MCST 2015 - Module 1.pdf
Transcript of MCST 2015 - Module 1.pdf
-
7/27/2019 MCST 2015 - Module 1.pdf
1/75
Objects and Accounts
Module 1
MCST 2015
Active Directory
-
Organizational Unit (OU)
A container object that functions in a subordinate capacity to a domain, something like a subdomain, but without the complete separation of security policies. As a container object, OUs can contain other OUs, as well as leaf objects.
You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed.
However, an OU is still part of the domain and still inherits policies and permissions from its parent objects.
-
Organizational Units
Can be created to represent your company's functional or geographical model.
Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.
Can be used to apply consistent configuration to client computers, users and member servers.
-
-
Creating an Organizational Unit
To create an organizational unit, you would use the Active Directory Users and Computers console.
-
Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site.
Delegating authority at a domain level affects the entire domain.
Delegating authority at the OU level affects only that OU and its hierarchy.
-
Delegation of Control
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.
You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.
-
Delegating Administrative Control of an OU
Open Active Directory Users and Computers.
Right-click the object to which you wish to delegate control, and click Delegate Control.
Click Next on the Welcome to the Delegation of Control Wizard page.
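Added example (not part of the course slides): the same delegation done from PowerShell with dsacls.exe instead of the wizard, then read back with Get-Acl so a reviewer can see exactly which ACEs were added. The names are assumptions: domain CORP (corp.example), the OU OU=Sales,DC=corp,DC=example and the helpdesk group CORP\Sales-Helpdesk.

```powershell
# Added example (not from the course slides): delegate one task on an OU from
# PowerShell and audit the result. Assumed names: domain CORP (corp.example),
# OU "OU=Sales,DC=corp,DC=example", group CORP\Sales-Helpdesk.
Import-Module ActiveDirectory

$ou    = 'OU=Sales,DC=corp,DC=example'
$group = 'CORP\Sales-Helpdesk'

# 1. Delegate "Reset Password" on user objects only, inherited to the OU's
#    sub-objects (/I:S). dsacls.exe ships with the AD DS tools; the grant
#    string is "<trustee>:<rights>;<extended right>;<object type>".
#    CA = control access (extended right). Nothing is granted on the OU itself.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 2. Let the same group write only the pwdLastSet attribute of users, which is
#    what "User must change password at next logon" sets. WP = write property.
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# 3. Verify. The slides say verification is done in the Security tab of the
#    container; the AD: PSDrive created by the ActiveDirectory module exposes
#    the same ACL. Non-inherited ACEs are the ones delegated at this OU.
function Get-DelegatedAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

Get-DelegatedAce -DistinguishedName $ou | Format-Table -AutoSize

# 4. The wizard has no "undo" page; this removes every ACE for the trustee:
#    dsacls $ou /R $group
```

The ObjectType column holds the GUID of the extended right or attribute (Reset Password, pwdLastSet), and InheritedObjectType the GUID of the user class, which is how a reviewer confirms the grant is limited to user objects rather than the whole OU.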
-
Group Policy
One of the biggest reasons to use OUs is for the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings.
Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU.
Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
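Added example (not part of the course slides): linking a GPO to an OU with the GroupPolicy module and then listing everything the OU's objects receive through inheritance, in the precedence order AD applies it. Assumed names: domain corp.example, the OU OU=Oslo,OU=Branches,DC=corp,DC=example and a GPO called Oslo-Workstation-Baseline; the GroupPolicy module comes with RSAT.

```powershell
# Added example (not from the course slides): link a GPO to an OU and show the
# inherited links. Assumed names: domain corp.example,
# OU "OU=Oslo,OU=Branches,DC=corp,DC=example", GPO "Oslo-Workstation-Baseline".
Import-Module GroupPolicy

$ou  = 'OU=Oslo,OU=Branches,DC=corp,DC=example'
$gpo = 'Oslo-Workstation-Baseline'

# Create the GPO (unlinked, so it applies nowhere yet) and link it to the OU.
New-GPO -Name $gpo -Comment 'Baseline for Oslo branch workstations' | Out-Null
New-GPLink -Name $gpo -Target $ou -LinkEnabled Yes | Out-Null

# Inheritance: the OU receives its own links plus those of every parent OU,
# the domain and the site, unless inheritance is blocked on the OU.
function Get-EffectiveGpoLink {
    param([string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target             = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # InheritedGpoLinks is already in precedence order: the first entry
        # wins when two GPOs set the same policy.
        EffectiveLinks     = $inh.InheritedGpoLinks |
            Select-Object Order, DisplayName, Enabled, Enforced, Target
    }
}

$result = Get-EffectiveGpoLink -Target $ou
$result.EffectiveLinks | Format-Table -AutoSize

# What actually applied on a client in the OU (run on that workstation;
# the computer scope needs an elevated prompt):
#   gpresult /r /scope:computer
```

Because the Domain Controllers OU is the only default OU, this is also the check to run when a GPO "does not apply" to a machine: if its Target column shows only the domain, the object is sitting in a default container rather than an OU.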
-
Accidental Deletion
Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common:
Leaf-node deletion is when a user selects and deletes a leaf object.
Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).
-
Accidental Deletion
To protect objects from accidental deletion:
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
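Added example (not part of the course slides), covering both the Creating an Organizational Unit slide and the two Accidental Deletion slides: OUs created with the protection flag from PowerShell, an audit that finds OUs created without it, and the manual protection of non-OU objects that the slide says have no such default. The domain corp.example and the OU names are assumptions.

```powershell
# Added example (not from the course slides): create protected OUs, then find
# and fix objects that lack the flag. Assumed domain: DC=corp,DC=example.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'

# New-ADOrganizationalUnit protects the OU by default (the slide's check box);
# it is set explicitly here so the intent is visible in the script.
New-ADOrganizationalUnit -Name 'Branches' -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Oslo' -Path "OU=Branches,$domainDn" -ProtectedFromAccidentalDeletion $true

# Under the hood the flag is a Deny "Delete" + "Delete subtree" ACE for
# Everyone on the object, which is why a delete fails until it is cleared.
function Get-UnprotectedOu {
    param([string]$SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Report, then protect, every OU that was created without the flag
# (for example through an LDIF import or an older tool).
$unprotected = Get-UnprotectedOu -SearchBase $domainDn
$unprotected | Select-Object DistinguishedName | Format-Table -AutoSize
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Other object types are NOT protected by default. Protect the accounts whose
# loss would hurt most; here every member of Domain Admins (default group name).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Get-ADObject |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Deleting a protected OU now fails with "Access is denied". The intended way
# to remove one is to clear the flag first, then delete:
#   Set-ADOrganizationalUnit "OU=Oslo,OU=Branches,$domainDn" -ProtectedFromAccidentalDeletion $false
#   Remove-ADOrganizationalUnit "OU=Oslo,OU=Branches,$domainDn" -Recursive
```

Running Get-UnprotectedOu on a schedule is a cheap control: an OU that loses its flag is either about to be deleted on purpose or has been tampered with, and either way someone should know.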
-
Default Containers
When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created:
Builtin
Computers
Domain Controllers
Foreign Security Principals
LostAndFound
-
Default Containers (cont'd)
NTDS Quotas
Program Data
System
Users
-
Default Containers
Default containers are automatically created and cannot be deleted.
The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
-
Default Containers
To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO.
The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.
-
Understanding User Accounts
Three types of user accounts can be created and configured in Windows Server 2008:
Local accounts.
Domain accounts.
Built-in user accounts.
MCST 2015 - Administering the Active Directory
-
Local Accounts
Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside.
Never replicated to other computers, nor do these accounts have domain access.
-
Domain Accounts
Accounts used to access Active Directory or network-based resources, such as shared folders or printers.
Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.
A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
-
Built-in User Accounts
Automatically created when Microsoft Windows Server 2008 is installed.
Built-in user accounts are created on a member server or a standalone server.
When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.
-
Built-in User Accounts
By default, two built-in user accounts are created on a Windows Server 2008 computer:
Administrator account.
Guest account.
Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.
-
Creating and Managing User Accounts
User accounts are usually created and managed with Active Directory Users and Computers.
-
User Account Properties
-
Managing User Accounts
Use Active Directory Users and Computers from a domain controller or workstation with Administrative Tools installed to configure domain accounts.
To modify properties on multiple user accounts at once, use the Shift or Ctrl keys to select all users, then edit the necessary properties. Properties such as the logon name or password cannot be modified in this way.
-
Managing User Accounts
You can move user accounts to add them to the appropriate OUs. Grouping users within OUs allows you to apply Group Policy settings to groups of users.
When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password, then select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring that the user will be the only person who knows the password.
-
Managing User Accounts
You can configure an expiration date for temporary user accounts. Once the account is expired, it cannot be used for logon.
If a user will be gone for an extended period of time, disable the account. This prevents the account from being used during the user's absence. Enable the account when the user returns.
-
Managing User Accounts
Configure the logon hours for a user account to allow the account to only be used between specific hours.
Logon attempts outside of the specified hours will not be allowed.
Users who are currently logged on will be allowed to continue working when the logon hours expire. To log a user off when the logon hours pass, configure Group Policy settings to log the user off automatically.
-
Managing User Accounts
If you accidentally delete a user account, restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.
-
Managing User Accounts
To create another user account similar to an existing user, copy the existing user account. You will be prompted for a new name and password. Existing account settings and group memberships will be copied to the new account. Permissions will not be copied to the new account.
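Added example (not part of the course slides), covering the six Managing User Accounts slides above: the same tasks (initial password with forced change, expiry, disable/enable, logon hours, restoring rather than recreating a deleted account, copying an account) done with the ActiveDirectory module. Assumptions: domain corp.example, the OU OU=Oslo,OU=Branches,DC=corp,DC=example, users jdoe and jroe, and for the restore a forest with the AD Recycle Bin enabled (a Windows Server 2008 R2 feature; the slide itself says "restore from backup"). The logon-hours helper is my own; the attribute layout it encodes is the documented one.

```powershell
# Added example (not from the course slides): user-account tasks with the
# ActiveDirectory module. Assumed names: domain corp.example,
# OU "OU=Oslo,OU=Branches,DC=corp,DC=example", users jdoe and jroe.
Import-Module ActiveDirectory

$ou  = 'OU=Oslo,OU=Branches,DC=corp,DC=example'
$sam = 'jdoe'

# Create the account with a one-time initial password and force a change at
# first logon, so that only the user ends up knowing the real password.
$initial = Read-Host -AsSecureString -Prompt 'Initial password (handed to the user out of band)'
New-ADUser -Name 'Jane Doe' -SamAccountName $sam -UserPrincipalName "$sam@corp.example" `
    -Path $ou -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true

# Temporary account: after the expiry date, logon is refused.
Set-ADAccountExpiration -Identity $sam -DateTime (Get-Date).AddDays(90)

# Extended absence: disable, never delete (SID, memberships and ACL entries
# survive); enable again on return.
Disable-ADAccount -Identity $sam
Enable-ADAccount  -Identity $sam

# Logon hours. The logonHours attribute is a 21-byte bitmask: one bit per hour
# of the week in UTC, bit 0 of byte 0 = Sunday 00:00-00:59. This helper builds
# a mask for Monday-Friday, 07:00-19:00 UTC (assumed business hours).
function New-LogonHoursMask {
    param([int[]]$Days = (1..5), [int]$FromHour = 7, [int]$ToHour = 19)
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $FromHour; $h -lt $ToHour; $h++) {
            $bit = $d * 24 + $h                         # 0..167
            $bytes[$bit -shr 3] = $bytes[$bit -shr 3] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$bytes
}
Set-ADUser -Identity $sam -Replace @{ logonHours = (New-LogonHoursMask) }
# A session already open when the window closes is not cut; that needs the
# "Network security: Force logoff when logon hours expire" Group Policy setting.

# Deleted by mistake? Do not recreate by name: the replacement gets a new SID,
# so every ACL entry and group membership keyed on the old SID is lost. With
# the AD Recycle Bin enabled (assumed here) the original object comes back
# with its SID intact.
function Restore-DeletedUser {
    param([string]$SamAccountName)
    $deleted = Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
                            -IncludeDeletedObjects -Properties objectSid
    if (-not $deleted) { throw "No deleted object named $SamAccountName" }
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADUser -Identity $SamAccountName | Select-Object SamAccountName, SID   # same SID as before
}

# Copying a user keeps attributes and group memberships but not permissions
# granted to the original, because those reference the original's SID.
$template = Get-ADUser -Identity $sam -Properties Department, Title
New-ADUser -Name 'John Roe' -SamAccountName 'jroe' -UserPrincipalName 'jroe@corp.example' `
    -Path $ou -Instance $template -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
$groups = (Get-ADUser -Identity $sam -Properties MemberOf).MemberOf   # primary group is not listed here
Add-ADPrincipalGroupMembership -Identity 'jroe' -MemberOf $groups
```

Compare the SID printed by Restore-DeletedUser with the one an ACL still references (for example in the output of icacls on a folder the user owned): a restored object matches, a recreated one shows up as an orphaned SID.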
-
Managing Computer Accounts
A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:
Create a computer account in Active Directory.
Join a computer to the domain. When you join the domain, the device is associated with the Active Directory computer account.
-
Managing Computer Accounts
Because the Computers folder is not an OU, you cannot link a GPO to this container, meaning that only Group Policy settings in the domain will apply to these computers. For more control over Group Policy settings for computers or groups of computers, move computer accounts to OUs.
To control where computer accounts are placed when the computer joins the domain, create computer accounts ahead of time before joining the domain from the workstation.
-
Managing Computer Accounts
The following group members can create a computer account:
Account Operators
Domain Admins
Enterprise Admins
-
Managing Computer Accounts
Members of the Authenticated Users group can join up to 10 computers to a domain from a workstation (and create the computer account automatically if it does not already exist). This ability comes from the Add workstations to a domain user right. You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.
-
Managing Computer Accounts
You can grant other users permissions to create computer accounts by giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.
To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
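Added example (not part of the course slides), covering the five Managing Computer Accounts slides: pre-staging a computer account in the right OU so the join lands under the intended GPOs, granting Create Computer Objects on an OU, and auditing the two settings behind "Authenticated Users can join up to 10 computers": the ms-DS-MachineAccountQuota attribute on the domain object and the Add workstations to domain user right. Assumed names: domain corp.example, the OU OU=Workstations,OU=Oslo,OU=Branches,DC=corp,DC=example, computer OSL-WS-042 and group CORP\Deskside-Techs.

```powershell
# Added example (not from the course slides): pre-stage a computer account,
# delegate computer creation on an OU, and audit who else can create them.
# Assumed names: domain corp.example, OU below, computer OSL-WS-042,
# group CORP\Deskside-Techs.
Import-Module ActiveDirectory

$ou   = 'OU=Workstations,OU=Oslo,OU=Branches,DC=corp,DC=example'
$name = 'OSL-WS-042'

# 1. Pre-create the account so the join lands in this OU (and its GPOs), not
#    in the default Computers container, which no OU-level GPO can reach.
New-ADComputer -Name $name -SamAccountName ($name + '$') -Path $ou -Enabled $true

# 2. "Create Computer Objects" on the OU for a deskside group (the slide's
#    unlimited alternative to the 10-computer quota). CC = create child of the
#    given class; /I:T applies to this OU and its sub-OUs.
dsacls $ou /I:T /G 'CORP\Deskside-Techs:CC;computer'

# 3. Audit: ms-DS-MachineAccountQuota on the domain object is the "10".
function Get-MachineAccountQuota {
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
Get-MachineAccountQuota   # 10 on an untouched domain

# Setting it to 0 leaves only explicitly delegated principals (step 2 and the
# groups on the slide) able to create computer objects:
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
# The user right itself lives in the Default Domain Controllers Policy
# ("Add workstations to domain", granted to Authenticated Users by default);
# review it there, since the quota and the right work together.

# 4. Computers that joined without pre-staging sit in CN=Computers and get
#    only domain-linked GPOs; list them so they can be moved into an OU.
function Get-ComputerInDefaultContainer {
    $container = (Get-ADDomain).ComputersContainer
    Get-ADComputer -Filter * -SearchBase $container -SearchScope OneLevel |
        Select-Object Name, DistinguishedName
}
Get-ComputerInDefaultContainer | Format-Table -AutoSize
# Move one with:  Move-ADObject -Identity <DN> -TargetPath $ou
# (or the dsmove utility the summary mentions, from a command prompt).
```

Get-ComputerInDefaultContainer returning anything is a finding in its own right: those machines receive only the domain-level policy, which is exactly the gap the "move computer accounts to OUs" slide warns about.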
-
Managing Service Accounts
A service account is a special user account that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform.
-
Managing Service Accounts
Categories of Service Accounts:
Built-in local user account
Domain user account
Managed service account
Virtual account
-
Managing Service Accounts
Built-in local user account
A built-in user account is a user account that is created automatically during installation. The following three built-in user accounts are used by most services:
Local System account (also called the System account)
Local Service account
Network Service account
-
Managing Service Accounts
Domain user account
User accounts are managed centrally in Active Directory.
You can create a single user account for a single service, or share a user account for multiple services.
You can grant only the specific privileges required by the service.
You must manage account passwords. For example, you will need to periodically reset the account password on the account as well as reset the password used by the service.
-
Managing Service Accounts
Managed service account
A managed service account is a new account type available in Windows Server 2008 R2 and Windows 7.
A managed service account provides the same benefits of using a domain user with the added benefit that passwords are managed and reset automatically.
An account can be used on only one computer (you must create at least one account per computer).
Each account can be used by multiple services on a computer. You can also create a separate account for each service.
-
Managing Service Accounts
Virtual account
A virtual account is a new account type available in Windows Server 2008 R2 and Windows 7. Virtual accounts:
Are not created or deleted.
Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.
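Added example (not part of the course slides), covering the service-account slides above: creating the one-computer managed service account the slides describe and binding it to its host, then an audit that finds the plain domain user accounts still used as service accounts, the category whose password rotation the slides leave to you. Assumed names: domain CORP (corp.example), computer OSL-APP-01, managed service account svc-inventory and a Windows service called InventoryAgent; the 180-day age threshold is an assumption.

```powershell
# Added example (not from the course slides): one-computer managed service
# account plus an audit of domain-user service accounts. Assumed names:
# domain CORP, computer OSL-APP-01, MSA svc-inventory, service InventoryAgent.
Import-Module ActiveDirectory

$computer = 'OSL-APP-01'
$msa      = 'svc-inventory'

# 1. On a DC or admin workstation: create the MSA and bind it to one computer.
#    -RestrictToSingleComputer (Windows Server 2012+ module) creates the
#    2008 R2-style standalone MSA; on the 2008 R2 module that is the only kind
#    New-ADServiceAccount makes, so omit the switch there.
New-ADServiceAccount -Name $msa -RestrictToSingleComputer -Enabled $true
Add-ADComputerServiceAccount -Identity $computer -ServiceAccount $msa

# 2. On the computer itself: install the account so the local LSA can use it;
#    from then on the password is negotiated with AD and rotated automatically.
#      Install-ADServiceAccount -Identity $msa
#      Test-ADServiceAccount -Identity $msa      # True when the host can use it
#    Then point the service at it; the password field stays empty:
#      sc.exe config InventoryAgent obj= 'CORP\svc-inventory$' password= ''

# 3. Audit: ordinary domain user accounts that act as service accounts are the
#    ones whose passwords a human must rotate (the slide's "you must manage
#    account passwords"). A servicePrincipalName on a user object marks it as
#    one; PasswordLastSet shows how long rotation has lapsed.
function Get-StaleServiceUser {
    param([int]$MaxPasswordAgeDays = 180)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'servicePrincipalName -like "*"' `
               -Properties PasswordLastSet, ServicePrincipalName, PasswordNeverExpires |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                      @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

Get-StaleServiceUser | Format-Table -AutoSize
```

Each row from Get-StaleServiceUser is a candidate for migration to a managed service account, which removes it from the manual rotation list entirely; where migration is not possible, the PasswordLastSet column is the schedule.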
-
Group Accounts
Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
-
Group Accounts
When a user logs on, an access token is created that identifies the user and all of the user's group memberships.
This access token is used to verify a user's permissions when the user attempts to access a local or network resource.
By using groups, multiple users can be given the same permission level for resources on the network.
Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
-
Group Types
Distribution groups - Non-security-related groups created for the distribution of information to one or more persons.
Security groups - Security-related groups created for purposes of granting resource access permissions to multiple users.
-
Group Nesting
Users can be members of more than one group.
Groups can contain other Active Directory objects, such as computers, and other groups.
Groups containing groups is called group nesting.
-
Group Scopes
Global
Domain Local
Universal
-
Using Global and Domain Local Groups
Global
These groups can include users, computers, and other global groups from the same domain.
You can use them to organize users who have similar functions and therefore similar requirements on the network.
Domain local
These groups can include users, computers, and groups from any domain in the forest.
They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.
-
Using Global and Domain Local Groups
Assign users within a domain to global groups.
Add global groups to domain local groups.
Assign permissions to domain local groups.
-
Universal Groups
These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.
A universal group can include users, computers, and global groups from any domain in the forest.
Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
-
AGUDLP
Microsoft approach to using groups:
Add Accounts to Global groups.
Add those global groups to Universal groups.
Add universal groups to Domain Local groups.
Finally, assign Permissions to the domain local groups.
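Added example (not part of the course slides), covering the Group Accounts, Group Scopes and AGUDLP slides: the full A-G-U-DL-P chain built with the ActiveDirectory module, the permission placed on the domain local group only, and two checks, one that the user really reaches the ACL group through the nesting and one that shows the scope rule AD enforces on global groups. Assumed names: domain CORP (corp.example), the OU OU=Groups,DC=corp,DC=example, the share \\OSL-FS-01\Projects and user jdoe; the group naming scheme is mine.

```powershell
# Added example (not from the course slides): AGUDLP built and verified.
# Assumed names: domain CORP (corp.example), OU "OU=Groups,DC=corp,DC=example",
# share \\OSL-FS-01\Projects, user jdoe.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'

# A -> G: accounts go into a global group that names a role in this domain.
New-ADGroup -Name 'Role-Sales-Oslo' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Sales-Oslo' -Members 'jdoe'

# G -> U: global groups (possibly from several domains) collect in a universal
# group; its membership is what replicates to every global catalog.
New-ADGroup -Name 'Role-Sales-All' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Sales-All' -Members 'Role-Sales-Oslo'

# U -> DL: the universal group goes into a domain local group that names the
# resource and the access level. This is the only group that ever sits on an ACL.
New-ADGroup -Name 'ACL-Projects-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL-Projects-Modify' -Members 'Role-Sales-All'

# P: the permission lands on the domain local group only.
$share = '\\OSL-FS-01\Projects'
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\ACL-Projects-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check 1: does the user reach the ACL group through the nesting?
# Get-ADGroupMember -Recursive flattens nested groups down to the accounts.
function Test-EffectiveMember {
    param([string]$User, [string]$Group)
    $members = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
    [bool]($members -contains $User)
}
Test-EffectiveMember -User 'jdoe' -Group 'ACL-Projects-Modify'   # True

# Check 2: the scope rule AD enforces. A global group cannot contain a
# principal from another domain, so this nesting attempt is rejected by the
# directory; that is why the cross-domain step belongs to the universal group:
#   Add-ADGroupMember -Identity 'Role-Sales-Oslo' -Members 'OTHERDOM\Role-Sales-Bergen'

# The access-token slide applies here: jdoe gets the new group only in a token
# built after the change, so a log off / log on (or a fresh SMB session) is
# needed before "whoami /groups" on the workstation lists ACL-Projects-Modify.
```

Keeping the ACL limited to domain local groups also makes the share auditable from the directory side: Get-ADGroupMember -Recursive on ACL-Projects-Modify answers "who can modify Projects" without touching the file server.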
-
Creating and Managing Groups
Creating and managing groups is usually done with Active Directory Users and Computers.
-
Group Properties
-
Working with Default Groups
Account Operators - Can create, modify and delete accounts for users, groups, and computers in all containers and OUs. Cannot modify the Administrators, Domain Admins and Enterprise Admins groups.
Administrators - Complete and unrestricted access to the computer or domain controller.
Backup Operators - Can back up and restore all files on the computer.
-
Working with Default Groups
Guests - Same privileges as members of the Users group. Disabled by default.
Print Operators - Can manage printers and document queues.
Server Operators - Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.
-
Working with Default Groups
Users - Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions.
DNSAdmins - Permits administrative access to the DNS server service.
-
Working with Default Groups
Domain Admins - Can perform administrative tasks on any computer anywhere in the domain.
Domain Computers - Contains all computers. Used to make computer management easier through group policies.
Domain Controllers - Contains all computers installed in the domain as a domain controller.
-
Working with Default Groups
Domain Guests - Members include all domain guests.
Domain Users - Members include all domain users. Used to assign permissions to all users in the domain.
Enterprise Admins - Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.
-
Working with Default Groups
Schema Admins - Members can manage and modify the Active Directory schema.
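Added example (not part of the course slides), covering the Working with Default Groups slides: a membership review of the default groups listed there, expanded through nesting, so the people who actually hold Account Operators, Server Operators, Domain Admins and the rest can be compared with the group plan. It assumes a domain member with RSAT, the default group names from the slides, and that the Guest account still has its default name.

```powershell
# Added example (not from the course slides): who holds the default groups,
# including members that arrive through nested groups. Assumed: RSAT present,
# default group names as on the slides.
Import-Module ActiveDirectory

$defaultGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DNSAdmins'
)

function Get-DefaultGroupMembership {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root
        # domain, so a lookup may legitimately return nothing.
        $grp = Get-ADGroup -Filter "name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        $direct = @(Get-ADGroupMember -Identity $grp | Select-Object -ExpandProperty DistinguishedName)
        foreach ($m in Get-ADGroupMember -Identity $grp -Recursive) {
            [pscustomobject]@{
                Group  = $g
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Direct = ($direct -contains $m.DistinguishedName)   # False = came in via nesting
            }
        }
    }
}

$report = Get-DefaultGroupMembership -Groups $defaultGroups
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Two quick findings worth flagging from the same data:
# computer accounts in operator groups, and a Guest account that is enabled
# although the slides (and the default) say disabled.
$report | Where-Object { $_.Class -eq 'computer' }
Get-ADUser -Filter "name -eq 'Guest'" | Select-Object Name, Enabled   # expected Enabled: False
```

The Direct column is the useful one for the group plan: a member that reached Account Operators through two levels of nesting was probably never reviewed as an operator, which is the nesting standard the Group Implementation Plan slide asks for.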
-
Special Identity Groups and Local Groups
Authenticated Users - Used to allow controlled access to resources throughout the forest or domain.
Everyone - Used to provide access to resources for all users and guests. Assigning this group to resources is not recommended.
-
Group Implementation Plan
A plan that states who has the ability and responsibility to create, delete, and manage groups.
A policy that states how domain local, global, and universal groups are to be used.
A policy that states guidelines for creating new groups and deleting old groups.
A naming standards document to keep group names consistent.
A standard for group nesting.
-
Creating Users and Groups
Active Directory Users and Computers.
Batch files.
Comma-Separated Value Directory Exchange (CSVDE).
LDAP Data Interchange Format Directory Exchange (LDIFDE).
Windows Script Host (WSH).
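Added example (not part of the course slides): bulk-creating users with the LDIFDE and CSVDE tools named above, with the input files written from PowerShell and the accounts finished off with the ActiveDirectory module. Assumed names: domain corp.example, the OU OU=Oslo,OU=Branches,DC=corp,DC=example, and the constructed sample users in the files.

```powershell
# Added example (not from the course slides): bulk user creation via LDIFDE
# and CSVDE. Assumed names: domain corp.example and the OU below; the users
# in the two files are constructed sample data.
$ou = 'OU=Oslo,OU=Branches,DC=corp,DC=example'

# --- LDIFDE: one record per object, one attribute per line, blank line
# between records. userAccountControl 514 = NORMAL_ACCOUNT (512) +
# ACCOUNTDISABLE (2): an LDIF import over plain LDAP cannot set a password,
# so the accounts are created disabled and enabled once a password is set.
$ldif = @"
dn: CN=Kari Nordmann,$ou
changetype: add
objectClass: user
sAMAccountName: knordmann
userPrincipalName: knordmann@corp.example
displayName: Kari Nordmann
userAccountControl: 514

dn: CN=Ola Nordmann,$ou
changetype: add
objectClass: user
sAMAccountName: onordmann
userPrincipalName: onordmann@corp.example
displayName: Ola Nordmann
userAccountControl: 514

"@
Set-Content -Path .\newusers.ldf -Value $ldif -Encoding ASCII
ldifde -i -k -f .\newusers.ldf     # -i import, -k continue past "already exists"

# --- CSVDE: header row of attribute names, one object per row. CSVDE can
# only add objects; it cannot modify or delete existing ones.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"CN=Per Hansen,$ou",user,phansen,phansen@corp.example,Per Hansen,514
"@
Set-Content -Path .\newusers.csv -Value $csv -Encoding ASCII
csvde -i -k -f .\newusers.csv

# --- Finish with the module: initial password, forced change at first logon,
# then enable, for every account in the OU that arrived disabled.
Import-Module ActiveDirectory
$initial = Read-Host -AsSecureString -Prompt 'Initial password for imported accounts'
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $ou -SearchScope OneLevel |
    ForEach-Object {
        Set-ADAccountPassword -Identity $_ -NewPassword $initial -Reset
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
        Enable-ADAccount -Identity $_
    }
```

Creating the accounts disabled and enabling them only after a password is set is the part worth keeping even when the import tool changes: an enabled account with no usable password is never left sitting in the directory between the two steps.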
-
Summary
When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.
Delegation of administrative tasks should be a consideration in your plan.
Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.
-
Summary
Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard.
Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.
-
Summary
Three types of user accounts exist in Windows Server 2008:
Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
-
Summary
The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008. It can be renamed, but it cannot be deleted.
The Guest account is a built-in account used to assign temporary access to resources. It can be renamed, but it cannot be deleted. This account is disabled by default and the password can be left blank.
-
Summary
Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).
Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
-
Summary
Global groups are used to organize domain users according to their resource access needs. Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
-
Summary
Universal groups are used to provide access to resources anywhere in the forest. Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
-
Summary
The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group, and then assigns permissions to the domain local group.
-
Summary
Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.
Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.