CN1276 Server (V3)
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCTS, MCDST, MCP, A+

Agenda
• Chapter 5: Active Directory Administration
• Quiz
• Exercise

Understanding User Accounts
• Three types of user accounts can be created and configured in Windows Server 2008:
  ▫ Local accounts
  ▫ Domain accounts
  ▫ Built-in user accounts

Security guidelines
• Rename the Administrator account
  ▫ Set a strong password
• Limit knowledge of administrator passwords to only a few individuals
• Do not use the Administrator account for daily non-administrative tasks
• Rename the Guest account after enabling it for use
  ▫ Set a strong password
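
One way to check these guidelines on a domain, as an added example that is not part of the original slides. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later); the 30-day window for "recent use" is an assumption.

```powershell
# Added example: locate the built-in accounts by well-known RID,
# so a renamed account is still found and reported.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$builtIn   = @{ 500 = 'Administrator'; 501 = 'Guest' }   # RID -> default name
$cutoff    = (Get-Date).AddDays(-30)                     # assumed review window

foreach ($rid in $builtIn.Keys) {
    $default = $builtIn[$rid]
    Get-ADUser -Identity "$domainSid-$rid" -Properties PasswordLastSet, LastLogonDate |
        Select-Object @{ n = 'Rid';         e = { $rid } },
                      SamAccountName,
                      # False means the account still carries its default name.
                      @{ n = 'Renamed';     e = { $_.SamAccountName -ne $default } },
                      Enabled,
                      PasswordLastSet,
                      # True on RID 500 suggests the account is used for routine work.
                      @{ n = 'RecentLogon'; e = { $_.LastLogonDate -gt $cutoff } }
}
```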

Group Accounts
• Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
• A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Types
• Distribution groups
  ▫ Non-security-related groups created for the distribution of information to one or more persons.
• Security groups
  ▫ Security-related groups created for purposes of granting resource access permissions to multiple users.

Group Nesting
• Users can be members of more than one group.
• Groups can contain other Active Directory objects, such as computers, and other groups.
• Placing groups inside other groups is called group nesting.

Group Scopes
• Domain Local
  ▫ These groups can include users, computers, global groups, and universal groups from any domain
  ▫ Used to assign permissions to any resource in the domain in which they are located
• Global
  ▫ These groups can include users, computers, and global groups only from within the same domain
  ▫ Used to assign permissions to resources that reside in any domain in the forest
  ▫ Global group memberships are replicated only to DCs within the same domain
• Universal
  ▫ Same as global group, but the group memberships should not change frequently because these groups are stored in the GC

Using Global and Domain Local Groups
• Assign users within a domain to global groups.
• Add global groups to domain local groups.
• Assign permissions to the domain local group.

AGUDLP
• Microsoft approach to using groups:
  ▫ Add Accounts to Global groups.
  ▫ Add those global groups to Universal groups.
  ▫ Add universal groups to Domain Local groups.
  ▫ Finally, assign Permissions to the domain local groups.
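
The AGUDLP chain built end to end and then checked, as an added example that is not part of the original slides. It assumes the ActiveDirectory module; the group names, the Groups OU, the share path and the CONTOSO NetBIOS name are hypothetical, and the user mary.north is assumed to exist already.

```powershell
# Added example: names, OU, folder and NetBIOS domain name are hypothetical.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=contoso,DC=com'
$folder = 'D:\Shares\Sales'

# One security group per scope in the chain.
New-ADGroup -Name 'GG-Sales-Staff'  -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'UG-Sales-All'    -GroupScope Universal   -GroupCategory Security -Path $ou
New-ADGroup -Name 'DL-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# A -> G -> U -> DL: each level is a member only of the next one.
Add-ADGroupMember -Identity 'GG-Sales-Staff'  -Members 'mary.north'
Add-ADGroupMember -Identity 'UG-Sales-All'    -Members 'GG-Sales-Staff'
Add-ADGroupMember -Identity 'DL-Sales-Modify' -Members 'UG-Sales-All'

# P: the permission is granted to the domain local group and to nothing else.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'CONTOSO\DL-Sales-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: user accounts placed directly in a domain local group bypass the chain
# and are easy to miss when access is reviewed group by group.
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' -SearchBase $ou | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{ n = 'Group'; e = { $group.Name } }, SamAccountName
}
```

An empty result from the final check means every permission in that OU is reachable only through group membership.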

Creating and Managing Groups
• Creating and managing groups is usually done with Active Directory Users and Computers.

Working with Default Groups
• Account Operators
  ▫ Can create, modify and delete accounts for users, groups, and computers in all containers and OUs.
  ▫ Cannot modify the Administrators, Domain Admins and Enterprise Admins groups.
• Administrators
• Backup Operators
• Guests
  ▫ Disabled by default

Working with Default Groups
• Print Operators
  ▫ Can manage printers and document queues.
• Server Operators
  ▫ Can log on to a server interactively
  ▫ Create and delete shares, start and stop some services
  ▫ Back up and restore files
  ▫ Format the disk, shut down the computer and modify the system date and time.

Working with Default Groups
• Users
• DNSAdmins
  ▫ Permits administrative access to the DNS server service.
• Domain Admins
• Domain Computers
  ▫ Contains all computers.
  ▫ Used to make computer management easier through group policies.
• Domain Controllers – Contains all computers installed in the domain as a domain controller.

Working with Default Groups
• Domain Guests
  ▫ Members include all domain guests.
• Domain Users
  ▫ Used to assign permissions to all users in the domain.
• Enterprise Admins
  ▫ Allows the global administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups
• Schema Admins
  ▫ Members can manage and modify the Active Directory schema.
• See Table 5-1 on Page 106 - 111

Special Identity Groups and Local Groups
• Authenticated Users
  ▫ Used to allow controlled access to resources throughout the forest or domain.
• Everyone
• See Table 5-2 on Page 112 - 113

Group Implementation Plan
• A plan that states
  ▫ who has the ability and responsibility to create, delete, and manage groups.
• A policy that states
  ▫ how domain local, global, and universal groups are to be used.
  ▫ guidelines for creating new groups and deleting old groups.
• A naming standards document to keep group names consistent.
• A standard for group nesting.

Creating Users and Groups
• Active Directory Users and Computers
• Batch files
  ▫ dsadd user <user DN> -samid <SAM account name>
  ▫ dsadd user "cn=jsmith,ou=Accounts,dc=lucernepublishing,dc=com" -samid jsmith

Creating Users and Groups (Cont.)
• Comma-Separated Value Directory Exchange (CSVDE)
  ▫ Header record (See Page 119)
  ▫ csvde.exe -i -f newusers.csv
    -i is to import
    -f is to specify the file to import

Creating Users and Groups (Cont.)
• LDAP Data Interchange Format Directory Exchange (LDIFDE)
  ▫ You can Add/Modify/Delete the object
  ▫ ldifde -i -f newobjects.ldf
• Windows Script Host (WSH)
  ▫ See code on Page 121

Creating Users and Groups (Cont.)
• Windows PowerShell
  ▫ $objOU = [ADSI]"LDAP://OU=People,DC=contoso,DC=com"
  ▫ $objUser = $objOU.Create("user","CN=Mary North")
  ▫ $objUser.Put("sAMAccountName","mary.north")
  ▫ $objUser.SetInfo()
  ▫ Windows 2008 R2
    Import-Module ActiveDirectory
    New-ADUser -Name "Mary North" -SamAccountName "mary.north"

Creating Users and Groups (Cont.)
• Note:
  ▫ CSVDE and LDIFDE cannot import users' passwords, hence the imported users will be disabled by default
  ▫ Only DSADD supports specifying the password
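
The follow-up step after a CSVDE or LDIFDE import, as an added example that is not part of the original slides: finding the accounts the import left disabled without a password, then setting a one-time password and enabling them. It assumes the ActiveDirectory module and that the import targeted OU=People,DC=contoso,DC=com; the password format is an assumption chosen to satisfy default complexity rules.

```powershell
# Added example: the OU and the password scheme are assumptions.
Import-Module ActiveDirectory

$ou  = 'OU=People,DC=contoso,DC=com'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Disabled accounts with no password ever set. Review this list before going on:
# it also matches older disabled accounts whose password was never set.
$pending = Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $false' -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet }

$issued = foreach ($user in $pending) {
    # 18 random bytes -> 24 base64 characters; the fixed suffix only guarantees
    # that all character classes are present, the strength comes from the random part.
    $bytes = New-Object byte[] 18
    $rng.GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes) + 'aA1!'
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser            -Identity $user -ChangePasswordAtLogon $true
    Enable-ADAccount      -Identity $user

    New-Object PSObject -Property @{
        SamAccountName  = $user.SamAccountName
        InitialPassword = $plain
    }
}

# Hand each initial password to its owner out of band; do not save this output to disk.
$issued
```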

Offline Domain Join
• Offline domain join is a process to add computers to a domain in locations where there is no connectivity to a corporate network.
  ▫ Windows Server 2008 R2
  ▫ Windows 7 image or on running computer
• The offline domain join process includes the following phases:
  ▫ Run djoin.exe /provision
    To create computer account metadata from the text file:
    djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt>
  ▫ Run djoin.exe /requestODJ
    To insert the computer account metadata into the Windows directory of the destination computer:
    djoin /requestodj /loadfile <filename.txt> /windowspath <path to Windows directory>

Assignment
• Fill in the blank
  ▫ 1-10
• Multiple Choice
  ▫ 1-10
• Online Lab 5