Lesson 5 Working with Default Groups

Active Directory
Administration
Lesson 5
Skills Matrix

Technology Skill | Objective Domain | Objective #
Creating Users, Computers, and Groups | Automate creation of Active Directory accounts | 4.1
Creating Users, Computers, and Groups | Maintain Active Directory accounts | 4.2
Understanding User Accounts

Local accounts

Domain accounts

Built-in user accounts
Understanding Group Accounts

Distribution groups

Security groups
Working with Default Groups

Account Operators

Administrators

Backup Operators

Certificate Services DCOM Access

Cryptographic Operators

Distributed COM Users

Event Log Readers

Guests

IIS_IUSRS

Incoming Forest Trust Builders

Network Configuration Operators

Performance Log Users

Performance Monitor Users

Pre-Windows 2000 Compatible Access

Print Operators

Remote Desktop Users

Replicator

Server Operators

Terminal Server License Servers

Users

Windows Authorization Access Group

Allowed RODC Password Replication Group

Cert Publishers

Denied RODC Password Replication Group

DnsAdmins

DnsUpdateProxy

Domain Admins

Domain Computers

Domain Controllers

Domain Guests

Domain Users

Enterprise Admins

Enterprise Read-Only Domain Controllers

Group Policy Creator Owners

RAS and IAS Servers

Read-Only Domain Controllers

Schema Admins
Understanding Special Identity
Groups and Local Groups

Anonymous Logon

Authenticated Users

Batch

Creator Group

Creator Owner

Dial-up

Digest Authentication

Enterprise Domain Controllers

Everyone

Interactive

IUSR

Local Service

Network

Network Service

Remote Interactive Logon

Restricted

Self

Service

System

Terminal Server User
Developing a Group
Implementation Plan

Group implementation plan:

A plan that states who has the ability and
responsibility to create, delete, and manage
groups

A policy that states how domain local, global,
and universal groups are to be used

A policy that states guidelines for creating new
groups and deleting old groups

A naming standards document to keep group
names consistent

A standard for group nesting
Creating Users and Groups

Batch files

Comma-Separated Value Directory Exchange
(CSVDE)

LDAP Data Interchange Format Directory
Exchange (LDIFDE)

Windows Script Host (WSH)
You Learned

Three types of user accounts exist in Windows
Server 2008: local user accounts, domain user
accounts, and built-in user accounts. Local user
accounts reside on a local computer and are not
replicated to other computers by Active Directory.
Domain user accounts are created and stored in
Active Directory and replicated to all domain
controllers within a domain. Built-in user accounts
are automatically created when the operating system
is installed and when a member server is promoted
to a domain controller.
Summary

The Administrator account is a built-in domain
account that serves as the primary supervisory
account in Windows Server 2008. It can be
renamed, but it cannot be deleted. The Guest
account is a built-in account used to assign
temporary access to resources. It can be
renamed, but it cannot be deleted. This account
is disabled by default, and the password can be
left blank.
• Windows Server 2008 group options include
two types: security and distribution, and three
scopes: domain local, global, and universal.
• Domain local groups are placed on the ACL of
resources and assigned permissions. They
typically contain global groups in their
membership list.
• Global groups are used to organize domain
users according to their resource access needs.
Global groups are placed in the membership list
of domain local groups, which are then assigned
the desired permissions to resources.
• Universal groups are used to provide access to
resources anywhere in the forest. Their
membership lists can contain global groups and
users from any domain. Changes to universal
group membership lists are replicated to all
global catalog servers throughout the forest.
• The recommended permission assignment
strategy places users needing access
permissions in a global group, the global group
in a universal group, and the universal group in
a domain local group and then assigns
permissions to the domain local group.
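
The nesting strategy above can be checked mechanically against a membership export. The following Python audit is an added example, not part of the original slides; the policy table and every account, group and share name in it are constructed assumptions.

```python
# Added example: audit group nesting against the strategy summarized above.
# Every account, group and share name here is constructed sample data.
# Assumed policy table: which member kinds each group scope may hold directly.
ALLOWED_MEMBERS = {
    "global": {"user"},
    "universal": {"global"},
    "domain_local": {"global", "universal"},
}

# Constructed snapshot: name -> (kind, direct members)
DIRECTORY = {
    "alice": ("user", []),
    "bob": ("user", []),
    "GG-Sales-Staff": ("global", ["alice", "bob"]),
    "UG-Sales-All": ("universal", ["GG-Sales-Staff"]),
    "DL-SalesShare-Modify": ("domain_local", ["UG-Sales-All"]),
    "DL-Payroll-Read": ("domain_local", ["bob", "UG-Sales-All"]),
}
# Constructed ACL entries: (resource, trustee named on the ACL)
ACL_ENTRIES = [
    (r"\\fs01\sales", "DL-SalesShare-Modify"),
    (r"\\fs01\payroll", "DL-Payroll-Read"),
    (r"\\fs01\payroll", "GG-Sales-Staff"),
]

def audit_nesting(directory):
    """Return (group, member, reason) for each membership that breaks the policy."""
    findings = []
    for group, (kind, members) in sorted(directory.items()):
        for member in members:
            member_kind = directory[member][0]
            if member_kind not in ALLOWED_MEMBERS[kind]:
                findings.append((group, member, f"{member_kind} directly in {kind} group"))
    return findings

def audit_acls(directory, acl_entries):
    """Return ACL entries whose trustee is not a domain local group."""
    return [(res, who) for res, who in acl_entries if directory[who][0] != "domain_local"]

def effective_users(directory, name, seen=None):
    """Expand nested membership to user accounts, tolerating circular nesting."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    kind, members = directory[name]
    if kind == "user":
        return {name}
    return set().union(*(effective_users(directory, m, seen) for m in members))
```
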
• Group nesting is the process of placing group
accounts in the membership of other group
accounts for the purpose of simplifying
permission assignments.
• Multiple users and groups can be created in
Active Directory by using several methods.
Windows Server 2008 offers the ability to use
batch files, CSVDE, LDIFDE, and WSH to
accomplish your administrative goals.
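
As an added example (not from the original slides), this Python script writes the LDIF that LDIFDE would import to create a nested global, universal and domain local security group set, rejecting names that break a naming standard before anything reaches the directory. The domain, OUs, group names and the GG-/UG-/DL- prefix rule are constructed assumptions, and the user DNs are assumed to exist already.

```python
# Added example: build an LDIFDE import file for nested security groups.
# Domain, OUs, names and the GG-/UG-/DL- prefix rule are constructed assumptions.
import re

SECURITY_ENABLED = 0x80000000
# scope -> (groupType scope flag, name prefix required by the assumed naming standard)
SCOPES = {"global": (0x2, "GG-"), "universal": (0x8, "UG-"), "domain_local": (0x4, "DL-")}
CREATE_ORDER = ["global", "universal", "domain_local"]  # members before containers
NAME_RE = re.compile(r"[A-Za-z0-9-]{4,64}")  # nothing that needs DN or LDIF escaping

def group_type(scope, security=True):
    """groupType value as Active Directory stores it (signed 32-bit integer)."""
    flag = SCOPES[scope][0]
    return (flag | SECURITY_ENABLED) - 2**32 if security else flag

def group_record(name, scope, ou_dn, member_dns=()):
    """One LDIF add record; rejects names that break the naming standard."""
    if not NAME_RE.fullmatch(name) or not name.startswith(SCOPES[scope][1]):
        raise ValueError(f"{name!r} violates the naming standard for {scope} groups")
    lines = [
        f"dn: CN={name},{ou_dn}",
        "changetype: add",
        "objectClass: group",
        f"sAMAccountName: {name}",
        f"groupType: {group_type(scope)}",
    ]
    lines += [f"member: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"

def build_ldif(groups, ou_dn):
    """Emit records so every nested group exists before the group that contains it."""
    ordered = sorted(groups, key=lambda g: CREATE_ORDER.index(g[1]))
    return "\n".join(group_record(n, s, ou_dn, m) for n, s, m in ordered)

OU = "OU=Groups,DC=example,DC=com"  # constructed
SAMPLE_GROUPS = [  # (name, scope, member DNs); user DNs assumed to exist already
    ("DL-SalesShare-Modify", "domain_local", [f"CN=UG-Sales-All,{OU}"]),
    ("UG-Sales-All", "universal", [f"CN=GG-Sales-Staff,{OU}"]),
    ("GG-Sales-Staff", "global", ["CN=Alice Example,OU=Staff,DC=example,DC=com"]),
]

if __name__ == "__main__":
    # Save the output as groups.ldf and import it with: ldifde -i -f groups.ldf
    print(build_ldif(SAMPLE_GROUPS, OU))
```
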