70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 10: Managing Users, Groups, Computers and Resources.


1 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 10: Managing Users, Groups, Computers and Resources

2 Objectives (Guide to MCSE 70-294, Enhanced)
- Create user objects in Active Directory and set values for the attributes of a user object
- Create and manipulate groups in Active Directory, and understand the effects of different group scopes
- Create and manage computer accounts

3 Objectives (continued)
- Create objects for other resources, such as shared folders and printers
- Organize objects in Active Directory by leveraging the use of organizational units

4 Planning and Administering User Accounts
- Most frequently changed objects are user objects
  - Users are added, removed, etc.

5 User Classes, Properties, and Schema
- User class defines a number of required and optional attributes
- Mandatory attributes:
  - cn
  - instanceType, objectCategory, and objectClass
  - objectSID
  - sAMAccountName
- More than 200 optional attributes

6 The Names of a User
- Name attributes:
  - sAMAccountName: also called user logon name (pre-Windows 2000)
  - userPrincipalName (UPN): also called user logon name
- Decide on a naming convention for user accounts
  - Most common convention is to use the user's first initial followed by the user's last name

7 The Names of a User (continued)
- UPN composed of two parts:
  - Username
  - UPN suffix
- UPN suffix is the DNS name by default
  - Can choose another suffix
- Joined by the @ symbol
  - Example: SomeUser@mydomain.com

8 Name Suffix Routing
- Provides name resolution across forests
- Used to route authentication requests to the correct forest
- Disabled when a naming conflict occurs
  - A given unique name suffix can only exist in one forest

9 Creating Users with Active Directory Users and Computers
- Must be working at a domain controller
  - Or must have the administrative tools installed at your workstation
- Windows issues a query to the global catalog to verify that the UPN is unique within the forest
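Slides 6, 7 and 9 describe the two logon names, the first-initial-plus-last-name convention, and the global catalog uniqueness check. The following added example (not part of the course material) puts those rules into a small allocation routine: it derives the sAMAccountName and UPN, strips characters that are not allowed in a pre-Windows 2000 logon name, enforces the 20-character sAMAccountName limit, and appends a counter when the name already exists. The sets of existing names stand in for the directory and global catalog lookups; the sample names and the domain mydomain.com are constructed.

```python
"""Added example (not from the slides): derive a new user's two logon names
from the first-initial + last-name convention and check them for uniqueness
the way the slides describe the global catalog check for the UPN.
Sample users and the domain name are constructed."""

# Characters not allowed in a pre-Windows 2000 logon name (sAMAccountName);
# 20 characters is the documented maximum for user accounts.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20


def sam_account_name(first: str, last: str) -> str:
    """First initial followed by last name, lower-cased, cleaned, truncated."""
    raw = (first[:1] + last).lower()
    cleaned = "".join(ch for ch in raw
                      if ch not in SAM_FORBIDDEN and not ch.isspace())
    if not cleaned:
        raise ValueError("name yields an empty logon name")
    return cleaned[:SAM_MAX_LEN]


def user_principal_name(logon: str, upn_suffix: str) -> str:
    """UPN = username + '@' + UPN suffix (the DNS domain name by default)."""
    return f"{logon}@{upn_suffix}"


def allocate_logon_names(first, last, upn_suffix, existing_upns, existing_sams):
    """Return (sAMAccountName, UPN) that do not collide with existing names.

    existing_upns stands in for the forest-wide global catalog query on the
    UPN; existing_sams stands in for the domain's own sAMAccountName check.
    On a collision a counter is appended (jdoe, jdoe2, jdoe3, ...) while
    keeping the sAMAccountName within its 20-character limit.
    """
    base = sam_account_name(first, last)
    upns = {u.lower() for u in existing_upns}
    sams = {s.lower() for s in existing_sams}
    candidate, n = base, 1
    while True:
        upn = user_principal_name(candidate, upn_suffix)
        if candidate not in sams and upn.lower() not in upns:
            return candidate, upn
        n += 1
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix


if __name__ == "__main__":
    # Constructed directory contents: jdoe already exists in the forest.
    taken_upns = {"jdoe@mydomain.com"}
    taken_sams = {"jdoe"}
    print(allocate_logon_names("Jane", "Doe", "mydomain.com", taken_upns, taken_sams))
```

The check against both name sets matters because the two names have different uniqueness scopes: the sAMAccountName must be unique within the domain, while the UPN must be unique across the whole forest, which is why the console consults the global catalog.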

10 The New Object - User Dialog Box

11 New User Password and Security Attributes

12 Activity 10-2: Creating a New User Object
- Objective: Practice creating new user objects
- Use the Active Directory Users and Computers console to create a new user

13 Setting Additional Attributes
- Many user attributes are exposed through property pages in the Active Directory Users and Computers console
  - Right-click the object in Active Directory Users and Computers
  - Choose Properties

14 Setting Additional Attributes (continued)
- Categories:
  - General and business information
  - Account and profile settings
  - Terminal Services settings
  - Dial-in settings
  - Advanced properties

15 Resetting Passwords
- User's password is stored in encrypted form
  - Operating system can access it to validate the user
- Administrator cannot retrieve a forgotten user password
  - It must be reset
  - Access to encrypted files may be lost

16 User Account Templates
- Preconfigured user account
  - Already has the common attributes associated with a particular type of user configured
- Reduces time and administrative burden
- Administrator copies the template account to create a new user

17 Command-line Utilities
- DSADD
- DSMOD
- DSQUERY
- DSGET
- DSMOVE
- DSRM

18 Bulk Import and Export
- CSVDE
  - Command-line tool
  - Supports bulk export and import of Active Directory data
  - File format: comma-separated value (CSV) files
- LDIFDE
  - Command-line tool
  - Used to import and export data from Active Directory
  - File format: LDAP Interchange Format (LDIF)

19 Activity 10-5: Using LDIFDE to Modify User Accounts
- Objective: Use LDIFDE to modify an existing user account
- Practice using the LDIFDE utility to work with user data
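Slides 18 and 19 name LDIFDE and its LDIF file format without showing what the file looks like. The following added example (not part of the course material) generates the two kinds of record an administrator writes for LDIFDE: an add record that creates a user object and a modify record that replaces attributes of an existing user, as in Activity 10-5. The encoding rules (base64 for values that are not safe ASCII, folding of long lines) follow RFC 2849; the distinguished names, user names and domain are constructed. The userAccountControl values 514 (normal account, disabled) and 512 (normal account, enabled) are the standard flag values.

```python
"""Added example (not part of the slides): build LDIF records of the kind
LDIFDE imports.  One record creates a user object, the other modifies
attributes of an existing user.  DNs, names and domain are constructed;
formatting follows RFC 2849."""

import base64

MAX_LINE = 76  # RFC 2849 recommends folding lines longer than 76 characters


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rule: base64 when the value is not plain ASCII,
    contains CR, LF or NUL, or begins with a space, a colon or '<'."""
    if not value.isascii() or any(c in value for c in "\r\n\x00"):
        return True
    return value[:1] in (" ", ":", "<")


def _attr_line(name: str, value: str) -> str:
    """'name: value', or 'name:: base64' when the value is not safe."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def _fold(line: str) -> str:
    """Wrap a long line; each continuation line begins with one space."""
    parts, rest = [line[:MAX_LINE]], line[MAX_LINE:]
    while rest:
        parts.append(" " + rest[:MAX_LINE - 1])
        rest = rest[MAX_LINE - 1:]
    return "\n".join(parts)


def ldif_add_user(dn, sam, upn, given, sn, display, disabled=True):
    """LDIF 'add' record for a user object.

    userAccountControl 514 = normal account, disabled; 512 = enabled.
    A user created without a password must be imported disabled, so the
    default keeps the account disabled until a password has been set.
    """
    attrs = [
        ("objectClass", "user"),
        ("cn", display),
        ("sAMAccountName", sam),
        ("userPrincipalName", upn),
        ("givenName", given),
        ("sn", sn),
        ("displayName", display),
        ("userAccountControl", "514" if disabled else "512"),
    ]
    lines = [_attr_line("dn", dn), "changetype: add"]
    lines += [_attr_line(name, value) for name, value in attrs]
    return "\n".join(_fold(line) for line in lines) + "\n"


def ldif_modify(dn, replacements):
    """LDIF 'modify' record that replaces each attribute in `replacements`
    (a dict of attribute name -> new value); each change ends with '-'."""
    lines = [_attr_line("dn", dn), "changetype: modify"]
    for name, value in replacements.items():
        lines += [f"replace: {name}", _attr_line(name, value), "-"]
    return "\n".join(_fold(line) for line in lines) + "\n"


if __name__ == "__main__":
    dn = "CN=Jane Doe,OU=Sales,DC=mydomain,DC=com"   # constructed
    print(ldif_add_user(dn, "jdoe", "jdoe@mydomain.com", "Jane", "Doe", "Jane Doe"))
    print(ldif_modify(dn, {"description": "Sales", "telephoneNumber": "555-0100"}))
```

Writing the records to a file and importing them with `ldifde -i -f <file>` applies the changes; the add record deliberately leaves the account disabled, because LDIFDE cannot set a password over an unprotected LDAP connection and an enabled account with no password would violate the domain password policy.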

20 Creating and Modifying User Accounts Programmatically
- Many ways to create users besides the Users and Computers console:
  - Scripts or programs
  - Automatically, by a variety of tools
- Active Directory Service Interface (ADSI)
  - Provides a single abstract set of directory service interfaces for management of the network
  - Makes it simple for administrators to automate common tasks

21 Creating and Modifying User Accounts Programmatically (continued)
- Active Directory Service Interface (ADSI)
  - Programmers can use ADSI from a Visual Basic, C#, or VC++ application
  - Network administrators use Windows Scripting Host (WSH) with VBScript (or another scripting language that WSH supports)

22 Planning and Administering Groups
- Groups simplify Active Directory management
  - Save time and effort
  - Eliminate some mistakes

23 Group Types
- Security groups
  - Most popular type of group
  - Defined by a Security Identifier (SID)
  - Used in discretionary access control lists (DACLs)
  - Can also be used as e-mail entities
- Distribution groups
  - Primary purpose is for use with e-mail applications
  - Do not impact the user authentication process unnecessarily

24 Group Types (continued)
- Can change group type if the domain is at:
  - Windows 2000 native functional level
  - Windows Server 2003 functional level
- Changed via group properties

25 Group Scopes
- Local scope
  - Exists only within the context of a specific machine
  - Often called machine local groups
  - Can only be referenced on the local machine
  - Stored in the local SAM database on each local machine
  - Can contain users from:
    - Local security database
    - Any users, global groups, or universal groups in the forest
    - Any domain local groups in its own domain
    - Any users or groups from a trusted domain

26 Machine Local Group Membership and Resource Access

27 Group Scopes (continued)
- Domain local scope
  - Created on a domain controller
  - Can only be assigned permissions to resources available in the local domain in which it is created
  - Group membership can come from any domain within the forest
    - Can contain users or global groups from any domain
  - Mainly used to assign access permissions to resources
  - Can be used on any machine in the domain

28 Group Scopes (continued)
- Global scope
  - Can be assigned permissions to any resource in any domain within the forest
    - Or in any other trusting domain that trusts the domain where the global group exists
  - Main limitation: can only contain users from the same domain in which it is created
  - Mainly used to organize user objects into logical groupings according to function

29 Group Scopes (continued)
- Universal scope
  - Created for the purpose of aggregating groups in different domains throughout the forest
  - Can be assigned permissions to any resource in any domain within the forest
  - Can consist of user objects from any domain in the forest
  - Only available when the domain is configured at Windows 2000 native or Windows Server 2003 functional level

30 Changing a Group's Scope
- May be possible to change scope if the domain is at:
  - Windows 2000 native functional level
  - Windows Server 2003 functional level
- Allowed conversions:
  - Global to universal
  - Domain local to universal
  - Universal to global
  - Universal to domain local
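Slides 25 to 30 state which principals each group scope may contain and which scope conversions are permitted. The following added example (not part of the course material) encodes exactly those stated rules as two checks that a provisioning script could run before attempting a membership change or a scope conversion. The membership rules are limited to what the slides list (for example, the slides say a global group contains users from its own domain and do not discuss nesting groups of the same scope), so anything the slides do not mention is rejected; the `Principal` class, domain names and group names are constructed.

```python
"""Added example (not from the slides): the group-scope membership and
conversion rules as the slides state them, as checks a provisioning script
can run before changing a group.  Names and domains are constructed."""

from dataclasses import dataclass

# Scope changes are only possible at these functional levels (slides 29, 30).
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}

# The four allowed conversions from slide 30; every other pair is rejected.
ALLOWED_CONVERSIONS = {
    ("global", "universal"),
    ("domain local", "universal"),
    ("universal", "global"),
    ("universal", "domain local"),
}


@dataclass(frozen=True)
class Principal:
    """A user or group.  `domain` is the domain name, or the machine name
    for principals in a local SAM database (constructed model)."""
    name: str
    domain: str
    kind: str          # "user" or "group"
    scope: str = ""    # groups only: "local", "domain local", "global", "universal"


def can_change_scope(current: str, new: str, functional_level: str) -> bool:
    """True when the conversion is one of the four allowed ones and the
    domain is at Windows 2000 native or Windows Server 2003 level."""
    if functional_level not in NATIVE_LEVELS:
        return False
    return (current, new) in ALLOWED_CONVERSIONS


def can_be_member(group: Principal, member: Principal,
                  trusted: frozenset = frozenset()) -> bool:
    """Membership rules as given on the slides.

    local:        local users; any users, global or universal groups in the
                  forest; domain local groups from its own domain; any user
                  or group from a trusted domain
    domain local: users, global groups and universal groups from any domain
    global:       only users from the same domain
    universal:    users from any domain, global groups from any domain
    `trusted` names domains outside the forest that the group's machine or
    domain trusts; every other domain is assumed to be in the same forest.
    Combinations the slides do not mention are rejected.
    """
    same_domain = member.domain == group.domain
    if group.scope == "global":
        return member.kind == "user" and same_domain
    if group.scope == "universal":
        return member.kind == "user" or member.scope == "global"
    if group.scope == "domain local":
        return member.kind == "user" or member.scope in {"global", "universal"}
    if group.scope == "local":
        if member.domain in trusted or member.kind == "user":
            return True
        if member.scope in {"global", "universal"}:
            return True
        return member.scope == "domain local" and same_domain
    raise ValueError(f"unknown group scope {group.scope!r}")


if __name__ == "__main__":
    sales = Principal("Sales", "mydomain.com", "group", "global")      # constructed
    jane = Principal("jdoe", "mydomain.com", "user")
    bob = Principal("bsmith", "other.example.com", "user")
    print(can_be_member(sales, jane), can_be_member(sales, bob))
    print(can_change_scope("global", "domain local", "Windows Server 2003"))
```

The conversion table shows why universal is the hub: global and domain local groups can only change scope by passing through universal, and a direct global-to-domain-local change is not among the allowed conversions.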

31 Managing Security Groups
- General strategy uses the acronym A G U DL P:
  - Create user Accounts, and organize them within Global groups
  - Create Universal groups and place global groups from any domain within the universal groups
  - Create Domain Local groups that represent the resources to which you want to control access, and add global or universal groups to the domain local groups

32 Managing Security Groups (continued)
- A G U DL P: Assign Permissions to the domain local groups
- One of the best practices that Microsoft loves to test on

33 Example of A G DL P Group Strategy
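Slides 31 to 33 describe the A G U DL P strategy in words. The following added example (not part of the course material) models it end to end: users sit in per-domain global groups, the global groups are nested in a universal group, the universal group is a member of the domain local group that represents the resource, and the permission is granted to that domain local group. Resolving the nesting produces the group SIDs that end up in a user's access token, and the DACL check matches on those SIDs. All user names, group names and SIDs are constructed; the two-domain forest example.com is an assumption.

```python
"""Added example (not part of the slides): a small model of A G U DL P.
Nested membership is resolved to the set of group SIDs in a user's token,
and a DACL is evaluated against that token.  Names and SIDs are constructed."""

from collections import deque

# Group name -> direct members (users or groups).  Constructed two-domain forest.
MEMBERS = {
    "Sales (global, east.example.com)": {"jdoe", "bsmith"},
    "Sales (global, west.example.com)": {"akhan"},
    "All Sales (universal)": {"Sales (global, east.example.com)",
                              "Sales (global, west.example.com)"},
    "SalesData-Modify (domain local)": {"All Sales (universal)"},
}

# DACLs reference SIDs, not names.  Constructed values.
SIDS = {
    "jdoe": "S-1-5-21-100-1001",
    "bsmith": "S-1-5-21-100-1002",
    "cmoore": "S-1-5-21-100-1003",   # not a member of any sales group
    "akhan": "S-1-5-21-200-1001",
    "Sales (global, east.example.com)": "S-1-5-21-100-2001",
    "Sales (global, west.example.com)": "S-1-5-21-200-2001",
    "All Sales (universal)": "S-1-5-21-100-3001",
    "SalesData-Modify (domain local)": "S-1-5-21-100-4001",
}

# P of A G U DL P: the permission is granted to the domain local group only.
SALES_DATA_DACL = [("allow", SIDS["SalesData-Modify (domain local)"])]


def effective_groups(principal: str, members=MEMBERS) -> set:
    """Every group the principal belongs to directly or through nesting
    (breadth-first walk up the membership graph)."""
    found, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)
                queue.append(group)
    return found


def access_token_sids(user: str) -> set:
    """SIDs in the user's token: the user's own SID plus all group SIDs."""
    return {SIDS[user]} | {SIDS[g] for g in effective_groups(user)}


def allowed(user: str, dacl: list) -> bool:
    """Evaluate a DACL given as (ace_type, sid) pairs against the token.
    A matching deny ACE wins over any allow ACE, as in Windows."""
    token = access_token_sids(user)
    granted = False
    for ace_type, sid in dacl:
        if sid in token:
            if ace_type == "deny":
                return False
            granted = True
    return granted


if __name__ == "__main__":
    for user in ("jdoe", "akhan", "cmoore"):
        print(user, sorted(effective_groups(user)), allowed(user, SALES_DATA_DACL))
```

Because the resource's ACE names only the domain local group, granting a new office access means adding its global group to the universal group; the DACL on the resource never has to change.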

34 Group Nesting
- Nesting groups simplifies administrative tasks
- Only available at:
  - Windows 2000 native functional level
  - Windows Server 2003 functional level

35 Understanding the Built-in Groups
- A number of built-in local security groups with various preassigned rights are created
- Builtin container:
  - Contains a number of domain local group accounts
  - They are allocated different user rights based on common administrative or network-related tasks
- Users container:
  - Contains a number of different domain local and global group accounts

36 Understanding Special Identities
- Several special identity groups
- Operating system controls membership, not the administrator
- OS dynamically determines in which special identity groups a user should be a member

37 Special Identity Groups and Members

38 Creating Groups
- Actually creating groups is simple
- Add members to the group after it is created

39 Creating and Managing Computer Accounts
- Computers require computer accounts to be part of a domain
- Tools to create computer accounts:
  - Active Directory Users and Computers
  - System applet in Control Panel of the target computer
- All authenticated users can add up to 10 computers to the domain
  - Increase the number or grant the Create Computer Objects permission for technicians

40 Activity 10-8: Creating Computer Accounts
- Objective: Use Active Directory Users and Computers to create and manage computer accounts
- Work with Active Directory Users and Computers to add computer accounts to the domain

41 Resetting Computer Accounts
- Computers use a secure communication channel to communicate with a domain controller
- A password is associated with this secure channel
  - Changed every 30 days by default
  - Synchronized automatically between domain and workstation
- Synchronization problems can occur
  - Administrator must then reset the computer account associated with the workstation

42 Publishing Resources
- An object in the directory represents a resource
- Don't confuse:
  - Creating a directory object to represent a resource
  - Creating the resource itself

43 Shared Folder
- Provides only a representation of the actual share
- Helps network users locate resources
- Active Directory does not even check to see if the server or the share exists

44 Printers
- Dialog box requests the network path to the printer
- Active Directory does check for the existence of the printer

45 Other Resources
- As more Active Directory-aware and Active Directory-enabled applications are released, administrators will have the ability to locate more and more information in the Active Directory database

46 Organizing Objects in the Directory
- A large network must be well organized
- Major advantage of Active Directory: information can be organized in a logical way

47 Organizing and Controlling with Organizational Units
- Organize the Active Directory structure using organizational units
- Organizational units:
  - Provide a way to separate objects belonging to one data owner from another
  - Facilitate browsing the directory
  - Support application of group policy

48 Moving Objects between Organizational Units
- Fairly simple to move objects from one organizational unit to another
- Object's distinguished name changes when moved

49 Moving Objects between Domains
- Not nearly as simple as moving between organizational units
- Part of the SID must be changed
- SIDhistory attribute is used
  - Contains the SID used in the previous domain
  - System uses SIDhistory to include the old SID in the user's access token
  - Allows the user to retain access to resources where the DACL contains the old SID
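Slide 49 explains in words why a user keeps access after an inter-domain move. The following added example (not part of the course material) shows the mechanism: the user's SID changes because its domain part changes, the previous SID is recorded in the sIDHistory attribute, and the token built at logon carries both, so an ACE written against the old SID still matches. The SIDs, the user record and the resource DACL are constructed; in the directory the attribute's LDAP name is sIDHistory and it is multi-valued, which is why it is modelled as a list.

```python
"""Added example (not from the slides): how sIDHistory preserves access after
a move between domains.  SIDs, the user record and the DACL are constructed."""


def move_user_between_domains(user: dict, new_domain_sid: str, new_rid: int) -> dict:
    """Return the user as it looks after the move: a new SID formed from the
    target domain's SID plus a new relative ID, with the previous SID
    appended to the multi-valued sIDHistory attribute."""
    moved = dict(user)
    moved["sIDHistory"] = list(user.get("sIDHistory", [])) + [user["objectSid"]]
    moved["objectSid"] = f"{new_domain_sid}-{new_rid}"
    return moved


def token_sids(user: dict, group_sids=()) -> set:
    """SIDs placed in the access token at logon: the current SID, every
    sIDHistory value, and the SIDs of the user's groups."""
    return {user["objectSid"], *user.get("sIDHistory", []), *group_sids}


def dacl_grants(allow_sids, user: dict, group_sids=()) -> bool:
    """True when any allow ACE in the DACL names a SID present in the token.
    (Deny ACEs are omitted here; the point is the old-SID match.)"""
    return bool(set(allow_sids) & token_sids(user, group_sids))


if __name__ == "__main__":
    OLD_DOMAIN = "S-1-5-21-111-222-333"     # constructed source domain SID
    NEW_DOMAIN = "S-1-5-21-444-555-666"     # constructed target domain SID
    jane = {"sAMAccountName": "jdoe", "objectSid": f"{OLD_DOMAIN}-1105"}
    share_dacl = [f"{OLD_DOMAIN}-1105"]     # ACE granted to Jane's old SID
    moved = move_user_between_domains(jane, NEW_DOMAIN, 2001)
    print(moved["objectSid"], moved["sIDHistory"], dacl_grants(share_dacl, moved))
```

The retained access lasts only as long as the old SID stays in sIDHistory; once the resources have been re-ACLed to the new SIDs, the attribute can be cleared so that the token no longer carries identities from the source domain.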

50 Moving Objects between Domains (continued)
- Tools:
  - Movetree
  - ADMT

51 Summary
- Primary tool used to create and manage user accounts is Active Directory Users and Computers
- Primary purpose of groups in a network environment: ease the administrative burden associated with assigning rights and permissions to individual user accounts

52 Summary (continued)
- Four possible scopes of groups:
  - Local (or machine local)
  - Domain local
  - Global
  - Universal
- Workstations require computer accounts
- Resources can be published so users can quickly locate them
