ACTIVE DIRECTORY ADMINISTRATION

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION

Briefly describe the topics covered in the chapter. Refer to the list of objectives at the beginning of Chapter 5.

UNDERSTANDING USER ACCOUNTS
- Authentication
- User account types
- Administrator
- Guest

This is an overview slide.

AUTHENTICATION AND ACCESS TOKEN

Describe the authentication process and the building of an access token. Use the whoami /all command to show a user’s access token.

CATEGORIES OF USER ACCOUNTS
- Security Accounts Manager (SAM)
- Local
- Builtin user accounts
- Domain user accounts (NTDS.dit)
- Domain local

This slide covers these topics slightly differently from the textbook. The “Understanding User Accounts” section in Chapter 5 describes three types of user accounts in Microsoft Windows Server 2003: local user accounts, domain user accounts, and Builtin user accounts. Describe the difference between the security database on client computers, stand-alone servers, and member servers versus the NTDS.dit security database that holds domain accounts. Open Active Directory Users And Computers and show the Builtin node.

ADMINISTRATOR ACCOUNT
- Full control of computer, domain, forest
- Used to establish administrative structure and create other accounts
- Should be renamed
- Should be secured with a complex password
- Can be disabled, but cannot be deleted

The default Administrator has full control of the local computer. On a domain controller, the Administrator account has full control access to the domain. On the domain controller in the forest root domain, this account has full control access to the forest. Be very careful not to disable the default Administrator account, unless you’ve created other administrative accounts. Renaming the Administrator account prevents someone from knowing which account is your administrative account by looking at the name. However, the default Administrator is always identifiable by the relative identifier, RID 500, which is the last three digits of the user’s security identifier (SID). You can see this with whoami /all. Consider asking the students to run the whoami /all command on their default Administrator accounts to confirm that those accounts also use RID 500. Note that the full SID is different between domains, but the RID of the default Administrator account is the same.
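As an added illustration (not part of the chapter or its instructor material), a small Python audit helper applies the RID 500 rule from this slide: it reads a USER INFORMATION table in the layout whoami /all prints, extracts the SID and labels the account by its RID, so a renamed Administrator is still recognised. The account name svc-backup, the SID values and the sample table are constructed.

```python
import re

# Well-known RIDs named in the chapter: 500 is the default Administrator, 501 the Guest.
WELL_KNOWN_RIDS = {500: "default Administrator", 501: "Guest"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def rid_of(sid):
    """Relative identifier: the last sub-authority of the SID."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def is_default_administrator(sid):
    """True for the built-in Administrator of any domain or machine, whatever its name.
    S-1-5-21-... is the domain/machine prefix that differs; the RID is what stays constant."""
    return sid.startswith("S-1-5-21-") and rid_of(sid) == 500


def parse_user_sid(whoami_all):
    """Return (account name, SID) from the USER INFORMATION table of whoami /all."""
    for line in whoami_all.splitlines():
        m = re.match(r"^(\S+\\\S+)\s+(S-1-5-21-\d+-\d+-\d+-\d+)\s*$", line.strip())
        if m:
            return m.group(1), m.group(2)
    raise ValueError("no domain user SID found")


def audit_account(whoami_all):
    """Label the logged-on account by RID, so a renamed Administrator is still reported as one."""
    name, sid = parse_user_sid(whoami_all)
    rid = rid_of(sid)
    return {"name": name, "sid": sid, "rid": rid,
            "label": WELL_KNOWN_RIDS.get(rid, "ordinary account")}


# Constructed sample in the layout whoami /all uses (not real output): the default
# Administrator has been renamed to svc-backup, but its RID is still 500.
SAMPLE = """USER INFORMATION
----------------

User Name          SID
================== =============================================
contoso\\svc-backup S-1-5-21-1004336348-1177238915-682003330-500
"""

if __name__ == "__main__":
    print(audit_account(SAMPLE))
```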

GUEST ACCOUNT
- Designed to allow temporary access to the network
- Disabled by default, but cannot be deleted
- Should be secured with a complex password if enabled

GROUPS AND THEIR USERS

Discuss how users are typically added to local groups in a workgroup or in the SAM database environment. This allows multiple users to gain access to a single resource or to obtain a group of permissions, such as changing the system time, shutting down the computer, and so on, just by being a member of a group. The access token is built during the logon process. The access token is compared to entries in the Access Control List (ACL) of resources, called Access Control Entries (ACEs). The user is allowed to access the resource based upon group membership.

GROUP TYPES

Explain that there are only two group types from which to choose when you are actually creating groups. There are also three group scopes, which will be discussed later. The next slide compares and contrasts Security and Distribution groups.

GROUP TYPES, SCOPES, AND CONVERTING
- Distribution groups
  - Typically used with applications to provide a list of users (Microsoft Exchange)
  - Cannot be used to assign access permissions
- Security groups
  - Primarily used to grant access
  - Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned

Create a new global group as a security group named Demo. Open that group’s properties. Show that you can type an e-mail address for a Security group. If your domain is still in Microsoft Windows 2000 mixed functional level, you can show that you are unable to change the group type from Security to Distribution. You can also show that you are unable to create universal groups. If the students have computers at their desktop with domains in Windows 2000 native functional level, they should be able to create a group and change its group type. Furthermore, they should see that they can create universal groups.

DOMAIN LOCAL GROUPS
- Membership: user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain.
- Purpose: Used to assign permissions to resources in the local domain. Once you assign permissions to this group, you can use it to grant those permissions to other groups or users.

Explain that local groups and domain local groups are usually assigned permissions directly. Domain local groups provide a place to group permissions. For example, if you decided that setting the system time and shutting down the domain controller is a permission that you’d like to assign to several people, you’d create a domain local group and assign those permissions directly to that group.

GLOBAL GROUPS
- Membership: user accounts, computer accounts, and other global groups.
- Purpose: Used to organize users. Users are typically assigned to global groups based on job role, task, or title.

Explain that users are typically assigned to global groups based on their common role or title in the organization. Describe how global groups can become members of domain local groups, thereby giving these members the permissions that were assigned directly to the domain local group. For example, many organizations create global groups named Accountants, Managers, Executives, Customer Service, and so on. Mention that you can only nest global groups in global groups when the domain functional level is Windows 2000 native or later. Continuing with the example provided in the previous slide: If you had a domain local group that allowed its members to shut down the server and change the system time, you could create a global group to contain the users who are able to manage the server in this way. Then you could make the global group a member of the domain local group to give these users the permission to shut down the server and change the system time.

UNIVERSAL GROUPS
- Membership: user accounts, computer accounts, global or universal groups.
- Purpose: Used to organize users or groups of users in global groups. Larger organizations typically use universal groups to group accounts from different domains.

Remind students that universal groups are only available when the domain functional level is Windows 2000 native or later. Table 5-1 in Chapter 5 covers the differences between global, domain local, and universal groups. Continuing with the example provided in the previous slide: If you want users from several domains to have the right to shut down the server and change the system time, you might create global groups for these users in each domain. Then you could create a universal group to hold these global groups. Instead of adding a global group directly to the domain local group, as in the earlier example, you would add the universal group to the domain local group. In this way, you’d be able to give permission to several users, from several different domains, that are all members of global groups in these other domains. This allows you to manage users in groups through global groups, permissions in groups through domain local groups, and even groups of users in groups through universal groups. Overall, this should reduce the amount of administrative effort when people or even groups of people join or leave your organization.

GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL
- Users can be members of global groups.
- Global groups can be members of local groups.

This allows you to group users separately from permissions and link them selectively.

GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL
- You can use additional groups, which are either global or universal, to create groups that hold other groups.
- This allows you to further organize or separate your administrative hierarchy.

The broken arrows in this diagram illustrate some of the options for nesting groups.
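The following Python model is an added example, not code from the chapter. It encodes the membership rules of the three scope slides and the two nesting slides as a can_nest check keyed on domain functional level, builds the access token described on the GROUPS AND THEIR USERS slide as the set of groups reachable through nesting, and evaluates that token against ACEs. The domains contoso and fabrikam, the users and the group names are constructed; the scenario is the shut-down-and-set-time example carried across two domains, and universal groups are modelled as unusable at the mixed level.

```python
from dataclasses import dataclass, field

MIXED, NATIVE = "Windows 2000 mixed", "Windows 2000 native"


@dataclass(eq=False)              # identity semantics: each principal is one node in the graph
class Principal:
    name: str
    domain: str
    scope: str = "user"           # "user", "global", "domain local" or "universal"
    members: set = field(default_factory=set)


def can_nest(member, group, level):
    """Membership rules from the scope and nesting slides, by domain functional level."""
    if group.scope == "universal":
        # universal groups exist only at Windows 2000 native or later
        return level != MIXED and member.scope in ("user", "global", "universal")
    if group.scope == "global":
        if member.domain != group.domain:
            return False           # global groups hold accounts from their own domain
        # nesting a global group inside a global group needs Windows 2000 native or later
        return member.scope == "user" or (member.scope == "global" and level != MIXED)
    if group.scope == "domain local":
        if member.scope in ("user", "global", "universal"):
            return True            # accepted from any domain
        return member.scope == "domain local" and member.domain == group.domain
    return False


def add_member(group, member, level):
    if not can_nest(member, group, level):
        raise ValueError(f"{member.scope} {member.name} cannot join {group.scope} {group.name} at {level}")
    group.members.add(member)


def token_groups(user, groups):
    """Groups that land in the logon access token: everything reachable through nesting."""
    token, stack = set(), [user]
    while stack:
        p = stack.pop()
        for g in groups:
            if p in g.members and g not in token:
                token.add(g)
                stack.append(g)
    return token


def access_allowed(user, groups, acl):
    """Compare the token with the ACEs (who, allow): a deny wins, else any matching allow grants."""
    identities = {user} | token_groups(user, groups)
    if any(who in identities for who, allow in acl if not allow):
        return False
    return any(who in identities for who, allow in acl if allow)


def demo(level=NATIVE):
    """The shut-down-and-set-time example across two domains (all names constructed):
    users in per-domain global groups, globals in one universal group, that universal
    in the domain local group which alone carries the permission."""
    alice, bob, carol = Principal("alice", "contoso"), Principal("bob", "fabrikam"), Principal("carol", "contoso")
    g_con = Principal("ServerManagers", "contoso", "global")
    g_fab = Principal("ServerManagers", "fabrikam", "global")
    u_all = Principal("AllServerManagers", "contoso", "universal")
    dl = Principal("ShutdownAndSetTime", "contoso", "domain local")
    groups = [g_con, g_fab, u_all, dl]
    add_member(g_con, alice, level)
    add_member(g_fab, bob, level)
    add_member(u_all, g_con, level)   # raises at Windows 2000 mixed level
    add_member(u_all, g_fab, level)
    add_member(dl, u_all, level)
    acl = [(dl, True)]                # the right is granted once, to the domain local group
    return {u.name: access_allowed(u, groups, acl) for u in (alice, bob, carol)}
```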

DEFAULT GROUPS
- Builtin security groups
- Pre-defined permissions
- Placed in Builtin and Users containers by default
- Groups are sometimes added when services are installed
  - Dynamic Host Configuration Protocol (DHCP) service adds DHCP Admins and DHCP Users
  - Domain Name System (DNS) adds DNS Admins and DNS UpdateProxy

Table 5-2 in Chapter 5 provides an exhaustive list of default groups, including group scope, locations, default memberships, and the purpose of each group. Consider asking students to review the table and then ask them targeted questions. For example, if you wish to assign someone the permission to remotely monitor a computer’s performance, to which group should you add them? The answer is Performance Monitor Users in the Builtin container.

SPECIAL IDENTITY GROUPS
- Anonymous Logon
- Everyone
- Authenticated Users
- Interactive
- Network

Describe each of the groups listed. Discuss the differences between the Everyone group in Windows Server 2003 and Windows 2000. Refer to Table 5-3 in Chapter 5. The table provides an exhaustive list of special identity groups, including information about each group’s members and purpose. Consider asking students to review the table and then ask them targeted questions. For example, a user who is using a keyboard and mouse attached directly to the computer on which the operating system is running is part of which special identity group? The answer is the Interactive group.

LOCAL GROUPS
- Only on non–Active Directory databases
  - SAM database
  - Domain members’ local security databases
- Typically used in peer-to-peer (workgroup) networks
- Used to grant system rights and access to resources available on the local computer

Explain that Microsoft Windows 9x and Microsoft Windows Me clients do not maintain local security databases and therefore do not have local groups. However, Microsoft Windows NT version 4.0, as well as computers using Windows 2000 and Microsoft Windows XP, do have local security databases, which contain local user and group accounts.

DEVELOPING A GROUP IMPLEMENTATION PLAN
- Determine who has the ability to create and manage users and groups.
- Determine how domain local, global, and universal groups should be used.
- Define the guidelines for the creation and deletion of users and groups.
- Implement a common naming scheme for users and groups.
- Determine the appropriate uses of group nesting.

Write out these determinations (shown in slide) in order to create a documented implementation plan.

CREATING USERS AND GROUPS
- Batch files: net, dsadd
- Directory Exchange Utilities: CSVDE utility, LDIFDE utility
- Windows Script Host (WSH)

This is an overview of different tools that can be used to create user accounts.

USING BATCH FILES
- net user
- net group
- dsadd user
- dsadd group

Explain that the net commands and dsadd commands allow you to add users, groups, and computers. However, with net commands you cannot create universal groups or specify as many user properties as you can with dsadd. Consider demonstrating the creation of users and groups with each of these commands. Mention that dsadd can be used to create organizational units (OUs). Consider mentioning other directory service (ds) commands, such as dsget, dsmod, dsmove, dsquery, and dsrm. Students can learn more about these tools by typing dsadd /?. At the bottom of the printed help is a list of other ds utilities.

USING CSVDE
- Comma-separated values.
- Header record must be defined using a distinguished name and schema attributes.
- Entries in the remainder of the file must follow the order of the header record.
- Once the file is created, use csvde -i -f file.txt to import the users.
- Cannot create users with passwords.
- Cannot modify existing user accounts.

Be sure to emphasize the limitations of this utility. In order to create users with CSVDE, you must disable password policies in the domain. CSVDE is unable to set passwords for users.

USING LDIFDE
- Line-separated values.
- Object entries are separated by a hyphen.
- Once the file is created, use ldifde -i -f file.txt to import the users.
- Cannot create users with passwords.
- Can modify passwords once users are created.
- Can be used to import, export, and modify Active Directory objects.

Since LDIFDE cannot be used to create a user with a password, password policies must be disabled in order to import user accounts. However, once the users are imported, you can use LDIFDE to modify the users’ passwords. Students can find an example of an LDIFDE file in Chapter 5. They will also have the opportunity to use LDIFDE to modify a user account as a Lab Challenge exercise. Consider demonstrating the command ldifde -r objectClass=user -f C:\users.txt. Then open c:\users.txt with Notepad to show that the command dumped a list of objects from the user class; these are the users of the domain.

USING WSH
- Allows you to write scripts to create users and other Active Directory objects.
- Scripts can be VBScript or JScript.
- Allows for highly customized solutions that automate the creation of user accounts.

Consider demonstrating the newuser.vbs from your instructor CD-ROM to create the account for Scott on the contoso.com domain. You can show the students and explain how this simple script works. The example in Chapter 5 uses the Lightweight Directory Access Protocol (LDAP) method, which requires that the object be created before a password can be set. This means that script won’t work with a password policy in place. However, the WINNT method, which is used in newuser.vbs, allows you to set a password during user account creation and works even if a password policy is in place. There are many more scripting examples available on the Microsoft Web site.

SUMMARY
- What are the two group types? Which type can be used to assign permissions? Which one is primarily for e-mail?
- Name three group scopes.
- What domain functional level is required for creating universal groups?
- Name methods for automating user account creation.

You can use this slide as a summary and interactive review.
- What are the two group types? (Security and Distribution groups)
- Which group type can be used to assign permissions? (Security group)
- Which group type is primarily for e-mail? (Distribution group)
- Name three group scopes. (domain local, global, and universal)
- What domain functional level is required to create universal groups? (Windows 2000 native or Windows Server 2003)
- Name methods for automating user account creation. (batch files, dsadd, LDIFDE, CSVDE, and WSH)