windows-infra-admin
Windows Infrastructure Admin
Purpose
Provides Windows Server and enterprise administration expertise specializing in Active Directory, Hybrid Identity, and PowerShell automation. Manages enterprise Windows environments with Group Policy, Intune, and comprehensive infrastructure administration.
When to Use
- Designing or troubleshooting Active Directory topology (Forests, Domains, Sites)
- Implementing Group Policy Objects (GPO) for security hardening (CIS Benchmarks)
- Automating administrative tasks with PowerShell (User creation, Reporting)
- Configuring Hybrid Identity (Azure AD Connect / Cloud Sync)
- Managing Windows Server roles (DNS, DHCP, IIS, NPS, WSUS)
- Deploying endpoints via Intune / Autopilot
- Disaster Recovery planning for AD (Forest Recovery)
Examples
Example 1: AD Migration to Hybrid Identity
Scenario: Migrating on-premises AD to hybrid identity with Azure AD.
Implementation:
- Designed Azure AD Connect sync topology
- Implemented password hash synchronization
- Configured seamless single sign-on
- Set up conditional access policies
- Created hybrid join certificates
Results:
- Seamless authentication for cloud apps
- 99% reduction in password-related support tickets
- Improved security posture with MFA
- Foundation for Microsoft 365 migration
Example 2: GPO Security Hardening
Scenario: Hardening Windows endpoints to CIS Benchmarks.
Implementation:
- Analyzed current GPO landscape
- Created security baseline GPO
- Implemented password policies (NIST guidelines)
- Configured firewall and BitLocker policies
- Set up audit logging
Results:
- 95% compliance with CIS Benchmarks
- Security incidents reduced by 70%
- Passed external security audit
- Clear audit trail for compliance
Example 3: Intune Enrollment Automation
Scenario: Automating Windows device onboarding for remote workforce.
Implementation:
- Configured Autopilot for zero-touch deployment
- Created enrollment status screen policies
- Deployed configuration profiles for security settings
- Set up conditional access policies
- Created self-service BitLocker recovery
Results:
- Devices ready for use within 30 minutes
- 80% reduction in IT support calls
- Consistent security configuration across devices
- Improved user satisfaction
Best Practices
Active Directory
- Health Monitoring: Regular dcdiag and repadmin checks
- Backup: Daily system state backups with tested restores
- Least Privilege: Separate admin from regular accounts
- Cleanup: Regular stale object removal
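The "Health Monitoring" bullet names dcdiag and repadmin but not what to look at in their output. The following script is an added example, not part of the original page: it turns repadmin's CSV output into a list of failing replication links and runs a small dcdiag test set against every DC, flagging only failures. It assumes a domain-joined host with RSAT (the ActiveDirectory module, repadmin.exe and dcdiag.exe) and an account that can read replication status; the test list is a starting point, not an exhaustive one.

```powershell
# Added example: AD replication and DC health summary (assumes RSAT tools are installed).
Import-Module ActiveDirectory

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv prints one row per (source DC, destination DC, naming context)
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

function Test-DomainControllerHealth {
    param(
        # Tests whose failure means the DC is not serving the domain correctly
        [string[]]$Tests = @('Replications', 'Services', 'Advertising', 'SysVolCheck', 'DNS')
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($test in $Tests) {
            # /q prints only failures, so an empty result (no "failed test" line) means the test passed
            $output = (dcdiag /s:$($dc.HostName) /test:$test /q 2>&1) -join ' '
            [pscustomobject]@{
                DomainController = $dc.HostName
                Test             = $test
                Passed           = ($output -notmatch 'failed test')
                Detail           = $output.Trim()
            }
        }
    }
}

$failures = Get-ReplicationFailures
if ($failures) {
    Write-Warning "$(@($failures).Count) replication link(s) are failing"
    $failures | Format-Table -AutoSize
}
# Only unhealthy (DC, test) pairs are shown; a clean environment prints nothing here
Test-DomainControllerHealth | Where-Object { -not $_.Passed } | Format-Table -AutoSize
```

Schedule it daily alongside the system state backup: a link that has had no "Last Success Time" for longer than the tombstone lifetime is the case the Forest Recovery plan exists for, so it should surface here first.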
Group Policy
- Testing: Always test GPO in pilot first
- Documentation: Document GPO purpose and settings
- Security: Use security filtering appropriately
- Review: Annual GPO review and cleanup
PowerShell Automation
- Error Handling: Comprehensive try/catch/finally
- Modules: Create reusable modules
- Logging: Log all automation activities
- Testing: Test scripts before production use
Security
- Patching: Rapid patch deployment (within 30 days)
- MFA: Enforce MFA for all admin access
- Auditing: Enable advanced audit logging
- LAPS: Use for local administrator passwords
Hybrid Identity
- Sync Health: Monitor Azure AD Connect
- Conditional Access: Enforce policies for cloud access
- Password Protection: Enable banned password lists
- Access Reviews: Regular access reviews
Do NOT invoke when:
- Troubleshooting physical hardware failure → Use network-engineer (if network) or vendor support
- Managing Linux servers → Use linux-admin (if available) or devops-engineer
- Developing .NET applications → Use csharp-developer
- Configuring cloud-native Azure resources (VMs, VNets) → Use azure-infra-engineer
Core Capabilities
Active Directory Management
- Managing AD forests, domains, and trusts
- Implementing user and group lifecycle management
- Configuring organizational units and delegation
- Troubleshooting authentication and replication issues
Group Policy Administration
- Creating and managing GPOs for security settings
- Implementing security baselines and CIS benchmarks
- Troubleshooting policy application issues
- Managing policy preferences and filtering
PowerShell Automation
- Writing PowerShell scripts for administration
- Automating user provisioning and reporting
- Managing Active Directory with modules
- Implementing error handling and logging
Hybrid Identity
- Configuring Entra ID Connect for synchronization
- Managing hybrid identity scenarios
- Implementing conditional access policies
- Managing device enrollment with Intune
Workflow 2: Hybrid Identity Setup (Entra ID Connect)
Goal: Sync on-prem users to Azure AD for Office 365 access.
Steps:
1. Prerequisites
   - Clean up AD (IdFix tool).
   - Verified domain in Azure portal.
2. Install Azure AD Connect
   - Select Password Hash Sync (PHS) (most robust).
   - Enable SSO (Single Sign-On).
3. Filtering
   - Filter by OU (sync only User_OU and Admin_OU, exclude Service_Accounts).
4. Verification
   - Check Synchronization Service Manager.
   - Verify user appears in Azure Portal as "Directory Synced: Yes".
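The Prerequisites and Filtering steps decide whether the first sync succeeds, and the common failures (an unverified UPN suffix, characters IdFix rejects, duplicate mail or proxyAddresses) are all visible in AD before Azure AD Connect is installed. The script below is an added example, not part of the original page: it applies the same OU scope the workflow describes (User_OU and Admin_OU in, Service_Accounts out) and reports the objects that would fail or land in the wrong UPN. It assumes the RSAT ActiveDirectory module; the OU names come from the workflow, while the verified-domain list is a placeholder to be replaced with the domains verified in the Azure portal.

```powershell
# Added example: pre-sync readiness check for Entra ID Connect (assumes RSAT; OU names from the
# workflow, verified domain list is a placeholder for this environment).
Import-Module ActiveDirectory

$domainDn            = (Get-ADDomain).DistinguishedName
$syncOUs             = @("OU=User_OU,$domainDn", "OU=Admin_OU,$domainDn")  # in scope for sync
$excludedOU          = "OU=Service_Accounts,$domainDn"                    # never synced
$verifiedUpnSuffixes = @('corp.com')                                      # placeholder

function Get-SyncScopedUsers {
    # Same filter the sync rules will apply: everything under the synced OUs minus the excluded OU
    foreach ($ou in $syncOUs) {
        Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName, mail, proxyAddresses |
            Where-Object { $_.DistinguishedName -notlike "*,$excludedOU" }
    }
}

function Test-SyncReadiness {
    $users  = @(Get-SyncScopedUsers)
    $issues = [System.Collections.Generic.List[object]]::new()

    foreach ($u in $users) {
        $upn    = [string]$u.UserPrincipalName
        $suffix = ($upn -split '@')[-1]
        # 1. An unverified UPN suffix makes the cloud UPN fall back to the onmicrosoft.com domain
        if (-not $upn -or $suffix -notin $verifiedUpnSuffixes) {
            $issues.Add([pscustomobject]@{ User = $u.SamAccountName; Issue = 'UPN suffix not verified'; Value = $upn })
        }
        # 2. Characters IdFix flags as invalid in a UPN
        if ($upn -match '[\s\\%&*+/=?{}|<>()\[\];:,"]') {
            $issues.Add([pscustomobject]@{ User = $u.SamAccountName; Issue = 'Invalid character in UPN'; Value = $upn })
        }
    }

    # 3. mail / proxyAddresses must be unique across the scoped set or the export fails on that object
    $addresses = foreach ($u in $users) {
        if ($u.mail) { [pscustomobject]@{ User = $u.SamAccountName; Address = $u.mail.ToLower() } }
        foreach ($p in $u.proxyAddresses) {
            [pscustomobject]@{ User = $u.SamAccountName; Address = ($p -replace '^(?i)smtp:', '').ToLower() }
        }
    }
    $addresses | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
        $issues.Add([pscustomobject]@{ User = ($_.Group.User -join ','); Issue = 'Duplicate address'; Value = $_.Name })
    }
    return $issues
}

Test-SyncReadiness | Sort-Object Issue, User | Format-Table -AutoSize
```

Run it after IdFix and before installing Azure AD Connect; an empty result is the precondition for step 2. Note that it only looks at users in the scoped OUs, so a duplicate address held by an account outside the scope (for example in Service_Accounts) is not a sync conflict and is correctly not reported.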
4. Patterns & Templates
Pattern 1: Tiered Administration (Security)
Use case: Preventing credential theft (Pass-the-Hash).
- Tier 0 (Identity): Domain Admins. Can only log into DCs. (Red Card/Token).
- Tier 1 (Servers): Server Admins. Can log into Application Servers.
- Tier 2 (Workstations): Helpdesk. Can log into Workstations.
- Rule: Lower tiers CANNOT log into higher tier assets.
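The tiering rule is only as good as its enforcement, and the violation that matters most is a Tier 0 account signing in interactively or over RDP to a Tier 1 or Tier 2 machine, because that is the logon that leaves reusable credential material in the lower-tier host's LSASS. The script below is an added example, not part of the original page: it builds the Tier 0 account set from the built-in privileged groups and scans recent successful-logon events (4624) on a list of lower-tier hosts for those accounts with a cached-credential logon type. It assumes RSAT and remote read access to the Security log; the computer names are placeholders, and the group list should be extended with any custom Tier 0 groups.

```powershell
# Added example: detect Tier 0 accounts logging on to lower-tier hosts (assumes RSAT and
# remote Security-log read access; computer names are placeholders).
Import-Module ActiveDirectory

function Get-Tier0Accounts {
    # Built-in groups that are Tier 0 by definition; add custom ones (e.g. DC admins) here
    $groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    $groups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName -Unique
}

function Find-TierViolations {
    param(
        [Parameter(Mandatory)][string[]]$LowerTierComputers,  # Tier 1 servers / Tier 2 workstations
        [int]$Hours = 24
    )
    $tier0 = @(Get-Tier0Accounts)
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($computer in $LowerTierComputers) {
        # 4624 = successful logon. Types 2 (Interactive) and 10 (RemoteInteractive) cache credentials
        # on the host; type 3 (Network) does not and is expected for admin shares / WinRM over Kerberos.
        $events = Get-WinEvent -ComputerName $computer `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
            -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ([int]$data.LogonType -in @(2, 10) -and $data.TargetUserName -in $tier0) {
                [pscustomobject]@{
                    Computer  = $computer
                    Time      = $e.TimeCreated
                    Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    LogonType = $data.LogonType
                    Source    = $data.IpAddress
                }
            }
        }
    }
}

# Every row returned is a tiering violation to follow up; an empty result is the goal
Find-TierViolations -LowerTierComputers @('WS-001', 'APP-01') | Format-Table -AutoSize
```

The preventive control is the matching GPO ("Deny log on locally" and "Deny log on through Remote Desktop Services" for the Tier 0 groups, linked to the Tier 1 and Tier 2 OUs); this scan is the detective control that confirms the GPO is applied everywhere and catches hosts it never reached.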
Pattern 2: DFS Namespaces (File Sharing)
Use case: Abstracting file server names.
- Bad: Mapping \\Server01\Share. If Server01 dies, links break.
- Good: Mapping \\corp.com\Data\Share.
  - \\corp.com\Data is the DFS Namespace.
  - It points to \\Server01\Share (Target).
  - Migration to \\Server02 is invisible to users.
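The pattern is easiest to see as the sequence of namespace operations, including the migration step it exists for. The script below is an added example, not part of the original page: it creates the domain-based namespace and folder from the pattern with the DFSN module, then moves the folder target from Server01 to Server02 while the path users map stays \\corp.com\Data\Share. It assumes the DFS Namespaces tools are installed where it runs, that Server01 and Server02 already share the folders named, and that the data has been replicated to Server02 before the cut-over.

```powershell
# Added example: DFS namespace from the pattern plus a target migration (assumes the DFSN
# module, and that the shares on Server01/Server02 already exist and hold the same data).
Import-Module DFSN

$nsPath   = '\\corp.com\Data'        # what users see
$linkPath = '\\corp.com\Data\Share'  # what users map

# 1. Domain-based namespace root. The root target is a share on a namespace server;
#    the host name is a placeholder.
New-DfsnRoot -Path $nsPath -TargetPath '\\Server01\Data' -Type DomainV2 | Out-Null

# 2. Folder (link) whose target is the real file share
New-DfsnFolder -Path $linkPath -TargetPath '\\Server01\Share' | Out-Null

# 3. Migration: add Server02 as a second target, stop handing out referrals to Server01,
#    then remove it. Copy/replicate the data to Server02 before this step.
New-DfsnFolderTarget -Path $linkPath -TargetPath '\\Server02\Share' | Out-Null
Set-DfsnFolderTarget -Path $linkPath -TargetPath '\\Server01\Share' -State Offline
Remove-DfsnFolderTarget -Path $linkPath -TargetPath '\\Server01\Share' -Force

# 4. Verify: the link path is unchanged, only its target moved
Get-DfsnFolderTarget -Path $linkPath | Select-Object Path, TargetPath, State
```

Taking the old target Offline before removing it gives clients that already hold a referral time to fail over (referrals are cached, by default for 30 minutes on folders), so users never see a dead path during the move.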
Pattern 3: JEA (Just Enough Administration)
Use case: Allowing Helpdesk to reset passwords without being Domain Admins.

```powershell
# Role Capability File (.psrc) - create with New-PSRoleCapabilityFile and reference it from a
# session configuration's RoleDefinitions. The file is a single hashtable.
@{
    # Allow-list: only these cmdlets are visible in the JEA session, and only with the listed
    # parameters. -Reset and -NewPassword are needed for a helpdesk reset; with -Identity alone
    # Set-ADAccountPassword prompts for the user's current password.
    VisibleCmdlets = @(
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } }
    )
}
```
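A role capability file does nothing on its own; it has to be wrapped in a session configuration that maps an AD group to the role and decides what identity the commands run as. The script below is an added example, not part of the original page: it generates the .psrc from the pattern with New-PSRoleCapabilityFile, creates the session configuration, registers the endpoint and checks what a connecting user can see. The module folder, the CORP\Helpdesk group and the gMSA name are placeholders; the gMSA is assumed to hold only delegated "Reset password" and lockout-clearing rights on the user OU, which is what keeps the endpoint itself out of Tier 0.

```powershell
# Added example: register the JEA endpoint for the Helpdesk role (names are placeholders).
# Run elevated on the member server that will host the endpoint (not on a DC).
$moduleRoot = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpdeskJEA"
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJEA.psd1')

# 1. Role capability: cmdlet allow-list with parameter restrictions. It must sit in a module's
#    RoleCapabilities folder to be found by name from RoleDefinitions.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'PasswordReset.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } },
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } }
    )

# 2. Session configuration: which group gets which role, and the run-as identity. A gMSA with
#    only delegated rights on the user OU is preferred over a virtual account, which on a DC
#    would be Domain Admin-equivalent. Transcripts give the audit trail for every session.
New-PSSessionConfigurationFile -Path "$env:TEMP\Helpdesk.pssc" `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CORP\svc-helpdesk-jea' `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk' = @{ RoleCapabilities = 'PasswordReset' } }

# 3. Register the endpoint and confirm the command surface a Helpdesk member gets
Register-PSSessionConfiguration -Name 'Helpdesk' -Path "$env:TEMP\Helpdesk.pssc" -Force | Out-Null
Invoke-Command -ComputerName localhost -ConfigurationName 'Helpdesk' -ScriptBlock { Get-Command } |
    Select-Object Name
```

The last call should list the two AD cmdlets plus the handful of proxy commands a RestrictedRemoteServer session always exposes (Get-Command, Select-Object, Measure-Object and similar); anything else appearing there means the role or session file is wider than intended. Helpdesk staff then connect with Enter-PSSession -ComputerName <host> -ConfigurationName Helpdesk and never hold privileged credentials themselves.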
6. Integration Patterns
azure-infra-engineer:
- Handoff: Windows Admin manages on-prem AD → Azure Engineer sets up Entra ID Connect.
- Collaboration: Extending AD to Azure via VPN (IaaS DCs).
- Tools: Azure Active Directory.
security-auditor:
- Handoff: Auditor requests "User Access Review" → Windows Admin runs PowerShell report on Group Membership.
- Collaboration: Enforcing Password Policies and MFA.
- Tools: AD Audit Plus, Splunk.
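The "PowerShell report on Group Membership" in the security-auditor handoff is also the natural place to apply the PowerShell Automation best practices above (try/catch/finally, logging, a reusable function). The script below is an added example, not part of the original page: it exports the recursive membership of the privileged groups to CSV with the fields an access review needs and flags accounts that are disabled or dormant while still holding privilege. It assumes the RSAT ActiveDirectory module; the group list, output path and 90-day dormancy threshold are placeholders for this environment.

```powershell
# Added example: privileged group membership report for the auditor's access review
# (assumes RSAT; group list, paths and the 90-day threshold are placeholders).
Import-Module ActiveDirectory

function Export-PrivilegedGroupReport {
    [CmdletBinding()]
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                              'Account Operators', 'Server Operators', 'Backup Operators'),
        [string]$OutputPath = "C:\Reports\PrivilegedGroups_$(Get-Date -Format yyyyMMdd).csv",
        [string]$LogPath    = 'C:\Reports\PrivilegedGroups.log',
        [int]$DormantDays   = 90
    )
    function Write-Log([string]$Message) {
        $line = "$(Get-Date -Format o) $Message"
        Add-Content -Path $LogPath -Value $line   # every run is logged, success or failure
        Write-Verbose $line
    }

    $report = [System.Collections.Generic.List[object]]::new()
    try {
        New-Item -ItemType Directory -Path (Split-Path $OutputPath) -Force | Out-Null
        Write-Log "Starting report for $($Groups.Count) group(s)"
        foreach ($group in $Groups) {
            try {
                # -Recursive expands nested groups, which is where forgotten access usually hides
                $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                    Where-Object objectClass -eq 'user')
                foreach ($m in $members) {
                    $u = Get-ADUser -Identity $m.distinguishedName -ErrorAction Stop `
                        -Properties Enabled, LastLogonDate, PasswordLastSet, Title
                    $report.Add([pscustomobject]@{
                        Group           = $group
                        SamAccountName  = $u.SamAccountName
                        Title           = $u.Title
                        Enabled         = $u.Enabled
                        LastLogonDate   = $u.LastLogonDate
                        PasswordLastSet = $u.PasswordLastSet
                        # What the auditor acts on: disabled or dormant accounts that still hold privilege
                        Stale           = (-not $u.Enabled) -or
                                          (-not $u.LastLogonDate) -or
                                          ($u.LastLogonDate -lt (Get-Date).AddDays(-$DormantDays))
                    })
                }
                Write-Log "Group '$group': $($members.Count) user member(s)"
            } catch {
                # One unreadable group must not abort the whole review; record it and continue
                Write-Log "ERROR reading group '$group': $($_.Exception.Message)"
            }
        }
        $report | Sort-Object Group, SamAccountName | Export-Csv -Path $OutputPath -NoTypeInformation
        Write-Log "Wrote $($report.Count) row(s) to $OutputPath"
        return $OutputPath
    } catch {
        Write-Log "FATAL: $($_.Exception.Message)"
        throw
    } finally {
        Write-Log 'Report run finished'
    }
}

Export-PrivilegedGroupReport -Verbose
```

Dropping the function into a module (the "Modules" best practice) lets the same report be scheduled monthly and run on demand when the auditor asks; the log file, not the console, is what shows a missed run or a group that could not be read.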
network-engineer:
- Handoff: Network Engineer sets up VLANs → Windows Admin configures DHCP Scopes/IP Helpers.
- Collaboration: DNS resolution (Split-brain DNS).
- Tools: IPAM.