Implementing and managing group and computer accounts

Domain User Accounts

  • Allow users to log on to the domain and gain access to resources anywhere on the network

  • Created in an OU in the Active Directory store

  • Replicated to all domain controllers


Local User Accounts

  • Allow users to log on to and gain access to resources on the computer where they log in

  • Created in the computer’s security database

  • Not replicated to domain controllers


Introduction to Group Accounts

  • A group is a container object

    • Used to organize collections of users, computers, contacts, other groups

    • Used to simplify administration

  • Similar to Organizational Units except

    • OUs are not security principals, groups are

    • OUs can only contain objects from their own domain; groups can contain objects from anywhere within the forest


Introduction to Groups

  • Groups simplify administration of user permissions.

  • Users can be members of more than one group.

  • When you assign permissions, you give users the capability to gain access to specific resources.


Group Types

  • Security groups

    • Defined by Security Identifier (SID)

    • Can be assigned permissions for resources

      • In discretionary access control lists (DACLs)

    • Can be assigned rights to perform different tasks

    • Can also be used as e-mail entities

  • Distribution groups

    • Primarily used as e-mail entities

    • Do not have associated SID


Group Scopes

  • Scope refers to logical boundary of permissions to specific resources

  • Both Security and Distribution Groups have scopes

  • Three scopes

    • Objects possible within each scope dependent on configured functional level of a domain

    • Scope types are global, domain local, and universal


Group Scopes (continued)

  • Three domain functional levels:

    • Windows 2000 mixed: default configuration, supports a combination of Windows NT Server 4.0, 2000 Server, and Server 2003 domain controllers

    • Windows 2000 native: supports a combination of Windows 2000 Server and Server 2003 domain controllers

    • Windows Server 2003: supports Windows Server 2003 domain controllers only


Global Groups

  • Organize groups of users, computers, groups within the same domain

  • Use global groups to contain accounts for accessing resources in the same and in other domains via domain local groups

  • Usually represents a geographic location or job function group

  • Types of objects in group related to configured functional level of the domain

    • Depends on the types of domain controllers in environment


Domain Local Groups

  • Created on domain controllers

  • Can be assigned rights and permissions to any resource within the same domain

  • Can contain groups from other domains

  • Specific objects allowed in group related to configured functional level of the domain


Domain Local Group Example

Figure: Managing security through domain local and global groups


Universal Groups

  • Typically created to aggregate users or groups in different domains

  • Stored on domain controllers configured as global catalog servers

  • Can be assigned rights and permissions for any resource within a forest

  • Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level



Creating Group Objects

  • Group objects are stored in Active Directory database

  • A variety of tools can be used for creation and management

    • Active Directory Users and Computers

    • Command-line utilities

      • DSADD, DSMOD, DSQUERY, etc.


Active Directory Users and Computers

  • Primary tool

    • To create group accounts

    • Can also be used to configure properties of group accounts

  • Groups can be created in any built-in containers, at root of the domain object, or in custom OU objects

  • Possible group scopes determined by the functional level the domain is configured to





Converting Group Types

  • May need to change a security group to a distribution group or vice versa

  • Type of group can only be changed if domain functional level is Windows 2000 native or above



Converting Group Scopes

  • Scope of a group can be changed

  • Domain functional level must be at least Windows 2000 native

  • Supported changes

    • Global to universal

      • Group cannot be a member of another global group; the conversion would result in a universal group being a member of a global group

    • Domain local to universal

      • Cannot contain other domain local groups; universal groups cannot contain domain local groups


Converting Group Scopes (con’t)

  • Universal to global

    • Cannot contain other universal groups; the result would be a global group containing a universal group

  • Universal to domain local

    • No Restrictions
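The nesting rules on the two slides above can be checked before a conversion is attempted. This is an added PowerShell example, not part of the slides: it reads the current scope and nesting with DSGET and only then calls DSMOD. It assumes the ds* tools are on the PATH and that the last line DSGET prints for -scope contains the words "global", "universal" or "domain local" (an assumption about DSGET's output format); the DN at the bottom is a placeholder.

```powershell
# Added example (not from the slides): pre-check a group scope change with dsget,
# then apply it with dsmod. Assumes dsget/dsmod are on PATH; the parsing of the
# -scope output (last non-empty line holds the scope word) is an assumption.

function Get-GroupScope {
    param([string]$Dn)
    # dsget group fails for non-group DNs (e.g. user members); return $null then
    $lines = & dsget group $Dn -scope 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $value = ($lines | Where-Object { $_.Trim() -ne '' })[-1]
    return $value.Trim().ToLower()
}

function Get-GroupDns {
    param([string]$Dn, [string]$Direction)   # 'members' or 'memberof'
    $out = & dsget group $Dn "-$Direction" 2>$null
    return $out | Where-Object { $_ -match '^\s*"?CN=' } | ForEach-Object { $_.Trim().Trim('"') }
}

function Test-ScopeConversion {
    param([string]$Dn, [ValidateSet('g','l','u')][string]$NewScope)
    $current = Get-GroupScope -Dn $Dn
    if ($null -eq $current) { return "Not a group: $Dn" }

    if ($NewScope -eq 'u' -and $current -like 'global*') {
        # Global -> universal: a parent global group would end up containing a universal group
        foreach ($p in Get-GroupDns -Dn $Dn -Direction 'memberof') {
            if ((Get-GroupScope -Dn $p) -like 'global*') { return "Blocked: member of global group $p" }
        }
    } elseif ($NewScope -eq 'u' -and $current -like 'domain local*') {
        # Domain local -> universal: universal groups cannot contain domain local groups
        foreach ($m in Get-GroupDns -Dn $Dn -Direction 'members') {
            if ((Get-GroupScope -Dn $m) -like 'domain local*') { return "Blocked: contains domain local group $m" }
        }
    } elseif ($NewScope -eq 'g' -and $current -like 'universal*') {
        # Universal -> global: a global group cannot contain a universal group
        foreach ($m in Get-GroupDns -Dn $Dn -Direction 'members') {
            if ((Get-GroupScope -Dn $m) -like 'universal*') { return "Blocked: contains universal group $m" }
        }
    }
    # Universal -> domain local carries no nesting restriction
    return 'OK'
}

$dn = 'CN=Sales Staff,OU=Sales,DC=example,DC=com'   # placeholder DN
$verdict = Test-ScopeConversion -Dn $dn -NewScope 'u'
if ($verdict -eq 'OK') { & dsmod group $dn -scope u } else { Write-Warning $verdict }
```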



Command Line Utilities

  • An alternative to Active Directory Users and Computers

    • Some administrators have a preference for command-line utilities

    • Command-line utilities are more flexible for group management and creation in some situations


DSADD

  • Introduced in Windows Server 2003

  • Used to create new user and group accounts

  • Syntax is

    • dsadd group distinguished-name switches

  • Switches include: -secgrp, -scope, -memberof, -members

  • More help is available for switches and options at Windows Server 2003 Help and Support Center or at command-line



DSMOD

  • Allows various object types to be modified from the command line

  • Syntax is

    • dsmod group distinguished-name switches

  • Switches include: -desc, -rmmbr, -addmbr, -chmbr



DSQUERY

  • Used to query various object types from the command line, returns values

  • Syntax for groups is

    • dsquery group query

  • Supports wildcard character (*)

  • Output can be

    • piped (|) as input to other command-line tools

    • Sent (>>) to a file


DSMOVE

  • Used to move or rename various object types from the command line

  • Syntax for groups is

    • dsmove group distinguished-name switches

  • Switches include: -newparent, -newname

  • Can only be used for groups within a single domain


DSRM

  • Used to delete various object types from the command line

  • Syntax for groups is

    • dsrm group distinguished-name switches

  • Switches include: -noprompt


Managing Security Groups

  • Strategy for managing security groups uses acronym A G U DL P:

    • Create user Accounts (A)

    • Organize them within Global groups (G)

    • Optional: Create Universal groups (U) and place global groups from any domain in universal groups

    • Create Domain Local groups (DL) and add global and universal groups

    • Assign Permissions (P) to the domain local groups


Determining Group Membership

  • Important task for administrators is to ensure that users are members of correct groups

  • One method is via Member Of tab in the properties of a user account

    • Only shows first level of groups (not groups of groups)

  • Second method is to use DSGET

  • Returns values to a query


Determining Group Membership (continued)

  • Syntax is

    • dsget group distinguished-name switches

  • Switches include: -members, -memberof, -expand

  • Can also be used as dsget user to get membership information about a specific user

  • Output can be saved to a file:

    • dsget group distinguished-name switches >> filename
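The A G DL P strategy, the DSADD/DSMOD command-line utilities and the DSGET membership check from the preceding slides, worked through as one added PowerShell example (not code from the slides). Every DN, account name, domain and share path is a placeholder; it assumes the ds* tools are on the PATH, the domain functional level allows the scopes used, and icacls is available for the permission step (icacls is not named on the slides and is assumed here).

```powershell
# Added example (not from the slides): build an A-G-DL-P chain with dsadd/dsmod
# and confirm the nested membership with dsget -expand. All names are placeholders.

$domain = 'DC=example,DC=com'
$ou     = "OU=Sales,$domain"
$user   = "CN=Jane Doe,$ou"
$global = "CN=Sales Staff,$ou"             # G: job-function group
$local  = "CN=SalesShare ReadOnly,$ou"     # DL: resource group that receives permissions

# A: create the user account (-pwd * prompts for the password instead of putting it on the command line)
& dsadd user $user -samid jdoe -fn Jane -ln Doe -pwd * -mustchpwd yes

# G: global security group that holds the accounts
& dsadd group $global -secgrp yes -scope g -members $user

# DL: domain local security group that holds the global group
& dsadd group $local -secgrp yes -scope l -members $global

# Later additions go through dsmod rather than touching the resource ACL again
& dsmod group $global -addmbr "CN=John Roe,$ou"

# P: permissions are granted to the domain local group only (icacls assumed available; path is a placeholder)
& icacls 'D:\Shares\Sales' /grant 'EXAMPLE\SalesShare ReadOnly:(OI)(CI)R'

function Get-EffectiveGroups {
    param([string]$UserDn)
    # -expand follows group-of-group nesting, which the Member Of tab does not show
    return (& dsget user $UserDn -memberof -expand) |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -match '^CN=' }
}

$groups = Get-EffectiveGroups -UserDn $user
if ($groups -contains $local) {
    "OK: $user reaches $local through $global"
} else {
    Write-Warning "Nesting not effective: $user is not an (expanded) member of $local"
}
```

Running the same check for each user in `dsquery user $ou` is a quick audit that everyone who holds the share permission gets it through the intended domain local group rather than a direct ACL entry.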


Built-In Groups

  • When Windows Server 2003 Active Directory is installed

    • Built-in groups are created automatically

    • Rights are pre-assigned

    • Stored in Builtin container and Users container

  • Use built-in groups where possible

    • Eases implementation of security rights


The Builtin Container

  • Contains a number of domain local group accounts

  • Allocated different user rights based on common administrative or network-related tasks



The Users Container

  • Contains a number of domain local and global group accounts

  • Some groups only found in the root domain of an Active Directory forest rather than in individual domains

    • Enterprise Admins

    • Schema Admins



Creating and Managing Computer Accounts

  • Computer accounts needed on Windows NT 4.0, 2000, XP, Server 2003

  • Can be created during installation or added manually later

  • Creation and management tools

    • Active Directory Users and Computers

    • System applet in Control Panel

    • Command-line utilities



Resetting Computer Accounts

  • Secure channel

    • Used by computers that are domain members to communicate with domain controller

    • Password is changed every 30 days

    • Automatically synchronized between DC and WS


Resetting Computer Accounts

  • Occasional synchronization issues arise

    • Computer has not been connected to network for 30+ days

    • Secure channel has been compromised somehow

    • Results in the user not being authenticated

  • Administrator must reset computer account

    • Using Active Directory Users and Computers

    • Netdom.exe command from Windows Support Tools: netdom reset computername /domain:domainname
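The secure channel check and the netdom reset from the two slides above, as an added PowerShell example that is not part of the original slides. It verifies the channel with nltest first so that a healthy workstation is not reset needlessly; it assumes nltest and netdom (both from the Windows Support Tools) are on the PATH, that it runs on the affected workstation with domain administrator rights, and the domain name is a placeholder.

```powershell
# Added example (not from the slides): test the workstation's secure channel with
# nltest and reset the computer account with netdom only when the test fails.
# Assumes nltest/netdom are on PATH; the domain name is a placeholder.

function Test-SecureChannel {
    param([string]$Domain)
    # nltest /sc_query reports the DC the channel uses and NERR_Success when it is healthy
    $out = & nltest "/sc_query:$Domain" 2>&1
    return ($LASTEXITCODE -eq 0 -and (($out -join ' ') -match 'NERR_Success'))
}

$domain   = 'example.com'          # placeholder domain
$computer = $env:COMPUTERNAME      # the machine whose account may need resetting

if (Test-SecureChannel -Domain $domain) {
    "Secure channel to $domain is healthy; no reset needed"
} else {
    # Re-establishes the computer account password shared with a domain controller (the switch matches the slide)
    & netdom reset $computer /domain:$domain
    if ($LASTEXITCODE -eq 0) {
        "Reset completed; users can log on to $domain again from $computer"
    } else {
        Write-Warning "netdom reset failed (exit code $LASTEXITCODE); reset the account in Active Directory Users and Computers and rejoin if needed"
    }
}
```

A workstation that repeatedly fails this check without having been offline for 30 days is worth investigating, since the slide lists a compromised secure channel as one of the causes.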


