ITEC1420_Chapter 4.pptx

Full Transcript

MCSA Guide to Installing and
Configuring Windows Server
2012/R2, Exam 70-410

Chapter 4
Managing OUs and Active Directory
Accounts
 Objectives
Work with organizational units
Manage user accounts
Manage group accounts
Work with computer accounts
Automate account management

MCSA Guide to Installing and Configuring Windows Server 201 2
2/R2, Exam 70-410 © Cengage Learning 2015
 Working with Organizational Units
Benefits of using OUs:
– Create hierarchical structures based on an
organizational chart to allow easy resource
access.
– Delegation of administrative authority
– Group users and computers for the
purposes of assigning administrative and
security policies.

MCSA Guide to Installing and Configuring Windows Server 201 3
2/R2, Exam 70-410 © Cengage Learning 2015
 Figure 4-1 Single-level and multilevel OU structures

MCSA Guide to Installing and Configuring Windo 4
ws Server 2012/R2, Exam 70-410 © Cengage Learning 2015
 OU Delegation of Control
Delegation of control - a person with higher security
privileges assigns authority to a person of lesser
security privileges to perform certain tasks.

Commonly delegated tasks include
– Create, delete, and manager user accounts
– Reset user passwords and force password change at
next logon
– Read all user information
– Create, delete, and manage groups
– Modify the membership of a group

MCSA Guide to Installing and Configuring Windows Server 5
© Cengage Learning 2015
2012/R2, Exam 70-410
 Permission Inheritance in OUs
Permission inheritance defines how permissions
are transmitted from a parent object to a child
object
All objects in AD are child objects of the domain.
By default, permissions applied to the parent OU
with the Delegation of Control Wizard are inherited
by all child objects of that OU

MCSA Guide to Installing and Configuring Windows Server 6
© Cengage Learning 2015
2012/R2, Exam 70-410
 Managing User Accounts
User accounts have two main functions in AD:
– Provide a method for user authentication to the
network
– Provide detailed information about a user
Windows machines not part of a domain store
accounts in the Security Accounts Manager (SAM)
database on the local computer
User accounts created in AD are referred to as
“domain user accounts”
– These accounts can usually log on to any computer
that’s in the Active Directory forest.

MCSA Guide to Installing and Configuring Windows Server 7
© Cengage Learning 2015
2012/R2, Exam 70-410
 Managing User Accounts
The following guidelines apply to the built-in
Administrator account:
– Local administrator account has full access to all aspects of
a computer, while domain administrator account has full
access to all aspects of the domain.
– The domain administrator account in the forest root domain
has full access to all aspects of the forest.
– Administrator account should be renamed and given a
strong password
– Administrator account should only be used while
performing administrative operations.
– Administrator account can be renamed or disabled but
not deleted.

MCSA Guide to Installing and Configuring Windows Server 8
© Cengage Learning 2015
2012/R2, Exam 70-410
 Managing User Accounts
The following guidelines apply to the built-in Guest
account
– Guest account is disabled by default after install, and must
be enabled before it can be used for log on.

– Guest account can have a blank password.

– Should be renamed if it is to be used.

– Guest account has limited access to a computer or
domain.

MCSA Guide to Installing and Configuring Windows Server 9
© Cengage Learning 2015
2012/R2, Exam 70-410
 Managing User Accounts
When creating a user account in an AD domain, keep
the following considerations in mind:
– User accounts must be unique throughout the domain
– Account names aren’t case sensitive, and can be from
1 to 20 characters.
Can use letters, numbers, and special characters (with
some exceptions).
– Develop a standard naming convention.

– By default, complex passwords are required and
passwords are case sensitive.
– By default, only a logon name is required to create a
user account.

MCSA Guide to Installing and Configuring Windows Server 10
© Cengage Learning 2015
2012/R2, Exam 70-410
 Disabling User Accounts

Reasons you might want to disable a user account
– A user has left the company
– The account is not ready to use
– A user goes on extended leave.

