This document discusses permissions and groups in Active Directory. It covers the different types of groups (distribution, security, etc.), and how a group's scope (domain local, global, universal) determines what objects it can include and what resources it can be assigned permissions for. The document also discusses domain and forest functional levels, inheritance and precedence of permissions, and how to use different types of groups effectively to structure access to resources.
The document discusses NoSQL databases and schema-less data models for big data. It describes key-value stores, document stores, tabular stores, object data stores, and graph databases. For each type, it provides examples and discusses characteristics like flexibility, structure, and querying capabilities. The goal of NoSQL databases is to allow for greater data manipulation and scaling for big data use cases compared to traditional relational databases.
This document discusses availability concepts for IT infrastructure architecture. Some key points include:
- Availability is calculated as the percentage of time a service is up over a period (usually a year or a month); 99.9% is a common service level agreement target, which over a year permits roughly 8.76 hours of downtime.
- Downtime is governed by the mean time between failures (MTBF) and the mean time to repair (MTTR): availability = MTBF / (MTBF + MTTR), so it rises either by failing less often or by repairing faster. Redundancy and failover improve it by masking a failure while the repair is pending.
- Sources of downtime include human errors, software bugs, planned maintenance, hardware failures, environmental issues, and infrastructure complexity. Redundancy, failover, and fallback solutions can help address some causes of downtime.
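The arithmetic behind the availability points above, as an added example that is not part of the summarised document: it turns MTBF and MTTR into an availability fraction and annual downtime, composes components in series (everything must be up) and in parallel (failover), and derives the longest repair time a target still tolerates. The MTBF/MTTR figures used at the bottom are constructed for illustration.

```python
"""Availability arithmetic: MTBF/MTTR to an availability fraction, annual downtime,
series and parallel (redundant) composition, and the repair time a target implies.
Added example, not from the summarised document; the MTBF/MTTR figures are constructed."""
HOURS_PER_YEAR = 365 * 24  # 8760 h, the basis for "downtime per year"


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable component: MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime_hours(avail: float) -> float:
    """Expected hours of downtime per year for an availability fraction."""
    return (1.0 - avail) * HOURS_PER_YEAR


def series(*avails: float) -> float:
    """Chain where every element must be up (firewall -> load balancer -> app -> DB).
    Each extra element can only lower the result."""
    result = 1.0
    for a in avails:
        result *= a
    return result


def parallel(*avails: float) -> float:
    """Redundant set where one surviving element suffices (active/passive failover).
    Assumes independent failures; a shared power feed, a common software bug or
    an operator error hits every element at once and breaks this assumption."""
    all_down = 1.0
    for a in avails:
        all_down *= 1.0 - a
    return 1.0 - all_down


def max_mttr_for_target(mtbf_hours: float, target: float) -> float:
    """Longest repair time that still meets `target` for a given MTBF:
    from target = MTBF / (MTBF + MTTR), MTTR = MTBF * (1/target - 1)."""
    return mtbf_hours * (1.0 / target - 1.0)


def meets_sla(avail: float, target: float = 0.999) -> bool:
    return avail >= target


if __name__ == "__main__":
    node = availability(5000, 8)          # constructed: a failure every ~7 months, 8 h to repair
    print(f"single node: {node:.5f}, {annual_downtime_hours(node):.1f} h/year, SLA ok: {meets_sla(node)}")
    pair = parallel(node, node)           # the same node with a failover partner
    print(f"failover pair: {pair:.7f}, {annual_downtime_hours(pair):.3f} h/year")
    stack = series(0.9999, pair, 0.9995)  # network, redundant app tier, database
    print(f"full stack: {stack:.5f}; max MTTR for 99.9% at MTBF 5000 h: "
          f"{max_mttr_for_target(5000, 0.999):.2f} h")
```

The single node in the sample misses 99.9% (about 14 hours a year), a failover pair of the same nodes clears it comfortably, and chaining the pair behind a network and in front of a database pulls the figure back down again. The parallel formula is only as good as its independence assumption, which is exactly the assumption that the human-error and software-bug causes of downtime listed above tend to violate.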
This document provides an overview of storage technologies and concepts. It discusses the history of storage technologies from early drum memory to modern hard disks and solid state drives. Key concepts covered include RAID configurations, disk interfaces like SATA and SAS, tape storage technologies, storage controllers, and virtual tape libraries. The document concludes with a discussion of Kryder's law and projections for future disk capacity growth.
RAID (Redundant Array of Independent Disks) is a data storage virtualization technology that combines multiple physical disk drives into a single logical unit to improve performance and provide redundancy. There are different RAID levels that distribute and protect data across disks in various ways. RAID 0 stripes data across disks for increased speed but provides no data protection: one failed disk loses the whole array. RAID 1 mirrors the same data onto two disks, providing fault tolerance if one disk fails. RAID 3, 4, and 5 provide redundancy through parity while still allowing parallel I/O; RAID 3 and 4 keep the parity on a dedicated disk, whereas RAID 5 distributes it across all member disks.
RAID: Redundant Array of Inexpensive Disks (Cloudbells.com)
RAID (Redundant Array of Inexpensive Disks) systems combine multiple physical disks into a single logical disk for data redundancy, performance, and reliability. The RAID levels offer different tradeoffs between these factors. RAID level 5 stripes both data and parity across all disks, so writes to different stripes can proceed in parallel, whereas RAID level 4 dedicates one disk solely to parity; that disk must be updated on every write and becomes the bottleneck. RAID level 1 mirrors all data onto a second disk for full redundancy at double the storage cost.
RAID is the use of multiple disks and data distribution techniques to improve resilience and performance. The document discusses different RAID levels including RAID0 for striping without redundancy, RAID1 for mirroring, RAID3 for fine-grained striping with dedicated parity, RAID5 for striping with distributed parity, and RAID6 which adds double disk failure protection. It notes that caching can improve performance of RAID3 and RAID5 arrays but RAID5 sees less benefit due to its complex write process.
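The parity mechanism the RAID summaries above describe, as an added example that is not taken from any of the summarised decks: data is striped across a small simulated array with one XOR parity chunk per stripe, parity sits on a fixed disk for RAID 4 and rotates for RAID 5, a single failed disk is rebuilt from the survivors, and a small write shows the read-modify-write parity update that makes RAID 5 writes expensive. The disk contents are constructed; chunk size and the parity rotation pattern are simplifications of what a real controller does.

```python
"""RAID 4/5 parity simulation: striping, XOR parity, single-disk reconstruction,
and the read-modify-write parity update behind the RAID 5 write penalty.
Added example, not from the summarised documents; the data is constructed."""
from typing import List

CHUNK = 4  # bytes per chunk; real arrays use 64 KiB or larger stripe units


def xor_bytes(*chunks: bytes) -> bytes:
    """Byte-wise XOR of equally sized chunks (the parity operation)."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_disk(stripe: int, ndisks: int, level: int) -> int:
    """RAID 4 pins parity on the last disk; RAID 5 rotates it across members."""
    if level == 4:
        return ndisks - 1
    if level == 5:
        return (ndisks - 1 - stripe) % ndisks
    raise ValueError("only RAID 4 and RAID 5 are modelled here")


def build_array(data: bytes, ndisks: int, level: int) -> List[List[bytes]]:
    """Stripe data across ndisks with one parity chunk per stripe.
    Returns disks[d][stripe]; data is zero-padded to whole stripes."""
    per_stripe = (ndisks - 1) * CHUNK
    data += b"\x00" * ((-len(data)) % per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        p = parity_disk(s, ndisks, level)
        chunks = [data[(s * (ndisks - 1) + k) * CHUNK:][:CHUNK] for k in range(ndisks - 1)]
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_bytes(*chunks) if d == p else next(it))
    return disks


def read_data(disks: List[List[bytes]], level: int, length: int) -> bytes:
    """Logical read: concatenate data chunks stripe by stripe, skipping parity."""
    ndisks, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        p = parity_disk(s, ndisks, level)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != p)
    return bytes(out[:length])


def rebuild_disk(disks: List[List[bytes]], failed: int) -> List[bytes]:
    """Recover one failed disk: XOR of the surviving chunks in every stripe,
    which works whether the lost chunk was data or parity. Two simultaneous
    failures are unrecoverable at RAID 4/5; RAID 6's second parity covers that."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes(*(d[s] for d in survivors)) for s in range(len(disks[0]))]


def small_write(disks: List[List[bytes]], level: int, disk: int, stripe: int,
                new_chunk: bytes) -> int:
    """Read-modify-write of one chunk: new_parity = old_parity ^ old_data ^ new_data.
    Returns the number of disk I/Os issued (2 reads + 2 writes), the RAID 5 write
    penalty that a write-back cache can only partly hide."""
    p = parity_disk(stripe, len(disks), level)
    if disk == p:
        raise ValueError("this stripe's parity chunk lives on that disk")
    old_data, old_parity = disks[disk][stripe], disks[p][stripe]   # 2 reads
    disks[disk][stripe] = new_chunk                                 # write 1
    disks[p][stripe] = xor_bytes(old_parity, old_data, new_chunk)   # write 2
    return 4


if __name__ == "__main__":
    arr = build_array(b"The quick brown fox jump", 4, 5)   # constructed payload
    lost = arr[1]
    print("rebuild matches:", rebuild_disk(arr, 1) == lost)
    print("I/Os for one small write:", small_write(arr, 5, 0, 1, b"ZZZZ"))
    print(read_data(arr, 5, 24))
```

A full-stripe write avoids the penalty because the new parity can be computed from the new data alone, which is why RAID 5 benefits less from caching than the summary notes: the cache helps only when it can coalesce small writes into full stripes. A rebuild also reads every block of every surviving disk, which is when latent read errors on large drives surface; that is the practical argument for the double parity of RAID 6.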
Difference between Homogeneous and Heterogeneous (Faraz Qaisrani)
Muhammad Faraz Qaisrani from the 2nd Batch at Benazir Bhutto Shaheed University discusses types of distributed database management systems (DDBMS). There are two main types: homogeneous, where all data centers use the same software, and heterogeneous, where different data centers may use different database products. Homogeneous systems are easier to design and manage but can be difficult for organizations to implement uniformly. Heterogeneous systems allow integration of existing databases but require translations between different hardware and software.
A distributed operating system allows applications to run on multiple interconnected computers. It makes the distributed computers appear as a single centralized system to users. There are two main types: network operating systems, which let users share files and printers across a local network while remaining aware of each machine, and distributed operating systems, in which users are unaware of the underlying machines. Effective communication between the distributed systems requires addressing issues like naming, routing, connections, and contention for shared resources. While distributed systems provide benefits like improved performance and reliability, they also face challenges such as security, bandwidth limitations, and reduced performance due to network delays.
Distributed databases allow data to be shared across a computer network while being stored on multiple machines. A distributed database management system (DDBMS) allows for the management of distributed databases and makes the distribution transparent to users. Key concepts in distributed DBMS design include fragmentation, allocation, and replication of data across multiple sites. Transparency, performance, and handling failures and concurrency are important considerations for DDBMS.
A distributed file system allows files to be stored on multiple computers that are connected over a network. It implements a common file system that can be accessed by all computers. Key goals are network transparency, so users can access files without knowing their location, and high availability, so files can always be easily accessed regardless of physical location. The main components are a name server that maps file names to locations, and cache managers that store copies of remote files locally to improve performance. Mechanisms like mounting, caching, bulk data transfer, and encryption help build robust distributed file systems.
Operating Systems: Design and Implementation (sathish sak)
This document provides an overview of operating systems design and implementation. It discusses the basic functions of an operating system as an extended virtual machine and a resource manager. It describes the evolution of operating systems through four generations from the earliest batch systems using vacuum tubes and plugboards to today's personal computers. The document outlines key components of operating systems including processes, file systems, system calls, and virtual machines. It provides examples of early batch processing systems, multiprogramming, and the structure of system calls. Finally, it discusses different approaches to operating system structure such as layered systems, virtual machines, and the client-server model.
This document discusses distributed file systems. It begins by defining key terms like filenames, directories, and metadata. It then describes the goals of distributed file systems, including network transparency, availability, and access transparency. The document outlines common distributed file system architectures like client-server and peer-to-peer. It also discusses specific distributed file systems like NFS, focusing on their protocols, caching, replication, and security considerations.
This document discusses the history and types of end user devices used to access IT infrastructure. It describes how teletypes and terminals were replaced by personal computers starting with IBM's 1981 introduction of the PC. Common devices now include desktops, laptops, mobile devices, and virtual desktops. Issues around BYOD and ensuring availability, reliability, and backup of end user devices are also covered.
PowerPoint presentation on distributed operating systems: reasons for opting for distributed systems over centralized systems, types of distributed systems, process migration and its advantages.
PCD – Process Control Daemon is a light-weight system level process manager for Embedded-Linux based projects (consumer electronics, network devices, etc.).
PCD starts, stops and monitors all the user space processes in the system, in a synchronized manner, using a textual configuration file.
PCD recovers the system in case of errors and provides useful and detailed debug information.
Windows is a popular operating system that runs on both PCs and servers. It provides a large collection of software solutions due to its popularity. While early versions of Windows were not true operating systems (they ran as a graphical shell on top of MS-DOS), modern versions like Windows Server provide stable and secure platforms for business applications and services. Failover clustering allows applications to remain highly available by failing over from one node to another in the case of hardware or software failures. The performance of an operating system depends on the underlying hardware, application load, and OS configuration.
This document provides an overview of an introductory database course, including information about the instructors, schedule, topics to be covered, expectations for student conduct, and how to succeed in the course. The topics that will be covered include database fundamentals, the database development process, conceptual and logical data modeling, physical database design, implementation with SQL, and an advanced topic. Students are expected to attend lectures and labs, be punctual, not distract others, and are advised to attend lectures, read the textbook, review materials, and ask questions.
The document discusses the four layer architecture of UNIX systems: hardware, kernel, shell, and utilities. The kernel is the core component that manages processes, memory allocation, I/O, and communication between hardware and processes. It runs in privileged kernel mode while user programs run in unprivileged user mode. The shell provides an interface for users to interact with the operating system and run commands. Common shell types are Bourne and C shells. Utilities are programs that perform tasks for users like copying files. Multiple shells can run simultaneously to serve different users while only one kernel runs.
This document provides an overview of different RAID levels from 0 to 6. It describes the key characteristics of each level including minimum drive requirements, data protection mechanisms, performance advantages and disadvantages, and recommended applications. RAID levels range from striped arrays without parity (RAID 0) to more advanced techniques with dual parity protection (RAID 6). The document contains diagrams and explanations of how each RAID level works to provide varying balances of performance, capacity, and fault tolerance.
This document discusses different approaches to memory management in operating systems. It begins by describing monoprogramming without swapping or paging, where one program uses all available memory at a time. It then describes multiprogramming using fixed memory partitions, either with separate queues for each partition or a single queue. The challenges of relocation and protection when programs are loaded at different addresses are also covered. Finally, it introduces the concepts of swapping and virtual memory for handling situations where not all active processes fit in main memory.
Oracle stores data logically in tablespaces and physically in datafiles associated with the corresponding tablespace. Tablespaces can be created, altered by resizing datafiles, have additional datafiles added, and dropped along with their contents. Users are created with a default tablespace assigned and granted roles such as CONNECT and RESOURCE; these bundled roles grant more than a single application account usually needs, so least privilege argues for granting the specific system privileges instead.
The document discusses various techniques for process synchronization and solving the critical section problem where multiple processes need exclusive access to shared resources. It describes the critical section problem and requirements that must be met (mutual exclusion, progress, and bounded waiting). It then summarizes several algorithms to solve the problem for two processes and multiple processes, including using semaphores which are basic synchronization tools using wait and signal operations.
This document discusses file sharing and secondary storage management in operating systems. It covers several topics:
File sharing allows multiple users to access files, but access rights and simultaneous access must be managed. Access rights include permissions levels from none to deletion. Simultaneous access requires enforcing mutual exclusion to prevent conflicts.
Secondary storage management involves allocating blocks to files from available disk space. File allocation methods include contiguous, chained, and indexed allocation. Contiguous allocation reserves all of a file's blocks as one run at creation time, which gives fast sequential and random access but suffers from external fragmentation; chained allocation links non-contiguous blocks with pointers, which avoids fragmentation but turns random access into a walk along the chain; indexed allocation gathers the block pointers into an index block, addressing both problems at the cost of the index block itself.
Free space is managed using techniques like bit tables that track used/free blocks, chained free portions, or a free block list maintained on disk.
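The allocation methods and the bit-table free-space manager described above, as an added example that is not from the summarised document: one simulated disk supports contiguous, chained and indexed allocation over the same bit table, so the trade-offs can be seen directly, including the case where contiguous allocation fails on a fragmented disk that indexed allocation still serves. Disk and file sizes are constructed.

```python
"""Free-space bit table with contiguous, chained and indexed allocation on one simulated
disk: the random-access cost of chaining, and why indexed allocation succeeds where
contiguous allocation fails once free space is fragmented. Added example, not from the
summarised document; the disk size and file sizes are constructed."""
from typing import Dict, List, Optional


class Disk:
    def __init__(self, nblocks: int) -> None:
        self.free: List[bool] = [True] * nblocks  # bit table: True = block is free
        self.files: Dict[str, dict] = {}          # one allocation-table entry per file

    def free_count(self) -> int:
        return sum(self.free)

    def largest_free_run(self) -> int:
        best = run = 0
        for is_free in self.free:
            run = run + 1 if is_free else 0
            best = max(best, run)
        return best

    def _take_free(self, n: int) -> Optional[List[int]]:
        """First n free blocks from the bit table, marked used; None if fewer exist."""
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:n]
        if n < 1 or len(blocks) < n:
            return None
        for b in blocks:
            self.free[b] = False
        return blocks

    def alloc_contiguous(self, name: str, n: int) -> Optional[int]:
        """First-fit run of n adjacent free blocks; None means external fragmentation."""
        start = None
        for i, is_free in enumerate(self.free):
            if not is_free:
                start = None
                continue
            start = i if start is None else start
            if i - start + 1 == n:
                for b in range(start, start + n):
                    self.free[b] = False
                self.files[name] = {"method": "contiguous", "start": start, "length": n}
                return start
        return None

    def alloc_chained(self, name: str, n: int) -> Optional[int]:
        """Any n free blocks, each pointing to the next; returns the head block."""
        blocks = self._take_free(n)
        if blocks is None:
            return None
        nxt = {b: blocks[i + 1] for i, b in enumerate(blocks[:-1])}
        self.files[name] = {"method": "chained", "head": blocks[0], "next": nxt}
        return blocks[0]

    def alloc_indexed(self, name: str, n: int) -> Optional[int]:
        """n scattered data blocks listed in one index block (one block of overhead)."""
        blocks = self._take_free(n + 1)
        if blocks is None:
            return None
        self.files[name] = {"method": "indexed", "index": blocks[0], "blocks": blocks[1:]}
        return blocks[0]

    def block_of(self, name: str, logical: int) -> int:
        """Physical block holding logical block `logical` of a file."""
        e = self.files[name]
        if e["method"] == "contiguous":
            if not 0 <= logical < e["length"]:
                raise IndexError(logical)
            return e["start"] + logical      # O(1): arithmetic
        if e["method"] == "indexed":
            return e["blocks"][logical]      # O(1): table lookup
        b = e["head"]                        # chained: O(n) pointer walk
        for _ in range(logical):
            b = e["next"][b]
        return b

    def blocks_of(self, name: str) -> List[int]:
        """Every physical block a file occupies, index/pointer blocks included."""
        e = self.files[name]
        if e["method"] == "contiguous":
            return list(range(e["start"], e["start"] + e["length"]))
        if e["method"] == "indexed":
            return [e["index"]] + e["blocks"]
        out, b = [e["head"]], e["head"]
        while b in e["next"]:
            b = e["next"][b]
            out.append(b)
        return out

    def release(self, name: str) -> None:
        """Return a file's blocks to the bit table."""
        for b in self.blocks_of(name):
            self.free[b] = True
        del self.files[name]
```

On a 16-block disk, allocating three 4-block files and releasing the middle one leaves 8 free blocks but no run longer than 4, so a contiguous request for 6 blocks fails while an indexed request for the same file succeeds, using 7 blocks including its index. The bit table is also what a secure-deletion check would inspect: releasing a file only flips bits, so the old contents stay on the freed blocks until they are overwritten.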
Threads in Operating System | Multithreading | Interprocess Communication (Shivam Mitra)
This document provides an introduction to threads. It discusses the differences between processes and threads, how threads are implemented in Linux, and challenges with multithreading like race conditions. Interprocess communication methods like shared memory and message passing are also covered. The benefits of multithreading include improved responsiveness and resource sharing. Multiprocessing uses multiple CPU cores to run programs in parallel while multithreading shares memory between threads.
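The wait/signal semaphore from the process-synchronization summary above and the race condition from the threads summary, as one added example that is not code from either summarised deck: a counting semaphore built on a lock and a condition variable guards a deliberately non-atomic read-modify-write on a shared counter. Thread and iteration counts are constructed.

```python
"""A counting semaphore built from a lock and a condition variable, exposing the
classic wait (P) and signal (V) operations, used as a mutex around a read-modify-write
on a shared counter. Added example, not from the summarised documents."""
import threading


class Semaphore:
    """wait() blocks while the count is zero, then decrements; signal() increments
    and wakes one waiter. The count starts at the number of permits."""

    def __init__(self, permits: int = 1) -> None:
        if permits < 0:
            raise ValueError("permit count must be non-negative")
        self._count = permits
        self._cond = threading.Condition()

    def wait(self) -> None:
        with self._cond:
            while self._count == 0:       # loop: a wake-up can be spurious or stolen
                self._cond.wait()
            self._count -= 1

    def signal(self) -> None:
        with self._cond:
            self._count += 1
            self._cond.notify()


def run_counter(nthreads: int, increments: int, protect: bool) -> int:
    """nthreads threads each add `increments` to a shared counter with a
    deliberately non-atomic read-modify-write. With protect=True the update is a
    critical section guarded by a binary semaphore and the result is exact;
    with protect=False the interleaving decides how many updates are lost."""
    counter = 0
    mutex = Semaphore(1)

    def worker() -> None:
        nonlocal counter
        for _ in range(increments):
            if protect:
                mutex.wait()            # entry section
            tmp = counter               # critical section: read ...
            tmp += 1                    # ... modify ...
            counter = tmp               # ... write
            if protect:
                mutex.signal()          # exit section

    threads = [threading.Thread(target=worker) for _ in range(nthreads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counter


if __name__ == "__main__":
    expected = 8 * 20000
    print("protected:  ", run_counter(8, 20000, True), "expected", expected)
    print("unprotected:", run_counter(8, 20000, False), "expected", expected, "(may be lower)")
```

The guarded run always returns the exact total; the unguarded run loses updates whenever a thread is preempted between its read and its write, and how many it loses varies from run to run, which is why such bugs are hard to reproduce. This implementation gives mutual exclusion and progress but not bounded waiting: a thread arriving at wait() can take a permit before a thread that was just woken re-acquires the condition lock.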
This presentation covers several topics from the RDBMS and DBMS subjects, including distributed database design, the architecture of a distributed database processing system, data communication concepts, and concurrency control and recovery. All topics are described briefly, following the syllabus of the BCA II and BCA III year subjects.
This document discusses distributed database systems. It defines centralized, distributed, and decentralized database systems. The key topics covered include distributed database management systems (DDBMS), advantages and disadvantages of DDBMS, distributed database design involving data fragmentation, replication and allocation, functions of a DDBMS, types of DDBMS including homogeneous and heterogeneous, and database transparency and gateways. The document is presented by a group with members Zupash, Sana, Marhaba and a group leader Hira Anwar.
An Oracle database consists of physical files on disk that store data and logical memory structures that manage the files. The database is made up of data files that contain tables and indexes, control files that track the physical components, and redo log files that record changes. The instance in memory associates with one database and manages access through background processes. The database is divided into logical storage units called tablespaces that map to the physical data files. Common tablespaces include SYSTEM, SYSAUX, undo and temporary tablespaces.
This document provides an overview of remote management technologies in Windows-based infrastructure, including legacy technologies like WMI and RPC as well as newer tools like PowerShell. It discusses how WMI allows managing both local and remote Windows computers using classes that describe manageable elements. It also covers administrative tools for remote management like MMC, Sysinternals PsTools, and built-in command line utilities. The document concludes with a discussion of administrative shares and an invitation for any final questions.
Windows Server 2003 supports three main file systems: FAT, FAT32, and NTFS. NTFS is recommended as it provides greater security and scalability. Two types of permissions can be configured: shared folder permissions, which apply only to access over the network, and NTFS permissions, which apply to both local and network access. Shared folder permissions are managed through Windows Explorer and Computer Management, while NTFS permissions are configured through the Security tab in file/folder properties. Effective permissions take into account membership in multiple security groups: Allow entries accumulate across all of a user's groups, an explicit Deny overrides Allow, and for access through a share the more restrictive of the share and NTFS permissions applies. The CONVERT utility can change a FAT or FAT32 partition to NTFS in place; the permissions on the converted volume should then be reviewed, since FAT volumes carry no per-file access control.
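How effective permissions come out of group membership, Allow/Deny ordering and the share/NTFS combination described above, as an added example that is not from the summarised document: it models the Windows access-check walk over a canonically ordered ACL (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and requires both the share ACL and the NTFS ACL to grant a network request. Users, groups, ACLs and names are constructed; ownership and privileges such as SeBackupPrivilege, which the real check also honours, are left out.

```python
"""Effective permissions across an NTFS ACL and a share ACL for a user whose token
carries nested group memberships. Added example, not the summarised document's code;
users, groups, ACLs and names below are constructed. It follows the Windows access-check
order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) but ignores
ownership and privileges."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(6))
FULL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNER
MODIFY = READ | WRITE | EXECUTE | DELETE
READ_EXECUTE = READ | EXECUTE
ALL_RIGHTS = [READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER]
# Share permissions (Read / Change / Full Control) expressed in the same bits.
SHARE_READ, SHARE_CHANGE, SHARE_FULL = READ_EXECUTE, MODIFY, FULL


@dataclass(frozen=True)
class Ace:
    principal: str        # user or group name (a SID in a real ACL)
    allow: bool           # False means Deny
    rights: int
    inherited: bool = False


def expand_groups(user: str, members: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Access token: the user plus every group reachable through nested membership."""
    token, frontier = {user}, [user]
    while frontier:
        p = frontier.pop()
        for group, mem in members.items():
            if p in mem and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


def canonical(acl: List[Ace]) -> List[Ace]:
    """Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(token: FrozenSet[str], acl: List[Ace], desired: int) -> bool:
    """Walk the ACL once: a matching Deny that covers any still-ungranted right
    fails the request; matching Allows accumulate until everything is granted."""
    remaining = desired
    for ace in canonical(acl):
        if ace.principal not in token:
            continue
        if not ace.allow and remaining & ace.rights:
            return False
        if ace.allow:
            remaining &= ~ace.rights
        if remaining == 0:
            return True
    return remaining == 0


def effective_rights(token: FrozenSet[str], acl: List[Ace]) -> int:
    """Maximum rights obtainable, as the Effective Access tab reports them."""
    return sum(r for r in ALL_RIGHTS if access_check(token, acl, r))


def network_access(user: str, members: Dict[str, Set[str]], ntfs_acl: List[Ace],
                   share_acl: List[Ace], desired: int) -> bool:
    """Over a share both ACLs must grant the request: the more restrictive wins."""
    token = expand_groups(user, members)
    return access_check(token, share_acl, desired) and access_check(token, ntfs_acl, desired)


# Constructed directory: Staff contains the Sales and Finance groups (nesting).
MEMBERS = {"Sales": {"alice", "bob"}, "Sales-Managers": {"bob"},
           "Finance": {"carol"}, "Staff": {"Sales", "Finance"}}
NTFS_ACL = [
    Ace("Staff", True, READ_EXECUTE, inherited=True),   # inherited from the parent folder
    Ace("Sales-Managers", True, MODIFY),                # explicit Allow
    Ace("Finance", False, WRITE),                       # explicit Deny beats ...
    Ace("carol", True, MODIFY, inherited=True),         # ... this inherited Allow
]
SHARE_ACL = [Ace("Staff", True, SHARE_CHANGE), Ace("Sales-Managers", False, DELETE)]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        tok = expand_groups(user, MEMBERS)
        print(user, "NTFS rights:", effective_rights(tok, NTFS_ACL),
              "delete over share:", network_access(user, MEMBERS, NTFS_ACL, SHARE_ACL, DELETE))
```

In the sample, bob can delete locally because his Sales-Managers membership allows Modify, but not over the share, where a Deny on Delete for the same group wins; carol keeps Delete through an inherited Allow yet loses Write to the explicit Deny on Finance, which is the ordering rule that makes inherited Allows unreliable as a security boundary. Real-world checks differ mainly in that the token is made of SIDs and that the owner and held privileges can override the ACL.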
This document summarizes different methods for monitoring and remotely accessing systems. It discusses the differences between historical and real-time monitoring, and outlines ways to monitor user machines, servers, and remotely log into machines using Remote Desktop Services. Specific monitoring tools covered include Microsoft Management Console, Event Viewer, Task Manager, Performance Monitor, and event and performance logs. The document provides examples of information to monitor and considerations for remote access and server monitoring.
This document discusses servers and services in a network. It describes domain controllers, file and print servers, and server roles like Windows Internet Name Service (WINS) and Domain Name System (DNS). It also discusses Windows Server 2008 editions, reasons for using servers over desktops, best practices for running servers, and provides a case study of Nottingham Trent University's network infrastructure.
Group Policy Objects (GPOs) allow administrators to apply settings and restrictions to users and computers in Active Directory. GPOs can configure software, security, and other settings. Administrators use the Group Policy Management console to create and edit GPOs. Administrative templates define where specific policy settings are stored in the registry and are used to configure GPO settings. GPOs help administrators centrally manage network configurations and security policies.
This document provides an overview of object naming and structuring in Active Directory domains. It discusses the different types of objects like computers, users, and groups. It emphasizes the importance of planning object naming conventions and describes different naming methods. The document also covers creating and managing user and computer accounts, as well as creating and using groups to administer permissions to resources. Best practices are provided around setting strong passwords, using templates for consistency, and importing accounts.
Overview of Identity and Access Management Product LineNovell
Attend the two-hour foundation session on the Identity and Access Management product line from Novell and start your BrainShare right! This session will deliver a high-level overview of the full Identity and Access Management product line. It will highlight how the products work together as an integrated solution, and the session has a modular format so you can attend the product overviews you are most interested in. The session will provide real life examples of integration-focused benefits, followed by a 25 minute overview and update on each of the products: Novell Identity Manager, Novell Access Manager and Novell SecureLogin.
Active Directory File Permissions. Get Fast Answers to Who? What?SolarWinds
Need instantaneous visibility into user group permissions? Look no further. SolarWinds has a Free Tool that provides you a complete hierarchical view of the effective permissions access rights for a specific file folder (NTFS) or share drive! Learn more.
Intel IT's Identity and Access Management JourneyIntel IT Center
Intel IT's identity and access management journey involved moving from a 20-year old custom solution to a new agile approach using a small set of off-the-shelf solutions and web services. The goals were to provide simple, easy, and controlled access from any device or location while improving user experience, flexibility, and risk mitigation. A high-level reference architecture was proposed using core identity management services, entitlement management, authentication, and authorization federated through cloud applications. A co-existence strategy would transition applications gradually to the new platform while treating the legacy system as a managed source. Significant progress had been made but more work remained to fully achieve the vision.
Hacking Microsoft Remote Desktop Services for Fun and ProfitAlisa Esage Шевченко
This document discusses hacking Microsoft Remote Desktop Services to gain unauthorized access and control of systems. It proposes solutions to bypass authentication, allow multiple concurrent user sessions, and monitor/control the active console session through a combination of patching key system functions and configuration changes. The author outlines exploiting existing Remote Desktop functionality rather than writing custom code, noting operating systems contain plenty of reusable code and functionality for offensive purposes.
Identity and Access Management in the Era of Digital TransformationWSO2
Solutions for strong identity and access management (IAM), whether the user is a person or a device, is critical to the success of a digital business. And, because a variety of digital apps and services now span many ecosystems, federated identity management is that much more important for ensuring robust security without compromising usability and the customer’s experience.
The more systems you integrate while using a single identity, the weaker security becomes, creating high demand for multi-factor authentication and authorization. This makes IAM a necessity rather than an option when transforming digitally.
In this session, Prabath Siriwardena, director of security architecture at WSO2, explored the challenges of IAM that needs to be addressed when preparing your enterprise for digital transformation. He also explains why these are important considerations.
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017Amazon Web Services
The document discusses security, identity, and access management on AWS. It covers physical security of AWS data centers, network security best practices, the shared security responsibility model between AWS and customers, authentication and authorization methods including IAM users and roles, security group configuration, and best practices for access management and monitoring on AWS.
Identity and Access Management from Microsoft and Razor TechnologyDavid J Rosenthal
Azure Active Directory provides identity and access management capabilities that enable enterprises to securely manage access to thousands of cloud, mobile, and on-premises applications using a single identity for each user. The document discusses features of Azure Active Directory including single sign-on, user lifecycle management, integration with on-premises directories, security capabilities like multifactor authentication and conditional access, and tools for IT administration and end user self-service. Case studies are presented that highlight how various large companies leverage Azure Active Directory.
Security from the cloud is challenging traditional approaches. As organizations transition from perimeter-based security towards user-centric approaches, Security and Risk professionals are transitioning to cloud IAM services or IDaaS (Identity as a Service) to manage identities across cloud environments. By overcoming the limitations of legacy on-premises IAM solutions, organizations are accelerating SaaS adoption, increasing user productivity and recognizing greater returns on their cloud investments.
View our slides for IAM overview and learn about:
• Trends in cloud, and the standards to support them
• State of Identity, Digital Trust, Authentication and Access
• Directory Services and Federation
• SSO (Desktop SSO, Web SSO, and Mobile SSO)
• Automating Onboarding Practices, Provisioning and Deprovisioning
Watch the on-demand webinar here: https://www.brighttalk.com/channel/12923/onelogin?utm_source=brighttalk
- Windows Server 2003 provides various security features including authentication, access control, encryption, security policies, and service packs/hot fixes to secure systems.
- It includes tools like Security Configuration Manager to configure and analyze security settings using security templates and Group Policy objects.
- Auditing can be used to track access to resources and review security logs, and features allow configuring auditing of events, objects, and specific resource access.
This document provides an overview of Microsoft Active Directory, including definitions of key terms like domain, domain controller, organizational units, and group policy objects. It also discusses why PPM standalone may not work in an Active Directory environment due to Microsoft defaults preventing unknown programs from running and potential group policy restrictions. The document emphasizes getting accurate details about any issues and working with domain administrators, and reassures that the Level 2 support team can help if needed.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
IAM Methods 2.0 Presentation Michael Nielsen DeloitteIBM Sverige
Deloitte gave their view on an approach for successful identity and access management governance projects togehter with IBM Security Systems and CrossIdeas, an IBM company.
GraphTalks Rome - Identity and Access ManagementNeo4j
This document summarizes a presentation about using graph databases for identity and access management (IAM). It discusses how IAM systems traditionally assume rigid hierarchies that do not reflect modern complex organizations. Graph databases provide a flexible model for IAM by representing relationships between users, roles, devices, and other entities as nodes connected by relationships. This allows querying complex access scenarios and augmenting existing IAM systems. The presentation provides examples of building full IAM systems or augmenting existing ones using a graph database to better model complex real-world relationships.
SQL Server on Linux will provide the SQL Server database engine running natively on Linux. It allows customers choice in deploying SQL Server on the platform of their choice, including Linux, Windows, and containers. The public preview of SQL Server on Linux is available now, with the general availability target for 2017. It brings the full power of SQL Server to Linux, including features like In-Memory OLTP, Always Encrypted, and PolyBase.
This lecture discusses access control and permissions in Windows systems. It covers the structure and use of registry keys, how permissions are applied to registry entries and shares, and differences between NTFS, share, and Active Directory permissions. It also discusses printer server topologies like locally attached printers versus printers connected to a print server. The lecture concludes with a brief overview of permissions in old and modern UNIX/Linux systems.
Active Directory (AD) is a centralized directory service that provides a single point of access for network resources. It utilizes standards like LDAP and DNS to organize users, groups, computers, policies and other objects in a hierarchical structure. Key components of AD include domains, trees, forests, organizational units, and sites. Domains define the boundaries for authentication, administration and replication. Trees and forests connect related domains. Organizational units help organize objects. Sites represent physical network locations and define replication scopes.
Security and LDAP integration in InduSoft Web StudioAVEVA
With cybersecurity threat vectors increasing and attacks on industrial control systems on the rise, it’s more important than ever to take proper safety precautions when developing HMI or SCADA applications. In this webinar, we’ll go over how your application can be integrated with LDAP, and some best practices for developing more secure SCADA/HMI systems.
This document discusses Microsoft Active Directory (AD), a directory service that centrally manages network resources and users. AD utilizes a distributed architecture that replicates information across domain controllers to provide redundancy and availability. Key features of AD include integrating with DNS, providing user and resource management capabilities, and supporting authentication. The document also provides an example of how AD was implemented at a company to reduce IT costs and improve security. Open directory services from Apple are mentioned as an open source alternative to AD.
Active Directory is a directory service and database that allows organizations to centrally manage users, groups, computers, and other network resources. It provides authentication, authorization, and accounting services to clients on the network. Active Directory uses domain controllers to manage objects in the directory and authenticate users. It stores data in an Extensible Storage Engine database and uses sites, domains, organizational units, and other structures to logically organize objects in the directory.
Windows networks can be configured as either a workgroup or domain model. A workgroup treats each computer as equal peers where users directly access shared resources, while a domain uses a centralized domain controller server to authenticate users and allow single sign-on access to resources across multiple client computers. The domain controller contains user and system access credentials and policies to securely manage the network domain. DNS is the domain name system that translates hostname requests to IP addresses through a hierarchical global namespace and allows networks and Internet resources to be located and identified.
This document provides an overview of user and group account types and management in Active Directory. It discusses the three types of user accounts - local, domain, and built-in - and explains how domain accounts are stored centrally and replicated across domains. It also outlines the different types of groups - security, distribution, domain local, global, and universal - and how they can be nested to simplify permission assignments using the AGUDLP strategy. Finally, it lists several methods for automating user and group creation in Active Directory.
The document discusses various technical questions related to Active Directory. It begins by defining Active Directory as a directory structure used on Microsoft Windows to store network and domain information. It then discusses LDAP, connecting Active Directory to third-party directories, the AD database location, SYSVOL folder, application partitions, Global Catalog, and support tools. The remainder of the document provides answers to questions on replication, sites, KCC, ISTG, demoting domain controllers, and other AD administration topics.
Active Directory is a directory service that stores information about a computer network and allows centralized management. It provides features like hierarchical organization, a distributed database, scalability, security, and flexibility. When deploying Active Directory, it is important to plan the domain structure and verify the file system is using NTFS. Windows Server 2016 supports domain and forest functionality levels that determine available features. New features in Windows Server 2016 Active Directory include privileged access management, Azure AD join, and Microsoft Passport. Read-only domain controllers allow read-only access to Active Directory in less secure locations. Prerequisites like server hardware requirements must be met before installing Active Directory.
Active Directory Domain Services (AD DS) is a core component of Active Directory that provides authentication of users and determines access to network resources using security certificates, LDAP, and rights management. It stores identity data in a directory on domain controllers that is replicated across domains. Administrative policies can be centrally configured and applied to objects like users, groups, and organizational units stored in the Active Directory data store.
Windows Server 2003 can function as a domain controller, hosting Active Directory which stores security policies, users, and computers for a centralized domain. It can also provide infrastructure services like DNS, DHCP, and legacy WINS name resolution. Administrators can remotely manage Windows Server 2003 using the Microsoft Management Console with snap-ins, web-based administration, or remote desktop. The server requires configuration of networking settings like static IP addressing when providing infrastructure services to the local area network.
Directory services are used to store information about network resources and users in an enterprise. They provide a centralized, organized method for locating and managing these resources. A directory service stores data in a hierarchical structure with objects and attributes. Some key directory services are Microsoft Active Directory, Novell eDirectory, LDAP, and DNS. Active Directory in particular is widely used and provides features like user authentication, authorization, and policies across a Windows network.
This document provides an overview of managing a Windows Server 2003 environment, including:
1. It describes the different editions of Windows Server 2003 and the roles of standalone servers, member servers, and domain controllers.
2. It explains the goals of Windows Server 2003 network administration and the concepts of workgroups and domains.
3. It provides an introduction to Active Directory, including its logical structure, domains and organizational units, trees and forests, and global catalog.
Ctive directory interview question and answerssankar palla
Active Directory is a centralized database that stores information about a network. It allows for centralized management of users, computers, printers, and other network resources. A domain controller is a server that authenticates users and authorizes access to resources on the network. Active Directory uses protocols like LDAP and KCC to enable replication and management of directory data across multiple domain controllers. Application partitions allow specific Active Directory data to be replicated only to designated domain controllers, providing redundancy.
The document provides information about fundamentals of Windows Server 2008-R2 including chapters on installation of Server 2008, planning storage solutions, Active Directory, creating users and groups, FSMO roles, DHCP server, and child domain controllers. The key points discussed are the minimum hardware requirements for Server 2008, different storage technologies and RAID levels, components of Active Directory like objects and domains, commands for creating users and groups, roles of FSMO components, advantages of additional domain controllers, and concepts related to DHCP servers like scopes, address pools, and reservations.
Active Directory is a directory service that stores information about users, groups, and computers on a network. Domain controllers host Active Directory and perform identity and access management. Administrators can create and manage user accounts locally or through a centralized Active Directory. User accounts must be properly planned, created, maintained, and secured to manage network access.
A domain controller is a server that authenticates users and enforces security policies on a network domain. It stores user account information and allows access to domain resources. The primary responsibilities of a domain controller are to authenticate users when they log in and check their credentials to grant or deny network access. Domain controllers are typically deployed in clusters to ensure high availability. In Microsoft Windows environments, one domain controller acts as the primary domain controller while others act as backup domain controllers.
Active Directory is Microsoft's directory service that is the successor to LAN Manager domains. It aims to provide open standards, high scalability, simplified administration and compatibility with existing Windows NT systems and applications. Active Directory uses a hierarchical structure with domains, trees and forests. It contains objects like users, groups, computers and distribution lists. Changes are replicated between domain controllers to provide multi-master replication. Active Directory relies on DNS and requires at least two domain controllers. It is an important part of Microsoft's strategy with many applications now integrating with it.
This document provides an overview of server management and administration topics including:
1. Managing user and group accounts, including creating accounts in Windows and Linux. Groups are used to organize users and assign permissions.
2. Configuring storage and file systems such as NTFS and Linux partitions. NTFS permissions control file access on Windows servers.
3. Sharing files and printers using protocols like SMB and setting share permissions in Windows. Tools for sharing resources in Windows and Linux are described.
4. Monitoring system performance and reliability using tools in Windows Server like Event Viewer, Performance Monitor, and Windows System Resource Manager.
This document summarizes aspects of the user experience that are affected by network design, including disk space, printing, login access to resources, applications, email, and speed of task completion. It provides details on configuring disk quotas in Windows and Linux to manage disk space usage. It also covers configuring shared printers for clients and using printer pooling. The use of user profiles to provide customized environments for users is described.
This document summarizes aspects of the user experience that are affected by network design, including disk space, printing, login access to resources, applications, email, and speed of task completion. It provides details on configuring disk quotas in Windows and Linux to manage disk space usage. It also covers configuring shared printers for users and using printer pooling. The use of user profiles to provide customized environments is described.
The document discusses Microsoft workgroups and domain networks. A workgroup has no central authority, with each computer storing its own local user accounts. This requires setting up the same account on each machine. A domain network uses directory services like Active Directory to centrally manage user accounts across multiple servers and client computers, providing a more scalable solution for large organizations. Hash tables and functions are also discussed as a method for mapping user names to account information in a directory service database.
This document summarizes key points about installing and managing workstations and client machines on a network. It discusses various methods for installing operating systems, such as locally, using Windows Automated Installation Kit (AIK), or deploying images via the network or servers. Maintaining consistency across workstations is important. The document also outlines the life cycle of a workstation and challenges around configuring systems and addressing entropy over time. Integrating Linux clients is briefly addressed.
This document discusses servers and services in a computer network. It describes the similarities between client and server operating systems like Windows and Linux. Servers can take on different roles to provide services like file storage, printing, email, and more. The document explains DHCP and how it automatically assigns IP addresses to devices on the network. It also discusses the advantages of using server hardware designed for high availability, performance, and reliability over desktop machines.
This document provides an overview of the Network Design & Administration module. It is a second year, 20 credit module that requires an introduction to networks as a prerequisite. The aim is to enable students to plan, configure, and manage networking solutions to support business needs. Learning outcomes include analyzing needs and evaluating solutions, fulfilling legal obligations of a network administrator, and setting up and managing servers. Teaching methods include lectures, seminars, and lab sessions. The module will cover topics like network administration, Powershell scripting, server roles, domains, security, and virtualization. It assumes an existing network infrastructure and focuses on access control and data structures.
Lecture 13, 14 & 15 c# cmd let programming and scriptingWiliam Ferraciolli
This document provides an overview of programming cmdlets and scripting in PowerShell. It discusses why a systems administrator needs programming knowledge, introduces PowerShell and cmdlets, and covers the basics of C# needed to program cmdlets, including classes, methods, properties, exceptions, and namespaces. It describes the anatomy of a cmdlet, including parameters, processing methods, and snap-ins. Finally, it provides an example PowerShell script and discusses additional scripting features. The document aims to equip readers with the fundamental skills to begin programming their own PowerShell cmdlets and scripts.
This document discusses different methods for password authentication and recovery. It describes captchas as a challenge-response test to verify humans by having them type distorted text from images. It also discusses graphical passwords that use image recognition and click-based patterns. For password recovery, it explains using challenge-response pairs where users enroll questions and answers, or systems probe the user's knowledge through recent interactions or personal details. Security aspects like guessing difficulty of the answers are also covered.
Access control permits or denies access to resources based on authentication and authorization. Authentication verifies the identity of users and systems, while authorization determines the resources a user can access based on discretionary access control using access control lists, mandatory access control using security labels, or role-based access control assigning roles and permissions.
This document discusses methods of computer security defense. It describes threats like viruses that can harm systems by exploiting vulnerabilities. It then outlines various defense methods including software controls like access limitations in operating systems and applications, encryption to scramble sensitive data, and physical/hardware controls like locks, firewalls and intrusion detection systems. The goal is to prevent, deter, detect, and recover from harms using a combination of these technical and physical countermeasures.
The document discusses social engineering techniques used to manipulate people into providing confidential information or performing actions. It describes various social engineering attacks like pretexting, phishing, phone phishing, baiting, and quid pro quo. Pretexting involves creating a fake scenario to get information, while phishing uses fraudulent emails. Phone phishing replicates legitimate phone systems to steal information. Baiting leaves infected devices in public places, and quid pro quo offers to help with technical issues in exchange for access.
This document discusses various web application attacks including session hijacking, code injection, cross-site scripting (XSS), pharming, and URL spoofing. It provides details on how each attack works, examples, and potential defenses. Session hijacking involves stealing valid session IDs to take over user sessions. Code injection involves introducing malicious code via data inputs. XSS involves injecting client-side scripts to bypass access controls. Pharming and URL spoofing involve redirecting users to fake websites to steal login credentials.
This document discusses various OS-based attacks and password attacks that can be used by attackers once they have exploited vulnerabilities in operating systems or application software. It describes buffer overflows, stack smashing attacks, dangling and wild pointers, and different types of password attacks like guessing, dictionary attacks, and brute-force attacks. The document is divided into multiple pages and provides details on how these attacks work, including diagrams of call stacks and processes in memory.
This document summarizes network-based attacks including IP address spoofing, man-in-the-middle attacks, and denial-of-service attacks. IP address spoofing involves forging the source IP address to gain unauthorized access or hide an attacker's identity. Man-in-the-middle attacks allow an attacker to intercept and control communications between two parties. Denial-of-service attacks like SYN flooding, Smurf attacks, and distributed denial-of-service attacks aim to overload systems by exceeding their resources. Specific techniques for each attack are described in further detail.
This document provides an overview of network security concepts including:
- The OSI reference model which defines 7 layers of network architecture.
- Common network devices like switches, routers, and hubs.
- Reconnaissance and scanning phases that attackers use to identify vulnerabilities.
- Network-based attacks such as sniffing, spoofing, and denial-of-service attacks.
- Sniffing software and hardware that can intercept and analyze network traffic.
This document provides an overview of various types of host-based attacks, including backdoors, viruses, worms, trojans, rootkits, and spyware. It discusses the characteristics and infection methods of each type of malicious code or software. The document emphasizes that host-based attacks are becoming more sophisticated over time, leading to an arms race between attackers and security developers, with attackers usually staying one step ahead due to their professional training and links to organized crime.
The document summarizes key findings from the 2010/2011 CSI Computer Security Survey. It found that the most expensive incidents were financial fraud at an average cost of $500,000, while bot infections averaged $350,000. Viruses were the most common incident at 49% of respondents. Other frequent incidents included insider abuse (44%) and theft of mobile devices (42%). Respondents reported using technologies like firewalls, antivirus software, and encryption to combat security threats.
This document discusses different types of attackers that threaten computer security:
- Opportunists seize opportunities without concern of getting caught. Emotional attackers seek revenge or fun and accept high risks. Cold intellectual attackers are professionals who attack for personal gain while minimizing risks. Terrorists and insiders also pose threats.
- Insider attackers are particularly concerning as employees are one of the biggest threats, whether malicious or accidental. Insiders are often unwittingly manipulated by outsiders through tricks. Their motivations can include expected personal gains, revenge, or improving their position.
- Common insider attacks include leaking information, stealing data or services, tampering with systems, sabotage, and vandalism. Pre
This document summarizes a lecture on computer security threats and vulnerabilities. It defines harm, threats, and vulnerabilities, and outlines six basic types of harm: modification, destruction, disclosure, interception, interruption, and fabrication. It also discusses common vulnerabilities like password flaws, software bugs, and social engineering. Finally, it notes that defenses against threats aim to satisfy security requirements through encryption, software controls, and physical/hardware controls.
This document provides an overview of a computer security management module. It introduces the module leader, assessments, and gives a high-level overview of topics to be covered including threats and risk management, security strategy, and ethics and law. It defines key concepts such as computer security, security risks, and aspects of computer security including host, network, people, and forensic security. The module aims to develop awareness of security threats and apply risk management principles to address threats and enable business continuity.
Network Design & Administration

2. Group Types
• When defining a group, need to consider its type.
• This will dictate what it can and cannot do (i.e. security and permissions of group).
• Four basic types of groups:
  • Distribution groups
  • Security groups
  • Application basic groups
  • LDAP query groups
• Administrators mostly use security groups to specify what permissions the group has when interacting with a resource.
• Distribution groups are used when limited access to a resource is required (e.g. used extensively in MS Exchange Server for sending emails to groups).
3. Groups Scope
• Groups have a Scope.
• Depending on its scope, a group can be assigned permissions to different extents in the domain structure.
• There are three types of scope:
  • Domain Local
  • Global
  • Universal
• Group scope is affected by the Functional Level of the domain in which it exists.
• The functional level of a domain is dictated by the lowest version of Windows Server running as a domain controller within the domain.
• This can also dictate the functional level of a forest.
4. Domain Functional Levels[1]
• Limits what functionality domain controllers offer within the domain.
• All functional levels provide the default Active Directory Domain Services feature set plus additional features depending on the operating system.

Functional Level: Features[1]
Windows 2000 Native: Universal groups enabled for distribution and security groups; group nesting; group conversion; SID history.
Windows Server 2003: Domain rename; last logon timestamp; password setting on inetOrgPerson / User objects; redirect users/computers containers; authorisation manager policies; constrained delegation; selective authorisation.
Windows Server 2008: Distributed File System replication of SYSVOL; Advanced Encryption Services for Kerberos; interactive logon info; fine-grained password policies.
Windows Server 2008 R2: Active Directory domain recycle bin.
5. Forest Functional Levels[1]
• Domain functional levels impact the forest functional level.
• Each Server version adds more features to basic forest functionality.

Forest Functional Level: Features[1]
Windows 2000: Default AD feature set.
Windows Server 2003: Forest trust; domain rename; linked value replication; Read-only domain controllers (RODC); improved knowledge consistency checker; dynamic objects; deactivation/redefinition of attributes and classes in schema.
Windows Server 2008: No additional forest level features; will default to a Server 2008 FL instead of a 2003 FL.
Windows Server 2008 R2:
6. Group Scope Revisited![2]
• Scope can be domain local, global, or universal.

Domain Local
  Group membership can include[2]: user accounts from any domain in the forest; global groups or universal groups from any domain in the forest; user accounts or global or universal groups from any domain in a trusted forest; nested domain local groups from the local domain.
  Can be used to[2]: assign access to resources only in the local domain, on all servers in the domain running Windows Server 2000/2003/2008.

Global
  Group membership can include[2]: user accounts from the domain where the group is created; nested global groups from the local domain.
  Can be used to[2]: assign access to resources in all domains in the forest or between trusted forests, on member servers running Windows Server.

Universal
  Group membership can include[2]: user accounts from any domain in the forest; global groups from any domain in the forest; nested universal groups from any domain in the forest.
  Can be used to[2]: assign access to resources in all domains in the forest or between trusted forests, on all servers running Windows Server 2000 and later.
7. Why?
• Allows different groups different degrees of permission when included within each other.
• Different sorts of objects are allowed membership of different group types (scopes).
• Remember, this applies to security groups. Distribution groups, as mentioned previously, only relate to directory-aware applications (e.g. MS Exchange).
• Since security groups can also be used as distribution groups, often don't bother with the latter.
8. Domain Local Groups
• Available even in lower domain functional levels.
• Typically assigned permissions to resources (e.g. shared folder or printer).
• Then allows easier group nesting.
• Can also be used to group users from the same domain needing the same permissions to access a resource in the same domain.
• Can only be used to assign permissions to resources in the domain in which they were created (the meaning of domain local!)
• See table for permitted membership.
9. Global groups
• Often used to gather users or computers together in the same domain with the same role or function, or requiring similar access requirements.
• Can only include members from within their own domain (including other global groups from the same domain).
• Can be granted permissions for resources in any domain in the forest and in trusted domains in other forests.
• Not replicated outside of their own domain; using them minimises replication traffic to the global catalogue.
• Use these for objects that require frequent maintenance (e.g. user or computer accounts).
10. Universal groups
• Used mainly to grant access to related resources in multiple domains.
  • e.g. if executives need access to printers throughout the network.
• Mainly used to consolidate groups that span multiple domains; unnecessary in single-domain networks.
• Best practice:
  • Create a global group in each domain for user or computer accounts, then a universal group contains the global groups.
  • Avoids too much replication traffic, since universal group membership changes infrequently.
11. Global & Domain Local Groups - Planning
1. Create domain local groups for shared resources (e.g. a group for a set of colour printers).
2. Assign resource permissions to the domain local group (e.g. whatever permissions are needed to use the printers).
3. Create global groups for users with common roles (e.g. Accounts or Sales).
4. Add global groups into the appropriate domain local groups (e.g. to give Sales access to the specialist printers).
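The four planning steps above as a PowerShell script. This is an added example, not from the lecture or the Resource Kit; it assumes the RSAT ActiveDirectory module, a domain corp.example (NetBIOS name CORP), an OU named Groups, a user jsmith, and a shared folder D:\Shares\ColourPrinters standing in for the printer resource. All of those names are placeholders.

```powershell
# Added example: the AGDLP plan from the slide as PowerShell.
# Assumptions (placeholders, not from the lecture): RSAT ActiveDirectory
# module, domain corp.example (NetBIOS CORP), OU "Groups", user jsmith,
# and a shared folder standing in for the colour-printer resource.
using namespace System.Security.AccessControl
Import-Module ActiveDirectory

$groupOU  = 'OU=Groups,DC=corp,DC=example'   # placeholder OU
$resource = 'D:\Shares\ColourPrinters'        # placeholder resource path

# Step 1: a domain local group that represents the shared resource.
New-ADGroup -Name 'RES_ColourPrinters_Use' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU `
    -Description 'May use the colour printers'

# Step 2: grant the resource permissions to that domain local group only.
# The ACE inherits to subfolders and files (ContainerInherit, ObjectInherit),
# so anything created under the folder picks it up automatically.
$acl  = Get-Acl -Path $resource
$rule = [FileSystemAccessRule]::new(
    'CORP\RES_ColourPrinters_Use',
    [FileSystemRights]::Modify,
    [InheritanceFlags]'ContainerInherit, ObjectInherit',
    [PropagationFlags]::None,
    [AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# Step 3: global groups for roles; these hold the user/computer accounts.
foreach ($role in 'Sales', 'Accounts') {
    New-ADGroup -Name "ROLE_$role" -GroupScope Global `
        -GroupCategory Security -Path $groupOU
}
Add-ADGroupMember -Identity 'ROLE_Sales' -Members 'jsmith'   # placeholder user

# Step 4: nest the role groups that need the resource into the resource group.
# Users never appear on the ACL; changing who has access is a group edit.
Add-ADGroupMember -Identity 'RES_ColourPrinters_Use' -Members 'ROLE_Sales'

# Check the result: the domain local group contains the global group, and the
# folder's ACL carries one ACE for the resource group.
Get-ADGroupMember -Identity 'RES_ColourPrinters_Use' |
    Select-Object Name, objectClass
(Get-Acl -Path $resource).Access |
    Where-Object { $_.IdentityReference -like '*RES_ColourPrinters_Use' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it from an account that can create groups in the OU and change the folder's ACL. Because people sit in the global role group and only the domain local group is named on the ACE, giving or revoking a person's access is an Add-ADGroupMember / Remove-ADGroupMember change; the resource ACL never needs editing.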
12. Permissions
• A privilege granted to a user, group or computer to perform a particular action or access a particular resource.
• Windows Server 2008 has many different sorts of permissions; the most visible are:
  • File-system: access to files & folders under NTFS.
  • Share: access to file system and printer shares.
  • AD: access to Active Directory objects.
  • Registry: access to registry keys.
• They are all separate/different!
13. Access Control Lists (ACL)
• An Access Control List is associated with the object being accessed, not the object accessing it.
• Lists all security principals that can access that object (e.g. users, groups, etc.).
• Also lists what operations can be done to the object.
• List made out of Access Control Entries (ACEs) (i.e. the name of the security principal and the permissions it has been granted).
• Example:
  /home/cmp3robinj/
  [ACL] Access Control Entry
    (cmp3robinj, read)
    (cmp3robinj, write)
    (cmp3robinj, create)
    (cmp3robinj, delete)
    (admins, read)
    (admins, write)
14. NTFS Permissions
• Mostly can use Standard permissions for NTFS files and folders:
  • Read, Read & Execute, Write, Modify, List Folder Contents, Full Control
• Occasionally need to set up more fine-grained control, using the 14 NTFS Special Permissions.
• The Standard permissions are just a convenient grouping into the most frequently used sets.
• There are slight differences when permissions are applied to a file rather than a folder (and List Folder Contents is obviously not applicable to files!)
15. Example Permissions
[Screenshot of a folder's permission list, not reproduced; slide annotations:]
• Creator Owner is a 'Special User'. Will discuss again later.
• Permissions can be explicitly Allowed or Denied.
• Note: the list in this case gives Users Read & Execute, List folder contents and Read permissions only.
16. Access to Special Permissions
[Screenshot not reproduced; slide annotations:]
• Note that permissions can be inherited from higher folders (not applicable when it's C:).
• To make more detailed changes, need to edit an individual ACE.
17. Example Permissions Breakdown
"Read & Execute" is composed of:
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Read Permissions
• Synchronise
• Traverse Folder/Execute File
Traverse Folder/Execute File lets security principals move through inaccessible folders to reach folders/files they are allowed to access. Without this, get the "Read" Standard Permission.
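To see in code which Special permissions (slide 14) sit behind a Standard permission such as the Read & Execute breakdown above, here is an added example, not from the lecture, that reads the .NET FileSystemRights enumeration, which is the same set of flags Get-Acl and Set-Acl work with. Get-SpecialPermissions is my own function name, and the script goes slightly beyond the slide by tabulating all of the Standard permissions, not just Read & Execute.

```powershell
# Added example: decompose an NTFS Standard permission into the Special
# permissions (individual rights bits) it bundles, using the .NET
# FileSystemRights enumeration behind Get-Acl / Set-Acl.
using namespace System.Security.AccessControl

function Get-SpecialPermissions {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)

    # Index every single-bit member of the enum by its value. Several names
    # share one bit (ListDirectory/ReadData, Traverse/ExecuteFile, ...):
    # the same bit means "list" on a folder and "read data" on a file,
    # which is the file-versus-folder difference the slide mentions.
    $singleBits = @{}
    foreach ($name in [Enum]::GetNames([FileSystemRights])) {
        $value = [int][Enum]::Parse([FileSystemRights], $name)
        if ($value -gt 0 -and ($value -band ($value - 1)) -eq 0) {
            if (-not $singleBits.ContainsKey($value)) { $singleBits[$value] = @() }
            $singleBits[$value] += $name
        }
    }

    # Emit one row per bit that is set in the requested rights mask.
    $mask = [int]$Rights
    foreach ($bit in ($singleBits.Keys | Sort-Object)) {
        if (($mask -band $bit) -ne 0) {
            [pscustomobject]@{
                Bit   = '0x{0:X}' -f $bit
                Names = $singleBits[$bit] -join ' / '
            }
        }
    }
}

# The slide's case: which Special permissions make up "Read & Execute"?
Get-SpecialPermissions -Rights ReadAndExecute | Format-Table -AutoSize

# Synchronize is not inside the enum's ReadAndExecute value; the .NET rule
# object adds it to every Allow rule (and strips it from Deny rules), which
# is why the Security dialog lists it under Read & Execute.
$rule = [FileSystemAccessRule]::new('Users', [FileSystemRights]::ReadAndExecute,
                                    [AccessControlType]::Allow)
$rule.FileSystemRights
Get-SpecialPermissions -Rights $rule.FileSystemRights | Format-Table -AutoSize

# Compare the Standard permissions side by side.
foreach ($std in 'Read', 'ReadAndExecute', 'Write', 'Modify', 'FullControl') {
    [pscustomobject]@{
        Standard = $std
        Special  = (Get-SpecialPermissions -Rights $std | ForEach-Object Names) -join '; '
    }
}
```

List Folder Contents has no enum value of its own: in the Security dialog it is Read & Execute applied to a folder with inheritance to subfolders only, which is why the slide says it does not apply to files.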
18. Inheritance Rules for Permissions
• By default, subordinate objects inherit permissions possessed by the parent.
  • e.g. if a user is granted permission to the root of a drive, they have the same permission on all files and subfolders.
• Can counteract inheritance by either:
  • Turning off inheritance, when working with special permissions.
  • Denying permissions explicitly.
19. Precedence Rules for Permissions
• Allowed permissions are cumulative:
  • All of the permissions of a security principal combine to give the Effective Permissions.
• Denied permissions override Allowed permissions:
  • Explicitly denying permissions overrides Allowed from any other source.
• Explicit permissions take precedence over inherited permissions:
  • So an explicit Allow overrides an inherited Deny.
20. Permissions can get complicated!
• As a result, depending on a user's group membership and any permissions given explicitly to that user, get a combination of all of them!
• Not directly shown in the Properties window since it shows separate groups etc.
• e.g. User cmp3robinj is granted Allow Read & Execute on folder ModuleSpecs. But cmp3robinj is also a member of the Lecturers group, which has been granted Allow Full Control, and the Everyone group, granted Allow Read.
• Therefore, cmp3robinj has an effective permission of Allow Full Control on this folder.
• Need to use the Effective Permissions view.
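One way to make the precedence rules concrete, and to check the cmp3robinj example above, is to evaluate a DACL in the order Windows does. The following is an added example, not from the lecture: Get-EffectiveRights and New-Ace are my own names, the ACEs are constructed to match the slide, and the group memberships are assumed. It matches account names rather than SIDs, and, like the Effective Permissions view, it considers only the NTFS DACL.

```powershell
# Added example: a model of the NTFS precedence rules (slides 19 and 20),
# applied to constructed ACEs shaped like the entries of (Get-Acl $path).Access.
# Like the Effective Permissions tab it looks at the NTFS DACL only, ignoring
# share permissions and logon method. Names are matched instead of SIDs,
# which is a simplification of what Windows does.
using namespace System.Security.AccessControl

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)][object[]]$Aces,        # IdentityReference, AccessControlType, FileSystemRights, IsInherited
        [Parameter(Mandatory)][string[]]$Principals   # the user plus every group it is a member of
    )
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow. Each ACE can only settle bits no earlier ACE settled,
    # which is what makes an explicit Allow beat an inherited Deny while an
    # explicit Deny beats an Allow from any other source.
    $ordered = $Aces | Sort-Object -Property `
        @{ Expression = { [int][bool]$_.IsInherited } },
        @{ Expression = { if ("$($_.AccessControlType)" -eq 'Deny') { 0 } else { 1 } } }

    $granted = 0
    $denied  = 0
    foreach ($ace in $ordered) {
        if ($Principals -notcontains [string]$ace.IdentityReference) { continue }
        $bits = [int][FileSystemRights]$ace.FileSystemRights
        if ("$($ace.AccessControlType)" -eq 'Deny') {
            $denied  = $denied  -bor ($bits -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($bits -band (-bnot $denied))
        }
    }
    [pscustomobject]@{
        Allowed = [FileSystemRights]$granted
        Denied  = [FileSystemRights]$denied
    }
}

# Builds a constructed ACE with the same property names a real rule has.
function New-Ace($Identity, $Type, $Rights, $Inherited = $false) {
    [pscustomobject]@{
        IdentityReference = $Identity; AccessControlType = $Type
        FileSystemRights  = $Rights;   IsInherited       = $Inherited
    }
}

# The user and its group memberships from the slide (constructed).
$me = 'cmp3robinj', 'Lecturers', 'Everyone'

# Slide 20: three explicit Allows on the ModuleSpecs folder combine.
$moduleSpecs = @(
    New-Ace 'cmp3robinj' 'Allow' 'ReadAndExecute'
    New-Ace 'Lecturers'  'Allow' 'FullControl'
    New-Ace 'Everyone'   'Allow' 'Read'
)
Get-EffectiveRights -Aces $moduleSpecs -Principals $me

# An explicit Deny on the user is evaluated before every Allow, so the Write
# bits are settled as denied whatever the groups allow.
Get-EffectiveRights -Aces ($moduleSpecs + (New-Ace 'cmp3robinj' 'Deny' 'Write')) -Principals $me

# Explicit beats inherited: an explicit Allow on the user is evaluated before
# an inherited Deny on one of the user's groups.
$inheritedDeny = @(
    New-Ace 'cmp3robinj' 'Allow' 'Modify'
    New-Ace 'Everyone'   'Deny'  'Write' $true
)
Get-EffectiveRights -Aces $inheritedDeny -Principals $me

# The same function accepts a real DACL, e.g. (placeholder path and names):
#   Get-EffectiveRights -Aces (Get-Acl 'D:\Shares\ModuleSpecs').Access `
#       -Principals 'CORP\cmp3robinj', 'CORP\Lecturers', 'Everyone'
```

The first call reproduces the slide's outcome (the three Allows add up to Full Control); the second shows an explicit Deny removing Write from the combined Allows; the third shows an explicit Allow surviving an inherited Deny, as slide 19 states. To turn off inheritance on a folder so that only explicit ACEs apply, call `$acl.SetAccessRuleProtection($true, $true)` on the object returned by Get-Acl (the second argument keeps copies of the inherited ACEs as explicit ones) and write it back with Set-Acl.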
21. Effective Permissions
[Screenshot not reproduced; slide annotations:]
• Checking on a single folder or file to determine a particular user's permissions.
• Only takes account of NTFS interactions. Does not include effects of Share Permissions or login method.
• Read-only!
22. Next time & References
• Further different sorts of permissions, including file shares.
[1] Windows Server 2008 Active Directory Resource Kit, page 181-
[2] Windows Server 2008 Active Directory Resource Kit, pages 368-369