What is Active Directory?
Active Directory is a long-established service, and most administrators know what it is. This post gives a short, tutorial-style introduction for anyone who does not, and then shows how to look up users, groups and computers from the command line on Windows and, via Centrify, on Linux.
The topic is broad if you want to master it, so what follows is a summary kept as short as possible.
Active Directory, popularly known as AD, is a domain-based directory service developed by Microsoft. Because it is a Microsoft product it started as a Windows-only service, used for centralized domain management of both desktop and server operating systems; later it was integrated with UNIX and Linux environments through third-party tools.
What is Domain Controller?
Windows Servers that run the AD DS (Active Directory Domain Services) role are known as Domain Controllers.
In a VMware environment with many ESXi servers, you can use AD authentication for user management on the ESXi hosts as well; see the separate post on how to configure an ESXi host with Active Directory authentication.
Which protocols does a Domain Controller use?
Active Directory exposes its directory through the Lightweight Directory Access Protocol, popularly known as LDAP (TCP 389, or LDAPS on TCP 636). Authentication itself is done with Kerberos (port 88), with NTLM kept as a fallback, and clients locate domain controllers through DNS SRV records.
What is Active Directory used for?
It is heavily used for centralized user management, which brings a security advantage: one place to create, disable and audit accounts. It is the backbone of Identity and Access Management (IAM) in Windows environments and also gives cross-platform access, for example to Samba shares, with AD credentials.
AD Integrations with UNIX
Many third-party tools build on Active Directory. The most common uses are:
- Samba shares with AD authentication, for cross-platform file access.
- UNIX and Linux server logins with AD credentials, by integrating a third-party agent (such as Centrify, covered below) with AD.
- Windows servers and desktops, which use AD-based authentication natively since AD is Microsoft's own service.
What is Active Directory Group?
In general, a group is a collection of similar objects or people, and the idea behind an Active Directory group is the same: a collection of objects (users, computers or other groups) that need the same access or serve the same function. Permissions are granted to the group, and a member gets them simply by being in it.
Major Components of Active Directory
The three major object types in Active Directory are users, groups, and computers, all hosted on domain controllers. The general recommendation is to run more than one domain controller per domain, so that authentication keeps working if one is down.
Access is mostly granted using role-based access control (RBAC): permissions are assigned to groups rather than to individual accounts, so the members of one group can be given access to another resource or group when required by adding the group itself, and groups can be nested for this purpose.
How to find Active Directory Users and Computers via Command Line
Let us see how to find Active Directory users and computers from the command line on Windows 7 or Windows 10. The command syntax is shown below.
How to find AD user details from the Command Prompt of your Windows 7 or Windows 10 laptop/desktop
C:\users\user> net user <Users AD ID> /domain

Example:

C:\users\user> net user rbharti /domain
The request will be processed at a domain controller for domain xyz.com

User name                    rbharti
Full Name                    Bharti, Ramesh
Comment                      Request No via which ID was created
User's comment               May be users manager name
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/4/2021 2:33:11 AM
Password expires             4/4/2021 2:33:11 AM
Password changeable          1/4/2021 2:33:11 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 logon.cmd
User profile                 profile location here
Home directory               \fakepath\rbharti$
Last logon                   3/8/2021 5:45:41 PM

Logon hours allowed          All

Local Group Memberships      Prevent Creation
Global Group memberships     :Group Membership details. Output truncated for visibility.
The command completed successfully.
The command returns the user's full AD record, including account status, so it is the quickest way to check whether a user is locked out: the Account active line reads Yes for a normal account, No if the account is disabled and Locked if it is locked out, and the Password expires line shows whether the password has lapsed. Note that any authenticated domain user can run this query, so it gives an attacker with a low-privileged foothold the same information it gives the help desk.
How to find whether an AD user belongs to a specific AD group from the Command Prompt of your Windows 7 or Windows 10 laptop/desktop
The net group command lists the members of a domain (global) group, and net localgroup lists the local groups on the machine itself. The syntax is:
C:\Users\user> net group <your_groupname> /domain
C:\Users\user> net group servername-users /domain

C:\Users\user> net localgroup

Aliases for \\LAPTOP

-------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Avecto Defendpoint Modified Token
*Backup Operators
*ConfigMgr Remote Control Users
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.

C:\Users\user>
With net group <group> /domain you can quickly see whether a user is in a server access group, which is helpful when a user complains that he cannot log in to a particular server: if the account is not listed, the group is the first thing to fix. Two caveats: net group only handles global groups, so for a domain local group use net localgroup <group> /domain instead, and the plain net localgroup output above lists the laptop's own local groups, not AD group membership.
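The checks above can be scripted. The helpers below are an added example written for this post, not commands shipped with Windows: they parse the text that net user <id> /domain and net group <group> /domain print, so a script can classify an account as active, disabled or locked, list its groups, and test membership of a group. The sample outputs are constructed (the user rbharti, the group srv101-users and the other member names are placeholders), and the functions are written for a POSIX shell such as Git Bash or WSL on the Windows host, or for captured output copied to a Linux box.

```shell
# Added example for this post, not code shipped with Windows. The functions
# parse the text printed by "net user <id> /domain" and
# "net group <group> /domain" so the checks can run in a script.
# Sample outputs are constructed; rbharti, srv101-users and the other
# names are placeholders.

# Classify an account from "net user" output read on stdin: prints
# active, disabled or locked, from the "Account active" line
# (Yes = normal, No = disabled, Locked = locked out).
net_user_status() {
    state=$(tr -d '\r' | sed -n 's/^Account active[[:space:]]*//p')
    case "$state" in
        Yes)    echo active ;;
        No)     echo disabled ;;
        Locked) echo locked ;;
        *)      echo unknown; return 1 ;;
    esac
}

# Print the groups from the "Local Group Memberships" and "Global Group
# memberships" sections of "net user" output, one per line. net prefixes
# each name with '*' and wraps long lists onto continuation lines.
net_user_groups() {
    tr -d '\r' | awk '
        /^(Local|Global) Group [Mm]emberships/ { inblock = 1 }
        /^The command completed/               { inblock = 0 }
        inblock {
            n = split($0, parts, /\*/)
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# Succeed if <user> is listed in "net group <group> /domain" output read
# on stdin. Members follow a dashed separator line, several per row;
# whole-token comparison avoids "rbharti" matching "rbharti2".
net_group_has_member() {
    tr -d '\r' | awk -v u="$1" '
        /^-+$/                   { inlist = 1; next }
        /^The command completed/ { inlist = 0 }
        inlist { for (i = 1; i <= NF; i++) if (tolower($i) == tolower(u)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output, trimmed to the lines the functions look at.
SAMPLE_NET_USER='User name                    rbharti
Full Name                    Bharti, Ramesh
Account active               Locked
Account expires              Never
Password last set            1/4/2021 2:33:11 AM
Password expires             4/4/2021 2:33:11 AM
Local Group Memberships      *Remote Desktop Users
Global Group memberships     *Domain Users         *srv101-users
                             *vpn-users
The command completed successfully.'

SAMPLE_NET_GROUP='Group name     srv101-users
Comment        Access to srv101

Members

-------------------------------------------------------------------------------
jdoe                     rbharti                  svc-backup
The command completed successfully.'

# Live use on a domain-joined Windows host (Git Bash or WSL):
#   net user rbharti /domain | net_user_status
#   net group srv101-users /domain | net_group_has_member rbharti && echo "has access"
# Demo on the constructed samples:
printf '%s\n' "$SAMPLE_NET_USER" | net_user_status        # locked
printf '%s\n' "$SAMPLE_NET_USER" | net_user_groups
if printf '%s\n' "$SAMPLE_NET_GROUP" | net_group_has_member rbharti; then
    echo "rbharti is a member of srv101-users"
fi
```

The status function keys off the Account active line rather than grepping for "Locked" anywhere, because a comment or group name could contain that word; the membership check compares whole tokens so a prefix of another account name does not count as a match.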
How to find Active Directory user details in Linux via Centrify
Centrify Corporation is a third-party vendor whose product integrates UNIX and Linux hosts with AD. It uses a client-server architecture, like LDAP: just as an LDAP client must run on every client machine, the Centrify agent (the adclient daemon) must be running on each host for AD authentication to work.
How Centrify Works on Linux Environment
Centrify ships as a suite. Once it is installed and the server is joined to AD (the server becomes a computer object in AD terms), the accounts in the local passwd file, including root, stay local and keep authenticating locally; in the setup described here a group named <servername>-users is created automatically during the join, and it governs who may log in to that host.
nsswitch.conf is also updated so that centrifydc is consulted first, which means users are resolved and authenticated through Centrify, that is, with their AD credentials.
The agent's behaviour is controlled by centrifydc.conf under /etc/centrifydc, alongside the user.allow, user.ignore, groups.allow and groups.ignore files. Putting a group in groups.allow grants access to all members of that group even if they are not members of <servername>-users.
You can verify the AD connection status of any computer (that is, any Linux server, which AD treats as a computer object) with the adinfo command. A sample is given below.
$ adinfo -a
Local host name:   lnxsrv101
Joined to domain:  xyz.com
Joined as:         lnxsrv101.xyz.com
Pre-win2K name:    lnxsrv101
Current DC:        domain1001.xyz.com
Preferred site:    abc
Zone:              xyz.com/Program Data/Centrify/Zones/Development
Last password set: 2021-03-08 08:13:08 IST
CentrifyDC mode:   connected
Licensed Features: Enabled
In the example above, CentrifyDC mode must show connected for AD authentication to work; disconnected means the agent cannot reach a domain controller, and logins will fail or fall back to cached credentials. During installation a startup script for the agent is created under /etc/init.d, which can be used to start or stop the agent as required.
Centrify can also help you migrate if you still run native NIS: all NIS maps can be managed in AD. The suite manages all AD-side configuration, including user addition, and is especially handy for IAM, including privileged access management, filer access and more.
It is a subscription-based product for enterprise customers, and it is well worth it if you manage users in AD, especially for UNIX and Linux environments.
Zones can be created to manage hosts efficiently, for instance separate Production and Development zones.
How to find whether a user is in AD
$ adquery user rbharti
rbharti:x:123456:100:Bharti, Ramesh:/home/rbharti:/bin/ksh
For example, to find whether a user has access to a specific server, log in to that server and first check that the agent is in the connected state. The server belongs to a specific zone and adquery queries that zone, so if for some reason you cannot get onto the server itself, you can run the same command from any other server in the same zone.
Output like the above (a passwd-style line) confirms that the user is defined in that zone. The next step is to check whether the user has access to the specific server.
If you need more detail about the user, such as whether the account is locked, the variants below can be used (their output is omitted here as it is long). The same queries answer "which Active Directory groups am I part of".
$ adquery user -a rbharti
$ adquery user -A rbharti
$ adquery user -A rbharti | egrep "zoneEnabled|accountLocked"
The last command shows whether the account is zone-enabled, which is mandatory for access to work, and whether it is active or locked.
How to find whether a user is part of a specific AD group
To see all the AD groups in the zone you can run adquery group on its own, but a zone may hold a great many groups, so prefer the narrower variant shown further down.
$ adquery group
As mentioned above, when a computer (Linux server) joins AD, a <servername>-users AD group is created by default.
$ adquery group -a servername101-users
This lists all the users who have access to the named Linux server. To check whether one specific user is in the access group:
$ adquery group -a servername101-users | grep rbharti
Note that grep matches substrings, so "rbharti" would also match "rbharti2"; use grep -x rbharti for an exact match.
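Putting the adinfo and adquery steps above together, the script below is an added example written for this post (it is not part of the Centrify product) that answers "does this user have access to this host?" in one call: agent connected, account zone-enabled and not locked, user in the host access group. The sample outputs are constructed; host, zone, user and group names are placeholders, the attribute:value layout of adquery user -A is assumed from the egrep above, and adquery group -a is assumed to print one member per line as the grep above implies.

```shell
# Added example for this post, not part of the Centrify product. These
# helpers turn the adinfo/adquery checks above into a scripted
# "does this user have access to this host?" test. The sample outputs are
# constructed; host, zone, user and group names are placeholders, and the
# attribute:value layout of "adquery user -A" is assumed from the post's
# egrep, as is one member per line from "adquery group -a".

# Read "adinfo -a" output on stdin; succeed only if the agent reports
# "CentrifyDC mode: connected".
centrify_connected() {
    mode=$(sed -n 's/^CentrifyDC mode:[[:space:]]*//p')
    [ "$mode" = "connected" ]
}

# Read "adquery user -A <user>" output on stdin; print "enabled" and succeed
# only if the account is zone-enabled and not locked, else print the reason.
centrify_user_enabled() {
    out=$(cat)
    zone=$(printf '%s\n' "$out" | sed -n 's/^zoneEnabled:[[:space:]]*//p')
    locked=$(printf '%s\n' "$out" | sed -n 's/^accountLocked:[[:space:]]*//p')
    if [ "$zone" != "true" ]; then
        echo "not zone-enabled"
        return 1
    fi
    if [ "$locked" = "true" ]; then
        echo "account locked"
        return 1
    fi
    echo "enabled"
}

# Read "adquery group -a <group>" output on stdin; succeed if <user> is a
# member. Exact, case-insensitive line match, so "rbharti" does not match
# "rbharti2" the way the plain grep in the post would.
centrify_group_has_member() {
    grep -qix -- "$1"
}

# Run all three checks for one user. Arguments: user, then the captured
# outputs of adinfo -a, adquery user -A <user>, adquery group -a <host>-users.
# Prints "ok" or the first failing reason; the exit status follows.
centrify_access_check() {
    user=$1; adinfo_out=$2; user_out=$3; group_out=$4
    printf '%s\n' "$adinfo_out" | centrify_connected || {
        echo "agent not connected"; return 1; }
    reason=$(printf '%s\n' "$user_out" | centrify_user_enabled) || {
        echo "$reason"; return 1; }
    printf '%s\n' "$group_out" | centrify_group_has_member "$user" || {
        echo "user not in host access group"; return 1; }
    echo "ok"
}

# Constructed sample outputs (values follow the post's adinfo example).
SAMPLE_ADINFO='Local host name:   lnxsrv101
Joined to domain:  xyz.com
Joined as:         lnxsrv101.xyz.com
Current DC:        domain1001.xyz.com
Zone:              xyz.com/Program Data/Centrify/Zones/Development
CentrifyDC mode:   connected
Licensed Features: Enabled'

SAMPLE_ADQUERY_USER='samAccountName:rbharti
unixname:rbharti
uid:123456
gid:100
zoneEnabled:true
accountLocked:false'

SAMPLE_ADQUERY_GROUP='jdoe
rbharti
svc-backup'

# Live use on the Linux server (host name assumed to be lnxsrv101):
#   centrify_access_check rbharti "$(adinfo -a)" \
#       "$(adquery user -A rbharti)" "$(adquery group -a lnxsrv101-users)"
# Demo on the constructed samples:
centrify_access_check rbharti "$SAMPLE_ADINFO" "$SAMPLE_ADQUERY_USER" "$SAMPLE_ADQUERY_GROUP"   # ok
if ! centrify_access_check jsmith "$SAMPLE_ADINFO" "$SAMPLE_ADQUERY_USER" "$SAMPLE_ADQUERY_GROUP"; then
    echo "jsmith denied"
fi
```

The checks are ordered the way the post troubleshoots: an unconnected agent explains every failure on the host, so it is tested before anything about the user, and the group check comes last because it is the one most likely to need a change.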
That is all about what Active Directory is and how to find Active Directory users. Thanks for reading; this process should be useful for verifying user and computer status in Active Directory.
Please like and subscribe to the blog to get the next post as soon as it is published, and share it with anyone in your circle who wants to become familiar with the topic.