Module 2 Creating Active Directory ® Domain Services User and Computer Objects.
Module Overview
• Managing User Accounts
• Creating Computer Accounts
• Automating AD DS Object Management
• Using Queries to Locate Objects in AD DS
Lesson 1: Managing User Accounts
• What Is a User Account?
• Names Associated with Domain User Accounts
• User Account Password Options
• Standard User Management
• Tools for Configuring User Accounts
• What Is a User Account Template?
What Is a User Account?
A user account is an object that enables authentication and access to local and network resources. A user account can be stored:
• In AD DS (AD DS account): AD DS accounts enable logon to domains and provide access to shared network resources
• On the local computer (local account): local accounts enable logon to a single computer and access to local resources
Creating a user account also creates a Security ID (SID)
Names Associated with Domain User Accounts
Naming options for domain user accounts (object name: example; uniqueness requirement):
• User logon name: Gregory; must be unique within the domain
• User logon name (pre-Microsoft® Windows® 2000): Woodgrove\Gregory; must be unique within the domain
• User principal name (UPN): must be unique within the forest
• LDAP distinguished name: CN=Gregory,OU=IT,DC=WoodgroveBank,DC=com; globally unique, because it combines the RDN, the container names, and the domain name
• Relative distinguished name (RDN): CN=Gregory; must be unique within its OU
User Account Password Options
User object passwords are a significant aspect of network security and can have options configured for:
• Password history
• Length
• Complexity
By default, Windows Server® 2008 domain passwords must meet three out of the following four complexity requirements:
• Uppercase
• Lowercase
• Special characters
• Numbers
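The following is an added example, not part of the course material: a pre-check that mirrors the complexity rule described above (characters from at least three of the four categories) before a password is handed to a bulk account-creation script. The minimum length of 7 is an assumption taken from the Default Domain Policy value; adjust it to your own domain's policy.

```powershell
# Added example (not course material). Checks a candidate password against the
# "three of four categories" rule and a minimum length before it is sent to AD DS.
# Assumption: MinimumLength 7 is the Default Domain Policy value; change it to match
# your domain.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [int]$MinimumLength = 7,
        [string]$SamAccountName = ''
    )

    # -cmatch is case-sensitive; the default -match would count "abc" as uppercase too.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # numbers
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # special characters

    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    if ($categories -lt 3)                   { $reasons += "only $categories of 4 character categories" }
    # The built-in complexity policy also rejects a password that contains the
    # account's logon name (compared case-insensitively, which -match does).
    if ($SamAccountName -and ($Password -match [regex]::Escape($SamAccountName))) {
        $reasons += 'contains the logon name'
    }

    New-Object PSObject -Property @{
        Candidate  = $Password
        Categories = $categories
        Passes     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample values: the first two fail, the last one passes.
'summer2008', 'Gregory1!', 'Tq7#kLm2pX' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'Gregory'
} | Format-Table Candidate, Categories, Passes, Reasons -AutoSize
```

The check is deliberately a pre-filter only: the domain controller still enforces the real policy when Set-ADAccountPassword or New-ADUser is called, so a password that passes here can still be rejected if the domain uses a stricter fine-grained password policy.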
Standard User Management
Standard user management activities include:
Updating group membership: controls the groups a user belongs to and therefore the access rights the user holds
Resetting user passwords: resets the credential the user presents to authenticate to domain computers
Setting user expiration: sets the date after which the user can no longer access the domain
Setting logon hours: sets the hours during which the user can log on to the domain
Assigning profiles and setting home folders: assigns user profiles and home folders to regulate access to resources
Tools for Configuring User Accounts
You use different tools for creating and managing local and domain user accounts:
• Local computer account: Windows XP and Windows Vista®: User Accounts
• Domain account: Windows Server 2003/2008: Active Directory Users and Computers
• Domain account, command-line utilities: dsadd, Windows PowerShell™, CSVDE, LDIFDE
Demonstration: Configuring User Accounts
In this demonstration, you will see how to:
• Create a new user account using Active Directory Users and Computers
• Rename user accounts
• View complexity requirements
What Is a User Account Template?
A user account template is an account with common properties already configured. User account templates take advantage of the similarity between user accounts.
To use user templates:
1. Create several typical users reflecting the various groups within your organization
2. Copy the user account most like the new account you want to create
3. Modify the attributes: names, e-mail address, logon name, and so on
Demonstration: Creating and Using a User Account Template
In this demonstration, you will see how to:
• Create and use a User Account Template
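The three template steps above, as an added Windows PowerShell example that is not the course's own code. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); the template account "_tmpl_IT", the OU and the person are hypothetical. Only the attributes listed in $copiedAttributes are carried over, and group memberships are added explicitly, because memberOf is a back-link attribute that New-ADUser -Instance does not copy.

```powershell
# Added example (not course material): copy a template account with New-ADUser -Instance.
# Assumes the ActiveDirectory module; "_tmpl_IT" and all names are hypothetical.
Import-Module ActiveDirectory

# Attributes a new account inherits from the template. Identity attributes (SID, logon
# names, DN) are never copied; they are set per account below.
$copiedAttributes = 'Department', 'Company', 'Title', 'Description', 'ScriptPath',
                    'HomeDirectory', 'HomeDrive', 'ProfilePath', 'LogonHours'

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateSam,
        [Parameter(Mandatory = $true)][string]$GivenName,
        [Parameter(Mandatory = $true)][string]$Surname,
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$InitialPassword
    )

    $template = Get-ADUser -Identity $TemplateSam -Properties $copiedAttributes

    # A template exists only to be copied; refuse to work from one that could log on.
    if ($template.Enabled) {
        throw "Template '$TemplateSam' is enabled; disable it before using it as a template."
    }

    # New accounts land in the template's container; the UPN suffix follows the template's.
    $path      = $template.DistinguishedName -replace '^CN=[^,]+,', ''
    $upnSuffix = if ($template.UserPrincipalName) { ($template.UserPrincipalName -split '@')[-1] } else { (Get-ADDomain).DNSRoot }

    # Paths on the template usually embed its own logon name; substitute the new one
    # (the same substitution the Copy action in Active Directory Users and Computers makes).
    foreach ($attr in 'HomeDirectory', 'ProfilePath') {
        if ($template.$attr) {
            $template.$attr = $template.$attr -replace [regex]::Escape($TemplateSam), $SamAccountName
        }
    }

    $user = New-ADUser -Instance $template `
        -Name "$GivenName $Surname" -DisplayName "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$upnSuffix" `
        -Path $path -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true -Enabled $true -PassThru

    # Group memberships are not part of -Instance; copy them one group at a time.
    foreach ($groupDn in (Get-ADUser -Identity $TemplateSam -Properties MemberOf).MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    $user
}

# Usage: the initial password is typed interactively and never stored in the script.
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
New-UserFromTemplate -TemplateSam '_tmpl_IT' -GivenName 'Gregory' -Surname 'Weber' `
    -SamAccountName 'gweber' -InitialPassword $pw
```

Keeping the template disabled, and copying an explicit attribute list rather than everything the template carries, means a template can never become a logon path and that a stray attribute set on the template by mistake does not silently propagate to every account created from it.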
Lesson 2: Creating Computer Accounts
• What Is a Computer Account?
• Options for Creating Computer Accounts
• Managing Computer Accounts
What Is a Computer Account?
A computer account is an object in AD DS that identifies a computer in a domain. Computer accounts:
• Are required for authentication and auditing
• Enable managing the computer by using Group Policy
• Are required for all computers running Windows NT or later
Options for Creating Computer Accounts
Scenario: adding individual computers to a domain. Process:
• Add the computer to the domain through the computer's system properties
• The account is created by default in the Computers container
Scenario: creating multiple computer accounts in preparation for automating an operating system and software deployment. Process:
1. Create an OU for each department
2. Pre-stage the new computer accounts
3. Add the computers to the domain
Managing Computer Accounts
Computer management activities include:
Adding computer accounts: provides the computer name and specifies the management options for the account
Disabling computer accounts: keeps the account but prevents logon by using it
Resetting the computer account: resets the security association between the domain and the client computer (a re-join is then necessary)
Deleting computer accounts: removes the computer from all domain services
Configuring Group Policy: manages software or the computer desktop environment
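The management activities listed above as an added Windows PowerShell example; this is not the course's own code. The directory-side steps assume the ActiveDirectory module (Windows Server 2008 R2 RSAT or later) and dsmod, which is built into Windows Server 2008; the client-side step uses cmdlets built into Windows PowerShell 2.0 and is meant to run on the client itself. The computer name and OU are hypothetical.

```powershell
# Added example (not course material): pre-stage, disable, reset and delete a computer
# account. Names are hypothetical; assumes the ActiveDirectory module on the admin host.
Import-Module ActiveDirectory
$ouDn       = 'OU=Workstations,OU=IT,DC=WoodgroveBank,DC=com'
$computerDn = "CN=NYC-CL2,$ouDn"

# Pre-stage: create the account in the OU whose Group Policy it should receive, so the
# machine does not land in the default Computers container when it joins.
New-ADComputer -Name 'NYC-CL2' -Path $ouDn -Enabled $true `
    -Description 'Pre-staged for automated OS deployment'

# Disable: keeps the object (its SID, group memberships and audit history) but prevents
# the computer from authenticating with it.
Disable-ADAccount -Identity $computerDn
Get-ADComputer -Identity $computerDn -Properties Description |
    Select-Object Name, Enabled, Description

# Reset from the directory side. This discards the secret the client holds, so the client
# no longer trusts the domain until the trust is re-established (by re-joining, or as below).
Enable-ADAccount -Identity $computerDn
dsmod computer $computerDn -reset

# On the client NYC-CL2 itself, run as a domain administrator: test the secure channel and,
# if it is broken, repair it in place instead of removing and re-joining the computer.
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair
}

# Delete: removes the object completely; nothing about the computer remains in the directory.
Remove-ADComputer -Identity $computerDn -Confirm:$false
```

Disabling rather than deleting is the usual first response when a machine is lost or suspected compromised: the account can no longer authenticate, but the object, its SID and its audit trail stay available for the investigation, and the decision to delete can be made later.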
Demonstration: Configuring Computer Accounts
In this demonstration, you will see how to:
• Pre-stage a computer account
• Configure computer account settings
• Disable and reset a computer account
Lesson 3: Automating AD DS Object Management
• Tools for Automating AD DS Object Management
• Configuring AD DS Objects Using Command-Line Tools
• Managing User Objects with LDIFDE
• Managing User Objects with CSVDE
• What Is Windows PowerShell?
• Windows PowerShell Cmdlets
Tools for Automating AD DS Object Management
• Active Directory Users and Computers
• Directory Service tools: Dsadd, Dsmod, Dsrm
• Csvde and Ldifde tools
• Windows PowerShell
Configuring AD DS Objects Using Command-Line Tools
Command-line tools:
• Dsadd - Add objects to AD DS
• Dsmod - Modify objects in AD DS
• Dsrm - Remove objects from AD DS
• Dsget - Locate objects in AD DS
• net user - Add or modify user accounts
• net group - Add or modify group access
• net computer - Add or remove computer objects from AD DS
Managing User Objects with CSVDE
[Diagram: CSVDE.exe imports the records in filename.csv, for example the export of an HR application, into Active Directory, and exports Active Directory objects to filename.csv]
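An added example of the import path in the diagram, not the course's own code: it builds a CSVDE import file from a constructed HR export, imports it, and then finishes what CSVDE cannot do. CSVDE has no way to import a password, so every account it creates is disabled and has no password; the second half assigns an initial password, forces a change at first logon and only then enables the account. The OU, UPN suffix and people are hypothetical, and the fix-up assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later).

```powershell
# Added example (not course material): bulk-create users with CSVDE and complete the
# accounts afterwards. OU, UPN suffix and people are hypothetical.
$ouDn      = 'OU=IT,DC=WoodgroveBank,DC=com'
$upnSuffix = 'WoodgroveBank.com'
$csvPath   = Join-Path $env:TEMP 'newusers.csv'

# Constructed sample input, shaped the way an HR application might export it.
$hrExport = @(
    (New-Object PSObject -Property @{ First = 'Gregory'; Last = 'Weber';  Logon = 'gweber'  }),
    (New-Object PSObject -Property @{ First = 'Anna';    Last = 'Lidman'; Logon = 'alidman' })
)

# CSVDE's header row holds LDAP attribute names; DN and objectClass are mandatory,
# the remaining columns are optional.
$rows = foreach ($p in $hrExport) {
    New-Object PSObject -Property @{
        DN                = "CN=$($p.First) $($p.Last),$ouDn"
        objectClass       = 'user'
        sAMAccountName    = $p.Logon
        userPrincipalName = "$($p.Logon)@$upnSuffix"
        givenName         = $p.First
        sn                = $p.Last
        displayName       = "$($p.First) $($p.Last)"
    }
}
# Sample names are ASCII; for other scripts write -Encoding Unicode and import with csvde -u.
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# -i import, -f input file, -k continue past "object already exists", -j log directory
csvde -i -f $csvPath -k -j $env:TEMP

# Fix-up: CSVDE created the accounts disabled and without a password.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

Import-Csv -Path $csvPath | ForEach-Object {
    # 14 random characters with at least 3 non-alphanumeric ones; the domain still
    # enforces its own policy and Set-ADAccountPassword fails if the value does not meet it.
    $plain  = [System.Web.Security.Membership]::GeneratePassword(14, 3)
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $_.sAMAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $_.sAMAccountName -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $_.sAMAccountName
    # Hand the initial password to the user out of band; it must be changed at first logon.
    New-Object PSObject -Property @{ SamAccountName = $_.sAMAccountName; InitialPassword = $plain }
}
```

The order of the fix-up matters: the account is enabled last, so there is no window in which an account exists that is enabled but has no password or a shared, predictable one.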
What Is Windows PowerShell?
Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components
Windows PowerShell features include:
• Powerful single-line cmdlets
• Aliases
• Variables
• Pipelining
• Scripting support
• Access to all cmd.exe commands
Results from one cmdlet can be pipelined to another
Windows PowerShell Cmdlets
Windows PowerShell cmdlets all use the same Verb-Noun syntax (verb, noun, parameters: example):
• Get, Date: Get-Date
• Start, Service, W3SVC: Start-Service W3SVC
• Get-Service W3svc | format-list
• Get-Service | sort-object name
• Get-Service | where-object {$_.status -eq "running"} | sort-object name
Demonstration: Configuring Active Directory Objects Using Windows PowerShell
In this demonstration, you will see how to:
• Configure Active Directory Objects using Windows PowerShell
Lesson 4: Using Queries to Locate Objects in AD DS
• Options for Locating Objects in AD DS
• What Is a Saved Query?
Options for Locating Objects in AD DS
Sorting: use the column headings in Active Directory Users and Computers to order objects by the values in a column
Searching: provide the criteria for which you want to search
Command line: dsquery with the appropriate parameters
Demonstration: Searching AD DS
In this demonstration, you will see how to:
• Search AD DS for user accounts
What Is a Saved Query?
A saved query is a way to save search criteria. Saved queries provide:
• A quick and consistent way to access a common set of directory objects to monitor or to perform specific tasks
• Options for searching attributes (for example, last logon date)
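The kind of question a saved query on last logon date answers, as an added example that is not the course's own code: first as a Windows PowerShell pipeline, then as the equivalent dsquery command line piped into dsget. The cmdlets assume the ActiveDirectory module (Windows Server 2008 R2 RSAT or later); dsquery and dsget are built into Windows Server 2008. The OU is hypothetical.

```powershell
# Added example (not course material): locate stale and risky user accounts.
# Assumes the ActiveDirectory module; the OU is hypothetical.
Import-Module ActiveDirectory
$searchBase = 'OU=IT,DC=WoodgroveBank,DC=com'

# Enabled users with no logon in the last 90 days (accounts that never logged on are
# included). lastLogonTimestamp is replicated, unlike lastLogon, but is refreshed only
# when the stored value is more than 14 days old, so LastLogonDate is accurate to about
# two weeks and should be read that way.
$inactive = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days 90) `
                -SearchBase $searchBase |
            Where-Object { $_.Enabled } |
            Sort-Object LastLogonDate |
            Select-Object SamAccountName, LastLogonDate, PasswordExpired
$inactive | Format-Table -AutoSize

# Filter on attributes: enabled users whose password never expires.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -SearchBase $searchBase |
    Select-Object SamAccountName, DistinguishedName

# The same two questions with the directory service tools. dsquery prints one DN per line,
# and dsget reads DNs from its input, so the tools pipeline like cmdlets do.
# -inactive takes weeks, -stalepwd takes days, -limit 0 removes the 100-result cap.
dsquery user $searchBase -inactive 13 -limit 0 | dsget user -samid -disabled
dsquery user $searchBase -stalepwd 90 -limit 0 | dsget user -samid -pwdneverexpires
```

Running a query like this on a schedule and comparing the output with the previous run turns a saved query into a monitoring control: accounts that stop being used, or that quietly acquire a non-expiring password, show up as differences rather than having to be noticed by eye.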
Demonstration: Using a Saved Query
In this demonstration, you will see how to:
• Create a saved query
Lab: Creating AD DS User and Computer Accounts
• Exercise 1: Creating and Configuring User Accounts
• Exercise 2: Creating and Configuring Computer Accounts
• Exercise 3: Automating the Management of AD DS Objects
Logon information
Virtual computers 6419A-NYC-DC1, 6419A-NYC-CL1
User name Administrator
Password Pa$$w0rd
Estimated time: 45 minutes
Lab Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.
Lab Review
• In order for searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts?
• Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required?