(Skill 1) Searching for Active Directory Objects on a Network • Active Directory contains information about all objects on a network • Each object has a unique set of attributes • Attributes are used by administrators to locate objects • To locate objects in Active Directory • Use the Find dialog box in the Active Directory Users and Computers console • The Find dialog box provides a number of options used to search for Active Directory objects
(Skill 1) Searching for Active Directory Objects on a Network (3) • Using the Find dialog box • You can specify a single attribute or multiple attributes to locate an object • You can even specify partial values for the objects you are trying to locate
(Skill 1) Searching for Active Directory Objects on a Network (4) • To locate objects using Active Directory • You must have Read permission for the object in question • Your computers must have certain components enabled • Windows Server 2003, Windows 2000, Windows XP, Windows NT with the Active Directory client enabled • Windows 95/98 with the Active Directory client and Active Desktop enabled
(Skill 1) Figure 7-2 Setting search attributes
(Skill 1) Searching for Active Directory Objects on a Network (5) • You can use the Advanced tab in the Find dialog box to make the search more specific by combining multiple conditions • Field: the attribute of the object type you are searching on (for example, Last Name for users) • Condition: how the value is matched, such as Starts with, Ends with, Is (exactly), Is not, Present, or Not present • Value: the text to match against the attribute (not needed for the Present and Not present conditions)
(Skill 1) Searching for Active Directory Objects on a Network (7) • When administrators search for users, computers, or printers from the Start menu, or choose Entire Directory in the In list box of the Find dialog box in the Active Directory Users and Computers console, they are searching the global catalog • Once they enter the search criteria and select Find Now, the search request is sent as an LDAP query to a global catalog server on the default global catalog port (3268) • The global catalog holds a read-only copy of every object in every domain of the forest, but only a subset of each object's attributes (the partial attribute set), so a forest-wide search can match only on attributes that are replicated to the global catalog
(Skill 1) Figure 7-3 Using the Advanced tab to search for an object based on a condition
(Skill 1) Figure 7-4 Filtering the search results
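As an added example (not from the slides), the Python below shows what the Find dialog's Field / Condition / Value rows become on the wire: an LDAP search filter that an Entire Directory search sends to a global catalog on port 3268. It escapes the typed value per RFC 4515, so a value containing `*` or `)` is matched literally instead of rewriting the filter, and it runs the same conditions against a few constructed directory entries to show partial-value matching. The attribute names, entries and the short `objectCategory` values are illustrative.

```python
"""Turn ADUC "Find" conditions into an LDAP filter and evaluate them offline.

Added example; the directory entries below are constructed, not real.
"""

GC_PORT = 3268  # default global catalog LDAP port; Entire Directory searches go here

# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a user-typed value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def condition_filter(field: str, condition: str, value: str = "") -> str:
    """One Field / Condition / Value row of the Advanced tab as a filter item."""
    v = escape_value(value)
    c = condition.lower()
    if c == "starts with":
        return f"({field}={v}*)"
    if c == "ends with":
        return f"({field}=*{v})"
    if c == "is (exactly)":
        return f"({field}={v})"
    if c == "is not":
        return f"(!({field}={v}))"
    if c == "present":
        return f"({field}=*)"
    if c == "not present":
        return f"(!({field}=*))"
    raise ValueError(f"unknown condition: {condition}")


def build_filter(object_category: str, rows) -> str:
    """AND the object-type item with every Advanced-tab row, as the dialog does."""
    items = [f"(objectCategory={object_category})"]
    items += [condition_filter(*row) for row in rows]
    return "(&" + "".join(items) + ")"


def matches(entry: dict, object_category: str, rows) -> bool:
    """Offline evaluation of the same rows (case-insensitive string matching)."""
    if entry.get("objectCategory", "").lower() != object_category.lower():
        return False
    for field, condition, *rest in rows:
        value = (rest[0] if rest else "").lower()
        present = field in entry
        actual = str(entry.get(field, "")).lower()
        ok = {
            "starts with": present and actual.startswith(value),
            "ends with": present and actual.endswith(value),
            "is (exactly)": present and actual == value,
            "is not": not (present and actual == value),
            "present": present,
            "not present": not present,
        }[condition.lower()]
        if not ok:
            return False
    return True


# Constructed sample directory (stand-in for what the global catalog would return)
DIRECTORY = [
    {"objectCategory": "person", "cn": "Alice Smith", "sn": "Smith", "department": "Finance"},
    {"objectCategory": "person", "cn": "Bob Smythe", "sn": "Smythe", "department": "Finance"},
    {"objectCategory": "person", "cn": "Carol Jones", "sn": "Jones"},
    {"objectCategory": "computer", "cn": "SERVERA", "operatingSystem": "Windows Server 2003"},
]


def find(object_category: str, rows):
    """Names of the constructed entries that satisfy every row."""
    return [e["cn"] for e in DIRECTORY if matches(e, object_category, rows)]


if __name__ == "__main__":
    rows = [("sn", "starts with", "Sm"), ("department", "is (exactly)", "Finance")]
    print(f"ldap://gc.example:{GC_PORT}  filter={build_filter('person', rows)}")
    print(find("person", rows))
```

A forest-wide search only matches on attributes in the global catalog's partial attribute set, so an attribute that is searchable against a single domain on port 389 may return nothing when the scope is Entire Directory.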
(Skill 2) Setting Standard Active Directory Object Permissions • On a Windows Server 2003 network, administrators provide access security for Active Directory objects by setting object permissions • Object permissions • Provide users with access to the objects they will need to use to perform their jobs • Prevent users from accessing objects that are outside of their areas of responsibility or that would represent a security vulnerability
(Skill 2) Setting Standard Active Directory Object Permissions (4) • Assigning permissions • A crucial component of managing Active Directory objects is to assign permissions to users and groups depending on the needs and policies of your organization • Great care must be taken when you assign permissions, particularly when you take into account the multiple groups in which a user may be a member
(Skill 2) Setting Standard Active Directory Object Permissions (5) • Assigning permissions • A user's effective permissions are a combination of the permissions assigned to all groups to which he or she belongs • Assigning different permissions to different groups can change the effective permissions for a user • A denied permission overrides an allowed permission at the same level, whether the Allow was assigned to the user or to one of his or her groups • The one exception is inheritance: because permissions set directly on an object are evaluated before inherited ones, an explicit Allow on the object overrides a Deny inherited from its parent container
(Skill 2) Setting Standard Active Directory Object Permissions (6) • Assigning permissions • Two categories of permissions • Standard permissions include the most commonly assigned permissions such as Read and Write • Special permissions are used to achieve a more specific level of control over objects than standard permissions
(Skill 2) Setting Standard Active Directory Object Permissions (7) • Assigning permissions • You assign security permissions for objects and their attributes in the Active Directory Users and Computers console • You use the Security tab on the Properties dialog box for an object to assign security permissions to objects • You can view the Security tab only after you enable Active Directory’s advanced features • Select Advanced Features on the View menu in the Active Directory Users and Computers console
(Skill 2) Setting Standard Active Directory Object Permissions (9) • Assigning permissions • By default, Active Directory objects inherit their access control lists from the security descriptor for the parent container object • This means that you do not need to apply permissions every time you create a new child object unless you want to change the inherited permissions • The administration of Active Directory objects is simplified by inheritance
(Skill 2) Setting Standard Active Directory Object Permissions (10) • Assigning permissions • You can change the inherited permissions • Open the Advanced Security Settings for <object_name> dialog box • Clear the check box: Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here
(Skill 2) Figure 7-7 The Advanced Security Settings for SERVERA dialog box
(Skill 2) Setting Standard Active Directory Object Permissions (11) • Assigning permissions • After you clear the check box, a message box provides two options • The Copy button allows you to copy the permissions from the parent object • The Remove button removes all previously inherited permissions from the object
(Skill 2) Figure 7-8 Preventing permission inheritance
(Skill 2) Setting Standard Active Directory Object Permissions (12) • Assigning permissions • After you choose Copy or Remove, you can make changes to the allowed permissions for a child object or remove users or groups from the Permissions list • Although this can provide a finer degree of control over objects, the maintenance required increases the administrative burden, so changing inherited permissions should be used cautiously
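To make the effective-permission rules concrete, here is an added Python model (not code from the slides) of how Windows walks an object's access control list: explicit Deny, explicit Allow, inherited Deny, inherited Allow, with the first entry that decides a bit winning. It then applies the Copy and Remove choices from the Advanced Security Settings dialog to a child object and recomputes access. The permission bits, SIDs and group names are constructed for illustration and are not the real ACCESS_MASK values.

```python
"""Effective Active Directory object permissions under inheritance.

Added example, not code from the slides. The evaluation order is the Windows
canonical ACE order; the bit values, SIDs and names below are constructed.
"""
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # illustrative bits, not real ACCESS_MASK values


@dataclass(frozen=True)
class Ace:
    trustee: str        # SID of the user or group the entry applies to
    allow: bool         # True = Allow, False = Deny
    mask: int           # permission bits this entry covers
    inherited: bool = False


def canonical_order(acl):
    """Explicit entries first (Deny before Allow), then inherited ones."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_mask(acl, token_sids) -> int:
    """Bits a token ends up with. The first ACE that decides a bit wins, so a
    Deny beats an Allow at the same level, while an explicit Allow still beats
    a Deny inherited from the parent container."""
    granted = denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in token_sids:
            continue
        undecided = ace.mask & ~(granted | denied)
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return granted


def inherit(parent_acl):
    """Default for a new child object: the parent's ACEs arrive marked inherited."""
    return [Ace(a.trustee, a.allow, a.mask, inherited=True) for a in parent_acl]


def break_inheritance(acl, copy: bool):
    """Clearing 'Allow inheritable permissions from the parent to propagate...':
    Copy turns the inherited ACEs into explicit ones, Remove drops them."""
    if copy:
        return [Ace(a.trustee, a.allow, a.mask, inherited=False) for a in acl]
    return [a for a in acl if not a.inherited]


# Constructed scenario -------------------------------------------------------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
HELPDESK, CONTRACTORS = DOMAIN + "-1107", DOMAIN + "-1108"
BOB, CAROL = DOMAIN + "-1201", DOMAIN + "-1202"

# The OU allows HelpDesk Read+Write and denies Contractors Write.
OU_ACL = [Ace(HELPDESK, True, READ | WRITE), Ace(CONTRACTORS, False, WRITE)]
# A user object in that OU carries one explicit Allow for Bob plus the inherited ACEs.
USER_ACL = [Ace(BOB, True, WRITE)] + inherit(OU_ACL)

BOB_TOKEN = {BOB, HELPDESK, CONTRACTORS}      # Bob is in both groups
CAROL_TOKEN = {CAROL, HELPDESK, CONTRACTORS}  # so is Carol, but she has no explicit ACE


if __name__ == "__main__":
    for name, token in (("bob", BOB_TOKEN), ("carol", CAROL_TOKEN)):
        print(name, "inherited:", effective_mask(USER_ACL, token),
              "after Copy:", effective_mask(break_inheritance(USER_ACL, True), token),
              "after Remove:", effective_mask(break_inheritance(USER_ACL, False), token))
```

Note the Copy gotcha: once the inherited Deny for Contractors becomes an explicit Deny, it is evaluated before Bob's explicit Allow and Bob loses Write, even though nothing in the dialog was changed except the check box. That is the kind of change worth verifying on the Effective Permissions tab before and after breaking inheritance.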
(Skill 3) Publishing Resources in Active Directory • Active Directory provides a centralized database for all network resources • It can be used as a single location where network users can find information about network resources • The process of adding resources to the directory is known as publishing
(Skill 3) Publishing Resources in Active Directory (2) • Publishing • Publishing ensures that searchable attributes for a resource are included in the Active Directory database • Resources that can be published include users, computers, shared folders, and network services • Commonly used attributes (user and computer names) are published automatically • Other directory data (information about shared folders) must be manually published • Publishing resources ensures that users can use object attributes to quickly and easily locate network objects
(Skill 3) Figure 7-9 Publishing a shared folder
(Skill 3) Figure 7-10 The published folder in the OU
(Skill 3) Publishing Resources in Active Directory (3) • Publishing • Only Windows 2000 and Windows Server 2003 network printers are published automatically in Active Directory • You must manually publish information about printers running on down-level operating systems
(Skill 3) Publishing Resources in Active Directory (4) • Publishing • When you manually publish a printer, you create a new PrintQueue object in the Active Directory Users and Computers console • To view PrintQueue objects and other sub-objects • Open the View menu and select the Users, Groups, and Computers as containers command • Open the Computers folder and select any computer to display its sub-objects, including printers
(Skill 3) Publishing Resources in Active Directory (5) • Publishing • To publish printers, you must be a member of the Print Operators, Domain Admins, or Enterprise Admins group • Printers you want to publish must be shared • You must have the Manage Printers permission for the printer to share or publish it • You can also use the Pubprn.vbs script that is stored in the %systemroot%\System32 folder to publish a printer
(Skill 4) Publishing Network-enabled Services • In Windows Server 2003, you can publish network services information in Active Directory • When you publish service information, administrators can manage the service from a central location rather than having to go to each individual server or computer • A set of services is published in Active Directory by default, but you can add to this list as necessary
(Skill 4) Publishing Network-enabled Services (2) • Publishing services • Creates a service-centric model that allows clients to locate services more easily, because clients look the service up in the directory instead of storing the address of the server that hosts it • A published service can therefore be hosted on any Windows Server 2003 server • A specific computer does not need to be tied to a task, and the hosting server can change without reconfiguring clients • Users need to know only the name of the service they want to use
(Skill 4) Publishing Network-enabled Services (6) • You use the Services container in the Active Directory Sites and Services console to publish and manage network services information • The Services container does not appear in the console by default • To view it, toggle on the Show Services command on the View menu • Services are published using programming interfaces, such as ADSI
(Skill 4) Figure 7-13 Displaying the Services container
(Skill 4) Figure 7-14 Changing permissions for a service certificate template
(Skill 5) Moving Active Directory Objects Within a Domain • Depending on the size and infrastructure of the organization, objects can be moved • Within a domain • Between domains • Between sites • Moving Active Directory objects from one container to another within a domain is performed in the Active Directory Users and Computers console
(Skill 5) Moving Active Directory Objects Within a Domain (2) • Restrictions apply to moving objects in Active Directory • After an object has been moved to a new container • It no longer inherits permissions from the old container • It inherits the permissions of the new container instead • Permissions assigned directly to the object remain with the object even after you move it to a new location, so check the object's effective permissions after a move rather than assuming they match those of the new container's other objects
(Skill 5) Moving Active Directory Objects Within a Domain (3) • You can use the Dsmove.exe utility at the command prompt to move objects within a domain • You must be a member of the Domain Admins or Enterprise Admins group, or have been delegated the permissions the move requires (deleting the object from the source container and creating it in the destination container)
(Skill 5) Figure 7-15 The Move dialog box
(Skill 5) Figure 7-16 The user object in its new location
(Skill 6) Moving Active Directory Objects Between Domains • Two command-line utilities are available to move objects such as users, computers, and OUs across domains • Movetree utility • Is included in the \Support\Tools folder on the Windows Server 2003 installation CD • You must first install it, because it is not available by default • Does not un-join the computer from its previous domain or join it to its new domain, so computer accounts are typically invalid after the move • Netdom utility is the suggested tool for moving computer accounts
(Skill 6) Moving Active Directory Objects Between Domains (2) • Security ID (SID) • Every security principal (user, group, or computer) has a SID that is unique within its domain, because it is built from the domain SID plus a relative identifier (RID) • When such an object is moved between domains, its old SID is no longer valid and a new SID is issued for it in the new domain • The old SID is stored in sIDHistory, a multi-valued attribute on the object that is available in Windows 2000 Server and Windows Server 2003 domains
(Skill 6) Moving Active Directory Objects Between Domains (3) • Security ID (SID) • The information in sIDHistory is used when users log on to the network • During logon, the SIDs held in sIDHistory are added to the user's access token alongside the new SID and the group SIDs • This lets users keep access to resources whose access control lists still reference the old SID • In contrast to the SID, the object's GUID (objectGUID, a unique reference number for the object) remains unchanged after you move an object from one domain to another
(Skill 6) Moving Active Directory Objects Between Domains (4) • Movetree • To move objects between domains, you must run the Movetree utility from the command prompt • Alternatively, you can create a batch file and run the file from the Start menu • To view the complete syntax for the Movetree command, enter Movetree /? at the command prompt
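The following Python is an added example (not from the slides, and not what Movetree itself does internally) that models the identity changes described above for a cross-domain move: the principal gets a fresh SID in the target domain, the old SID lands in sIDHistory, objectGUID is untouched, and the logon token built afterwards still satisfies an ACL in the old domain that names the old SID. The domain names, domain SIDs and the share ACL are constructed.

```python
"""Identity fields across a cross-domain move: SID, sIDHistory, objectGUID.

Added example modelling what the slides describe; the domain SIDs and names
are constructed and the move is simulated, not performed against a directory.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    object_guid: uuid.UUID        # never changes, even across domains
    object_sid: str               # domain SID + RID, reissued in the new domain
    sid_history: list = field(default_factory=list)  # previous SIDs, oldest first


class Domain:
    """A domain that allocates RIDs for the security principals it creates."""

    def __init__(self, dns_name: str, domain_sid: str, first_rid: int = 1100):
        self.dns_name = dns_name
        self.sid = domain_sid
        self._next_rid = first_rid

    def new_sid(self) -> str:
        sid = f"{self.sid}-{self._next_rid}"
        self._next_rid += 1
        return sid

    def create_user(self, name: str) -> Principal:
        return Principal(name, uuid.uuid4(), self.new_sid())


def move_between_domains(p: Principal, target: Domain) -> Principal:
    """Effect of an intra-forest move on the principal's identity fields:
    the SID is reissued in the target domain, the previous SID is appended
    to sIDHistory, and objectGUID is left alone."""
    p.sid_history.append(p.object_sid)
    p.object_sid = target.new_sid()
    return p


def access_token(p: Principal, group_sids=(), include_history: bool = True) -> set:
    """SIDs placed in the logon token: current SID, group SIDs and, by default,
    every sIDHistory entry. The history entries are what keep old ACLs working."""
    token = {p.object_sid, *group_sids}
    if include_history:
        token.update(p.sid_history)
    return token


def can_access(allow_sids: set, token: set) -> bool:
    """Allow-only ACL check: any token SID named in the ACL grants access.
    The resource does not verify where a sIDHistory SID originally came from."""
    return bool(allow_sids & token)


def demo() -> dict:
    """Move a constructed user from corp.example to eng.example and report."""
    corp = Domain("corp.example", "S-1-5-21-100-200-300")
    eng = Domain("eng.example", "S-1-5-21-400-500-600")
    alice = corp.create_user("alice")
    old_sid, old_guid = alice.object_sid, alice.object_guid
    share_acl = {old_sid}              # a file share in corp still names the old SID
    move_between_domains(alice, eng)
    return {
        "guid_unchanged": alice.object_guid == old_guid,
        "new_sid": alice.object_sid,
        "sid_history": list(alice.sid_history),
        "access_with_history": can_access(share_acl, access_token(alice)),
        "access_without_history": can_access(
            share_acl, access_token(alice, include_history=False)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results show why sIDHistory matters operationally: strip the history SIDs from the token and the user loses every resource whose ACL was never re-ACLed to the new SID.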
(Skill 7) Moving a Domain Controller Between Sites • As an administrator, you must control replication and monitor server performance to ensure users are able to log on within a reasonable amount of time • You may occasionally need to move domain controllers between sites to create an efficient replication topology and accomplish this task
(Skill 7) Moving a Domain Controller Between Sites (2) • Although the first domain controller in a forest is always created in the Default-First-Site-Name site, you can create subsequent domain controllers in any site and later move them to other sites • You move domain controllers between sites in the Active Directory Sites and Services console
(Skill 7) Figure 7-18 The Move Server dialog box
(Skill 7) Figure 7-19 The domain controller in its new location
(Skill 7) Moving a Domain Controller Between Sites (3) • Netdom • Used to move workstations and member servers between domains • This utility is installed along with the Movetree utility when you install the Windows Server 2003 Support Tools from the Windows Server 2003 CD • Domain controllers cannot be moved across domains • To move a domain controller from one domain to another • Demote the domain controller to a member server (run Dcpromo) • Use Netdom to move it to the required domain
(Skill 8) Delegating Active Directory Permissions • Delegation of control • The process of giving other users or administrators permissions for Active Directory objects to distribute the administrative load • Decentralizes administration to various levels of the organization, thus reducing the centralized administrative burden
(Skill 8) Delegating Active Directory Permissions (2) • Delegation of control is available at all levels of the hierarchy • You can delegate the ability to modify all domain objects • You can delegate the ability to modify all OU objects • You can even delegate control over just a single object • Delegation at the OU level is more common than delegation at the object level • To delegate control to OUs or containers, you use the Delegation of Control Wizard
(Skill 8) Figure 7-22 The Users or Groups screen in the Delegation of Control Wizard
(Skill 8) Delegating Active Directory Permissions (3) Guidelines for effectively managing Active Directory • Understand the policies and requirements of your organization before you plan the delegation of control • Make sure that users who are delegated tasks understand Active Directory and the objects they are being given control over • Delegate control at the domain, site, or OU level, rather than over individual objects
(Skill 8) Delegating Active Directory Permissions (4) Guidelines for effectively managing Active Directory • Deny permissions sparingly • Make sure you provide the correct permissions to users to enable them to perform their duties properly • Document your Active Directory object control decisions • Serves as a future reference • Helps you to better manage Active Directory objects