Week 4 Manage Users and Groups

Presentation on theme: "Week 4 Manage Users and Groups"— Presentation transcript:

1 Week 4 Manage Users and Groups
Course 6425B, Week 4: Manage Users and Groups
Module 3: Manage Users
  Create and Administer User Accounts
  Configure User Object Attributes
  Automate User Account Creation
Manage an Enterprise with Groups
  Administer Groups
  Best Practices for Group Management
NTFS and Share Permissions

2 User Account
A user account is an object that:
  Enables authentication of a user, with attributes including a user logon name and password
  Is a security principal with a security identifier (SID) that can be assigned permissions to resources
A user account can be stored:
  In Active Directory®, where it enables logon to the domain and can be assigned permissions to resources anywhere in the domain. Domain user accounts are administered with Active Directory snap-ins and commands.
  In the local security accounts manager (SAM) database of a member computer, where it enables logon to the local computer and can be assigned permissions to local resources. Local user accounts are administered with the Local Users and Groups snap-in and the net user command.

3 Name Attributes
User logon name (pre-Windows 2000): sAMAccountName
  Unique in the domain; 20-character limit
  Example: CONTOSO\Tony.Krijnen
User logon name: userPrincipalName (UPN)
  Name + UPN suffix; unique in the forest
Name or Full Name: cn (common name)
  Unique in the OU, so that the relative distinguished name (RDN) is unique in the OU, so that, in turn, the object's distinguished name (distinguishedName attribute) is unique in the forest
  Example: Tony Krijnen
Display name: displayName
  Shown in the Exchange global address list (GAL)
  Best if unique, but not technically required to be unique
  Example: Krijnen, Tony

4 Account Attributes
Logon Hours: logonHours
Log On To: userWorkstations
Account options:
  User must change password at next logon
  User cannot change password
  Password never expires
  Account is disabled
  Store password using reversible encryption
  Smart card is required for interactive logon
  Account is trusted for delegation
Account expires

5 Unlock a User Account
In Active Directory Users and Computers, right-click the user object and click Properties. Click the Account tab, and then select Unlock Account.
Or, in the Reset Password dialog box, select Unlock the user's account.
Watch out for drives mapped with alternate credentials: a leading cause of account lockout is when the alternate credentials' password changes.

6 Create and modify Users with DS commands
dsadd user "UserDN" -samid Pre-Windows2000LogonName -pwd {password | *} -mustchpwd yes
  UserDN: distinguished name of the user to create
  -samid: required for a new account
  -pwd password: the desired initial password
  -mustchpwd {yes | no}: user must change password at next logon
  Lots of optional attributes, such as -email, -hmdir and -profile
dsmod user UserDN [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName] [-dn DisplayName] [-email Address]
  You cannot change the user logon names or the CN with dsmod
dsmove UserDN -newname "New CN"
dsmod user UserDN -pwd NewPassword -mustchpwd yes

7 Disable and delete a User Account
dsmod user UserDN -disabled {yes | no}
dsrm UserDN
When you delete an account, you lose:
  The group memberships
  The security identifier (SID)
Common practice:
  Disable the account and move it to an OU for disabled objects
  After a period of time, delete the account

8 Move a User Account
In Active Directory Users and Computers, right-click the user and then click Move, or drag the user object and drop it onto the destination OU.
dsmove UserDN -newparent TargetOUDN

9 View and Modify Attributes (User Properties)
The Attribute Editor: in Active Directory Users and Computers, click the View menu, then select Advanced Features.
Modify multiple users' properties:
  Select multiple users (for example, by using CTRL+click)
  Right-click any one of the selected users, and then click Properties

10 Manage User Attributes with DSMod and DSGet
DSMod modifies the attributes of object(s):
  dsmod user UserDN ... [-parameter value ...]
  UserDN ...: distinguishedName of the user(s) to modify
  Parameter: attribute to modify (dsmod user /? lists them); often does not map to the same name as the LDAP attribute (dsmod -dept vs. LDAP department)
DSGet gets (returns) the value of attributes of object(s):
  dsget user UserDN ... [-parameter ...]
  dsget user /?
DSQuery can return objects based on search criteria and pipe those objects to DSGet and DSMod:
  dsquery user -desc "Marketing Task Force" | dsget user -email

11 Export Users with CSVDE
[Diagram: Active Directory <-> CSVDE.exe <-> filename.ldf (export / import)]
CSV (comma-separated value, or comma-delimited text) can be edited with simple text editors (Notepad) or Microsoft Office Excel®
csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes
  RootDN: start of export (default = domain)
  SearchScope: scope of export (Base, OneLevel, Subtree)
  Filter: filter within the scope (LDAP query language)
  ListOfAttributes: use the LDAP names

12 Import Users with CSVDE
[Diagram: Active Directory <-> CSVDE.exe <-> filename.ldf (export / import)]
csvde -i -f filename [-k]
  -i: import (default mode is export)
  -k: continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled
Cannot modify existing users

13 Import Users with LDIFDE
[Diagram: Active Directory <-> LDIFDE.exe <-> filename.ldf (export / import)]
LDAP Data Interchange Format (LDIF)
ldifde [-i] [-f filename] [-k]
  -i: import (default mode is export)
  -k: continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled
Can modify or remove existing users

14 Access Management Without Groups
Course 6425B Module 4: Manage Groups
[Diagram: Identity, Resource, Access Management]

15 Groups Add Manageability
[Diagram: Identity, Group, Resource, Access Management]

16 Groups Add Scalability
[Diagram: Identity, Group, Resource, Access Management]

17 Role-Based Management: Role Groups and Rule Groups
[Diagram: Identity, Role Group, Rule Group, Resource, Access Management]

18 Define Group Naming Conventions
Name properties:
  Group name: cn and name of the group; unique within the OU
  Group name (pre-Windows 2000): sAMAccountName of the group; unique in the domain
  Use the same name (unique in the domain) for both properties
Naming conventions:
  Role groups: simple, unique name, such as Sales or Consultants
  Management groups: for example, ACL_Sales Folders_Read
    Prefix: management purpose of the group, such as ACL
    Resource identifier: what is managed, such as Sales Folders
    Suffix: access level, such as Read
    Delimiter: separates name components, such as underscore (_)

19 Group Type
Distribution groups:
  Used only with e-mail applications
  Not security-enabled (no SID); cannot be given permissions
Security groups:
  Security principal with a SID; can be given permissions
  Can also be e-mail enabled

20 Group Scope
Four group scopes: Local, Global, Domain Local, Universal
Characteristics that distinguish each scope:
  Replication: where are the group and its membership stored?
  Membership: what types of objects, from which domains, can be members of the group?
  Availability (scope): where can the group be used? In what scopes of groups can the group be a member? Can the group be added to an ACL?

21 Local Groups
Replication:
  Defined in the security accounts manager (SAM) of a domain member or workgroup computer
  Membership not replicated to any other system
Membership (a local group can include as members):
  Any security principals from the domain: users (U), computers (C), global groups (GG), or domain local groups (DLG)
  U, C, GG from any domain in the forest
  U, C, GG from any trusted domain
  Universal groups (UG) defined in any domain in the forest
Availability/scope:
  Limited to the machine on which the group is defined; can be used for ACLs on the local machine only
  Cannot be a member of any other group

22 Domain Local Groups
Replication:
  Defined in the domain naming context
  Group and membership replicated to every DC in the domain
Membership (a domain local group can include as members):
  Any security principals from the domain: U, C, GG, DLG
  U, C, GG from any domain in the forest
  U, C, GG from any trusted domain
  UG defined in any domain in the forest
Availability/scope:
  Can be on ACLs on any resource on any domain member
  Can be a member of other domain local groups or of machine local groups
  Well suited for defining business management rules

23 Global Groups
Replication:
  Defined in the domain naming context
  Group and membership are replicated to every DC in the domain
Membership (a global group can include as members):
  Only security principals from the same domain: U, C, GG, DLG
Availability/scope:
  Available for use by all domain members, all other domains in the forest, and all trusting external domains
  Can be on ACLs on any resource on any computer in any of those domains
  Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external domain
  Well suited for defining roles

24 Universal Groups
Replication:
  Defined in a single domain in the forest
  Replicated to the global catalog (forestwide)
Membership (a universal group can include as members):
  U, C, GG, and UG from any domain in the forest
Availability/scope:
  Available to every domain and domain member in the forest
  Can be on ACLs on any resource on any system in the forest
  Can be a member of other UGs or DLGs anywhere in the forest
Useful in multidomain forests for:
  Defining roles that include members from multiple domains
  Defining business management rules that manage resources in multiple domains in the forest

25 Group Scope Possibilities Summarized
Group Scope  | Members from Same Domain          | Members from Domain in Same Forest | Members from Trusted External Domain | Replication               | Can be Assigned Permissions to Resources
Local        | U, C, GG, DLG, UG and local users | U, C, GG, UG                       | U, C, GG                             | Not replicated            | On the local computer only
Domain Local | U, C, GG, DLG, UG                 | U, C, GG, UG                       | U, C, GG                             | To every DC in the domain | Anywhere in the domain
Global       | U, C, GG                          | N/A                                | N/A                                  | To every DC in the domain | Anywhere in the domain or a trusted domain
Universal    | U, C, GG, UG                      | U, C, GG, UG                       | N/A                                  | To Global Catalog server  | Anywhere in the forest
Key: U = user; C = computer; GG = global group; DLG = domain local group; UG = universal group
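The membership rules on slides 21 through 25 can be checked mechanically before a group change is made. The Python model below is an added example and not part of the course material: it encodes, for each group scope, which principal kinds may be members depending on whether the member comes from the group's own domain, from another domain in the same forest, or from a trusted external domain. One point to note: global groups are modelled as accepting only users, computers and global groups from their own domain, which is the Active Directory rule (slide 23's wording also lists DLG, but a domain local group cannot be nested in a global group). The domain and principal names used are constructed.

```python
from dataclasses import dataclass

# Relationship between the member's domain and the group's domain.
SAME_DOMAIN, SAME_FOREST, EXTERNAL_TRUSTED = "same_domain", "same_forest", "external_trusted"

# Principal kinds, using the slide abbreviations; LOCAL is a local (SAM) account.
U, C, GG, DLG, UG, LOCAL = "U", "C", "GG", "DLG", "UG", "LOCAL"

# Allowed member kinds for each group scope and domain relationship (slides 21-25).
MEMBERSHIP_RULES = {
    "local": {
        SAME_DOMAIN: {U, C, GG, DLG, UG, LOCAL},
        SAME_FOREST: {U, C, GG, UG},
        EXTERNAL_TRUSTED: {U, C, GG},
    },
    "domain_local": {
        SAME_DOMAIN: {U, C, GG, DLG, UG},
        SAME_FOREST: {U, C, GG, UG},
        EXTERNAL_TRUSTED: {U, C, GG},
    },
    "global": {
        SAME_DOMAIN: {U, C, GG},     # same-domain principals only, no DLG
        SAME_FOREST: set(),
        EXTERNAL_TRUSTED: set(),
    },
    "universal": {
        SAME_DOMAIN: {U, C, GG, UG},
        SAME_FOREST: {U, C, GG, UG},
        EXTERNAL_TRUSTED: set(),     # nothing from an external trust
    },
}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # U, C, GG, DLG, UG or LOCAL
    domain: str  # DNS name of the domain; for a LOCAL account, the domain its computer is joined to


@dataclass(frozen=True)
class Group:
    name: str
    scope: str   # local, domain_local, global or universal
    domain: str  # for a local group, the domain its computer is joined to


def relationship(member_domain, group_domain, forest, trusted_external):
    """Classify where the member comes from relative to the group's domain.
    Returns None for a domain that is neither in the forest nor trusted."""
    if member_domain == group_domain:
        return SAME_DOMAIN
    if member_domain in forest:
        return SAME_FOREST
    if member_domain in trusted_external:
        return EXTERNAL_TRUSTED
    return None


def can_be_member(member, group, forest, trusted_external=frozenset()):
    """True if the scope rules accept `member` in `group`. `forest` is the set of
    domain names in the group's forest, `trusted_external` the externally trusted ones."""
    rel = relationship(member.domain, group.domain, forest, trusted_external)
    if rel is None:
        return False
    return member.kind in MEMBERSHIP_RULES[group.scope][rel]


def explain_rejections(members, group, forest, trusted_external=frozenset()):
    """Names of the candidate members the group scope would reject; useful when
    planning role-group into rule-group nesting (slide 26)."""
    return [m.name for m in members
            if not can_be_member(m, group, forest, trusted_external)]
```

Running `explain_rejections` over a planned membership list before issuing `dsmod group -addmbr` turns a scope mistake into a list of names instead of an error from the directory.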

26 Role-Based Management and Windows Group Management Strategy
Course 6425B Module 4: Managing Security
Universal groups can serve as both forestwide role definitions and forestwide management groups, so in many cases the universal group will supplant the global group, the domain local group, or both, leading to IUA, IGUA, or IUDLA.
[Diagram: Identity, Role Group, Rule Group, Resource, Access Management; Identity, Global, Domain Local, Access]

27 Create Groups with DSAdd
dsadd group GroupDN -secgrp {yes | no} -scope {g | l | u}
  GroupDN: distinguished name of the group to create
  -secgrp: security-enabled (yes = security; no = distribution)
  -scope: scope (g = global, l = domain local, u = universal)
  -samid: sAMAccountName (not necessary; defaults to cn)
  -desc Description: description attribute
  -member MemberDN ...: space-separated list of members to add when creating the group
  -memberof GroupDN ...: space-separated list of groups to add this group to
dsadd group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -samid Marketing -secgrp yes -scope g

28 Import Groups with CSVDE
Comma-separated values (csv) file format
csvde -i -f "filename" [-k]
  -i: import; default mode is export
  -f: file name
  -k: continue on error, such as object already exists
CSVDE can create groups, not modify existing groups
File layout: a comma-separated list of attributes on the first line, then the groups to create, one per line, with the attributes in the same order (a multi-valued attribute such as member is one quoted field with the values separated by semicolons)
Example:
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com","CN=Linda Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com;CN=Scott Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"

29 Import Groups with LDIFDE
Lightweight Directory Access Protocol Data Interchange Format (LDIF) file
ldifde -i -f "filename" [-k]
  -i: import (default mode is export)
  -f: file name
  -k: continue on error, such as object already exists
Example (records are separated by a blank line; each needs its own changetype and objectClass):
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changetype: add
cn: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance

dn: CN=Research,OU=Role,OU=Groups,DC=contoso,DC=com
changetype: add
cn: Research
description: Research Users
objectClass: group
sAMAccountName: Research

30 Convert Group Type and Scope
In Active Directory Users and Computers, you can change the group type:
  Security to distribution (you lose the permissions assigned to the group)
  Distribution to security
In Active Directory Users and Computers, you can change the group scope:
  Global to universal
  Domain local to universal
  Universal to global
  Universal to domain local
You cannot change DL → G or G → DL directly, but you can change DL → U → G or G → U → DL.
dsmod group GroupDN -secgrp {yes | no} -scope {l | g | u}
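The scope conversions on slide 30 form a small graph, and a two-hop change such as domain local to global is just a path through it. The following Python is an added example, not course code: it finds the conversion path, emits one `dsmod group -scope` command per hop, and also checks the preconditions Active Directory enforces on each hop, which the slide does not list (a global group that is a member of another global group cannot become universal, a universal group containing universal groups cannot become global, and a domain local group containing domain local groups cannot become universal). The group DN in the test is constructed.

```python
from collections import deque

# Direct scope changes that Active Directory Users and Computers (and
# dsmod group -scope) allow, per slide 30.
DIRECT_CONVERSIONS = {
    "global": {"universal"},
    "domain_local": {"universal"},
    "universal": {"global", "domain_local"},
}

# dsmod group -scope letters: g = global, l = domain local, u = universal.
SCOPE_FLAG = {"global": "g", "domain_local": "l", "universal": "u"}


def conversion_path(src, dst):
    """Shortest sequence of scopes from src to dst using only direct
    conversions, or None if there is none (a machine local group, for
    example, cannot be converted at all). Breadth-first search."""
    if src == dst:
        return [src]
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        for nxt in DIRECT_CONVERSIONS.get(path[-1], ()):
            if nxt in seen:
                continue
            if nxt == dst:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def conversion_blockers(src, dst, member_kinds, memberof_kinds):
    """Reasons a single direct hop would be refused by the directory.
    member_kinds are the kinds (U, C, GG, DLG, UG) of the group's direct
    members; memberof_kinds the kinds of the groups it belongs to."""
    problems = []
    if (src, dst) == ("global", "universal") and "GG" in memberof_kinds:
        problems.append("group is a member of a global group")
    if (src, dst) == ("universal", "global") and "UG" in member_kinds:
        problems.append("group contains universal groups")
    if (src, dst) == ("domain_local", "universal") and "DLG" in member_kinds:
        problems.append("group contains domain local groups")
    return problems


def dsmod_commands(group_dn, src, dst):
    """One dsmod group command per hop of the conversion path."""
    path = conversion_path(src, dst)
    if path is None:
        raise ValueError(f"no supported conversion from {src} to {dst}")
    return [f'dsmod group "{group_dn}" -scope {SCOPE_FLAG[s]}' for s in path[1:]]
```

Because the intermediate universal step replicates the group to the global catalog, the hop through universal is worth planning rather than improvising at the console.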

31 Modify Group Membership with DSMod
dsmod group "GroupDN" [options]
  -addmbr "MemberDN": add a member
  -rmmbr "MemberDN": remove a member
dsmod group "CN=Research,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr "CN=Mike Danseglio,OU=Employees,OU=User Accounts,DC=contoso,DC=com"

32 Modify Group Membership with LDIFDE
LDIF file with changetype: modify
  Third line: what type of change? add: member adds values to the member attribute
  To delete a member, just change it to delete: member
  The change operation is terminated with a line containing only -
dn: CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com
changetype: modify
add: member
member: CN=April Stewart,OU=Employees,OU=User Accounts,dc=contoso,dc=com
member: CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,dc=contoso,dc=com
-
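Hand-typed CSVDE and LDIFDE files (slides 11 through 13, 28, 29 and 32) fail on the details: a DN contains commas and must be quoted, several member values share one field, an LDIF record needs a blank line after it, and a value that starts with a space has to be base64-encoded. The Python below is an added example, not course code, that generates both file formats from plain data. The DNs and the April.Stewart logon name are constructed sample values; the userAccountControl value 514 is the standard disabled-account flag combination (NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2).

```python
import base64
import csv
import io


def csvde_file(objects, attributes):
    """Build CSVDE import text: the first line lists the attributes, then one
    object per line in the same order. Multi-valued attributes (member) are
    joined with ';' inside one field; the csv module quotes every field that
    contains a comma, which is every DN."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(attributes)
    for obj in objects:
        row = []
        for attr in attributes:
            value = obj.get(attr, "")
            row.append(";".join(value) if isinstance(value, (list, tuple)) else value)
        writer.writerow(row)
    return buf.getvalue()


def ldif_attr(attr, value):
    """One LDIF attribute line. Values that begin with a space, ':' or '<', or
    that contain non-ASCII or control characters, must be base64-encoded and
    written with a double colon."""
    unsafe = value[:1] in (" ", ":", "<") or any(
        ord(ch) > 127 or ch in "\r\n\0" for ch in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_add(dn, attrs):
    """A 'changetype: add' record (slide 29). Attribute values may be lists."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        lines.extend(ldif_attr(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def ldif_modify_members(dn, members, op="add"):
    """A 'changetype: modify' record that adds or deletes member values
    (slide 32); the operation block ends with a line containing only '-'."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    lines = [f"dn: {dn}", "changetype: modify", f"{op}: member"]
    lines.extend(ldif_attr("member", m) for m in members)
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_file(records):
    """Records in one LDIF file are separated by a blank line."""
    return "\n".join(records)


# Constructed sample DNs in the slides' contoso.com lab naming.
MARKETING_DN = "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com"
FINANCE_DN = "CN=Finance,OU=Role,OU=Groups,DC=contoso,DC=com"
LINDA_DN = "CN=Linda Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"
SCOTT_DN = "CN=Scott Mitchell,OU=Employees,OU=User Accounts,DC=contoso,DC=com"
APRIL_DN = "CN=April Stewart,OU=Employees,OU=User Accounts,DC=contoso,DC=com"

# userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the state
# an imported user ends up in anyway, because neither tool can import passwords.
DISABLED_USER = "514"


def sample_csv():
    """The group import from slide 28, generated instead of typed by hand."""
    return csvde_file(
        [{"objectClass": "group", "sAMAccountName": "Marketing",
          "DN": MARKETING_DN, "member": [LINDA_DN, SCOTT_DN]}],
        ["objectClass", "sAMAccountName", "DN", "member"])


def sample_ldif():
    """A disabled user, a group, and a membership change in one LDIF file."""
    return ldif_file([
        ldif_add(APRIL_DN, {"objectClass": "user", "sAMAccountName": "April.Stewart",
                            "userAccountControl": DISABLED_USER}),
        ldif_add(FINANCE_DN, {"objectClass": "group", "sAMAccountName": "Finance",
                              "description": "Finance Users"}),
        ldif_modify_members(FINANCE_DN, [APRIL_DN]),
    ])
```

Write `sample_csv()` to a file and feed it to `csvde -i -f`, or `sample_ldif()` to `ldifde -i -f`; generating the text keeps the quoting and record separators right no matter how many objects the source list holds.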

33 Retrieve Group Membership with DSGet
There is no option to show fully enumerated group memberships in Active Directory Users and Computers; DSGet allows full enumeration (including nested members).
dsget group "GroupDN" -members [-expand]
  Shows the members of the group (GroupDN), optionally including nested members (-expand)
dsget {user | computer} "ObjectDN" -memberof [-expand]
  Shows the group membership of the user or computer (ObjectDN), optionally including nested group memberships (-expand)

34 Copy Group Membership
Copy members from one group to another:
dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" -members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -addmbr
Copy the memberships of one user to another:
dsget user "SourceUserDN" -memberof | dsmod group -addmbr "TargetUserDN"

35 Move and Rename Groups
Active Directory Users and Computers: right-click the group, then click Move or Rename
DSMove command:
dsmove ObjectDN [-newname NewName] [-newparent TargetOUDN]
  ObjectDN is the DN of the group
  -newparent TargetOUDN moves the group to a new OU
  -newname NewName changes the cn of the group
  You must use dsmod group to change the sAMAccountName
dsmove "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com" -newparent "OU=Marketing,DC=contoso,DC=com"
dsmove "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" -newname "Public Relations"
dsmod group "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com" -samid "Public Relations"

36 Delete Groups
Active Directory Users and Computers: right-click, Delete
DSRm command:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
  -noprompt: prevents prompting to confirm each deletion
  -c: continues if an error occurs (such as access denied)
  -subtree: deletes the object and all child objects
  -subtree -exclude: deletes all child objects but not the object itself
Deleting a security group has significant impact: the SID is lost and cannot be re-established by re-creating the group.
Tip: first record all members, then remove all members for a test period, to evaluate any unintended side effects before deleting the group.
dsrm "CN=Public Relations,OU=Role,OU=Groups,DC=contoso,DC=com"

37 Protect Groups from Accidental Deletion
Objective: protect groups from accidental deletion.
In the Active Directory Users and Computers snap-in, click the View menu and make sure that Advanced Features is selected.
Open the Properties dialog box for a group.
On the Object tab, select the Protect Object From Accidental Deletion check box.
Click OK.

38 Delegate Membership Management with the Managed By Tab
The Managed By tab serves two purposes:
  Provide contact information for who manages the group
  Allow the specified user (or group) to modify group membership if Manager Can Update Membership List is selected
Tips:
  You must click OK (not just Apply) to change the ACL on the group
  To set a group in the Name box, click Change, then click Object Types, and then click Groups

39 Default Groups
Default local groups in the BUILTIN and Users containers: Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators
Pre-defined rights are associated with these groups; know these rights for the certification exams.
Problems with these groups:
  Highly overdelegated (Account Operators, for example, can log on to a DC)
Best practice: keep these groups empty and create custom groups with the rights and privileges you require.
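Checking that the default privileged groups on slide 39 really are empty needs the nested enumeration that slide 33 describes for `dsget group -members -expand`: a helpdesk role group nested three levels down still puts its users in Administrators. The Python below is an added example, not course code. It expands membership breadth-first with a visited set, so two groups that contain each other do not send the walk into an endless loop, and then reports every non-group principal that reaches a privileged group without being on an allowlist. The directory snapshot is constructed; the Helpdesk/Tier2 cycle is there on purpose.

```python
from collections import deque

# Constructed directory snapshot: group DN -> direct member DNs. Nested groups
# are listed like any other member; Helpdesk and Tier2 contain each other,
# which a naive recursive walk would loop on forever.
DIRECTORY = {
    "CN=Administrators,CN=Builtin,DC=contoso,DC=com": [
        "CN=Domain Admins,CN=Users,DC=contoso,DC=com",
        "CN=Helpdesk,OU=Role,OU=Groups,DC=contoso,DC=com",
    ],
    "CN=Domain Admins,CN=Users,DC=contoso,DC=com": [
        "CN=Administrator,CN=Users,DC=contoso,DC=com",
    ],
    "CN=Helpdesk,OU=Role,OU=Groups,DC=contoso,DC=com": [
        "CN=Tier2,OU=Role,OU=Groups,DC=contoso,DC=com",
        "CN=April Stewart,OU=Employees,OU=User Accounts,DC=contoso,DC=com",
    ],
    "CN=Tier2,OU=Role,OU=Groups,DC=contoso,DC=com": [
        "CN=Helpdesk,OU=Role,OU=Groups,DC=contoso,DC=com",   # the cycle
        "CN=Mike Fitzmaurice,OU=Employees,OU=User Accounts,DC=contoso,DC=com",
    ],
    "CN=Account Operators,CN=Builtin,DC=contoso,DC=com": [],
}

# The default groups from slide 39 that the practice says to keep empty.
PRIVILEGED_GROUPS = [
    "CN=Administrators,CN=Builtin,DC=contoso,DC=com",
    "CN=Domain Admins,CN=Users,DC=contoso,DC=com",
    "CN=Account Operators,CN=Builtin,DC=contoso,DC=com",
]


def expand_members(group_dn, directory):
    """Every object reachable through nesting (what dsget group -members -expand
    lists), mapped to the chain of groups that leads to it. Breadth-first with
    a visited set, so cycles terminate and each recorded path is a shortest one."""
    reached = {}
    queue = deque([(group_dn, [group_dn])])
    visited = {group_dn}
    while queue:
        current, path = queue.popleft()
        for member in directory.get(current, []):
            if member in visited:
                continue
            visited.add(member)
            reached[member] = path
            if member in directory:          # a group: keep descending
                queue.append((member, path + [member]))
    return reached


def audit_privileged_groups(directory, allowlist, privileged=PRIVILEGED_GROUPS):
    """Findings (group, member, nesting path) for every non-group principal that
    ends up in a privileged group through any path and is not allowlisted."""
    findings = []
    for group in privileged:
        for member, path in expand_members(group, directory).items():
            if member in directory or member in allowlist:
                continue
            findings.append((group, member, " -> ".join(path)))
    return findings
```

The nesting path in each finding is what makes the report actionable: it names the role group whose membership (or nesting) needs to change, rather than only the end user who inherited the privilege.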

40 Special Identities
Membership is controlled by Windows:
  Cannot be viewed, edited, or added to other groups
  Can be used on ACLs
Examples:
  Anonymous Logon: represents connections to a computer without a username and password
  Authenticated Users: represents identities that have been authenticated, but does not include the Guest identity
  Everyone: includes Authenticated Users and Guest (but not Anonymous Logon by default in Windows Server 2003/2008)
  Interactive: users logged on locally or with Remote Desktop
  Network: users accessing a resource over the network

41 What Are Effective Permissions?
Course 6292A Module 3: Configuring File Access and Printers on Windows 7 Clients
Effective permissions are a file or folder's final, combined permission set, determined by Windows when a file or folder carries both user and group permissions.
When determining effective permissions:
  User and group permissions are combined
  Deny permissions override allow permissions
The Effective Permissions feature:
  Calculates and displays the permissions granted to a user or group
  Determines all domain and local groups in which the user is a member
  Takes into account permissions inherited from the parent object

42 Discussion: Determining Effective Permissions
[Diagram: an NTFS partition with Folder1, File1, Folder2 and File2; User1 is a member of both the Users group and the Sales group]
Scenario 1: Users group has Write for Folder1; Sales group has Read for Folder1
Scenario 2: Users group has Read for Folder1; Sales group has Write for Folder2
Scenario 3: Users group has Modify for Folder1; File2 must only be available to the Sales group with Read permission

43 Discussion: Combining NTFS and Share Permissions
When you create a shared folder on an NTFS-formatted partition, both the shared folder permissions and the NTFS file system permissions are combined to secure file resources.
  By default, the Everyone group is granted the shared folder permission Read
  Users must have the appropriate NTFS permissions for each file and subfolder in a shared folder, and the appropriate shared folder permissions, to access those resources
  The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to all files in those subfolders
  When NTFS and shared folder permissions are combined, the resulting effective permission is the most restrictive one of the two permission sets
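The three rules from slides 41 through 43 (combine user and group entries, deny overrides allow, take the most restrictive of NTFS and share) are easy to state and easy to get wrong at the edges, so here they are as a small Python model. This is an added example, not course code. It represents basic permissions as sets of granular rights, walks up the folder tree for inherited entries, honours a blocked-inheritance flag (the usual answer to the slide's scenario 3), and intersects the NTFS result with the share permission. One refinement beyond the slide's wording is built in: Windows evaluates explicit entries before inherited ones, so an explicit allow on a file beats a deny inherited from its folder, while at the same level deny still wins. The folder tree, group names and ACL entries are constructed; the assumption that Folder2 sits inside Folder1 is the example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of NTFS basic permissions as sets of granular rights.
READ = frozenset({"read_data", "read_attributes", "read_permissions"})
WRITE = frozenset({"write_data", "append_data", "write_attributes"})
MODIFY = READ | WRITE | frozenset({"delete"})
FULL_CONTROL = MODIFY | frozenset({"change_permissions", "take_ownership"})


@dataclass(frozen=True)
class Ace:
    principal: str         # user or group name
    rights: frozenset
    allow: bool = True     # False = deny entry
    inherit: bool = True   # does the entry propagate to child objects?


@dataclass
class Node:
    name: str
    acl: list = field(default_factory=list)
    parent: Optional["Node"] = None
    inherit_from_parent: bool = True   # False = inheritance blocked on this object


def effective_ntfs(node, user, groups):
    """Rights `user` (member of `groups`) ends up with on `node`.
    User and group entries are combined; explicit entries are evaluated before
    inherited ones and, at each level, deny before allow; the first entry that
    mentions a right decides it."""
    principals = {user, *groups}
    decided = {}
    current, inherited = node, False
    while current is not None:
        level = [a for a in current.acl
                 if a.principal in principals and (not inherited or a.inherit)]
        for ace in sorted(level, key=lambda a: a.allow):   # deny (False) first
            for right in ace.rights:
                decided.setdefault(right, ace.allow)
        if not current.inherit_from_parent:
            break
        current, inherited = current.parent, True
    return frozenset(r for r, allowed in decided.items() if allowed)


def effective_over_share(node, user, groups, share_rights):
    """Access through a shared folder: the most restrictive of the NTFS result
    and the share permission, i.e. their intersection."""
    return effective_ntfs(node, user, groups) & share_rights


def basic_name(rights):
    """Name the basic permission a rights set amounts to, for reporting."""
    for name, rset in (("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                       ("Read + Write", READ | WRITE), ("Write", WRITE), ("Read", READ)):
        if rights == rset:
            return name
    return "None" if not rights else "Special"


# Constructed tree: Folder1 holds File1 and Folder2; Folder2 holds File2.
# Folder1 carries slide 42's scenario 1 entries plus a deny for an Interns group.
FOLDER1 = Node("Folder1", [Ace("Users", WRITE), Ace("Sales", READ),
                           Ace("Interns", WRITE, allow=False)])
FILE1 = Node("File1", parent=FOLDER1)
FOLDER2 = Node("Folder2", parent=FOLDER1)
# Scenario 3: File2 blocks inheritance and grants only Sales Read.
FILE2 = Node("File2", [Ace("Sales", READ)], parent=FOLDER2, inherit_from_parent=False)
```

With the share granting Everyone Read (the default on slide 43), `effective_over_share(FILE1, "User1", {"Users", "Sales"}, READ)` comes out as Read even though NTFS gives User1 Read and Write, which is the "most restrictive wins" rule in one call.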

