ACTIVE DIRECTORY ADMINISTRATION
Chapter 5
UNDERSTANDING USER ACCOUNTS
Authentication
User account types
Administrator
Guest
AUTHENTICATION AND ACCESS TOKEN
Diagram: Active Directory → Authentication process → Resources
Access Token: user identification, group memberships, privileges assigned to the user (also named system rights)
CATEGORIES OF USER ACCOUNTS
Local user accounts: stored in the Security Accounts Manager (SAM); includes builtin user accounts
Domain user accounts: stored in NTDS.dit; includes builtin user accounts
ADMINISTRATOR ACCOUNT
Full control of computer, domain, forest
Used to establish administrative structure and create other accounts
Should be renamed
Should be secured with a complex password
Can be disabled, but cannot be deleted
GUEST ACCOUNT
Designed to allow temporary access to the network
Disabled by default, but cannot be deleted
Should be secured with a complex password if enabled
GROUPS AND THEIR USERS
Diagram: Users → Local Groups → Resources; the user's Access Token is checked against the Permissions and/or Resource ACEs.
GROUP TYPES
GROUP TYPES, SCOPES, AND CONVERTING
Distribution groups: typically used with applications to provide a list of users (Microsoft Exchange). Cannot be used to assign access permissions.
Security groups: primarily used to grant access. Can also be used like a distribution group for e-mail, if the group has an e-mail address assigned.
DOMAIN LOCAL GROUPS
Membership: user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain.
Purpose: Used to assign permissions to resources in the local domain.
Once you assign permissions to this group, you can use it to grant those permissions to other groups or users.
GLOBAL GROUPS
Membership: User accounts, computer accounts, and other global groups.
Purpose: Used to organize users.
Users are typically assigned to global groups based on job role, task, or title.
UNIVERSAL GROUPS
Membership: user accounts, computer accounts, global or universal groups.
Purpose: Used to organize users or groups of users in global groups.
Larger organizations typically use universal groups to group accounts from different domains.
GROUP NESTING: WINDOWS 2000 MIXED DOMAIN FUNCTIONAL LEVEL
Diagram: Users → Global Groups → Local Groups → Resources; the user's Access Token is checked against the Permissions and/or Resource ACEs.
GROUP NESTING: WINDOWS 2000 NATIVE OR LATER DOMAIN FUNCTIONAL LEVEL
Diagram: Users → Global Groups (which may be nested in other Global Groups or in a Universal Group) → Domain Local group → Resources; the user's Access Token is checked against the Permissions and/or Resource ACEs.
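As an added example (not part of the slides), the following Python models the membership rules from the Domain Local, Global and Universal slides, the difference between the mixed and native nesting diagrams, and the access-token check against a resource's ACEs. All group, user, domain and resource names are constructed sample data.

```python
# Added example (not from the slides): group-scope nesting rules and the
# access-token check, with constructed sample names.
from collections import deque

# Member scopes each group scope may contain ("user" = user/computer account).
# Domain local groups may also nest domain local groups from the SAME domain;
# that rule is checked separately in can_add().
NATIVE = {
    "domain_local": {"user", "global", "universal"},
    "global": {"user", "global"},
    "universal": {"user", "global", "universal"},
}
# Windows 2000 mixed level: no universal security groups, no global-in-global.
MIXED = {"domain_local": {"user", "global"}, "global": {"user"}}

class Directory:
    def __init__(self, level="native"):
        self.rules = NATIVE if level == "native" else MIXED
        self.groups = {}                 # name -> (scope, domain, members)
    def add_group(self, name, scope, domain):
        if scope not in self.rules:
            raise ValueError(f"{scope} groups are not available at this level")
        self.groups[name] = (scope, domain, set())
    def can_add(self, parent, member):
        pscope, pdomain, _ = self.groups[parent]
        if member not in self.groups:    # a user or computer account
            return "user" in self.rules[pscope]
        mscope, mdomain, _ = self.groups[member]
        if pscope == "domain_local" and mscope == "domain_local":
            return mdomain == pdomain
        return mscope in self.rules[pscope]
    def add_member(self, parent, member):
        if not self.can_add(parent, member):
            raise ValueError(f"cannot nest {member} in {parent}")
        self.groups[parent][2].add(member)
    def access_token(self, user):
        """Group memberships a logon puts in the token (nesting expanded)."""
        token, queue = {user}, deque([user])
        while queue:
            cur = queue.popleft()
            for name, (_, _, members) in self.groups.items():
                if cur in members and name not in token:
                    token.add(name); queue.append(name)
        return token

def check_access(token, acl, permission):
    """acl: {principal: set(permissions)} = the resource's ACEs."""
    return any(permission in perms for p, perms in acl.items() if p in token)
```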
DEFAULT GROUPS
Builtin security groups: pre-defined permissions
Placed in the Builtin and Users containers by default
Groups are sometimes added when services are installed:
  Dynamic Host Configuration Protocol (DHCP) service adds DHCP Admins and DHCP Users
  Domain Name System (DNS) adds DNS Admins and DNS UpdateProxy
SPECIAL IDENTITY GROUPS
Anonymous Logon
Everyone
Authenticated Users
Interactive
Network
LOCAL GROUPS
Only in non-Active Directory databases: the SAM database and domain members' local security databases
Typically used in peer-to-peer (workgroup) networks
Used to grant system rights and access to resources available on the local computer
DEVELOPING A GROUP IMPLEMENTATION PLAN
Determine who has the ability to create and manage users and groups.
Determine how domain local, global, and universal groups should be used.
Define the guidelines for the creation and deletion of users and groups.
Implement a common naming scheme for users and groups.
Determine the appropriate uses of group nesting.
CREATING USERS AND GROUPS
Batch files: net, dsadd
Directory Exchange Utilities: CSVDE utility, LDIFDE utility
Windows Script Host (WSH)
USING BATCH FILES
net user
net group
dsadd user
dsadd group
USING CSVDE
Comma-separated values.
Header record must be defined using a distinguished name and schema attributes. Entries in the remainder of the file must follow the order of the header record.
Once the file is created, use csvde -i -f file.txt to import the users.
Cannot create users with passwords.
Cannot modify existing user accounts.
USING LDIFDE
Line-separated values. Object entries are separated by a hyphen.
Once the file is created, use ldifde -i -f file.txt to import the users.
Cannot create users with passwords.
Can modify passwords once users are created.
Can be used to import, export, and modify Active Directory objects.
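Added example, not from the slides: Python that writes CSVDE and LDIFDE import files from the same constructed user records, enforcing the header-record order the CSVDE slide requires, flagging rows that break it, and producing the LDIF modify record the LDIFDE slide refers to. The container OU=Staff,DC=corp,DC=example and the user records are placeholders.

```python
# Added example (not from the slides): build CSVDE and LDIFDE import files for
# the same constructed user records and check a CSVDE file against its header.
import csv
import io

BASE = "OU=Staff,DC=corp,DC=example"          # placeholder container DN
USERS = [                                       # constructed sample users
    {"cn": "Alice Smith", "sAMAccountName": "asmith", "givenName": "Alice", "sn": "Smith"},
    {"cn": "Bob Jones", "sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones"},
]
# CSVDE header record: the DN first, then schema attribute names. Every data
# row must list its values in exactly this order. userAccountControl 514 =
# normal account + disabled: neither tool can set a password on import, so
# the new accounts stay disabled until one is assigned.
HEADER = ["DN", "objectClass", "cn", "sAMAccountName", "givenName", "sn",
          "userAccountControl"]

def to_csvde(users):
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(HEADER)
    for u in users:
        row = {"DN": f"CN={u['cn']},{BASE}", "objectClass": "user",
               "userAccountControl": "514", **u}
        w.writerow([row[h] for h in HEADER])    # header order enforced here
    return out.getvalue()

def check_csvde(text):
    """Return line numbers of data rows whose field count differs from the header."""
    rows = list(csv.reader(io.StringIO(text)))
    return [i for i, r in enumerate(rows[1:], start=2) if len(r) != len(rows[0])]

def to_ldifde(users):
    """LDIF add records: one attribute per line, entries separated by a blank line."""
    blocks = []
    for u in users:
        lines = [f"dn: CN={u['cn']},{BASE}", "changetype: add", "objectClass: user"]
        lines += [f"{k}: {v}" for k, v in u.items()] + ["userAccountControl: 514"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def ldifde_modify(cn, changes):
    """LDIF modify record for an existing user; each change is closed by a '-' line."""
    lines = [f"dn: CN={cn},{BASE}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"
```

The generated text is what csvde -i -f or ldifde -i -f would read, as the slides describe.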
USING WSH
Allows you to write scripts to create users and other Active Directory objects.
Scripts can be VBScript or JScript.
Allows for highly customized solutions that automate the creation of user accounts.
SUMMARY
What are the two group types? Which type can be used to assign permissions?
Which one is primarily for e-mail?
Name three group scopes.
What domain functional level is required for creating universal groups?
Name methods for automating user account creation.