CN1276 Server (V3)
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCTS, MCDST, MCP, A+

Agenda
• Chapter 5: Active Directory Administration
• Quiz
• Exercise

Understanding User Accounts
• Three types of user accounts can be created and configured in Windows Server 2008:
 ▫ Local accounts
 ▫ Domain accounts
 ▫ Built-in user accounts

Security guidelines
• Rename the Administrator account
 ▫ Set a strong password
• Limit knowledge of administrator passwords to only a few individuals
• Do not use the Administrator account for daily non-administrative tasks
• Rename the Guest account after enabling it for use
 ▫ Set a strong password

Group Accounts
• Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
• A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Types
• Distribution groups
 ▫ Non-security-related groups created for the distribution of information to one or more persons.
• Security groups
 ▫ Security-related groups created for the purpose of granting resource access permissions to multiple users.

Group Nesting
• Users can be members of more than one group.
• Groups can contain other Active Directory objects, such as computers, and other groups.
• A group that contains other groups is an example of group nesting.
Group Scopes
• Domain Local
 ▫ These groups can include users, computers, global groups, and universal groups from any domain.
 ▫ Used to assign permissions to any resource in the domain in which the group is located.
• Global
 ▫ These groups can include users, computers, and global groups only from within the same domain.
 ▫ Used to assign permissions to resources that reside in any domain in the forest.
 ▫ Global group memberships are replicated only to DCs within the same domain.
• Universal
 ▫ Same as a global group, but the group membership should not change frequently because these groups are stored in the GC (global catalog).

Using Global and Domain Local Groups
• Assign users within a domain to global groups.
• Add global groups to domain local groups.
• Assign permissions to the domain local group.

AGUDLP
• Microsoft approach to using groups:
 ▫ Add Accounts to Global groups.
 ▫ Add those global groups to Universal groups.
 ▫ Add universal groups to Domain Local groups.
 ▫ Finally, assign Permissions to the domain local groups.

Creating and Managing Groups
• Creating and managing groups is usually done with Active Directory Users and Computers.

Working with Default Groups
• Account Operators
 ▫ Can create, modify, and delete accounts for users, groups, and computers in all containers and OUs.
 ▫ Cannot modify the Administrators, Domain Admins, and Enterprise Admins groups.
• Administrators
• Backup Operators
• Guests
 ▫ Disabled by default

Working with Default Groups
• Print Operators
 ▫ Can manage printers and document queues.
• Server Operators
 ▫ Can log on to a server interactively.
 ▫ Can create and delete shares, and start and stop some services.
 ▫ Can back up and restore files.
 ▫ Can format the disk, shut down the computer, and modify the system date and time.

Working with Default Groups
• Users
• DNSAdmins
 ▫ Permits administrative access to the DNS Server service.
• Domain Admins
• Domain Computers
 ▫ Contains all computers.
 ▫ Used to make computer management easier through group policies.
• Domain Controllers
 ▫ Contains all computers installed in the domain as a domain controller.

Working with Default Groups
• Domain Guests
 ▫ Members include all domain guests.
• Domain Users
 ▫ Used to assign permissions to all users in the domain.
• Enterprise Admins
 ▫ Grants the global administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups
• Schema Admins
 ▫ Members can manage and modify the Active Directory schema.
• See Table 5-1 on Pages 106-111

Special Identity Groups and Local Groups
• Authenticated Users
 ▫ Used to allow controlled access to resources throughout the forest or domain.
• Everyone
• See Table 5-2 on Pages 112-113

Group Implementation Plan
• A plan that states
 ▫ who has the ability and responsibility to create, delete, and manage groups.
• A policy that states
 ▫ how domain local, global, and universal groups are to be used.
 ▫ guidelines for creating new groups and deleting old groups.
• A naming standards document to keep group names consistent.
• A standard for group nesting.

Creating Users and Groups
• Active Directory Users and Computers
• Batch files
 ▫ Syntax: dsadd user <UserDN> -samid <SAMAccountName>
 ▫ Example: dsadd user "cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com" -samid jsmith

Creating Users and Groups (Cont.)
• Comma-Separated Value Directory Exchange (CSVDE)
 ▫ The first line of the file is the header record (see Page 119).
 ▫ csvde.exe -i -f newusers.csv
   -i selects import mode
   -f specifies the file to import

Creating Users and Groups (Cont.)
• LDAP Data Interchange Format Directory Exchange (LDIFDE)
 ▫ You can add, modify, or delete objects.
 ▫ ldifde -i -f newobjects.ldf
• Windows Script Host (WSH)
 ▫ See code on Page 121

Creating Users and Groups (Cont.)
• Windows PowerShell (ADSI)
 ▫ $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
 ▫ $objUser = $objOU.Create("user","CN=Mary North")
 ▫ $objUser.Put("sAMAccountName","mary.north")
 ▫ $objUser.SetInfo()
• Windows Server 2008 R2 (ActiveDirectory module)
 ▫ Import-Module ActiveDirectory
 ▫ New-ADUser -Name "Mary North" -SamAccountName "mary.north"

Creating Users and Groups (Cont.)
• Note:
 ▫ CSVDE and LDIFDE cannot import a user's password, so the imported user is disabled by default.
 ▫ Only DSADD supports specifying the password.

Offline Domain Join
• Offline domain join is a process to add computers to a domain in locations where there is no connectivity to a corporate network.
 ▫ Windows Server 2008 R2
 ▫ Works against a Windows 7 image or on a running computer
• The offline domain join process includes the following phases:
 ▫ Run djoin.exe /provision to create the computer account metadata and save it to a text file:
   djoin /provision /domain <domain_name> /machine <destination_computer> /savefile <filename.txt>
 ▫ Run djoin.exe /requestodj to insert the computer account metadata into the Windows directory of the destination computer:
   djoin /requestodj /loadfile <filename.txt>

Assignment
• Fill in the blank
 ▫ 1-10
• Multiple Choice
 ▫ 1-10
• Online Lab 5
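The following script is an added example, not part of the slides, that ties the AGUDLP slide and the user-creation slides together: it creates users with the ActiveDirectory module (supplying a password so the accounts are not left disabled, unlike a CSVDE/LDIFDE import), builds the Global, Universal and Domain Local chain, and assigns the NTFS permission only to the domain local group. The domain contoso.com, the OUs, the share path and all user and group names are assumptions for illustration.

```powershell
# Added example (not from the slides): provision users and an AGUDLP group chain.
# Domain, OUs, share path and all account/group names are assumed for illustration.
Import-Module ActiveDirectory

$domain   = "contoso.com"
$peopleOU = "OU=People,DC=contoso,DC=com"
$groupOU  = "OU=Groups,DC=contoso,DC=com"
$share    = "D:\Shares\Finance"          # folder whose ACL receives the permission

# Constructed input; in practice this would come from Import-Csv newusers.csv.
$users = @(
    [pscustomobject]@{ Name = "Mary North"; Sam = "mary.north"; Dept = "Finance" },
    [pscustomobject]@{ Name = "John Smith"; Sam = "jsmith";     Dept = "Finance" }
)

foreach ($u in $users) {
    # New-ADUser accepts a password, so the account can be enabled at creation
    # instead of being left disabled as a CSVDE/LDIFDE import would.
    $initialPwd = Read-Host -AsSecureString "Initial password for $($u.Sam)"
    New-ADUser -Name $u.Name -SamAccountName $u.Sam -Path $peopleOU `
        -UserPrincipalName "$($u.Sam)@$domain" -Department $u.Dept `
        -AccountPassword $initialPwd -ChangePasswordAtLogon $true -Enabled $true
}

# A -> G: accounts go into a Global group (members must be from this domain)
New-ADGroup -Name "G_Finance_Staff" -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "G_Finance_Staff" -Members ($users.Sam)

# G -> U: global group nested in a Universal group (stored in the GC, keep it stable)
New-ADGroup -Name "U_Finance_All" -GroupScope Universal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "U_Finance_All" -Members "G_Finance_Staff"

# U -> DL: universal group nested in a Domain Local group in the resource domain
New-ADGroup -Name "DL_Finance_Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "DL_Finance_Modify" -Members "U_Finance_All"

# DL -> P: the permission is granted to the domain local group only, never to users
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "CONTOSO\DL_Finance_Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check the nesting: -Recursive expands U and G so the users appear as effective members
Get-ADGroupMember -Identity "DL_Finance_Modify" -Recursive | Select-Object Name, SamAccountName
```

Run it from an account that can create objects in both OUs and change the folder ACL; the final Get-ADGroupMember line is the quickest way to confirm that a user's access really flows through all three scopes before handing the share over.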