
Lecture 7 naming and structuring objects



  1. Lecture 7: Naming & Structuring Objects
     Network Design & Administration
  2. Objects in a domain…
     • Leaf objects are those at the lowest level in ADS.
     • The most important are Computers and Users.
     • Computer Accounts and User Accounts are both necessary to let a user on a computer access a resource.
     • Groups are ways of organising computers or users to give all members the same permissions or rights.
     • Organisational Units exist mainly to allow admin jobs to be delegated to separate groups (e.g. at different physical sites).
  3. Object Naming
     • This needs planning!
     • Must be considered for all names within the network, i.e. the namespaces used for workstations, servers, users, groups, printers etc.
     • Different companies have different policies, often reflecting their local “attitude”.
     • The larger the organisation, the better documented the policies must be.
  4. Namespace Limitations
     • A flat namespace means names must be unique, e.g. Unix UIDs.
     • A tree-based namespace means the same name can be reused on different branches.
     • Reuse of the same naming structure on different branches may be useful for similar organisational structures (e.g. sales, marketing, accounts names for the company’s offices in different cities).
  5. Naming Methods [1]
     • Question: What considerations need to be taken into account when coming up with names for resources within the network?
     • Need to consider:
       • What names are permitted in the namespace?
       • What names are not permitted in the namespace?
       • How are names selected?
       • How are collisions resolved?
       • When is renaming allowed?
  6. Naming Methods [1]
     • Formulaic – e.g. all NTU student logins are N123456.
     • Descriptive – include facts, e.g. at NTU all lab machines are CIB<room>_<pcnum> (CIB205_13) and printers are <Server>_<Location>_<Type>, e.g. Panhard_CIB2nd_Konica_Col.
     • Functional – specify roles or duties, e.g. admin, webserver01.
     • Thematic – e.g. picard, riker, worf, crusher.
     • No method – sometimes results from a change in thematic methods.
  7. Difficulties with Naming
     • Thematic names – obscurity: remembering what functions are hosted on which server.
     • Formulaic names – if a user reports a fault, do you need them to tell you which workstation they are using?
     • Thematic security – if admins reserve boring names for standard machines and name theirs specially, intruders will know which ones to avoid!
     • Descriptive names with unwanted longevity – names may end up lasting long after the useful information in them has gone (e.g. defunct departments).
  8. User Accounts
     • Do not get confused between local and domain user accounts!
     • Local – grants the user access to that particular computer only (used for Workgroups).
     • Domain – grants the user access to resources across the domain. Domain User Account = Logon Name + Password + Security Identifier (SID).
     • The SID is used to generate security tokens for access to resources.
  9. User Account Names
                          Microsoft                      Linux
     Length               1 to 20 chars*                 No more than 32 chars (8 in NIS)
     Case                 Not case sensitive             Case sensitive**
     Disallowed chars     “ / | * + : ; = ? < > @        Any char except : or LF
     * A name of up to 256 chars can be created, but it cannot be used to log on!
     ** Case is ignored in email addresses [2].
  10. Naming Policy
     • Should be sensible, documented and used!
     • Easily guessable names make email easier to use (since login names are often used for email).
     • Should have a standard way of resolving problems, e.g. duplicates or names that are too long.
     • Standard schemes, e.g.:
       • First.Last
       • Initial.Last
  11. Passwords
     • Strong passwords make it harder for hackers (they take longer to crack).
     • They do not avoid the need for other security measures.
     • Schneier recommends a very strong password, written down and kept in your wallet! [3]
     • Password policies in AD include Complexity Requirements, Minimum and Maximum Password Age, and Password History.
     • The default setting in AD for a new user is “Change password at next logon”.
  12. Security of Passwords
     • Users – make them understand the consequences! Have procedures and documentation in place.
     • Admin – encrypted passwords stored on the system are liable to brute-force attacks, e.g. dictionary attacks.
     • In AD DS, disable Lan Manager Hash (LMHash) storage (it is disabled by default), as the password encryption is very weak and therefore easy to crack. It is only needed for backward compatibility with Win 95/98 and Macintosh [4].
     • In Linux systems, hide encrypted passwords by using the /etc/shadow file, readable only by the superuser.
       • MD5 encryption can be cracked quite easily.
  13. Domain User Accounts
     • System created – can disable but not delete.
     • Default container – should really create your own OU.
  14. Creating User Accounts
     • Must be done by a member of the Enterprise Admins, Domain Admins or Account Operators groups, or by those with delegated permissions.
     • Should really be done after creating an OU for user accounts, though accounts can be moved between containers.
     • Simplest method for creating just one user – select the OU, then Action | New | User, or the Create New User button.
     • There are two pages of information to configure…
       • Note – the account can be disabled at this stage for use as a template or for staff arriving later.
  15. Creating User Accounts: Templates
     • Object templates can be used to base newly created objects on.
     • First, set up a template and set all relevant details.
       • This can either be an existing account or,
       • One specifically for copying (but not a special account type).
     • Make sure the template’s password has been set and the account is disabled.
     • To create a new user account based on a template:
       • Action | Copy will bring up a wizard.
       • This will copy some of the user account’s properties but not the User Logon name.
       • The new account will have a new SID.
  16. Creating User Accounts: Importing from a CSV file
     • Can add multiple users by using csvde.exe (CSV Directory Exchange) to import from a file.
     • First, create a comma-separated-value (CSV) text file of the user information to be imported.
     • Use csvde.exe to import it into AD DS.
     Syntax:
       Input into AD DS:           csvde -i -f <input file name> -k
       Dump AD DS database to CSV: csvde -f <output file name>
     File format example:
       objectClass,sAMAccountName,dn
       user,KentC,"CN=Clark Kent,OU=reporters,DC=DailyPlanet,DC=com"
       user,LaneL,"CN=Lois Lane,OU=reporters,DC=DailyPlanet,DC=com"
  17. Creating User Accounts: PowerShell
     • We will cover PowerShell in a lot more detail in a future lecture.
     • Can use the existing command-line tool (dsadd) in a script.
       Syntax:  dsadd user <UserDN> [parameters]
       Example: dsadd user "cn=Clark Kent,OU=reporters,DC=dailyplanet,DC=com" -ln Kent -fn Clark -upn clark.kent@dailyplanet.com
     • Or, use a PowerShell cmdlet:
       Syntax:  New-ADUser <user name> [parameters]
       Example: New-ADUser "Clark Kent"
  18. Groups
     • Used to ease the burden of administering resources for users.
     • By clustering users based on their shared needs, work can be reduced, clarified and made less error-prone.
     • For example, if the Sales Department contains 15 people, consider the difference in administration workload if they all need access to 5 resources. Solution: use a group to manage the required workload.
  19. Active Directory Groups
     • Groups and Group Policy are not directly related, but a Group Policy can affect a Group (we will see more on group policies in later sessions).
     • A group is not restricted by the structure of the AD DS tree.
     • Groups are generally used to cluster resources and users.
  20. Creating New Groups
     • As with Users, Groups can be maintained using the Active Directory Users and Computers snap-in.
     • To add new groups, you need elevated rights (i.e. members of Enterprise Admins, Domain Admins, Account Operators, or those who have been explicitly granted the right).
     • Once the group has been created, you can then add new members via the properties dialogue, or via PowerShell.
     Examples:
       1. dsadd group <groupDN> [parameters] -scope l|g|u
          e.g. dsadd group "cn=copyeditors,ou=personnel,dc=dailyplanet,dc=com" -scope g
       2. New-ADGroup <group name> -GroupScope DomainLocal|Global|Universal
          e.g. New-ADGroup "copyeditors" -GroupScope Global
  21. Computer Objects
     • A logical representation in Active Directory Domain Services of a physical object.
     • Authorises that physical device as a legitimate member of a domain.
     • Has a name, a location and who is allowed to manage it.
     • Inherits group policy settings from its containers, e.g. domain, site or OU.
     • During user login, the computer object interacts with the Domain Controller to check the domain. If OK, then user authorisation occurs.
  22. Adding a Computer to a Domain
     • First create the computer object in AD DS.
     • Then join the computer to the domain.
     • (The computer object can be created as part of the domain-joining process.)
     • To create a computer object, the user must have appropriate permissions for the container in which the object will be located:
       • Administrators can create objects anywhere in the domain.
       • Account Operators can create objects in the Computers container (and OUs they create).
  23. Creating Computer Objects – AD DS Users and Computers
     • Use the Active Directory Users and Computers console.
  24. Creating Computer Objects – PowerShell
     1. Use dsadd.exe
        Syntax:  dsadd computer <computerDN> [parameters]
        Example: dsadd computer "cn=webserver1,cn=computers,dc=dailyplanet,dc=com"
     2. Use the PowerShell cmdlet New-ADComputer
        Syntax:  New-ADComputer <computer name>
        Example: New-ADComputer "webserver1"
        (inserts the new computer into the Computers container by default)
  25. Joining Computers to a Domain
     • Must occur at the computer and be performed by a member of the local Administrators group.
     • Use the System Properties dialogue box.
       • Either specify a name that already exists (but has not yet been associated with a machine),
       • Or specify a new name for a computer object to be created on the fly.
  26. Next Time & References
     • Group Scope
     • How, why, what to assign to groups
     • Access control

     References:
     [1] “The Practice of System and Network Administration”, Limoncelli, Chapter 8.
     [2] RFC 822, section 3.4.7 (1982).
     [3] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
     [4] http://support.microsoft.com/kb/299656
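Worked example (added here, not part of the lecture slides): a Python script that applies the First.Last / Initial.Last naming policy from slide 10, enforces the Windows logon-name limits from slide 9 (20 characters, not case sensitive, disallowed characters), resolves duplicates with a numeric suffix, and writes the csvde import file from slide 16. The reporters OU and the people are constructed sample values; the policy order and suffix scheme are assumptions, not something the lecture prescribes.

```python
import csv
import io

# Windows logon-name rules from the lecture's table: 1 to 20 characters,
# not case sensitive, and none of the characters listed on the slide.
FORBIDDEN = set('"/|*+:;=?<>@')
MAX_LOGON = 20

def clean_part(part: str) -> str:
    """Drop whitespace and forbidden characters from one name component."""
    kept = "".join(c for c in part if c not in FORBIDDEN and not c.isspace())
    if not kept:
        raise ValueError(f"no usable characters in {part!r}")
    return kept

def is_valid_logon(name: str) -> bool:
    """True if the name can be used to log on to a Windows domain."""
    return 1 <= len(name) <= MAX_LOGON and not (set(name) & FORBIDDEN)

def candidate_names(first: str, last: str):
    """Assumed policy order: First.Last, Initial.Last, then Initial.Last plus
    a number; over-long names are trimmed so they stay within MAX_LOGON."""
    first, last = clean_part(first), clean_part(last)
    yield f"{first}.{last}"[:MAX_LOGON]
    initial = f"{first[0]}.{last}"
    yield initial[:MAX_LOGON]
    n = 2
    while True:
        yield initial[:MAX_LOGON - len(str(n))] + str(n)
        n += 1

def assign_logon(first: str, last: str, taken: set) -> str:
    """First valid candidate not already taken; compared case-insensitively
    because Windows logon names are not case sensitive."""
    for cand in candidate_names(first, last):
        if is_valid_logon(cand) and cand.lower() not in taken:
            taken.add(cand.lower())
            return cand

def csvde_rows(people, ou_dn="OU=reporters,DC=DailyPlanet,DC=com") -> str:
    """csvde import file. DNs contain commas, so the csv module quotes them;
    an unquoted DN would be split into extra columns on import."""
    taken, buf = set(), io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["objectClass", "sAMAccountName", "dn"])
    for first, last in people:
        writer.writerow(["user", assign_logon(first, last, taken),
                         f"CN={first} {last},{ou_dn}"])
    return buf.getvalue()
```

Feed the output of csvde_rows to csvde -i -f <file> -k; the quoted DN column is what makes the import parse correctly.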
