ACTIVE DIRECTORY ADMINISTRATION

Presentation on theme: "ACTIVE DIRECTORY ADMINISTRATION"— Presentation transcript:

1 ACTIVE DIRECTORY ADMINISTRATION
Chapter 5: ACTIVE DIRECTORY ADMINISTRATION

Briefly describe the topics covered in the chapter. Refer to the list of objectives at the beginning of Chapter 5.

2 UNDERSTANDING USER ACCOUNTS
Authentication
User account types
Administrator
Guest

This is an overview slide.

3 AUTHENTICATION AND ACCESS TOKEN
Describe the authentication process and the building of an access token. Use the whoami /all command to show a user's access token: the output lists the user's SID, the SIDs of every group in the token (including groups reached through nesting), and the privileges the token carries. It is the contents of this token, not the account name, that the system compares against an object's permissions.

4 CATEGORIES OF USER ACCOUNTS
Security Accounts Manager (SAM)
Local
Builtin user accounts
Domain user accounts (NTDS.dit)
Domain local

This slide covers these topics slightly differently from the textbook. The "Understanding User Accounts" section in Chapter 5 describes three types of user accounts in Microsoft Windows Server 2003: local user accounts, domain user accounts, and Builtin user accounts. Describe the difference between the SAM security database on client computers, stand-alone servers, and member servers and the NTDS.dit database on domain controllers that holds the domain accounts. Open Active Directory Users And Computers and show the Builtin node.

5 ADMINISTRATOR ACCOUNT
Full control of computer, domain, forest
Used to establish administrative structure and create other accounts
Should be renamed
Should be secured with a complex password
Can be disabled, but cannot be deleted

The default Administrator has full control of the local computer. On a domain controller, the Administrator account has full control of the domain. On the domain controller in the forest root domain, this account has full control of the forest. Be very careful not to disable the default Administrator account unless you have created other administrative accounts. Renaming the Administrator account prevents someone from identifying your administrative account by looking at the name. However, the default Administrator is always identifiable by its relative identifier (RID), which is the final sub-authority of the account's security identifier (SID): the SID of the built-in Administrator always ends in -500 (S-1-5-21-<domain>-500), whatever the account is called, and anyone who can look up SIDs can find it. Treat the rename as a minor obstacle, not a control; the complex password and restricted use of the account are what actually protect it. You can see the SID with whoami /all. Consider asking the students to run whoami /all on their default Administrator accounts to confirm that those accounts also use RID 500. Note that the full SID differs between domains, because the domain portion differs, but the RID of the default Administrator account is the same.
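As an added example (not part of the presentation or its textbook), the following Python decodes the binary objectSid attribute that Active Directory stores, splits off the RID, and flags accounts with a well-known RID whose name no longer matches, which is how a renamed Administrator is found. The domain SID and the account list are constructed for the example.

```python
import struct

# Well-known RIDs of the default accounts that a rename cannot hide.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def sid_bytes_to_string(blob):
    """Decode the binary objectSid layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then `count` little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string, e.g. for building an (objectSid=...) LDAP filter."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """Return (domain SID, RID) for a domain account SID S-1-5-21-<a>-<b>-<c>-<RID>, else (None, None).
    Built-in local SIDs such as S-1-5-32-544 (BUILTIN\\Administrators) carry no domain RID."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        return None, None
    return "-".join(parts[:-1]), int(parts[-1])


def find_renamed_builtins(accounts):
    """accounts: iterable of (sAMAccountName, objectSid bytes), as an LDAP query would return them.
    Returns (name, domain SID, RID, expected name) for each well-known RID whose name was changed."""
    findings = []
    for name, blob in accounts:
        domain, rid = split_sid(sid_bytes_to_string(blob))
        if rid in WELL_KNOWN_RIDS and name.lower() != WELL_KNOWN_RIDS[rid].lower():
            findings.append((name, domain, rid, WELL_KNOWN_RIDS[rid]))
    return findings


# Constructed sample data: a made-up domain SID, an Administrator renamed to "sysop", and untouched accounts.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = [
    ("sysop", sid_string_to_bytes(DOMAIN_SID + "-500")),
    ("Guest", sid_string_to_bytes(DOMAIN_SID + "-501")),
    ("jdoe", sid_string_to_bytes(DOMAIN_SID + "-1106")),
]

if __name__ == "__main__":
    for name, domain, rid, expected in find_renamed_builtins(SAMPLE_ACCOUNTS):
        print("%s in %s has RID %d: this is the built-in %s account" % (name, domain, rid, expected))
```

To run this against a real domain, feed it the sAMAccountName and objectSid values of every user object; for example, ldifde -r "(objectClass=user)" -l sAMAccountName,objectSid -f users.ldf exports objectSid base64-encoded (written as objectSid::), which decodes to exactly the byte layout the code parses.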

6 GUEST ACCOUNT
Designed to allow temporary access to the network
Disabled by default, but cannot be deleted
Should be secured with a complex password if enabled

Like the Administrator account, the Guest account has a fixed RID (501), so renaming it does not hide it. Leave it disabled unless there is a specific need, and disable it again when that need ends.

7 GROUPS AND THEIR USERS

Discuss how users are typically added to local groups in a workgroup or SAM database environment. This allows multiple users to gain access to a single resource, or to obtain a set of user rights such as changing the system time or shutting down the computer, just by being members of a group. The access token is built during the logon process and carries the user's SID, the SIDs of every group the user belongs to (including groups reached through nesting), and the user's privileges. When the user opens a resource, the SIDs in the token are compared with the entries in the resource's access control list (ACL), called access control entries (ACEs), and access is allowed or denied based on the user's group membership.

8 GROUP TYPES

Explain that there are only two group types to choose from when you create a group: Security and Distribution. There are also three group scopes, which are discussed later. The next slide compares and contrasts Security and Distribution groups.

9 GROUP TYPES, SCOPES, AND CONVERTING
Distribution groups
Typically used with applications to provide a list of users (Microsoft Exchange)
Cannot be used to assign access permissions
Security groups
Primarily used to grant access
Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned

Create a new global group as a security group named Demo. Open that group's properties. Show that you can type an e-mail address for a security group. If your domain is still at the Windows 2000 mixed functional level, you can show that you cannot change the group type from Security to Distribution, and that you cannot create universal security groups. If the students have computers at their desks with domains at the Windows 2000 native functional level, they should be able to create a group and change its group type, and they should see that they can create universal security groups.

10 DOMAIN LOCAL GROUPS
Membership: user accounts, computer accounts, global groups, and universal groups from any domain in the forest (or from a trusted domain), and domain local groups from the same domain.
Purpose: Used to assign permissions to resources in the local domain. Once you assign permissions to this group, you can grant those permissions to other groups or users simply by making them members.

Explain that local groups and domain local groups are usually the groups to which permissions are assigned directly. Domain local groups provide a place to group permissions and user rights. For example, if you decided that setting the system time and shutting down the domain controller are rights you would like to give to several people, you would create a domain local group and assign those rights directly to it through User Rights Assignment in the domain controllers' Group Policy.

11 GLOBAL GROUPS
Membership: user accounts, computer accounts, and other global groups from the same domain.
Purpose: Used to organize users. Users are typically assigned to global groups based on job role, task, or title.

Explain that users are typically assigned to global groups based on their common role or title in the organization. Describe how global groups can become members of domain local groups, thereby giving their members the permissions that were assigned directly to the domain local group. For example, many organizations create global groups named Accountants, Managers, Executives, Customer Service, and so on. Mention that you can nest global groups in global groups only when the domain functional level is Windows 2000 native or later. Continuing with the example from the previous slide: if you had a domain local group that allowed its members to shut down the server and change the system time, you could create a global group to contain the users who are allowed to manage the server in this way. Then you would make the global group a member of the domain local group to give these users the right to shut down the server and change the system time.

12 UNIVERSAL GROUPS
Membership: user accounts, computer accounts, global groups, and universal groups from any domain in the forest.
Purpose: Used to organize users, or global groups of users, across domains. Larger organizations typically use universal groups to group accounts from different domains.

Remind students that universal security groups are only available when the domain functional level is Windows 2000 native or later. Table 5-1 in Chapter 5 covers the differences between global, domain local, and universal groups. Continuing with the example from the previous slide: if you want users from several domains to have the right to shut down the server and change the system time, you might create global groups for these users in each domain. Then you could create a universal group to hold these global groups. Instead of adding a global group directly to the domain local group, as in the earlier example, you would add the universal group to the domain local group. In this way you give the right to several users, from several different domains, who are all members of global groups in those domains. This lets you manage users in groups through global groups, permissions in groups through domain local groups, and groups of users in groups through universal groups. Overall, this should reduce the administrative effort when people, or even groups of people, join or leave the organization.

Universal group membership is stored in the global catalog. At the Windows 2000 forest functional level, any change to a universal group's membership replicates the group's entire member attribute to every global catalog server, so keep individual users out of universal groups and nest global groups instead; the Windows Server 2003 forest functional level introduces linked-value replication, which replicates only the members that changed.

13 GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL
Users can be members of global groups.
Global groups can be members of domain local groups.
This allows you to group users separately from permissions and link them selectively.

At the Windows 2000 mixed functional level this is the only nesting available: global groups cannot contain other global groups, domain local groups cannot contain other domain local groups, and universal security groups cannot be created.

14 GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL
You can use additional groups, either global or universal, to create groups that hold other groups. This allows you to further organize or separate your administrative hierarchy. The broken arrows in the slide's diagram illustrate some of the options for nesting groups.
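The nesting chain described on the group slides (users in global groups, global groups in a universal group, the universal group in a domain local group that holds the permissions) and the access check from the "Groups and Their Users" slide can be run end to end in a few lines. The following Python is an added example, not code from the presentation or its textbook: the CONTOSO and FABRIKAM domains, the group names and the users are constructed, and the access masks are simplified to three bits.

```python
from dataclasses import dataclass

# Constructed memberships following the AGDLP pattern from the slides: Accounts go into Global
# groups, global groups into a Universal group, that into a Domain Local group, and the
# Permissions are assigned to the domain local group.
MEMBERS = {
    "CONTOSO\\Accountants":      {"CONTOSO\\alice", "CONTOSO\\bob"},                 # global group
    "FABRIKAM\\Accountants":     {"FABRIKAM\\carol"},                                # global group, other domain
    "CONTOSO\\AllAccountants":   {"CONTOSO\\Accountants", "FABRIKAM\\Accountants"},  # universal group
    "CONTOSO\\Ledger-ReadWrite": {"CONTOSO\\AllAccountants"},                        # domain local group
    "CONTOSO\\Ledger-Denied":    {"CONTOSO\\bob"},                                   # domain local group
}


def token_groups(principal):
    """Transitive group membership: the group identities an access token carries for this principal."""
    groups, todo = set(), [principal]
    while todo:
        member = todo.pop()
        for group, members in MEMBERS.items():
            if member in members and group not in groups:
                groups.add(group)
                todo.append(group)
    return groups


# Simplified access-mask bits; real Windows masks are 32-bit and object-type specific.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    trustee: str   # account or group the ACE applies to (a SID in a real ACL)
    mask: int      # rights granted or denied


def access_check(principal, dacl, requested):
    """Walk the DACL as the documented Windows algorithm does:
    - no DACL at all (None): everything is allowed, a classic misconfiguration;
    - an empty DACL: nothing is allowed;
    - ACEs are evaluated in stored order: a matching access-denied ACE covering any requested right
      denies; matching access-allowed ACEs accumulate grants until every requested right is covered.
    Because evaluation is order-sensitive, Windows tools write denies before allows (canonical order);
    an ACL edited out of order can let an allow ACE win over a later deny."""
    if dacl is None:
        return True
    # All sample principals are authenticated domain users, so they also carry these identities.
    identities = token_groups(principal) | {principal, "Everyone", "Authenticated Users"}
    remaining = requested
    for ace in dacl:
        if ace.trustee not in identities:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL for a "Ledger" share, in canonical order (deny first).
LEDGER_DACL = [
    Ace(allow=False, trustee="CONTOSO\\Ledger-Denied", mask=READ | WRITE | DELETE),
    Ace(allow=True, trustee="CONTOSO\\Ledger-ReadWrite", mask=READ | WRITE),
]

if __name__ == "__main__":
    for user in ("CONTOSO\\alice", "CONTOSO\\bob", "FABRIKAM\\carol", "CONTOSO\\dave"):
        print(user, sorted(token_groups(user)),
              "read:", access_check(user, LEDGER_DACL, READ),
              "delete:", access_check(user, LEDGER_DACL, DELETE))
```

carol reaches the Ledger-ReadWrite group only through the universal group, which is the cross-domain case the universal group slide describes; bob is denied even though he is also in the allowed chain, because the deny ACE is evaluated first. Reverse the two ACEs and bob is allowed, which is why tools keep ACLs in canonical order.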

15 DEFAULT GROUPS
Builtin security groups
Pre-defined permissions and user rights
Placed in the Builtin and Users containers by default
Groups are sometimes added when services are installed
The DHCP Server service adds DHCP Administrators and DHCP Users
The DNS Server service adds DnsAdmins and DnsUpdateProxy

Table 5-2 in Chapter 5 provides an exhaustive list of default groups, including group scope, location, default membership, and the purpose of each group. Consider asking students to review the table and then ask them targeted questions. For example, if you wish to give someone the permission to remotely monitor a computer's performance, to which group should you add them? The answer is Performance Monitor Users in the Builtin container.

16 SPECIAL IDENTITY GROUPS
Anonymous Logon
Everyone
Authenticated Users
Interactive
Network

Describe each of the groups listed. Discuss the difference in the Everyone group between Windows 2000 and Windows Server 2003: in Windows 2000, Everyone included anonymous logons, whereas in Windows Server 2003 (and Windows XP) Anonymous Logon is no longer part of Everyone unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled. Refer to Table 5-3 in Chapter 5. The table provides an exhaustive list of special identity groups, including each group's members and purpose. Consider asking students to review the table and then ask them targeted questions. For example, a user who is using a keyboard and mouse attached directly to the computer on which the operating system is running is part of which special identity group? The answer is the Interactive group.

17 LOCAL GROUPS
Exist only in local SAM databases, not in Active Directory
SAM database on workstations, stand-alone servers, and member servers
Typically used in peer-to-peer (workgroup) networks
Used to grant user rights and access to resources on the local computer

Explain that Microsoft Windows 9x and Microsoft Windows Me clients do not maintain local security databases and therefore have no local groups. Microsoft Windows NT 4.0, Windows 2000, and Microsoft Windows XP computers do have local security databases, which contain local user and group accounts. A domain controller does not have a separate set of local groups; its Builtin groups are stored in Active Directory.

18 DEVELOPING A GROUP IMPLEMENTATION PLAN
Determine who has the ability to create and manage users and groups.
Determine how domain local, global, and universal groups should be used.
Define the guidelines for the creation and deletion of users and groups.
Implement a common naming scheme for users and groups.
Determine the appropriate uses of group nesting.

Write out these determinations (shown on the slide) in order to create a documented implementation plan.

19 CREATING USERS AND GROUPS
Batch files (net, dsadd)
Directory Exchange Utilities: CSVDE and LDIFDE
Windows Script Host (WSH)

This is an overview of the different tools that can be used to create user accounts.

20 USING BATCH FILES
net user
net group
dsadd user
dsadd group

Explain that the net commands and the dsadd commands allow you to add users, groups, and computers. However, with the net commands you cannot create universal groups or specify as many user properties as you can with dsadd. Consider demonstrating the creation of users and groups with each of these commands. Mention that dsadd can also create organizational units (OUs). Consider mentioning the other directory service (ds) commands: dsget, dsmod, dsmove, dsquery, and dsrm. Students can learn more about these tools by typing dsadd /?. At the bottom of the printed help is a list of the other ds utilities. Note that a password typed on the command line ends up in the batch file and in any log of the command; dsadd user accepts -pwd * to prompt for the password interactively instead.

21 USING CSVDE
Comma-separated values.
The header record lists the distinguished name (DN) and the schema attributes being imported.
Every remaining record must follow the order of the header record.
Once the file is created, use csvde -i -f file.txt to import the users.
Cannot create users with passwords.
Cannot modify existing user accounts.

Be sure to emphasize the limitations of this utility. CSVDE cannot set a password, so the accounts it creates have a blank password, and the textbook's approach is to disable the domain password policy so that such accounts can exist. A safer approach is to import the accounts disabled (userAccountControl 514), set each password afterwards, for example with dsmod user <DN> -pwd * -disabled no, and leave the password policy in force.

22 USING LDIFDE
Line-delimited attribute: value pairs (LDAP Data Interchange Format).
Each record starts with a dn: line; records are separated by a blank line, and within a changetype: modify record the individual attribute changes are separated by a line containing a single hyphen.
Once the file is created, use ldifde -i -f file.txt to import the users.
Cannot create users with passwords over an ordinary LDAP connection.
Can set or modify passwords once users are created, provided the import runs over LDAPS.
Can be used to import, export, and modify Active Directory objects.

Since LDIFDE cannot set a password over the default, unencrypted LDAP connection, the textbook has you disable the password policy in order to import user accounts. Active Directory refuses the unicodePwd attribute unless the connection is encrypted, so a better approach is to import the accounts disabled, then run a second LDIFDE modify file over LDAPS (ldifde -i -f passwords.ldf -t 636 -s <domain controller>, which requires a server certificate on the domain controller) that sets unicodePwd and enables the accounts, leaving the password policy in place. Students can find an example of an LDIFDE file in Chapter 5. They will also have the opportunity to use LDIFDE to modify a user account as a Lab Challenge exercise. Consider demonstrating the command ldifde -r objectClass=user -f C:\users.txt. Then open C:\users.txt with Notepad to show that the command dumped a list of objects from the user class. Point out that the list also contains computer accounts, because the computer class derives from user; the filter (&(objectCategory=person)(objectClass=user)) returns only user accounts.

23 USING WSH
Allows you to write scripts to create users and other Active Directory objects.
Scripts can be VBScript or JScript.
Allows for highly customized solutions that automate the creation of user accounts.

Consider demonstrating newuser.vbs from your instructor CD-ROM to create the account for Scott in the contoso.com domain. You can show the students the script and explain how it works. The example in Chapter 5 uses the Lightweight Directory Access Protocol (LDAP) provider, which requires that the object be created before a password can be set. This means that script does not work with a password policy in place. However, the WinNT provider, which newuser.vbs uses, allows you to set a password during user account creation and works even if a password policy is in place. Note the trade-off: the WinNT provider exposes only the basic SAM-style account attributes and has no notion of organizational units, so it cannot set Active Directory-specific attributes or place the new account in a particular OU. There are many more scripting examples on the Microsoft Web site.

24 SUMMARY
What are the two group types? Which type can be used to assign permissions? Which one is primarily for e-mail?
Name the three group scopes.
What domain functional level is required for creating universal groups?
Name methods for automating user account creation.

You can use this slide as a summary and interactive review. What are the two group types? (Security and Distribution groups.) Which group type can be used to assign permissions? (Security group.) Which group type is primarily for e-mail? (Distribution group.) Name the three group scopes. (Domain local, global, and universal.) What domain functional level is required to create universal groups? (Windows 2000 native or Windows Server 2003.) Name methods for automating user account creation. (Batch files, dsadd, LDIFDE, CSVDE, and WSH.)

