CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

Agenda Chapter 5: Active Directory Administration Quiz Exercise

Understanding User Accounts Three types of user accounts can be created and configured in Windows Server 2008: ▫Local accounts ▫Domain accounts ▫Built-in user accounts

Security guidelines Rename the Administrator account ▫Set a strong password Limit knowledge of administrator passwords to only a few individuals Do not use the Administrator account for daily non-administrative tasks Rename the Guest account after enabling it for use ▫Set a strong password

Group Accounts Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Types Distribution groups ▫Non-security-related groups created for the distribution of information to one or more persons. Security groups ▫Security-related groups created for purposes of granting resource access permissions to multiple users.

Group Nesting Users can be members of more than one group. Groups can contain other Active Directory objects, such as computers, and other groups. Groups containing groups is called group nesting.

Group Scopes Domain Local ▫These groups can include users, computers, global groups, and universal groups from any domain ▫To assign permissions to any resource in the domain in which they are located Global ▫These groups can include users, computers, and global groups only from within the same domain ▫To assign permission to resources that reside in any domain in the forest ▫Global group memberships are replicated only to DC within the same domain Universal ▫Same as global group, but the group memberships should not change frequently because these groups are stored in the GC

Using Global and Domain Local Groups Assign users within a domain to global groups. Add global groups to domain local groups. Assign permissions to domain local group.

AGUDLP Microsoft approach to using groups: ▫add A ccounts to G lobal groups. ▫add those global groups to U niversal groups. ▫Add universal groups to D omain L ocal groups. ▫Finally, assign P ermissions to the domain local groups.

Creating and Managing Groups Creating and managing groups is usually done with Active Directory Users and Computers.

Working with Default Groups Account Operators ▫Can create, modify and delete accounts for users, groups, and computers in all containers and OUs. ▫Cannot modify administrators, domain admins and enterprise admin groups. Administrators Backup Operators Guests ▫Disabled by default

Working with Default Groups Print Operators ▫Can manage printers and document queues. Server Operators ▫Can log on a server interactively ▫Create and delete shares, start and stop some services ▫Back up and restore files ▫Format the disk, shutdown the computer and modify the system date and time.

Working with Default Groups Users DNSAdmins ▫Permits administrative access to the DNS server service. Domain Admins Domain Computers ▫Contains all computers. ▫Used to make computer management easier through group policies. Domain Controllers – Contains all computers installed in the domain as a domain controller.

Working with Default Groups Domain Guests ▫Members include all domain guests. Domain Users ▫Used to assign permissions to all users in the domain. Enterprise Admins ▫Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups Schema Admins ▫Members can manage and modify the Active Directory schema. See Table 5-1 on Page

Special Identity Groups and Local Groups Authenticated Users ▫Used to allow controlled access to resources throughout the forest or domain. Everyone See Table 5-2 on Page

Group Implementation Plan A plan that states ▫who has the ability and responsibility to create, delete, and manage groups. A policy that states ▫how domain local, global, and universal groups are to be used. ▫guidelines for creating new groups and deleting old groups. A naming standards document to keep group names consistent. A standard for group nesting.

Creating Users and Groups Active Directory Users and Computers Batch files ▫DSAdd user username DN –samid SAM account name ▫Dsadd user cn=jsmith,ou=Accounts,dc=lucernepublishing,dc =com –samid jsmith

Creating Users and Groups (Cont.) Comma-Separated Value Directory Exchange (CSVDE) ▫Header record (See Page 119) ▫Csvde.exe –i –f newusers.csv  -i is to import  -f is to specify the file to import

Creating Users and Groups (Cont.) LDAP Data Interchange Format Directory Exchange (LDIFDE) ▫You can Add/Modify/Delete the object ▫Ldifde –i –f newobjects.ldf Windows Script Host (WSH) ▫See code on Page 121

Creating Users and Groups (Cont.) Windows PowerShell ▫$objOU=[ADSI]”LDAP://OU=People, DC=contoso, DC=Com” ▫$objUser = $objOU.Create(“user”,”CN=Mary North”) ▫$objUser.put(SamAccountName”,”mary.north”) ▫$objUser.SetInfo() ▫Windows 2008 R2  Import-module ActiveDirectory  New-ADusers –SamAccountName “mary.north”

Creating Users and Groups (Cont.) Note: ▫CSVDE and LDIFDE cannot import user’s password, hence the user will be disabled by default ▫Only DSADD supports specifying the password

Offline Domain Join Offline domain join is a process to add computers to a domain in locations where there is no connectivity to a corporate network. ▫Windows Server 2008 R2 ▫Windows 7 image or on running computer The offline domain join process includes the following phases: ▫Run the djoin.exe/provision  To create computer account metadata from the text file  djoin /provision /domain /machine /savefile ▫Run the djoin.exe/requestODJ  To insert the computer account metadata into the Windows directory of the destination computer:  djoin /requestodj /loadfile

Assignment Fill in the blank ▫1-10 Multiple Choice ▫1-10 Online Lab 5