Full Transcript

MCSA Guide to Installing and Configuring Windows Server 2012/R2, Exam 70-410
Chapter 4 Managing OUs and Active Directory Accounts
Public © Cengage Learning 2015

Objectives
– Work with organizational units
– Manage user accounts
– Manage group accounts
– Work with computer accounts
– Automate account management

Working with Organizational Units
Benefits of using OUs:
– Create hierarchical structures based on an organizational chart to allow easy resource access.
– Delegation of administrative authority
– Group users and computers for the purposes of assigning administrative and security policies.

Figure 4-1 Single-level and multilevel OU structures

OU Delegation of Control
Delegation of control - a person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks.
Commonly delegated tasks include:
– Create, delete, and manage user accounts
– Reset user passwords and force password change at next logon
– Read all user information
– Create, delete, and manage groups
– Modify the membership of a group

Permission Inheritance in OUs
– Permission inheritance defines how permissions are transmitted from a parent object to a child object.
– All objects in AD are child objects of the domain.
– By default, permissions applied to the parent OU with the Delegation of Control Wizard are inherited by all child objects of that OU.

Managing User Accounts
User accounts have two main functions in AD:
– Provide a method for user authentication to the network
– Provide detailed information about a user
Windows machines not part of a domain store accounts in the Security Accounts Manager (SAM) database on the local computer.
User accounts created in AD are referred to as “domain user accounts”
– These accounts can usually log on to any computer that’s in the Active Directory forest.

Managing User Accounts
The following guidelines apply to the built-in Administrator account:
– Local administrator account has full access to all aspects of a computer, while domain administrator account has full access to all aspects of the domain.
– The domain administrator account in the forest root domain has full access to all aspects of the forest.
– Administrator account should be renamed and given a strong password.
– Administrator account should only be used while performing administrative operations.
– Administrator account can be renamed or disabled but not deleted.

Managing User Accounts
The following guidelines apply to the built-in Guest account:
– Guest account is disabled by default after install, and must be enabled before it can be used for log on.
– Guest account can have a blank password.
– Should be renamed if it is to be used.
– Guest account has limited access to a computer or domain.

Managing User Accounts
When creating a user account in an AD domain, keep the following considerations in mind:
– User accounts must be unique throughout the domain.
– Account names aren’t case sensitive, and can be from 1 to 20 characters. Can use letters, numbers, and special characters (with some exceptions).
– Develop a standard naming convention.
– By default, complex passwords are required and passwords are case sensitive.
– By default, only a logon name is required to create a user account.

Disabling User Accounts
Reasons you might want to disable a user account:
– A user has left the company
– The account is not ready to use
– A user goes on extended leave

The General Tab
Contains descriptive information about the account, but does not affect the user’s account logon, group memberships, rights, or permissions.
Fields worth mentioning:
– Display name - same as the CN when account is first created
– E-mail - can be used to send an e-mail to the user using the default mail application
– Web page - can contain a URL and allows you to open the specified URL by right-clicking the user account

The Account Tab
Contains the information that most affects a user’s logon to the domain:
– User logon name
– Logon Hours
– Log On To
– Unlock account
– Account options
    Store password using reversible encryption
    Smart card is required for interactive logon
    Account is sensitive and cannot be delegated
– Account expires

Figure 4-18 Setting logon hours

The Member of Tab
– Lists groups the user belongs to
– Can be used to change group memberships
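
The built-in account guidelines and the Account tab options above can be checked across a domain from PowerShell. The script below is an added example, not part of the slides or the textbook; it assumes the ActiveDirectory module (RSAT) is installed and is run by an account with read access to the domain, and the wording of each finding is this example's own.

```powershell
# Added example: audit accounts against the guidelines in these slides.
# Assumption: ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$props = 'AllowReversiblePasswordEncryption', 'SmartcardLogonRequired',
         'AccountNotDelegated', 'AccountExpirationDate'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Account, $Issue) {
    $findings.Add([pscustomobject]@{ Account = $Account; Issue = $Issue })
}

# Built-in accounts keep their well-known RIDs after a rename:
# 500 = Administrator, 501 = Guest, so look them up by SID, not by name.
$domainSid = (Get-ADDomain).DomainSID.Value
$admin = Get-ADUser -Identity "$domainSid-500" -Properties $props
$guest = Get-ADUser -Identity "$domainSid-501" -Properties $props

if ($admin.SamAccountName -eq 'Administrator') {
    Add-Finding $admin.SamAccountName 'Built-in Administrator has not been renamed'
}
if ($guest.Enabled) {
    Add-Finding $guest.SamAccountName 'Built-in Guest is enabled (disabled by default)'
    if ($guest.SamAccountName -eq 'Guest') {
        Add-Finding $guest.SamAccountName 'Guest is in use but has not been renamed'
    }
}

# Account tab options, checked for every user in the domain.
$now = Get-Date
foreach ($u in Get-ADUser -Filter * -Properties $props) {
    if ($u.AllowReversiblePasswordEncryption) {
        Add-Finding $u.SamAccountName 'Store password using reversible encryption is set'
    }
    if ($u.Enabled -and $u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now) {
        Add-Finding $u.SamAccountName "Account expired on $($u.AccountExpirationDate) but is not disabled"
    }
}

# Informational: how many enabled accounts use the two hardening options.
$enabled = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties $props)
'{0} enabled accounts; {1} require a smart card; {2} are marked sensitive (cannot be delegated)' -f `
    $enabled.Count,
    @($enabled | Where-Object SmartcardLogonRequired).Count,
    @($enabled | Where-Object AccountNotDelegated).Count

$findings | Sort-Object Account | Format-Table -AutoSize
```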
