Active Directory and User Management
8/20/2019 Active Directory and User Management
1/67
Microsoft Windows Server 2008
Introduction to Active Directory and User Account Management

Objectives
• Background
• Understand Active Directory basic concepts
• Install and configure Active Directory
• Implement Active Directory containers
• Create and manage user accounts
• Configure and use security groups
• Describe and implement new Active Directory features

Active Directory Basics
• Active Directory
  – Directory service that houses information about all network resources such as servers, printers, user accounts, groups of user accounts, security policies, and other information
• Directory service
  – Responsible for providing a central listing of resources and ways to quickly find and access specific resources, and for providing a way to manage network resources

Active Directory Basics (continued)
• Windows Server 2008 uses Active Directory to manage accounts, groups, and many more network management services
• Domain controllers (DCs)
  – Servers that have the AD DS server role installed
  – Contain writable copies of information in Active Directory
• Member servers
  – Servers on a network managed by Active Directory that do not have Active Directory installed

Active Directory Basics (continued)
• Domain
  – Container that holds information about all network resources that are grouped within it
  – Every resource is called an object
• Multimaster replication
  – Each DC is equal to every other DC in that it contains the full range of information that composes Active Directory
• Active Directory is built to make replication efficient

Active Directory Basics (continued)
• Activity: Installing Active Directory
  – Time Required: Approximately 20–30 minutes
  – Objective: Install Active Directory

Schema
• Active Directory schema
  – Defines the objects and the information pertaining to those objects that can be stored in Active Directory
• User account
  – One class of object in Active Directory that is defined through schema elements unique to that class

Global Catalog
• Global catalog
  – Stores information about every object within a forest
  – Stores a full replica of every object within its own domain and a partial replica of each object within every domain in the forest
• The first DC configured in a forest becomes the global catalog server
• The global catalog server enables forest-wide searches of data

Global Catalog (continued)
• The global catalog serves the following purposes:
  – Authenticating users when they log on
  – Providing lookup and access to all resources in all domains
  – Providing replication of key Active Directory elements
  – Keeping a copy of the most used attributes for each object for quick access

Containers in Active Directory
• Active Directory has a treelike structure
• The hierarchical elements, or containers, of Active Directory include forests, trees, domains, organizational units (OUs), and sites

Forest
• Forest
  – Consists of one or more Active Directory trees that are in a common relationship
• Forests have the following characteristics:
  – The trees can use a disjointed namespace
  – All trees use the same schema
  – All trees use the same global catalog
  – Domains enable administration of commonly associated objects, such as accounts and other resources, within a forest
  – Two-way transitive trusts are automatically configured between domains within a single forest

Forest (continued)
• A forest provides a means to relate trees that use a contiguous namespace in domains within each tree
  – But that have disjointed namespaces in relationship to each other
• The advantage of joining trees into a forest is that all domains share the same schema and global catalog
• Forest functional level
  – Refers to the Active Directory functions supported forest-wide

Forest (continued)
• Windows Server 2008 Active Directory recognizes three types of forest functional levels
  – Windows 2000

Tree
• Tree
  – Contains one or more domains that are in a common relationship
• A tree has the following characteristics:
  – Domains are represented in a contiguous namespace and can be in a hierarchy
  – Two-way trust relationships exist between parent domains and child domains
  – All domains in a single tree use the same schema for all types of common objects
  – All domains use the same global catalog

Tree (continued)
• The domains in a tree typically have a hierarchical structure
  – Such as a root domain at the top and other domains under the root
• The domains within a tree are in what is called a Kerberos transitive trust relationship
  – Which consists of two-way trusts between parent domains and child domains
• Because of the trust relationship between parent and child domains, any one domain can have access to the resources of all others

Domain
• Microsoft views a domain as a logical partition within an Active Directory forest
  – A domain is a grouping of objects that typically exists as a primary container within Active Directory
• The basic functions of a domain are as follows:
  – To provide an Active Directory partition in which to house objects that have a common relationship, particularly in terms of management and security
  – To establish a set of information to be replicated from one DC to another
  – To expedite management of a set of objects

Domain (continued)
• Activity: Managing Domains
  – Time Required: Approximately 10 minutes
  – Objective: Learn where to manage domains

Organizational Unit
• Organizational unit (OU)
  – Offers a way to achieve more flexibility in managing the resources associated with a business unit, department, or division
    • Than is possible through domain administration alone
• An OU is a grouping of related objects within a domain
  – OUs allow the grouping of objects so that they can be administered using the same group policies
• OUs can be nested within OUs

Organizational Unit (continued)
• When you plan to create OUs, keep three concerns in mind:
  – Microsoft recommends that you limit OUs to 10 levels or fewer
  – Active Directory works more efficiently when OUs are set up horizontally instead of vertically
  – The creation of OUs involves more processing resources, because each request through an OU requires CPU time

Organizational Unit (continued)
• Activity: Managing OUs
  – Time Required: Approximately 10 minutes
  – Objective: Create an OU and delegate control over it

Active Directory Guidelines
• Above all, keep Active Directory as simple as possible
  – Plan its structure before you implement it
• Implement the least number of domains possible
  – With one domain being the ideal, and building from there
• Implement only one domain on most small networks
• Use OUs to reflect the organization's structure
• Create only the number of OUs that are absolutely necessary

Active Directory Guidelines (continued)
• Do not build an Active Directory with more than 10 levels of OUs
• Use domains as partitions in forests to demarcate commonly associated accounts and resources governed by group and security policies
• Implement multiple trees and forests only as necessary
• Use sites in situations where there are multiple IP subnets and multiple geographic locations
  – As a means to improve logon and DC replication performance

User Account Management
• Default accounts:
  – Administrator and Guest
• Accounts can be set up in two general environments:
  – Accounts that are set up through a stand-alone server that does not have Active Directory installed
  – Accounts that are set up in a domain when Active Directory is installed

Creating Accounts When Active Directory Is Installed
• Activity: Creating User Accounts in Active Directory
  – Time Required: Approximately 1… minutes
  – Objective: Learn how to create a user account in Active Directory

Disabling, Enabling, and Renaming Accounts
• Activity: Disabling, Renaming, and Enabling an Account
  – Time Required: Approximately … minutes
  – Objective: Practice disabling, renaming, and then enabling an account

Moving an Account
• Activity: Moving an Account
  – Time Required: Approximately … minutes
  – Objective: Practice moving an account

Resetting a Password
• Activity: Changing an Account's Password
  – Time Required: Approximately … minutes
  – Objective: Practice changing an account's password

Deleting an Account
• Activity: Deleting an Account
  – Time Required: Approximately … minutes
  – Objective: Practice deleting an account
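The five account activities above (create, disable/rename/enable, move, reset the password, delete) carried out from the command line, as an added example that is not part of the slides. It uses the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later; on the Windows Server 2008 servers this deck targets, the equivalent is the Active Directory Users and Computers console the slides refer to. The domain example.com, the OUs Sales and Marketing, and the user Jane Doe (jdoe) are constructed sample names.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module
# (Windows Server 2008 R2+) and a constructed domain example.com with an OU "Sales".
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'
$salesOU  = "OU=Sales,$domainDN"

# Create. A new user is disabled until it has a password, so set both in one call
# and force a change at first logon so the administrator does not keep the secret.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
$newUser = @{
    Name                  = 'Jane Doe'
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = 'jdoe@example.com'
    Path                  = $salesOU
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true
    Enabled               = $true
}
New-ADUser @newUser

# Disable, rename, then enable (the "Disabling, Renaming, and Enabling" activity).
# Rename-ADObject changes the object's name (its RDN); the attributes are separate.
Disable-ADAccount -Identity 'jdoe'
Rename-ADObject -Identity (Get-ADUser 'jdoe').DistinguishedName -NewName 'Jane Smith'
Set-ADUser -Identity 'jdoe' -Surname 'Smith' -DisplayName 'Jane Smith'
Enable-ADAccount -Identity 'jdoe'

# Move the account to another OU. Group memberships follow the object; only the
# group policies and delegated permissions that apply change with the container.
New-ADOrganizationalUnit -Name 'Marketing' -Path $domainDN -ErrorAction SilentlyContinue
Move-ADObject -Identity (Get-ADUser 'jdoe').DistinguishedName -TargetPath "OU=Marketing,$domainDN"

# Reset the password. -Reset sets it administratively without knowing the old one,
# which is why the reset right is the one most commonly delegated to a helpdesk.
$newPassword = Read-Host -AsSecureString -Prompt 'New password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $newPassword
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Delete. Disable first and delete later: a deleted account's SID is gone, and the
# group memberships and ACL entries tied to it cannot simply be recreated by making
# a new account with the same name.
Disable-ADAccount -Identity 'jdoe'
Remove-ADUser -Identity 'jdoe' -Confirm:$false

# Check what is left. -Filter returns nothing instead of an error when the object is gone.
Get-ADUser -Filter "SamAccountName -eq 'jdoe'"
```

Every cmdlet above writes to the domain, so run it against a lab domain controller; the prompts for passwords keep them out of the script and the PowerShell history.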
Security Group Management
• One of the best ways to manage accounts is by grouping accounts that have similar characteristics
• Scope of influence (or scope)
  – The reach of a group for gaining access to resources in Active Directory
• Types of groups:
  – Local
  – Domain local
  – Global
  – Universal

Security Group Management (continued)
• All of these groups can be used for security or distribution groups
• Security groups
  – Used to enable access to resources on a stand-alone server or in Active Directory
• Distribution groups
  – Used for e-mail or telephone lists, to provide quick, mass distribution of information

Implementing Local Groups
• Local security group
  – Used to manage resources on a stand-alone computer that is not part of a domain, and on member servers in a domain
• Instead of installing Active Directory, you can divide accounts into local groups
  – Each group would be given different security access based on the resources at the server

Implementing Domain Local Groups
• Domain local security group
  – Used when Active Directory is deployed
  – Typically used to manage resources in a domain and to give global groups from the same and other domains access to those resources
• The scope of a domain local group is the domain in which the group exists
• The typical purpose of a domain local group is to provide access to resources
  – You grant access to servers, folders, shared folders, and printers to a domain local group

Implementing Global Groups
• Global security group
  – Intended to contain user accounts from a single domain
  – Can also be set up as a member of a domain local group in the same or another domain
• A global group can contain user accounts and other global groups from the domain in which it was created
• A global group can be converted to a universal group
  – As long as it is not nested in another global group or in a universal group

Implementing Global Groups (continued)
• A typical use for a global group is to build it with accounts that need access to resources in the same or in another domain
  – And then to make the global group in one domain a member of a domain local group in the same or another domain
• This model enables you to manage user accounts and their access to resources through one or more global groups
  – While reducing the complexity of managing accounts

Implementing Global Groups (continued)
• Activity: Creating Domain Local and Global Security Groups
  – Time Required: Approximately 1… minutes
  – Objective: Create a domain local and a global security group and make the global group a member of the domain local group

Implementing Universal Groups
• Universal security groups
  – Provide a means to span domains and trees
• Universal group membership can include user accounts from any domain, global groups from any domain, and other universal groups from any domain
• Universal groups are offered to provide an easy means to access any resource in a tree
  – Or among trees in a forest

Implementing Universal Groups (continued)
• Guidelines to help simplify how you plan to use groups:
  – Use global groups to hold accounts as members
  – Use domain local groups to provide access to resources in a specific domain
  – Use universal groups to provide extensive access to resources
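The group guidelines just listed, the "Creating Domain Local and Global Security Groups" activity, and the earlier "Managing OUs" activity (create an OU and delegate control over it) as one worked script, added here and not part of the slides. Accounts go into a global group, the global group is nested in a domain local group, and the domain local group is what receives the permission on the resource; delegation is shown by granting a helpdesk group only the right to reset passwords on user objects in the OU. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later; the 2008 deck's equivalent is the Active Directory Users and Computers console) and a constructed domain example.com with a file server folder C:\Shares\Sales; the names Sales, SalesUsers, SalesShare_Modify and SalesHelpdesk are invented for the example.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module
# (Windows Server 2008 R2+), a constructed domain example.com (NetBIOS name EXAMPLE)
# and a folder C:\Shares\Sales on the server where the script runs.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'
$ouDN     = "OU=Sales,$domainDN"

# 1. One OU for the business unit. Keep the tree flat, as the slides recommend
#    (horizontal rather than vertical, never more than 10 levels).
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Global group holds the accounts (accounts -> global group).
#    Adds whatever user accounts already exist in the OU; rerun after creating more.
New-ADGroup -Name 'SalesUsers' -GroupScope Global -GroupCategory Security -Path $ouDN
Get-ADUser -Filter * -SearchBase $ouDN | ForEach-Object {
    Add-ADGroupMember -Identity 'SalesUsers' -Members $_
}

# 3. Domain local group receives the permission on the resource, and the global
#    group is nested in it (global -> domain local -> permission).
New-ADGroup -Name 'SalesShare_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'SalesShare_Modify' -Members 'SalesUsers'

# 4. Grant the domain local group Modify on the folder, inherited to subfolders and files.
#    Users are never granted directly, so access follows group membership alone.
icacls 'C:\Shares\Sales' /grant 'EXAMPLE\SalesShare_Modify:(OI)(CI)M'

# 5. Delegate control over the OU: a helpdesk global group may reset passwords of user
#    objects under Sales, and nothing else. The two GUIDs are the well-known identifiers
#    of the "Reset Password" extended right and of the user object class.
New-ADGroup -Name 'SalesHelpdesk' -GroupScope Global -GroupCategory Security -Path $ouDN
$helpdeskSid        = (Get-ADGroup -Identity 'SalesHelpdesk').SID
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 6. Verify the nesting: -Recursive expands the global group, so the accounts placed
#    in SalesUsers appear as effective members of the domain local group.
Get-ADGroupMember -Identity 'SalesShare_Modify' -Recursive | Select-Object Name, objectClass
```

The delegated entry in step 5 is exactly what the Delegation of Control wizard writes for "Reset user passwords", which makes it easy to review later: Get-Acl on the OU lists the ACE with its object type GUID, so an auditor can confirm the helpdesk group holds that one right and no broader write access.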
Properties of Groups
• You can configure the properties of a specific group
  – By double-clicking that group in the Local Users and Groups tool for a stand-alone (nondomain) or member server
  – Or in the Active Directory Users and Computers tool for DC servers in a domain
• Properties are configured using the following tabs:
  – General
  – Members
  – Member Of
  – Managed By

Implementing User Profiles
• A local user profile is automatically created at the local computer when you log on with an account for the first time
  – The profile can be modified to consist of desktop settings that are customized for one or more clients who log on locally

Implementing User Profiles (continued)
• User profile advantages
  – Multiple users can use the same computer and maintain their own customized settings
  – Profiles can be stored on a network server so they are available to users regardless of the computer they use to log on (roaming profile)
  – Profiles can be made mandatory so users have the same settings each time they log on (mandatory profile)

Implementing User Profiles (continued)
• One way to set up a profile is to first set up a generic account on the server with the desired desktop configuration
  – Then copy the … the desktop
  – Set up those users to access a profile by opening the Profile tab in each user's account properties and entering the path to that profile
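The server side of the three profile slides, as an added example that is not part of the deck: a profile share whose permissions keep one user out of another's profile, the roaming profile path written to each account (the same value the Profile tab takes), and a mandatory profile made from a generic profile that has already been copied to the share. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later), a file server FS01 holding D:\Profiles shared as Profiles$, a domain named EXAMPLE with the OU Sales and the group SalesKiosks, and a copied template profile folder named SalesMandatory.V2; all of these are constructed names.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module
# (Windows Server 2008 R2+), a constructed domain EXAMPLE (example.com) and that the
# script runs on the file server FS01, which holds D:\Profiles.
Import-Module ActiveDirectory

$profileRoot  = 'D:\Profiles'
$profileShare = '\\FS01\Profiles$'

# 1. Profile share. Share permissions stay wide; NTFS does the real work:
#    users may only list the root and create a folder in it, and the creator of a
#    folder owns it (CREATOR OWNER), so no user can read another user's profile.
New-Item -ItemType Directory -Path $profileRoot -Force | Out-Null
net share "Profiles$=$profileRoot" '/grant:Authenticated Users,FULL'
icacls $profileRoot /inheritance:r
icacls $profileRoot /grant 'SYSTEM:(OI)(CI)F' 'EXAMPLE\Domain Admins:(OI)(CI)F' `
    'CREATOR OWNER:(OI)(CI)(IO)F' 'Authenticated Users:(RD,AD)'

# 2. Roaming profiles: the path stored on the account uses %username%, which the
#    client expands at logon. Windows Vista/2008 clients add a ".V2" suffix to the
#    folder they create, so jdoe ends up in \\FS01\Profiles$\jdoe.V2.
Get-ADUser -Filter * -SearchBase 'OU=Sales,DC=example,DC=com' |
    Set-ADUser -ProfilePath "$profileShare\%username%"

# 3. Mandatory profile. The generic account's profile was copied to
#    D:\Profiles\SalesMandatory.V2 with System Properties > User Profiles > Copy To
#    (the slide's "copy" step). Renaming the hive to NTUSER.MAN is what makes the
#    profile mandatory: changes are discarded at logoff instead of written back.
$mandatory = Join-Path $profileRoot 'SalesMandatory.V2'
Rename-Item -Path (Join-Path $mandatory 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force
# Read-and-execute only, so the users who share it cannot alter the template.
icacls $mandatory /grant 'Authenticated Users:(OI)(CI)RX'
# The account path omits the .V2 suffix; the client appends it.
Get-ADGroupMember -Identity 'SalesKiosks' | Get-ADUser |
    Set-ADUser -ProfilePath "$profileShare\SalesMandatory"

# 4. Verify what each account now points at.
Get-ADUser -Filter * -SearchBase 'OU=Sales,DC=example,DC=com' -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

The NTFS rights in step 1 are the documented minimum for a roaming profile root; granting users Modify or Full on the root instead would let any user browse, and tamper with, every other user's profile on the share.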

What's …

Restart Capability
• Windows Server 2008 provides the option to stop Active Directory Domain Services
  – Without taking down the computer
• After your work is done on Active Directory, you simply restart Active Directory Domain Services

Auditing Improvements
• Server administrators can now create an audit trail of many types of changes that might be made in Active Directory, including when:
  – There are attribute changes to the schema
  – Objects are moved, such as user accounts moved from one OU to a different one

Auditing Improvements (continued)
• You must set up Active Directory auditing in two places:
  – Enable a Domain Controllers (global) Policy to audit successful or failed Active Directory change actions
  – Configure successful or failed change actions on specific Active Directory objects or containers
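The two auditing steps above, followed by reading the events they produce, as an added example that is not part of the slides. Step one enables the Windows Server 2008 "Directory Service Changes" audit subcategory on the domain controller (the slide's policy setting); step two writes an auditing entry (SACL) on a container so that changes to objects under it are actually recorded; step three reads the change events back. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later), that it runs on a domain controller with permission to change audit policy and object security, and a constructed OU named Sales in a constructed domain example.com.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module
# (Windows Server 2008 R2+), execution on a domain controller, and a constructed
# container OU=Sales,DC=example,DC=com.
Import-Module ActiveDirectory

# Step 1: policy side. "Directory Service Changes" logs what changed (old and new
# values), unlike "Directory Service Access", which only logs that an object was
# touched. auditpol sets it on this DC; in production put the same subcategory in
# the Default Domain Controllers Policy so every DC audits identically.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Step 2: object side. Nothing is logged until a SACL entry on the object or container
# names who and what to audit. Here: any principal (Everyone, S-1-1-0) writing a
# property, creating, or deleting a child anywhere under the OU, success and failure.
$ouDN     = 'OU=Sales,DC=example,DC=com'
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$flags    = [System.Security.AccessControl.AuditFlags]::Success -bor
            [System.Security.AccessControl.AuditFlags]::Failure
$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$auditRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone, $rights, $flags,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 3: read the trail. Directory Service Changes event IDs in the Security log:
# 5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted.
$changeEvents = @{ 5136 = 'modified'; 5137 = 'created'; 5138 = 'undeleted'; 5139 = 'moved'; 5141 = 'deleted' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($changeEvents.Keys) } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named fields out of the event XML; the set differs per event ID.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # 5139 (moved) reports OldObjectDN/NewObjectDN instead of ObjectDN.
        $object = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['NewObjectDN'] }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Action    = $changeEvents[[int]$_.Id]
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $object
            Attribute = $data['AttributeLDAPDisplayName']   # only present for 5136
        }
    } | Format-Table Time, Action, Actor, Object, Attribute -AutoSize
```

The SACL in step 2 is what makes the policy in step 1 produce anything for that OU, which is why the slide lists two places: an administrator who only enables the policy will see schema and configuration changes (those partitions carry SACLs by default) but no events for user accounts moved, renamed or edited in their own OUs. A practical check after the setup is to rename a test account in the OU and confirm a 5136 event names the account, the attribute and the actor.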
Summary
• Active Directory (or AD DS) is a directory service to house information about network resources
• Servers housing Active Directory are called domain controllers (DCs)
• The most basic component of Active Directory is an object
• The global catalog stores information about every object, replicates key Active Directory elements, and is used to authenticate user accounts when they log on

Summary (continued)
• A namespace consists of using the Domain …