Presentation is loading. Please wait.

Presentation is loading. Please wait.

WolfTech Active Directory: OU Administration June 30th, 2009 2-5pm Daniels 407.

Published byBartholomew Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "WolfTech Active Directory: OU Administration June 30th, 2009 2-5pm Daniels 407."— Presentation transcript:

1 WolfTech Active Directory: OU Administration http://www.wolftech.ncsu.edu/activedirectory June 30th, 2009 2-5pm Daniels 407

2 Tools Remote Server Administration Tools (RSAT) o Vista SP1+ / 2008 version of AdminPak o Only way to access Group Policy Preferences o Includes all added functionality from 2003 R2 GPMC - Included in Vista o VBScripts for doing GPO Scripting SpecOps GPUpdate - Extension for ADUC Scripting: VBScript/PowerShell ShellRunas - Run as different Domain User for Vista o Do not do administration with normal unity account Custom MMC Consoles DEMO!

3 Migration Checklist 1.Get your house in order: o DNS needs to be accurate, including DNS domains, use DHCP o Asset tracking needs to be accurate o Laptops - register in NOMAD 2.Design OU/Group Layout Considerations o What types of Users do you have to support? o What types of computers ? o Are there multiple Logical Units? Offices? Departments? 3.Management Policies o Who can login where? What level of permissions should they have? o Who is allowed to administer the machines? o Do you need to deploy Mapped Drives, Scripts, or Printers? 4.Software Deployment Strategy o Who can install their own software on what machines? o What software packages need to be automated? 5.Migrating Machines o Reinstall from scratch or Join them in current state? o Pre-Staging Computer Objects o Do you include Mac/Linux machines? o New Machine/Reinstallation - WDS 6.What other services will you need to provide?

4 Accounts Accounts already provisioned for all Unity Centrally managed Passwords synced via Password Change Page Units can create their own accounts: o more than 8 characters o Administrative:.admin o Guests:.. o Service:..service http://www.wolftech.ncsu.edu/support/support/Active_Directory/Naming_Standards Coming Soon: o Workshop Accounts o Cross Realm Trust

5 Grouping "Best Practices": Creating lots of groups up front will ease administration when change requests are needed later on. It is better to have a group and not use it, than need a group and not have one. Always use groups for delegating permissions. Types of Groups: Group by User Directory Info: Faculty/Staff/Student Group by Machine Use: Public Lab/Teaching Lab/Kiosk/Server Group by Machine type: Laptop/Desktop Group by Administrative Access: Server Admins/Lab Admins Groups for Application Deployment Groups for Printer Deployment Groups for Resource Access

6 WolfTech Managed Groups Create Groups based on: o OUC o Affiliation o Building o Course Rolls Membership populated daily! Set expiration dates! http://www.wolftech.ncsu.edu/wtmg/

7 OU Layout - Machine Types Single User o Faculty - Individual login, local admin o Staff - Individual or group login, no local admin o Grad Students - Group login, no student admin, Faculty admin Labs o Teaching Labs - college or class login, user rights o Public Labs - any account login (or college), user rights o Research Labs - Group login, user rights Stand Alone o Kiosks - no login, extremely locked down o Conference Rooms - any account login o Loaner machines Servers Macs? Linux boxes?

8 OU Layout Considerations Favor an overly-hierarchical layout rather than a flat layout Allows for easier targeting of GPO's Follows a more logical structure for support Its harder to move from Flat->Hierarchical than vise-versa Q: Design OU structure based on Function or Organization? A: Both! First one, then the other. Examples! Desktops/Laptops OU's: Cron Job to help maintain group memberships

9 Group Policy Basics Creating: Group Policy Objects Container How to copy a GPO Starter GPO's GPO Processing: GPO processing starts at the root of the domain and overlays as you get closer to the object Link GPO's to OU's Link ordering on OU's Filter GPO's based on Group membership Filter GPO's based on WMI Enforced vs. Blocking Inheritance Deny permission?

10 Group Policy Basics (continued) Naming Conventions: - For software: {SW,FW,EX}- - Be descriptive in your GPO names, there is no length limit Some "best practices": GPO's that provide access to a resource should be linked at the highest level that is administratively feasible. WMI filtering on specific versions of software usually doesn't get updated. Use WMI filters for OS, and Item-Level targeting in GPP for everything else you can. If you find yourself creating alot of GPO's to solve a single problem, you are doing something wrong.

