Advanced AD DS Management Using Active Directory Administrative Center (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic covers the updated Active Directory Administrative Center with its new Active Directory Recycle Bin, Fine-Grained Password Policy, and Windows PowerShell History Viewer in more detail, including architecture, examples of common tasks, and troubleshooting information. For an introduction, see Introduction to Active Directory Administrative Center Enhancements (Level 100).

Active Directory Administrative Center Architecture

ADPrep Executables, DLLs

The module and underlying architecture of the Active Directory Administrative Center have not changed with the new Recycle Bin, FGPP, and History Viewer capabilities.

  • Microsoft.ActiveDirectory.Management.UI.dll

  • Microsoft.ActiveDirectory.Management.UI.resources.dll

  • Microsoft.ActiveDirectory.Management.dll

  • Microsoft.ActiveDirectory.Management.resources.dll

  • ActiveDirectoryPowerShellResources.dll

The underlying Windows PowerShell layer and the sequence of operations for the new Recycle Bin functionality are illustrated below:

[Figure: Advanced AD DS Management]

Enabling and Managing the Active Directory Recycle Bin Using Active Directory Administrative Center

Capabilities

  • The Windows Server 2012 Active Directory Administrative Center enables you to configure and manage the Active Directory Recycle Bin for any domain partition in a forest. There is no longer a requirement to use Windows PowerShell or Ldp.exe to enable the Active Directory Recycle Bin or to restore objects in domain partitions.

  • The Active Directory Administrative Center has advanced filtering criteria, making targeted restoration easier in large environments with many intentionally deleted objects.

Limitations

  • Because the Active Directory Administrative Center can only manage domain partitions, it cannot restore deleted objects from the Configuration, Domain DNS, or Forest DNS partitions (you cannot delete objects from the Schema partition). To restore objects from non-domain partitions, use Restore-ADObject.

  • The Active Directory Administrative Center cannot restore sub-trees of objects in a single action. For example, if you delete an OU with nested OUs, users, groups, and computers, restoring the base OU does not restore the child objects.

    Note

    The Active Directory Administrative Center batch restore operation does only a "best effort" sort of the deleted objects within the selection, so that parents are ordered before children in the restore list. In simple test cases, sub-trees of objects may be restored in a single action. But corner cases, such as a selection that contains partial trees (trees with some of the deleted parent nodes missing), or error cases, such as skipping the child objects when the parent restore fails, may not work as expected. For this reason, you should always restore sub-trees of objects as a separate action after you restore the parent objects.

Active Directory Recycle Bin requires a Windows Server 2008 R2 forest functional level, and you must be a member of the Enterprise Admins group. Once enabled, you cannot disable the Active Directory Recycle Bin. The Active Directory Recycle Bin increases the size of the Active Directory database (NTDS.DIT) on every domain controller in the forest. Disk space used by the Recycle Bin continues to increase over time, because it preserves deleted objects and all of their attribute data.

For more information, see Active Directory Recycle Bin Step-by-Step Guide and Assess Hardware Requirements (for Active Directory Recycle Bin).

You can lower the forest and domain functional levels from Windows Server 2012 to Windows Server 2008 R2, even after enabling the Active Directory Recycle Bin. This requires using the Set-ADForestMode and Set-ADDomainMode Active Directory cmdlets.

For example:

Set-AdForestMode -identity corp.contoso.com -server dc1.corp.contoso.com -forestmode Windows2008R2Forest  
Set-AdDomainMode -identity research.corp.contoso.com -server dc3.research.corp.contoso.com -domainmode Windows2008R2Domain  

You cannot use the Active Directory Administrative Center to make this change; it only raises functional levels.

Enabling Active Directory Recycle Bin using Active Directory Administrative Center

To enable the Active Directory Recycle Bin, open the Active Directory Administrative Center and click the name of your forest in the navigation pane. From the Tasks pane, click Enable Recycle Bin.

[Figure: Advanced AD DS Management]

The Active Directory Administrative Center shows the Enable Recycle Bin Confirmation dialog. This dialog warns you that enabling the Recycle Bin is irreversible. Click OK to enable the Active Directory Recycle Bin. The Active Directory Administrative Center then shows another dialog to remind you that the Active Directory Recycle Bin is not fully functional until all domain controllers have replicated the configuration change.

Important

The option to enable the Active Directory Recycle Bin is unavailable if:

  • The forest functional level is lower than Windows Server 2008 R2
  • It is already enabled

The equivalent Active Directory Windows PowerShell cmdlet is still:

Enable-ADOptionalFeature  

For more information about using Windows PowerShell to enable the Active Directory Recycle Bin, see the Active Directory Recycle Bin Step-by-Step Guide.

Managing Active Directory Recycle Bin using Active Directory Administrative Center

This section uses the example of an existing domain named corp.contoso.com. This domain organizes users into a parent OU named UserAccounts. The UserAccounts OU contains three child OUs named by department, each of which contains further OUs, users, and groups.

[Figure: Advanced AD DS Management]

Storage and Filtering

The Active Directory Recycle Bin preserves all objects deleted in the forest. It keeps these objects for the period set by the msDS-deletedObjectLifetime attribute, which by default is set to match the tombstoneLifetime attribute of the forest. In any forest created with Windows Server 2003 SP1 or later, the value of tombstoneLifetime is 180 days by default. In any forest upgraded from Windows 2000 or installed with Windows Server 2003 (no service pack), the tombstoneLifetime attribute is NOT SET, and Windows therefore uses its internal default of 60 days. All of this is configurable.

You can use the Active Directory Administrative Center to restore any objects deleted from the domain partitions of the forest. You must continue to use the Restore-ADObject cmdlet to restore deleted objects from other partitions, such as Configuration. Enabling the Active Directory Recycle Bin makes the Deleted Objects container visible under every domain partition in the Active Directory Administrative Center.

[Figure: Advanced AD DS Management]

The Deleted Objects container shows you all the restorable objects in that domain partition. Deleted objects older than msDS-deletedObjectLifetime are known as recycled objects. The Active Directory Administrative Center does not show recycled objects, and you cannot restore them using the Active Directory Administrative Center.

For a deeper explanation of the Recycle Bin's architecture and processing rules, see The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.

The Active Directory Administrative Center artificially limits the default number of objects returned from a container to 20,000. You can raise this limit as high as 100,000 objects by clicking the Manage menu, then Management List Options.

[Figure: Advanced AD DS Management]

Restoration

Filtering

The Active Directory Administrative Center offers powerful criteria and filtering options that you should become familiar with before you need to use them in a real-life restoration. Domains intentionally delete many objects over their lifetime. With a likely deleted-object lifetime of 180 days, you cannot simply restore all objects when an accident occurs.

[Figure: Advanced AD DS Management]

Rather than writing complex LDAP filters and converting UTC values into dates and times, use the basic and advanced Filter menu to list only the relevant objects. If you know the day of deletion, the names of the objects, or any other key data, use that to your advantage when filtering. Toggle the advanced filter options by clicking the chevron to the right of the search box.

The restore operation supports all the standard filter criteria options, the same as any other search. Of the built-in filters, the important ones for restoring objects are typically:

  • ANR (ambiguous name resolution; not listed in the menu, but what is used when you type in the Filter box)

  • Last modified between given dates

  • Object is user/inetOrgPerson/computer/group/organizational unit

  • Name

  • When deleted

  • Last known parent

  • Type

  • Description

  • City

  • Country/region

  • Department

  • Employee ID

  • First name

  • Job title

  • Last name

  • SAMAccountName

  • State/Province

  • Telephone number

  • UPN

  • ZIP/Postal code

You can add multiple criteria. For example, you can find all user objects deleted on September 24th 2012 from Chicago, Illinois with a job title of Manager.

You can also add, modify, or reorder the column headers to provide more detail when evaluating which objects to recover.

[Figure: Advanced AD DS Management]

For more information about Ambiguous Name Resolution, see ANR Attributes.

Single Object

Restoring deleted objects has always been a single operation. The Active Directory Administrative Center makes that operation easier. To restore a deleted object, such as a single user:

  1. Click the domain name in the navigation pane of the Active Directory Administrative Center.

  2. Double-click Deleted Objects in the management list.

  3. Right-click the object and then click Restore, or click Restore from the Tasks pane.

The object is restored to its original location.

[Figure: Advanced AD DS Management]

Click Restore To... to change the restore location. This is useful if the deleted object's parent container was also deleted but you do not want to restore the parent.

[Figure: Advanced AD DS Management]

Multiple Peer Objects

You can restore multiple peer-level objects, such as all the users in an OU. Hold down the CTRL key and click one or more deleted objects you want to restore. Click Restore from the Tasks pane. You can also select all displayed objects by holding down the CTRL and A keys, or a range of objects by holding down SHIFT and clicking.

[Figure: Advanced AD DS Management]

Multiple Parent and Child Objects

It is critical to understand the restoration process for a multi-parent-child restoration, because the Active Directory Administrative Center cannot restore a nested tree of deleted objects with a single action.

  1. Restore the top-most deleted object in the tree.

  2. Restore the immediate children of that parent object.

  3. Restore the immediate children of those parent objects.

  4. Repeat as necessary until all objects are restored.

You cannot restore a child object before restoring its parent. Attempting this restoration returns the following error:

The operation could not be performed because the object's parent is either uninstantiated or deleted.

The Last Known Parent attribute shows the parent relationship of each object. The Last Known Parent attribute changes from the deleted location to the restored location when you refresh the Active Directory Administrative Center after restoring a parent. Therefore, you can restore a child object once its parent object's location no longer shows the distinguished name of the Deleted Objects container.

Consider the scenario where an administrator accidentally deletes the Sales OU, which contains child OUs and users.

First, observe the value of the Last Known Parent attribute for all the deleted users and how it reads OU=Sales\0ADEL:<guid+deleted objects container distinguished name>:

[Figure: Advanced AD DS Management]

Filter on the ambiguous name Sales to return the deleted OU, which you then restore:

[Figure: Advanced AD DS Management]

Refresh the Active Directory Administrative Center to see the deleted user objects' Last Known Parent attribute change to the restored Sales OU distinguished name:

[Figure: Advanced AD DS Management]

Filter on all the Sales users. Hold down the CTRL and A keys to select all the deleted Sales users. Click Restore to move the objects from the Deleted Objects container to the Sales OU with their group memberships and attributes intact.

[Figure: Advanced AD DS Management]

If the Sales OU contained child OUs of its own, you would restore those child OUs first before restoring their children, and so on.

To restore all nested deleted objects by specifying a deleted parent container, see Appendix B: Restore Multiple, Deleted Active Directory Objects (Sample Script).

The Active Directory Windows PowerShell cmdlet for restoring deleted objects is:

Restore-adobject  

The Restore-ADObject cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012.
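The parent-before-child procedure above, scripted with Restore-ADObject as an added example (this is not the page's Appendix B script nor Microsoft's code). It assumes the ActiveDirectory module, an enabled Recycle Bin, and that lastKnownParent of the children is rewritten to the restored parent's DN after the parent comes back, as the text describes; the function names, the 'Sales' OU and the PDC emulator pin are the example's own choices.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special in an LDAP filter value (RFC 4515)
    # so a DN containing backslashes or parentheses is matched literally.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Restore-DeletedChildren {
    # Restore every deleted object whose lastKnownParent is $ParentDn, then
    # recurse into each restored object, so a nested tree comes back in the
    # order the console requires: parent first, then its immediate children.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ParentDn,
        [Parameter(Mandatory)][string]$Server
    )
    $escaped  = ConvertTo-LdapFilterValue $ParentDn
    $children = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$escaped))" `
        -Properties lastKnownParent, objectClass, whenChanged

    foreach ($child in $children) {
        if (-not $PSCmdlet.ShouldProcess($child.DistinguishedName, 'Restore-ADObject')) { continue }
        Restore-ADObject -Identity $child.ObjectGUID -Server $Server
        # Re-read the live object: its DN now sits beneath the restored parent.
        $live = Get-ADObject -Identity $child.ObjectGUID -Server $Server
        Write-Verbose "Restored $($child.objectClass) $($live.DistinguishedName)"
        # The child may itself have had deleted children (a nested OU).
        Restore-DeletedChildren -ParentDn $live.DistinguishedName -Server $Server
    }
}

function Restore-DeletedSubtree {
    # Step 1: restore the top-most deleted object (for example the Sales OU).
    # Steps 2-4: restore its descendants level by level.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'Sales'
        [string]$ObjectClass = 'organizationalUnit',
        # Pin every call to one DC so later queries see the earlier restores.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # A deleted object's RDN is '<name>\0ADEL:<guid>', so match on the prefix
    # server-side and confirm the exact original name client-side.
    $prefix     = ConvertTo-LdapFilterValue $Name
    $candidates = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=$ObjectClass)(name=$prefix*))" `
        -Properties lastKnownParent, whenChanged |
        Where-Object { ($_.Name -split "`n")[0] -eq $Name })
    if ($candidates.Count -eq 0) { throw "No deleted $ObjectClass named '$Name' found." }
    if ($candidates.Count -gt 1) {
        $candidates | Format-Table Name, whenChanged, lastKnownParent -AutoSize | Out-Host
        throw "More than one deleted '$Name'; restore the intended one by GUID instead."
    }
    $top = $candidates[0]
    # If the parent is itself still deleted, lastKnownParent points into the
    # Deleted Objects container and the restore fails with the error quoted above.
    if ($top.lastKnownParent -like '*CN=Deleted Objects,*') {
        throw "Parent $($top.lastKnownParent) is itself deleted; restore it first."
    }
    if ($PSCmdlet.ShouldProcess($top.DistinguishedName, 'Restore-ADObject')) {
        Restore-ADObject -Identity $top.ObjectGUID -Server $Server
        $liveTop = Get-ADObject -Identity $top.ObjectGUID -Server $Server
        Restore-DeletedChildren -ParentDn $liveTop.DistinguishedName -Server $Server
        # Report how many live objects now sit under the restored tree.
        @(Get-ADObject -Server $Server -SearchBase $liveTop.DistinguishedName -Filter *).Count
    }
}

# Dry run first to see what would be restored, then run it for real.
Restore-DeletedSubtree -Name 'Sales' -WhatIf
# Restore-DeletedSubtree -Name 'Sales' -Verbose
```

Because the console's own batch restore only sorts the selection on a best-effort basis, pinning all calls to one DC and walking the tree explicitly avoids the partial-tree and parent-failed cases called out in the note above.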

Server-side Filtering

It is possible that, over time, the Deleted Objects container in medium and large enterprises will accumulate over 20,000 (or even 100,000) objects, and the console will have difficulty showing all of them. Since the filter mechanism in the Active Directory Administrative Center relies on client-side filtering, it cannot show these additional objects. To work around this limitation, use the following steps to perform a server-side search:

  1. Right-click the Deleted Objects container and click Search under this node.

  2. Click the chevron to expose the +Add criteria menu, then select and add Last modified between given dates. The Last Modified time (the whenChanged attribute) is a close approximation of the deletion time; in most environments, they are identical. This query performs a server-side search.

  3. Locate the deleted objects to restore by applying further display filtering, sorting, and so on to the results, and then restore them normally.
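The same server-side search from Windows PowerShell, as an added example that is not part of the original page: the whenChanged range is evaluated by the domain controller, so the 20,000/100,000 display cap never applies, and each result reports whether its parent is also deleted. The function name, the seven-day window and the PDC emulator pin are the example's own assumptions.

```powershell
Import-Module ActiveDirectory

function Find-DeletedObjectsByDate {
    # Query the Deleted Objects container server-side on whenChanged (a close
    # approximation of the deletion time), so only matching objects cross the
    # wire and the console's client-side display cap does not apply.
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$ObjectClass,                          # e.g. 'user'; optional
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -SearchBase "CN=Deleted Objects,$domainDn" `
        -Filter { isDeleted -eq $true -and whenChanged -ge $Start -and whenChanged -le $End } `
        -Properties objectClass, whenChanged, lastKnownParent `
        -ResultPageSize 1000 -ResultSetSize $null       # page through, no size cap
    if ($ObjectClass) { $deleted = $deleted | Where-Object objectClass -eq $ObjectClass }

    foreach ($obj in $deleted) {
        [pscustomobject]@{
            # The RDN of a deleted object is '<name>\0ADEL:<guid>'; keep the original name.
            OriginalName    = ($obj.Name -split "`n")[0]
            ObjectClass     = $obj.objectClass
            WhenChanged     = $obj.whenChanged
            LastKnownParent = $obj.lastKnownParent
            # True when the parent is also deleted: that parent must be restored first.
            ParentDeleted   = $obj.lastKnownParent -like '*CN=Deleted Objects,*'
            ObjectGUID      = $obj.ObjectGUID
        }
    }
}

# Users deleted in the last seven days, objects with a live parent listed first,
# so the restore order follows the parent-before-child rule.
Find-DeletedObjectsByDate -Start (Get-Date).AddDays(-7) -End (Get-Date) -ObjectClass user |
    Sort-Object ParentDeleted, WhenChanged |
    Format-Table OriginalName, ObjectClass, WhenChanged, ParentDeleted, LastKnownParent -AutoSize
```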

Configuring and Managing Fine-Grained Password Policies Using Active Directory Administrative Center

Configuring Fine-Grained Password Policies

The Active Directory Administrative Center enables you to create and manage Fine-Grained Password Policy (FGPP) objects. Windows Server 2008 introduced the FGPP feature, but Windows Server 2012 has the first graphical management interface for it. You apply Fine-Grained Password Policies at the domain level, and they let you override the single domain password policy that Windows Server 2003 required. By creating different FGPPs with different settings, individual users or groups get differing password policies within a domain.

For information about Fine-Grained Password Policy, see AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide (Windows Server 2008 R2).

In the Navigation pane, click Tree View, click your domain, click System, click Password Settings Container, and then in the Tasks pane, click New and Password Settings.

[Figure: Advanced AD DS Management]

Managing Fine-Grained Password Policies

Creating a new FGPP or editing an existing one brings up the Password Settings editor. From here, you configure all desired password policies, as you would have in Windows Server 2008 or Windows Server 2008 R2, only now with a purpose-built editor.

[Figure: Advanced AD DS Management]

Fill out all required (red asterisk) fields and any optional fields, and then click Add to set the users or groups that receive this policy. FGPP overrides the default domain policy settings for those specified security principals. In the figure above, an extremely restrictive policy applies only to the built-in Administrator account, to prevent compromise. The policy is far too complex for standard users to comply with, but is perfect for a high-risk account used only by IT professionals.

You also set the precedence and the users and groups to which the policy applies within a given domain.

[Figure: Advanced AD DS Management]

The Active Directory Windows PowerShell cmdlets for Fine-Grained Password Policy are:

Add-ADFineGrainedPasswordPolicySubject  
Get-ADFineGrainedPasswordPolicy  
Get-ADFineGrainedPasswordPolicySubject  
New-ADFineGrainedPasswordPolicy  
Remove-ADFineGrainedPasswordPolicy  
Remove-ADFineGrainedPasswordPolicySubject  
Set-ADFineGrainedPasswordPolicy  

Fine-Grained Password Policy cmdlet functionality did not change between Windows Server 2008 R2 and Windows Server 2012. As a convenience, the following diagram illustrates the arguments associated with each cmdlet:

[Figure: Advanced AD DS Management]
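The restrictive built-in Administrator policy from the figure, built with the cmdlets listed above, as an added example (not Microsoft's code): it creates the PSO once, binds it to the RID 500 account, and then returns both the directly associated PSOs and the resultant policy so the assignment can be verified. The PSO name, the specific values and the PDC emulator pin are the example's own assumptions, as is the use of the msDS-PSOApplied back-link to read the direct assignment.

```powershell
Import-Module ActiveDirectory

function Set-BuiltinAdministratorPso {
    # Create a restrictive Password Settings Object (if it does not exist yet),
    # bind it to the built-in Administrator account, and return both the
    # directly associated PSOs and the resultant policy for verification.
    param(
        [string]$Name       = 'PSO-BuiltinAdministrator',   # constructed name
        [int]$Precedence    = 10,                           # lowest value wins
        [string]$Server     = (Get-ADDomain).PDCEmulator
    )
    $pso = Get-ADFineGrainedPasswordPolicy -Server $Server -Filter { Name -eq $Name }
    if (-not $pso) {
        $pso = New-ADFineGrainedPasswordPolicy -Server $Server -Name $Name -Precedence $Precedence `
            -DisplayName 'Built-in Administrator password settings' `
            -Description 'Long, rotated password and lockout for the RID 500 account' `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength 20 -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '30.00:00:00' `
            -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
            -ProtectedFromAccidentalDeletion $true -PassThru
    }

    # Subjects must be users or global security groups. The built-in
    # Administrator is located by its well-known RID 500 rather than by name,
    # which still works if the account has been renamed.
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    $admin     = Get-ADUser -Server $Server -Identity "$domainSid-500"
    $subjects  = Get-ADFineGrainedPasswordPolicySubject -Server $Server -Identity $pso
    if ($subjects.ObjectGUID -notcontains $admin.ObjectGUID) {
        Add-ADFineGrainedPasswordPolicySubject -Server $Server -Identity $pso -Subjects $admin
    }

    [pscustomobject]@{
        # What the Properties page lists as Directly Associated Password Settings
        DirectlyAssociated = (Get-ADUser -Server $Server -Identity $admin -Properties 'msDS-PSOApplied').'msDS-PSOApplied'
        # What 'View resultant password settings...' shows: explicit and implicit
        # assignments combined, with the lowest precedence value winning
        Resultant          = Get-ADUserResultantPasswordPolicy -Server $Server -Identity $admin
    }
}

$result = Set-BuiltinAdministratorPso
$result.DirectlyAssociated
$result.Resultant | Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```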

The Active Directory Administrative Center also enables you to locate the resultant set of applied FGPPs for a specific user. Right-click any user and click View resultant password settings... to open the Password Settings page that applies to that user through implicit or explicit assignment:

[Figure: Advanced AD DS Management]

Examining the Properties of any user or group shows the Directly Associated Password Settings, which are the explicitly assigned FGPPs:

[Figure: Advanced AD DS Management]

Implicit FGPP assignment does not display here; for that, you must use the View resultant password settings... option.

Using the Active Directory Administrative Center Windows PowerShell History Viewer

The future of Windows management is Windows PowerShell. By layering graphical tools on top of a task automation framework, management of the most complex distributed systems becomes consistent and efficient. You need to understand how Windows PowerShell works in order to reach your full potential and maximize your computing investments.

The Active Directory Administrative Center now provides a complete history of all the Windows PowerShell cmdlets it runs, together with their arguments and values. You can copy the cmdlet history elsewhere for study, modification, and re-use. You can create Task notes to help isolate which Windows PowerShell commands your Active Directory Administrative Center actions resulted in. You can also filter the history to find points of interest.

The purpose of the Active Directory Administrative Center Windows PowerShell History Viewer is to let you learn through practical experience.

[Figure: Advanced AD DS Management]

Click the chevron (arrow) to show the Windows PowerShell History Viewer.

[Figure: Advanced AD DS Management]

Then, create a user or modify a group's membership. The History Viewer continually updates with a collapsed view of each cmdlet that the Active Directory Administrative Center ran, with the arguments specified.

Expand any line item of interest to see all values provided to the cmdlet's arguments:

[Figure: Advanced AD DS Management]

Click the Start Task menu to create a manual notation before you use the Active Directory Administrative Center to create, modify, or delete an object. Type in what you are doing. When done with your change, select End Task. The task note groups all of the actions performed into a collapsible note you can use for better understanding.

For example, to see the Windows PowerShell commands used to change a user's password and remove him from a group:

[Figure: Advanced AD DS Management]

Selecting the Show All check box also shows the Get-* verb Windows PowerShell cmdlets that only retrieve data.

[Figure: Advanced AD DS Management]

The History Viewer shows the literal commands run by the Active Directory Administrative Center, and you might note that some cmdlets appear to run unnecessarily. For example, you can create a new user with:

new-aduser   

and do not need to use:

set-adaccountpassword  
enable-adaccount  
set-aduser  

The Active Directory Administrative Center's design required minimal code usage and modularity. Therefore, instead of one set of functions that creates new users and another set that modifies existing users, it does each function minimally and then chains them together with the cmdlets. Keep this in mind when you are learning Active Directory Windows PowerShell. You can also use that as a learning technique, where you see how simply you can use Windows PowerShell to complete a single task.

Troubleshooting AD DS Management

Introduction to Troubleshooting

Because of its relative newness and lack of usage in existing customer environments, the Active Directory Administrative Center has limited troubleshooting options.

Troubleshooting Options

Logging Options

The Active Directory Administrative Center in Windows Server 2012 now contains built-in logging, controlled by a tracing config file. Create or modify the following file in the same folder as dsac.exe:

dsac.exe.config

Create the following contents:

<appSettings>  
  <add key="DsacLogLevel" value="Verbose" />  
</appSettings>  
<system.diagnostics>   
 <trace autoflush="false" indentsize="4">   
  <listeners>   
   <add name="myListener"   
    type="System.Diagnostics.TextWriterTraceListener"   
    initializeData="dsac.trace.log" />   
   <remove name="Default" />   
  </listeners>   
 </trace>   
</system.diagnostics>  

The verbosity levels for DsacLogLevel are None, Error, Warning, Info, and Verbose. The output file name is configurable, and the file is written to the same folder as dsac.exe. The output can tell you more about how ADAC is operating: which domain controllers it contacted, what Windows PowerShell commands executed, what the responses were, and further details.

For example, while using the Info level, which returns all results except the trace-level verbosity:

  • DSAC.exe starts

  • Logging starts

  • Domain controller requested to return initial domain information

    [12:42:49][TID 3][Info] Command Id, Action, Command, Time, Elapsed Time ms (output), Number objects (output)  
    [12:42:49][TID 3][Info] 1, Invoke, Get-ADDomainController, 2012-04-16T12:42:49  
    [12:42:49][TID 3][Info] Get-ADDomainController-Discover:$null-DomainName:"CORP"-ForceDiscover:$null-Service:ADWS-Writable:$null  
    
  • Domain controller DC1 returned from domain Corp

  • PS AD virtual drive loaded

    [12:42:49][TID 3][Info] 1, Output, Get-ADDomainController, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] Found the domain controller 'DC1' in the domain 'CORP'.  
    [12:42:49][TID 3][Info] 2, Invoke, New-PSDrive, 2012-04-16T12:42:49  
    [12:42:49][TID 3][Info] New-PSDrive-Name:"ADDrive0"-PSProvider:"ActiveDirectory"-Root:""-Server:"dc1.corp.contoso.com"  
    [12:42:49][TID 3][Info] 2, Output, New-PSDrive, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] 3, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49  
    
  • Get domain Root DSE information

    [12:42:49][TID 3][Info] Get-ADRootDSE  
    -Server:"dc1.corp.contoso.com"  
    [12:42:49][TID 3][Info] 3, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] 4, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49  
    
  • Get domain AD Recycle Bin information

    [12:42:49][TID 3][Info] Get-ADOptionalFeature  
    -LDAPFilter:"(msDS-OptionalFeatureFlags=1)"  
    -Server:"dc1.corp.contoso.com"  
    [12:42:49][TID 3][Info] 4, Output, Get-ADOptionalFeature, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] 5, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49  
    [12:42:49][TID 3][Info] Get-ADRootDSE  
    -Server:"dc1.corp.contoso.com"  
    [12:42:49][TID 3][Info] 5, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] 6, Invoke, Get-ADRootDSE, 2012-04-16T12:42:49  
    [12:42:49][TID 3][Info] Get-ADRootDSE  
    -Server:"dc1.corp.contoso.com"  
    [12:42:49][TID 3][Info] 6, Output, Get-ADRootDSE, 2012-04-16T12:42:49, 1  
    [12:42:49][TID 3][Info] 7, Invoke, Get-ADOptionalFeature, 2012-04-16T12:42:49  
    [12:42:49][TID 3][Info] Get-ADOptionalFeature  
    -LDAPFilter:"(msDS-OptionalFeatureFlags=1)"  
    -Server:"dc1.corp.contoso.com"  
    [12:42:50][TID 3][Info] 7, Output, Get-ADOptionalFeature, 2012-04-16T12:42:50, 1  
    [12:42:50][TID 3][Info] 8, Invoke, Get-ADForest, 2012-04-16T12:42:50  
    
  • Get AD forest

    [12:42:50][TID 3][Info] Get-ADForest  
    -Identity:"corp.contoso.com"  
    -Server:"dc1.corp.contoso.com"  
    [12:42:50][TID 3][Info] 8, Output, Get-ADForest, 2012-04-16T12:42:50, 1  
    [12:42:50][TID 3][Info] 9, Invoke, Get-ADObject, 2012-04-16T12:42:50  
    
  • Get Schema information for supported encryption types, FGPP, and certain user information

    [12:42:50][TID 3][Info] Get-ADObject  
    -LDAPFilter:"(|(ldapdisplayname=msDS-PhoneticDisplayName)(ldapdisplayname=msDS-PhoneticCompanyName)(ldapdisplayname=msDS-PhoneticDepartment)(ldapdisplayname=msDS-PhoneticFirstName)(ldapdisplayname=msDS-PhoneticLastName)(ldapdisplayname=msDS-SupportedEncryptionTypes)(ldapdisplayname=msDS-PasswordSettingsPrecedence))"  
    -Properties:lDAPDisplayName  
    -ResultPageSize:"100"  
    -ResultSetSize:$null  
    -SearchBase:"CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com"  
    -SearchScope:"OneLevel"  
    -Server:"dc1.corp.contoso.com"  
    [12:42:50][TID 3][Info] 9, Output, Get-ADObject, 2012-04-16T12:42:50, 7  
    [12:42:50][TID 3][Info] 10, Invoke, Get-ADObject, 2012-04-16T12:42:50  
    
  • Get all information about the domain object, to display to the administrator who clicked the domain head.

    [12:42:50][TID 3][Info] Get-ADObject  
    -IncludeDeletedObjects:$false  
    -LDAPFilter:"(objectClass=*)"  
    -Properties:allowedChildClassesEffective,allowedChildClasses,lastKnownParent,sAMAccountType,systemFlags,userAccountControl,displayName,description,whenChanged,location,managedBy,memberOf,primaryGroupID,objectSid,msDS-User-Account-Control-Computed,sAMAccountName,lastLogonTimestamp,lastLogoff,mail,accountExpires,msDS-PhoneticCompanyName,msDS-PhoneticDepartment,msDS-PhoneticDisplayName,msDS-PhoneticFirstName,msDS-PhoneticLastName,pwdLastSet,operatingSystem,operatingSystemServicePack,operatingSystemVersion,telephoneNumber,physicalDeliveryOfficeName,department,company,manager,dNSHostName,groupType,c,l,employeeID,givenName,sn,title,st,postalCode,managedBy,userPrincipalName,isDeleted,msDS-PasswordSettingsPrecedence  
    -ResultPageSize:"100"  
    -ResultSetSize:"20201"  
    -SearchBase:"DC=corp,DC=contoso,DC=com"  
    -SearchScope:"Base"  
    -Server:"dc1.corp.contoso.com"  
    

Setting the Verbose level also shows the .NET stack for each function, but these stacks do not include enough data to be particularly useful except when troubleshooting an access violation or crash in Dsac.exe.

Important

There is also an out-of-band version of the service called the Active Directory Management Gateway, which runs on Windows Server 2008 SP2 and Windows Server 2003 SP2.

The two likely causes of this issue are:

  • The ADWS service is not running on any accessible domain controller.

  • Network communications to the ADWS service are blocked from the computer running the Active Directory Administrative Center.

The errors shown when no Active Directory Web Services instance is available are:

  • Error: "Cannot connect to any domain. Refresh or try again when connection is available"
    Operation: Shown at start of the Active Directory Administrative Center application

  • Error: "Cannot find an available server in the * domain that is running the Active Directory Web Service (ADWS)"
    Operation: Shown when trying to select a domain node in the Active Directory Administrative Center application

To troubleshoot this issue, use these steps:

  1. Validate that the Active Directory Web Services service is started on at least one domain controller in the domain (and preferably on all domain controllers in the forest). Ensure that it is set to start automatically on all domain controllers as well.

  2. From the computer running the Active Directory Administrative Center, validate that you can locate a server running ADWS by running these NLTest.exe commands:

    nltest /dsgetdc:<domain NetBIOS name> /ws /force   
    nltest /dsgetdc:<domain fully qualified DNS name> /ws /force  
    

    If those tests fail even though the ADWS service is running, the issue is with name resolution or LDAP, not with ADWS or the Active Directory Administrative Center. Note, however, that this test also fails with error "1355 0x54B ERROR_NO_SUCH_DOMAIN" if ADWS is not running on any domain controller, so double-check before reaching any conclusions.

  3. On the domain controller returned by NLTest, dump the listening port list with this command:

    Netstat -anob > ports.txt  
    

    Examine the ports.txt file and validate that the ADWS service is listening on port 9389. Example:

    TCP    0.0.0.0:9389    0.0.0.0:0    LISTENING    1828  
    [Microsoft.ActiveDirectory.WebServices.exe]  
    
    TCP    [::]:9389       [::]:0       LISTENING    1828  
    [Microsoft.ActiveDirectory.WebServices.exe]  
    

    If it is listening, validate the Windows Firewall rules and ensure that they allow TCP 9389 inbound. By default, domain controllers enable the firewall rule "Active Directory Web Services (TCP-in)". If it is not listening, validate again that the service is running on this server and restart it. Validate that no other process is already listening on port 9389.

  4. Install NetMon or another network capture utility on the computer running the Active Directory Administrative Center and on the domain controller returned by NLTEST. Gather simultaneous network captures from both computers: start the Active Directory Administrative Center and reproduce the error before stopping the captures. Validate that the client is able to send to and receive from the domain controller on port TCP 9389. If packets are sent but never arrive, or if they arrive and the domain controller replies but the replies never reach the client, it is likely that a firewall between the two computers on the network is dropping packets on that port. This firewall may be software or hardware, and may be part of third-party endpoint protection (antivirus) software.
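The four steps above, combined into one diagnostic script that runs from the administrator's workstation. This is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 on a domain-joined workstation with CIM/WinRM access to the domain controller and the NetTCPIP and NetSecurity modules (Windows 8 / Windows Server 2012 or later), and it substitutes a TCP connect test for the packet capture in step 4.

```powershell
# Added diagnostic script; it is not part of the original article.
# Assumptions: Windows PowerShell 5.1 on a domain-joined admin workstation, CIM/WinRM
# reachable on the DC, and the NetTCPIP / NetSecurity modules available on the DC.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: default to the current user's domain
)
$AdwsPort = 9389   # ADWS listening port (as stated in the article)
# Step 2: ask the DC locator for a DC that advertises ADWS (/ws), bypassing the cache (/force).
$locator = & nltest.exe "/dsgetdc:$Domain" /ws /force 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "nltest failed (exit $LASTEXITCODE); 1355/0x54B also appears when no DC runs ADWS."
    $locator | Write-Warning
    return
}
# nltest prints the chosen DC as "DC: \\dc1.corp.contoso.com"
$dc = ($locator | Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } |
       ForEach-Object { $Matches[1] } | Select-Object -First 1)
Write-Host "Locator returned DC: $dc"
# Step 1: confirm the ADWS service is running and set to start automatically on that DC.
$cim = New-CimSession -ComputerName $dc
$svc = Get-CimInstance -CimSession $cim -ClassName Win32_Service -Filter "Name='ADWS'"
if (-not $svc) { Write-Warning "ADWS service is not installed on $dc"; return }
"ADWS on {0}: State={1} StartMode={2} PID={3}" -f $dc, $svc.State, $svc.StartMode, $svc.ProcessId
if ($svc.StartMode -ne 'Auto') { Write-Warning "ADWS is not configured to start automatically on $dc" }

# Step 3: check what is listening on 9389 (equivalent of "netstat -anob") and that it is ADWS itself.
$listeners = Get-NetTCPConnection -CimSession $cim -LocalPort $AdwsPort -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $AdwsPort on $dc; restart ADWS and re-check."
} elseif ($listeners.OwningProcess -notcontains $svc.ProcessId) {
    Write-Warning "TCP $AdwsPort on $dc is owned by PID(s) $($listeners.OwningProcess -join ','), not ADWS ($($svc.ProcessId))."
} else {
    "ADWS is listening on $AdwsPort on $dc ($($listeners.LocalAddress -join ', '))"
}

# Step 3, continued: the built-in inbound firewall rule should be enabled on the DC.
$rule = Get-NetFirewallRule -CimSession $cim -DisplayName 'Active Directory Web Services (TCP-In)' -ErrorAction SilentlyContinue
if (-not $rule -or $rule.Enabled -ne 'True') {
    Write-Warning "Inbound firewall rule 'Active Directory Web Services (TCP-In)' is missing or disabled on $dc"
}

# Step 4 (stand-in for a packet capture): can this client complete a TCP handshake to 9389?
$probe = Test-NetConnection -ComputerName $dc -Port $AdwsPort -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    "TCP $AdwsPort reachable from $env:COMPUTERNAME to $dc"
} else {
    Write-Warning "TCP $AdwsPort blocked between $env:COMPUTERNAME and $dc; suspect a host/network firewall or endpoint protection software."
}
Remove-CimSession $cim
```

A handshake that succeeds here but an Administrative Center that still fails points back to the service itself rather than the network; a handshake that fails while the DC shows ADWS listening points at a firewall in the path, which is where the packet capture in step 4 becomes necessary.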

Known/Likely Issues and Support Scenarios

The only likely issue with the Active Directory Administrative Center is an inability to connect to the Active Directory Web Service (ADWS) running on a Windows Server 2012 or Windows Server 2008 R2 domain controller.

See Also

Introduction to Active Directory Administrative Center Enhancements (Level 100)