Managing Users, Groups, Computers and Resources - PowerPoint PPT Presentation

Slides: 53
Provided by: pbcc

Transcript and Presenter's Notes

1
Managing Users, Groups, Computers and Resources
  • Chapter Ten

2
Planning and Administering User Accounts
  • Most frequently changed objects are user objects
  • Users added, removed, etc.

3
User Classes, Properties, and Schema
  • User class defines number of required and
    optional attributes
  • Mandatory attributes
  • cn
  • instanceType, objectCategory, and objectClass
  • objectSID
  • sAMAccountName
  • More than 200 optional attributes

4
The Names of a User
  • Name attributes
  • sAMAccountName
  • Also called user logon name (pre-Windows 2000);
    at most 20 characters and unique within the
    domain
  • userPrincipalName (UPN)
  • Also called user logon name; unique within the
    forest
  • Decide on a naming convention for user accounts
  • Most common convention is the user's first
    initial followed by the user's last name
5
The Names of a User (continued)
  • UPN composed of two parts
  • Username
  • UPN suffix
  • UPN suffix is the domain's DNS name by default
  • Can choose another suffix (alternative suffixes
    are defined in Active Directory Domains and
    Trusts)
  • Joined by the @ symbol
  • Example SomeUser@mydomain.com
6
Name Suffix Routing
  • Provides name resolution across forests joined
    by a forest trust
  • Used to route authentication requests to the
    correct forest
  • Routing for a suffix is disabled automatically
    when a naming conflict occurs
  • A given unique name suffix can be routed to only
    one forest
7
Creating Users with Active Directory Users and
Computers
  • Must be working at a domain controller
  • Or must have the administrative tools
    (Adminpak) installed on your workstation
  • Windows issues a query to the global catalog to
    verify that the UPN is unique within the forest
8
The New Object - User Dialog Box
9
New User Password and Security Attributes
10
Setting Additional Attributes
  • Many user attributes exposed through property
    pages
  • In Active Directory Users and Computers console
  • Right-click object in Active Directory Users and
    Computers
  • Choose Properties

11
Setting Additional Attributes (continued)
  • Categories
  • General and business information
  • Account and profile settings
  • Terminal Services settings
  • Dial-in settings
  • Advanced properties

12
Resetting Passwords
  • User's password is stored as a one-way hash,
    which is itself encrypted inside the directory
    database
  • Operating system can use the hash to validate a
    password, but the password cannot be recovered
    from it
  • Administrator cannot retrieve a forgotten user
    password
  • Must be reset
  • Resetting a password (rather than the user
    changing it) may break access to EFS-encrypted
    files and other DPAPI-protected data; a
    configured recovery agent is the safeguard
13
User Account Templates
  • Preconfigured user account
  • Already has common attributes associated with a
    particular type of user configured
  • Reduces time and administrative burden
  • Administrator copies template account to create
    new user

14
Command-line Utilities
  • Dsadd.exe
  • This tool adds a computer, contact, group,
    organizational unit, or user to a directory.
  • Dsget.exe
  • This tool displays the selected attributes of a
    computer, contact, group, organizational unit,
    server, or user in a directory.
  • Dsmod.exe
  • This tool modifies an existing user, computer,
    contact, group, or organizational unit in a
    directory.
  • Dsmove.exe
  • This tool moves any object from its current
    location in the directory to a new location
    (provided that the move stays within a single
    domain) and renames an object without moving it
    in the directory tree.
  • Dsquery.exe
  • This tool queries and finds a list of computers,
    groups, organizational units, servers, or users
    in the directory by using specified search
    criteria.
  • Dsrm.exe
  • This tool deletes an object of a specific type or
    any general object from the directory.

15
DSADD
  • Introduced in Windows Server 2003
  • Used to create new user and group accounts
  • Syntax is
  • dsadd group distinguished-name switches
  • Switches include -secgrp, -scope, -memberof,
    -members
  • More help is available for switches and options
    at Windows Server 2003 Help and Support Center or
    at command-line

16
DSADD (continued)
17
DSMOD
  • Also introduced in Windows Server 2003
  • Allows various object types to be modified from
    the command line
  • Syntax is
  • dsmod group distinguished-name switches
  • Switches include -desc, -rmmbr, -addmbr
  • More help is available for switches and options
    at Windows Server 2003 Help and Support Center or
    command-line

18
DSMOD (continued)
19
DSQUERY
  • Also introduced in Windows Server 2003
  • Used to query various object types from the
    command line; by default returns the
    distinguished names of the matching objects
  • Syntax for groups is
  • dsquery group query
  • Supports wildcard character (*)
  • Output can be piped as input to other
    command-line tools (dsget, dsmod, dsmove, dsrm)
  • More help is available for switches and options
    at Windows Server 2003 Help and Support Center or
    command-line
20
DSMOVE
  • Used to move or rename various object types from
    the command line
  • Syntax for groups is
  • dsmove group distinguished-name switches
  • Switches include -newparent, -newname
  • Can only be used for groups within a single
    domain
  • More help is available for switches and options
    at Windows Server 2003 Help and Support Center or
    at the command-line

21
DSRM
  • Used to delete various object types from the
    command line
  • Syntax for groups is
  • dsrm group distinguished-name switches
  • Switches include -noprompt
  • More help is available for switches and options
    at Windows Server 2003 Help and Support Center or
    command-line

22
Bulk Import and Export
  • CSVDE
  • Command-line tool
  • Supports bulk export and import of Active
    Directory data
  • File format comma-separated value (CSV) files
  • Import can only add objects (no modify or
    delete) and cannot set passwords
  • LDIFDE
  • Command-line tool
  • Use to import and export data from Active
    Directory, including modifying and deleting
    existing objects
  • File format LDAP Data Interchange Format (LDIF)
  • Can set unicodePwd only over an SSL/TLS
    connection, so bulk-created user accounts are
    typically created disabled and enabled after a
    password has been set
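
The naming and uniqueness rules from slides 4 through 7 and the LDIFDE import format above, as an added example that is not part of the original presentation: it derives sAMAccountName and UPN values from a constructed roster, simulates the global-catalog uniqueness check ADUC performs, escapes DN values, and emits an LDIF file of the kind `ldifde -i -f users.ldf` would import. The OU, UPN suffix, roster and the pre-existing names are assumptions; the accounts are emitted disabled (userAccountControl 514) because the password cannot travel in the file over plain LDAP.

```python
"""Derive logon names for a roster and emit an LDIF import file for LDIFDE.

Added example; the roster, OU and UPN suffix below are constructed, not from
the presentation.
"""
import base64
import unicodedata

SAM_MAX_LEN = 20                       # sAMAccountName limit for user accounts
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')  # characters not permitted in sAMAccountName
# userAccountControl: NORMAL_ACCOUNT (0x200) | ACCOUNTDISABLE (0x2) = 514.
# LDIFDE cannot set unicodePwd over a plain LDAP connection, so the accounts
# are created disabled and enabled once a password has been set.
UAC_NORMAL_DISABLED = 0x200 | 0x2


def make_sam(first, last, taken):
    """First initial + last name, ASCII only, at most 20 chars, unique in the domain.

    `taken` is the set of lower-cased sAMAccountNames already in the domain;
    the chosen name is added to it. Comparison is case-insensitive, as in AD.
    """
    raw = (first[:1] + last).lower()
    ascii_name = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    base = "".join(c for c in ascii_name if c not in SAM_ILLEGAL and not c.isspace())
    base = base[:SAM_MAX_LEN] or "user"
    candidate, n = base, 1
    while candidate in taken:          # collision: jdoe -> jdoe2 -> jdoe3 ...
        n += 1
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
    taken.add(candidate)
    return candidate


def upn_is_unique(upn, forest_upns):
    """`forest_upns` stands in for the global catalog query ADUC performs."""
    return upn.lower() not in forest_upns


def make_upn(sam, suffix, forest_upns):
    """sAMAccountName@suffix; a UPN must be unique across the whole forest."""
    upn = f"{sam}@{suffix}"
    if not upn_is_unique(upn, forest_upns):
        raise ValueError(f"UPN {upn} already exists elsewhere in the forest")
    forest_upns.add(upn.lower())
    return upn


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """One LDIF attribute line; base64 (double colon) when the value is not a SAFE-STRING."""
    safe = (value.isascii() and value != "" and value[0] not in " :<"
            and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_ldif(roster, ou_dn, upn_suffix, taken_sams, forest_upns):
    """Return LDIF text that creates one user object per (first, last) in roster."""
    entries = []
    for first, last in roster:
        sam = make_sam(first, last, taken_sams)
        upn = make_upn(sam, upn_suffix, forest_upns)
        cn = f"{first} {last}"
        dn = f"CN={escape_rdn_value(cn)},{ou_dn}"
        entries.append("\n".join([
            ldif_line("dn", dn),
            "changetype: add",
            "objectClass: user",
            ldif_line("cn", cn),
            ldif_line("sAMAccountName", sam),
            ldif_line("userPrincipalName", upn),
            ldif_line("givenName", first),
            ldif_line("sn", last),
            ldif_line("displayName", cn),
            f"userAccountControl: {UAC_NORMAL_DISABLED}",
        ]))
    return "\n\n".join(entries) + "\n"


# Constructed sample data (not from the presentation).
ROSTER = [("Jane", "Doe"), ("John", "Doe"), ("José", "Rodríguez"),
          ("Paula", "Smith, Jr"), ("Mary", "Featherstonehaugh-Smith")]
OU_DN = "OU=Staff,DC=example,DC=com"
UPN_SUFFIX = "example.com"


def sample_ldif():
    taken = {"administrator", "guest", "krbtgt"}   # names already in the domain
    forest = set()                                 # UPNs known to the global catalog
    return build_ldif(ROSTER, OU_DN, UPN_SUFFIX, taken, forest)


if __name__ == "__main__":
    print(sample_ldif(), end="")
```

The second "Doe" becomes jdoe2, the accented name is folded to jrodriguez for the logon name while the CN keeps its accents (and is therefore base64-encoded in the file), the comma in "Smith, Jr" is escaped in the DN, and the long surname is truncated to the 20-character sAMAccountName limit.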

23
Creating and Modifying User Accounts
Programmatically
  • Many ways to create users besides the Users and
    Computers console
  • Scripts or programs
  • Automatically by variety of tools
  • Active Directory Service Interface (ADSI)
  • Provides single abstract set of directory service
    interfaces for management of network
  • Makes it simple for administrators to automate
    common tasks

24
Creating and Modifying User Accounts
  • Active Directory Service Interface (ADSI)
  • Programmer can use ADSI from
  • Visual Basic, C, or Visual C++ (VC++) application
  • Network administrators use
  • Windows Script Host (WSH)
  • VBScript (or another scripting language that WSH
    supports)
25
Planning and Administering Groups
  • Groups simplify Active Directory management
  • Save time and effort
  • Eliminate some mistakes

26
Group Types
  • Security groups
  • Most popular type of group
  • Defined by Security Identifier (SID)
  • Used in discretionary access control lists
    (DACLs)
  • Can also be used as e-mail entities
  • Distribution groups
  • Primary purpose for use with e-mail applications
  • Cannot be placed in a DACL and are not added to
    the user's access token, so they do not add to
    token size or logon cost
27
Group Types (continued)
  • Can change group type if domain is at
  • Windows 2000 native
  • Windows Server 2003 functional level
  • Changed via group properties

28
Group Scopes
  • Local scope
  • Exists only within the context of a specific
    machine
  • Often called machine local groups
  • Can only be referenced on the local machine
  • Stored in the local SAM database of each machine
  • Can contain
  • Users from the local security database
  • Any users, global groups, or universal groups in
    the forest
  • Any domain local groups from the machine's own
    domain
  • Any users or groups from a trusted domain
29
Machine Local Group Membership and Resource Access
30
Group Scopes (continued)
  • Domain local scope
  • Created on a domain controller
  • Can only be assigned permissions to resources in
    the domain in which it is created
  • Group membership can come from any domain within
    the forest (or from a trusted domain)
  • Can contain users, global groups, and universal
    groups from any domain, plus domain local groups
    from its own domain
  • Mainly used to assign access permissions to
    resources
  • Can be used on any machine in the domain
31
Group Scopes (continued)
  • Global scope
  • Can be assigned permissions to any resource in
    any domain within the forest
  • Or in any other domain that trusts the domain
    where the global group exists
  • Main limitation
  • Can only contain users (and, at Windows 2000
    native or higher, other global groups) from the
    same domain in which it is created
  • Mainly used to organize user objects into logical
    groupings according to function
32
Group Scopes (continued)
  • Universal scope
  • Created for the purpose of aggregating groups in
    different domains throughout the forest
  • Can be assigned permissions to any resource in
    any domain within the forest
  • Can contain users, global groups, and universal
    groups from any domain in the forest
  • Membership is stored in the global catalog, so
    keep it stable: nest global groups rather than
    individual users
  • Universal security groups are only available when
    the domain is at Windows 2000 native or Windows
    Server 2003 functional level
33
Changing a Group's Scope
  • May be possible to change scope if domain is at
  • Windows 2000 native
  • Windows Server 2003 functional level
  • Allowed conversions
  • Global to universal (unless the group is a member
    of another global group)
  • Domain local to universal (unless the group
    contains another domain local group)
  • Universal to global (unless the group contains
    another universal group)
  • Universal to domain local (always)
  • Global and domain local cannot be converted into
    each other directly; convert to universal first
34
Managing Security Groups
  • General strategy: use the acronym A G U DL P
  • Create user Accounts, and organize them within
    Global groups
  • Create Universal groups and place global groups
    from any domain within the universal groups
  • Create Domain Local groups that represent the
    resources to which you want to control access,
    and add global or universal groups to the domain
    local groups
35
Managing Security Groups (continued)
  • A G U DL P
  • Assign Permissions to domain local groups
  • One of best practices that Microsoft loves to
    test on
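
The scope rules from slides 28 through 33 and the A G U DL P strategy above, as an added example that is not part of the original presentation: a small model that checks what each group scope may contain, applies the scope-conversion rules, and builds an A-G-U-DL chain across two constructed domains of one forest. The domain names, group names and users are assumptions, and the model re-validates every existing member against the target scope when converting, which is stricter than the single rule the slide gives per conversion.

```python
"""Model of security-group scope rules at Windows 2000 native / 2003 level.

Added example with constructed domains, groups and users; not from the
presentation. Trusts to domains outside the forest are not modelled.
"""
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL, USER = "global", "domain_local", "universal", "user"


@dataclass(frozen=True)
class User:
    name: str
    domain: str
    scope: str = USER          # users and computers follow the same membership rules


@dataclass(eq=False)           # identity comparison: groups are nodes in a graph
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)


def can_contain(group, member):
    """Membership rule for a group of the given scope."""
    same_domain = member.domain == group.domain
    if group.scope == GLOBAL:        # only users and global groups from its own domain
        return same_domain and member.scope in (USER, GLOBAL)
    if group.scope == UNIVERSAL:     # anything in the forest except domain local groups
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    if group.scope == DOMAIN_LOCAL:  # anything in the forest; domain locals only from own domain
        return same_domain if member.scope == DOMAIN_LOCAL else True
    raise ValueError(f"unknown scope {group.scope}")


def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{group.scope} group {group.name} cannot contain "
                         f"{member.scope} {member.name} from {member.domain}")
    group.members.append(member)


def can_convert(group, new_scope, all_groups):
    """Apply the allowed-conversion rules; returns (ok, reason)."""
    pair = (group.scope, new_scope)
    if pair == (GLOBAL, UNIVERSAL):
        if any(g.scope == GLOBAL and any(m is group for m in g.members) for g in all_groups):
            return False, "global group is a member of another global group"
    elif pair == (DOMAIN_LOCAL, UNIVERSAL):
        if any(m.scope == DOMAIN_LOCAL for m in group.members):
            return False, "domain local group contains another domain local group"
    elif pair == (UNIVERSAL, GLOBAL):
        if any(m.scope == UNIVERSAL for m in group.members):
            return False, "universal group contains another universal group"
    elif pair != (UNIVERSAL, DOMAIN_LOCAL):
        return False, f"{group.scope} -> {new_scope} is not a permitted conversion"
    # Assumption beyond the slide: existing members must also be valid in the new scope.
    target = Group(group.name, group.domain, new_scope)
    for m in group.members:
        if not can_contain(target, m):
            return False, f"member {m.name} from {m.domain} is not valid in a {new_scope} group"
    return True, "ok"


def effective_users(group):
    """Flatten nesting: the users a DACL entry naming `group` actually covers."""
    users = set()
    for m in group.members:
        users |= effective_users(m) if isinstance(m, Group) else {m}
    return users


def build_agudlp():
    """A -> G -> U -> DL -> P across two constructed domains of one forest."""
    alice = User("alice", "corp.example")
    bob = User("bob", "eu.corp.example")
    g_corp = Group("G-Sales", "corp.example", GLOBAL)          # G: users by function, per domain
    g_eu = Group("G-Sales", "eu.corp.example", GLOBAL)
    u_sales = Group("U-Sales-All", "corp.example", UNIVERSAL)  # U: aggregate globals forest-wide
    dl_share = Group("DL-SalesShare-Modify", "corp.example", DOMAIN_LOCAL)  # DL: one resource
    add_member(g_corp, alice)
    add_member(g_eu, bob)
    add_member(u_sales, g_corp)
    add_member(u_sales, g_eu)
    add_member(dl_share, u_sales)
    # P: the share's DACL names only dl_share; every other relationship is nesting.
    return {"G-corp": g_corp, "G-eu": g_eu, "U": u_sales, "DL": dl_share}


if __name__ == "__main__":
    groups = build_agudlp()
    print(sorted(u.name for u in effective_users(groups["DL"])))
    for g, scope in ((groups["U"], GLOBAL), (groups["G-corp"], UNIVERSAL)):
        print(g.name, "->", scope, can_convert(g, scope, list(groups.values())))
```

Flattening the DL group yields both users even though each lives in a different domain, which is the point of the chain; converting the universal group to global is refused because its members come from two domains, while the corp global group can become universal because no other global group contains it.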

36
Example of A G DL P Group Strategy
37
Group Nesting
  • Nesting groups simplifies administrative tasks
  • Only available for
  • Windows 2000 native
  • Windows Server 2003 functional level

38
Understanding the Built-in Groups
  • A number of built-in local security groups with
    various pre-assigned rights are created
  • Builtin container
  • Contains a number of domain local ("builtin
    local") group accounts, such as Administrators,
    Account Operators and Server Operators
  • Are allocated different user rights based on
    common administrative or network-related tasks
  • Users container
  • Contains a number of different domain local and
    global group accounts, such as Domain Admins and
    Domain Users
39
Understanding Special Identities
  • Several special identity groups (for example
    Everyone, Authenticated Users, Interactive,
    Network)
  • Operating system controls membership
  • Not the administrator
  • OS dynamically determines, at logon, in which
    special identity groups the user should be a
    member
40
Special Identity Groups and Members
41
Creating Groups
  • Actually creating groups is simple
  • Add members to group after it is created

42
Creating and Managing Computer Accounts
  • Computers require computer accounts to be part of
    a domain
  • Tools to create computer accounts
  • Active Directory Users and Computers
  • System applet in Control Panel of the target
    computer
  • By default any authenticated user can join up to
    10 computers to the domain (the
    ms-DS-MachineAccountQuota attribute on the
    domain object)
  • Raise or lower the quota (0 disallows it) or
    grant technicians the Create Computer Objects
    permission on the target OU instead
43
Resetting Computer Accounts
  • Computers use a secure communication channel,
    known as the secure channel, to communicate with
    a domain controller
  • A password is associated with this secure channel
  • Changed every 30 days by default
  • Synchronized automatically between domain and
    workstation
  • Synchronization problems can occur
  • Administrator must reset the computer account
    associated with the workstation
  • Reset Account in ADUC (or dsmod computer -reset)
    resets only the directory side, so the
    workstation must then be rejoined; netdom reset,
    run on the workstation, resets both ends
44
Publishing Resources
  • An object in the directory represents a resource
  • Don't confuse
  • Creating a directory object to represent a
    resource
  • Creating the resource itself
45
Shared Folder
  • Provides only representation of actual share
  • Helps network users locate resources
  • Active Directory does not even check to see if
    server or the share exists

46
Printers
  • Dialog box requests network path to printer
  • Active Directory does check for existence of
    printer

47
Other Resources
  • As more Active Directory-aware and Active
    Directory-enabled applications are released
  • Administrators will have ability to locate more
    and more information in Active Directory database

48
Organizing Objects in the Directory
  • Large network must be well organized
  • Major advantage of Active Directory
  • Information can be organized in a logical way

49
Organizing and Controlling with Organizational
Units
  • Organize Active Directory structure using
    organizational units
  • Organizational units
  • Provide way to separate objects belonging to one
    data owner from another
  • Facilitate browsing directory
  • Support application of group policy

50
Moving Objects between Organizational Units
  • Fairly simple to move objects from one
    organizational unit to another
  • Objects distinguished name changes when moved

51
Moving Objects between Domains
  • Not nearly as simple as moving between
    organizational units
  • The object receives a new SID: the domain
    identifier part of a SID belongs to the issuing
    domain, so the old SID cannot be kept
  • sIDHistory attribute is used
  • Contains the SID(s) used in the previous domain(s)
  • System uses sIDHistory to include the old SID in
    the user's access token
  • Allows user to retain access to resources where
    the DACL contains the old SID
  • After migration, re-ACL resources to the new SID
    and clear sIDHistory so the old SIDs do not stay
    in tokens indefinitely
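
The SID change and sIDHistory mechanism in the slide above, as an added example that is not part of the original presentation: it parses SIDs to show the domain-identifier part that changes on a cross-domain move, builds an access token with and without sIDHistory, and runs a simplified DACL evaluation against a share whose ACE still names the old SID. The domain SIDs, RIDs, access-mask bits and ACL are constructed; the evaluation follows the Windows ordering rule (a matching deny blocks still-requested rights, allows accumulate) but models only two generic rights.

```python
"""sIDHistory and DACL evaluation after a cross-domain move.

Added example; the domain SIDs, RIDs and ACL below are constructed, not from
the presentation.
"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
EVERYONE = "S-1-1-0"              # special identity the OS adds to every token
AUTHENTICATED_USERS = "S-1-5-11"  # likewise, for any authenticated logon
READ, WRITE = 0x1, 0x2            # simplified access-mask bits


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) for an S-1-... string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def domain_of(sid):
    """Domain identifier: everything except the trailing RID."""
    authority, subs = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def rid_of(sid):
    return parse_sid(sid)[1][-1]


def build_token(user_sid, sid_history=(), groups=()):
    """Token SIDs: the user's own SID, every sIDHistory value, group SIDs,
    and the special identities the OS adds dynamically at logon."""
    return frozenset([user_sid, *sid_history, *groups, EVERYONE, AUTHENTICATED_USERS])


def access_check(token, dacl, requested):
    """Walk the DACL in order: a matching deny ACE covering any still-requested
    right fails the check; matching allow ACEs accumulate until none is left."""
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed: the user's SID in the source domain and in the destination domain.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
OLD_USER = OLD_DOMAIN + "-1105"
NEW_USER = NEW_DOMAIN + "-1602"

# DACL on a share that was never re-ACLed after the move: it still names the old SID.
SHARE_DACL = [
    ("allow", OLD_USER, READ | WRITE),
    ("allow", EVERYONE, READ),
]


def access_after_move(keep_history):
    """WRITE access for the moved user, with or without sIDHistory in the token."""
    history = (OLD_USER,) if keep_history else ()
    token = build_token(NEW_USER, sid_history=history)
    return access_check(token, SHARE_DACL, WRITE)


if __name__ == "__main__":
    print("domain identifier changed:", domain_of(OLD_USER) != domain_of(NEW_USER))
    print("write with sIDHistory:", access_after_move(True))
    print("write after sIDHistory cleared:", access_after_move(False))
```

With sIDHistory present the old SID rides along in the token and the stale ACE still grants write; once the attribute is cleared only the Everyone read ACE applies, which is why resources should be re-ACLed before the history is removed.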

52
Moving Objects between Domains (continued)
  • Tools
  • MoveTree (Windows Support Tools) will move a user
    or container from one domain to another
  • F:\tools\support>movetree /start /s
    tcpipinstr.pbcc.edu /d tcpip13.culinary.pbcc.edu
    /sdn OU=EmployeesEH,DC=pbcc,DC=edu /ddn
    OU=EmployeesEH,DC=culinary,DC=pbcc,DC=edu
    /u pbcc\administrator /p p@ssWord
  • Netdom will move a workstation or member server
    to another domain
  • F:\tools\support>netdom move /Domain:culinary
    winxp16 /UserD:culinary\Administrator
    /PasswordD:xyz123 /UserO:pbcc\Administrator
    /PasswordO:p@ssWord
  • The command completed successfully.
  • Both tools take credentials on the command line,
    where they are visible in process listings and
    command history; netdom accepts * for /PasswordD
    and /PasswordO to prompt instead