CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
Agenda • Chapter 5: Active Directory Administration • Quiz • Exercise
Understanding User Accounts • Three types of user accounts can be created and configured in Windows Server 2008: • Local accounts • Domain accounts • Built-in user accounts
Security guidelines
• Administrator account
  • Rename the Administrator account
  • Set a strong password
  • Limit knowledge of administrator passwords to only a few individuals
  • Do not use the Administrator account for daily non-administrative tasks
• Guest account
  • Rename the Guest account after enabling it for use
  • Set a strong password
Group Accounts • Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. • A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
Group Types • Distribution groups • Non-security-related groups created for the distribution of information to one or more persons. • Security groups • Security-related groups created for purposes of granting resource access permissions to multiple users.
Group Nesting • Users can be members of more than one group. • Groups can contain other Active Directory objects, such as computers, and other groups. • Groups containing groups is called group nesting.
Group Scopes
• Domain Local
  • Can include users, computers, global groups, and universal groups from any domain
  • Used to assign permissions to any resource in the domain in which the group is located
• Global
  • Can include users, computers, and global groups only from within the same domain
  • Used to assign permissions to resources that reside in any domain in the forest
  • Global group memberships are replicated only to DCs within the same domain
• Universal
  • Same as a global group, but the group membership should not change frequently because these groups are stored in the GC (global catalog)
Using Global and Domain Local Groups • Assign users within a domain to global groups. • Add global groups to domain local groups. • Assign permissions to domain local group.
AGUDLP
• Microsoft's recommended approach to using groups:
  • Add Accounts to Global groups
  • Add those Global groups to Universal groups
  • Add Universal groups to Domain Local groups
  • Finally, assign Permissions to the Domain Local groups
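The AGDLP and AGUDLP chains described in the two slides above, carried out with the ActiveDirectory module, as an added example (not code from the slides). The domain name contoso.com, the OU path, the group names and the share folder are assumptions; the final check shows that only the domain local group ever appears in the resource's ACL.

```powershell
# Added example (not from the slides): AGUDLP with the ActiveDirectory module.
# Assumed names: domain CONTOSO / contoso.com, OU "OU=Groups,DC=contoso,DC=com",
# resource folder D:\Shares\Finance. Run as an account allowed to create groups and set the ACL.
Import-Module ActiveDirectory

$groupOU = "OU=Groups,DC=contoso,DC=com"   # assumption
$folder  = "D:\Shares\Finance"             # assumption

# A -> G: user accounts go into a Global group (members come only from this domain)
New-ADGroup -Name "G-Finance-Staff" -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "G-Finance-Staff" -Members "jsmith", "mary.north"

# G -> U: global groups roll up into a Universal group. Its membership is stored in the
# global catalog, so nest groups here rather than individual users to keep it stable.
New-ADGroup -Name "U-Finance-All" -GroupScope Universal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "U-Finance-All" -Members "G-Finance-Staff"

# U -> DL: the Domain Local group is the only object that will be granted permissions
New-ADGroup -Name "DL-Finance-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "DL-Finance-Modify" -Members "U-Finance-All"

# P: grant Modify on the folder to the domain local group, never to users or global groups
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "CONTOSO\DL-Finance-Modify",        # identity that receives the permission
    "Modify",                           # FileSystemRights
    "ContainerInherit,ObjectInherit",   # inherit to subfolders and files
    "None",                             # PropagationFlags
    "Allow"                             # AccessControlType
)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: resolve the nesting chain down to the users who effectively get access
Get-ADGroupMember -Identity "DL-Finance-Modify" -Recursive | Select-Object Name, objectClass

# Check 2: the folder ACL should reference the DL group only, no direct user entries
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "CONTOSO\*" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Changing who has access later means editing the global group's membership; the ACL on the folder never has to be touched again.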
Creating and Managing Groups • Creating and managing groups is usually done with Active Directory Users and Computers.
Working with Default Groups
• Account Operators
  • Can create, modify, and delete accounts for users, groups, and computers in all containers and OUs
  • Cannot modify the Administrators, Domain Admins, and Enterprise Admins groups
• Administrators
• Backup Operators
• Guests
  • Disabled by default
Working with Default Groups
• Print Operators
  • Can manage printers and document queues
• Server Operators
  • Can log on to a server interactively
  • Create and delete shares, start and stop some services
  • Back up and restore files
  • Format the disk, shut down the computer, and modify the system date and time
Working with Default Groups
• Users
• DnsAdmins
  • Permits administrative access to the DNS Server service
• Domain Admins
• Domain Computers
  • Contains all computers
  • Used to make computer management easier through Group Policy
• Domain Controllers
  • Contains all computers installed in the domain as a domain controller
Working with Default Groups
• Domain Guests
  • Members include all domain guests
• Domain Users
  • Used to assign permissions to all users in the domain
• Enterprise Admins
  • Carries the forest-wide administrative privileges associated with this group, such as the ability to create and delete domains
Working with Default Groups
• Schema Admins
  • Members can manage and modify the Active Directory schema
• See Table 5-1 on Pages 106 - 111
Special Identity Groups and Local Groups
• Authenticated Users
  • Used to allow controlled access to resources throughout the forest or domain
• Everyone
• See Table 5-2 on Pages 112 - 113
Group Implementation Plan
• A plan that states who has the ability and responsibility to create, delete, and manage groups
• A policy that states
  • how domain local, global, and universal groups are to be used
  • guidelines for creating new groups and deleting old groups
• A naming standards document to keep group names consistent
• A standard for group nesting
Creating Users and Groups
• Active Directory Users and Computers
• Batch files
  • dsadd user <user DN> -samid <SAM account name>
  • dsadd user cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com -samid jsmith
Creating Users and Groups (Cont.)
• Comma-Separated Value Directory Exchange (CSVDE)
  • Header record (see Page 119)
  • csvde.exe -i -f newusers.csv
  • -i selects import mode
  • -f specifies the file to import
Creating Users and Groups (Cont.)
• LDAP Data Interchange Format Directory Exchange (LDIFDE)
  • Can add, modify, and delete objects
  • ldifde -i -f newobjects.ldf
• Windows Script Host (WSH)
  • See code on Page 121
Creating Users and Groups (Cont.)
• Windows PowerShell (ADSI)
  • $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
  • $objUser = $objOU.Create("user", "CN=Mary North")
  • $objUser.Put("sAMAccountName", "mary.north")
  • $objUser.SetInfo()
• Windows Server 2008 R2 (ActiveDirectory module)
  • Import-Module ActiveDirectory
  • New-ADUser -Name "Mary North" -SamAccountName "mary.north"
Creating Users and Groups (Cont.)
• Note:
  • CSVDE and LDIFDE cannot import a user's password, so the imported accounts are disabled by default
  • Only DSADD supports specifying the password
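Bulk user creation that avoids the disabled-account problem noted above, as an added example (not code from the slides or the textbook): New-ADUser can take an initial password, so accounts are created enabled with a forced password change at first logon, and the tail of the script shows how to bring an account already imported with CSVDE or LDIFDE into the same state. The OU, UPN suffix and the CSV rows are constructed assumptions.

```powershell
# Added example (not from the slides): bulk user creation with New-ADUser.
# Assumed OU and UPN suffix; the CSV content is constructed for the example.
Import-Module ActiveDirectory

$targetOU  = "OU=People,DC=contoso,DC=com"   # assumption
$upnSuffix = "contoso.com"                   # assumption
$csvText = @"
GivenName,Surname,SamAccountName,Department
Mary,North,mary.north,Finance
John,Smith,jsmith,Sales
"@
$users = $csvText | ConvertFrom-Csv

foreach ($u in $users) {
    # Skip accounts that already exist instead of failing part-way through the import
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipping"
        continue
    }
    # Prompt for each initial password; passwords never sit in the CSV in clear text
    $initialPassword = Read-Host -AsSecureString "Initial password for $($u.SamAccountName)"

    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
               -GivenName $u.GivenName -Surname $u.Surname `
               -SamAccountName $u.SamAccountName `
               -UserPrincipalName "$($u.SamAccountName)@$upnSuffix" `
               -Department $u.Department -Path $targetOU `
               -AccountPassword $initialPassword `
               -ChangePasswordAtLogon $true `
               -Enabled $true
}

# Repair for an account that was imported with CSVDE/LDIFDE and is therefore still disabled:
# set a password first (the account cannot be enabled with a blank one), then enable it
$pw = Read-Host -AsSecureString "Initial password for imported account jsmith"
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword $pw
Set-ADUser -Identity jsmith -ChangePasswordAtLogon $true
Enable-ADAccount -Identity jsmith

# Verification: every account in the OU should now show Enabled = True
Get-ADUser -SearchBase $targetOU -Filter * -Properties Department |
    Select-Object SamAccountName, Enabled, Department
```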
Offline Domain Join
• Offline domain join is a process for adding computers to a domain in locations where there is no connectivity to the corporate network
• Supported on Windows Server 2008 R2 and Windows 7 (applied to an image or to a running computer)
• The offline domain join process includes the following phases:
  • Run djoin.exe /provision
    • Creates the computer account and writes its metadata to a text file
    • djoin.exe /provision /domain <domain_name> /machine <destination_computer> /savefile <filename.txt>
  • Run djoin.exe /requestODJ
    • Inserts the computer account metadata into the Windows directory of the destination computer
    • djoin.exe /requestodj /loadfile <filename.txt>
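The two djoin.exe phases above wrapped in PowerShell, as an added example (not code from the slides): the provisioning side checks that the computer account really was created, the destination side shows the /windowspath and /localos switches needed when the request is applied to the running OS, and the blob file is removed once consumed, because whoever holds it can complete the join as that computer. Domain, machine name and blob path are assumptions.

```powershell
# Added example (not from the slides): offline domain join in two phases.
# Assumed domain contoso.com, machine name WS7-LAB-01 and blob path C:\ODJ.
$domain  = "contoso.com"
$machine = "WS7-LAB-01"
$blob    = "C:\ODJ\$machine.txt"

# ---- Phase 1: run on a domain-connected computer by an account allowed to create computer objects
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null
djoin.exe /provision /domain $domain /machine $machine /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Confirm the computer account exists before shipping the blob to the remote site
Import-Module ActiveDirectory
Get-ADComputer -Identity $machine | Select-Object Name, Enabled, DistinguishedName

# The blob carries the new computer account's credentials: treat it like a password file
# (transfer it over a protected channel, do not leave copies on shares or in e-mail).

# ---- Phase 2: run on the destination computer (or against an offline Windows 7 image)
# /localos applies the metadata to the running OS; for an offline image, omit /localos and
# point /windowspath at the mounted image's Windows folder (for example D:\Mount\Windows).
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

# Remove the consumed blob; the join completes on the next reboot when the machine reaches a DC
Remove-Item -Path $blob -Force
```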
Assignment • Fill in the blank • 1-10 • Multiple Choice • 1-10 • Online Lab 5