
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced, Chapter 10: Managing Users, Groups, Computers and Resources

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced, Chapter 10: Managing Users, Groups, Computers and Resources. Objectives: create user objects in Active Directory and set values for the attributes of a user object.

lamya

Presentation Transcript


  1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
     Chapter 10: Managing Users, Groups, Computers and Resources

  2. Objectives
     • Create user objects in Active Directory and set values for the attributes of a user object
     • Create and manipulate groups in Active Directory, and understand the effects of different group scopes
     • Create and manage computer accounts
     Guide to MCSE 70-294, Enhanced

  3. Objectives (continued)
     • Create objects for other resources, such as shared folders and printers
     • Organize objects in Active Directory by leveraging the use of organizational units

  4. Planning and Administering User Accounts
     • Most frequently changed objects are user objects
     • Users added, removed, etc.

  5. User Classes, Properties, and Schema
     • User class defines a number of required and optional attributes
     • Mandatory attributes:
       • cn
       • instanceType, objectCategory, and objectClass
       • objectSID
       • sAMAccountName
     • More than 200 optional attributes

  6. The Names of a User
     • Name attributes:
       • sAMAccountName
         • Also called user logon name (pre-Windows 2000)
       • userPrincipalName (UPN)
         • Also called user logon name
     • Decide on naming convention for user accounts
     • Most common convention is to use user’s first initial followed by user’s last name

  7. The Names of a User (continued)
     • UPN composed of two parts
       • Username
       • UPN suffix
     • UPN suffix is DNS name by default
       • Can choose other suffix
     • Joined by @ symbol
     • Example: SomeUser@mydomain.com

  8. Name Suffix Routing
     • Provides name resolution across forests
     • Used to route authentication requests to correct forest
     • Disabled when naming conflict occurs
       • A given unique name suffix can only exist in one forest

  9. Creating Users with Active Directory Users and Computers
     • Must be working at domain controller
       • Or must have the administrative tools installed at your workstation
     • Windows issues query to global catalog to verify that UPN is unique within forest
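The naming convention of slides 6 and 7 and the uniqueness check of slide 9, as an added example that is not code from the course or from Microsoft. It derives the pre-Windows 2000 logon name (first initial plus last name), builds the UPN as username@suffix, and performs the same two checks a domain controller makes before the object is created: the sAMAccountName must be unique in the domain and the UPN must be unique across the forest. `GlobalCatalogStub` is a constructed in-memory stand-in for the global catalog, and every name in it is sample data.

```python
"""Derive logon names for a new user and check them for uniqueness.

Added example, not code from the course or from Microsoft. GlobalCatalogStub
is a constructed stand-in for the global catalog; all names are sample data.
"""
import re

SAM_MAX_LEN = 20  # a user's sAMAccountName is limited to 20 characters
# Characters Windows does not accept in a pre-Windows 2000 logon name
SAM_ILLEGAL = re.compile(r'["/\\\[\]:;|=,+*?<>]')


class GlobalCatalogStub:
    """Holds the names that already exist; lookups are case-insensitive as in AD."""

    def __init__(self, sam_names=(), upns=()):
        # sAMAccountName only has to be unique within the domain ...
        self.sam = {s.lower() for s in sam_names}
        # ... but the UPN has to be unique across the whole forest
        self.upn = {u.lower() for u in upns}


def sam_account_name(first, last, taken):
    """First initial + last name, trimmed to 20 chars and de-duplicated with a numeric suffix."""
    base = SAM_ILLEGAL.sub("", (first[:1] + last).replace(" ", "")).lower()
    if not base:
        raise ValueError("cannot derive a logon name from the given first/last name")
    base = base[:SAM_MAX_LEN]
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        tail = str(n)
        candidate = base[:SAM_MAX_LEN - len(tail)] + tail
    return candidate


def user_principal_name(username, suffix):
    """UPN = username@suffix; the suffix is the domain DNS name unless an alternate one was chosen."""
    if "@" in username or not suffix:
        raise ValueError("username must not contain '@' and a suffix is required")
    return f"{username}@{suffix}"


def provision(first, last, suffix, gc):
    """Pick both logon names, refuse a duplicate UPN, and record the new names in the catalog."""
    sam = sam_account_name(first, last, gc.sam)
    upn = user_principal_name(sam, suffix)
    if upn.lower() in gc.upn:
        # Same check the DC performs: an account elsewhere in the forest already owns this UPN
        raise ValueError(f"UPN {upn} already exists in the forest")
    gc.sam.add(sam)
    gc.upn.add(upn.lower())
    return sam, upn


def demo():
    # Constructed sample catalog: jsmith exists in this domain; bjones@mydomain.com
    # is owned by an account in another domain of the same forest.
    gc = GlobalCatalogStub(sam_names=["jsmith"],
                           upns=["jsmith@mydomain.com", "bjones@mydomain.com"])
    results = {
        "jane": provision("Jane", "Doe", "mydomain.com", gc),
        "john": provision("John", "Smith", "mydomain.com", gc),  # collides with jsmith -> jsmith2
    }
    try:
        provision("Bob", "Jones", "mydomain.com", gc)
    except ValueError as exc:
        results["bob"] = str(exc)  # sAMAccountName is free, but the UPN is taken forest-wide
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The third case is the one slide 9 is about: `bjones` is unused in this domain, so a per-domain check would pass, but the global catalog shows the UPN is already owned by an account in another domain of the forest, and the creation must be refused.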

  10. The New Object - User Dialog Box

  11. New User Password and Security Attributes

  12. Activity 10-2: Creating a New User Object
     • Objective: Practice creating new user objects.
     • Use Active Directory Users and Computers console to create a new user

  13. Setting Additional Attributes
     • Many user attributes exposed through property pages
       • In Active Directory Users and Computers console
     • Right-click object in Active Directory Users and Computers
     • Choose Properties

  14. Setting Additional Attributes (continued)
     • Categories:
       • General and business information
       • Account and profile settings
       • Terminal Services settings
       • Dial-in settings
       • Advanced properties

  15. Resetting Passwords
     • User’s password stored in encrypted form
       • Operating system can access it to validate user
     • Administrator cannot retrieve forgotten user password
       • Must be reset
     • Access to encrypted files may be lost

  16. User Account Templates
     • Preconfigured user account
       • Already has common attributes associated with a particular type of user configured
     • Reduces time and administrative burden
     • Administrator copies template account to create new user

  17. Command-line Utilities
     • DSADD
     • DSMOD
     • DSQUERY
     • DSGET
     • DSMOVE
     • DSRM

  18. Bulk Import and Export
     • CSVDE
       • Command-line tool
       • Supports bulk export and import of Active Directory data
       • File format: comma-separated value (CSV) files
     • LDIFDE
       • Command-line tool
       • Use to import and export data from Active Directory
       • File format: LDAP Data Interchange Format (LDIF)

  19. Activity 10-5: Using LDIFDE to Modify User Accounts
     • Objective: Use LDIFDE to modify an existing user account
     • Practice using LDIFDE utility to work with user data
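The file format behind slides 18 and 19, as an added example that is neither the course's nor Microsoft's code. It writes the two LDIF record kinds Activity 10-5 depends on, an `add` record that creates a user object and a `modify` record that changes attributes of an existing one, in the syntax that `ldifde -i -f users.ldf` imports, and parses them back to confirm the file round-trips. The DN, names and attribute values are constructed sample data. No password is written: LDIFDE can only set `unicodePwd` over an SSL/TLS connection, so the account is created disabled (`userAccountControl` 514) and left for a protected step to activate.

```python
"""Write LDIF records for ldifde and read them back.

Added example, not the course's or Microsoft's code. The DN and attribute
values are constructed sample data.
"""
import base64
import re

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def needs_base64(value: str) -> bool:
    """RFC 2849: a value must be base64-encoded if it is non-ASCII, contains
    NUL/CR/LF, or starts with space, colon or '<' (or ends with a space)."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(c in "\x00\r\n" or ord(c) > 0x7F for c in value)


def attr_line(name: str, value) -> str:
    """One 'name: value' line, switching to 'name:: base64' when required."""
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def ldif_add(dn: str, attrs: dict) -> str:
    """One 'add' record; attribute values may be a single string or a list."""
    lines = [attr_line("dn", dn), "changetype: add"]
    for name, values in attrs.items():
        for v in (values if isinstance(values, (list, tuple)) else [values]):
            lines.append(attr_line(name, v))
    return "\n".join(lines) + "\n\n"


def ldif_modify(dn: str, changes) -> str:
    """One 'modify' record; changes is a list of (op, attribute, [values]) with
    op in add / replace / delete, each change terminated by a '-' line."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n\n"


def parse_ldif(text: str):
    """Return a list of records, each a dict attribute -> list of decoded values.
    Handles base64 ('::') values and folded continuation lines (leading space)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]      # continuation of the previous line
            else:
                unfolded.append(line)
        rec = {}
        for line in unfolded:
            if line == "-" or line.startswith("#"):
                continue
            m = ATTR_LINE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, raw = m.groups()
            value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
            rec.setdefault(name, []).append(value)
        records.append(rec)
    return records


def sample_records() -> str:
    """Constructed sample: create a user, then modify it, as Activity 10-5 does."""
    dn = "CN=Jane Doe,OU=Staff,DC=mydomain,DC=com"
    add = ldif_add(dn, {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": "Jane Doe",
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@mydomain.com",
        "displayName": "Jane Doe",
        # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE: created disabled, enabled only
        # after a password has been set over a protected (SSL/TLS) channel
        "userAccountControl": "514",
    })
    modify = ldif_modify(dn, [
        ("replace", "description", ["Accounts payable, Zürich office"]),  # non-ASCII -> base64
        ("add", "telephoneNumber", ["+41 44 000 0000"]),
        ("delete", "pager", []),  # no values: removes the whole attribute
    ])
    return add + modify


if __name__ == "__main__":
    print(sample_records())
```

Writing the output to `users.ldf` and importing it with `ldifde -i -f users.ldf` applies both records in order; the `-k` switch makes LDIFDE continue past errors such as an attribute that already has the value being added.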

  20. Creating and Modifying User Accounts Programmatically
     • Many ways to create users besides the Users and Computers console:
       • Scripts or programs
       • Automatically by a variety of tools
     • Active Directory Service Interface (ADSI)
       • Provides single abstract set of directory service interfaces for management of network
       • Makes it simple for administrators to automate common tasks

  21. Creating and Modifying User Accounts Programmatically (continued)
     • Active Directory Service Interface (ADSI)
       • Programmer can use ADSI from:
         • Visual Basic, C#, or VC++ application
       • Network administrators use:
         • Windows Scripting Host (WSH)
         • VBScript (or another scripting language that WSH supports)

  22. Planning and Administering Groups
     • Groups simplify Active Directory management
       • Save time and effort
       • Eliminate some mistakes

  23. Group Types
     • Security groups
       • Most popular type of group
       • Defined by Security Identifier (SID)
       • Used in discretionary access control lists (DACLs)
       • Can also be used as e-mail entities
     • Distribution groups
       • Primary purpose for use with e-mail applications
       • Do not impact user authentication process unnecessarily

  24. Group Types (continued)
     • Can change group type if domain is at:
       • Windows 2000 native
       • Windows Server 2003 functional level
     • Changed via group properties

  25. Group Scopes
     • Local scope
       • Exist only within context of specific machine
       • Often called machine local groups
       • Can only be referenced on local machine
       • Stored in local SAM database on each local machine
       • Can contain users from:
         • Local security database
         • Any users, global groups, or universal groups in forest
         • Any domain local groups in its own domain
         • Any user or groups from trusted domain

  26. Machine Local Group Membership and Resource Access

  27. Group Scopes (continued)
     • Domain local scope
       • Created on domain controller
       • Can only be assigned permissions to resources available in the local domain in which it is created
       • Group membership can come from any domain within the forest
         • Can contain users or global groups from any domain
       • Mainly used to assign access permissions to resources
       • Can be used on any machine in domain

  28. Group Scopes (continued)
     • Global scope
       • Can be assigned permissions to any resource in any domain within forest
         • Also in any other trusting domain that trusts the domain where the global group exists
       • Main limitation:
         • Can only contain users from same domain in which it is created
       • Mainly used to organize user objects into logical groupings according to function

  29. Group Scopes (continued)
     • Universal scope
       • Created for purpose of aggregating groups in different domains throughout forest
       • Can be assigned permissions to any resource in any domain within forest
       • Can consist of user objects from any domain in forest
       • Only available when domain is configured at Windows 2000 native or Windows Server 2003 functional level

  30. Changing a Group’s Scope
     • May be possible to change scope if domain is at:
       • Windows 2000 native
       • Windows Server 2003 functional level
     • Allowed conversions:
       • Global to universal
       • Domain local to universal
       • Universal to global
       • Universal to domain local

  31. Managing Security Groups
     • General strategy uses acronym A G U DL P:
       • Create user Accounts, and organize them within Global groups
       • Create Universal groups and place global groups from any domain within universal groups
       • Create Domain Local groups that represent resources to which you want to control access, and add global or universal groups to domain local groups

  32. Managing Security Groups (continued)
     • A G U DL P:
       • Assign Permissions to domain local groups
     • One of the best practices that Microsoft loves to test on
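The scope rules of slides 27 to 30 and the A G U DL P chain of slides 31 and 32 together, as an added example that is not code from the course. It is an in-memory model: each `Group` refuses members its scope may not hold, `change_scope` allows only the four conversions slide 30 lists and re-checks the existing members against the new scope, a `Resource` accepts a domain local group in its DACL only for its own domain, and `allows` resolves a user's access through the nested chain. Two rules go slightly beyond the slides and are stated here as assumptions that hold at the native functional levels the slides require: a global group may also nest global groups from its own domain, and a domain local group may nest other domain local groups from its own domain. The forest, domains, users, groups and share are all constructed.

```python
"""Model group scopes, scope conversion and the A G U DL P strategy.

Added example, not code from the course; all domains, users, groups and the
share are constructed sample data.
"""
FOREST = {"corp.example", "sales.corp.example"}   # constructed two-domain forest
ALLOWED_SCOPE_CHANGES = {                          # the conversions the slides list
    ("global", "universal"), ("domainlocal", "universal"),
    ("universal", "global"), ("universal", "domainlocal"),
}


class User:
    def __init__(self, name, domain):
        self.name, self.domain = name, domain


class Group:
    def __init__(self, name, domain, scope):
        assert scope in ("global", "universal", "domainlocal")
        self.name, self.domain, self.scope = name, domain, scope
        self.members = []

    def _check(self, member):
        """Raise if the member is not allowed in a group of this scope."""
        is_group = isinstance(member, Group)
        if member.domain not in FOREST:
            raise ValueError(f"{member.name} is outside the forest")
        if self.scope == "global":
            # global groups hold only users (and global groups) from their own domain
            if member.domain != self.domain or (is_group and member.scope != "global"):
                raise ValueError(f"global group {self.name} cannot contain {member.name}")
        elif self.scope == "universal":
            # universal groups aggregate users and global/universal groups from any domain
            if is_group and member.scope == "domainlocal":
                raise ValueError(f"universal group {self.name} cannot contain {member.name}")
        else:
            # domain local: users, global and universal groups from any domain in the
            # forest; other domain local groups only from its own domain
            if is_group and member.scope == "domainlocal" and member.domain != self.domain:
                raise ValueError(f"domain local group {self.name} cannot contain {member.name}")

    def add(self, member):
        self._check(member)
        self.members.append(member)

    def change_scope(self, new_scope):
        """Only the listed conversions are allowed, and the current members must
        still satisfy the rules of the new scope; otherwise nothing changes."""
        if (self.scope, new_scope) not in ALLOWED_SCOPE_CHANGES:
            raise ValueError(f"cannot convert {self.scope} to {new_scope}")
        old, self.scope = self.scope, new_scope
        try:
            for m in self.members:
                self._check(m)
        except ValueError:
            self.scope = old
            raise

    def contains(self, user, _seen=None):
        """Transitive membership: direct members and members of nested groups."""
        _seen = _seen if _seen is not None else set()
        if id(self) in _seen:
            return False
        _seen.add(id(self))
        return any(m is user or (isinstance(m, Group) and m.contains(user, _seen))
                   for m in self.members)


class Resource:
    def __init__(self, name, domain):
        self.name, self.domain, self.dacl = name, domain, []

    def grant(self, group):
        # a domain local group can only be granted access to resources in its own domain
        if group.scope == "domainlocal" and group.domain != self.domain:
            raise ValueError(f"{group.name} cannot be used on resources in {self.domain}")
        self.dacl.append(group)

    def allows(self, user):
        return any(g.contains(user) for g in self.dacl)


def build_scenario():
    """A -> G -> U -> DL -> P across two domains of the constructed forest."""
    alice = User("alice", "corp.example")
    bob = User("bob", "sales.corp.example")
    carol = User("carol", "corp.example")            # not an accountant
    g_corp = Group("Accountants", "corp.example", "global")
    g_sales = Group("Accountants", "sales.corp.example", "global")
    u_all = Group("AllAccountants", "corp.example", "universal")
    dl_read = Group("Ledger_Read", "corp.example", "domainlocal")
    share = Resource("\\\\fs1\\Ledger", "corp.example")
    g_corp.add(alice)        # Accounts into Global groups, per domain
    g_sales.add(bob)
    u_all.add(g_corp)        # Global groups from any domain into a Universal group
    u_all.add(g_sales)
    dl_read.add(u_all)       # Universal group into the Domain Local group for the resource
    share.grant(dl_read)     # Permissions assigned only to the domain local group
    return {"alice": alice, "bob": bob, "carol": carol, "g_corp": g_corp,
            "g_sales": g_sales, "u_all": u_all, "dl_read": dl_read, "share": share}


if __name__ == "__main__":
    s = build_scenario()
    for who in ("alice", "bob", "carol"):
        print(who, "->", s["share"].allows(s[who]))
```

The pay-off of the strategy is visible in `build_scenario`: bob from the sales domain reaches a share in the corp domain without anyone touching the share's DACL, because the only principal on the DACL is the domain local group and the cross-domain aggregation happens in the universal group.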

  33. Example of A G DL P Group Strategy

  34. Group Nesting
     • Nesting groups simplifies administrative tasks
     • Only available for:
       • Windows 2000 native
       • Windows Server 2003 functional level

  35. Understanding the Built-in Groups
     • A number of built-in local security groups with various preassigned rights are created
     • Builtin container:
       • Contains a number of domain local group accounts
       • Are allocated different user rights based on common administrative or network-related tasks
     • Users container:
       • Contains a number of different domain local and global group accounts

  36. Understanding Special Identities
     • Several special identity groups
     • Operating system controls membership
       • Not administrator
     • OS dynamically determines in which special identity groups user should be a member

  37. Special Identity Groups and Members

  38. Creating Groups
     • Actually creating groups is simple
     • Add members to group after it is created

  39. Creating and Managing Computer Accounts
     • Computers require computer accounts to be part of domain
     • Tools to create computer accounts:
       • Active Directory Users and Computers
       • System applet in Control Panel of target computer
     • All authenticated users can add up to 10 computers to domain
       • Increase number or grant Create Computer Objects permission for technicians

  40. Activity 10-8: Creating Computer Accounts
     • Objective: Use Active Directory Users and Computers to create and manage computer accounts
     • Work with Active Directory Users and Computers to add computer accounts to domain

  41. Resetting Computer Accounts
     • Computers use a secure communication channel (known as the secure channel) to communicate with domain controller
     • Password is associated with this secure channel
       • Changed every 30 days by default
       • Synchronized automatically between domain and workstation
     • Synchronization problems can occur
       • Administrator must reset computer account associated with workstation

  42. Publishing Resources
     • Object in directory represents resource
     • Don’t confuse:
       • Creating directory object to represent resource
       • Creating resource itself

  43. Shared Folder
     • Provides only representation of actual share
     • Helps network users locate resources
     • Active Directory does not even check to see if server or the share exists

  44. Printers
     • Dialog box requests network path to printer
     • Active Directory does check for existence of printer

  45. Other Resources
     • As more Active Directory-aware and Active Directory-enabled applications are released
       • Administrators will have ability to locate more and more information in Active Directory database

  46. Organizing Objects in the Directory
     • Large network must be well organized
     • Major advantage of Active Directory
       • Information can be organized in a logical way

  47. Organizing and Controlling with Organizational Units
     • Organize Active Directory structure using organizational units
     • Organizational units:
       • Provide way to separate objects belonging to one data owner from another
       • Facilitate browsing directory
       • Support application of group policy

  48. Moving Objects between Organizational Units
     • Fairly simple to move objects from one organizational unit to another
     • Object’s distinguished name changes when moved

  49. Moving Objects between Domains
     • Not nearly as simple as moving between organizational units
     • Part of the SID must be changed
     • sIDHistory attribute is used
       • Contains SID used in previous domain
     • System uses sIDHistory to include old SID in user’s access token
       • Allows user to retain access to resources where DACL contains old SID
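The mechanism of slide 49, as an added example that is not code from the course. After the move the user carries a SID issued by the new domain, and the old SID sits in `sIDHistory`; `build_token` shows that the token then holds the current SID, the group SIDs and every `sIDHistory` SID, and `access_check` walks an ordered DACL the way Windows does (a matching deny on a still-wanted right ends the check, allows accumulate until the request is satisfied). The SIDs are constructed values in S-1-5-21 form, not real domain SIDs, and the two rights constants are a simplified mask chosen for the example.

```python
"""Access token contents after an inter-domain move, and a DACL check.

Added example, not the course's code. All SIDs are constructed sample values;
READ and WRITE are a simplified rights mask for the example.
"""
READ, WRITE = 0x1, 0x2

OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed domain SID of the source domain
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # constructed domain SID of the target domain


class MovedUser:
    def __init__(self, name, sid, group_sids=(), sid_history=()):
        self.name = name
        self.sid = sid                          # SID issued by the new domain
        self.group_sids = list(group_sids)
        self.sid_history = list(sid_history)    # the sIDHistory attribute


def build_token(user):
    """The set of SIDs the system treats as this user's identities."""
    return {user.sid, *user.group_sids, *user.sid_history}


def access_check(dacl, token, requested):
    """dacl: ordered list of (ace_type, sid, mask) with ace_type 'allow' or 'deny'.
    Returns True only if every requested right is granted before a deny applies."""
    granted = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue                                 # ACE does not apply to this token
        remaining = requested & ~granted
        if ace_type == "deny" and mask & remaining:
            return False                             # explicit deny on a still-wanted right
        if ace_type == "allow":
            granted |= mask & requested
            if granted == requested:
                return True
    return False                                     # nothing matched: implicit deny


def scenario():
    """A user moved from OLD_DOMAIN to NEW_DOMAIN and a share in the old domain
    whose DACL was never updated after the move (constructed)."""
    old_sid = f"{OLD_DOMAIN}-1105"
    new_sid = f"{NEW_DOMAIN}-2001"
    user = MovedUser("jdoe", new_sid, group_sids=[f"{NEW_DOMAIN}-513"], sid_history=[old_sid])
    legacy_dacl = [("allow", old_sid, READ | WRITE)]
    return user, old_sid, legacy_dacl


if __name__ == "__main__":
    user, old_sid, dacl = scenario()
    print("with sIDHistory:", access_check(dacl, build_token(user), READ))
    user.sid_history.clear()
    print("without sIDHistory:", access_check(dacl, build_token(user), READ))
```

Because the old SID is simply another SID in the token, the retained access cuts both ways: a deny ACE that names the old SID keeps applying after the move exactly as an allow does, and once the resource DACLs have been re-ACLed to the new SID the `sIDHistory` entry is no longer needed for access.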

  50. Moving Objects between Domains (continued)
     • Tools:
       • Movetree
       • ADMT
