
CN1276 Server (V3)

Kemtis Kunanuraksapong, MSIS with Distinction, MCT, MCTS, MCDST, MCP, A+. Agenda: Chapter 5: Active Directory Administration, Quiz, Exercise.


Presentation Transcript


  1. CN1276 Server (V3) Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

  2. Agenda • Chapter 5: Active Directory Administration • Quiz • Exercise

  3. Understanding User Accounts • Three types of user accounts can be created and configured in Windows Server 2008: • Local accounts • Domain accounts • Built-in user accounts

  4. Security guidelines • Rename the Administrator account • Set a strong password • Limit knowledge of administrator passwords to only a few individuals • Do not use the Administrator account for daily non-administrative tasks • Rename the Guest account after enabling it for use • Set a strong password

  5. Group Accounts • Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. • A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

  6. Group Types • Distribution groups • Non-security-related groups created for the distribution of information to one or more persons. • Security groups • Security-related groups created for purposes of granting resource access permissions to multiple users.

  7. Group Nesting • Users can be members of more than one group. • Groups can contain other Active Directory objects, such as computers, and other groups. • Placing groups inside other groups is called group nesting.

  8. Group Scopes
     • Domain Local
       • These groups can include users, computers, global groups, and universal groups from any domain
       • To assign permissions to any resource in the domain in which they are located
     • Global
       • These groups can include users, computers, and global groups only from within the same domain
       • To assign permission to resources that reside in any domain in the forest
       • Global group memberships are replicated only to DCs within the same domain
     • Universal
       • Same as global group, but the group memberships should not change frequently because these groups are stored in the GC

  9. Using Global and Domain Local Groups • Assign users within a domain to global groups. • Add global groups to domain local groups. • Assign permissions to domain local group.

  10. AGUDLP • Microsoft approach to using groups: • add Accounts to Global groups. • add those global groups to Universal groups. • Add universal groups to Domain Local groups. • Finally, assign Permissions to the domain local groups.
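
The nesting order from the Group Scopes and AGUDLP slides can be checked mechanically. The following PowerShell is an added example, not part of the original presentation: it runs on constructed in-memory data (all group, user and share names are hypothetical) and reports memberships and permissions that break the Accounts, Global, Universal, Domain Local, Permissions chain.

```powershell
# Constructed sample data; every group, user and share name is hypothetical.
$principal = @{
    'jsmith' = 'User'; 'mary.north' = 'User'
    'G-Sales' = 'Global'; 'U-AllSales' = 'Universal'
    'DL-Sales-Read' = 'DomainLocal'; 'DL-Sales-Write' = 'DomainLocal'
}
$membership = @(
    [pscustomobject]@{ Group = 'G-Sales';        Member = 'jsmith' }
    [pscustomobject]@{ Group = 'U-AllSales';     Member = 'G-Sales' }
    [pscustomobject]@{ Group = 'DL-Sales-Read';  Member = 'U-AllSales' }
    [pscustomobject]@{ Group = 'DL-Sales-Write'; Member = 'mary.north' }     # account in a DL group
    [pscustomobject]@{ Group = 'G-Sales';        Member = 'DL-Sales-Write' } # DL group inside a global group
)
$ace = @(
    [pscustomobject]@{ Resource = '\\fs01\sales'; Trustee = 'DL-Sales-Read' }
    [pscustomobject]@{ Resource = '\\fs01\sales'; Trustee = 'G-Sales' }      # permission on a global group
)

# Member types each scope may hold under the A -> G -> U -> DL chain. This is the
# convention from the slides, stricter than what Active Directory itself accepts.
$allowed = @{
    Global      = @('User', 'Computer', 'Global')
    Universal   = @('Global', 'Universal')
    DomainLocal = @('Global', 'Universal')
}

function Test-AgudlpNesting {
    param($Principal, $Membership, $Ace, $Allowed)
    foreach ($m in $Membership) {
        $scope = $Principal[$m.Group]
        $type  = $Principal[$m.Member]
        if (-not $type) { $type = 'Unknown' }   # member missing from the export
        if ($Allowed[$scope] -notcontains $type) {
            [pscustomobject]@{ Object = $m.Group
                               Issue  = "$type '$($m.Member)' is a direct member of a $scope group" }
        }
    }
    foreach ($a in $Ace) {
        # Permissions belong on domain local groups only.
        if ($Principal[$a.Trustee] -ne 'DomainLocal') {
            [pscustomobject]@{ Object = $a.Resource
                               Issue  = "permission granted to '$($a.Trustee)', not a domain local group" }
        }
    }
}

Test-AgudlpNesting $principal $membership $ace $allowed | Format-Table -AutoSize -Wrap
```

With the sample data the function returns three findings: the user placed directly in `DL-Sales-Write`, the domain local group nested in `G-Sales`, and the share permission granted to `G-Sales`.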

  11. Creating and Managing Groups • Creating and managing groups is usually done with Active Directory Users and Computers.

  12. Working with Default Groups • Account Operators • Can create, modify and delete accounts for users, groups, and computers in all containers and OUs. • Cannot modify administrators, domain admins and enterprise admin groups. • Administrators • Backup Operators • Guests • Disabled by default

  13. Working with Default Groups • Print Operators • Can manage printers and document queues. • Server Operators • Can log on a server interactively • Create and delete shares, start and stop some services • Back up and restore files • Format the disk, shutdown the computer and modify the system date and time.

  14. Working with Default Groups • Users • DNSAdmins • Permits administrative access to the DNS server service. • Domain Admins • Domain Computers • Contains all computers. • Used to make computer management easier through group policies. • Domain Controllers – Contains all computers installed in the domain as a domain controller.

  15. Working with Default Groups • Domain Guests • Members include all domain guests. • Domain Users • Used to assign permissions to all users in the domain. • Enterprise Admins • Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

  16. Working with Default Groups • Schema Admins • Members can manage and modify the Active Directory schema. • See Table 5-1 on Page 106 - 111

  17. Special Identity Groups and Local Groups • Authenticated Users • Used to allow controlled access to resources throughout the forest or domain. • Everyone • See Table 5-2 on Page 112 - 113

  18. Group Implementation Plan • A plan that states • who has the ability and responsibility to create, delete, and manage groups. • A policy that states • how domain local, global, and universal groups are to be used. • guidelines for creating new groups and deleting old groups. • A naming standards document to keep group names consistent. • A standard for group nesting.

  19. Creating Users and Groups
      • Active Directory Users and Computers
      • Batch files
        • dsadd user <user DN> -samid <SAM account name>
        • dsadd user cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com -samid jsmith

  20. Creating Users and Groups (Cont.)
      • Comma-Separated Value Directory Exchange (CSVDE)
        • Header record (See Page 119)
        • csvde.exe -i -f newusers.csv
        • -i is to import
        • -f is to specify the file to import

  21. Creating Users and Groups (Cont.)
      • LDAP Data Interchange Format Directory Exchange (LDIFDE)
        • You can Add/Modify/Delete the object
        • ldifde -i -f newobjects.ldf
      • Windows Script Host (WSH)
        • See code on Page 121

  22. Creating Users and Groups (Cont.)
      • Windows PowerShell
        • $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
        • $objUser = $objOU.Create("user","CN=Mary North")
        • $objUser.Put("sAMAccountName","mary.north")
        • $objUser.SetInfo()
      • Windows 2008 R2
        • Import-Module ActiveDirectory
        • New-ADUser -Name "Mary North" -SamAccountName "mary.north"

  23. Creating Users and Groups (Cont.) • Note: • CSVDE and LDIFDE cannot import users' passwords, hence the users will be disabled by default • Only DSADD supports specifying the password
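
Bulk creation with the `New-ADUser` cmdlet from the PowerShell slide, giving each account its own random initial password so that the batch is not left disabled as it would be after a CSVDE or LDIFDE import. This is an added example, not code from the presentation: the CSV rows are constructed, the OU is the one shown on the PowerShell slide, and it assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and rights to create users in that OU.

```powershell
Import-Module ActiveDirectory

# Constructed sample input (hypothetical users); in practice read it with Import-Csv.
$rows = @'
Name,SamAccountName
Mary North,mary.north
John Smith,jsmith
'@ | ConvertFrom-Csv

$ou  = 'OU=People,DC=contoso,DC=com'   # OU from the PowerShell slide
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

$created = foreach ($r in $rows) {
    # Per-user random initial password; it never appears in the CSV file.
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)          # 24 characters
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # Create the account enabled and force a password change at first logon.
    New-ADUser -Name $r.Name -SamAccountName $r.SamAccountName -Path $ou `
               -AccountPassword $secure -Enabled $true `
               -ChangePasswordAtLogon $true -ErrorAction Stop

    [pscustomobject]@{ SamAccountName = $r.SamAccountName; InitialPassword = $plain }
}

# Hand each password to its owner out of band; do not log or store this table.
$created | Format-Table -AutoSize

# Verify: list any account from the batch that is still disabled.
$rows | ForEach-Object { Get-ADUser -Identity $_.SamAccountName } |
    Where-Object { -not $_.Enabled } |
    Select-Object SamAccountName, Enabled
```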

  24. Offline Domain Join
      • Offline domain join is a process to add computers to a domain in locations where there is no connectivity to a corporate network.
      • Windows Server 2008 R2
      • Windows 7 image or on running computer
      • The offline domain join process includes the following phases:
        • Run djoin.exe /provision
          • To create computer account metadata from the text file
          • djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt>
        • Run djoin.exe /requestODJ
          • To insert the computer account metadata into the Windows directory of the destination computer:
          • djoin /requestodj /loadfile <filename.txt> /windowspath %SystemRoot% /localos

  25. Assignment • Fill in the blank • 1-10 • Multiple Choice • 1-10 • Online Lab 5
