
Lesson 5

Active Directory Administration


Skills Matrix
Technology Skill                          Objective Domain                                  Objective #
Creating Users, Computers, and Groups     Automate creation of Active Directory accounts    4.1
Creating Users, Computers, and Groups     Maintain Active Directory accounts                4.2
Understanding User Accounts
Three types of user accounts can be
created and configured in Windows
Server 2008:
Local accounts.
Domain accounts.
Built-in user accounts.
Local Accounts
Used to access the local computer
only and are stored in the local
Security Account Manager (SAM)
database on the computer where
they reside.
Never replicated to other computers,
nor do these accounts have domain
access.
Domain Accounts
Accounts used to access Active Directory or
network-based resources, such as shared
folders or printers.
Account information for these users is
stored in the Active Directory database and
replicated to all domain controllers within
the same domain.
A subset of the domain user account
information is replicated to the global
catalog, which is then replicated to other
global catalog servers throughout the forest.
Built-in User Accounts
Automatically created when Microsoft
Windows Server 2008 is installed.
On a member server or a standalone server,
the built-in accounts are local accounts
stored in that computer's SAM.
When a server is promoted to a domain
controller, local SAM accounts can no longer
be created or managed on that computer; the
built-in accounts it uses from then on are
domain accounts stored in Active Directory.
Built-in User Accounts
By default, two built-in user accounts
are created on a Windows Server 2008
computer:
Administrator account.
Guest account.
Built-in user accounts can be local
accounts or domain accounts,
depending on whether the server is
configured as a standalone server or a
domain controller.
Creating and Managing User Accounts
User accounts are usually created
and managed with Active Directory
Users and Computers.
User Account Properties
Group Accounts
Groups are implemented to allow
administrators to assign rights and
permissions to multiple users
simultaneously.
A group can be defined as a
collection of user or computer
accounts that is used to simplify the
assignment of rights or permissions
to network resources.
RECOMMENDED GROUP STRATEGY

AGUDLP
Group Accounts
When a user logs on, an access token is
created that identifies the user and all of the
user's group memberships (including groups
reached through nesting).
This access token is used to verify a user's
permissions when the user attempts to access a
local or network resource.
By using groups, multiple users can be given the
same permission level for resources on the
network.
A user's access token is built only at logon, so
if you add a user to a group the existing token
does not change: the user must log off and log
back on for the change to take effect. For a
resource on another server, that server builds
its own token from the user's Kerberos service
ticket, so obtaining a fresh ticket also picks
up the new membership there.
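The logoff-and-logon caveat above can be checked directly. The following is an added example, not code from the original slides: it compares the group SIDs carried in the current session's access token with the flattened membership Active Directory reports for the same user (the constructed tokenGroups attribute), and lists any membership that has not reached the token yet. It assumes a domain-joined session, PowerShell 3 or later, and the ActiveDirectory module (shipped with Windows Server 2008 R2 / RSAT).

```powershell
# Added example (not from the original slides): find group memberships that
# exist in AD but are not in the logon token of the current session.
# Assumes: domain-joined session, PowerShell 3+, ActiveDirectory module.
Import-Module ActiveDirectory

# Group SIDs present in the access token that was built at logon.
$token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $token.Groups | ForEach-Object { $_.Value }

# Flattened membership as the domain controller sees it right now
# (tokenGroups already includes nested groups and the primary group).
$sam   = $token.Name.Split('\')[-1]          # "DOMAIN\user" -> "user"
$user  = Get-ADUser -Identity $sam -Properties tokenGroups
$adSids = $user.tokenGroups | ForEach-Object { $_.Value }

# Memberships AD knows about that the running token does not carry.
$pending = $adSids | Where-Object { $tokenSids -notcontains $_ }

foreach ($sid in $pending) {
    # Translate the SID to a name where possible; fall back to the raw SID.
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid
    }
    Write-Output "Not yet in token (log off and on to apply): $name"
}

if (-not $pending) {
    Write-Output 'The current token matches the user''s AD group membership.'
}
```

Run it in the session of the user who was just added to a group; the new group shows up as "Not yet in token" until that user logs on again. Well-known SIDs such as Everyone and Authenticated Users appear only in the token, never in tokenGroups, which is why the comparison is made in one direction only.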
Group Types
Distribution groups - Non-security-related
groups created for the distribution of
information to one or more persons (for
example, e-mail lists). They have no SID in a
user's access token and cannot be placed on
an ACL.
Security groups - Security-related groups
created for the purpose of granting resource
access permissions to multiple users. A
security group can also be used as a
distribution list.
Group Nesting
Users can be members of more than
one group.
Groups can contain other Active
Directory objects, such as computers,
and other groups.
Placing a group in the membership of another
group is called group nesting.
Group Scopes
Global
Domain Local
Universal
Using Global and Domain Local Groups
Global
These groups can include users, computers,
and other global groups from the same
domain.
You can use them to organize users who
have similar functions and therefore similar
requirements on the network.
Domain local
These groups can include users, computers,
and groups from any domain in the forest.
They are most often utilized to grant
permissions for local resources and may be
used to provide access to any resource in
the domain in which they are located.
Using Global and Domain Local Groups
Assign users within a domain to
global groups.
Add global groups to domain local
groups.
Assign permissions to domain local
group.
Universal Groups
These groups can include users and
groups from any domain in the AD DS
forest and can be employed to grant
permissions to any resource in the
forest.
A universal group can include users,
computers, and global groups from any
domain in the forest.
Changes to universal group membership
lists are replicated to all global catalog
servers throughout the forest.
AGUDLP
Microsoft approach to using groups:
Add Accounts to Global groups.
Add those global groups to Universal
groups.
Add universal groups to Domain Local
groups.
Finally, assign Permissions to the
domain local groups.
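Here is the strategy carried out end to end for a single domain, as an added example rather than code from the original slides. It creates a global group for a role, nests it in a domain local group named after the resource and the access level, and puts only the domain local group on the folder's ACL. The names (Sales-Users, ACL-SalesData-Modify, the CORP domain, the OU and the folder path) are assumptions; it needs the ActiveDirectory module and rights to create groups and change the folder's ACL. In a multi-domain forest the universal group step of AGUDLP sits between the global and the domain local group, as shown in the comment.

```powershell
# Added example (not from the original slides): A -> G -> DL -> P in one domain.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # assumed OU for group objects
$folder = 'D:\SalesData'                   # assumed shared folder on this server
$domain = 'CORP'                           # assumed NetBIOS domain name

# A -> G: accounts go into a global group that describes a role, not a resource.
New-ADGroup -Name 'Sales-Users' -GroupScope Global -GroupCategory Security `
    -Path $ou -Description 'Role: members of the Sales department'
Add-ADGroupMember -Identity 'Sales-Users' -Members 'jdoe', 'asmith'

# G -> DL: the role group is nested in a domain local group that names the
# resource and the permission level it will carry.
New-ADGroup -Name 'ACL-SalesData-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ou -Description "Modify on $folder"
Add-ADGroupMember -Identity 'ACL-SalesData-Modify' -Members 'Sales-Users'
# Multi-domain (AGUDLP) variant: create a universal group, add 'Sales-Users'
# and the other domains' role groups to it, and nest that universal group in
# 'ACL-SalesData-Modify' instead of the global group.

# DL -> P: only the domain local group is placed on the resource ACL.
$acl = Get-Acl -Path $folder
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$domain\ACL-SalesData-Modify",
    'Modify',                          # FileSystemRights
    'ContainerInherit, ObjectInherit', # apply to subfolders and files
    'None',                            # PropagationFlags
    'Allow')
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# Check: who actually has Modify on the folder, resolved through the nesting.
Get-ADGroupMember -Identity 'ACL-SalesData-Modify' -Recursive |
    Select-Object Name, objectClass
```

Granting a new team access later is then a change to group membership only (add their global group to ACL-SalesData-Modify); the folder's ACL never has to be touched again, and a review of the ACL shows one entry whose name says what it is for.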
Creating and Managing Groups
Creating and managing groups is
usually done with Active Directory
Users and Computers.
Group Properties
Working with Default Groups
Account Operators - Can create, modify
and delete accounts for users, groups,
and computers in all containers and OUs.
Cannot modify the Administrators, Domain
Admins or Enterprise Admins groups, nor the
accounts of their members. Because it can
change or reset every other account, treat
it as a privileged group.
Administrators - Complete and
unrestricted access to the computer or
domain controller.
Backup Operators - Can back up and
restore all files on the computer
regardless of the permissions set on them.
Working with Default Groups
Guests - Same privileges as members of
the Users group by default. Its only default
member, the Guest account, is disabled by
default.
Print Operators - Can manage printers
and document queues.
Server Operators - Can log on to a server
interactively, create and delete shares,
start and stop some services, back up and
restore files, format disks, shut down the
computer and modify the system date and
time.
Working with Default Groups
Users - Allows general access to run
applications, use printers, shut down
and start the computer and use
network shares for which they are
assigned permissions.
DNSAdmins - Permits administrative
access to the DNS Server service. Because
that service normally runs on domain
controllers, treat this group as privileged.
Working with Default Groups
Domain Admins - Can perform
administrative tasks on any
computer anywhere in the domain.
Domain Computers - Contains all
workstations and member servers
joined to the domain.
Used to make computer management
easier through group policies.
Domain Controllers - Contains all
computers installed in the domain as
a domain controller.
Working with Default Groups
Domain Guests - Members include all
domain guests.
Domain Users - Members include all
domain users.
Used to assign permissions to all users
in the domain.
Enterprise Admins - Has forest-wide
administrative rights, such as the
ability to add and remove domains.
Exists only in the forest root domain.
Working with Default Groups
Schema Admins - Members can
manage and modify the Active
Directory schema. Exists only in the
forest root domain.
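Because membership of the default groups above is what actually decides who can administer the domain, the membership should be reviewed regularly. The following is an added example, not code from the original slides: it expands the nested membership of each of these groups and flags user accounts that are disabled but still members. It assumes PowerShell 3 or later and the ActiveDirectory module, run by an account that can read group membership; group names use the built-in spelling (DnsAdmins is the object name of the DNSAdmins group).

```powershell
# Added example (not from the original slides): report the effective
# (recursively expanded) membership of the default administrative groups.
# Assumes PowerShell 3+ and the ActiveDirectory module.
Import-Module ActiveDirectory

$privileged = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins'
)

$report = foreach ($g in $privileged) {
    # Enterprise Admins and Schema Admins exist only in the forest root,
    # so the lookup may legitimately return nothing in a child domain.
    $group = Get-ADGroup -Filter { Name -eq $g }
    if (-not $group) { continue }

    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        $disabled = $null
        if ($_.objectClass -eq 'user') {
            # A disabled account in an admin group is still a risk: it can be
            # re-enabled by anyone with rights over the account.
            $disabled = -not (Get-ADUser -Identity $_.DistinguishedName).Enabled
        }
        [pscustomobject]@{
            Group    = $g
            Member   = $_.SamAccountName
            Class    = $_.objectClass
            Disabled = $disabled
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize
```

Compare the output with the list of people who are supposed to hold each role; anything else (service accounts, former staff, computer objects) is a finding. The same report run from a baseline and diffed on a schedule is a simple detection for unauthorised additions to these groups.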
Special Identity Groups and Local Groups
Authenticated Users - Used to allow
controlled access to resources throughout
the forest or domain; includes every account
that logged on with a valid credential.
Everyone - Used to provide access to a
resource for all users and guests.
Not recommended to assign this group to
resources; use Authenticated Users or a
purpose-made group instead.
Membership of special identity groups is
determined by the system at logon and cannot
be edited.
Group Implementation Plan
A plan that states who has the ability and
responsibility to create, delete, and
manage groups.
A policy that states how domain local,
global, and universal groups are to be
used.
A policy that states guidelines for creating
new groups and deleting old groups.
A naming standards document to keep
group names consistent.
A standard for group nesting.
Creating Users and Groups
Active Directory Users and Computers.
DS command-line tools, e.g. dsadd user.
Batch files.
Comma-Separated Value Directory
Exchange (CSVDE).
LDAP Data Interchange Format
Directory Exchange (LDIFDE).
Windows Script Host (WSH).
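The bulk methods listed above all take a file of account attributes. As an added example that is not part of the original slides, the script below does the same job with the ActiveDirectory module: it reads user rows from CSV (a small CSV is constructed inline for illustration), generates a random initial password for each account from the OS random number generator, and creates the account enabled with "change password at next logon" set. The OU, UPN suffix and the two users are assumptions. Passwords are deliberately not part of the CSV, which is also why accounts imported with csvde or ldifde stay disabled until a password is set separately.

```powershell
# Added example (not from the original slides): bulk user creation from CSV
# without ever storing passwords in the input file.
# Assumes PowerShell 3+, the ActiveDirectory module and rights to create users.
Import-Module ActiveDirectory

# Constructed sample input; in practice use Import-Csv on the HR export.
$rows = @'
SamAccountName,GivenName,Surname,Department
jdoe,Jane,Doe,Sales
asmith,Alan,Smith,Finance
'@ | ConvertFrom-Csv

$ou        = 'OU=Staff,DC=corp,DC=example'   # assumed target OU
$upnSuffix = 'corp.example'                   # assumed UPN suffix

function New-InitialPassword {
    # 16 characters from a mixed alphabet, bytes drawn from the CSPRNG.
    # (Indexing by byte modulo alphabet length introduces a slight bias;
    # acceptable for a one-time password that must be changed at first logon.)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
    $bytes = New-Object byte[] 16
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($row in $rows) {
    # AD filters cannot dereference $row.Property, so copy it to a plain variable first.
    $sam = $row.SamAccountName
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    New-ADUser -Name "$($row.GivenName) $($row.Surname)" `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$upnSuffix" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -Department $row.Department -Path $ou `
        -AccountPassword $secure `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Hand $plain to the user out of band (help desk, sealed note); do not log it.
    Write-Output "Created $sam in $ou"
}
```

The existence check makes the script safe to re-run after a partial failure, and the per-user random password means a leaked CSV reveals names only. The equivalent single-account command in the older tooling from the list above is dsadd user, which takes the same attributes as switches.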
Summary
Three types of user accounts exist in
Windows Server 2008:
Local user accounts reside on a local
computer and are not replicated to other
computers by Active Directory.
Domain user accounts are created and
stored in Active Directory and replicated to
all domain controllers within a domain.
Built-in user accounts are automatically
created when the operating system is
installed and when a member server is
promoted to a domain controller.
Summary
The Administrator account is a built-in
domain account that serves as the primary
supervisory account in Windows Server
2008.
It can be renamed, but it cannot be deleted.
The Guest account is a built-in account
used to assign temporary access to
resources.
It can be renamed, but it cannot be deleted.
This account is disabled by default and the
password can be left blank.
Summary
Windows Server 2008 group options
include two types (security and
distribution) and three scopes
(domain local, global, and universal).
Domain local groups are placed on
the ACL of resources and assigned
permissions. They typically contain
global groups in their membership
list.
Summary
Global groups are used to organize
domain users according to their
resource access needs.
Global groups are placed in the
membership list of domain local
groups, which are then assigned the
desired permissions to resources.
Summary
Universal groups are used to provide
access to resources anywhere in the
forest.
Their membership lists can contain
global groups and users from any
domain.
Changes to universal group
membership lists are replicated to all
global catalog servers throughout the
forest.
Summary
The recommended permission
assignment strategy (AGUDLP)
places users needing access
permissions in a global group, the
global group in a universal group,
and the universal group in a domain
local group and then assigns
permissions to the domain local
group.
Summary
Group nesting is the process of placing
group accounts in the membership of
other group accounts for the purpose
of simplifying permission assignments.
Multiple users and groups can be
created in Active Directory by using
several methods. Windows Server
2008 offers the ability to use batch
files, CSVDE, LDIFDE, and WSH to
accomplish your administrative goals.
