also

AD Recycle Bin, Fine-Grained Password Policy, and PowerShell History