ACTIVE DIRECTORY ADMINISTRATION Chapter 5 ACTIVE DIRECTORY ADMINISTRATION

UNDERSTANDING USER ACCOUNTS Chapter 5: ACTIVE DIRECTORY ADMINISTRATION UNDERSTANDING USER ACCOUNTS Authentication User account types Administrator Guest

AUTHENTICATION AND ACCESS TOKEN Chapter 5: ACTIVE DIRECTORY ADMINISTRATION AUTHENTICATION AND ACCESS TOKEN

CATEGORIES OF USER ACCOUNTS Chapter 5: ACTIVE DIRECTORY ADMINISTRATION CATEGORIES OF USER ACCOUNTS Security Accounts Manager (SAM) Local Builtin user accounts Domain user accounts (NTDS.dit) Domain local

ADMINISTRATOR ACCOUNT Chapter 5: ACTIVE DIRECTORY ADMINISTRATION ADMINISTRATOR ACCOUNT Full control of computer, domain, forest Used to establish administrative structure and create other accounts Should be renamed Should be secured with a complex password Can be disabled, but cannot be deleted

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GUEST ACCOUNT Designed to allow temporary access to the network Disabled by default, but cannot be deleted Should be secured with a complex password if enabled

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GROUPS AND THEIR USERS

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GROUP TYPES

GROUP TYPES, SCOPES, AND CONVERTING Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GROUP TYPES, SCOPES, AND CONVERTING Distribution groups Typically used with applications to provide a list of users (Microsoft Exchange) Cannot be used to assign access permissions Security groups Primarily used to grant access Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION DOMAIN LOCAL GROUPS Membership: user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain. Purpose: Used to assign permissions to resources in the local domain. Once you assign permissions to this group, you can use it to grant those permissions to other groups or users.

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GLOBAL GROUPS Membership: User accounts, computer accounts, and other global groups. Purpose: Used to organize users. Users are typically assigned to global groups based on job role, task, or title.

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION UNIVERSAL GROUPS Membership: user accounts, computer accounts, global or universal groups. Purpose: Used to organize users or groups of users in global groups. Larger organizations typically use universal groups to group accounts from different domains.

GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL

GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL Chapter 5: ACTIVE DIRECTORY ADMINISTRATION GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION DEFAULT GROUPS Builtin security groups Pre-defined permissions Placed in Builtin and Users containers by default Groups are sometimes added when services are installed Dynamic Host Configuration Protocol (DHCP) service adds DHCP Admins and DHCP Users Domain Name System (DNS) adds DNS Admins and DNS UpdateProxy

SPECIAL IDENTITY GROUPS Chapter 5: ACTIVE DIRECTORY ADMINISTRATION SPECIAL IDENTITY GROUPS Anonymous Logon Everyone Authenticated Users Interactive Network

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION LOCAL GROUPS Only on non–Active Directory databases SAM database Domain members’ local security databases Typically used in peer-to-peer (workgroup) networks Used to grant system rights and access to resources available on the local computer

DEVELOPING A GROUP IMPLEMENTATION PLAN Chapter 5: ACTIVE DIRECTORY ADMINISTRATION DEVELOPING A GROUP IMPLEMENTATION PLAN Determine who has the ability to create and manage users and groups. Determine how domain local, global, and universal groups should be used. Define the guidelines for the creation and deletion of users and groups. Implement a common naming scheme for users and groups. Determine the appropriate uses of group nesting.

CREATING USERS AND GROUPS Chapter 5: ACTIVE DIRECTORY ADMINISTRATION CREATING USERS AND GROUPS Batch files netdsadd Directory Exchange Utilities CSVDE utility LDIFDE utility Windows Script Host (WSH)

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION USING BATCH FILES net user net group dsadd user dsadd group

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION USING CSVDE Comma-separated values. Header record must be defined using a distinguished name and schema attributes. Entries in the remainder of the file must follow the order of the header record. Once the file is created, use csvde -i -f file.txt to import the users. Cannot create users with passwords. Cannot modify existing user accounts.

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION USING LDIFDE Line-separated values. Object entries are separated by a hyphen. Once the file is created, use ldifde -i -f file.txt to import the users. Cannot create users with passwords. Can modify passwords once users are created. Can be used to import, export, and modify Active Directory objects.

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION USING WSH Allows you to write scripts to create users and other Active Directory objects. Scripts can be VBScript or Jscript. Allows for highly customized solutions that automate the creation of user accounts.

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION SUMMARY What are the two group types? Which type can be used to assign permissions? Which one is primarily for e-mail? Name three group scopes. What domain functional level is required for creating universal groups? Name methods for automating user account creation.