11 Group Policy Diagnostics gpupdate - initiate a Group Policy refresh (optional: /force) Group Policy Results - What is applying now Group Policy Modeling - Planning out changes before making them (currently doesn't work) Group Policy Logging: o http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx

12 Group Policy - WolfTech Specifics WolfTech uses Loopback Processing (merge mode) Permissions: Cron: o All OU Admins get Read to all GPO's o Delegate permissions to -OU Admins group for GPO's following naming conventions mentioned earlier "Deny" permissions on GPO's should be used with care o Primary use case is in Software Distribution

13 Policies Types of Policies: Software Deployment Scripts Security Settings o Restricted Groups o User Rights assignment o Machine Permissions (Filesystem, Registry, Services) o Software restriction o Configure Wireless o Windows Security Guide Templates are already in WolfTech  {VSG, XP, WS03, WS08} EC Administrative Templates o Firewall - no spaces in comma separated lists! o Windows Update, IE, desktop environment, etc. o DNS Domain, DNS Search order o WSUS Groups (client-side targetting)

14 Software Distribution Naming: SW-OU-Vendor-App-Version-Build date o SW-NCSU-Mathworks-Matlab-7.6-20090605 Assigned via GPO o "Remove when out of scope" o SW - Licensed Software o FW - Freeware o EX - Experimental (In testing, Use at own rise, etc.) Group Hierarchy o A Group Created at Software level will replicate down to all child colleges/departments

15 Preferences Types of Preferences: Mapped Drives Power Settings Printers* Distributing individual files, registry keys, shortcuts Collections Item-Level Targeting lets you filter based off of: o IP Address/MAC Address/Battery State o Security Group/OU/User o Registry/File Match o Date/Time o and much, much more! http://www.wolftech.ncsu.edu/support/support/Active_Directory/Documentation#Group_Policy_Preferences

16 Windows Software Update Services WSUS is the freepatch distribution product provided by MS. All patches except drivers Approval Timelines: o Early, Normal, Late o Use GPO to set the Client Group: -Early Reports o http://www.wolftech.ncsu.edu/support/support/Active_Directory/Documentati on/WSUS_Management_Console http://www.wolftech.ncsu.edu/support/support/Active_Directory/Documentati on/WSUS_Management_Console http://www.wolftech.ncsu.edu/support/support/Active_Directory/Service_Groups#WS US_Service_Group

17 Windows Distribution Services WDS is the free image creation and deployment product provided by MS PXE - DHCP Templates (WDS-Main, WDS-Centennial, PXE-All) Base OS's + drivers Vista/Windows 7 are easy, XP works http://www.wolftech.ncsu.edu/support/support/Active_Direct ory/Documentation/WDS

18 Scenarios What are some problems that you need to solve?

19 Q & A

Download ppt "WolfTech Active Directory: OU Administration June 30th, 2009 2-5pm Daniels 407."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.

Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.
Module 14: Implementing an Active Directory Infrastructure.

Module 14: Implementing an Active Directory Infrastructure.
NREL is a national laboratory of the U.S. Department of Energy Office of Energy Efficiency and Renewable Energy operated by the Alliance for Sustainable.

NREL is a national laboratory of the U.S. Department of Energy Office of Energy Efficiency and Renewable Energy operated by the Alliance for Sustainable.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Managing User Settings with Group Policy

Managing User Settings with Group Policy
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.

Hands-On Microsoft Windows Server 2003 Administration Chapter 4 Managing Group Policy.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Clyde G. Johnson.  Test Environment  Tools of the trade  Demo  Central Store  Show  Group Policy Spreadsheets  Demo  Planning and Deployment.

Clyde G. Johnson.  Test Environment  Tools of the trade  Demo  Central Store  Show  Group Policy Spreadsheets  Demo  Planning and Deployment.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Lesson 16: Creating Group Policy Objects

Lesson 16: Creating Group Policy Objects
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
Group Policy in Microsoft Windows Active Directory.

Group Policy in Microsoft Windows Active Directory.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 9-10-11 2008.

(ITI310) By Eng. BASSEM ALSAID SESSIONS

Similar presentations

Ads by Google