Administering Active Directory Administering W2K Server



Similar documents
Module 2: Managing User and Computer Accounts

Understanding Active Directory. Heng Sovannarith

Microsoft Virtual Labs. Active Directory New User Interface

GENERAL SYSTEM COMMANDS

Creating Organizational Units, Accounts, and Groups. Active Directory Users and Computers (ADUC) 21/05/2013

CHAPTER THREE. Managing Groups

Chapter 4: Implementing and Managing Group and Computer Accounts. Objectives

Administering Active Directory. Administering Active Directory. Reading. Review: Organizational Units. Review: Domains. Review: Domain Trees

Module 4. Managing Groups. Contents: Lesson 1: Overview of Groups 4-3. Lesson 2: Administer Groups Lab A: Administer Groups 4-36

R4: Configuring Windows Server 2008 Active Directory

Active Directory. Learning Objective. Active Directory

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Active Directory Commands ( )

Joining. Domain. Windows XP Pro

Restructuring Active Directory Domains Within a Forest

Configuring Windows Server 2008 Active Directory

Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

The Windows Server 2003 Environment. Introduction. Computer Roles. Introduction to Administering Accounts and Resources. Lab 2

How to monitor AD security with MOM

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Module 3: Implementing an Organizational Unit Structure

Core Active Directory Administration

Module 4: Implementing User, Group, and Computer Accounts

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

These guidelines can dramatically improve logon and startup performance.

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

File and Printer Sharing with Microsoft Windows

Windows Server 2003 Logon Scripts Paul Flynn

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

Managing External Users to NIH Active Directory

Introduction. Versions Used Windows Server 2003

1. Set Daylight Savings Time Create Migrator Account Assign Migrator Account to Administrator group... 4

Sample Configuration: Cisco UCS, LDAP and Active Directory

MCSE TestPrep: Windows NT Server 4, Second Edition Managing Resources

Ultimus and Microsoft Active Directory

Managing Users, Computers, & Groups

Lesson Plans LabSim for Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

HELP DOCUMENTATION UMRA REFERENCE GUIDE

Module 1: Introduction to Active Directory Infrastructure

Objectives. At the end of this chapter students should be able to:

Active Directory Integration Guide

Active Directory. By: Kishor Datar 10/25/2007

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

RIGHTS RESERVED. User Guide. GoToAssist Corporate , InnerApps, LLC. ALL RIGHTS RESERVED

Windows Clients and GoPrint Print Queues

Active Directory at the University of Michgan. The Michigan Way Since 2000

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

Setting Up a Backup Domain Controller

College of Marin Accounts Fall marin.edu Access,

Integrating LANGuardian with Active Directory

Eurobackup PRO Exchange Databases Backup Best Practices

Dadeschools.net Site Administrator Security Settings Request for Comment (RFC)

Active Directory Change Notifier Quick Start Guide

Delegated Administration Quick Start

IIS, FTP Server and Windows

1 of 10 1/31/2014 4:08 PM

LDAP Implementation AP561x KVM Switches. All content in this presentation is protected 2008 American Power Conversion Corporation

Windows Domain Network Configuration Guide

Video Administration Backup and Restore Procedures

4cast Client Specification and Installation

Managing an Active Directory Infrastructure

Manage Fine-Grained Password and Account Lockout Policies

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

PLANNING AND DESIGNING GROUP POLICY, PART 1

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

How to Enable LDAP Directory Services Authentication to Microsoft Active Directory in the HP cclass Onboard Administrator

Installation and Configuration Guide

Joining a workstation to the TAMU IT Domain and Profile Migration

CardAccess 3000 V2.9.x New Features Configuration Guide

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

ThinManager and Active Directory

Windows Server 2003 Administration Part 1 Lab Manual Presented by

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

Password Manager Windows Desktop Client

Configuring User Identification via Active Directory

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Installing Active Directory

TrueEdit Remote Connection Brief

How to use edgebox as a PDC and to Share Files

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

User Setup for SQL Security

Understanding & Configuring Mailbox Access Delegation in the UMROOT Forest

Group Policy 21/05/2013

Admin Report Kit for Active Directory

Planning and Implementing an OU Structure

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

2. Using Notepad, create a file called c:\demote.txt containing the following information:

Transcription:

