Week 4 - AD Users and Computers (1).pptx
Week 4: AD Users and Computers
NTWK-8070: Windows Server Roles and Features

This week…
This week we will learn about:
• Introduction to ADUC
• Types of Objects in ADUC
• Working with ADUC
• ADAC (Active Directory Admin Center)

ADUC/MMC – What is it?
Active Directory Users and Computers
• ADUC stands for Active Directory Users and Computers
• It is an MMC snap-in (we’ll talk about MMC in a bit)
• Has been around since Windows Server 2000
• Most popular method of managing Users and Computers (as well as other things)

What ADUC Looks like

What is MMC?
In the previous slide, we mentioned that ADUC was an MMC Snap-In, but what is MMC?
• MMC stands for Microsoft Management Console
• A “dashboard” that is a collection of “snap-ins” that are administrative tools
• We manage many roles and services with Snap-Ins

MMC Continued
You use Microsoft Management Console (MMC) to create, save and open administrative tools, called consoles, which manage the hardware, software, and network components of your Microsoft Windows operating system. MMC runs on all client operating systems that are currently supported.

What do you use MMCs for
• Managing Server Roles
  – DNS
  – DHCP
  – Users and Computers
  – Lots of other services
• Device Manager
• Group Policies
• Administrating the above on Local and Remote machines
• And more…

Examples of MMCs (Blank MMC)

Adding MMC Components (Snap-ins)

Summing up MMCs
MMCs contain Snap-ins, such as Active Directory Users and Computers (and other management tools, such as DNS and DHCP), which allow you to manage these services. Active Directory Users and Computers is a Snap-in that works either as a standalone snap-in, or added into the MMC console.

What do you do in ADUC?
Core tasks in ADUC
• Create and Modify User Accounts
• Create and Modify Groups
• Create and Modify Computer Accounts
• Assign Users to Groups
• Create OUs (organizational units)
• Organize your directory by moving Users, Groups and Computers to OUs

Get ready to live in ADUC
Aside from using automation tools (such as Scripted Automation, PowerShell, or other Automated processes) – you will be doing a significant amount of work in ADUC:
• Assigning Users to Groups – Create and Delete
• Resetting Passwords
• Managing the logical layout of users and computers (moving them to OUs)

Let’s talk about Organization
OUs are the fundamental organizational method in ADUC. Much like folders on a computer, OUs serve as a way to group and organize objects (Users, Groups, Computers, etc.).

What OUs look like
Objects in an OU (can display other OUs)

OUs – Defining your organizational structure
OUs group objects under a hierarchical structure, much like folders and subfolders do. They serve as an organizational tool to help you logically define boundaries, managerial areas, or separate resources. It is imperative that you plan out an OU structure while an organization is small, to avoid drastic changes (and moves) later.

Example OU structure
(Diagram; labels recovered from the slide: the yourlastname.com domain with the OUs Groups, Administrative, IT Services and Employee; the sub-OUs Accounting, Human Resources, Department 1 and Department 2, each with Users and Computers sub-OUs; and the groups SuperAdministrators, Regular Users and Accounting Users.)

Objects in AD
AD houses objects, you organize them
Active Directory is home to a large number of objects, but these can be classified as a number of types and subtypes.
• User Account objects
• Computer Account objects
• Groups
• Printers
• OUs
These are typically classified as Leaf and Container Objects.

Attributes/Properties
All Active Directory Objects have Attributes and Values.
You may access the list of Properties of an object by simply right-clicking on it and selecting “Properties”.

Attributes/Properties, Cont’d
Attributes/properties are also displayed in human-readable form. The human-readable attributes are also known as “Friendly Names” and are also displayed in the Properties dialog.

The User object
The User object is the cornerstone of Active Directory. It is essentially a “User”, usually a person, who has rights and permissions on the Directory. They have a number of common Attributes. Users are also assigned a password, email address (typically used in conjunction with Exchange) and groups.

Common User Attributes

Properties – General tab
Friendly Name | Attribute Name | Example
First Name | givenName | Serge
Initials | initials | ST
Last Name | sn | Trunkin
Display Name | displayName | Serge Trunkin
Description | description | Teacher
Office | physicalDeliveryOfficeName | London
Telephone Number | telephoneNumber | 5555

Properties – Account tab
Friendly Name | Attribute Name | Example
User Logon Name | userPrincipalName | strunkin@conestogac.on.ca
User Logon Name (Pre W2K) | sAMAccountName | strunkin

Properties – Organization tab
Friendly Name | Attribute Name | Example
Title | title | Teacher
Department | department | Professors
Company | company | Conestoga
Manager | manager | CN=manager,OU=Managers,DC=Domain,DC=Com
Employee ID | employeeID | 123456789

Group object in Active Directory
Groups in Active Directory are collections of Users and Computers. The primary use case for groups depends on the type of Group:
• Security
• Distribution

Security vs Distribution
Security groups are the most commonly used groups. They are used for granting access to resources (assigning permissions such as rights to shared drives, etc.). Distribution Groups are used for email, and are used for “sending bulk email” to users of the group. A typical use case for Distribution Groups is to communicate to all users of a specific department. Distribution Groups cannot have permissions assigned to them!
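The core ADUC tasks listed above, carried out from PowerShell with the ActiveDirectory module so that the friendly-name to LDAP-attribute mapping in the tables becomes visible. This is an added example, not part of the lecture slides; it assumes the yourlastname.com lab domain from the OU slide, the RSAT ActiveDirectory module, and Domain Admin rights. The OU names, group names and password prompt are constructed for the example. Note that the default location for newly joined computers is the container CN=Computers (a container rather than an OU), which is why that path begins with CN= instead of OU=.

```powershell
# Added example (not from the lecture slides): ADUC "core tasks" with the
# ActiveDirectory PowerShell module. Assumes the yourlastname.com domain,
# the RSAT AD module, and Domain Admin rights on a domain member.
Import-Module ActiveDirectory

$domainDN = 'DC=yourlastname,DC=com'   # assumed lab domain from the slides

# 1. Create the OU hierarchy up front, as the OU slide recommends.
#    -ProtectedFromAccidentalDeletion is the same checkbox ADUC ticks by default.
New-ADOrganizationalUnit -Name 'IT Services' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Users', 'Computers') {
    New-ADOrganizationalUnit -Name $child -Path "OU=IT Services,$domainDN" -ProtectedFromAccidentalDeletion $true
}
New-ADOrganizationalUnit -Name 'Groups' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Create a user. Each parameter maps to an LDAP attribute from the tables:
#    GivenName=givenName, Surname=sn, Initials=initials, DisplayName=displayName,
#    Office=physicalDeliveryOfficeName, OfficePhone=telephoneNumber,
#    SamAccountName=sAMAccountName (pre-W2K logon), UserPrincipalName=userPrincipalName.
#    The password is prompted for rather than written into the script.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for strunkin'
New-ADUser -Name 'Serge Trunkin' `
    -GivenName 'Serge' -Initials 'ST' -Surname 'Trunkin' -DisplayName 'Serge Trunkin' `
    -Description 'Teacher' -Office 'London' -OfficePhone '5555' `
    -Title 'Teacher' -Department 'Professors' -Company 'Conestoga' -EmployeeID '123456789' `
    -SamAccountName 'strunkin' -UserPrincipalName 'strunkin@yourlastname.com' `
    -Path "OU=Users,OU=IT Services,$domainDN" `
    -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true

# 3. One group of each category. Only the Security group can appear in an ACL;
#    the Distribution group exists for mail and cannot carry permissions.
New-ADGroup -Name 'Accounting Users' -GroupCategory Security -GroupScope Global -Path "OU=Groups,$domainDN"
New-ADGroup -Name 'Accounting Announcements' -GroupCategory Distribution -GroupScope Universal -Path "OU=Groups,$domainDN"

# 4. Assign the user to both groups.
Add-ADGroupMember -Identity 'Accounting Users' -Members 'strunkin'
Add-ADGroupMember -Identity 'Accounting Announcements' -Members 'strunkin'

# 5. Move newly joined computers out of the default Computers container
#    (CN=Computers is a container, not an OU, hence the CN= prefix).
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath "OU=Computers,OU=IT Services,$domainDN"

# 6. Read the user back by LDAP attribute name rather than friendly name,
#    confirming the mapping shown in the tables.
Get-ADUser -Identity 'strunkin' -Properties givenName, initials, sn, displayName, description,
    physicalDeliveryOfficeName, telephoneNumber, title, department, company, employeeID, memberOf |
    Format-List givenName, initials, sn, displayName, description, physicalDeliveryOfficeName,
        telephoneNumber, title, department, company, employeeID, userPrincipalName, sAMAccountName, memberOf
```

Step 6 is the same information as the Properties dialog, only keyed by attribute name; comparing its output with the General, Account and Organization tabs in ADUC is the quickest way to learn which friendly name backs which attribute.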
Group Scopes
You may have also noticed “Group Scope” on the previous slide. Group scopes are a little advanced, and will be covered in the “Value Added Learning” section.

Computer Objects
Computer objects are either desktops, laptops, or servers (DCs, member servers) that are joined to the domain. You can apply various policies to computers (we will discuss these in the Group Policy module of this course). When computers are joined to a domain, they automatically go to the “Computers” OU in Active Directory (a built-in OU). This is default behaviour. They should be moved according to your organizational standards.

UPNs
User Principal Names are the way that Active Directory recognizes users. An example is [email protected]. In the above screenshot, the UPN would be [email protected].

Security Principals
When dealing with assigning rights to users, computers and groups (security groups), we refer to these entities as “Security Principals”. Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers.

DNs
Active Directory uses a protocol known as LDAP (Lightweight Directory Access Protocol). Objects (groups, users, computers) are referenced using a DN. DN stands for Distinguished Name.
Example DN
CN=Bob Smith,OU=Sales,DC=yourlastname,DC=com
This means that Bob Smith is located in the OU “Sales”, which is located off the root domain yourlastname.com.
(Diagram: yourlastname.com with the OUs Sales (Bob Smith), HR (Kelly Ann) and Finance (George Rincon).)

Example DN - 2
CN=Bob Smith,OU=Users,OU=Sales,OU=Financial Services,DC=yourlastname,DC=com
(Diagram of the same domain; labels recovered from the slide: Financial Services, HR, Finance, Sales, Support, Admins, Purchasing, Accounting, Users, Bob Smith, Sam, Kevin and George Rincon. As the DN shows, Bob Smith sits in the Users OU under Sales, under Financial Services.)

Breaking down the DN
• CN = Common Name, this is the “final object name”
• OU = Organizational Unit
• DC = The domain component, split between the subdomains and periods (i.e. sales.yourlastname.com = dc=sales,dc=yourlastname,dc=com)

ADAC – Active Directory Admin Center
ADAC is a new suite of tools that was introduced in Windows Server 2012 R2, that added and expanded upon the administrative and management features in Active Directory. The main additions of Active Directory Administrative Center are the inclusion of:
• Active Directory Recycle Bin
• Fine-Grained Password Policy
• Windows PowerShell History Viewer

What ADAC Looks Like

Some UI Changes
ADAC is a drastically redesigned “modern” UI compared to the old Active Directory Users and Computers. It allows you quicker access to common tasks, such as being able to:
• View all information in a scrollable single pane
• Common admin tasks – reset passwords, etc.
• More robust searching

Under the hood
Directly addressing the new addition: Windows PowerShell History Viewer
ADAC is a user interface tool built on top of Windows PowerShell. In Windows Server 2012 and newer, IT administrators can leverage ADAC to learn Windows PowerShell for Active Directory cmdlets by using the Windows PowerShell History Viewer. As actions are executed in the user interface, the equivalent Windows PowerShell command is shown to the user in Windows PowerShell History Viewer. This allows administrators to create automated scripts and reduce repetitive tasks, thus increasing IT productivity.
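The “Breaking down the DN” rules, applied by a small parser written for this page (it is not part of the lecture material and needs no domain controller: it runs on plain strings). It splits a DN into its RDNs, lists the OU path from the domain root down, rejoins the DC components into the DNS name, and converts a DNS name back into DC components. The sample DNs are the two from the slides plus one constructed DN whose CN contains an escaped comma, the edge case a naive split on commas gets wrong.

```powershell
# Added example (not from the lecture): parsing a Distinguished Name into its
# CN / OU / DC parts in plain PowerShell. Sample DNs are constructed from the slides.

function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # LDAP escapes a literal comma inside a value as "\,", so split only on unescaped commas.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')

    $rdns = foreach ($part in $parts) {
        $type, $value = $part.Trim() -split '=', 2
        [pscustomobject]@{
            Type  = $type.ToUpper()
            Value = $value -replace '\\,', ','   # unescape for display
        }
    }

    # In a DN the leftmost OU is the deepest; reverse to read it top-down like the diagram.
    $ouPath = @($rdns | Where-Object Type -eq 'OU' | ForEach-Object Value)
    [array]::Reverse($ouPath)

    $dcs = @($rdns | Where-Object Type -eq 'DC' | ForEach-Object Value)

    [pscustomobject]@{
        CommonName = ($rdns | Where-Object Type -eq 'CN' | Select-Object -First 1).Value
        OUPath     = $ouPath -join ' / '   # root-to-leaf, e.g. "Financial Services / Sales / Users"
        Domain     = $dcs -join '.'        # DC components rejoined with periods
        ParentDN   = ($parts | Select-Object -Skip 1 | ForEach-Object { $_.Trim() }) -join ','
    }
}

function ConvertTo-DomainDistinguishedName {
    # The slide's rule in reverse: sales.yourlastname.com -> DC=sales,DC=yourlastname,DC=com
    param([Parameter(Mandatory)][string]$DnsName)
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Constructed sample input (the first two are the DNs from the slides)
$samples = @(
    'CN=Bob Smith,OU=Sales,DC=yourlastname,DC=com',
    'CN=Bob Smith,OU=Users,OU=Sales,OU=Financial Services,DC=yourlastname,DC=com',
    'CN=Smith\, Bob,OU=Sales,DC=sales,DC=yourlastname,DC=com'   # escaped comma inside the CN
)

$samples | ForEach-Object { ConvertFrom-DistinguishedName $_ } | Format-Table -AutoSize
ConvertTo-DomainDistinguishedName 'sales.yourlastname.com'
```

For the second slide DN the parser reports CommonName “Bob Smith”, OUPath “Financial Services / Sales / Users” and Domain “yourlastname.com”; the third sample keeps “Smith, Bob” as one CN instead of splitting it into two RDNs.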
Also, this feature reduces the time to learn Windows PowerShell for Active Directory and increases the users' confidence in the correctness of their automation scripts.

An example of the PowerShell History
An output of the “PowerShell equivalent” will appear after a certain action is performed, along with the full cmdlet used.

Active Directory Recycle Bin
Accidental deletion of Security Principals is a common occurrence in Active Directory. Unfortunately, simply recreating objects manually is not a valid strategy:
• All security principals have an SID associated with them. Think of the SID (Security Identifier) as DNA. Every object (principal) has a unique DNA.

SIDs and Deleted Objects
Since an SID is unique, recreating a user after deletion, while keeping the user name (UPN) the same, will result in a different SID. When adding access to users, you are actually adding access to an SID. This means that the newly recreated user will lose all of their group memberships and access due to the SID being new.

AD Recycle Bin solves this issue
In past versions of Active Directory and Windows Server, you could use a few tools to help you recover deleted objects; however, this would require you to turn off a domain controller (bring it offline), then use “DSRM” or Directory Services Restore Mode to restore the object. Bringing down a domain controller is problematic in a production environment.

AD Recycle Bin makes it easy
Before AD Recycle Bin is enabled – a few things must be done:
• Domain and Forest functional levels must be at least Server 2008 R2 or higher.
• It must be enabled, which is an irreversible step (done either through ADAC or PowerShell)
Then simply go to the “Deleted Objects” OU.

Fine-Grained Password Policies
Fine-Grained Password Policies will be covered in a later NTWK-8090: Server Planning lecture.
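The Recycle Bin workflow from the slides as PowerShell, with the account's SID captured before and after a restore so the “SIDs and Deleted Objects” point can be checked directly. This is an added example, not the lecture's own material; it assumes the yourlastname.com forest, the ActiveDirectory module, Domain Admin rights, and that the user strunkin from the attributes tables exists and is then accidentally deleted. The filter in step 4 is the documented one for listing deleted objects.

```powershell
# Added example (not from the lecture): enabling the AD Recycle Bin, listing deleted
# objects and restoring one, with the SID compared before and after. Assumes the
# yourlastname.com forest from the slides and Domain Admin rights.
Import-Module ActiveDirectory

# 1. Prerequisite: forest and domain functional level must be Windows Server 2008 R2 or higher.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"

# 2. Is the feature already on? EnabledScopes stays empty until someone enables it.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Irreversible: once enabled it cannot be turned off again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 3. Record the account's SID. ACLs and group memberships reference this value,
#    not the user name or UPN.
$sidBefore = (Get-ADUser -Identity 'strunkin').SID.Value

# (The accidental deletion happens here. With the Recycle Bin on, the object keeps its
#  attributes and link-valued memberships for the deleted-object lifetime instead of
#  being stripped down to a tombstone.)

# 4. What is in the Deleted Objects container? Exclude the container itself and objects
#    that are already recycled (past the restore window).
Get-ADObject -Filter 'isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, objectSid, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, objectSid, whenChanged

# 5. Restore the user; by default it goes back to its last known parent OU.
Get-ADObject -Filter 'sAMAccountName -eq "strunkin"' -IncludeDeletedObjects |
    Restore-ADObject

# 6. Prove the SID (and therefore every ACL entry and group membership) survived.
$sidAfter = (Get-ADUser -Identity 'strunkin').SID.Value
if ($sidAfter -eq $sidBefore) {
    'SID preserved: access and group memberships intact'
} else {
    'Different SID: this is a recreated account, not a restored one'
}
```

Running step 6 against an account that was recreated with New-ADUser instead of restored is the clearest way to see the slide's DNA analogy in practice: the name and UPN match, the SID does not, and the old group memberships are gone.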
The Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Active Directory domains prior to Windows Server 2008, only one password policy and account lockout policy could be applied to all users in the domain. You can use fine-grained password policies to specify multiple password policies within a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.

End of Lecture, Questions?
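A fine-grained password policy expressed in PowerShell, as an added example rather than part of the lecture: it creates a Password Settings Object that is stricter than the domain default and applies it to the SuperAdministrators group from the OU slide. It assumes the ActiveDirectory module, Domain Admin rights, and that the group and the user strunkin exist; the policy name and the specific values are constructed for the example. One caveat worth knowing before the later lecture: a PSO can be applied to users and global security groups only, not to OUs or distribution groups.

```powershell
# Added example (not from the lecture): a Fine-Grained Password Policy (PSO) for a
# privileged group. Assumes the ActiveDirectory module and Domain Admin rights; the
# policy name and values are constructed for illustration.
Import-Module ActiveDirectory

# The domain-wide baseline that applies to everyone without a PSO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, LockoutDuration

# Stricter settings for privileged accounts. When several PSOs apply to one user,
# the one with the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-SuperAdministrators' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSO subjects must be users or global security groups (not OUs, not distribution groups).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-SuperAdministrators' -Subjects 'SuperAdministrators'

# Which policy actually wins for a given user? No result means the domain default applies.
Get-ADUserResultantPasswordPolicy -Identity 'strunkin'
```

The resultant-policy check at the end is the one to run after any PSO change: it resolves precedence across every PSO the user picks up through group membership, which is easy to get wrong by reading the PSO list alone.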