CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+


Agenda

•Chapter 5: Active Directory Administration
•Quiz
•Exercise

Understanding User Accounts

•Three types of user accounts can be created and configured in Windows Server 2008:
  ▫Local accounts
  ▫Domain accounts
  ▫Built-in user accounts

Security guidelines

•Rename the Administrator account
  ▫Set a strong password
•Limit knowledge of administrator passwords to only a few individuals
•Do not use the Administrator account for daily non-administrative tasks
•Rename the Guest account after enabling it for use
  ▫Set a strong password
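The guidelines above as a script, added here as an example that is not part of the slides: it locates the built-in Administrator and Guest accounts by their well-known RIDs (500 and 501), reports their state, renames Administrator and resets its password. The ActiveDirectory module is assumed, and the new name 'brk-glass-admin' is a hypothetical choice.

```powershell
# Added example (not from the slides): audit and apply the guidelines above for
# the built-in Administrator (RID 500) and Guest (RID 501) accounts. Assumes the
# ActiveDirectory module; the new name 'brk-glass-admin' is a hypothetical choice.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Built-in accounts keep their well-known RIDs whatever they are renamed to,
# so resolve them by SID instead of trusting the name 'Administrator'.
$admin = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, LastLogonDate
$guest = Get-ADUser -Identity "$domainSid-501"

# Report the state the guidelines care about before changing anything.
[pscustomobject]@{
    AdminName       = $admin.SamAccountName
    AdminPwdLastSet = $admin.PasswordLastSet
    AdminLastLogon  = $admin.LastLogonDate   # frequent logons hint at daily non-admin use
    GuestName       = $guest.SamAccountName
    GuestEnabled    = $guest.Enabled
} | Format-List

# Rename the Administrator account: the object name (CN) and the logon name are separate.
$newName = 'brk-glass-admin'
if ($admin.SamAccountName -eq 'Administrator') {
    Rename-ADObject -Identity $admin.DistinguishedName -NewName $newName
    Set-ADUser -Identity "$domainSid-500" -SamAccountName $newName -DisplayName $newName
}

# Set a strong password, prompted so it never sits in the script or shell history.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for the built-in Administrator'
Set-ADAccountPassword -Identity "$domainSid-500" -NewPassword $newPassword -Reset

# Guest is disabled by default; if it has been enabled, the guidelines call for a rename and a strong password.
if ($guest.Enabled) {
    Write-Warning "Guest ('$($guest.SamAccountName)') is enabled: rename it and set a strong password, or disable it with Disable-ADAccount."
}
```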

Group Accounts

•Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
•A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Types

•Distribution groups
  ▫Non-security-related groups created for the distribution of information to one or more persons.
•Security groups
  ▫Security-related groups created for the purpose of granting resource access permissions to multiple users.

Group Nesting

•Users can be members of more than one group.
•Groups can contain other Active Directory objects, such as computers, and other groups.
•A group that contains other groups is an example of group nesting.

Group Scopes

•Domain Local
  ▫These groups can include users, computers, global groups, and universal groups from any domain
  ▫Used to assign permissions to any resource in the domain in which they are located
•Global
  ▫These groups can include users, computers, and global groups only from within the same domain
  ▫Used to assign permissions to resources that reside in any domain in the forest
  ▫Global group memberships are replicated only to DCs within the same domain
•Universal
  ▫Same as global groups, but the group memberships should not change frequently because these groups are stored in the GC (global catalog)

Using Global and Domain Local Groups

•Assign users within a domain to global groups.
•Add global groups to domain local groups.
•Assign permissions to the domain local groups.

AGUDLP

•Microsoft approach to using groups:
  ▫Add Accounts to Global groups.
  ▫Add those global groups to Universal groups.
  ▫Add universal groups to Domain Local groups.
  ▫Finally, assign Permissions to the domain local groups.
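The A-G-U-DL-P chain from the last two slides built with the ActiveDirectory module, added here as an example that is not part of the slides. The OU, group names, user names, domain (contoso.com) and share path are hypothetical; the ACL step runs on the file server that hosts the folder.

```powershell
# Added example (not from the slides): the AGUDLP chain built with the
# ActiveDirectory module. The OU, group names, user names, domain and share
# path below are hypothetical; run the ACL step on the file server itself.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=contoso,DC=com'   # hypothetical OU for the new groups
$users   = 'jsmith', 'mary.north'           # hypothetical accounts already in AD
$share   = 'D:\Shares\SalesReports'         # hypothetical folder on the file server

# A -> G: put Accounts into a Global group (global groups take members only from their own domain).
New-ADGroup -Name 'G-Sales-Staff' -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'G-Sales-Staff' -Members $users

# G -> U: nest the global group in a Universal group. Universal group membership
# is stored in the global catalog, so nest groups rather than users to keep it stable.
New-ADGroup -Name 'U-Sales-All' -GroupScope Universal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'U-Sales-All' -Members 'G-Sales-Staff'

# U -> DL: nest the universal group in a Domain Local group in the resource's domain.
New-ADGroup -Name 'DL-SalesReports-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-SalesReports-Modify' -Members 'U-Sales-All'

# DL -> P: the Domain Local group is the only tier that receives Permissions.
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CONTOSO\DL-SalesReports-Modify',   # identity granted access
    'Modify',                           # FileSystemRights
    'ContainerInherit,ObjectInherit',   # inherit to subfolders and files
    'None',                             # PropagationFlags
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: expand the nesting to see which accounts end up with Modify on the share.
Get-ADGroupMember -Identity 'DL-SalesReports-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```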

Creating and Managing Groups

•Creating and managing groups is usually done with Active Directory Users and Computers.

Working with Default Groups

•Account Operators
  ▫Can create, modify and delete accounts for users, groups, and computers in all containers and OUs.
  ▫Cannot modify the Administrators, Domain Admins and Enterprise Admins groups.
•Administrators
•Backup Operators
•Guests
  ▫Disabled by default

Working with Default Groups

•Print Operators
  ▫Can manage printers and document queues.
•Server Operators
  ▫Can log on to a server interactively
  ▫Create and delete shares, start and stop some services
  ▫Back up and restore files
  ▫Format the disk, shut down the computer and modify the system date and time.

Working with Default Groups

•Users
•DNSAdmins
  ▫Permits administrative access to the DNS server service.
•Domain Admins
•Domain Computers
  ▫Contains all computers.
  ▫Used to make computer management easier through group policies.
•Domain Controllers
  ▫Contains all computers installed in the domain as a domain controller.

Working with Default Groups

•Domain Guests
  ▫Members include all domain guests.
•Domain Users
  ▫Used to assign permissions to all users in the domain.
•Enterprise Admins
  ▫Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups

•Schema Admins
  ▫Members can manage and modify the Active Directory schema.
•See Table 5-1 on Pages 106-111

Special Identity Groups and Local Groups

•Authenticated Users
  ▫Used to allow controlled access to resources throughout the forest or domain.
•Everyone
•See Table 5-2 on Pages 112-113

Group Implementation Plan

•A plan that states
  ▫who has the ability and responsibility to create, delete, and manage groups.
•A policy that states
  ▫how domain local, global, and universal groups are to be used.
  ▫guidelines for creating new groups and deleting old groups.
•A naming standards document to keep group names consistent.
•A standard for group nesting.

Creating Users and Groups

•Active Directory Users and Computers
•Batch files
  ▫dsadd user <UserDN> -samid <SAMAccountName>
  ▫dsadd user cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com -samid jsmith

Creating Users and Groups (Cont.)

•Comma-Separated Value Directory Exchange (CSVDE)
  ▫Header record (See Page 119)
  ▫csvde.exe -i -f newusers.csv
    -i is to import; -f is to specify the file to import

Creating Users and Groups (Cont.)

•LDAP Data Interchange Format Directory Exchange (LDIFDE)
  ▫You can add, modify, or delete objects
  ▫ldifde -i -f newobjects.ldf
•Windows Script Host (WSH)
  ▫See code on Page 121

Creating Users and Groups (Cont.)

•Windows PowerShell
  ▫$objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
  ▫$objUser = $objOU.Create("user", "CN=Mary North")
  ▫$objUser.Put("sAMAccountName", "mary.north")
  ▫$objUser.SetInfo()
  ▫Windows Server 2008 R2:
    Import-Module ActiveDirectory
    New-ADUser -Name "Mary North" -SamAccountName "mary.north"

Creating Users and Groups (Cont.)

•Note:
  ▫CSVDE and LDIFDE cannot import a user's password, hence the user account will be disabled by default
  ▫Only DSADD supports specifying the password
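The note above is the usual stumbling block of a CSVDE or LDIFDE import, so here is the follow-up step as an added example that is not part of the slides: a constructed newusers.csv is imported with csvde, then each imported account gets a random initial password, a forced change at first logon, and is enabled. The ActiveDirectory module, the contoso.com domain and the OU=People container are assumptions.

```powershell
# Added example (not from the slides): csvde/ldifde leave imported accounts
# disabled with no password, so set an initial password and enable each one.
# Assumes the ActiveDirectory module; the CSV content, domain and OU are constructed.
Import-Module ActiveDirectory

# Constructed sample of a CSVDE input file (DN and objectClass are the columns csvde needs).
$sample = @'
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=Mary North,OU=People,DC=contoso,DC=com",user,mary.north,mary.north@contoso.com,Mary North
"CN=John Smith,OU=People,DC=contoso,DC=com",user,jsmith,jsmith@contoso.com,John Smith
'@
$sample | Set-Content -Path .\newusers.csv

# Step 1: import with csvde (accounts are created disabled, without a password).
csvde.exe -i -f .\newusers.csv

# Step 2: give each imported account a unique initial password and enable it.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($row in Import-Csv -Path .\newusers.csv) {
    $user = Get-ADUser -Identity $row.sAMAccountName
    if ($user.Enabled) { continue }   # already handled on an earlier run

    # 18 random bytes -> 24 base64 characters; in practice this satisfies the default complexity policy.
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $user -NewPassword $secure -Reset
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # user must replace it at first logon
    Enable-ADAccount -Identity $user

    # Hand the initial password to the user out of band; it is shown once here.
    Write-Output "$($row.sAMAccountName): enabled, initial password $plain"
}
```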

Offline Domain Join

•Offline domain join is a process to add computers to a domain in locations where there is no connectivity to a corporate network.
  ▫Windows Server 2008 R2
  ▫Windows 7 image or a running computer
•The offline domain join process includes the following phases:
  ▫Run djoin.exe /provision to create the computer account metadata and save it to a text file:
    djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt>
  ▫Run djoin.exe /requestODJ to insert the computer account metadata into the Windows directory of the destination computer:
    djoin /requestodj /loadfile <filename.txt>

Assignment

•Fill in the blank
  ▫1-10
•Multiple Choice
  ▫1-10
•Online Lab 5