Active Directory and User Management

8/20/2019 Active Directory and User Management

Microsoft Windows Server 2008
Introduction to Active Directory and User Account Management

Objectives

• Background
• Understand Active Directory basic concepts
• Install and configure Active Directory
• Implement Active Directory containers
• Create and manage user accounts
• Configure and use security groups
• Describe and implement new Active Directory features

Active Directory Basics

• Active Directory
  – Directory service that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information
• Directory service
  – Responsible for providing a central listing of resources and ways to quickly find and access specific resources, and for providing a way to manage network resources

Active Directory Basics (continued)

• Windows Server 2008 uses Active Directory to manage accounts, groups, and many more network management services
• Domain controllers (DCs)
  – Servers that have the AD DS server role installed
  – Contain writable copies of information in Active Directory
• Member servers
  – Servers on a network managed by Active Directory that do not have Active Directory installed

Active Directory Basics (continued)

• Domain
  – Container that holds information about all network resources that are grouped within it
  – Every resource is called an object
• Multimaster replication
  – Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory
• Active Directory is built to make replication efficient

Active Directory Basics (continued)

• Activity: Installing Active Directory
  – Time Required: Approximately 20-30 minutes
  – Objective: Install Active Directory

Schema

• Active Directory schema
  – Defines the objects and the information pertaining to those objects that can be stored in Active Directory
• User account
  – One class of object in Active Directory that is defined through schema elements unique to that class


Global Catalog

• Global catalog
  – Stores information about every object within a forest
  – Stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest
• The first DC configured in a forest becomes the global catalog server
• The global catalog server enables forest-wide searches of data

Global Catalog (continued)

• The global catalog serves the following purposes:
  – Authenticating users when they log on
  – Providing lookup and access to all resources in all domains
  – Providing replication of key Active Directory elements
  – Keeping a copy of the most used attributes for each object for quick access

Containers in Active Directory

• Active Directory has a treelike structure
• The hierarchical elements, or containers, of Active Directory include forests, trees, domains, organizational units (OUs), and sites


Forest

• Forest
  – Consists of one or more Active Directory trees that are in a common relationship
• Forests have the following characteristics:
  – The trees can use a disjointed namespace
  – All trees use the same schema
  – All trees use the same global catalog
  – Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest
  – Two-way transitive trusts are automatically configured between domains within a single forest

Forest (continued)

• Forest provides a means to relate trees that use a contiguous namespace in domains within each tree
  – But that have disjointed namespaces in relationship to each other
• The advantage of joining trees into a forest is that all domains share the same schema and global catalog
• Forest functional level
  – Refers to the Active Directory functions supported forest-wide


Forest (continued)

• Windows Server 2008 Active Directory recognizes three types of forest functional levels
  – Windows 2000

Tree

• Tree
  – Contains one or more domains that are in a common relationship
• Tree has the following characteristics:
  – Domains are represented in a contiguous namespace and can be in a hierarchy
  – Two-way trust relationships exist between parent domains and child domains
  – All domains in a single tree use the same schema for all types of common objects
  – All domains use the same global catalog

Tree (continued)

• The domains in a tree typically have a hierarchical structure
  – Such as a root domain at the top and other domains under the root
• The domains within a tree are in what is called a Kerberos transitive trust relationship
  – Which consists of two-way trusts between parent domains and child domains
• Because of the trust relationship between parent and child domains, any one domain can have access to the resources of all others


Domain

• Microsoft views a domain as a logical partition within an Active Directory forest
  – A domain is a grouping of objects that typically exists as a primary container within Active Directory
• The basic functions of a domain are as follows:
  – To provide an Active Directory partition in which to house objects that have a common relationship, particularly in terms of management and security
  – To establish a set of information to be replicated from one DC to another
  – To expedite management of a set of objects

Domain (continued)

• Activity: Managing Domains
  – Time Required: Approximately 10 minutes
  – Objective: Learn where to manage domains

Organizational Unit

• Organizational unit (OU)
  – Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division than is possible through domain administration alone
• An OU is a grouping of related objects within a domain
  – OUs allow the grouping of objects so that they can be administered using the same group policies
• OUs can be nested within OUs

Organizational Unit (continued)

• When you plan to create OUs, keep three concerns in mind:
  – Microsoft recommends that you limit OUs to 10 levels or fewer
  – Active Directory works more efficiently when OUs are set up horizontally instead of vertically
  – The creation of OUs involves more processing resources because each request through an OU requires CPU time

Organizational Unit (continued)

• Activity: Managing OUs
  – Time Required: Approximately 10 minutes
  – Objective: Create an OU and delegate control over it

Active Directory Guidelines

• Above all, keep Active Directory as simple as possible
  – Plan its structure before you implement it
• Implement the least number of domains possible
  – With one domain being the ideal and building from there
• Implement only one domain on most small networks
• Use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary

Active Directory Guidelines (continued)

• Do not build an Active Directory with more than 10 levels of OUs
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations
  – As a means to improve logon and DC replication performance

User Account Management

• Default accounts:
  – Administrator and Guest
• Accounts can be set up in two general environments:
  – Accounts that are set up through a stand-alone server that does not have Active Directory installed
  – Accounts that are set up in a domain when Active Directory is installed


Creating Accounts When Active Directory Is Installed

• Activity: Creating User Accounts in Active Directory
  – Time Required: Approximately 1… minutes
  – Objective: Learn how to create a user account in Active Directory

Disabling, Enabling, and Renaming Accounts

• Activity: Disabling, Renaming, and Enabling an Account
  – Time Required: Approximately … minutes
  – Objective: Practice disabling, renaming, and then enabling an account

Moving an Account

• Activity: Moving an Account
  – Time Required: Approximately … minutes
  – Objective: Practice moving an account

Resetting a Password

• Activity: Changing an Account's Password
  – Time Required: Approximately … minutes
  – Objective: Practice changing an account's password

Deleting an Account

• Activity: Deleting an Account
  – Time Required: Approximately … minutes
  – Objective: Practice deleting an account
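The account lifecycle that the five activities above walk through (create, disable/rename/enable, move, reset the password, delete), as an added PowerShell example that is not part of the original slides. It assumes the ActiveDirectory module, a domain corp.example, the OUs Staff and Former Staff, and the user jdoe; all of these are constructed placeholders.

```powershell
# Added example, not from the slides. Domain, OU and user names are placeholders.
Import-Module ActiveDirectory

$domainDn = "DC=corp,DC=example"
$staffOu  = "OU=Staff,$domainDn"
$formerOu = "OU=Former Staff,$domainDn"

# Containers first: an OU is the unit of delegation and Group Policy, so the
# account is created directly in the OU that will manage it.
foreach ($ou in "Staff", "Former Staff") {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# Create: the account stays disabled until the initial password has been handed
# over, and the user must change that password at first logon.
$initialPwd = Read-Host -AsSecureString "Initial password for jdoe"
New-ADUser -Name "Jane Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@corp.example" `
           -Path $staffOu -AccountPassword $initialPwd -Enabled $false `
           -ChangePasswordAtLogon $true
Enable-ADAccount -Identity "jdoe"

# Disable, rename, enable: disabling keeps the SID and the group memberships,
# so access is restored by enabling again rather than rebuilding the account.
Disable-ADAccount -Identity "jdoe"
Rename-ADObject -Identity (Get-ADUser "jdoe").DistinguishedName -NewName "Jane Smith"
Set-ADUser -Identity "jdoe" -Surname "Smith" -DisplayName "Jane Smith"
Enable-ADAccount -Identity "jdoe"

# Move: the distinguished name changes, the SID does not; the GPOs linked to
# the destination OU now apply to the account.
Move-ADObject -Identity (Get-ADUser "jdoe").DistinguishedName -TargetPath $formerOu

# Reset: -Reset sets a new password without knowing the old one (an
# administrative reset, as opposed to a user-initiated change).
$newPwd = Read-Host -AsSecureString "Reset password for jdoe"
Set-ADAccountPassword -Identity "jdoe" -Reset -NewPassword $newPwd
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true

# Delete: -Confirm:$false skips the prompt. Deleting discards the SID, so any
# permission granted to it becomes an orphaned entry; disable and move first
# (as above) and delete only after those permissions have been reviewed.
Remove-ADUser -Identity "jdoe" -Confirm:$false
```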


Security Group Management

• One of the best ways to manage accounts is by grouping accounts that have similar characteristics
• Scope of influence (or scope)
  – The reach of a group for gaining access to resources in Active Directory
• Types of groups:
  – Local
  – Domain local
  – Global
  – Universal

Security Group Management (continued)

• All of these groups can be used for security or distribution groups
• Security groups
  – Used to enable access to resources on a stand-alone server or in Active Directory
• Distribution groups
  – Used for e-mail or telephone lists, to provide quick, mass distribution of information

Implementing Local Groups

• Local security group
  – Used to manage resources on a stand-alone computer that is not part of a domain and on member servers in a domain
• Instead of installing Active Directory, you can divide accounts into local groups
  – Each group would be given different security access based on the resources at the server

Implementing Domain Local Groups

• Domain local security group
  – Used when Active Directory is deployed
  – Typically used to manage resources in a domain and to give global groups from the same and other domains access to those resources
• The scope of a domain local group is the domain in which the group exists
• The typical purpose of a domain local group is to provide access to resources
  – You grant access to servers, folders, shared folders, and printers to a domain local group


Implementing Global Groups

• Global security group
  – Intended to contain user accounts from a single domain
  – Can also be set up as a member of a domain local group in the same or another domain
• A global group can contain user accounts and other global groups from the domain in which it was created
• A global group can be converted to a universal group
  – As long as it is not nested in another global group or in a universal group


Implementing Global Groups (continued)

• A typical use for a global group is to build it with accounts that need access to resources in the same or in another domain
  – And then to make the global group in one domain a member of a domain local group in the same or another domain
• This model enables you to manage user accounts and their access to resources through one or more global groups
  – While reducing the complexity of managing accounts


Implementing Global Groups (continued)

• Activity: Creating Domain Local and Global Security Groups
  – Time Required: Approximately 1… minutes
  – Objective: Create a domain local and a global security group and make the global group a member of the domain local group

Implementing Universal Groups

• Universal security groups
  – Provide a means to span domains and trees
• Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
• Universal groups are offered to provide an easy means to access any resource in a tree
  – Or among trees in a forest

Implementing Universal Groups (continued)

• Guidelines to help simplify how you plan to use groups:
  – Use global groups to hold accounts as members
  – Use domain local groups to provide access to resources in a specific domain
  – Use universal groups to provide extensive access to resources
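The model these guidelines and the earlier global-group slides describe, as an added PowerShell example that is not part of the original slides: accounts held in a global group, the global group nested in a domain local group, the resource permission granted only to the domain local group, and then the nesting check that decides whether the global group may be converted to universal scope. The domain corp.example, the group and user names and the share path are constructed placeholders.

```powershell
# Added example, not from the slides. All names below are placeholders.
Import-Module ActiveDirectory

$ouPath  = "OU=Staff,DC=corp,DC=example"
$globalG = "G-Finance-Users"         # global scope: holds the accounts
$dlGroup = "DL-FinanceShare-Modify"  # domain local scope: named on the resource ACL
$share   = "\\fs01.corp.example\Finance"

# 1. Global group: members are accounts from this domain only.
New-ADGroup -Name $globalG -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $globalG -Members "alice", "bob"

# 2. Domain local group, scoped to this domain. It is the only principal that
#    appears on the folder ACL, so no permission is ever granted per user.
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $dlGroup -Members $globalG   # nest global in domain local

# 3. Grant the resource permission to the domain local group (NTFS ACL).
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CORP\$dlGroup", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Conversion check. Set-ADGroup refuses Global -> Universal while the group
#    is a member of another global group, so find such parents before trying.
function Test-CanConvertGlobalToUniversal {
    param([string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -Properties MemberOf
    if ($g.GroupScope -ne 'Global') { return $false }
    $blocking = foreach ($dn in $g.MemberOf) {
        $parent = Get-ADGroup -Identity $dn
        if ($parent.GroupScope -eq 'Global') { $parent.Name }
    }
    if ($blocking) {
        Write-Warning "Cannot convert $GroupName; nested in global group(s): $($blocking -join ', ')"
        return $false
    }
    return $true
}

if (Test-CanConvertGlobalToUniversal -GroupName $globalG) {
    Set-ADGroup -Identity $globalG -GroupScope Universal
}

# Review: who actually gets Modify on the share, resolved through the nesting.
Get-ADGroupMember -Identity $dlGroup -Recursive | Select-Object objectClass, SamAccountName
```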


Properties of Groups

• You can configure the properties of a specific group
  – By double-clicking that group in the Local Users and Groups tool for a stand-alone (nondomain) or member server
  – Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties are configured using the following tabs:
  – General
  – Members
  – Member Of
  – Managed By

Implementing User Profiles

• A local user profile is automatically created at the local computer when you log on with an account for the first time
  – The profile can be modified to consist of desktop settings that are customized for one or more clients who log on locally

Implementing User Profiles (continued)

• User profile advantages
  – Multiple users can use the same computer and maintain their own customized settings
  – Profiles can be stored on a network server so they are available to users regardless of the computer they use to log on (roaming profile)
  – Profiles can be made mandatory so users have the same settings each time they log on (mandatory profile)

Implementing User Profiles (continued)

• One way to set up a profile is to first set up a generic account on the server with the desired desktop configuration
  – Then copy the … the desktop
  – Set up those users to access a profile by opening the Profile tab in each user's account properties and entering the path to that profile
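The Profile tab step above applied to whole OUs at once, as an added PowerShell example that is not part of the original slides: a roaming profile path for the accounts in one OU, and a shared profile made mandatory for the accounts in another. The share, OU and folder names are constructed placeholders.

```powershell
# Added example, not from the slides. Share and OU names are placeholders.
Import-Module ActiveDirectory

$profileShare = "\\fs01.corp.example\Profiles"
$staffOu      = "OU=Staff,DC=corp,DC=example"
$kioskOu      = "OU=Kiosk,DC=corp,DC=example"

# Roaming profile: one folder per user under the share. Windows expands
# %username% and creates the folder at the user's first logon.
Get-ADUser -Filter * -SearchBase $staffOu |
    Set-ADUser -ProfilePath "$profileShare\%username%"

# Mandatory profile: every kiosk account points at the same template folder.
# Renaming the hive from NTUSER.DAT to NTUSER.MAN makes Windows discard the
# user's changes at logoff. (Vista/2008 clients look for <folder>.V2 on disk.)
$template = "$profileShare\Kiosk"
if (Test-Path "$template\NTUSER.DAT") {
    Rename-Item -Path "$template\NTUSER.DAT" -NewName "NTUSER.MAN"
}
Get-ADUser -Filter * -SearchBase $kioskOu |
    Set-ADUser -ProfilePath $template

# Verify what each account now points at.
Get-ADUser -Filter * -SearchBase "DC=corp,DC=example" -Properties ProfilePath |
    Where-Object { $_.ProfilePath } |
    Select-Object SamAccountName, ProfilePath
```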

What's

Restart Capability

• Windows Server 2008 provides the option to stop Active Directory Domain Services
  – Without taking down the computer
• After your work is done on Active Directory, you simply restart Active Directory Domain Services

Auditing Improvements

• Server administrators can now create an audit trail of many types of changes that might be made in Active Directory, including when:
  – There are attribute changes to the schema
  – Objects are moved, such as user accounts moved from one OU to a different one

Auditing Improvements (continued)

• You must set up Active Directory auditing in two places:
  – Enable a Domain Controllers (global) Policy to audit successful or failed Active Directory change actions
  – Configure successful or failed change actions on specific Active Directory objects or containers


Summary

• Active Directory (or AD DS) is a directory service to house information about network resources
• Servers housing Active Directory are called domain controllers (DCs)
• The most basic component of Active Directory is an object
• The global catalog stores information about every object, replicates key Active Directory elements, and is used to authenticate user accounts when they log on

Summary (continued)

• A namespace consists of using the Domain