Chapter 7 Managing OUs and Active Directory Accounts


1 Chapter 7 Managing OUs and Active Directory Accounts
MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam

2 Objectives
- Work with organizational units
- Manage user accounts
- Manage group accounts
- Work with computer accounts
- Automate account management

3 Working with Organizational Units
Benefits of using OUs:
- You can create familiar hierarchical structures based on an organizational chart to allow easy resource access
- Delegation of administrative authority
- Able to change the OU structure easily
- You can group users and computers for the purposes of assigning administrative and security policies
- Able to hide AD objects for confidentiality or security reasons

4 Figure 7-1 Single-level and multilevel OU structures

5 OU Delegation of Control
Delegation of control - a person with higher security privileges assigns authority to a person with lesser security privileges to perform certain tasks
Commonly delegated tasks include:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Create, delete, and manage groups
- Modify the membership of a group
- Manage Group Policy links
- Generate Resultant Set of Policy (Planning)
- Generate Resultant Set of Policy (Logging)

6 OU Delegation of Control
- Custom tasks can be created for delegation as well, but you must fully understand the nature of objects, permissions, and permission inheritance
- By default, the OU’s properties don’t show that another user has been delegated control
- Instead, to verify who has been delegated control of an OU, you must view the OU’s permissions

7 Active Directory Object Permissions
Three types of security principals can be assigned permission to an object:
- Users
- Groups
- Computers
An AD object’s security settings are composed of three components (collectively referred to as the object’s security descriptor):
- Discretionary access control list (DACL)
- Object owner
- System access control list (SACL)

8 Active Directory Object Permissions
- Each object has a list of standard permissions and a list of special permissions
- Each permission can be set to Allow or Deny, and five standard permissions are available for most objects:
  - Read
  - Write
  - Create all child objects
  - Delete all child objects
  - Full control

9 Permission Inheritance in OUs
- Permission inheritance defines how permissions are transmitted from a parent object to a child object
- All objects in AD are child objects of the domain
- By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU

10 Effective Permissions
- Effective permissions for an object are a combination of the allowed and denied permissions assigned to a security principal
- They can come from assignments made directly to a single user account or to a group the user belongs to
- Explicit permissions override inherited permissions, which can create some exceptions to the rule that Deny permissions override Allow permissions

11 Effective Permissions
Most common settings for permission inheritance:
- This object only - the permission setting isn’t inherited by child objects
- This object and all descendant objects - the permission setting applies to the current object and is inherited by all child objects
- All descendant objects - the permission setting doesn’t apply to the selected object but is inherited by all child objects
- Descendant [object type] objects - the permission is inherited only by specific child object types, such as user, computer, or group objects

12 Effective Permissions
- Several permissions are added to an OU’s DACL by default when it’s created
- To see which permissions are inherited and which have been added explicitly to a DACL, open the Advanced Security Settings dialog box
- Permission inheritance is enabled by default on child objects, but it can be disabled
- Use caution before changing permissions and permission inheritance: incorrect settings can cause AD access problems

13 Managing User Accounts
- User accounts have two main functions in AD:
  - Provide a method for user authentication to the network
  - Provide detailed information about a user
- Windows machines that aren’t part of a domain store accounts in the Security Accounts Manager (SAM) database on the local computer
- User accounts created in AD are referred to as “domain user accounts”
  - These accounts can usually log on to any computer that’s in the AD forest

14 Managing User Accounts
The following guidelines apply to the built-in Administrator account:
- The local Administrator account has full access to all aspects of a computer, while the domain Administrator account has full access to all aspects of the domain
- The domain Administrator account in the forest root domain has full access to all aspects of the forest
- The default Administrator account should be renamed and given a strong password
- The Administrator account should only be used while performing administrative operations
- The Administrator account can be renamed or disabled but not deleted

15 Managing User Accounts
The following guidelines apply to the built-in Guest account:
- The Guest account is disabled by default after installation and must be enabled before it can be used to log on
- The Guest account can have a blank password
- It should be renamed if it is to be used
- The Guest account has limited access to a computer or domain, but it does have access to any resource for which the Everyone group has permission

16 Managing User Accounts
When creating a user account in an AD domain, keep the following considerations in mind:
- User account names must be unique throughout the domain
- Account names aren’t case sensitive and can be from 1 to 20 characters
- Names can use letters, numbers, and special characters (with some exceptions)
- Develop a standard naming convention
- By default, complex passwords are required, and passwords are case sensitive
- By default, only a logon name is required to create a user account

17 Managing User Accounts
When you use ADUC to add users, you must enter a value for the following attributes:
- Full name
- User logon name
- User logon name (pre-Windows 2000)
- Password and Confirm Password
Four check boxes are available:
- User must change password at next logon
- User cannot change password
- Password never expires
- Account is disabled

18 Figure 7-12 Password fields

19 Disabling User Accounts
Reasons you might want to disable a user account:
- A user has left the company
- The account is not ready to use
- A user goes on extended leave
Aside from using ADUC and ADAC to enable and disable accounts, you can use the PowerShell cmdlets Enable-ADAccount and Disable-ADAccount, as well as the dsmod user command

20 Using User Templates
User template - a user account that’s copied to create users with common attributes
Tips for creating user templates:
- Create one template account for each department or OU
- Disable the template account to eliminate security risks
- Add an underscore or other special character to the beginning of a template account’s name to make it easy to recognize
- Fill in as many common attributes as you can so that after the account is created, less customizing is necessary
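An added example, not code from the textbook, covering slides 19 and 20: it builds a disabled, underscore-prefixed template account, creates a real user from it with New-ADUser -Instance, and then disables an account for a user who has left. It assumes the ActiveDirectory module (RSAT), a hypothetical OU OU=Sales,DC=csmtech,DC=local, a hypothetical global group Sales_G and file server \\fileserver.

```powershell
# Added example (not the textbook's code). Template accounts and account disabling.
# Assumptions: ActiveDirectory module, OU "OU=Sales,DC=csmtech,DC=local", group "Sales_G",
# and file server "\\fileserver" are all hypothetical.
Import-Module ActiveDirectory

$salesOU = 'OU=Sales,DC=csmtech,DC=local'

# 1. The template: created disabled with no password, so it can never be used to log on;
#    the leading underscore makes it easy to pick out in ADUC.
New-ADUser -Name '_SalesTemplate' -SamAccountName '_salestemplate' -Path $salesOU `
    -Department 'Sales' -Company 'CSM Tech' -Office 'Building A' -City 'Phoenix' -State 'AZ' `
    -ScriptPath 'sales.bat' -HomeDrive 'H:' -HomeDirectory '\\fileserver\home\%username%' `
    -Description 'TEMPLATE - keep disabled' -Enabled $false

# Common group membership is worth putting on the template as well
Add-ADGroupMember -Identity 'Sales_G' -Members '_salestemplate'

# 2. Stamp a new user from the template
function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    # Only attributes fetched here are copied; -Instance hands them to New-ADUser as defaults
    $template = Get-ADUser -Identity $TemplateSam -Properties Department, Company, Office, City, State,
        ScriptPath, HomeDrive, HomeDirectory, MemberOf
    $upnSuffix = (Get-ADDomain).DNSRoot
    $ou = ($template.DistinguishedName -split ',', 2)[1]     # create the user beside its template

    # Explicit parameters override what the instance carries: the new account is enabled,
    # gets a real password, and must change it at first logon. %username% is a GUI convention
    # that New-ADUser does not expand, so substitute it here.
    $user = New-ADUser -Instance $template -Name "$FirstName $LastName" -GivenName $FirstName -Surname $LastName `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$upnSuffix" `
        -DisplayName "$FirstName $LastName" -Description 'Sales staff' `
        -HomeDirectory ($template.HomeDirectory -replace '%username%', $SamAccountName) `
        -Path $ou -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # memberOf is a back-link and is not copied by -Instance, so copy group membership explicitly
    foreach ($group in $template.MemberOf) { Add-ADGroupMember -Identity $group -Members $user }
    return $user
}

$pw = Read-Host -AsSecureString -Prompt 'Initial password for the new user'
New-UserFromTemplate -TemplateSam '_salestemplate' -FirstName 'Jane' -LastName 'Smith' -SamAccountName 'jsmith' -InitialPassword $pw

# 3. Offboarding (slide 19): disable the account, record why and when, and return the proof
function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Reason = 'Left the company')
    Disable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -Description ('DISABLED {0:yyyy-MM-dd}: {1}' -f (Get-Date), $Reason)
    # Equivalent command-line form from the slide:
    #   dsmod user "CN=Jane Smith,OU=Sales,DC=csmtech,DC=local" -disabled yes
    Get-ADUser -Identity $SamAccountName -Properties Description | Select-Object SamAccountName, Enabled, Description
}

Disable-DepartedUser -SamAccountName 'jsmith'            # Enabled should now read False
```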

21 Modifying Multiple Users
- Selecting multiple users with Ctrl+click or Shift+click allows them all to be edited simultaneously
- The following actions can be performed:
  - Add to a group
  - Disable account
  - Enable account
  - Move
  - Send Mail
  - Cut
  - Delete
  - Properties

22 Understanding Account Properties
Common actions that might be necessary:
- Reset a password - the Overview window has a Reset Password check box
  - To reset a password using PowerShell, enter: Set-ADAccountPassword LogonName -Reset
- Rename an account - right-click the account and click Rename in ADUC
  - To rename an account using PowerShell, enter: Rename-ADObject DistinguishedName -NewName “NewName”

23 Understanding Account Properties
Common actions that might be necessary (cont’d):
- Move an account - accounts and other AD objects can be moved with one of the following methods:
  - Right-click the user and click Move
  - Right-click the user and click Cut
  - In ADUC, drag the user from one container to another
  - Use the Move-ADObject cmdlet in PowerShell

24 The General Tab
Contains descriptive information about the account, but does not affect the user’s account logon, group memberships, rights, or permissions. Fields worth mentioning:
- Display name - same as the CN when the account is first created
- E-mail - can be used to send an e-mail to the user using the default mail application
- Web page - can contain a URL and allows you to open the specified URL by right-clicking the user account

25 The Account Tab
Contains the information that most affects a user’s logon to the domain:
- User logon name and User logon name (pre-Windows 2000)
- Logon Hours
- Log On To
- Unlock account
- Account options:
  - Store password using reversible encryption
  - Smart card is required for interactive logon
  - Account is sensitive and cannot be delegated
- Account expires

26 Figure 7-18 Setting logon hours

27 The Profile Tab
Used to specify the location of the files that make up a user’s profile, a logon script, and the location of a home folder:
- Profile path - used to specify the path to a user’s profile
- Logon script - used to specify a script that runs when the user logs on
- Local path - used to specify the path to a user’s home folder (Documents folder)
- Connect - used to map a drive letter to a network share that’s the user’s home folder

28 The Member Of Tab
- Lists the groups the user belongs to
- Can be used to change group memberships
- The Set Primary Group button is needed only when a user is logging on from a Mac OS, Unix, or Linux client computer

29 Managing Group Accounts
- Active Directory group objects are the main security principal administrators use to grant rights and permissions to users
  - Groups are easier to manage
  - Users with similar access requirements to resources can be made members of a group
- When a group is created in ADUC, aside from assigning a name, there are two other settings:
  - Group type
  - Group scope

30 Group Types
- There are two group types: security and distribution
- A distribution group is used to group users together
  - Mainly for sending e-mails to several people at once with an AD-integrated application, such as Microsoft Exchange
  - Can have the following objects as members:
    - User accounts
    - Contacts
    - Other distribution groups
    - Security groups
    - Computers

31 Group Types
- Security groups are the main AD object administrators use to manage network resource access and grant rights to users
- They can contain the same types of objects as distribution groups
- If a contact is part of a security group that is assigned permissions to a resource, the contact does not make use of the permissions, because a contact is not a security principal

32 Converting Group Type
- Group type can be changed from security to distribution and vice versa
- Only security groups can be added to a DACL
- If a security group is converted to a distribution group, the entry remains in the DACL, but it has no effect on access to the resource
- Converting group types is not commonly done
  - Usually a distribution group is converted to a security group

33 Group Scope
- Group scope determines the reach of a group’s application in a domain or a forest
- Three group scope options are possible in a Windows Server 2008 forest:
  - Domain local
  - Global
  - Universal
- A fourth scope called “local” applies only to groups created in the SAM database of a member computer or stand-alone computer

34 Table 7-6 Group scope membership and resource assignment

35 Domain Local Groups
- A domain local group is the main security principal recommended for assigning rights and permissions to domain resources
- In a single-domain environment, or when users from only one domain are assigned access to a resource, use AGDLP: Accounts are made members of Global groups, which are made members of Domain Local groups, which are assigned Permissions to resources

36 Domain Local Groups
- In multidomain environments where users from different domains are assigned access to a resource, use AGGUDLP: Accounts are made members of Global groups, which when necessary are nested in other Global groups, which are made members of Universal groups, which are then made members of Domain Local groups, which are assigned Permissions to resources
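An added example, not code from the textbook, for slides 35 and 36: it builds the AGDLP chain in PowerShell (accounts in a global group, the global group in a domain local group, NTFS permission granted only to the domain local group) and then shows the universal-group step that turns it into AGGUDLP. It assumes the ActiveDirectory module, a hypothetical OU OU=Groups,DC=csmtech,DC=local, hypothetical users jsmith and mjones, and a hypothetical shared folder D:\Shares\SalesDocs on the file server where the script runs.

```powershell
# Added example (not the textbook's code): AGDLP and AGGUDLP in PowerShell.
# Assumptions (all hypothetical): OU "OU=Groups,DC=csmtech,DC=local", users jsmith and mjones,
# shared folder D:\Shares\SalesDocs on the machine running the script, NetBIOS domain CSMTECH.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=csmtech,DC=local'

# A -> G: accounts go into a global group named for the role. Security category so it can
# appear in a DACL (a distribution group would be ignored there, slide 32).
New-ADGroup -Name 'G_Sales' -SamAccountName 'G_Sales' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'All Sales staff'
Add-ADGroupMember -Identity 'G_Sales' -Members 'jsmith', 'mjones'

# DL: a domain local group named for the resource and the access level. This is the only
# principal that will ever be placed on the resource's DACL.
New-ADGroup -Name 'DL_SalesDocs_Modify' -SamAccountName 'DL_SalesDocs_Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU -Description 'Modify on \\fileserver\SalesDocs'

# G -> DL: nest the role group in the resource group
Add-ADGroupMember -Identity 'DL_SalesDocs_Modify' -Members 'G_Sales'

# P: NTFS permission on the folder, granted to the domain local group (never to users or G_Sales)
function Grant-FolderModify {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$GroupName)
    $acl = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $GroupName,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
         [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),   # apply to subfolders and files
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FolderModify -Path 'D:\Shares\SalesDocs' -GroupName 'CSMTECH\DL_SalesDocs_Modify'

# From now on, giving a new hire access is one line and never touches the DACL:
Add-ADGroupMember -Identity 'G_Sales' -Members 'newhire'

# AGGUDLP (slide 36): in a multi-domain forest, collect each domain's G_Sales in a universal group
# and nest the universal group in the domain local group. Universal membership lives on the global
# catalog (slide 39), so keep this group's membership stable: add global groups to it, not users.
New-ADGroup -Name 'U_Sales_AllDomains' -SamAccountName 'U_Sales_AllDomains' -GroupScope Universal `
    -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'U_Sales_AllDomains' -Members 'G_Sales'   # repeat for G_Sales of each other domain
Add-ADGroupMember -Identity 'DL_SalesDocs_Modify' -Members 'U_Sales_AllDomains'

# Verify who actually ends up with Modify, resolved through every level of nesting
Get-ADGroupMember -Identity 'DL_SalesDocs_Modify' -Recursive | Select-Object SamAccountName, objectClass
```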

37 Global Groups
- A global group is used mainly to group users from the same domain with similar access or rights requirements
- Considered global because it can be made a member of a domain local group in any domain in the forest or in trusted domains in other forests
- A common use is creating a global group for each department, location, or both
- In a single-domain environment, global groups are added to domain local groups for assigning resource permissions

38 Figure 7-20 Global groups nested inside a domain local group are easier to manage

39 Universal Groups
- A universal group can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest
- Universal groups can be members of other universal groups or of domain local groups from any domain in the forest
- Universal groups’ membership information is stored only on global catalog servers

40 Universal Groups
- Universal group membership caching - a feature enabled on a domain controller that causes it to keep a local copy of universal group membership after querying a global catalog server
- Universal group membership changes require replication to all global catalog servers
  - Plan your AD group design carefully so that changes to universal groups don’t happen often

41 Local Groups
- A local group is created in the local SAM database on a member server, a workstation, or a stand-alone computer
- When a computer joins a domain, Windows changes the membership of two local groups automatically:
  - Administrators - the Domain Admins global group is made a member
  - Users - the Domain Users global group is made a member
- Local groups can have the following account types as members:
  - Local user accounts
  - Domain user accounts and computer accounts from any domain in the forest
  - Domain local groups from the same domain
  - Global or universal groups from any domain in the forest

42 Nesting Groups
- Nesting groups - making a group a member of another group
- Usually used to group users who have similar roles but work in different departments
- The complexity of tracking and troubleshooting permissions increases as the number of levels of nested groups increases
  - Usually one level of nesting groups of the same type is enough

43 Figure 7-22 Nesting global groups

44 Default Groups in a Windows Domain
- Builtin folder - domain local groups used for assigning rights and permissions in the local domain
- Users folder - a combination of domain local, global, and, in the forest root domain, universal scope groups
  - User accounts are generally added to the global and universal groups in this folder for assigning permissions and rights in the domain and forest
- Special identity groups - can be assigned permissions by adding them to resources’ DACLs
  - Membership is controlled dynamically by Windows and cannot be changed manually

45 Working with Computer Accounts
Computer accounts are created in Active Directory when a client computer becomes a member of a domain
A computer account is a security principal with an SID and a password and must authenticate to the domain
Advantages of having users log on to computers that are domain members:
Single sign-on
Active Directory search
Group policies
Remote management

46 Creating Computer Accounts
Computer accounts are created in AD two ways:
A user changes the computer membership from Workgroup to Domain in the System Properties dialog box; the account is created automatically when the computer joins the domain
An administrator creates the account manually in Active Directory

47 Figure 7-23 Creating a computer account

48 Changing the Default Computer Account Location
The Computers folder can't have a group policy linked to it
You should move computer accounts to an OU you have created
Change the default location by using the redircmp.exe command-line program
Example: to change the location for computer accounts to the MemberComputers OU in the csmtech.local domain, type:
redircmp OU=MemberComputers,DC=csmtech,DC=local

49 Joining a Domain
On the computer joining the domain:
Go to the Computer Name tab in the System Properties dialog box
Click Change, then click the Domain option button
Type the name of the domain you want to join
You'll be prompted for credentials and the computer will restart
If the computer account does not already exist, it's created automatically as long as the domain user account has the right to "Add workstations to the domain"

50 Managing Computer Accounts
It may be necessary to reset a computer account if the computer account has become unsynchronized with the domain controller
To reset: Right-click the computer object in ADUC and click Reset Account
The computer must then leave the domain and join again
Administrators might also want to run the Computer Management MMC remotely on a member computer
Right-click the computer object and click Manage

51 Disabling Computer Accounts
When a computer leaves the domain, its computer account is disabled automatically
You might need to disable a computer account manually if the computer won't be in contact with the domain controller for an extended period
To disable: Right-click the computer object in ADUC and choose Disable from the shortcut menu

52 Summary
OUs can be designed to mirror a company's organizational chart
OU permissions and permission inheritance work much the same way as they do in the file system
User accounts provide a way for users to authenticate to the network and contain user information that can be used in a company directory
ADUC and ADAC are GUI tools for creating and maintaining user accounts
User templates facilitate creating users who have some attributes in common, such as group memberships

53 Summary
This chapter covers the user account properties in the General, Account, Profile, and Member Of tabs
Groups are the main security principal used to grant rights and permissions
There are three group scopes in AD: domain local, global, and universal
Computers that are domain members have computer accounts in AD
Computer accounts are created automatically when a computer joins a domain or manually by an administrator
You can automate account management by using command-line tools or PowerShell cmdlets

