Part I

 NOS  Directory Data Store(directory service, database)  Located on Domain Controllers (DCs), globally distributed, replicated (no longer PDCs/BDCs)  Directory data is stored in the Ntds.dit file on each DC (pull data with DSQUERY)  Objects:  Users, Computers, Printers, Faxes, Servers, Services  Containers - Organizational Units (OUs), Groups, Domains  Group Policy Objects (GPOs)

Builtin OU contains default accounts and groups Users OU contains user accounts or additional OUs AD Users and Computers Snap-in

 Houses AD database  Single function  There are 2 types of servers:  Domain Controllers  Member Servers

This icon indicates object is a group (container) This icon indicates object is a single account This icon indicates object is disabled This indicates object type. Valid types are User, Security Group, Distribution Group

 Microsoft recommends as few domains as possible in Active Directory and a reliance on OUs to produce structure and improve the implementation of policies and administration.  The OU is the common level at which to apply GPOs.  The OU is the level at which administrative powers are commonly delegated; however, delegation can be performed on individual objects (or Sites – for another day).

 Protected groups should have limited members and services (each service should be researched for appropriateness):  Enterprise Admins  Schema Admins  Domain Admins  Administrators  Custom groups are created by the entity and should follow a defined naming convention. For example, a group name of HRData should have members from the HR department that are authorized to access sensitive HR data.

(MS Recommendations)

 Can only be performed with Domain Admin, Enterprise Admin, or delegated authority.  Should be a highly-managed task and subject to change management policies and procedures.  More than one policy can be applied to a computer (precedence dictates cumulative effect).  A DC always obtains the account policy from a GPO linked to the domain, which by default is the Default Domain Policy GPO (occurs even if a different policy is applied to the OU that contains the DC).

 Often, separation of duties for the network administration function are described as too difficult to implement, advise delegation. Tasks to delegate:  Help Desk functions  User account Management  Group Management  Group Policy U:\ITA\Section22X\Audit\Questionnaires, Guides, and Other Audit Information\AD

Good for Help Desk Staff Not good HOW TO: Customize the Task List in the Delegation Wizard,” MS Knowledge Base Article

 To return user information for the domain:  dsquery user domainroot  dsquery user OU=Sales,DC=Contoso,DC=Com -o dn  dsquery user domainroot -inactive 3 Results provide all users in the domain Results provide all users in the Sales OU in the Contoso.com domain Results provide all users in the domain that have been inactive for 3 weeks DSQUERY source information:

Command*Description DSQUERY *Finds any object DSQUERY computerFinds computer accounts DSQUERY contactFinds contacts DSQUERY groupFinds group accounts DSQUERY ouFinds OUs DSQUERY partitionFinds AD Partitions DSQUERY quotaFinds object quotas DSQUERY serverFinds domain controllers DSQUERY siteFinds AD sites DSQUERY subnetFinds subnet objects DSQUERY userFinds user accounts * Output is in Unicode.

 Default Administrator account cannot be locked out.  Spaces can be used in Windows passwords.  If protected group is modified it resets after a period of time (one exception)  MS Updates should follow change control process  Delegation wizard is customizable  Delegate permissions using ACL Editor  GPO refresh is minutes, by default

 From my experience:  Loopback policy processing  Computer vs. User Configuration  Kiosk solutions  Non-ADS LDAP repositories  Password-protected screen saver – 4 settings to be effective,.scr file on end-user workstations