
Active Directory (AD or ADS)

Active Directory (AD or ADS). Part I. What is it? Where is it? What’s in it? NOS Directory Data Store (directory service, database). Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs).


Presentation Transcript


  1. Active Directory (AD or ADS) Part I

  2. What is it? Where is it? What’s in it?
  • NOS
  • Directory Data Store (directory service, database)
  • Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs)
  • Directory data is stored in the Ntds.dit file on each DC (pull data with DSQUERY)
  • Objects:
    • Users, Computers, Printers, Faxes, Servers, Services
    • Containers - Organizational Units (OUs), Groups, Domains
    • Group Policy Objects (GPOs)

  3. AD Users and Computers Snap-in Tree Structure
  • Builtin OU contains default accounts and groups
  • Users OU contains user accounts or additional OUs

  4. Domain Controller (DC)
  • Houses AD database
  • Single function
  • There are 2 types of servers:
    • Domain Controllers
    • Member Servers

  5. Icons
  • This icon indicates the object is disabled
  • This indicates the object type. Valid types are User, Security Group, Distribution Group
  • This icon indicates the object is a group (container)
  • This icon indicates the object is a single account

  6. Organizational Units (OUs)
  • Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration.
  • The OU is the common level at which to apply GPOs.
  • The OU is the level at which administrative powers are commonly delegated; however, delegation can be performed on individual objects (or Sites – for another day).

  7. Groups
  • Protected groups should have limited members and services (each service should be researched for appropriateness):
    • Enterprise Admins
    • Schema Admins
    • Domain Admins
    • Administrators
  • Custom groups are created by the entity and should follow a defined naming convention. For example, a group name of HRData should have members from the HR department that are authorized to access sensitive HR data.

  8. Password Settings
  • http://technet.microsoft.com/en-us/library/cc737614(WS.10).aspx (MS Recommendations)

  9. Password Settings (cont’d)

  10. Audit Settings

  11. Logon Controls

  12. Group Policy Management Console (GPMC)

  13. Group Policy Management Console (GPMC)

  14. Group Policy Objects (GPOs)
  • Can only be performed with Domain Admin, Enterprise Admin, or delegated authority.
  • Should be a highly-managed task and subject to change management policies and procedures.
  • More than one policy can be applied to a computer (precedence dictates cumulative effect).
  • A DC always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO (occurs even if a different policy is applied to the OU that contains the DC).

  15. Delegation
  • Often, separation of duties for the network administration function is described as too difficult to implement; advise delegation. Tasks to delegate:
    • Help Desk functions
    • User account Management
    • Group Management
    • Group Policy
  • U:\ITA\Section22X\Audit\Questionnaires, Guides, and Other Audit Information\AD
  • http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

  16. Delegation Wizard
  • Good for Help Desk Staff
  • Not good
  • “HOW TO: Customize the Task List in the Delegation Wizard,” MS Knowledge Base Article 308404

  17. DSQuery Syntax
  • To return user information for the domain:
    • dsquery user domainroot – results provide all users in the domain
    • dsquery user OU=Sales,DC=Contoso,DC=Com -o dn – results provide all users in the Sales OU in the Contoso.com domain
    • dsquery user domainroot -inactive 3 – results provide all users in the domain that have been inactive for 3 weeks
  • DSQUERY source information: http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx
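The checks from slides 7 (protected group membership), 8 and 14 (the domain account policy) and 17 (users inactive for 3 weeks) can be run together as one read-only audit. This is an added example, not part of the presentation; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session runs as an account that can read the domain.

```powershell
# Added example (not from the presentation). Read-only AD audit assuming the
# ActiveDirectory module is available; group names are the page's protected groups.
Import-Module ActiveDirectory

# Slide 7: protected groups should have limited, documented membership.
$protectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'
foreach ($g in $protectedGroups) {
    # -Recursive expands nested groups so indirect members are listed too.
    # Schema/Enterprise Admins exist only in the forest root, hence the
    # error suppression when run against a child domain.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    '{0}: {1} user member(s)' -f $g, @($members).Count
    $members | ForEach-Object { '    ' + $_.SamAccountName }
}

# Slide 17: the module equivalent of "dsquery user domainroot -inactive 3"
# (3 weeks = 21 days), restricted to user objects.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 21) -UsersOnly
'Users inactive for 3+ weeks: {0}' -f @($inactive).Count
$inactive | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# Slides 8 and 14: the effective domain account policy (the one DCs apply,
# from the domain-linked GPO) for comparison against the MS recommendations.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, ComplexityEnabled
```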

  18. Dsquery Commands
  • * Output is in Unicode.

  19. Tidbits
  • Default Administrator account cannot be locked out.
  • Spaces can be used in Windows passwords.
  • If a protected group is modified, it resets after a period of time (one exception).
  • MS Updates should follow the change control process.
  • Delegation wizard is customizable.
  • Delegate permissions using the ACL Editor.
  • GPO refresh is 90-120 minutes, by default.
  • http://technet.microsoft.com/en-us/library/cc756087(WS.10).aspx

  20. Tidbits
  • From my experience:
    • Loopback policy processing
    • Computer vs. User Configuration
    • Kiosk solutions
    • Non-ADS LDAP repositories
    • Password-protected screen saver – 4 settings to be effective, .scr file on end-user workstations