70 640 Lesson05 Ppt 041009
Published in: Education
Notes
  • Show and explain all tabs of the User Account.
  • Emphasize that when assigning rights, it is always preferred to assign first to groups before assigning to users.
  • Troubleshooting 101. You must log off to get new tokens when added to a group.
  • You cannot assign rights and permissions to a distribution group.
  • Show all tabs.
  • Mention that it is ideal for administrators to have two user accounts: one for everyday stuff, including checking email, and one for administration. Also, if you have BlackBerry devices and you are added to Domain Admins or Account Operators, you may not work with a BlackBerry device/Enterprise Server.
  • Transcript of "70 640 Lesson05 Ppt 041009"

    1. Active Directory Administration
       • Lesson 5
    2. Skills Matrix
       Technology Skill | Objective Domain | Objective #
       Creating Users, Computers, and Groups | Automate creation of Active Directory accounts | 4.1
       Creating Users, Computers, and Groups | Maintain Active Directory accounts | 4.2
    3. Understanding User Accounts
       • Three types of user accounts can be created and configured in Windows Server 2008:
           • Local accounts.
           • Domain accounts.
           • Built-in user accounts.
    4. Local Accounts
       • Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside.
       • Never replicated to other computers, nor do these accounts have domain access.
    5. Domain Accounts
       • Accounts used to access Active Directory or network-based resources, such as shared folders or printers.
       • Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.
       • A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
    6. Built-in User Accounts
       • Automatically created when Microsoft Windows Server 2008 is installed.
       • Built-in user accounts are created on a member server or a standalone server.
           • When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.
    7. Built-in User Accounts
       • By default, two built-in user accounts are created on a Windows Server 2008 computer:
           • Administrator account.
           • Guest account.
       • Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.
    8. Creating and Managing User Accounts
       • User accounts are usually created and managed with Active Directory Users and Computers.
    9. User Account Properties
    10. User Account Properties
    11. User Account Properties
    12. Group Accounts
       • Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
       • A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
    13. Group Accounts
       • When a user logs on, an access token is created that identifies the user and all of the user’s group memberships.
       • This access token is used to verify a user’s permissions when the user attempts to access a local or network resource.
       • By using groups, multiple users can be given the same permission level for resources on the network.
       • Since a user’s access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
    14. Group Types
       • Distribution groups – Non-security-related groups created for the distribution of information to one or more persons.
       • Security groups – Security-related groups created for purposes of granting resource access permissions to multiple users.
    15. Group Nesting
       • Users can be members of more than one group.
       • Groups can contain other Active Directory objects, such as computers, and other groups.
       • Placing groups inside other groups is called group nesting.
    16. Group Scopes
       • Global
       • Domain Local
       • Universal
    17. Using Global and Domain Local Groups
       • Global
           • These groups can include users, computers, and other global groups from the same domain.
           • You can use them to organize users who have similar functions and therefore similar requirements on the network.
       • Domain local
           • These groups can include users, computers, and groups from any domain in the forest.
           • They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.
    18. Using Global and Domain Local Groups
       • Assign users within a domain to global groups.
       • Add global groups to domain local groups.
       • Assign permissions to domain local group.
    19. Universal Groups
       • These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.
       • A universal group can include users, computers, and global groups from any domain in the forest.
       • Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
    20. AGUDLP
       • Microsoft approach to using groups:
           • Add Accounts to Global groups.
           • Add those global groups to Universal groups.
           • Add universal groups to Domain Local groups.
           • Finally, assign Permissions to the domain local groups.
    21. Creating and Managing Groups
       • Creating and managing groups is usually done with Active Directory Users and Computers.
    22. Group Properties
    23. Group Properties
    24. Working with Default Groups
       • Account Operators – Can create, modify and delete accounts for users, groups, and computers in all containers and OUs.
           • Cannot modify administrators, domain admins and enterprise admin groups.
       • Administrators – Complete and unrestricted access to the computer or domain controller.
       • Backup Operators – Can back up and restore all files on the computer.
    25. Working with Default Groups
       • Guests – Same privileges as members of the Users group.
           • Disabled by default.
       • Print Operators – Can manage printers and document queues.
       • Server Operators – Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.
    26. Working with Default Groups
       • Users – Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions.
       • DNSAdmins – Permits administrative access to the DNS server service.
    27. Working with Default Groups
       • Domain Admins – Can perform administrative tasks on any computer anywhere in the domain.
       • Domain Computers – Contains all computers.
           • Used to make computer management easier through group policies.
       • Domain Controllers – Contains all computers installed in the domain as a domain controller.
    28. Working with Default Groups
       • Domain Guests – Members include all domain guests.
       • Domain Users – Members include all domain users.
           • Used to assign permissions to all users in the domain.
       • Enterprise Admins – Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.
    29. Working with Default Groups
       • Schema Admins – Members can manage and modify the Active Directory schema.
    30. Special Identity Groups and Local Groups
       • Authenticated Users – Used to allow controlled access to resources throughout the forest or domain.
       • Everyone – Used to provide access to resources for all users and guests.
           • It is recommended not to assign this group to resources.
    31. Group Implementation Plan
       • A plan that states who has the ability and responsibility to create, delete, and manage groups.
       • A policy that states how domain local, global, and universal groups are to be used.
       • A policy that states guidelines for creating new groups and deleting old groups.
       • A naming standards document to keep group names consistent.
       • A standard for group nesting.
    32. Creating Users and Groups
       • Active Directory Users and Computers.
       • Batch files.
       • Comma-Separated Value Directory Exchange (CSVDE).
       • LDAP Data Interchange Format Directory Exchange (LDIFDE).
       • Windows Script Host (WSH).
    33. Summary
       • Three types of user accounts exist in Windows Server 2008:
           • Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
           • Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
           • Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
    34. Summary
       • The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008.
           • It can be renamed, but it cannot be deleted.
       • The Guest account is a built-in account used to assign temporary access to resources.
           • It can be renamed, but it cannot be deleted.
           • This account is disabled by default and the password can be left blank.
    35. Summary
       • Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).
       • Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
    36. Summary
       • Global groups are used to organize domain users according to their resource access needs.
           • Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
    37. Summary
       • Universal groups are used to provide access to resources anywhere in the forest.
           • Their membership lists can contain global groups and users from any domain.
           • Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
    38. Summary
       • The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.
    39. Summary
       • Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.
       • Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.
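
The scope and nesting rules from slides 15 to 20, together with the access-token behaviour from slide 13, as an added Python example that is not part of the original deck. All account, group and domain names are constructed, and `allowed` encodes the standard AD DS scope rules, which are slightly more detailed than the slide text.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    domain: str
    scope: str = "account"   # "account", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

def allowed(parent, child):
    """Standard AD DS rule: may `child` be a direct member of `parent`?"""
    same_domain = parent.domain == child.domain
    if parent.scope == "global":
        return same_domain and child.scope in ("account", "global")
    if parent.scope == "universal":
        return child.scope in ("account", "global", "universal")
    if parent.scope == "domain_local":
        return child.scope != "domain_local" or same_domain
    return False             # accounts have no members

def nesting_violations(directory):
    """(group, member) pairs that break the scope rules."""
    return sorted((g.name, m) for g in directory.values()
                  for m in g.members if not allowed(g, directory[m]))

def effective_groups(account, directory):
    """Groups reached via valid nesting: what a token built at next logon lists."""
    found, frontier = set(), {account}
    while frontier:
        frontier = {g.name for g in directory.values()
                    if any(m in frontier and allowed(g, directory[m])
                           for m in g.members)} - found
        found |= frontier    # subtracting `found` keeps nesting loops finite
    return found

def build_sample():
    """Constructed two-domain forest laid out as AGUDLP, plus two mistakes."""
    objs = [
        Obj("alice", "corp.example"),
        Obj("bob", "emea.corp.example"),
        Obj("G_Sales_Corp", "corp.example", "global", ["alice"]),
        Obj("G_Sales_EMEA", "emea.corp.example", "global", ["bob"]),
        Obj("U_Sales", "corp.example", "universal", ["G_Sales_Corp", "G_Sales_EMEA"]),
        Obj("DL_SalesShare_Read", "corp.example", "domain_local", ["U_Sales"]),
        # Mistake 1: account from another domain in a global group.
        Obj("G_Helpdesk", "corp.example", "global", ["bob"]),
        # Mistake 2: universal group nested in a global group.
        Obj("G_Contractors", "corp.example", "global", ["U_Sales"]),
    ]
    return {o.name: o for o in objs}

if __name__ == "__main__":
    d = build_sample()
    print(nesting_violations(d), sorted(effective_groups("alice", d)))
```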