Introduction to Active Directory Administrative Center Enhancements (Level 100)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

ADAC in Windows Server 2012 includes management features for the following:

Active Directory Recycle Bin

Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In past versions of Windows Server, prior to Windows Server 2008 R2, one could recover accidentally deleted objects in Active Directory, but the solutions had their drawbacks.

In Windows Server 2008, you could use the Windows Server Backup feature and the ntdsutil authoritative restore command to mark objects as authoritative, ensuring that the restored data was replicated throughout the domain. The drawback of the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM). During DSRM, the domain controller being restored had to remain offline, so it could not service client requests.

In Windows Server 2003 Active Directory and Windows Server 2008 AD DS, you could recover deleted Active Directory objects through tombstone reanimation. However, reanimated objects' link-valued attributes (for example, group memberships of user accounts) that were physically removed, and non-link-valued attributes that were cleared, were not recovered. Therefore, administrators could not rely on tombstone reanimation as the ultimate solution to accidental deletion of objects. For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects.

Active Directory Recycle Bin, starting in Windows Server 2008 R2, builds on the existing tombstone reanimation infrastructure and enhances your ability to preserve and recover accidentally deleted Active Directory objects.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments. For a detailed description of Active Directory Recycle Bin, see What's New in AD DS: Active Directory Recycle Bin.

What's new? In Windows Server 2012, the Active Directory Recycle Bin feature has been enhanced with a new graphical user interface for managing and restoring deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.

If you plan to enable Active Directory Recycle Bin in Windows Server 2012, consider the following:

  • By default, Active Directory Recycle Bin is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2 or higher. This in turn requires that all domain controllers in the forest, or all servers that host instances of AD LDS configuration sets, be running Windows Server 2008 R2 or higher.

  • The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

  • To manage the Recycle Bin feature through a user interface, you must install the version of Active Directory Administrative Center in Windows Server 2012.

    Note

    You can use Server Manager to install Remote Server Administration Tools (RSAT) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

    You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

Active Directory Recycle Bin step-by-step

In the following steps, you will use ADAC to perform the following Active Directory Recycle Bin tasks in Windows Server 2012:

Note

Membership in the Enterprise Admins group or equivalent permissions is required to perform the following steps.

Step 1: Raise the forest functional level

In this step, you will raise the forest functional level. You must raise the functional level of the target forest to at least Windows Server 2008 R2 before you can enable Active Directory Recycle Bin.

To raise the functional level on the target forest
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Click the target domain in the left navigation pane and, in the Tasks pane, click Raise the forest functional level. Select a forest functional level that is at least Windows Server 2008 R2, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest -Confirm:$false

For the -Identity argument, specify the fully qualified DNS name of the forest.

Step 2: Enable Recycle Bin

In this step, you will enable the Recycle Bin to restore deleted objects in AD DS.

To enable Active Directory Recycle Bin in ADAC on the target domain
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the Tasks pane, click Enable Recycle Bin..., click OK on the warning message box, and then click OK on the message asking you to refresh ADAC.

  4. Press F5 to refresh ADAC.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
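Because enabling the Recycle Bin is a one-way change that requires a Windows Server 2008 R2 forest functional level and 2008 R2 or later on every domain controller, a practitioner would normally verify all of that, and whether the feature is already on, before calling Enable-ADOptionalFeature. The following PowerShell is an added example written for this page; it is not code from the original article or from the ActiveDirectory module. It assumes the ActiveDirectory module is installed and the caller is an Enterprise Admin, and it reads the forest name from Get-ADForest instead of hard-coding contoso.com. The function names Test-RecycleBinPrerequisites and Enable-RecycleBinChecked are hypothetical.

```powershell
# Added example, not from the original article. Pre-flight checks before the
# irreversible step of enabling Active Directory Recycle Bin.
# Assumes: ActiveDirectory module available; caller is an Enterprise Admin.
Import-Module ActiveDirectory

function Test-RecycleBinPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum forest mode the feature needs (Windows Server 2008 R2).
        [string]$MinimumForestMode = 'Windows2008R2Forest'
    )

    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]$MinimumForestMode

    # Forest mode enum values increase with each release, so a numeric
    # comparison tells us whether the current mode is high enough.
    $forestModeOk = [int]$forest.ForestMode -ge [int]$required

    # Every DC in every domain must run 2008 R2 or later before the forest
    # mode can be raised. Anything matching 2000/2003/2008-without-R2 fails.
    $downlevel = foreach ($domain in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Where-Object { $_.OperatingSystem -match '2000|2003|2008(?! R2)' } |
            Select-Object HostName, Domain, OperatingSystem
    }

    # EnabledScopes is non-empty once the feature is on; there is no way back.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $alreadyEnabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0

    [pscustomobject]@{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        ForestModeOk   = $forestModeOk
        DownlevelDCs   = @($downlevel)
        AlreadyEnabled = $alreadyEnabled
        ReadyToEnable  = $forestModeOk -and -not $downlevel -and -not $alreadyEnabled
    }
}

function Enable-RecycleBinChecked {
    # Enables the feature only when every check passes; -WhatIf shows the
    # intended action without committing the one-way change.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $check = Test-RecycleBinPrerequisites
    if ($check.AlreadyEnabled) {
        Write-Warning "Recycle Bin is already enabled in forest $($check.Forest); nothing to do."
        return $check
    }
    if (-not $check.ForestModeOk) {
        throw "Forest mode is $($check.ForestMode); raise it to Windows2008R2Forest or higher first."
    }
    if ($check.DownlevelDCs.Count -gt 0) {
        throw ("Down-level domain controllers block the change: " +
               (($check.DownlevelDCs | ForEach-Object HostName) -join ', '))
    }

    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($PSCmdlet.ShouldProcess($check.Forest, 'Enable Active Directory Recycle Bin (irreversible)')) {
        # The outer ShouldProcess already asked; suppress the cmdlet's own prompt.
        Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
            -Scope ForestOrConfigurationSet -Target $check.Forest -Confirm:$false
    }
    Test-RecycleBinPrerequisites
}

# Usage: dry run first, then commit.
# Enable-RecycleBinChecked -WhatIf
# Enable-RecycleBinChecked
```

Run Test-RecycleBinPrerequisites on its own during planning; the DownlevelDCs list is the usual blocker in mixed forests, and ReadyToEnable is $false until it is empty.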

Step 3: Create test users, group, and organizational unit

In the following procedures, you will create two test users. You will then create a test group and add the test users to the group. In addition, you will create an OU.

To create test users
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the Tasks pane, click New, and then click User.

  4. Enter the following information under Account, and then click OK:

    • Full name: test1

    • User SamAccountName logon: test1

    • Password: p@ssword1

    • Confirm password: p@ssword1

  5. Repeat the previous steps to create a second user, test2.

To create a test group and add users to the group
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the Tasks pane, click New, and then click Group.

  4. Enter the following information under Group, and then click OK:

    • Group name: group1

  5. Click group1, and then in the Tasks pane, click Properties.

  6. Click Members, click Add, type test1;test2, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-ADGroupMember -Identity group1 -Members test1,test2

To create an organizational unit
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the Tasks pane, click New, and then click Organizational Unit.

  4. Enter the following information under Organizational Unit, and then click OK:

    • Name: OU1

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlets perform the same function as the preceding procedures in this step (creating the test users, the group, and the OU). Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

1..2 | ForEach-Object {New-ADUser -SamAccountName "test$_" -Name "test$_" -Path "DC=contoso,DC=com" -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssword1" -Force) -Enabled $true}
New-ADGroup -Name "group1" -SamAccountName group1 -GroupCategory Security -GroupScope Global -DisplayName "group1"
New-ADOrganizationalUnit -Name OU1 -Path "DC=contoso,DC=com"

Step 4: Restore deleted objects

In the following procedures, you will restore deleted objects from the Deleted Objects container to their original location and to a different location.

To restore deleted objects to their original location
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Select users test1 and test2, click Delete in the Tasks pane, and then click Yes to confirm the deletion.

    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    Get-ADUser -Filter 'Name -Like "*test*"' | Remove-ADUser -Confirm:$false

  4. Navigate to the Deleted Objects container, select test2 and test1, and then click Restore in the Tasks pane.

  5. To confirm the objects were restored to their original location, navigate to the target domain and verify that the user accounts are listed.

    Note

    If you navigate to the Properties of the user accounts test1 and test2 and then click Member Of, you will see that their group membership was also restored.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject

To restore deleted objects to a different location
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Select users test1 and test2, click Delete in the Tasks pane, and then click Yes to confirm the deletion.

  4. Navigate to the Deleted Objects container, select test2 and test1, and then click Restore To in the Tasks pane.

  5. Select OU1, and then click OK.

  6. To confirm the objects were restored to OU1, navigate to the target domain, double-click OU1, and verify that the user accounts are listed.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Get-ADObject -Filter 'Name -Like "*test*"' -IncludeDeletedObjects | Restore-ADObject -TargetPath "OU=OU1,DC=contoso,DC=com"
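The equivalent commands above restore everything whose name matches *test*, which is fine in a lab but not in production, where the same filter also matches live objects and where you want to know where an object came from and when it was deleted before putting it back. The following PowerShell is an added example written for this page, not the article's own code: it lists tombstoned objects with their last known parent and deletion time, then restores selected objects by objectGUID, optionally to a different container, with -WhatIf support and a check that the destination still exists. It assumes the ActiveDirectory module and an enabled Recycle Bin; the function names are hypothetical.

```powershell
# Added example, not from the original article. Inventory deleted objects and
# restore them individually by GUID instead of by a broad name filter.
# Assumes: ActiveDirectory module available; Recycle Bin already enabled.
Import-Module ActiveDirectory

function Get-DeletedADObjectReport {
    [CmdletBinding()]
    param(
        [string]$NameFilter = '*',   # wildcard on the object's original name
        [int]$WithinHours  = 24      # only recent deletions by default
    )
    $since = (Get-Date).AddHours(-$WithinHours)

    # The Deleted Objects container itself carries isDeleted, so exclude it.
    # msDS-LastKnownRDN holds the original name; Name is mangled with \0ADEL:<guid>.
    Get-ADObject -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, LastKnownParent, whenChanged, objectClass |
        Where-Object {
            $_.'msDS-LastKnownRDN' -like $NameFilter -and $_.whenChanged -ge $since
        } |
        Select-Object @{n = 'Name'; e = { $_.'msDS-LastKnownRDN' }},
                      objectClass,
                      @{n = 'DeletedAt'; e = { $_.whenChanged }},
                      LastKnownParent,
                      ObjectGUID
}

function Restore-DeletedADObjectByGuid {
    # Accepts the report rows on the pipeline (ObjectGUID property) and restores
    # each one; -TargetPath relocates, otherwise LastKnownParent is used.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [guid]$ObjectGUID,
        [string]$TargetPath
    )
    process {
        $obj  = Get-ADObject -Identity $ObjectGUID -IncludeDeletedObjects `
                    -Properties msDS-LastKnownRDN, LastKnownParent
        $name = $obj.'msDS-LastKnownRDN'
        $dest = if ($TargetPath) { $TargetPath } else { $obj.LastKnownParent }

        # A restore fails when the destination is itself deleted (for example a
        # removed OU); restore the parent first. Get-ADObject -Identity throws a
        # terminating error for missing/deleted objects, hence the try/catch.
        $destExists = try { [bool](Get-ADObject -Identity $dest) } catch { $false }
        if (-not $destExists) {
            Write-Warning "Destination '$dest' is missing or deleted; restore it first. Skipping $name."
            return
        }

        if ($PSCmdlet.ShouldProcess("$name -> $dest", 'Restore-ADObject')) {
            $params = @{ Identity = $ObjectGUID }
            if ($TargetPath) { $params.TargetPath = $TargetPath }
            Restore-ADObject @params
        }
    }
}

# Usage: review first, then restore only the users, previewing with -WhatIf.
# Get-DeletedADObjectReport -NameFilter 'test*' | Format-Table
# Get-DeletedADObjectReport -NameFilter 'test*' |
#     Where-Object objectClass -eq 'user' |
#     Restore-DeletedADObjectByGuid -WhatIf
# Get-DeletedADObjectReport -NameFilter 'test*' |
#     Restore-DeletedADObjectByGuid -TargetPath 'OU=OU1,DC=contoso,DC=com'
```

Restoring by ObjectGUID rather than by name also matters when the same name has been deleted and re-created more than once: each tombstone has its own GUID, and the DeletedAt column lets you pick the right one.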

Fine-Grained Password Policy

The Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Active Directory domains prior to Windows Server 2008, only one password policy and account lockout policy could be applied to all users in the domain. These policies were specified in the Default Domain Policy for the domain. As a result, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter or deploy multiple domains. Both are costly options.

You can use fine-grained password policies to specify multiple password policies within a single domain and apply different password and account lockout restrictions to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources. For a detailed description of Fine-Grained Password Policy, see AD DS: Fine-Grained Password Policies.

What's new? In Windows Server 2012, fine-grained password policy management is made easier and more visual by providing a user interface for AD DS administrators to manage these policies in ADAC. Administrators can now view a given user's resultant policy, view and sort all password policies within a given domain, and manage individual password policies visually.

If you plan to use fine-grained password policies in Windows Server 2012, consider the following:

  • Fine-grained password policies apply only to global security groups and user objects (or inetOrgPerson objects if they are used instead of user objects). By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008 or higher.

  • You must use the Windows Server 2012 version of Active Directory Administrative Center to administer fine-grained password policies through a graphical user interface.

    Note

    You can use Server Manager to install Remote Server Administration Tools (RSAT) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

    You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

Fine-Grained Password Policy step-by-step

In the following steps, you will use ADAC to perform the following fine-grained password policy tasks:

Note

Membership in the Domain Admins group or equivalent permissions is required to perform the following steps.

Step 1: Raise the domain functional level

In the following procedure, you will raise the domain functional level of the target domain to Windows Server 2008 or higher. A domain functional level of Windows Server 2008 or higher is required to enable fine-grained password policies.

To raise the domain functional level
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Click the target domain in the left navigation pane and, in the Tasks pane, click Raise the domain functional level. Select a domain functional level that is at least Windows Server 2008, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain

Step 2: Create test users, group, and organizational unit

To create the test users and group needed for this step, follow the procedures in Step 3: Create test users, group, and organizational unit (you do not need to create the OU to demonstrate fine-grained password policy).

Step 3: Create a new fine-grained password policy

In the following procedure, you will create a new fine-grained password policy using the UI in ADAC.

To create a new fine-grained password policy
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the ADAC navigation pane, open the System container, and then click Password Settings Container.

  4. In the Tasks pane, click New, and then click Password Settings.

    Fill in or edit the fields on the property page to create a new Password Settings object. The Name and Precedence fields are required.

  5. Under Directly Applies To, click Add, type group1, and then click OK.

    This associates the Password Settings object with the members of the global group you created for the test environment.

  6. Click OK to submit the creation.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1

Step 4: View a resultant set of policies for a user

In the following procedure, you will view the resultant password settings for a user who is a member of the group to which you assigned a fine-grained password policy in Step 3: Create a new fine-grained password policy.

To view a resultant set of policies for a user
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Select a user, test1, who belongs to the group, group1, that you associated with a fine-grained password policy in Step 3: Create a new fine-grained password policy.

  4. Click View Resultant Password Settings in the Tasks pane.

  5. Examine the password settings policy, and then click Cancel.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Get-ADUserResultantPasswordPolicy test1
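Viewing one user's resultant policy at a time does not scale. What an administrator reviewing Steps 3 and 4 usually wants is the full list of Password Settings objects in precedence order, a flag on any two that share a precedence value (ties are then broken by GUID, which nobody chose deliberately), and, for every member of a group such as the privileged accounts mentioned above, which policy actually governs them, noting that Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies and the Default Domain Policy takes over. The following PowerShell is an added example for this page, not the article's own code; it assumes the ActiveDirectory module and a domain functional level of Windows Server 2008 or higher, and the function names are hypothetical.

```powershell
# Added example, not from the original article. Audit PSOs and report the
# resultant password policy of every user in a group.
# Assumes: ActiveDirectory module; domain functional level >= Windows Server 2008.
Import-Module ActiveDirectory

function Get-PsoAudit {
    [CmdletBinding()]
    param()

    # All Password Settings objects, ordered the way the directory applies them
    # (lowest Precedence wins when a user is covered by more than one).
    $psos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Sort-Object Precedence

    # Duplicate Precedence values are resolved by GUID, so flag them for review.
    $dupes = $psos | Group-Object Precedence | Where-Object Count -gt 1 |
        ForEach-Object Name

    foreach ($p in $psos) {
        $subjects = foreach ($dn in $p.AppliesTo) { (Get-ADObject -Identity $dn).Name }
        [pscustomobject]@{
            Name                 = $p.Name
            Precedence           = $p.Precedence
            PrecedenceConflict   = [bool]($dupes -contains [string]$p.Precedence)
            MinPasswordLength    = $p.MinPasswordLength
            LockoutThreshold     = $p.LockoutThreshold
            ReversibleEncryption = $p.ReversibleEncryptionEnabled   # expected: False
            AppliesTo            = $subjects -join ';'
        }
    }
}

function Get-GroupResultantPasswordPolicy {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$GroupName)

    $default = Get-ADDefaultDomainPasswordPolicy

    # -Recursive expands nested groups; the PSO is resolved per user regardless
    # of which group made the user a member.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            # Returns nothing when no PSO applies: the Default Domain Policy governs.
            $pso        = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $effective  = if ($pso) { $pso } else { $default }
            $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            [pscustomobject]@{
                User              = $_.SamAccountName
                EffectivePolicy   = $policyName
                MinPasswordLength = $effective.MinPasswordLength
                LockoutThreshold  = $effective.LockoutThreshold
                MaxPasswordAge    = $effective.MaxPasswordAge
            }
        }
}

# Usage:
# Get-PsoAudit | Format-Table
# Get-GroupResultantPasswordPolicy -GroupName 'group1' | Format-Table
# Get-GroupResultantPasswordPolicy -GroupName 'Domain Admins' | Format-Table
```

A row whose EffectivePolicy is "Default Domain Policy" for a member of a privileged group is the finding to act on: the stricter PSO was created but does not reach that account, typically because it was applied to a nested or non-global group.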

Step 5: Edit a fine-grained password policy

In the following procedure, you will edit the fine-grained password policy you created in Step 3: Create a new fine-grained password policy.

To edit a fine-grained password policy
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the ADAC navigation pane, expand System, and then click Password Settings Container.

  4. Select the fine-grained password policy you created in Step 3: Create a new fine-grained password policy, and click Properties in the Tasks pane.

  5. Under Enforce password history, change the value of Number of passwords remembered to 30.

  6. Click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADFineGrainedPasswordPolicy TestPswd -PasswordHistoryCount:"30"

Step 6: Delete a fine-grained password policy

To delete a fine-grained password policy
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. In the ADAC navigation pane, expand System, and then click Password Settings Container.

  4. Select the fine-grained password policy you created in Step 3: Create a new fine-grained password policy, and in the Tasks pane click Properties.

  5. Clear the Protect from accidental deletion checkbox, and click OK.

  6. Select the fine-grained password policy, and in the Tasks pane click Delete.

  7. Click OK in the confirmation dialog.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADFineGrainedPasswordPolicy -Identity TestPswd -ProtectedFromAccidentalDeletion $False
Remove-ADFineGrainedPasswordPolicy TestPswd -Confirm

Windows PowerShell History Viewer

ADAC is a user interface tool built on top of Windows PowerShell. In Windows Server 2012, IT administrators can use ADAC to learn the Windows PowerShell for Active Directory cmdlets by using the Windows PowerShell History Viewer. As actions are executed in the user interface, the equivalent Windows PowerShell command is shown to the user in the Windows PowerShell History Viewer. This allows administrators to create automated scripts and reduce repetitive tasks, thus increasing IT productivity. This feature also reduces the time needed to learn Windows PowerShell for Active Directory and increases users' confidence in the correctness of their automation scripts.

When using the Windows PowerShell History Viewer in Windows Server 2012, consider the following:

  • To use the Windows PowerShell History Viewer, you must use the Windows Server 2012 version of ADAC.

    Note

    You can use Server Manager to install Remote Server Administration Tools (RSAT) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

    You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

  • Have some basic Windows PowerShell knowledge. For example, you need to know how piping in Windows PowerShell works. For more information about piping in Windows PowerShell, see Piping and the Pipeline in Windows PowerShell.

Windows PowerShell History Viewer step-by-step

In the following procedure, you will use the Windows PowerShell History Viewer in ADAC to construct a Windows PowerShell script. Before you begin this procedure, remove the user test1 from the group group1.

To construct a script using PowerShell History Viewer
  1. Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

  2. Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

  3. Expand the Windows PowerShell History pane at the bottom of the ADAC screen.

  4. Select the user test1.

  5. Click Add to group... in the Tasks pane.

  6. Navigate to group1 and click OK in the dialog box.

  7. Navigate to the Windows PowerShell History pane and locate the command just generated.

  8. Copy the command and paste it into your preferred editor to construct your script.

    For example, you can modify the command to add a different user to group1, or to add test1 to a different group.
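The command the History Viewer shows for step 6 is an Add-ADGroupMember call with the user and group filled in, the same cmdlet the page lists as the PowerShell equivalent of the group step. Turning that one-off line into a reusable script is the point of the exercise, so the following is an added example for this page, not the article's own code: it wraps the cmdlet in a function that takes user/group pairs from the pipeline, skips memberships that already exist, honours -WhatIf, and returns a record of each decision that can be exported as a change log. It assumes the ActiveDirectory module and that the users and groups already exist; the CSV rows are constructed for the example and the function name is hypothetical.

```powershell
# Added example, not from the original article. A reusable script built from
# the Add-ADGroupMember command that the History Viewer shows for step 6.
# Assumes: ActiveDirectory module; the users and groups already exist.
Import-Module ActiveDirectory

function Add-ADGroupMembershipIdempotent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$User,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Group
    )
    process {
        # Compare distinguished names so renamed or nested objects match exactly.
        $userObj  = Get-ADUser -Identity $User
        $existing = Get-ADGroupMember -Identity $Group |
            Select-Object -ExpandProperty DistinguishedName

        $status = if ($existing -contains $userObj.DistinguishedName) {
            'AlreadyMember'                      # nothing to change, nothing written
        } elseif ($PSCmdlet.ShouldProcess("$User -> $Group", 'Add-ADGroupMember')) {
            Add-ADGroupMember -Identity $Group -Members $userObj
            'Added'
        } else {
            'Skipped'                            # -WhatIf or declined confirmation
        }

        [pscustomobject]@{
            User   = $User
            Group  = $Group
            Result = $status
            When   = Get-Date
        }
    }
}

# Constructed sample input (not from the page): user/group pairs as CSV text.
# Replace with Import-Csv .\memberships.csv for real runs.
$pairs = @'
User,Group
test1,group1
test2,group1
'@ | ConvertFrom-Csv

# Preview every decision without touching the directory.
$pairs | Add-ADGroupMembershipIdempotent -WhatIf

# Apply and keep the returned records as an audit trail:
# $pairs | Add-ADGroupMembershipIdempotent |
#     Export-Csv .\group-changes.csv -NoTypeInformation
```

Running the script a second time reports AlreadyMember for every row instead of erroring, which is what makes it safe to schedule; the exported records also give you a timestamped list of who was added to which group, independent of the directory's own change auditing.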

See Also

Advanced AD DS Management Using Active Directory Administrative Center (Level 200)