Administering Active Directory Administering W2K Server (Week 9, Wednesday 3/7/2007) Abdou Illia, Spring 2007 1 Learning Objective Default Domain policies Creating OUs and managing their objects Controlling access to AD objects Administering User accounts Administering Group accounts 2 Default Domain Controller Policies By default only members of the following groups could log on to the LAN user a DC computer: Administrators Account Operators Print Operators Server Operators Backup Operators By default, members of all of the following groups could access a DC from the network: Administrators Authenticated Users Everyone 3 1

Default Domain Policies Password policy: 24 passwords remembered Minimum password age: 1 day Maximum password age: 42 days Minimum password length: 7 characters Password must meet complexity requirements Account lockout policy: No account lockout for invalid passwords 4 Common Objects in AD Computer Contact Group Printer User Shared Folder MSQM Represents a computer on the network. Contains information about a computer that is member of the domain Typically used to represent external people. Represents an account without security permissions. You cannot logon as contact Used to simplify management of objects. Can contain users, computers and other groups Represents a network printer published in AD. Is actually a pointer to a printer. Represents a user. Contains information needed for login and more. Represents a network share published in AD. Is actually a pointer to the share. A Message Queuing enables distributed applications running at different times to communicate across networks and with 5 computers that may be offline Graphic tools for managing AD Active Directory Users and Computers Create/manage user acc., group acc., computer acc., OU, printers, shared folders, policy objects, etc. Active Directory Sites and Services Active Directory Domains and Trusts 6 2

Command-line tools for managing AD dsadd for adding objects such as: user acc., group acc., OUs, etc. dsmod for modifying objects attributes dsmove for moving objects within AD dsrm for removing objects from AD 7 Dsadd user command-line Syntax: dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName] [-display DisplayName] [-empid EmployeeID] [-pwd {Password *}] [-desc Description] [-memberof Group;...] [-office Office] [-tel PhoneNumber] [-email Email] [-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title] [-dept Department] [- company Company] [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath] [-mustchpwd {yes no}] [-canchpwd {yes no}] [-reversiblepwd {yes no}] [-pwdneverexpires {yes no}] [-acctexpires NumberOfDays] [-disabled {yes no}] [{-s Server -d Domain}] [-u UserName] [-p {Password *}] [-q] [{-uc -uco -uci}] UserDN specifies the distinguished name of the user SAMName specifies the SAM account name (e.g. jdoe) UPN specifies the user principal name (e.g. jdoe@newcontoso.com) GroupDN specifies the distinguished names of the groups the user belongs to. 8 Creating OUs You should create an OU: To group objects that require similar administrative tasks. Example: Creating an OU for all temporary employees. To delegate administrative control to other users. You can create an OU under a domain, under a Domain Controller object, or within another OU To create an OU, you must have required permission to add OUs in the OU, under the domain or under the DC object. Note: By default, all members of the Administrators group have that permission 9 3

Creating OUs 1) Open the Active Directory Users and Computers snap-in 2) Select the domain or existing OU where you want to create the OU 3) Click the Action menu. Point to New, then click Organizational Unit. 4) Type the name of the new OU in the Name text box. Click OK 10 Exercise 1 Create a new OU named LastNameOU (where LastName is your last name). The new OU should be directly under your domain (e.g. region1.newcontoso.com) Note: It might take a few minutes before the replication take place. After replication, all users who are logged onto the domain can see the new OU. 11 Exercise 1 (continued) Suppose that the replication takes a long time to complete. What if two OUs with the same name are created? Explain what would happen. Open the Active Directory Users and Computers snap-in. Click Action/Refresh. How many OUs do you see? 12 4