MCSA Guide to Installing and Configuring Windows Server 11
© Cengage Learning 2015
2012/R2, Exam 70-410
 The General Tab
Contains descriptive information about the account,
but does not affect the user’s account logon, group
memberships, rights, or permissions.
Fields worth mentioning:
– Display name - same as the CN when account is
first created
– E-mail - can be used to send an E-mail to the user
using the default mail application
– Web page - can contain a URL and allows you to
open the specified URL by right-clicking the user
account

MCSA Guide to Installing and Configuring Windows Server 12
© Cengage Learning 2015
2012/R2, Exam 70-410
 The Account Tab
Contains the information that most affects a user’s
logon to the domain
– User logon name
– Logon Hours
– Log On To
– Unlock account
– Account options
Store password using reversible encryption
Smart card is required for interactive logon
Account is sensitive and cannot be delegated
– Account expires

MCSA Guide to Installing and Configuring Windows Server 13
© Cengage Learning 2015
2012/R2, Exam 70-410
 Figure 4-18 Setting logon hours

MCSA Guide to Installing and Configuring Windo 14
ws Server 2012/R2, Exam 70-410 © Cengage Learning 2015
 The Member of Tab
Lists groups the user belongs to
Can be used to change group memberships

MCSA Guide to Installing and Configuring Windows Server 15
© Cengage Learning 2015
2012/R2, Exam 70-410
 Using Contacts and Distribution
Groups
A contact is an Active Directory object that
usually represents a person for informational
purposes only.
Most common use of a contact is for integration
into Microsoft Exchange’s address book.

A distribution group is used with Microsoft
Exchange to send e-mails, but to several people at
once.

MCSA Guide to Installing and Configuring Windows Server 16
© Cengage Learning 2015
2012/R2, Exam 70-410
 Managing Group Accounts
Active Directory group objects are the main security
principal administrators use to grant rights and
permissions to users.
Groups are easier to manage
– Users with similar access requirements to resources can
be made members of a group
When a group is created in ADUC, aside from
assigning a name, there are two other settings :
– Group type
– Group scope

MCSA Guide to Installing and Configuring Windows Server 17
© Cengage Learning 2015
2012/R2, Exam 70-410
 Group Types
There are two group types: security and distribution
A distribution group is used to group users together
– Mainly for sending e-mails to several people at once with
an AD integrated e-mail application, such as Microsoft
Exchange
Can have the following objects as members:
– User accounts
– Contacts
– Other distribution groups
– Security groups
– Computers

MCSA Guide to Installing and Configuring Windows Server 18
© Cengage Learning 2015
2012/R2, Exam 70-410
 Group Types
Security groups are the main AD object
administrators use to manage network resource
access and grant rights to users

Can contain the same types of objects as distribution
groups

MCSA Guide to Installing and Configuring Windows Server 19
© Cengage Learning 2015
2012/R2, Exam 70-410
 Group Scope
Group scope determines the reach of a group’s
application in a domain or a forest
Three group scope options are possible in a
Windows Server 2012 forest:
– Domain local
– Global
– Universal
A fourth scope called “local” applies only to groups
created in the Security Account Manager (SAM)
database of a member computer or stand-alone
computer

MCSA Guide to Installing and Configuring Windows Server 20
© Cengage Learning 2015
2012/R2, Exam 70-410
 Domain Local Groups
A domain local group is the main security principal
recommended for assigning rights and permissions
to domain resources.
In a single domain environment, or when users from
only one domain are assigned access to a resource,
use AGDLP Role based Strategy
– Accounts are made members of
– Global groups, which are made members of
– Domain Local groups, which are assigned
– Permissions to resources

MCSA Guide to Installing and Configuring Windows Server 21
© Cengage Learning 2015
2012/R2, Exam 70-410
MCSA Guide to Installing and Configuring Windows Server 22
© Cengage Learning 2015
2012/R2, Exam 70-410
 Global Groups
A global group is used mainly to group users
from the same domain with similar access or
rights requirements
– Considered global because it can be made a
member of a domain local group in any domain in
the forest or trusted domains in other forests
A common use is creating a global group for
each department, location, or both

MCSA Guide to Installing and Configuring Windows Server 23
© Cengage Learning 2015
2012/R2, Exam 70-410
 Universal Groups
A universal group can contain users from any
domain in the forest and be assigned permission
to resources in any domain in the forest.

