ch05 - Seneca - School of Information & Communications

Lesson 5
Active Directory Administration
Skills Matrix
Technology Skill | Objective Domain | Objective #
Creating Users, Computers, and Groups | Automate creation of Active Directory accounts | 4.1
Creating Users, Computers, and Groups | Maintain Active Directory accounts | 4.2
Understanding User Accounts
• Three types of user accounts can be created and configured in Windows Server 2008:
– Local accounts.
– Domain accounts.
– Built-in user accounts.
Local Accounts
• Used to access the local computer only and stored in the local Security Account Manager (SAM) database on the computer where they reside.
• Never replicated to other computers, and these accounts have no domain access.
Domain Accounts
• Accounts used to access Active Directory or network-based resources, such as shared folders or printers.
• Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.
• A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
Built-in User Accounts
• Automatically created when Microsoft Windows Server 2008 is installed.
• Built-in user accounts are created on a member server or a standalone server.
– When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.
• By default, two built-in user accounts are created on a Windows Server 2008 computer:
– Administrator account.
– Guest account.
• Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.
Creating and Managing User Accounts
• User accounts are usually created and managed with Active Directory Users and Computers.
User Account Properties
Group Accounts
• Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
• A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
Recommended Group Strategy: AGUDLP
Group Accounts
• When a user logs on, an access token is created that identifies the user and all of the user's group memberships.
• This access token is used to verify a user's permissions when the user attempts to access a local or network resource.
• By using groups, multiple users can be given the same permission level for resources on the network.
• Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
Group Types
• Distribution groups – Non-security-related groups created for the distribution of information to one or more persons.
• Security groups – Security-related groups created for the purpose of granting resource access permissions to multiple users.
Group Nesting
• Users can be members of more than one group.
• Groups can contain other Active Directory objects, such as computers and other groups.
• Placing groups inside other groups is called group nesting.
Group Scopes
• Global
• Domain Local
• Universal
Using Global and Domain Local Groups
• Global
– These groups can include users, computers, and other global groups from the same domain.
– You can use them to organize users who have similar functions and therefore similar requirements on the network.
• Domain local
– These groups can include users, computers, and groups from any domain in the forest.
– They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.
• Assign users within a domain to global groups.
• Add global groups to domain local groups.
• Assign permissions to the domain local group.
Universal Groups
• These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.
• A universal group can include users, computers, and global groups from any domain in the forest.
• Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
AGUDLP
• Microsoft's approach to using groups:
– Add Accounts to Global groups.
– Add those Global groups to Universal groups.
– Add Universal groups to Domain Local groups.
– Finally, assign Permissions to the Domain Local groups.
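The AGUDLP chain above, carried through end to end as an added example (this is not the lesson's own code). It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT), a session allowed to create groups and edit the folder ACL, and placeholder values for the OU, users, domain, group names and share path.

```powershell
# Added example, not the lesson's own code: AGUDLP with the ActiveDirectory PowerShell module.
# Assumptions: the module is available (Windows Server 2008 R2 / RSAT), the session has rights
# to create groups and edit the folder ACL, and the OU, users, share path and names are placeholders.
Import-Module ActiveDirectory

$ou        = "OU=Groups,DC=corp,DC=example"   # placeholder OU that will hold the three groups
$sharePath = "D:\Shares\Finance"              # placeholder folder whose ACL receives the permission
$domain    = (Get-ADDomain).NetBIOSName

# A -> G: put the accounts in a global security group organised by job function.
# A global group can only hold principals from its own domain.
New-ADGroup -Name "G-Finance-Staff" -SamAccountName "G-Finance-Staff" `
    -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G-Finance-Staff" -Members "alice", "bob"   # placeholder users

# G -> U: nest the global group in a universal group. Universal membership is replicated to
# every global catalog in the forest, so nest groups here rather than individual users.
New-ADGroup -Name "U-Finance-All" -SamAccountName "U-Finance-All" `
    -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "U-Finance-All" -Members "G-Finance-Staff"

# U -> DL: nest the universal group in the domain local group that represents the resource.
New-ADGroup -Name "DL-Finance-Modify" -SamAccountName "DL-Finance-Modify" `
    -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-Finance-Modify" -Members "U-Finance-All"

# DL -> P: the ACL entry names only the domain local group, never users or global groups.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "$domain\DL-Finance-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check the chain from the ACL entry back to the accounts; -Recursive expands the nesting.
# Members added above still need to log off and on before their token includes the new groups.
Get-ADGroupMember -Identity "DL-Finance-Modify" -Recursive | Select-Object Name, objectClass
```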
Creating and Managing Groups
• Creating and managing groups is usually done with Active Directory Users and Computers.
Group Properties
Working with Default Groups
• Account Operators – Can create, modify, and delete accounts for users, groups, and computers in all containers and OUs.
– Cannot modify the Administrators, Domain Admins, and Enterprise Admins groups.
• Administrators – Complete and unrestricted access to the computer or domain controller.
• Backup Operators – Can back up and restore all files on the computer.
• Guests – Same privileges as members of the Users group.
– Disabled by default.
• Print Operators – Can manage printers and document queues.
• Server Operators – Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer, and modify the system date and time.
• Users – Allows general access to run applications, use printers, shut down and start the computer, and use network shares for which they are assigned permissions.
• DNSAdmins – Permits administrative access to the DNS Server service.
• Domain Admins – Can perform administrative tasks on any computer anywhere in the domain.
• Domain Computers – Contains all computers.
– Used to make computer management easier through group policies.
• Domain Controllers – Contains all computers installed in the domain as a domain controller.
• Domain Guests – Members include all domain guests.
• Domain Users – Members include all domain users.
– Used to assign permissions to all users in the domain.
• Enterprise Admins – Members have the global administrative privileges associated with this group, such as the ability to create and delete domains.
• Schema Admins – Members can manage and modify the Active Directory schema.
Special Identity Groups and Local Groups
• Authenticated Users – Used to allow controlled access to resources throughout the forest or domain.
• Everyone – Used to provide access to resources for all users and guests.
– Assigning this group to resources is not recommended.
Group Implementation Plan
• A plan that states who has the ability and responsibility to create, delete, and manage groups.
• A policy that states how domain local, global, and universal groups are to be used.
• A policy that states guidelines for creating new groups and deleting old groups.
• A naming standards document to keep group names consistent.
• A standard for group nesting.
Creating Users and Groups
• Active Directory Users and Computers.
• DS command-line tools, e.g. dsadd user.
• Batch files.
• Comma-Separated Value Directory Exchange (CSVDE).
• LDAP Data Interchange Format Directory Exchange (LDIFDE).
• Windows Script Host (WSH).
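One of the bulk methods listed above, CSVDE, worked through as an added example that is not part of the lesson: the import itself cannot carry passwords, so the accounts have to be created disabled and then given a password and enabled in a second pass. It assumes csvde.exe is on the path (a domain controller or RSAT), the ActiveDirectory module is available (Windows Server 2008 R2 or RSAT), and that the OU, domain and user names are placeholders.

```powershell
# Added example, not the lesson's own code: bulk user creation with CSVDE, then enabling the
# accounts with the ActiveDirectory module. Assumptions: csvde.exe is on the path (domain
# controller or RSAT), the module is available (2008 R2 / RSAT), OU and names are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web     # for Membership.GeneratePassword

$ou  = "OU=Staff,DC=corp,DC=example"  # placeholder OU; must already exist
$csv = Join-Path $env:TEMP "newusers.csv"

# Constructed sample input. CSVDE cannot import passwords, so the accounts are created
# disabled: userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). Importing
# them enabled (512) with no password is refused under any policy that forbids blank passwords.
@"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=Alice Example,$ou",user,alice,alice@corp.example,Alice,Example,Alice Example,514
"CN=Bob Example,$ou",user,bob,bob@corp.example,Bob,Example,Bob Example,514
"@ | Set-Content -Path $csv -Encoding ASCII

# -i import mode, -f input file, -k keep going past per-object errors (e.g. object already exists)
csvde -i -f $csv -k
if ($LASTEXITCODE -ne 0) { throw "csvde failed with exit code $LASTEXITCODE" }
Remove-Item $csv   # nothing secret in it, but leave no stale input for a later import to reuse

# Second pass: give each account its own random initial password and only then enable it,
# forcing a change at first logon so the administrator does not keep a usable password.
foreach ($sam in "alice", "bob") {
    $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    Set-ADAccountPassword -Identity $sam -Reset `
        -NewPassword (ConvertTo-SecureString $initial -AsPlainText -Force)
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
    # $initial is handed to the user out of band; it is deliberately not written anywhere here
}

# Verify: each account should be enabled with pwdLastSet 0 (password change required at logon)
Get-ADUser -Filter 'sAMAccountName -eq "alice" -or sAMAccountName -eq "bob"' -Properties pwdLastSet |
    Select-Object SamAccountName, Enabled, pwdLastSet
```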
Summary
• Three types of user accounts exist in Windows Server 2008:
– Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
– Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
– Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
• The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008.
– It can be renamed, but it cannot be deleted.
• The Guest account is a built-in account used to assign temporary access to resources.
– It can be renamed, but it cannot be deleted.
– This account is disabled by default, and the password can be left blank.
• Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).
• Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
• Global groups are used to organize domain users according to their resource access needs.
– Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
• Universal groups are used to provide access to resources anywhere in the forest.
– Their membership lists can contain global groups and users from any domain.
– Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
• The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group, and then assigns permissions to the domain local group.
• Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.
• Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.