Adding objects to OUs 1) Open the Active Directory Users and Computers snap-in 2) Select the OU you want to add the object to 3) Click the Action menu. Point to New 4) Click the type of object want to add. 5) Enter the appropriate information in the dialog box(es) that appear(s). Exercise 2 Add a new user and a new group to the OU you created earlier. It is up to you to choose the name of the user and the name of the group. 13 Delegating Administrative control of OUs 1) Open the Active Directory Users and Computers snap-in 2) Select the OU for which you want to delegate control 3) Click the Action menu. 4) Click Delegate Control to start the wizard 5) Follow the instructions. 14 Planning new User Accounts You should plan the naming conventions for user accounts. Points to consider in determining the naming convention Unique user logon name 20 characters maximum - Domain user account names must be unique to the directory - Local user account names must be unique on the computer The field accept more than 20 uppercase/lowercase characters, but W2003 recognizes only the first 20. Invalid characters Invalid characters are: / \ [ ] : ; =, + *? < > @ 15 5

Planning new User Accounts You should, also, plan Account options, such as logon hours, computers from which users can logon, and account expiration. Logon hours By default W2003 allows users to access 24/7. You can determine the logon days/hours. Computers from which users can logon By default, users can logon to the domain by using any computer in the domain. For security, you can restrict users to logging on only from their own computers. 16 Administering user accounts Use the Active Directory Users and Computers snap-in to create Domain user accounts Disabling and Enabling User Accounts Common Administrative tasks Lock/Unlocking User Accounts Resetting Passwords Moving User Accounts in a domain Account can be locked when the user violates a Group policy. No need to know the user password. Right-click the appropriate user account, and click Reset Password You can move an account from one OU to another. Object permissions assigned directly to the user account move with the user account. Permissions inherited from parent object no longer apply. 17 Administering user accounts: User Profiles A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data. Microsoft Windows 2003 creates a local user profile the first time you log on at a computer. By default, User profiles in the ntuser.dat file in the Documents and Settings\username folder 18 6

Administering user accounts: User Profiles Local User Profile Roaming User Profile Mandatory Profiles Default user profile stored in ntuser.dat Available on the local computer. Set on a network server. Stored in ntuser.dat No matter what computer you use to logon, W2003 apply your user profile settings to that computer. When you log off, W2003 copies changes made back to the server Read-Only Roaming User Profile stored in ntuser.man When the user logs off, W2003 doesn t save any changes made during the session. 19 Group type and Group scope Group type Used (with global or Security local scope) to secure domain resources Used for distribution Distribution list (i.e mail list). Used with a universal scope to secure resources all over the network. Client computer DC DC DC Member server Universal Domain local Local Group scope Resides in the Catalog. Could be assigned permissions on any resources. Normally contains users with some similarities (e.g. managers, executives, same division, etc.) from same domain. Exist in the domain s AD database. Typically contains users from the domain the users belong to. May contain groups from another domain if there is a trust relationship. Exist on the computer s local database: - on computers in a workgroup or - on Client or member server in a domain MS Win Pro Win Pro MS Win Pro 20 AGLP strategy Domain A Domain B Account 1 Account 2 Account 3 Account 1 Account 2 Account 3 Managers Local group Pay_Data Permissions Finance Executives Local group Color_Printer Permissions A G (D)L P 21 7

Understanding Universal groups catalog (stored on 1 st DC) contains partial information about any AD object in each domain Universal groups reside in the catalog, and can contain global groups Universal groups could be assigned permissions on network resources Low speed connections between sites/domains limit the use of universal groups in a multi-site network because the Catalog is regularly replicated to all domains. DC 56K catalog Universal group 1 3 2 T1 56K Note: Security Universal groups can only be created in native mode. To change mode: (1) Go to AD Users and Computers, (2) Right-click the domain, (3) Click Properties, (4) Click Change Mode 22 70-215:3 @ 18:00/33:00 AGUP strategy Create user accounts in each domain as needed Create appropriate global groups in each domain as needed and add individual accounts to them Create appropriate universal groups and add appropriate global groups to them Assign permissions on network resources to universal groups. Note: Microsoft suggests using an AGULP strategy A G U P 23 Built-in Groups 24 8

Special groups Can be seen in Security tab when assigning permissions Automatically generated. You cannot change their membership. 25 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information