Lesson 5 Active Directory Administration Skills Matrix Technology Skill Objective Domain Objective # Creating Users, Computers, and Groups Automate creation of 4.1 Active Directory accounts Creating Users, Computers, and Groups Maintain Active Directory accounts 4.2 Understanding User Accounts • Three types of user accounts can be created and configured in Windows Server 2008: – Local accounts. – Domain accounts. – Built-in user accounts. Local Accounts • Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside. • Never replicated to other computers, nor do these accounts have domain access. Domain Accounts • Accounts used to access Active Directory or network-based resources, such as shared folders or printers. • Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain. • A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest. Built-in User Accounts • Automatically created when Microsoft Windows Server 2008 is installed. • Built-in user accounts are created on a member server or a standalone server. – When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled. Built-in User Accounts • By default, two built-in user accounts are created on a Windows Server 2008 computer: – Administrator account. – Guest account. • Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller. Creating and Managing User Accounts • User accounts are usually created and managed with Active Directory Users and Computers. User Account Properties User Account Properties User Account Properties Group Accounts • Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. • A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources. RECOMMENDED GROUP STRATEGY AGUDLP Group Accounts • When a user logs on, an access token is created that identifies the user and all of the user’s group memberships. • This access token is used to verify a user’s permissions when the user attempts to access a local or network resource. • By using groups, multiple users can be given the same permission level for resources on the network. • Since a user’s access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect. Group Types • Distribution groups – Non-security-related groups created for the distribution of information to one or more persons. • Security groups - Security-related groups created for purposes of granting resource access permissions to multiple users. Group Nesting • Users can be members of more than one group. • Groups can contain other Active Directory objects, such as computers, and other groups. • Groups containing groups is called group nesting. Group Scopes • Global • Domain Local • Universal Using Global and Domain Local Groups • Global – These groups can include users, computers, and other global groups from the same domain. – You can use them to organize users who have similar functions and therefore similar requirements on the network. • Domain local – These groups can include users, computers, and groups from any domain in the forest. – They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located. Using Global and Domain Local Groups • Assign users within a domain to global groups. • Add global groups to domain local groups. • Assign permissions to domain local group. Universal Groups • These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest. • A universal group can include users, computers, and global groups from any domain in the forest. • Changes to universal group membership lists are replicated to all global catalog servers throughout the forest. AGUDLP • Microsoft approach to using groups: – add Accounts to Global groups. – add those global groups to Universal groups. – Add universal groups to Domain Local groups. – Finally, assign Permissions to the domain local groups. Creating and Managing Groups • Creating and managing groups is usually done with Active Directory Users and Computers. Group Properties Group Properties Working with Default Groups • Account Operators – Can create, modify and delete accounts for users, groups, and computers in all containers and OUs. – Cannot modify administrators, domain admins and enterprise admin groups. • Administrators – Complete and unrestricted access to the computer or domain controller. • Backup Operators - Can back up and restore all files on the computer. Working with Default Groups • Guests – Same privileges as members of the Users group. – Disabled by default • Print Operators – Can manage printers and document queues. • Server Operators – Can log on a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shutdown the computer and modify the system date and time. Working with Default Groups • Users – Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions. • DNSAdmins – Permits administrative access to the DNS server service. Working with Default Groups • Domain Admins – Can perform administrative tasks on any computer anywhere in the domain. • Domain Computers – Contains all computers. – Used to make computer management easier through group policies. • Domain Controllers – Contains all computers installed in the domain as a domain controller. Working with Default Groups • Domain Guests – Members include all domain guests. • Domain Users – Members include all domain users. – Used to assign permissions to all users in the domain. • Enterprise Admins – Allows the global administrative privileges associated with this group, such as the ability to create and delete domains. Working with Default Groups • Schema Admins – Members can manage and modify the Active Directory schema. Special Identity Groups and Local Groups • Authenticated Users – Used to allow controlled access to resources throughout the forest or domain. • Everyone – Used to provide access to resource for all users and guest. – Not recommended to assign this group to resources. Group Implementation Plan • A plan that states who has the ability and responsibility to create, delete, and manage groups. • A policy that states how domain local, global, and universal groups are to be used. • A policy that states guidelines for creating new groups and deleting old groups. • A naming standards document to keep group names consistent. • A standard for group nesting. Creating Users and Groups • Active Directory Users and Computers. • DS command line i.e. – dsadd user • Batch files. • Comma-Separated Value Directory Exchange (CSVDE). • LDAP Data Interchange Format Directory Exchange (LDIFDE). • Windows Script Host (WSH). Summary • Three types of user accounts exist in Windows Server 2008: – Local user accounts reside on a local computer and are not replicated to other computers by Active Directory. – Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain. – Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller. Summary • The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008. – It can be renamed, but it cannot be deleted. • The Guest account is a built-in account used to assign temporary access to resources. – It can be renamed, but it cannot be deleted. – This account is disabled by default and the password can be left blank. Summary • Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal). • Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list. Summary • Global groups are used to organize domain users according to their resource access needs. – Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources. Summary • Universal groups are used to provide access to resources anywhere in the forest. – Their membership lists can contain global groups and users from any domain. – Changes to universal group membership lists are replicated to all global catalog servers throughout the forest. Summary • The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group. Summary • Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments. • Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.