70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 10: Managing Users, Groups, Computers and Resources.


Objectives
- Create user objects in Active Directory and set values for the attributes of a user object
- Create and manipulate groups in Active Directory, and understand the effects of different group scopes
- Create and manage computer accounts

Objectives
- Create objects for other resources, such as shared folders and printers
- Organize objects in Active Directory by leveraging the use of organizational units

Planning and Administering User Accounts
- Most frequently changed objects are user objects
- Users added, removed, etc.

User Classes, Properties, and Schema
- User class defines number of required and optional attributes
- Mandatory attributes:
  - cn
  - instanceType, objectCategory, and objectClass
  - objectSID
  - sAMAccountName
- More than 200 optional attributes

The Names of a User
- Name attributes:
  - sAMAccountName
    - Also called user logon name (pre-Windows 2000)
  - userPrincipalName (UPN)
    - Also called user logon name
- Decide on naming convention for user accounts
  - Most common convention is to use user’s first initial followed by user’s last name

The Names of a User (continued)
- UPN composed of two parts
  - Username
  - UPN suffix
- UPN suffix is DNS name by default
  - Can choose other suffix
- Joined by the @ symbol
- Example:

Name Suffix Routing
- Provides name resolution across forests
- Used to route authentication requests to correct forest
- Disabled when naming conflict occurs
- Given unique name suffix can only exist in one forest

Creating Users with Active Directory Users and Computers
- Must be working at domain controller
  - Or must have the administrative tools installed at your workstation
- Windows issues query to global catalog to verify that UPN is unique within forest

The New Object - User Dialog Box

New User Password and Security Attributes

Activity 10-2: Creating a New User Object
- Objective: Practice creating new user objects.
- Use Active Directory Users and Computers console to create a new user

Setting Additional Attributes
- Many user attributes exposed through property pages in Active Directory Users and Computers console
  - Right-click object in Active Directory Users and Computers
  - Choose Properties

Setting Additional Attributes (continued)
- Categories:
  - General and business information
  - Account and profile settings
  - Terminal Services settings
  - Dial-in settings
  - Advanced properties

Resetting Passwords
- User’s password stored in encrypted form
  - Operating system can access it to validate user
- Administrator cannot retrieve forgotten user password
  - Must be reset
- Access to encrypted files may be lost

User Account Templates
- Preconfigured user account
- Already has common attributes associated with a particular type of user configured
- Reduces time and administrative burden
- Administrator copies template account to create new user

Command-line Utilities
- DSADD
- DSMOD
- DSQUERY
- DSGET
- DSMOVE
- DSRM

Bulk Import and Export
- CSVDE
  - Command-line tool
  - Supports bulk export and import of Active Directory data
  - File format: comma-separated value (CSV) files
- LDIFDE
  - Command-line tool
  - Use to import and export data from Active Directory
  - File format: LDAP Interchange Format (LDIF)

Activity 10-5: Using LDIFDE to Modify User Accounts
- Objective: Use LDIFDE to modify an existing user account
- Practice using LDIFDE utility to work with user data
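
Added example (not part of the original slides): a small reader for LDIF change files that lists what a bulk import would modify, so the file can be checked before it is handed to LDIFDE. The DNs, attribute values and the approved-attribute set are constructed for illustration; only `changetype: modify` records are broken down into individual changes.

```python
import base64

def unfold(text):
    # A line that starts with one space continues the previous line; '#' lines are comments.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines

def parse_line(line):
    # 'attr: value' is plain text, 'attr:: dmFs...' is base64-encoded UTF-8.
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()

def parse_record(lines):
    fields = [("-", "") if l == "-" else parse_line(l) for l in lines]
    rec = {"dn": fields[0][1], "changetype": "add", "changes": []}
    if len(fields) > 1 and fields[1][0] == "changetype":
        rec["changetype"] = fields[1][1]
    pending = None  # the add/replace/delete block currently being read
    for attr, value in fields[2:] if rec["changetype"] == "modify" else []:
        if attr == "-":
            pending = None
        elif pending is None:
            pending = {"op": attr, "attr": value, "values": []}
            rec["changes"].append(pending)
        else:
            pending["values"].append(value)
    return rec

def parse_ldif(text):
    records, current = [], []
    for line in unfold(text) + [""]:  # records are separated by blank lines
        if line:
            current.append(line)
        elif current:
            records.append(parse_record(current))
            current = []
    return records

def review(records, approved_attrs):
    # Anything that is not a modify of an approved (lowercase) attribute is listed for sign-off.
    findings = []
    for rec in records:
        if rec["changetype"] != "modify":
            findings.append((rec["dn"], "changetype " + rec["changetype"]))
        findings += [(rec["dn"], c["op"] + " " + c["attr"]) for c in rec["changes"]
                     if c["attr"].lower() not in approved_attrs]
    return findings

# Constructed sample: a folded DN, a base64 value and one change outside the approved set.
CITY = base64.b64encode("Z\u00fcrich".encode("utf-8")).decode("ascii")
SAMPLE = ("dn: CN=Alice Example,OU=Sales,DC=corp,\n DC=example\nchangetype: modify\n"
          "replace: department\ndepartment: Sales\n-\nreplace: l\nl:: " + CITY + "\n-\n\n"
          "dn: CN=Bob Example,OU=Sales,DC=corp,DC=example\nchangetype: modify\n"
          "replace: userAccountControl\nuserAccountControl: 512\n-\n")

if __name__ == "__main__":
    for dn, reason in review(parse_ldif(SAMPLE), {"department", "l"}):
        print("REVIEW", dn, reason)
```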

Creating and Modifying User Accounts Programmatically
- Many ways to create users besides the Users and Computers console:
  - Scripts or programs
  - Automatically by variety of tools
- Active Directory Service Interface (ADSI)
  - Provides single abstract set of directory service interfaces for management of network
  - Makes it simple for administrators to automate common tasks

Creating and Modifying User Accounts Programmatically (continued)
- Active Directory Service Interface (ADSI)
  - Programmer can use ADSI from:
    - Visual Basic, C#, or VC++ application
  - Network administrators use:
    - Windows Scripting Host (WSH)
    - VBScript (or another scripting language that WSH supports)

Planning and Administering Groups
- Groups simplify Active Directory management
  - Save time and effort
  - Eliminate some mistakes

Group Types
- Security groups
  - Most popular type of group
  - Defined by Security Identifier (SID)
  - Used in discretionary access control lists (DACLs)
  - Can also be used as entities
- Distribution groups
  - Primary purpose for use with applications
  - Do not impact user authentication process unnecessarily

Group Types (continued)
- Can change group type if domain is at:
  - Windows 2000 native
  - Windows Server 2003 functional level
- Changed via group properties

Group Scopes
- Local scope
  - Exist only within context of specific machine
  - Often called machine local groups
  - Can only reference on local machine
  - Stored in local SAM database on each local machine
  - Can contain:
    - Users from local security database
    - Any users, global groups, or universal groups in forest
    - Any domain local groups in its own domain
    - Any user or groups from trusted domain

Machine Local Group Membership and Resource Access

Group Scopes (continued)
- Domain local scope
  - Created on domain controller
  - Can only be assigned permissions to resource available in local domain in which it is created
  - Group membership can come from any domain within the forest
  - Can contain user or global groups from any domain
  - Mainly used to assign access permissions to resources
  - Can be used on any machine in domain

Group Scopes (continued)
- Global scope
  - Can be assigned permissions to any resource in:
    - Any domain within forest
    - Any other trusting domain that trusts domain where global group exists
  - Main limitation: can only contain users from same domain in which it is created
  - Mainly used to organize user objects into logical groupings according to function

Group Scopes (continued)
- Universal scope
  - Created for purpose of aggregating groups in different domains throughout forest
  - Can be assigned permissions to any resource in any domain within forest
  - Can consist of user objects from any domain in forest
  - Only available when domain is configured at Windows 2000 native or Windows Server 2003 functional level

Changing a Group’s Scope
- May be possible to change scope if domain is at:
  - Windows 2000 native
  - Windows Server 2003 functional level
- Allowed conversions:
  - Global to universal
  - Domain local to universal
  - Universal to global
  - Universal to domain local

Managing Security Groups
- General strategy: use acronym A G U DL P
  - Create user Accounts, and organize them within Global groups
  - Create Universal groups and place global groups from any domain within universal groups
  - Create Domain Local groups that represent resources in which you want to control access, and add global or universal groups to domain local groups

Managing Security Groups (continued)
- A G U DL P:
  - Assign Permissions to domain local groups
- One of best practices that Microsoft loves to test on

Example of A G DL P Group Strategy

Group Nesting
- Nesting groups simplifies administrative tasks
- Only available for:
  - Windows 2000 native
  - Windows Server 2003 functional level
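
Added example (not from the original slides): a model of the group scope membership rules and the A G U DL P chain described above, which rejects memberships a scope does not allow and then resolves which users end up with a permission. Domain, group and user names are constructed; the global-in-global and domain-local-in-domain-local rows of the rule table are assumptions based on standard nesting behaviour at the native functional levels, not statements from the slides.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"  # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

# Member kinds each group scope accepts; True = member must be in the group's own domain.
MEMBER_RULES = {
    "global":       {"user": True, "global": True},
    "universal":    {"user": False, "global": False, "universal": False},
    "domain_local": {"user": False, "global": False, "universal": False, "domain_local": True},
}

def add_member(group, member):
    rule = MEMBER_RULES[group.scope]
    if member.scope not in rule:
        raise ValueError(f"a {group.scope} group cannot contain a {member.scope} principal")
    if rule[member.scope] and member.domain != group.domain:
        raise ValueError(f"{member.name} is outside {group.domain}")
    group.members.append(member)

def expand(principal, seen=None):
    # Follow nested membership down to user names; 'seen' guards against nesting loops.
    seen = set() if seen is None else seen
    if principal.scope == "user":
        return {principal.name}
    if id(principal) in seen:
        return set()
    seen.add(id(principal))
    users = set()
    for member in principal.members:
        users |= expand(member, seen)
    return users

def grant(acl, resource_domain, group, permission):
    # A domain local group can only be given permissions on resources in its own domain.
    if group.scope == "domain_local" and group.domain != resource_domain:
        raise ValueError(f"{group.name} cannot be used on resources in {resource_domain}")
    acl.append((group, permission))

def who_has(acl, permission):
    return set().union(*(expand(group) for group, perm in acl if perm == permission))

def build_example():
    # Constructed forest: two child domains with users, one resource domain (corp.example).
    alice = Principal("alice", "sales.corp.example")
    bob = Principal("bob", "eng.corp.example")
    g_sales = Principal("G_Sales", "sales.corp.example", "global")
    g_eng = Principal("G_Eng", "eng.corp.example", "global")
    u_proj = Principal("U_ProjectX", "corp.example", "universal")
    dl_read = Principal("DL_Reports_Read", "corp.example", "domain_local")
    # A -> G, G -> U, U -> DL
    for group, member in ((g_sales, alice), (g_eng, bob), (u_proj, g_sales),
                          (u_proj, g_eng), (dl_read, u_proj)):
        add_member(group, member)
    acl = []
    grant(acl, "corp.example", dl_read, "read")  # DL -> P
    return acl, g_sales, bob, dl_read
```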

Understanding the Built-in Groups
- Number of built-in local security groups with various preassigned rights are created
- Builtin container:
  - Contains number of domain local group accounts
  - Are allocated different user rights based on common administrative or network-related tasks
- Users container
  - Contains number of different domain local and global group accounts

Understanding Special Identities
- Several special identity groups
- Operating system controls membership
  - Not administrator
- OS dynamically determines in which special identity groups user should be a member

Special Identity Groups and Members

Creating Groups
- Actually creating groups is simple
- Add members to group after it is created

Creating and Managing Computer Accounts
- Computers require computer accounts to be part of domain
- Tools to create computer accounts:
  - Active Directory Users and Computers
  - System applet in Control Panel of target computer
- All authenticated users can add up to 10 computers to domain
  - Increase number or grant Create Computer Objects permission for technicians

Activity 10-8: Creating Computer Accounts
- Objective: Use Active Directory Users and Computers to create and manage computer accounts
- Work with Active Directory Users and Computers to add computer accounts to domain

Resetting Computer Accounts
- Computers use a secure communication channel to communicate with domain controller
- Password is associated with this secure channel
  - Changed every 30 days by default
  - Synchronized automatically between domain and workstation
- Synchronization problems can occur
  - Administrator must reset computer account associated with workstation

Publishing Resources
- Object in directory represents resource
- Don’t be confused between:
  - Creating directory object to represent resource
  - Creating resource itself

Shared Folder
- Provides only representation of actual share
- Helps network users locate resources
- Active Directory does not even check to see if server or the share exists

Printers
- Dialog box requests network path to printer
- Active Directory does check for existence of printer

Other Resources
- As more Active Directory-aware and Active Directory-enabled applications are released
  - Administrators will have ability to locate more and more information in Active Directory database

Organizing Objects in the Directory
- Large network must be well organized
- Major advantage of Active Directory
  - Information can be organized in a logical way

Organizing and Controlling with Organizational Units
- Organize Active Directory structure using organizational units
- Organizational units:
  - Provide way to separate objects belonging to one data owner from another
  - Facilitate browsing directory
  - Support application of group policy

Moving Objects between Organizational Units
- Fairly simple to move objects from one organizational unit to another
- Object’s distinguished name changes when moved

Moving Objects between Domains
- Not nearly as simple as moving between organizational units
- Part of the SID must be changed
- SIDhistory attribute is used
  - Contains SID used in previous domain
  - System uses SIDhistory to include old SID in user’s access token
  - Allows user to retain access to resources where DACL contains old SID

Moving Objects between Domains (continued)
- Tools:
  - Movetree
  - ADMT
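
Added example (not from the original slides): a model of the SIDhistory behaviour described above, showing that an ACE written for the old SID still matches after the move only because the old SID is carried into the access token. The SIDs, RIDs and account name are constructed, the DACL check is simplified to a single requested right, and `history_report` is an added review step for finding accounts that still carry SIDs from another domain.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    sid: str
    sid_history: list = field(default_factory=list)  # models the sIDHistory attribute
    group_sids: list = field(default_factory=list)

def domain_of(sid):
    # Domain identifier: the SID without its final relative identifier (RID).
    return sid.rsplit("-", 1)[0]

def move_between_domains(account, target_domain_sid, new_rid):
    # The object gets a new SID in the target domain; the old SID is kept in the history.
    account.sid_history.append(account.sid)
    account.sid = f"{target_domain_sid}-{new_rid}"

def build_token(account):
    # SIDs placed in the access token: current SID, SID history and group SIDs.
    return {account.sid, *account.sid_history, *account.group_sids}

def access_allowed(token, dacl, right):
    # Walk the ACEs in order; the first ACE naming a token SID and the right decides.
    for ace_type, sid, rights in dacl:
        if sid in token and right in rights:
            return ace_type == "allow"
    return False

def history_report(accounts, current_domain_sid):
    # Accounts still carrying SIDs from other domains, listed for post-migration review.
    return sorted((a.name, domain_of(old)) for a in accounts for old in a.sid_history
                  if domain_of(old) != current_domain_sid)

# Constructed domain identifiers for the source and target domains.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

def demo():
    alice = Account("alice", OLD_DOMAIN + "-1105")
    dacl = [("allow", OLD_DOMAIN + "-1105", {"read", "write"})]  # ACE written before the move
    move_between_domains(alice, NEW_DOMAIN, 2210)
    with_history = access_allowed(build_token(alice), dacl, "read")
    stripped = Account("alice", alice.sid)  # same account with the history cleared
    without_history = access_allowed(build_token(stripped), dacl, "read")
    return with_history, without_history, history_report([alice], NEW_DOMAIN)

if __name__ == "__main__":
    print(demo())
```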

Summary
- Primary tool used to create and manage user accounts is Active Directory Users and Computers
- Primary purpose of groups in network environment
  - Ease administrative burden associated with assigning rights and permissions to individual user accounts

Summary
- Four possible scopes of groups:
  - Local (or machine local)
  - Domain local
  - Global
  - Universal
- Workstations require computer accounts
- Resources can be published so users can quickly locate them