Week5-Groupaccounts - Week 5: Implementing and Managing Group and Computer Accounts



Week 5: Implementing and Managing Group and Computer Accounts

Objectives
- Understand the purpose of using group accounts to simplify administration
- Create group objects using both graphical and command-line tools
- Manage security groups and distribution groups
- Explain the purpose of the built-in groups created when Active Directory is installed
- Create and manage computer accounts

Introduction to Group Accounts
- A group is a container object
- Used to organize collections of users, computers, contacts and other groups
- Used to simplify administration
- Similar to Organizational Units, except:
  - OUs are not security principals; groups are
  - OUs can only contain objects from their own domain; groups can contain objects from anywhere within the forest

Group Types
- Security groups
  - Identified by a Security Identifier (SID)
  - Can be assigned permissions for resources in discretionary access control lists (DACLs)
  - Can be assigned rights to perform different tasks
  - Can also be used as e-mail entities
- Distribution groups
  - Primarily used as e-mail entities
  - Cannot be used for access control: they cannot be listed in a DACL or assigned rights, because their SID is never added to a user's access token (the group object itself still carries a SID in the directory, which is why it can later be converted to a security group without changing it)

Group Scopes
- Scope defines the logical boundary of a group: which objects it can contain and where it can be assigned permissions
- Both security and distribution groups have scopes
- Three scopes: global, domain local and universal
- The objects allowed within each scope depend on the configured functional level of the domain

Group Scopes (continued)
- Three domain functional levels:
  - Windows 2000 mixed: the default configuration; supports a combination of Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003 domain controllers
  - Windows 2000 native: supports a combination of Windows 2000 Server and Windows Server 2003 domain controllers
  - Windows Server 2003: supports Windows Server 2003 domain controllers only

Global Groups
- Organize users, computers and groups from within the same domain
- Usually represent a geographic location or a job function
- The types of objects allowed in the group depend on the configured functional level of the domain, which in turn depends on the types of domain controllers in the environment

Domain Local Groups
- Created on domain controllers
- Can be assigned rights and permissions to any resource within the same domain
- Can contain users, global groups and universal groups from other domains in the forest
- The specific objects allowed in the group depend on the configured functional level of the domain

Universal Groups
- Typically created to aggregate users or groups from different domains
- Their membership is stored on domain controllers configured as global catalog servers, so membership changes replicate forest-wide
- Can be assigned rights and permissions for any resource within the forest
- Universal security groups can only be created at the Windows 2000 native or Windows Server 2003 domain functional level

Universal Groups (diagram slide)

Universal Groups (continued) (diagram slide)

Creating Group Objects
- Group objects are stored in the Active Directory database
- A variety of tools can be used for creation and management:
  - Active Directory Users and Computers
  - Command-line utilities: DSADD, DSMOD, DSQUERY, etc.
Active Directory Users and Computers
- The primary tool for creating group accounts
- Can also be used to configure the properties of group accounts
- Groups can be created in any built-in container, at the root of the domain object, or in custom OU objects
- The possible group scopes are determined by the functional level the domain is configured to

Active Directory Users and Computers (continued) (screenshot slide)

Converting Group Types
- You may need to change a security group to a distribution group or vice versa
- The type of a group can only be changed if the domain functional level is Windows 2000 native or above

Converting Group Scopes
- The scope of a group can be changed
- The domain functional level must be at least Windows 2000 native
- Supported changes:
  - Global to universal (only if the group is not itself a member of another global group)
  - Domain local to universal (only if the group does not contain another domain local group)
  - Universal to global (only if the group does not contain another universal group)
  - Universal to domain local

Command Line Utilities
- An alternative to Active Directory Users and Computers
- Some administrators prefer command-line utilities
- Command-line utilities are more flexible for group management and creation in some situations, for example bulk changes driven by a script

DSADD
- Introduced in Windows Server 2003
- Used to create new user and group accounts (and other object types)
- Syntax: dsadd group distinguished-name switches
- Switches include: -secgrp, -scope, -memberof, -members
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsadd group /?)

DSADD (continued) (screenshot slide)

DSMOD
- Also introduced in Windows Server 2003
- Allows various object types to be modified from the command line
- Syntax: dsmod group distinguished-name switches
- Switches include: -desc, -rmmbr, -addmbr
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsmod group /?)
DSMOD (continued) (screenshot slide)

DSQUERY
- Also introduced in Windows Server 2003
- Used to query various object types from the command line; returns the distinguished names of the matching objects
- Syntax for groups: dsquery group query
- Supports the wildcard character (*)
- Output can be piped as input to other command-line tools such as dsget, dsmod and dsrm
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsquery group /?)

DSMOVE
- Used to move or rename various object types from the command line
- Syntax: dsmove distinguished-name switches (dsmove takes no object-type keyword; the same form is used for groups, users and computers)
- Switches include: -newparent, -newname
- Can only move objects within a single domain
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsmove /?)

DSRM
- Used to delete various object types from the command line
- Syntax: dsrm distinguished-name switches (like dsmove, dsrm takes no object-type keyword)
- Switches include: -noprompt (suppresses the confirmation prompt) and -subtree (deletes a container together with its contents)
- More help on switches and options is available in the Windows Server 2003 Help and Support Center or at the command line (dsrm /?)

Managing Security Groups
- The strategy for managing security groups uses the acronym A G U DL P:
  1. Create user Accounts (A) and organize them within Global groups (G)
  2. Optional: create Universal groups (U) and place global groups from any domain in the universal groups
  3. Create Domain Local groups (DL) and add the global and universal groups to them
  4. Assign Permissions (P) to the domain local groups

Determining Group Membership
- An important task for administrators is to ensure that users are members of the correct groups
- One method is the Member Of tab in the properties of a user account
  - Shows only the first level of membership (not groups nested within groups)
- The second method is DSGET
  - Returns the requested attribute values for the objects named on its command line or piped in from dsquery

Determining Group Membership (continued)
- Syntax: dsget group distinguished-name switches
- Switches include: -members, -memberof (add -expand to follow nested membership recursively)
- Can also be used as dsget user distinguished-name -memberof to get membership information about a specific user
- Output can be saved to a file: dsget group distinguished-name switches >> filename

Built-In Groups
- When Windows Server 2003 Active Directory is installed, built-in groups are created automatically
- Their rights are pre-assigned
- Stored in the Builtin container and the Users container
- Use built-in groups where possible; this eases the implementation of security rights

The Builtin Container
- Contains a number of domain local group accounts
- Each is allocated different user rights based on common administrative or network-related tasks

The Builtin Container (continued) (screenshot slide)

The Users Container
- Contains a number of domain local and global group accounts, plus universal groups such as Enterprise Admins in a native-mode forest root
- Some groups (for example Enterprise Admins and Schema Admins) are found only in the root domain of an Active Directory forest rather than in each individual domain

The Users Container (continued) (screenshot slide)

Creating and Managing Computer Accounts
- Computer accounts are needed for Windows NT 4.0, 2000, XP and Server 2003 domain members
- Can be created during installation or added manually later
- Creation and management tools:
  - Active Directory Users and Computers
  - System applet in Control Panel
  - Command-line utilities

Resetting Computer Accounts
- Secure channel
  - Used by computers that are domain members to communicate with a domain controller
  - Protected by the computer account password, which is changed every 30 days
  - Automatically synchronized between domain controller and workstation
- Occasional synchronization issues arise; the administrator must then reset the computer account
  - Using Active Directory Users and Computers (Reset Account); this resets only the directory side, so the computer must afterwards be rejoined to the domain
  - Using the Netdom.exe command from the Windows Support Tools, which re-establishes the secure channel in place

Summary
- Group accounts reduce administrative effort by enabling assignment of common rights and permissions to multiple users simultaneously
- Two group types:
  - Security groups
  - Distribution groups
- Three scopes are possible for groups:
  - Global groups
  - Domain local groups
  - Universal groups

Summary (continued)
- Group and computer accounts can be created and managed:
  - From Active Directory Users and Computers
  - From command-line utilities
- The Builtin and Users containers and their groups are created automatically at installation with specific pre-assigned rights and permissions
- Windows NT 4.0, 2000, XP and Server 2003 require computer accounts in Active Directory
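Added example for the DSADD/DSMOD/DSQUERY/DSGET slides and the A G U DL P strategy above; this is not code from the original slides. It carries the strategy through with the Windows Server 2003 ds* tools, assigns the final permission with cacls, and then uses dsget -expand to show the nested membership that the Member Of tab would hide. The domain example.com (NetBIOS name EXAMPLE), the OU=Groups and OU=Sales containers, the two user accounts and the folder D:\Shares\Sales are all assumptions made for illustration.

```powershell
# Added example, not part of the original slides: the A G U DL P strategy
# carried out with the Windows Server 2003 ds* tools, followed by the
# permission assignment and a membership check with dsget -expand.
# Assumptions (illustrative, not from the deck): domain example.com with
# NetBIOS name EXAMPLE, existing OU=Groups and OU=Sales containers, two
# existing user accounts, and a local folder D:\Shares\Sales on this server.
# Run as a user allowed to create group objects and to change the folder's ACL.

$domainDN = "DC=example,DC=com"
$groupOU  = "OU=Groups,$domainDN"
$userOU   = "OU=Sales,$domainDN"
$netbios  = "EXAMPLE"
$shareDir = "D:\Shares\Sales"

$globalDN = "CN=G-Sales-Staff,$groupOU"          # G: who (job function)
$localDN  = "CN=DL-SalesShare-Modify,$groupOU"   # DL: what (resource + access level)
$users    = @("CN=Jane Smith,$userOU", "CN=Raj Patel,$userOU")   # A: existing accounts

# Run a native command and stop on a non-zero exit code: the ds* tools and
# cacls report failures (duplicate name, missing parent OU, access denied)
# through the exit code, and a half-applied AGDLP chain is worse than none.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    Write-Host ">> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# G: a global security group for the job function, with the users as members.
Invoke-Native dsadd (@("group", $globalDN, "-secgrp", "yes", "-scope", "g",
                       "-desc", "Sales staff (global)", "-members") + $users)

# U: optional. Only worthwhile when global groups from several domains must be
# aggregated, because universal group membership is replicated to every global
# catalog. Skipped here because everything lives in one domain.

# DL: a domain local security group named for the resource and the access
# level, containing the global group rather than the individual users.
Invoke-Native dsadd @("group", $localDN, "-secgrp", "yes", "-scope", "l",
                      "-desc", "Modify on \\$env:COMPUTERNAME\Sales",
                      "-members", $globalDN)

# P: permissions go on the domain local group only. cacls /E edits the
# existing ACL instead of replacing it; :C grants Change (modify) access.
Invoke-Native cacls @($shareDir, "/E", "/G", "$netbios\DL-SalesShare-Modify:C")

# Check the result. Without -expand, dsget lists only direct members, the same
# first-level view the Member Of tab gives; with -expand it follows the
# nesting, so the users appear under the domain local group.
Invoke-Native dsget @("group", $localDN, "-members", "-expand")
Invoke-Native dsget @("user", $users[0], "-memberof", "-expand")

# dsquery prints one distinguished name per line, which dsget accepts on
# standard input: list the expanded membership of every G-Sales* group.
dsquery group $groupOU -name "G-Sales*" | dsget group -members -expand
```

The naming convention (G- and DL- prefixes, resource plus access level in the domain local group name) is a choice made here, not something the slides prescribe, but it makes the P step auditable: a later `dsget group $localDN -members -expand` shows exactly who can modify the share, and a later `dsmod group $globalDN -rmmbr <user DN>` revokes it without touching the folder's ACL.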
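Added example for the Resetting Computer Accounts slide above; this is not code from the original slides. It verifies a domain member's secure channel with nltest and, only if the check fails, repairs it in place with netdom reset (both tools are in the Windows Server 2003 Support Tools), then verifies again. The DNS domain example.com, the domain controller DC01 and the account EXAMPLE\svc-joinadmin are assumptions for illustration.

```powershell
# Added example, not part of the original slides: verify a domain member's
# secure channel with nltest and repair it in place with netdom reset.
# Both tools come from the Windows Server 2003 Support Tools.
# Assumptions (illustrative): DNS domain example.com, a domain controller
# named DC01, and a domain account EXAMPLE\svc-joinadmin that is allowed to
# reset computer accounts. Run on the affected workstation as a local
# administrator; netdom prompts for the account's password.

$domain   = "example.com"
$dc       = "DC01"
$admin    = "EXAMPLE\svc-joinadmin"
$computer = $env:COMPUTERNAME

# nltest /sc_verify re-validates the channel against a DC and reports
# "Trusted DC Connection Status Status = 0 0x0 NERR_Success" when the
# computer account password still matches on both sides.
function Test-SecureChannel {
    $out = nltest /sc_verify:$domain 2>&1 | Out-String
    Write-Host $out
    return ($out -match "NERR_Success")
}

# netdom reset resets the computer account password on both the workstation
# and the directory and re-establishes the channel, so no rejoin is needed.
# Reset Account in Active Directory Users and Computers (or
# "dsmod computer <DN> -reset" on a DC) changes only the directory side and
# leaves the workstation with a stale secret, which is why that path ends
# with rejoining the computer to the domain.
function Repair-SecureChannel {
    netdom reset $computer /domain:$domain /server:$dc /userO:$admin /passwordO:*
    if ($LASTEXITCODE -ne 0) { throw "netdom reset failed with exit code $LASTEXITCODE" }
}

if (Test-SecureChannel) {
    Write-Host "Secure channel to $domain is healthy; nothing to do."
} else {
    Write-Host "Secure channel to $domain is broken; resetting via $dc ..."
    Repair-SecureChannel
    if (-not (Test-SecureChannel)) { throw "secure channel still broken after reset" }
    Write-Host "Secure channel re-established."
}
```

Checking before resetting matters: a reset is a credential change for the computer account, and running it on a healthy machine only adds a password rotation (and a Kerberos ticket refresh) that nobody asked for. Pinning the reset to a named DC with /server also avoids the case where the workstation repairs its channel against one DC while the stale password is still replicating from another.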

This note was uploaded on 03/28/2010 for the course IMPLEMENTI 70-290 taught by Professor None during the Three '10 term at University of Sydney.
