MCST 2015 - Module 1.pdf

  • 7/27/2019 MCST 2015 - Module 1.pdf

    Objects and Accounts

    Module 1

    MCST 2015

    Active Directory

    Organizational Unit (OU)

    A container object that functions in a subordinate capacity to a domain, something like a subdomain, but without the complete separation of security policies.

    As a container object, OUs can contain other OUs, as well as leaf objects.

    You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed.

    However, an OU is still part of the domain and still inherits policies and permissions from its parent objects.

    Organizational Units

    Can be created to represent your company's functional or geographical model.

    Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.

    Can be used to apply consistent configuration to client computers, users and member servers.

    Creating an Organizational Unit

    To create an organizational unit, you would use the Active Directory Users and Computers console.

    Delegation of Control

    Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.

    Delegating authority at a site level affects all domains and users within the site.

    Delegating authority at a domain level affects the entire domain.

    Delegating authority at the OU level affects only that OU and its hierarchy.

    Delegation of Control

    Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.

    The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.

    You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.

    Delegating Administrative Control of an OU

    Open Active Directory Users and Computers.

    Right-click the object to which you wish to delegate control, and click Delegate Control.

    Click Next on the Welcome to the Delegation of Control Wizard page.

    Group Policy

    One of the biggest reasons to use OUs is for the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings.

    Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU.

    Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.

    Accidental Deletion

    Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common:

    Leaf-node deletion is when a user selects and deletes a leaf object.

    Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).

    Accidental Deletion

    To protect objects from accidental deletion:

    When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
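
    Both the protection check box above and the permissions written by the Delegation of Control Wizard can be audited from PowerShell. The script below is an added example, not part of the original slides; it assumes the ActiveDirectory module (RSAT) is installed, and the list of default trustees it filters out is an assumption to adjust per domain.

```powershell
# Added example (not from the original slides): audit every OU for the
# "Protect container from accidental deletion" setting and list explicit
# (non-inherited) Allow ACEs, which is where delegated permissions appear.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Pass -Fix to enable protection where it is missing (honours -WhatIf).
    [switch]$Fix
)

Import-Module ActiveDirectory

# Trustees that hold explicit ACEs on a freshly created OU. This pattern is an
# assumption for a default domain; extend it for your own admin groups.
$defaultTrustees = '^(NT AUTHORITY\\|BUILTIN\\|CREATOR OWNER$|Everyone$)|' +
                   '\\(Domain Admins|Enterprise Admins|Key Admins|Enterprise Key Admins)$'

$ous = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion

$report = foreach ($ou in $ous) {
    $dn = $ou.DistinguishedName

    if (-not $ou.ProtectedFromAccidentalDeletion) {
        Write-Warning "Not protected from accidental deletion: $dn"
        if ($Fix -and $PSCmdlet.ShouldProcess($dn, 'Enable accidental-deletion protection')) {
            Set-ADOrganizationalUnit -Identity $dn -ProtectedFromAccidentalDeletion $true
        }
    }

    # The AD: drive is provided by the ActiveDirectory module. Protection is
    # stored as Deny ACEs for Everyone, so only Allow ACEs are reported here.
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notmatch $defaultTrustees
        } |
        ForEach-Object {
            [pscustomobject]@{
                OU         = $dn
                Trustee    = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights
                AppliesTo  = $_.InheritanceType   # None, All, Descendents, ...
                ObjectType = $_.ObjectType        # class/attribute GUID; all zeros = any
            }
        }
}

# One row per delegated ACE; an empty table means no delegations were found.
$report | Sort-Object OU, Trustee | Format-Table -AutoSize -Wrap
```

    Run it without -Fix first; trustees that appear in the table were granted rights directly on that OU rather than inheriting them from the domain.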

    Default Containers

    When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created:

    Builtin

    Computers

    Domain Controllers

    Foreign Security Principals

    LostAndFound

    NTDS Quotas

    Program Data

    System

    Users

    Default Containers

    Default containers are automatically created and cannot be deleted.

    The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.

    Default Containers

    To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO.

    The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.

    Understanding User Accounts

    Three types of user accounts can be created and configured in Windows Server 2008:

    Local accounts.

    Domain accounts.

    Built-in user accounts.

    MCST 2015 - Administering the Active Directory

    Local Accounts

    Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside.

    Never replicated to other computers, nor do these accounts have domain access.

    Domain Accounts

    Accounts used to access Active Directory or network-based resources, such as shared folders or printers.

    Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.

    A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

    Built-in User Accounts

    Automatically created when Microsoft Windows Server 2008 is installed.

    Built-in user accounts are created on a member server or a standalone server.

    When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.

    Built-in User Accounts

    By default, two built-in user accounts are created on a Windows Server 2008 computer:

    Administrator account.

    Guest account.

    Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.

    Creating and Managing User Accounts

    User accounts are usually created and managed with Active Directory Users and Computers.

    User Account Properties

    Managing User Accounts

    Use Active Directory Users and Computers from a domain controller or workstation with Administrative Tools installed to configure domain accounts.

    To modify properties on multiple user accounts at once, use the Shift or Ctrl keys to select all users, then edit the necessary properties. Properties such as the logon name or password cannot be modified in this way.

    Managing User Accounts

    You can move user accounts to add them to the appropriate OUs. Grouping users within OUs allows you to apply Group Policy settings to groups of users.

    When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password, then select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring that the user will be the only person who knows the password.

    Managing User Accounts

    You can configure an expiration date for temporary user accounts. Once the account is expired, it cannot be used for logon.

    If a user will be gone for an extended period of time, disable the account. This prevents the account from being used during the user's absence. Enable the account when the user returns.

    Managing User Accounts

    Configure the logon hours for a user account to allow the account to only be used between specific hours.

    Logon attempts outside of the specified hours will not be allowed.

    Users who are currently logged on will be allowed to continue working when the logon hours expire.

    To log a user off when the logon hours pass, configure Group Policy settings to log the user off automatically.

    Managing User Accounts

    If you accidentally delete a user account, restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.

    Managing User Accounts

    To create another user account similar to an existing user, copy the existing user account. You will be prompted for a new name and password. Existing account settings and group memberships will be copied to the new account. Permissions will not be copied to the new account.
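
    The password reset, account expiration and disable practices from the Managing User Accounts slides can be scripted and checked with the ActiveDirectory module. This is an added example, not part of the original slides; the account name jdoe, the 30-day expiry and the 90-day inactivity threshold are placeholders.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module (RSAT). Account names and thresholds below are placeholders.
Import-Module ActiveDirectory

function Reset-PasswordForcedChange {
    # Reset a password and set "User must change password at next logon".
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, CannotChangePassword

    # The forced change cannot be combined with "Password never expires" or
    # "User cannot change password"; stop instead of leaving a known password.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        throw "$Identity has PasswordNeverExpires or CannotChangePassword set; clear it first."
    }

    $temp = Read-Host -AsSecureString -Prompt "Temporary password for $Identity"
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password and force change at next logon')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
}

function Set-TemporaryAccount {
    # Give a temporary account an expiration date; it cannot log on afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Days = 30
    )
    $expires = (Get-Date).Date.AddDays($Days)
    if ($PSCmdlet.ShouldProcess($Identity, "Expire account on $expires")) {
        Set-ADAccountExpiration -Identity $Identity -DateTime $expires
    }
}

function Get-AccountHygieneReport {
    # Enabled accounts that look unused: candidates to disable during absence.
    param([int]$InactiveDays = 90)

    $inactive = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate, @{ n = 'Finding'; e = { "No logon in $InactiveDays days" } }

    # Expired accounts cannot log on, but leaving them enabled hides the fact
    # that nobody owns them any more.
    $expired = Search-ADAccount -AccountExpired -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, LastLogonDate, @{ n = 'Finding'; e = { "Expired $($_.AccountExpirationDate)" } }

    @($inactive) + @($expired) | Where-Object { $_ }
}

# Usage (placeholders):
#   Reset-PasswordForcedChange -Identity jdoe -WhatIf
#   Set-TemporaryAccount -Identity jdoe -Days 30
#   Get-AccountHygieneReport | Format-Table -AutoSize
#   Disable-ADAccount -Identity jdoe    # user away; Enable-ADAccount on return
```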

    Managing Computer Accounts

    A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:

    Create a computer account in Active Directory.

    Join a computer to the domain. When you join the domain, the device is associated with the Active Directory computer account.

    Managing Computer Accounts

    Because the Computers folder is not an OU, you cannot link a GPO to this container, meaning that only Group Policy settings in the domain will apply to these computers. For more control over Group Policy settings for computers or groups of computers, move computer accounts to OUs.

    To control where computer accounts are placed when the computer joins the domain, create computer accounts ahead of time before joining the domain from the workstation.

    Managing Computer Accounts

    The following group members can create a computer account:

    Account Operators

    Domain Admins

    Enterprise Admins

    Managing Computer Accounts

    Members of the Authenticated Users group can join up to 10 computers to a domain from a workstation (and create the computer account automatically if it does not already exist). This ability comes from the Add workstations to a domain user right. You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.

    Managing Computer Accounts

    You can grant other users permissions to create computer accounts by giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs.

    To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
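
    The join limit and the placement of computer accounts described in the Managing Computer Accounts slides can be checked from PowerShell. This is an added example, not part of the original slides; it assumes the ActiveDirectory module, and the OU path and computer name are placeholders. The attribute names ms-DS-MachineAccountQuota and mS-DS-CreatorSID are the directory attributes behind the behaviour the slides describe and do not appear in the slides themselves.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module (RSAT). 'OU=Workstations,DC=example,DC=com' and 'WS-0142' are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain

function Get-ComputerJoinQuota {
    # The "up to 10 computers" limit is stored on the domain object.
    # A value of 0 turns off quota-based joins by ordinary users.
    (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-UnplacedComputer {
    # Accounts left in the default Computers container receive only
    # domain-level GPOs. mS-DS-CreatorSID is populated when a non-administrator
    # created the account through the join quota.
    Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
        -Filter * -Properties whenCreated, 'mS-DS-CreatorSID' |
        ForEach-Object {
            $creator = $_.'mS-DS-CreatorSID'
            $createdBy = if ($creator) {
                try   { $creator.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $creator.Value }          # SID no longer resolves
            } else { '(administrator or pre-staged)' }

            [pscustomobject]@{
                Name      = $_.Name
                Created   = $_.whenCreated
                CreatedBy = $createdBy
            }
        }
}

function New-StagedComputer {
    # Create the account in the target OU before the workstation joins, so it
    # lands under the right GPOs from the first boot.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetOU
    )
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        Write-Warning "$Name already exists; move it with Move-ADObject instead."
        return
    }
    if ($PSCmdlet.ShouldProcess("$Name in $TargetOU", 'Create computer account')) {
        # New-ADComputer appends the trailing '$' to the SAM account name.
        New-ADComputer -Name $Name -SamAccountName $Name -Path $TargetOU -Enabled $true
    }
}

# Usage (placeholders):
#   "Per-user join quota: $(Get-ComputerJoinQuota)"
#   Get-UnplacedComputer | Sort-Object Created | Format-Table -AutoSize
#   New-StagedComputer -Name 'WS-0142' -TargetOU 'OU=Workstations,DC=example,DC=com' -WhatIf
```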

    Managing Service Accounts

    A service account is a special user account that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform.

    Managing Service Accounts

    Categories of Service Accounts:

    Built-in local user account

    Domain user account

    Managed service account

    Virtual account

    Managing Service Accounts

    Built-in local user account

    A built-in user account is a user account that is created automatically during installation. The following three built-in user accounts are used by most services:

    Local System account (also called the System account)

    Local Service account

    Network Service account

    Managing Service Accounts

    Domain user account

    User accounts are managed centrally in Active Directory.

    You can create a single user account for a single service, or share a user account for multiple services.

    You can grant only the specific privileges required by the service.

    You must manage account passwords. For example, you will need to periodically reset the account password on the account as well as reset the password used by the service.

    Managing Service Accounts

    Managed service account

    A managed service account is a new account type available in Windows Server 2008 R2 and Windows 7. A managed service account provides the same benefits of using a domain user with the added benefit that passwords are managed and reset automatically.

    An account can be used on only one computer (you must create at least one account per computer).

    Each account can be used by multiple services on a computer. You can also create a separate account for each service.

    Managing Service Accounts

    Virtual account

    A virtual account is a new account type available in Windows Server 2008 R2 and Windows 7. Virtual accounts:

    Are not created or deleted.

    Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.

    Group Accounts

    Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.

    A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

    Group Accounts

    When a user logs on, an access token is created that identifies the user and all of the user's group memberships.

    This access token is used to verify a user's permissions when the user attempts to access a local or network resource.

    By using groups, multiple users can be given the same permission level for resources on the network.

    Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.

    Group Types

    Distribution groups - Non-security-related groups created for the distribution of information to one or more persons.

    Security groups - Security-related groups created for purposes of granting resource access permissions to multiple users.

    Group Nesting

    Users can be members of more than one group.

    Groups can contain other Active Directory objects, such as computers, and other groups.

    Groups containing groups is called group nesting.

    Group Scopes

    Global

    Domain Local

    Universal

    Using Global and Domain Local Groups

    Global

    These groups can include users, computers, and other global groups from the same domain.

    You can use them to organize users who have similar functions and therefore similar requirements on the network.

    Domain local

    These groups can include users, computers, and groups from any domain in the forest.

    They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.

    Using Global and Domain Local Groups

    Assign users within a domain to global groups.

    Add global groups to domain local groups.

    Assign permissions to domain local group.

    Universal Groups

    These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.

    A universal group can include users, computers, and global groups from any domain in the forest.

    Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

    AGUDLP

    Microsoft approach to using groups:

    Add Accounts to Global groups.

    Add those global groups to Universal groups.

    Add universal groups to Domain Local groups.

    Finally, assign Permissions to the domain local groups.
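
    The AGUDLP chain can be built with the ActiveDirectory module and then checked for accounts that bypass it. This is an added example, not part of the original slides; the GG-/UG-/DL- naming prefixes, the OU path and the account asmith are placeholders chosen for illustration.

```powershell
# Added example (not from the original slides). Requires the ActiveDirectory
# module (RSAT). Naming prefixes, OU paths and accounts are placeholders.
Import-Module ActiveDirectory

function New-AgudlpChain {
    # Create one global, one universal and one domain local security group and
    # nest them in AGUDLP order. Returns the name of the domain local group.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Role,      # business role, e.g. Finance
        [Parameter(Mandatory)][string]$Resource,  # resource and access level, e.g. FinShare-Modify
        [Parameter(Mandatory)][string]$GroupOU,   # OU that will hold the groups
        [string[]]$Accounts = @()
    )
    $gg = "GG-$Role"; $ug = "UG-$Role"; $dl = "DL-$Resource"
    if (-not $PSCmdlet.ShouldProcess("$gg -> $ug -> $dl", 'Create and nest groups')) { return }

    New-ADGroup -Name $gg -GroupScope Global      -GroupCategory Security -Path $GroupOU
    New-ADGroup -Name $ug -GroupScope Universal   -GroupCategory Security -Path $GroupOU
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU

    if ($Accounts) { Add-ADGroupMember -Identity $gg -Members $Accounts }  # A -> G
    Add-ADGroupMember -Identity $ug -Members $gg                            # G -> U
    Add-ADGroupMember -Identity $dl -Members $ug                            # U -> DL
    $dl  # P: the only group that should be placed on the resource ACL
}

function Get-AgudlpViolation {
    # Report user or computer accounts that are direct members of universal or
    # domain local groups, i.e. access that skips the global-group layer.
    param([Parameter(Mandatory)][string]$SearchBase)

    $groups = Get-ADGroup -Filter "GroupCategory -eq 'Security'" `
                  -SearchBase $SearchBase -Properties Members

    foreach ($group in $groups) {
        if ($group.GroupScope -eq 'Global') { continue }   # accounts belong here

        foreach ($memberDn in $group.Members) {
            try {
                $member = Get-ADObject -Identity $memberDn -ErrorAction Stop
            } catch {
                # Members from another domain need -Server; flag for manual review.
                Write-Warning "Cannot resolve $memberDn in this domain"
                continue
            }
            if ($member.ObjectClass -in 'user', 'computer') {
                [pscustomobject]@{
                    Group  = $group.Name
                    Scope  = $group.GroupScope
                    Member = $member.Name
                    Issue  = 'Account added directly; place it in a global group instead'
                }
            }
        }
    }
}

# Usage (placeholders):
#   New-AgudlpChain -Role Finance -Resource FinShare-Modify `
#       -GroupOU 'OU=Groups,DC=example,DC=com' -Accounts asmith -WhatIf
#   Get-AgudlpViolation -SearchBase 'OU=Groups,DC=example,DC=com' | Format-Table -AutoSize
```

    Accounts added to the global group receive the access only after their next logon, because the access token is built at logon.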

    Creating and Managing Groups

    Creating and managing groups is usually done with Active Directory Users and Computers.

    Group Properties

    Working with Default Groups

    Account Operators - Can create, modify and delete accounts for users, groups, and computers in all containers and OUs. Cannot modify the Administrators, Domain Admins and Enterprise Admins groups.

    Administrators - Complete and unrestricted access to the computer or domain controller.

    Backup Operators - Can back up and restore all files on the computer.

    Working with Default Groups

    Guests - Same privileges as members of the Users group. Disabled by default.

    Print Operators - Can manage printers and document queues.

    Server Operators - Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.

    Working with Default Groups

    Users - Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions.

    DNSAdmins - Permits administrative access to the DNS server service.

    Working with Default Groups

    Domain Admins - Can perform administrative tasks on any computer anywhere in the domain.

    Domain Computers - Contains all computers. Used to make computer management easier through group policies.

    Domain Controllers - Contains all computers installed in the domain as a domain controller.

    Working with Default Groups

    Domain Guests - Members include all domain guests.

    Domain Users - Members include all domain users. Used to assign permissions to all users in the domain.

    Enterprise Admins - Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

    Working with Default Groups

    Schema Admins - Members can manage and modify the Active Directory schema.

    Special Identity Groups and Local Groups

    Authenticated Users - Used to allow controlled access to resources throughout the forest or domain.

    Everyone - Used to provide access to resources for all users and guests. Assigning this group to resources is not recommended.

    Group Implementation Plan

    A plan that states who has the ability and responsibility to create, delete, and manage groups.

    A policy that states how domain local, global, and universal groups are to be used.

    A policy that states guidelines for creating new groups and deleting old groups.

    A naming standards document to keep group names consistent.

    A standard for group nesting.

    Creating Users and Groups

    Active Directory Users and Computers.

    Batch files.

    Comma-Separated Value Directory Exchange (CSVDE).

    LDAP Data Interchange Format Directory Exchange (LDIFDE).

    Windows Script Host (WSH).

    Summary

    When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.

    Delegation of administrative tasks should be a consideration in your plan.

    Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

    Summary

    Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.

    Permissions can be delegated using the Delegation of Control Wizard.

    Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

    Summary

    Three types of user accounts exist in Windows Server 2008:

    Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.

    Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.

    Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.

    Summary

    The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008. It can be renamed, but it cannot be deleted.

    The Guest account is a built-in account used to assign temporary access to resources. It can be renamed, but it cannot be deleted. This account is disabled by default and the password can be left blank.

    Summary

    Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).

    Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.

    Summary

    Global groups are used to organize domain users according to their resource access needs.

    Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.

    Summary

    Universal groups are used to provide access to resources anywhere in the forest.

    Their membership lists can contain global groups and users from any domain.

    Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

    Summary

    The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.

    Summary

    Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.

    Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.