Universal groups can be a member of other
universal groups or domain local groups from any
domain in the forest.

Universal groups’ membership information is stored
only on global catalog servers.

MCSA Guide to Installing and Configuring Windows Server 24
© Cengage Learning 2015
2012/R2, Exam 70-410
 Local Groups
A local group is created in the local SAM database on a
member server or workstation or a stand-alone computer
When a computer joins a domain, Windows changes the
membership of two local groups automatically:
– Administrators - Domain Admins global group is made a member
– Users - Domain users global group is made a member
Local groups can have the following account types as
members:
– Local user accounts
– Domain user accounts and computer accounts from any domain in the
forest
– Domain local groups from the same domain
– Global or universal groups from any domain in the forest

MCSA Guide to Installing and Configuring Windows Server 25
© Cengage Learning 2015
2012/R2, Exam 70-410
 Nesting Groups
Nesting groups - making a group a member of another
group.
Usually used to group users who have similar roles but
work in different departments.

MCSA Guide to Installing and Configuring Windows Server 26
© Cengage Learning 2015
2012/R2, Exam 70-410
 Creating Computer Accounts
Computer accounts are created in Active Directory
when a client computer becomes a member of a
domain.
A computer account is a security principal with an SID
and a password and must authenticate to the domain
Computer accounts are created in AD two ways:
– A user changes the computer membership from
Workgroup to Domain in the System Properties
dialog box
Joining the domain and account is created
automatically
– An administrator creates the account manually in
Active Directory
MCSA Guide to Installing and Configuring Windows Server 27
© Cengage Learning 2015
2012/R2, Exam 70-410
 Figure 7-23 Creating a computer account

MCSA Guide to Installing and Configuring Windo 28
ws Server 2012/R2, Exam 70-410 © Cengage Learning 2015
 Managing Computer Accounts
It may be necessary to reset a computer account
– If the computer account has become
unsynchronized with the domain controller

MCSA Guide to Installing and Configuring Windows Server 29
© Cengage Learning 2015
2012/R2, Exam 70-410
 Disabling Computer Accounts
When a computer leaves the domain, its
computer account is disabled automatically
You might need to disable a computer account
manually if the computer won’t be in contact with
the domain controller for an extended period

MCSA Guide to Installing and Configuring Windows Server 30
© Cengage Learning 2015
2012/R2, Exam 70-410
 Summary
OUs can be designed to mirror a company’s
organizational chart
OU permissions and permission inheritance work much
the same way as they do in the file system
User accounts provide a way for users to authenticate to
the network and contain user information that can be
used in a company directory
ADUC and ADAC are GUI tools for creating and
maintaining user accounts
User templates facilitate creating users who have some
attributes in common, such as group memberships

MCSA Guide to Installing and Configuring Windows Server 201 31
2/R2, Exam 70-410 © Cengage Learning 2015
 Summary
This chapter covers the user account properties in the
General, Account, Profile, and Member Of tabs.
Groups are the main security principal used to grant rights
and permission.
There are three group scopes in AD: domain local, global,
and universal.
Computer that are domain members have computer
accounts in AD.
Computer accounts are created automatically when a
computer joins a domain or manually by an administrator.

MCSA Guide to Installing and Configuring Windows Server 201 32
2/R2, Exam 70-410 © Cengage Learning 2015