Vous êtes sur la page 1sur 39

Active Directory Administration

Lesson 5

Skills Matrix
Technology Skill Objective Domain Objective # 4.1 4.2 Creating Users, Computers, Automate creation of and Groups Active Directory accounts Creating Users, Computers, Maintain Active Directory and Groups accounts

Understanding User Accounts Three types of user accounts can be created and configured in Windows Server 2008:
Local accounts. Domain accounts. Built-in user accounts.

Local Accounts Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Never replicated to other computers, nor do these accounts have domain access.

Domain Accounts
Accounts used to access Active Directory or network-based resources, such as shared folders or printers. Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

Built-in User Accounts Automatically created when Microsoft Windows Server 2008 is installed. Built-in user accounts are created on a member server or a standalone server.
When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.

Built-in User Accounts By default, two built-in user accounts are created on a Windows Server 2008 computer:
Administrator account. Guest account.

Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.

Creating and Managing User Accounts User accounts are usually created and managed with Active Directory Users and Computers.

User Account Properties

User Account Properties

User Account Properties

Group Accounts Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Accounts
When a user logs on, an access token is created that identifies the user and all of the users group memberships. This access token is used to verify a users permissions when the user attempts to access a local or network resource. By using groups, multiple users can be given the same permission level for resources on the network. Since a users access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.

Group Types Distribution groups Non-securityrelated groups created for the distribution of information to one or more persons. Security groups - Security-related groups created for purposes of granting resource access permissions to multiple users.

Group Nesting Users can be members of more than one group. Groups can contain other Active Directory objects, such as computers, and other groups. Groups containing groups is called group nesting.

Group Scopes Global Domain Local Universal

Using Global and Domain Local Groups

These groups can include users, computers, and other global groups from the same domain. You can use them to organize users who have similar functions and therefore similar requirements on the network. These groups can include users, computers, and groups from any domain in the forest. They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.

Domain local

Using Global and Domain Local Groups Assign users within a domain to global groups. Add global groups to domain local groups. Assign permissions to domain local group.

Universal Groups These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest. A universal group can include users, computers, and global groups from any domain in the forest. Changes to universal group membership lists are replicated to all global catalog servers throughout the

AGUDLP Microsoft approach to using groups:

add Accounts to Global groups. add those global groups to Universal groups. Add universal groups to Domain Local groups. Finally, assign Permissions to the domain local groups.

Creating and Managing Groups Creating and managing groups is usually done with Active Directory Users and Computers.

Group Properties

Group Properties

Working with Default Groups Account Operators Can create, modify and delete accounts for users, groups, and computers in all containers and OUs.
Cannot modify administrators, domain admins and enterprise admin groups.

Administrators Complete and unrestricted access to the computer or domain controller. Backup Operators - Can back up

Working with Default Groups

Guests Same privileges as members of the Users group.
Disabled by default

Print Operators Can manage printers and document queues. Server Operators Can log on a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shutdown the computer and modify the system date and time.

Working with Default Groups Users Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions. DNSAdmins Permits administrative access to the DNS server service.

Working with Default Groups Domain Admins Can perform administrative tasks on any computer anywhere in the domain. Domain Computers Contains all computers.
Used to make computer management easier through group policies.

Domain Controllers Contains all computers installed in the domain as a domain controller.

Working with Default Groups Domain Guests Members include all domain guests. Domain Users Members include all domain users.
Used to assign permissions to all users in the domain.

Enterprise Admins Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups Schema Admins Members can manage and modify the Active Directory schema.

Special Identity Groups and Local Groups Authenticated Users Used to allow controlled access to resources throughout the forest or domain. Everyone Used to provide access to resource for all users and guest.
Not recommended to not assign this group to resources.

Group Implementation Plan A plan that states who has the ability and responsibility to create, delete, and manage groups. A policy that states how domain local, global, and universal groups are to be used. A policy that states guidelines for creating new groups and deleting old groups. A naming standards document to keep group names consistent.

Creating Users and Groups Active Directory Users and Computers. Batch files. Comma-Separated Value Directory Exchange (CSVDE). LDAP Data Interchange Format Directory Exchange (LDIFDE). Windows Script Host (WSH).

Three types of user accounts exist in Windows Server 2008:
Local user accounts reside on a local computer and are not replicated to other computers by Active Directory. Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain. Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.

Summary The Administrator account is a builtin domain account that serves as the primary supervisory account in Windows Server 2008.
It can be renamed, but it cannot be deleted.

The Guest account is a built-in account used to assign temporary access to resources.
It can be renamed, but it cannot be deleted.

Summary Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal). Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.

Summary Global groups are used to organize domain users according to their resource access needs.
Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.

Summary Universal groups are used to provide access to resources anywhere in the forest.
Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

Summary The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.

Summary Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments. Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to