Introduction to Microsoft Management Console (MMC). MMC is a common console framework for management applications. MMC provides a common environment for snap-ins, the tools that support management functionality. MMC allows you to perform a number of tasks. The MMC Window. MMC Consoles.
Introduction to Microsoft Management Console (MMC) • MMC is a common console framework for management applications. • MMC provides a common environment for snap-ins, the tools that support management functionality. • MMC allows you to perform a number of tasks.
Stand-Alone Snap-Ins • Stand-alone snap-ins are usually referred to simply as snap-ins. • Each snap-in provides one function or a related set of functions.
Extension Snap-Ins • Extension snap-ins are usually referred to as extensions. • An extension provides additional administrative functionality to another snap-in. • Extensions are designed to work with one or more stand-alone snap-ins. • Some snap-ins can act as stand-alone snap-ins or as extensions.
Console Options • Create a Custom Console • Run MMC • Author mode • User mode • Full Access • Limited Access, Multiple Windows • No access to console tree • Can’t open new windows • Limited Access, Single Window
Windows 2000 User Accounts • Domain user accounts • Local user accounts • Built-in user accounts
Domain User Accounts • Allow users to log on to the domain and gain access to resources anywhere on the network • Created in an OU in the Active Directory store • Replicated to all domain controllers
Local User Accounts • Allow users to log on to and gain access to resources on the computer where they log in • Created in the computer’s security database • Not replicated to domain controllers
Built-In User Accounts • Administrator • Rename • Create new account with administrator privileges • runas /user:<domain name>\<username> prog • Guest • Disabled by default
Naming Conventions • The naming convention establishes how users are identified in the domain. • Several considerations • User account Naming • Password requirements • Account options • Logon hours • Computer restrictions
Logon Name • Must be unique within the OU • 20 characters max • / \ [ ] : ; | = + * < > invalid • Not case sensitive • How will you deal with duplicates? • Services may require an account name to run
Password Requirements • Always assign a password for the Administrator account. • Determine whether the administrator or the users will control passwords. • Use passwords that are hard to guess. • Passwords can be up to 128 characters; a minimum length of eight characters is recommended. • Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters.
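The Logon Name and Password Requirements slides above translate directly into checks that can be run before an account is created. The following is an added example, not part of the original slides; the function names are hypothetical, `existing` stands for the names already present in the target OU, and the numeric-suffix scheme for duplicates is an assumed policy (the slide only asks how duplicates will be handled).

```python
# Added example: rules taken from the Logon Name and Password Requirements slides.
INVALID_LOGON_CHARS = set('/\\[]:;|=+*<>')  # characters the slide lists as invalid
MAX_LOGON_LEN = 20
MIN_PW_LEN, MAX_PW_LEN = 8, 128             # recommended minimum, stated maximum


def check_logon_name(name, existing):
    """Return a list of problems with a proposed logon name."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LOGON_LEN:
        problems.append(f"longer than {MAX_LOGON_LEN} characters")
    bad = sorted(set(name) & INVALID_LOGON_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    # Names are not case sensitive, so compare everything in lower case.
    if name.lower() in {e.lower() for e in existing}:
        problems.append("duplicate of an existing name")
    return problems


def suggest_unique(name, existing):
    """Assumed duplicate policy: numeric suffix, trimmed to fit 20 characters."""
    taken = {e.lower() for e in existing}
    candidate, n = name, 2
    while candidate.lower() in taken:
        suffix = str(n)
        candidate = name[:MAX_LOGON_LEN - len(suffix)] + suffix
        n += 1
    return candidate


def check_password(password):
    """Return a list of problems with a proposed password."""
    problems = []
    if len(password) > MAX_PW_LEN:
        problems.append(f"longer than {MAX_PW_LEN} characters")
    elif len(password) < MIN_PW_LEN:
        problems.append(f"shorter than the recommended {MIN_PW_LEN} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "non-alphanumeric": any(not c.isalnum() for c in password),
    }
    missing = [label for label, present in classes.items() if not present]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    return problems
```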
Account Options • Logon hours • Computer from which users can log on • Account expiration
Overview of Modifying Properties • A set of default properties is associated with each user account. • Properties defined for a domain user account can be used to search for users in the Active Directory store. • Several properties should be configured for each domain user account. • You can use the Active Directory Users And Computers snap-in to modify a domain user account. • You can use the Local Users And Groups snap-in to modify a local user account.
The Properties Dialog Box • Personal properties tabs • Account tab • Profile tab • Desktop settings • Home Directories • Published Certificates tab • Member Of tab • Dial-In tab • Object tab • FQDN of Object • USN • Security tab • Terminal Services tabs
Administering User Accounts • Managing user profiles • Modifying user accounts • Creating home folders
Managing User Profiles • A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data. • Microsoft Windows 2000 creates a local user profile the first time you log on at a computer. • User profiles operate in a specific manner. • Stored in • %systemdrive%\Documents and Settings\<logon name> • %systemdrive%\profiles
Profiles • Customizable • ntuser.dat • Mandatory • ntuser.man • Local • Stored on the local machine • Roaming • Stored in a shared folder on a server
Introduction to Groups • A group is a collection of user accounts. • Groups simplify administration of user permissions. • Users can be members of more than one group. • When you assign permissions, you give users the capability to gain access to specific resources. • You can add user accounts, contacts, computers, and other groups to groups.
Types of Groups • Security groups • Distribution groups
Introduction to Group Membership • The group scope determines the membership of the group. • Membership rules define which members a group can contain. • Domain local groups and global groups can be converted to universal groups.
Group Nesting • You can add groups to other groups to reduce the number of times permissions need to be assigned. • You should create a hierarchy of groups based on business needs. • Try to minimize the levels of nesting. • Nesting reduces the number of times you assign permissions; however, tracking permissions becomes more complex. • Document group membership to keep track of permission assignments. • Effective nesting in a multiple domain environment will reduce network traffic between domains and simplify administration. • Consider the domain operation mode when nesting groups.
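Because nesting makes permission tracking harder, it helps to compute effective membership rather than read it off the direct member lists. The following is an added example, not part of the original slides: it expands nested groups over a constructed membership table (all group and user names are hypothetical), records the nesting path that grants each user membership, tolerates circular nesting, and reports nesting depth.

```python
from collections import deque

# Constructed sample data: group name -> direct members (users or groups).
GROUPS = {
    "DL-Payroll-Modify": ["G-Payroll", "G-HR-Managers"],
    "G-Payroll": ["alice", "bob", "G-Payroll-Temps"],
    "G-Payroll-Temps": ["carol"],
    "G-HR-Managers": ["dave", "G-Payroll"],
    "G-Loop-A": ["G-Loop-B", "erin"],
    "G-Loop-B": ["G-Loop-A"],  # circular nesting, must not hang the walk
}


def expand(group, groups=GROUPS):
    """Return {user: shortest nesting path} for every effective member."""
    users = {}
    seen = {group}
    queue = deque([(group, (group,))])
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:              # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + (member,)))
            else:                             # user account
                users.setdefault(member, path)
    return users


def effective_groups(user, groups=GROUPS):
    """Every group the user belongs to, directly or through nesting."""
    return sorted(g for g in groups if user in expand(g, groups))


def nesting_depth(group, groups=GROUPS):
    """Number of nested groups crossed to reach the most deeply nested user."""
    return max((len(p) for p in expand(group, groups).values()), default=1) - 1


if __name__ == "__main__":
    for user, path in sorted(expand("DL-Payroll-Modify").items()):
        print(f"{user:6} via {' > '.join(path)}")
    print("carol is effectively in:", effective_groups("carol"))
```

The path output doubles as the documentation of group membership that the slide recommends keeping.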
Introduction to Groups • Determine the required group scope based on how you want to use the group. • Avoid adding users to universal groups. • Determine whether you have the necessary permissions to create a group in the appropriate domain. • Determine the name of the group.
Group Scope • Domain Local • Users from any domain • Access to domain resources only • Global • Users from the same domain • Access to resources in all domains • Universal • Open membership • Open access
Overview of Group Implementation • A local group can contain user accounts on a computer and can be assigned to resources on that computer. • There are two types of local groups: • Local • Domain local • Try to follow specific guidelines when using local groups. • Non-domain local groups can contain local user accounts from the computer on which you create the local groups.
Built-In Global Groups • Windows 2000 creates built-in global groups to group common types of user accounts. • The groups are created in the Active Directory store. • The Users OU contains the built-in global groups. • Windows 2000 includes a number of commonly used built-in global groups.
Built-In Domain Local Groups • Built-in domain local groups provide users with user rights and permissions to perform tasks on domain controllers and in the Active Directory store. • Built-in domain local groups give predefined rights to user accounts when you add user accounts or global groups as members. • Windows 2000 includes a number of commonly used built-in domain local groups.
Built-In Local Groups • Built-in local groups give rights to perform system tasks on a single computer. • Built-in local groups are located in the Groups folder of the Computer Management snap-in. • Windows 2000 includes a number of commonly used built-in local groups.
Built-In System Groups • Built-in system groups exist on all computers running Windows 2000. • You do not see system groups when you administer groups, but they are available for use when you assign rights to resources. • Windows 2000 includes a number of commonly used built-in system groups.
Overview of Group Policies • Group policies are a set of configuration settings that an administrator applies to one or more objects in the Active Directory store. • A group policy consists of settings that govern how an object and its child objects behave. • Group policies provide users with a fully populated desktop environment. • Conflicts can exist between group policies and local needs.
Benefits of Group Policies • Lowering your network’s total cost of ownership (TCO) • Securing a user’s environment • Enhancing a user’s environment
Types of Group Policies • Software Settings • Scripts • Security Settings • Administrative Templates • Remote Installation Services (RIS) • Folder Redirection
Group Policy Structure • Group policy objects (GPOs) • Group policy containers (GPCs) • Group policy templates (GPTs)
Group Policy Objects (GPOs) • A GPO contains group policy settings for sites, domains, and OUs. • One or more GPOs can be applied to a site, a domain, or an OU. • Group policy data that is small in size and changes infrequently is stored in GPCs. • Group policy data that is large and can change frequently is stored in the GPT. • A local GPO exists on every Windows 2000 computer, and by default, only security settings are configured.
Group Policy Containers (GPCs) • A GPC is an Active Directory object that stores GPO properties and includes subcontainers for computer and user group policy information. • The GPC stores the Windows 2000 class store information for application deployment.
Group Policy Templates (GPTs) • When a GPO is created, the corresponding GPT folder structure is created. • Certain subfolders are often contained in the GPT structure.
Using the Group Policy Snap-In • Computer Configuration • Applies to computers • When the system is initialized • Every user • Startup/Shutdown scripts • User Configuration • Applies to users • At logon • Logon/logoff scripts
Group Policy • More than 500 settings • Software Settings • Software installation • Windows Settings • Desktop settings • Administrative Templates
Group Policies • Computer settings take precedence over user settings • Computer settings take effect • After the refresh interval • When the OS is restarted • User settings take effect • After the refresh interval • At a new logon