Chapter 5

ACTIVE DIRECTORY ADMINISTRATION - PowerPoint PPT Presentation



PowerPoint Slideshow about 'ACTIVE DIRECTORY ADMINISTRATION' - doris-foreman


Presentation Transcript
Chapter 5

ACTIVE DIRECTORY ADMINISTRATION


Chapter 5: ACTIVE DIRECTORY ADMINISTRATION

UNDERSTANDING USER ACCOUNTS

  • Authentication

  • User account types

  • Administrator

  • Guest


AUTHENTICATION AND ACCESS TOKEN


CATEGORIES OF USER ACCOUNTS

  • Security Accounts Manager (SAM)

    • Local

    • Builtin user accounts

  • Domain user accounts (NTDS.dit)

    • Domain local

    • Builtin user accounts


ADMINISTRATOR ACCOUNT

  • Full control of computer, domain, forest

  • Used to establish administrative structure and create other accounts

  • Should be renamed

  • Should be secured with a complex password

  • Can be disabled, but cannot be deleted


GUEST ACCOUNT

  • Designed to allow temporary access to the network

  • Disabled by default, but cannot be deleted

  • Should be secured with a complex password if enabled




GROUP TYPES, SCOPES, AND CONVERTING

  • Distribution groups

    • Typically used with applications to provide a list of users (Microsoft Exchange)

    • Cannot be used to assign access permissions

  • Security groups

    • Primarily used to grant access

    • Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned


DOMAIN LOCAL GROUPS

  • Membership: user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain.

  • Purpose: Used to assign permissions to resources in the local domain.

  • Once you assign permissions to this group, you can use it to grant those permissions to other groups or users.


GLOBAL GROUPS

  • Membership: User accounts, computer accounts, and other global groups.

  • Purpose: Used to organize users.

  • Users are typically assigned to global groups based on job role, task, or title.


UNIVERSAL GROUPS

  • Membership: user accounts, computer accounts, global or universal groups.

  • Purpose: Used to organize users or groups of users in global groups.

  • Larger organizations typically use universal groups to group accounts from different domains.


GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL


GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL


DEFAULT GROUPS

  • Builtin security groups

    • Pre-defined permissions

    • Placed in Builtin and Users containers by default

  • Groups are sometimes added when services are installed

    • Dynamic Host Configuration Protocol (DHCP) service adds DHCP Admins and DHCP Users

    • Domain Name System (DNS) adds DNS Admins and DNS UpdateProxy


SPECIAL IDENTITY GROUPS

  • Anonymous Logon

  • Everyone

  • Authenticated Users

  • Interactive

  • Network


LOCAL GROUPS

  • Only on non–Active Directory databases

    • SAM database

    • Domain members’ local security databases

  • Typically used in peer-to-peer (workgroup) networks

  • Used to grant system rights and access to resources available on the local computer


DEVELOPING A GROUP IMPLEMENTATION PLAN

  • Determine who has the ability to create and manage users and groups.

  • Determine how domain local, global, and universal groups should be used.

  • Define the guidelines for the creation and deletion of users and groups.

  • Implement a common naming scheme for users and groups.

  • Determine the appropriate uses of group nesting.


CREATING USERS AND GROUPS

  • Batch files

    • net, dsadd

  • Directory Exchange Utilities

    • CSVDE utility

    • LDIFDE utility

  • Windows Script Host (WSH)


USING BATCH FILES

  • net user

  • net group

  • dsadd user

  • dsadd group


USING CSVDE

  • Comma-separated values.

  • Header record must be defined using a distinguished name and schema attributes. Entries in the remainder of the file must follow the order of the header record.

  • Once the file is created, use csvde -i -f file.txt to import the users.

  • Cannot create users with passwords.

  • Cannot modify existing user accounts.
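
An added example, not part of the original slides: a pre-import check for a csvde file that applies the rules above (header with a DN column and schema attributes, every entry matching the header, no passwords). The sample file, the function name `lint_csvde`, the objectClass requirement and the rule that passwordless accounts should stay disabled are assumptions made for illustration.

```python
import csv
import io

# Constructed sample import file; names, OU and domain are placeholders.
SAMPLE = '''DN,objectClass,sAMAccountName,userAccountControl
"CN=Ann Lee,OU=Staff,DC=example,DC=com",user,alee,514
"CN=Bob Ray,OU=Staff,DC=example,DC=com",user,bray,512
"CN=Cy Dow,OU=Staff,DC=example,DC=com",user,cdow
'''

PASSWORD_ATTRS = ("unicodepwd", "userpassword")  # AD password attributes
UAC_ACCOUNTDISABLE = 0x2  # userAccountControl flag: account is disabled


def lint_csvde(text):
    """Return (line_number, message) findings for a csvde import file."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None:
        return [(1, "empty file: no header record")]
    names = [h.strip().lower() for h in header]
    findings = []
    if "dn" not in names:
        findings.append((1, "header has no DN column"))
    if "objectclass" not in names:  # assumed requirement for new objects
        findings.append((1, "header has no objectClass attribute"))
    for attr in PASSWORD_ATTRS:
        if attr in names:
            findings.append((1, f"{attr}: csvde cannot import passwords"))
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        if len(row) != len(names):
            findings.append((line, f"{len(row)} fields, header has {len(names)}"))
            continue
        uac = dict(zip(names, row)).get("useraccountcontrol", "").strip()
        # Policy assumption: an account imported without a password stays disabled.
        if uac.isdigit() and not int(uac) & UAC_ACCOUNTDISABLE:
            findings.append((line, "account enabled but csvde sets no password"))
    return findings


if __name__ == "__main__":
    for line, msg in lint_csvde(SAMPLE):
        print(f"line {line}: {msg}")
```

Running the check before `csvde -i -f file.txt` catches misaligned rows and accounts that would be created enabled without a password.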


USING LDIFDE

  • Line-separated values. Object entries are separated by a hyphen.

  • Once the file is created, use ldifde -i -f file.txt to import the users.

  • Cannot create users with passwords.

  • Can modify passwords once users are created.

  • Can be used to import, export, and modify Active Directory objects.


USING WSH

  • Allows you to write scripts to create users and other Active Directory objects.

  • Scripts can be VBScript or JScript.

  • Allows for highly customized solutions that automate the creation of user accounts.


SUMMARY

  • What are the two group types?

    • Which type can be used to assign permissions?

    • Which one is primarily for e-mail?

  • Name three group scopes.

  • What domain functional level is required for creating universal groups?

  • Name methods for automating user account creation.

