Chapter 4 Part 2

User Account Management
Once Active Directory is installed and configured, you enable users to access network servers and resources through user accounts. Several accounts might be set up by default, depending on which Windows components you install, but they include two primary accounts: Administrator and Guest.

User Account Management
Accounts can be set up in two general environments:
  Accounts that are set up through a stand-alone server that does not have Active Directory installed
  Accounts that are set up in a domain when Active Directory is installed
When accounts are created in the domain through Active Directory, those accounts can be used to access any resource within the domain.

Creating Accounts When Active Directory Is Not Installed (slides 1 to 3 of 3)

Creating Accounts When Active Directory Is Installed

Disabling, Enabling, and Renaming Accounts
Your organization may disable an account when someone leaves, and then later rename and enable the account for that person’s replacement. Renaming an account is easier than deleting the account and creating a new one.

Moving an Account
When an employee moves from one department to another, for example from the Payroll Department to the Budget Office, you might need to move that person’s account from one container to another, that is, between OUs. You can also reset a user's password and delete a user account.

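The disable, rename, enable and move steps described above, as an added PowerShell example (not part of the original slides). It assumes the ActiveDirectory module is available; the function name, logon names, OU and output file are hypothetical. A renamed account keeps its SID, so the replacement inherits the previous holder's group memberships unless they are reviewed.

```powershell
# Added example; every name, OU and file path here is a hypothetical placeholder.
Import-Module ActiveDirectory

function Reset-AccountForReplacement {
    param(
        [Parameter(Mandatory)] [string] $OldSam,        # leaver's logon name
        [Parameter(Mandatory)] [string] $NewSam,        # replacement's logon name
        [Parameter(Mandatory)] [string] $NewFullName,   # replacement's full name
        [Parameter(Mandatory)] [string] $TargetOU,      # DN of the destination OU
        [Parameter(Mandatory)] [securestring] $TempPassword
    )
    $user = Get-ADUser -Identity $OldSam -Properties MemberOf

    # 1. Disable first so the account cannot log on while it is being changed.
    Disable-ADAccount -Identity $user

    # 2. The SID survives a rename, so group memberships and ACL entries do too.
    #    Record the memberships for review before the replacement logs on.
    $user.MemberOf | Set-Content -Path ".\${OldSam}-groups-before-rename.txt"

    # 3. Rename the logon names, then the directory object itself.
    $names = @{ SamAccountName = $NewSam; DisplayName = $NewFullName }
    if ($user.UserPrincipalName) {
        $suffix = ($user.UserPrincipalName -split '@')[-1]
        $names.UserPrincipalName = "${NewSam}@${suffix}"
    }
    Set-ADUser -Identity $user @names
    Rename-ADObject -Identity $user.DistinguishedName -NewName $NewFullName

    # 4. Reset the password and force a change at first logon.
    $renamed = Get-ADUser -Identity $NewSam
    Set-ADAccountPassword -Identity $renamed -Reset -NewPassword $TempPassword
    Set-ADUser -Identity $renamed -ChangePasswordAtLogon $true

    # 5. Move between OUs (for example Payroll to Budget), then enable.
    Move-ADObject -Identity $renamed.DistinguishedName -TargetPath $TargetOU
    Enable-ADAccount -Identity $NewSam
}
```
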
Security Group Management
One of the best ways to manage accounts is by grouping accounts that have similar characteristics.
Scope of influence (or scope): the reach of a group for gaining access to resources in Active Directory. All of these groups can be used as security or distribution groups.
Security groups: used to enable access to resources on a stand-alone server or in Active Directory.
Distribution groups: used for e-mail or telephone lists, to provide quick, mass distribution of information.

Security Group Management
Types of Security Groups:
1. Local: used on stand-alone servers that are not part of a domain; the scope of this type of group is the local server on which it is defined
2. Domain local: used when there is a single domain or to manage resources in a particular domain so that global and universal groups can access those resources
3. Global: used to manage group accounts from the same domain so that those accounts can access resources in the same and in other domains
4. Universal: used to provide access to resources in any domain within a forest

Implementing Local Groups
Local security group: used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain (not DCs).
Stand-alone computers: computers that are not part of any domain.
Member servers: servers on a network managed by domain controllers that do not have Active Directory installed.
Each group would be given different security access based on the resources at the server.

Implementing Domain Local Groups
Domain local security group:
  Used when Active Directory is deployed
  Used to manage resources in a domain and to give global groups from the same and other domains access to those resources
A domain local group can contain user accounts, global groups, and universal groups.
The scope of a domain local group is the domain in which the group exists.
The typical purpose of a domain local group is to provide access to resources.
You grant access to servers, folders, shared folders, and printers to a domain local group.

Domain Local Security Group
You can convert a domain local group to a universal group if the following conditions are met:
1. The domain local group does not contain any other domain local groups.
2. The domain must be at the Windows Server 2003 or Windows Server 2008 domain functional level.

Designing Domain Local Groups
You should plan to put domain local groups in access control lists only, and the members of domain local groups should be mainly global groups.
An access control list (ACL) is a list of security privileges that have been set up for a particular object, such as a shared folder or shared printer.
Usually a domain local group does not contain accounts, because account management is more efficient when you handle it through global groups.

Implementing Global Groups
Global security group:
  Intended to contain user accounts and other global groups from the domain in which it was created
  Can also be set up as a member of a domain local group in the same or another domain
Global group members can access resources in other domains.
A global group can contain user accounts and other global groups from the domain in which it was created.
A global group can be converted to a universal group as long as it is not nested in another global group or in a universal group.

Implementing Global Groups (continued)
1. The president, in the college domain, needs access to resources in all three domains.
2. To do so, create a domain local group (LocalExec) and make the three groups (College, Student, Research) members of this group.
3. Create a GlobalExec global group in the college domain that has the president's user accounts as members.

Implementing Universal Groups
Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain.
Universal groups are offered to provide an easy means to access any resource in any domain.
Universal groups are offered to provide an easy means to access any resource in a tree or among trees in a forest.

Guidelines to help simplify how you plan to use groups
1. Use global groups to hold accounts as members, and keep the nesting of global groups to a minimum to avoid confusion.
2. Use domain local groups to provide access to resources in a specific domain.
3. Avoid placing accounts in domain local groups, but do make domain local groups members of access control lists for specific resources in the domain, such as shared folders and printers.
4. Use universal groups to provide extensive access to resources, particularly when Active Directory contains trees and forests, or to simplify access when there are multiple domains.
5. Make universal groups members of access control lists for objects in any domain, tree, or forest.
6. Manage user account access by placing accounts in global groups and joining global groups to domain local or universal groups, depending on which is most appropriate to the scope required for access.

Implementing Universal Groups (continued)
1. We want to give the president's account in the college domain access to all three domains.
2. An alternative is to create one universal group that has access to all resources in the three domains: create one global group containing the president and make that global group a member of the universal group.

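The president scenario and the guideline against placing accounts in domain local groups, as an added PowerShell example (not part of the original slides). It assumes the ActiveDirectory module, hypothetical domain names (college.example, student.example, research.example), a hypothetical president logon name and UniversalExec group, and one LocalExec group created in each domain; GlobalExec and LocalExec are the names used on the slides.

```powershell
# Added example; domain FQDNs, 'president', 'UniversalExec' and the function
# name are hypothetical. Groups are created in the default Users container.
Import-Module ActiveDirectory
$college = 'college.example'
$domains = $college, 'student.example', 'research.example'

# Accounts go into a global group in their own domain.
New-ADGroup -Name GlobalExec -GroupScope Global -GroupCategory Security -Server $college
Add-ADGroupMember -Identity GlobalExec -Members president -Server $college
$globalExec = Get-ADGroup -Identity GlobalExec -Server $college

# Option 1: a domain local group in each domain, with GlobalExec as its member.
# Each LocalExec is then placed on the ACLs of resources in its own domain.
foreach ($d in $domains) {
    New-ADGroup -Name LocalExec -GroupScope DomainLocal -GroupCategory Security -Server $d
    Add-ADGroupMember -Identity LocalExec -Members $globalExec -Server $d
}

# Option 2 (use instead of option 1): one universal group that holds GlobalExec
# and is placed on the ACLs of resources in all three domains.
New-ADGroup -Name UniversalExec -GroupScope Universal -GroupCategory Security -Server $college
Add-ADGroupMember -Identity UniversalExec -Members $globalExec -Server $college

# Audit for the guideline "avoid placing accounts in domain local groups":
# list every user account that is a direct member of a domain local group.
function Get-DomainLocalGroupsWithAccounts {
    param([Parameter(Mandatory)] [string] $Server)
    Get-ADGroup -Filter "GroupScope -eq 'DomainLocal' -and GroupCategory -eq 'Security'" -Server $Server |
        ForEach-Object {
            $group = $_
            Get-ADGroupMember -Identity $group -Server $Server |
                Where-Object objectClass -eq 'user' |
                Select-Object @{ n = 'Group'; e = { $group.Name } }, SamAccountName
        }
}
```

The audit also reports built-in domain local groups such as Administrators, which contain accounts by default.
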
Properties of Groups
All of the groups that you can create in Windows Server 2008 have a set of properties that can be configured. Properties of groups are configured using the following tabs:
  General: used to enter a description of the group, change the scope and type of group, and provide e-mail addresses for a distribution group
  Members: used to add members to a group, such as adding user accounts to a global group, and enables members to be removed
  Member Of: used to make the group a member of another group, or to remove the group’s membership
  Managed By: used to establish an account or group that will manage the group, if the manager is other than the server administrator; also, the location, telephone number, and fax number of the manager can be provided