Chapter 4: Implementing and Managing Group and Computer Accounts. Objectives


70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 4: Implementing and Managing Group and Computer Accounts

Objectives
- Understand the purpose of using group accounts to simplify administration
- Create group objects using both graphical and command-line tools
- Understand the difference between security groups and distribution groups
- Understand group scopes: Global, Domain Local and Universal
- Explain the purpose of the built-in groups created when Active Directory is installed
- Create and manage computer accounts

Introduction to Group Accounts
- A group is a container object
- Used to refer to collections of users, computers, contacts, and other groups
- Used to simplify administration
- Differences between OUs and groups:
  - OUs are not security principals; groups are
  - OUs can only contain objects from their own domain; groups can contain members from anywhere within the forest

Group Type
- Used to define how the group can be used within an Active Directory domain or forest
- Security groups
  - Defined by a Security Identifier (SID)
  - Can be assigned permissions for resources
  - Can be assigned rights to perform different tasks
  - Can also be used as e-mail entities
- Distribution groups
  - Primarily used as e-mail entities
  - Do not have an associated SID

Group Scopes
- Scope refers to the logical boundary within which a group can be assigned permissions to a specific resource in the domain or forest
- Both security and distribution groups have scopes
- Three scopes: Global, Domain Local, Universal

Group Scopes (continued)
- The objects possible within each scope depend on the configured functional level of the domain
- Three domain functional levels:
  - Windows 2000 mixed: default configuration; supports a combination of Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 domain controllers
  - Windows 2000 native: supports a combination of Windows 2000 Server and Windows Server 2003 domain controllers
  - Windows Server 2003: supports Windows Server 2003 domain controllers only

Global Groups
- Organize users, computers, and groups within the same domain
- Usually represent a geographic location or a job function
- The types of objects allowed in the group depend on the configured functional level of the domain
- Windows 2000 mixed functional level
  - Can contain user accounts from the same domain
  - Can be added to local groups or domain local groups in any domain
- Windows 2000 native or Windows Server 2003 functional level
  - Can contain user accounts or other global groups from the same domain
  - Can be added to universal groups
  - Can be added to local groups or domain local groups in any domain

Domain Local Groups
- Created on domain controllers
- Can be assigned rights and permissions to any resource within the same domain
- Can contain groups from other domains
- The specific objects allowed in the group depend on the configured functional level of the domain
- Windows 2000 mixed functional level
  - Can contain user accounts from any domain
  - Can contain global groups from any domain
- Windows 2000 native or Windows Server 2003 functional level
  - Can contain user accounts from any domain
  - Can contain global groups from any domain
  - Can contain universal groups
  - Can contain other domain local groups from the same domain

Universal Groups
- Typically created to aggregate users or groups from different domains
- Stored on domain controllers configured as global catalog servers
- Can be assigned rights and permissions for any resource within a forest
- Can only be created at the Windows 2000 native or Windows Server 2003 domain functional level
- Can contain user accounts from any trusted domain
- Can contain global groups from any trusted domain
- Can contain other universal groups

Group Scope Summary (summary table; content not included in this transcription)

Creating Group Objects
- Group objects are stored in the Active Directory database
- A variety of tools can be used for creation and management:
  - Active Directory Users and Computers
  - Command-line utilities: DSADD, DSMOD, DSQUERY, etc.

Active Directory Users and Computers
- Primary tool for creating group accounts
- Can also be used to configure the properties of group accounts
- Groups can be created in any built-in container, at the root of the domain object, or in custom OU objects
- The possible group scopes are determined by the functional level the domain is configured to

Converting Group Types
- You may need to change a security group to a distribution group, or vice versa
- The type of a group can only be changed if the domain functional level is Windows 2000 native or above

Converting Group Scopes
- The scope of a group can be changed
- The domain functional level must be at least Windows 2000 native
- Supported changes:
  - Global to universal
  - Domain local to universal
  - Universal to global
  - Universal to domain local

Command-Line Utilities
- An alternative to Active Directory Users and Computers
- Some administrators prefer command-line utilities
- Command-line utilities are more flexible for group creation and management in some situations

DSADD
- Introduced in Windows Server 2003
- Used to create new user and group accounts
- Syntax: dsadd group distinguished-name switches
- Switches include: -secgrp, -scope, -memberof, -members
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line

DSMOD
- Also introduced in Windows Server 2003
- Allows various object types to be modified from the command line
- Syntax: dsmod group distinguished-name switches
- Switches include: -desc, -rmmbr, -addmbr
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line

DSQUERY
- Also introduced in Windows Server 2003
- Used to query various object types from the command line; returns the matching values
- Syntax for groups: dsquery group query
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line

DSMOVE
- Used to move or rename various object types from the command line
- Syntax for groups: dsmove distinguished-name switches
- Switches include: -newparent, -newname
- Can only be used for objects within a single domain
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line

DSRM
- Used to delete various object types from the command line
- Syntax for groups: dsrm distinguished-name switches
- Switches include: -noprompt
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line

Security Group Strategies (Best Practice)
- Windows 2000 mixed domain functional level
  - Users should be members of global security groups
  - Global security groups should be members of domain local security groups
  - Permissions to resources should be assigned to domain local security groups
- Windows 2000 native and Windows Server 2003 domain functional level
  - Users should be members of global security groups
  - Global security groups should be members of universal security groups
  - Universal security groups should be members of domain local security groups
  - Permissions to resources should be assigned to domain local security groups

Managing Security Groups
- The strategy for managing security groups uses the acronym A G U DL P:
  1. Create user Accounts (A) and organize them within Global groups (G)
  2. Optional: create Universal groups (U) and place global groups from any domain in the universal groups
  3. Create Domain Local groups (DL) and add the global and universal groups
  4. Assign Permissions (P) to the domain local groups
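The nesting rules from the Global, Domain Local and Universal group slides, the scope-conversion rules, and the A-G-(U)-DL-P strategy can all be checked mechanically before anything is typed into dsadd or dsmod. The script below is an added example and is not code from the textbook or from Microsoft: the level names (mixed/native), the function names and the DNs in main() are constructed here. It encodes the chapter's containment rules as a table, uses them to validate a group design, and emits the dsadd/dsmod lines (using only the -secgrp, -scope, -members and -addmbr switches named on the slides) that build one A-G-(U)-DL chain.

```python
"""Group scope nesting and conversion rules from the chapter, encoded as
checks, plus a generator for the dsadd/dsmod lines of an A-G-(U)-DL chain.
Added example, not textbook code; level names, function names and the DNs
used in main() are all constructed here."""

MIXED = "mixed"    # Windows 2000 mixed
NATIVE = "native"  # Windows 2000 native or Windows Server 2003 (same rules here)

USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain_local", "universal"

# (container scope, functional level) -> {(member kind, same-domain-only?)}
# taken straight from the Global / Domain Local / Universal group slides.
_NESTING = {
    (GLOBAL, MIXED):        {(USER, True)},
    (GLOBAL, NATIVE):       {(USER, True), (GLOBAL, True)},
    (DOMAIN_LOCAL, MIXED):  {(USER, False), (GLOBAL, False)},
    (DOMAIN_LOCAL, NATIVE): {(USER, False), (GLOBAL, False), (UNIVERSAL, False),
                             (DOMAIN_LOCAL, True)},
    (UNIVERSAL, NATIVE):    {(USER, False), (GLOBAL, False), (UNIVERSAL, False)},
    # No (UNIVERSAL, MIXED) entry: universal groups need native level or above.
}

# Supported scope conversions; all of them require native level or above.
_CONVERSIONS = {(GLOBAL, UNIVERSAL), (DOMAIN_LOCAL, UNIVERSAL),
                (UNIVERSAL, GLOBAL), (UNIVERSAL, DOMAIN_LOCAL)}


def can_contain(container, member, same_domain, level):
    """True if a group of scope `container` may hold a `member` of the given
    kind at functional `level`; `same_domain` says whether the member lives
    in the container's own domain."""
    for kind, same_domain_only in _NESTING.get((container, level), ()):
        if kind == member and (same_domain or not same_domain_only):
            return True
    return False


def can_convert_scope(old, new, level):
    return level == NATIVE and (old, new) in _CONVERSIONS


def can_convert_type(level):
    """Security <-> distribution conversion is only allowed at native or above."""
    return level == NATIVE


def _quote(dn):
    return f'"{dn}"'


def agudlp_commands(user_dns, global_dn, dl_dn, level, universal_dn=None):
    """dsadd/dsmod lines that build A -> G -> (U) -> DL. The P step (granting
    the domain local group permissions on the resource) is done on the
    resource itself, so it is not emitted. Each nesting step is checked
    against the level's rules; all groups are assumed to be in one domain."""
    if universal_dn is not None and (UNIVERSAL, level) not in _NESTING:
        raise ValueError("universal groups require Windows 2000 native or above")
    cmds = [
        f"dsadd group {_quote(global_dn)} -secgrp yes -scope g -members "
        + " ".join(_quote(u) for u in user_dns),
        f"dsadd group {_quote(dl_dn)} -secgrp yes -scope l",
    ]
    if universal_dn is None:
        if not can_contain(DOMAIN_LOCAL, GLOBAL, True, level):
            raise ValueError("domain local group cannot contain the global group")
        cmds.append(f"dsmod group {_quote(dl_dn)} -addmbr {_quote(global_dn)}")
    else:
        if not (can_contain(UNIVERSAL, GLOBAL, True, level)
                and can_contain(DOMAIN_LOCAL, UNIVERSAL, True, level)):
            raise ValueError("nesting not allowed at this functional level")
        cmds.append(f"dsadd group {_quote(universal_dn)} -secgrp yes -scope u "
                    f"-members {_quote(global_dn)}")
        cmds.append(f"dsmod group {_quote(dl_dn)} -addmbr {_quote(universal_dn)}")
    return cmds


if __name__ == "__main__":
    # Constructed DNs for a single example.com domain.
    base = "DC=example,DC=com"
    print("\n".join(agudlp_commands(
        [f"CN=Alice,OU=Users,{base}", f"CN=Bob,OU=Users,{base}"],
        f"CN=G Sales,OU=Groups,{base}",
        f"CN=DL Sales Share Modify,OU=Groups,{base}",
        NATIVE,
        universal_dn=f"CN=U Sales All,OU=Groups,{base}",
    )))
```

Running it prints the four command lines for the native-level chain; passing MIXED with a universal_dn raises instead of emitting commands the domain controller would reject. The -scope values g, l and u are the ones dsadd accepts for global, domain local and universal groups.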

Determining Group Membership
- An important task for administrators is to ensure that users are members of the correct groups
- One method is the Member Of tab in the properties of a user account
  - Only shows the first level of groups (not groups of groups)
- A second method is to use DSGET
  - Returns values for a query

Determining Group Membership (continued)
- Syntax: dsget group distinguished-name switches
- Switches include: -members, -memberof
- Can also be used as dsget user to get membership information about a specific user
- Output can be saved to a file: dsget group distinguished-name switches >> filename
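Because the Member Of tab (and a single dsget group -members call) shows only one level, effective membership has to be expanded by following group-in-group links, and that expansion is where a first-level review misses principals who have inherited rights through nesting. The script below is an added example, not from the textbook: the example.com directory it works on is constructed inline, in the shape that one dsget group -members call per group would report, and it includes a nesting loop so the expansion can be seen to terminate.

```python
"""Transitive (nested) group membership over first-level data. The Member Of
tab and `dsget group <DN> -members` each show one level only, so effective
membership is found by following group-in-group links. Added example, not
textbook code; the directory below is constructed."""

from collections import deque

BASE = "DC=example,DC=com"


def _dn(cn, container="OU=Groups"):
    return f"CN={cn},{container},{BASE}"


ALICE, BOB, CAROL = (_dn(n, "OU=Users") for n in ("Alice", "Bob", "Carol"))
SALES_USERS = _dn("G Sales Users")
SALES_STAFF = _dn("G Sales Staff")
SALES_SHARE = _dn("DL Sales Share Modify")
HELPDESK = _dn("G Helpdesk")
ACCOUNT_OPERATORS = _dn("Account Operators", "CN=Builtin")
LOOP_A, LOOP_B = _dn("Loop A"), _dn("Loop B")

# Constructed direct membership (group DN -> direct members), as one
# `dsget group <DN> -members` call per group would report it.
DIRECT_MEMBERS = {
    SALES_USERS: [ALICE, BOB],
    SALES_STAFF: [SALES_USERS],
    SALES_SHARE: [SALES_STAFF],
    HELPDESK: [BOB],
    ACCOUNT_OPERATORS: [HELPDESK],   # built-in domain local group holding a global group
    LOOP_A: [LOOP_B],                # a nesting loop, which the expansion must survive
    LOOP_B: [LOOP_A, CAROL],
}


def is_group(dn, direct=DIRECT_MEMBERS):
    return dn in direct


def direct_member_of(dn, direct=DIRECT_MEMBERS):
    """First level only: what the Member Of tab for `dn` would list."""
    return {g for g, members in direct.items() if dn in members}


def effective_member_of(dn, direct=DIRECT_MEMBERS):
    """All groups `dn` belongs to, directly or through nesting."""
    seen, queue = set(), deque([dn])
    while queue:
        current = queue.popleft()
        for g in direct_member_of(current, direct):
            if g not in seen:          # the visited set breaks nesting loops
                seen.add(g)
                queue.append(g)
    return seen


def effective_members(group, direct=DIRECT_MEMBERS):
    """All non-group principals reachable from `group` through nested groups."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for m in direct.get(queue.popleft(), []):
            if is_group(m, direct):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:
                users.add(m)
    return users


def nested_only_members(group, direct=DIRECT_MEMBERS):
    """Principals that hold `group`'s rights without appearing in its own
    member list: the ones a first-level review misses."""
    direct_users = {m for m in direct.get(group, []) if not is_group(m, direct)}
    return effective_members(group, direct) - direct_users


if __name__ == "__main__":
    print("Bob, first level:", sorted(direct_member_of(BOB)))
    print("Bob, effective:  ", sorted(effective_member_of(BOB)))
    print("Account Operators via nesting only:",
          sorted(nested_only_members(ACCOUNT_OPERATORS)))
```

In the constructed data Bob's Member Of tab lists two groups, but his effective membership includes the built-in Account Operators group through G Helpdesk. Note that the Windows Server 2003 dsget also has an -expand switch (dsget user distinguished-name -memberof -expand) that performs this recursive display itself; the slide does not mention it, so the script above is useful mainly as the model of what that switch has to do and for checking its output.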

Built-In Groups
- When Windows Server 2003 Active Directory is installed:
  - Built-in groups are created automatically
  - Rights are pre-assigned
  - They are stored in the Builtin container and the Users container
- Use built-in groups where possible
  - Eases implementation of security rights

The Builtin Container
- Contains a number of domain local group accounts
- These are allocated different user rights based on common administrative or network-related tasks

The Builtin Container (continued) (two table slides; content not included in this transcription)

The Users Container
- Contains a number of domain local and global group accounts
- Some groups are found only in the root domain of an Active Directory forest rather than in individual domains

The Users Container (continued) (table slide; content not included in this transcription)

Creating and Managing Computer Accounts
- Computer accounts are needed for Windows NT 4.0, 2000, XP, and Server 2003 computers
- Can be created during installation or added manually later
- Creation and management tools:
  - Active Directory Users and Computers
  - System applet in Control Panel
  - Command-line utilities

Resetting Computer Accounts
- Secure channel
  - Used by computers that are domain members to communicate with a domain controller
  - Uses a password that is changed every 30 days
  - Automatically synchronized between the domain controller and the workstation
- Occasional synchronization issues arise
  - The administrator must reset the computer account
  - Using Active Directory Users and Computers or the Netdom.exe command from the Windows Support Tools (netdom is only available after installing the support tools from the OS CD: \support\tools\suptools.msi)

Summary
- Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
- Two group types:
  - Security groups
  - Distribution groups
- Three scopes possible for groups:
  - Global groups
  - Domain local groups
  - Universal groups

Summary (continued)
- Group and computer accounts can be created and managed:
  - From Active Directory Users and Computers
  - From command-line utilities
- The Builtin and Users containers, and the groups in them, are automatically created at installation with specific pre-assigned rights and permissions
- Windows NT 4.0, 2000, XP, and Server 2003 computers require computer accounts in Active Directory