CN1276 Server (V3)
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCTS, MCDST, MCP, A+
Agenda
• Chapter 5: Active Directory Administration
• Quiz
• Exercise
Understanding User Accounts
• Three types of user accounts can be created and
configured in Windows Server 2008:
▫ Local accounts
▫ Domain accounts
▫ Built-in user accounts
Security guidelines
• Rename the Administrator account
▫ Set a strong password
▫ Renaming only slows an attacker: the account keeps the well-known RID 500 and can
still be found by SID lookup, so the strong password is the real control
• Limit knowledge of administrator passwords to only a few individuals
• Do not use the Administrator account for daily non-administrative tasks
• Leave the Guest account disabled unless it is genuinely needed; if you do
enable it, rename it
▫ Set a strong password
Group Accounts
• Groups are implemented to allow administrators
to assign rights and permissions to multiple
users simultaneously.
• A group can be defined as a collection of user or
computer accounts that is used to simplify the
assignment of rights or permissions to network
resources.
Group Types
• Distribution groups
▫ Non-security-related groups created for the
distribution of information to one or more
persons.
• Security groups
▫ Security-related groups created for purposes of
granting resource access permissions to multiple
users.
Group Nesting
• Users can be members of more than one group.
• Groups can contain other Active Directory objects, such as computers, and
other groups.
• Placing groups inside other groups is called group nesting.
Group Scopes
• Domain Local
▫ These groups can include users, computers, global groups, and universal groups
from any domain in the forest, plus domain local groups from the same domain
▫ Used to assign permissions to resources in the domain in which they are located
• Global
▫ These groups can include users, computers, and global groups only from within
the same domain
▫ Used to assign permissions to resources that reside in any domain in the forest
▫ Global group memberships are replicated only to DCs within the same domain
• Universal
▫ These groups can include users, computers, global groups, and universal groups
from any domain in the forest
▫ Used to assign permissions to resources in any domain in the forest
▫ Memberships are stored in the global catalog (GC), so they should not change
frequently: every membership change replicates to every GC in the forest
Using Global and Domain Local Groups
• Assign users within a domain to global groups.
• Add global groups to domain local groups.
• Assign permissions to domain local group.
AGUDLP
• Microsoft approach to using groups:
▫ Add Accounts to Global groups.
▫ Add those global groups to Universal groups.
▫ Add universal groups to Domain Local groups.
▫ Finally, assign Permissions to the domain local groups.
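The AGDLP pattern above, carried out with the Active Directory module (Windows Server 2008 R2 / RSAT) rather than the GUI. This is an added example, not code from the slides or the textbook; the group names, the OU path, the domain name CONTOSO and the folder D:\Shares\Finance are assumptions chosen for illustration. The closing checks confirm the nesting and that the only ACE names the domain local group, which is the point of the pattern: permissions are never granted to users or global groups directly.

```powershell
# Added example (not from the original slides): AGDLP with the ActiveDirectory module.
# Assumed names: OU=Groups in contoso.com, share folder D:\Shares\Finance, NetBIOS name CONTOSO.
Import-Module ActiveDirectory

$ou        = "OU=Groups,DC=contoso,DC=com"   # assumed OU that holds the groups
$sharePath = "D:\Shares\Finance"             # assumed folder whose ACL we set

# A -> G: the global group holds the accounts (a role) from this domain
New-ADGroup -Name "G-Finance-Staff" -SamAccountName "G-Finance-Staff" `
            -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G-Finance-Staff" -Members "mary.north", "jsmith"

# G -> DL: the domain local group describes one permission on one resource
New-ADGroup -Name "DL-Finance-Modify" -SamAccountName "DL-Finance-Modify" `
            -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-Finance-Modify" -Members "G-Finance-Staff"

# DL -> P: the permission is granted to the domain local group only
$identity  = "CONTOSO\DL-Finance-Modify"
$rights    = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit   = "ContainerInherit,ObjectInherit"   # apply to subfolders and files
$propagate = "None"
$type      = "Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $identity, $rights, $inherit, $propagate, $type

$acl = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check 1: the scopes are what AGDLP requires
Get-ADGroup -Identity "G-Finance-Staff", "DL-Finance-Modify" |
    Select-Object Name, GroupScope, GroupCategory

# Check 2: the DL group contains the global group, and the global group contains the users
Get-ADGroupMember -Identity "DL-Finance-Modify" | Select-Object Name, objectClass
Get-ADGroupMember -Identity "G-Finance-Staff"   | Select-Object Name, objectClass

# Check 3: the ACE on the folder names the domain local group, not a user
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like "*DL-Finance-Modify" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Adding users to the resource later means one Add-ADGroupMember call on the global group; the folder's ACL is never touched again. Get-ADGroupMember -Recursive on the domain local group lists the effective users for an audit.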
Creating and Managing Groups
• Creating and managing groups is usually done
with Active Directory Users and Computers.
Working with Default Groups
• Account Operators
▫ Can create, modify and delete accounts for users,
groups, and computers in all containers and OUs.
▫ Cannot modify administrators, domain admins
and enterprise admin groups.
• Administrators
• Backup Operators
• Guests
▫ The built-in Guest account, its default member, is disabled by default
Working with Default Groups
• Print Operators
▫ Can manage printers and document queues.
• Server Operators
▫ Can log on a server interactively
▫ Create and delete shares, start and stop some
services
▫ Back up and restore files
▫ Format the disk, shut down the computer and modify the system date and time.
Working with Default Groups
• Users
• DNSAdmins
▫ Permits administrative access to the DNS server
service.
• Domain Admins
• Domain Computers
▫ Contains all workstations and member servers joined to the domain (domain
controllers are not members).
▫ Used to make computer management easier through group policies.
• Domain Controllers – Contains all computers installed in the domain as a
domain controller.
Working with Default Groups
• Domain Guests
▫ Members include all domain guests.
• Domain Users
▫ Used to assign permissions to all users in the
domain.
• Enterprise Admins
▫ Exists only in the forest root domain; members have forest-wide
administrative privileges, such as the ability to create and delete domains.
Working with Default Groups
• Schema Admins
▫ Members can manage and modify the Active
Directory schema.
• See Table 5-1 on Page 106 - 111
Special Identity Groups and Local
Groups
• Authenticated Users
▫ Any account that has authenticated, including computer accounts and users from
trusted domains; used to allow controlled access to resources throughout the
forest or domain.
• Everyone
▫ Includes Authenticated Users and Guest; since Windows Server 2003 it no longer
includes Anonymous Logon by default.
• See Table 5-2 on Page 112 - 113
Group Implementation Plan
• A plan that states
▫ who has the ability and responsibility to create,
delete, and manage groups.
• A policy that states
▫ how domain local, global, and universal groups
are to be used.
▫ guidelines for creating new groups and deleting
old groups.
• A naming standards document to keep group
names consistent.
• A standard for group nesting.
Creating Users and Groups
• Active Directory Users and Computers
• Batch files
▫ dsadd user <UserDN> -samid <SAMAccountName>
▫ dsadd user "cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com" -samid jsmith
Creating Users and Groups (Cont.)
• Comma-Separated Value Directory Exchange
(CSVDE)
▫ Header record (See Page 119)
▫ csvde -i -f newusers.csv
 -i is to import
 -f is to specify the file to import
Creating Users and Groups (Cont.)
• LDAP Data Interchange Format Directory
Exchange (LDIFDE)
▫ You can add, modify and delete objects
▫ ldifde -i -f newobjects.ldf
• Windows Script Host (WSH)
▫ See code on Page 121
Creating Users and Groups (Cont.)
• Windows PowerShell (ADSI, available on Windows Server 2008)
▫ $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
▫ $objUser = $objOU.Create("user", "CN=Mary North")
▫ $objUser.Put("sAMAccountName", "mary.north")
▫ $objUser.SetInfo()
▫ Windows Server 2008 R2 (Active Directory module)
 Import-Module ActiveDirectory
 New-ADUser -Name "Mary North" -SamAccountName "mary.north" -Path "OU=People,DC=contoso,DC=com"
Creating Users and Groups (Cont.)
• Note:
▫ CSVDE cannot import a user's password, and LDIFDE can write unicodePwd only
over an SSL (LDAPS) connection; an account imported without a password is
created disabled
▫ Of the tools above, dsadd (-pwd) and New-ADUser (-AccountPassword) can set the
password when the account is created
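The bulk-import path from the CSVDE slide together with the caveat in the note above, as an added example that is not part of the original slides: the CSV file is generated in PowerShell, imported with csvde, and because csvde cannot set a password, each account is then given an initial password and enabled with the Active Directory module. The OU, domain, user names and file path are constructed for illustration.

```powershell
# Added example (not from the original slides): csvde import followed by password
# reset and enable. Assumed: OU=People in contoso.com, two constructed users.
Import-Module ActiveDirectory

$csvFile = "$env:TEMP\newusers.csv"       # assumed path for the import file
$ou      = "OU=People,DC=contoso,DC=com"  # assumed target OU
$users   = "mary.north", "jsmith"         # constructed sample accounts

# Header record (first line) names the attributes csvde maps onto each new object;
# DNs contain commas, so each DN value is quoted.
$rows = @(
    "DN,objectClass,sAMAccountName,userPrincipalName,displayName",
    "`"CN=Mary North,$ou`",user,mary.north,mary.north@contoso.com,Mary North",
    "`"CN=John Smith,$ou`",user,jsmith,jsmith@contoso.com,John Smith"
)
Set-Content -Path $csvFile -Value $rows -Encoding ASCII

# -i import, -f file; -k keeps going past "object already exists" so a re-run is safe
& csvde.exe -i -f $csvFile -k
if ($LASTEXITCODE -ne 0) { throw "csvde import failed (exit code $LASTEXITCODE)" }

# No password could be imported, so every account is disabled. Set a password
# (entered interactively, never stored in the script), force a change at first
# logon, then enable the account.
foreach ($sam in $users) {
    $pwd = Read-Host -AsSecureString "Initial password for $sam"
    Set-ADAccountPassword -Identity $sam -NewPassword $pwd -Reset
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}

# Check: every account in the OU is now enabled and must change its password
Get-ADUser -Filter * -SearchBase $ou -Properties PasswordExpired |
    Select-Object SamAccountName, Enabled, PasswordExpired

Remove-Item -Path $csvFile   # the file is no longer needed
```

Set-ADAccountPassword with -Reset does not require the old password, which is why it needs the "Reset password" right on the OU; if the import file must carry passwords instead, use ldifde over LDAPS or dsadd -pwd rather than csvde.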
Offline Domain Join
• Offline domain join is a process to add computers to a domain in locations
where there is no connectivity to a corporate network.
▫ Requires a Windows Server 2008 R2 domain controller
▫ Applies to a Windows 7 image or to a running Windows 7 / Windows Server
2008 R2 computer
• The offline domain join process includes the following phases:
▫ Run djoin.exe /provision on a domain-joined computer, as an account that
can create computer accounts
 Creates the computer account in Active Directory and saves its metadata
(including the machine account password) to a text file:
 djoin /provision /domain <domain_name> /machine <destination_computer> /savefile <filename.txt>
▫ Run djoin.exe /requestODJ on the destination computer
 Inserts the computer account metadata into the Windows directory of the
destination computer; the join completes at the next restart:
 djoin /requestodj /loadfile <filename.txt> /windowspath %SystemRoot% /localos
• Treat the saved file as a secret: whoever holds it can join a machine as that
computer account, so move it over a protected channel and delete it after use.
Assignment
• Fill in the blank
▫ 1-10
• Multiple Choice
▫ 1-10
• Online Lab 5