ACTIVE DIRECTORY ADMINISTRATION (PowerPoint presentation)

Page 1: ACTIVE DIRECTORY ADMINISTRATION

ACTIVE DIRECTORY ADMINISTRATION

Chapter 5

Page 2: ACTIVE DIRECTORY ADMINISTRATION

Chapter 5: ACTIVE DIRECTORY ADMINISTRATION 2

UNDERSTANDING USER ACCOUNTS

Authentication

User account types

Administrator

Guest

Page 3: ACTIVE DIRECTORY ADMINISTRATION


AUTHENTICATION AND ACCESS TOKEN

Diagram: a user authenticates to Active Directory; the authentication process produces an access token, which is then presented to resources.

Access token contents:
User identification
Group memberships
Privileges assigned to the user (also named system rights)

Page 4: ACTIVE DIRECTORY ADMINISTRATION


CATEGORIES OF USER ACCOUNTS

Security Accounts Manager (SAM): local user accounts, built-in user accounts

Domain user accounts (NTDS.dit): domain local user accounts, built-in user accounts

Page 5: ACTIVE DIRECTORY ADMINISTRATION


ADMINISTRATOR ACCOUNT

Full control of computer, domain, forest

Used to establish administrative structure and create other accounts

Should be renamed

Should be secured with a complex password

Can be disabled, but cannot be deleted

Page 6: ACTIVE DIRECTORY ADMINISTRATION


GUEST ACCOUNT

Designed to allow temporary access to the network

Disabled by default, but cannot be deleted

Should be secured with a complex password if enabled

Page 7: ACTIVE DIRECTORY ADMINISTRATION


GROUPS AND THEIR USERS

Diagram: users are placed in local groups; the user's access token carries those group memberships and is evaluated against the permissions and/or resource ACEs that grant the groups access to resources.

Page 8: ACTIVE DIRECTORY ADMINISTRATION


GROUP TYPES

Page 9: ACTIVE DIRECTORY ADMINISTRATION


GROUP TYPES, SCOPES, AND CONVERTING

Distribution groups:
Typically used with applications to provide a list of users (Microsoft Exchange)
Cannot be used to assign access permissions

Security groups:
Primarily used to grant access
Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned

Page 10: ACTIVE DIRECTORY ADMINISTRATION


DOMAIN LOCAL GROUPS

Membership: user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain.

Purpose: Used to assign permissions to resources in the local domain.

Once you assign permissions to this group, you can use it to grant those permissions to other groups or users.

Page 11: ACTIVE DIRECTORY ADMINISTRATION


GLOBAL GROUPS

Membership: User accounts, computer accounts, and other global groups.

Purpose: Used to organize users.

Users are typically assigned to global groups based on job role, task, or title.

Page 12: ACTIVE DIRECTORY ADMINISTRATION


UNIVERSAL GROUPS

Membership: user accounts, computer accounts, global or universal groups.

Purpose: Used to organize users or groups of users in global groups.

Larger organizations typically use universal groups to group accounts from different domains.

Page 13: ACTIVE DIRECTORY ADMINISTRATION


GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL

Diagram: users are placed in global groups, global groups are placed in local groups, and the local groups are granted permissions and/or resource ACEs; the user's access token carries the resulting memberships when resources are accessed.

Page 14: ACTIVE DIRECTORY ADMINISTRATION


GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL

Diagram: users are placed in global groups; global groups may be nested in other global groups or in a universal group; global and universal groups are placed in domain local groups, which are granted permissions and/or resource ACEs; the user's access token carries the resulting memberships when resources are accessed.
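As an added example (not part of the slides), the following Python model encodes the membership rules from slides 10 to 12 and the two nesting diagrams, then builds the access token described on slide 3 and checks it against resource ACEs. The user names, group names, domains and the share are constructed; the same-domain restriction on global group members is a standard Active Directory rule that the slides do not spell out.

```python
"""Added example (not from the slides): a small model of Active Directory
group scopes, membership rules, nesting, and the access-token check.
All principal, group and resource names below are constructed."""
from dataclasses import dataclass, field

# Which member kinds each scope may contain, following slides 10-12.
# "any" = members from any domain, "same" = same domain only.
# The same-domain rule for global groups is standard AD behaviour, not on the slide.
ALLOWED = {
    "domain_local": {"user": "any", "computer": "any", "global": "any",
                     "universal": "any", "domain_local": "same"},
    "global":       {"user": "same", "computer": "same", "global": "same"},
    "universal":    {"user": "any", "computer": "any", "global": "any",
                     "universal": "any"},
}


@dataclass
class Principal:
    name: str
    domain: str
    kind: str          # user, computer, domain_local, global, universal
    members: list = field(default_factory=list)


def add_member(group: Principal, member: Principal, native_level: bool = True) -> None:
    """Add `member` to `group`, enforcing the scope membership rules.

    native_level=False models the Windows 2000 mixed functional level of
    slide 13: no nesting of global groups and no universal security groups.
    """
    rule = ALLOWED[group.kind].get(member.kind)
    if rule is None:
        raise ValueError(f"{member.kind} cannot be a member of a {group.kind} group")
    if rule == "same" and member.domain != group.domain:
        raise ValueError(f"{group.kind} groups only accept {member.kind}s from the same domain")
    if not native_level:
        if group.kind == "universal":
            raise ValueError("universal security groups need Windows 2000 native or later")
        if group.kind == "global" and member.kind == "global":
            raise ValueError("global groups cannot be nested at the mixed functional level")
    group.members.append(member)


def build_token(user: Principal, all_groups: list) -> set:
    """Group names that end up in the user's access token: direct memberships
    plus every group reached transitively through nesting."""
    token: set = set()
    changed = True
    while changed:
        changed = False
        for g in all_groups:
            if g.name in token:
                continue
            if any(m is user or m.name in token for m in g.members):
                token.add(g.name)
                changed = True
    return token


def access_allowed(token: set, aces: dict, permission: str) -> bool:
    """Resource ACEs: map of group name -> set of permissions it grants."""
    return any(permission in aces.get(g, ()) for g in token)


def demo() -> tuple:
    """AGDLP: Accounts -> Global groups -> (Universal) -> Domain Local -> Permission."""
    alice = Principal("alice", "corp", "user")
    bob = Principal("bob", "partner", "user")              # user from a second domain
    sales_g = Principal("Sales-G", "corp", "global")
    partner_g = Principal("PartnerSales-G", "partner", "global")
    sales_u = Principal("AllSales-U", "corp", "universal")
    share_dl = Principal("SalesShare-Modify-DL", "corp", "domain_local")
    add_member(sales_g, alice)
    add_member(partner_g, bob)
    add_member(sales_u, sales_g)        # universal group collects globals from both domains
    add_member(sales_u, partner_g)
    add_member(share_dl, sales_u)       # only the domain local group appears in the ACE
    aces = {"SalesShare-Modify-DL": {"read", "modify"}}   # constructed resource ACEs
    groups = [sales_g, partner_g, sales_u, share_dl]
    alice_token = build_token(alice, groups)
    bob_token = build_token(bob, groups)
    return (access_allowed(alice_token, aces, "modify"),
            access_allowed(bob_token, aces, "modify"),
            alice_token)


if __name__ == "__main__":
    print(demo())
```

Permissions are attached once, to the domain local group, and membership changes higher up (a new global group added to the universal group) flow into users' tokens without touching the ACE; the `native_level=False` path shows which of those steps the mixed functional level does not allow.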

Page 15: ACTIVE DIRECTORY ADMINISTRATION


DEFAULT GROUPS

Built-in security groups have pre-defined permissions.

Placed in the Builtin and Users containers by default.

Groups are sometimes added when services are installed:
The Dynamic Host Configuration Protocol (DHCP) service adds DHCP Admins and DHCP Users
Domain Name System (DNS) adds DNS Admins and DNS UpdateProxy

Page 16: ACTIVE DIRECTORY ADMINISTRATION


SPECIAL IDENTITY GROUPS

Anonymous Logon

Everyone

Authenticated Users

Interactive

Network

Page 17: ACTIVE DIRECTORY ADMINISTRATION


LOCAL GROUPS

Exist only in non–Active Directory databases:
SAM database
Domain members’ local security databases

Typically used in peer-to-peer (workgroup) networks

Used to grant system rights and access to resources available on the local computer

Page 18: ACTIVE DIRECTORY ADMINISTRATION


DEVELOPING A GROUP IMPLEMENTATION PLAN

Determine who has the ability to create and manage users and groups.

Determine how domain local, global, and universal groups should be used.

Define the guidelines for the creation and deletion of users and groups.

Implement a common naming scheme for users and groups.

Determine the appropriate uses of group nesting.

Page 19: ACTIVE DIRECTORY ADMINISTRATION


CREATING USERS AND GROUPS

Batch files: net, dsadd

Directory Exchange Utilities: CSVDE utility, LDIFDE utility

Windows Script Host (WSH)

Page 20: ACTIVE DIRECTORY ADMINISTRATION


USING BATCH FILES

net user

net group

dsadd user

dsadd group

Page 21: ACTIVE DIRECTORY ADMINISTRATION


USING CSVDE

Comma-separated values.

Header record must be defined using a distinguished name and schema attributes. Entries in the remainder of the file must follow the order of the header record.

Once the file is created, use csvde -i -f file.txt to import the users.

Cannot create users with passwords.

Cannot modify existing user accounts.

Page 22: ACTIVE DIRECTORY ADMINISTRATION


USING LDIFDE

Line-separated values. Object entries are separated by a hyphen.

Once the file is created, use ldifde -i -f file.txt to import the users.

Cannot create users with passwords.

Can modify passwords once users are created.

Can be used to import, export, and modify Active Directory objects.
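As an added example (not from the slides), this Python script builds the input files that `csvde -i -f file.txt` and `ldifde -i -f file.txt` expect, from one list of users: the CSVDE header record with the distinguished name first and every record following the header order (slide 21), and LDIFDE add and modify records (slide 22). The domain, OU, user names, and the choice to create the accounts disabled (userAccountControl 514) because neither tool can set a password at creation are constructed assumptions.

```python
"""Added example (not from the slides): generate CSVDE and LDIFDE import
files from one list of users.  Domain, OU and user values are constructed."""
import base64
import csv
import io

# Header record: distinguished name first, then schema attribute names.
# Every data record must supply its values in exactly this order.
CSVDE_HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                "displayName", "userAccountControl"]

OU = "OU=Sales,DC=example,DC=com"      # constructed target OU
UPN_SUFFIX = "example.com"             # constructed UPN suffix
# 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the accounts are created
# disabled because csvde/ldifde cannot set a password during creation.
UAC_DISABLED = 514

# Constructed sample users (no password column: the tools cannot import one)
USERS = [
    {"cn": "Alice Smith", "sam": "asmith", "display": "Alice Smith"},
    {"cn": "Bob Jones", "sam": "bjones", "display": "Bob Jones"},
]


def user_dn(user: dict) -> str:
    return f"CN={user['cn']},{OU}"


def csv_field(value: str) -> str:
    # Quote a field containing commas so the DN is not split into columns
    return f'"{value}"' if "," in value else value


def csvde_file(users: list) -> str:
    """Header record followed by one record per user, values in header order."""
    lines = [",".join(CSVDE_HEADER)]
    for u in users:
        record = [user_dn(u), "user", u["sam"], f"{u['sam']}@{UPN_SUFFIX}",
                  u["display"], str(UAC_DISABLED)]
        lines.append(",".join(csv_field(v) for v in record))
    return "\n".join(lines) + "\n"


def check_csvde(text: str) -> bool:
    """Pre-import check: every record has exactly as many fields as the header."""
    rows = list(csv.reader(io.StringIO(text)))
    return len(rows) > 1 and all(len(r) == len(rows[0]) for r in rows[1:])


def ldif_value(attr: str, value: str) -> str:
    # LDIF rule: a value that is not safe ASCII, or that starts with a space,
    # colon or '<', is base64-encoded and written after a double colon.
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"


def ldifde_add_file(users: list) -> str:
    """One 'changetype: add' record per user; records are separated by a blank line."""
    records = []
    for u in users:
        records.append("\n".join([
            ldif_value("dn", user_dn(u)),
            "changetype: add",
            "objectClass: user",
            ldif_value("sAMAccountName", u["sam"]),
            ldif_value("userPrincipalName", f"{u['sam']}@{UPN_SUFFIX}"),
            ldif_value("displayName", u["display"]),
            f"userAccountControl: {UAC_DISABLED}",
        ]))
    return "\n\n".join(records) + "\n"


def ldifde_modify_file(users: list, new_display: dict) -> str:
    """'changetype: modify' records for existing users; each attribute change
    inside a record is terminated by a line holding only a hyphen."""
    records = []
    for u in users:
        if u["sam"] not in new_display:
            continue
        records.append("\n".join([
            ldif_value("dn", user_dn(u)),
            "changetype: modify",
            "replace: displayName",
            ldif_value("displayName", new_display[u["sam"]]),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    with open("users.csv", "w", encoding="utf-8") as f:   # then: csvde -i -f users.csv
        f.write(csvde_file(USERS))
    with open("users.ldf", "w", encoding="utf-8") as f:   # then: ldifde -i -f users.ldf
        f.write(ldifde_add_file(USERS))
    with open("rename.ldf", "w", encoding="utf-8") as f:  # then: ldifde -i -f rename.ldf
        f.write(ldifde_modify_file(USERS, {"asmith": "Alice Smith-Lee"}))
```

Running `check_csvde` before the import catches the most common CSVDE failure, a record whose field count drifts from the header because an unquoted DN was split on its commas; the LDIF modify file is the part of the workflow that CSVDE cannot do at all.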

Page 23: ACTIVE DIRECTORY ADMINISTRATION


USING WSH

Allows you to write scripts to create users and other Active Directory objects.

Scripts can be VBScript or JScript.

Allows for highly customized solutions that automate the creation of user accounts.

Page 24: ACTIVE DIRECTORY ADMINISTRATION


SUMMARY

What are the two group types? Which type can be used to assign permissions?

Which one is primarily for e-mail?

Name three group scopes.

What domain functional level is required for creating universal groups?

Name methods for automating user account creation.