Chapter 4

The document discusses managing objects such as user accounts and groups in Active Directory Domain Services (AD DS). It covers topics such as creating and configuring user accounts, managing inactive and disabled accounts, different types of groups and their scopes, best practices for nesting groups, default privileged groups, and implementing and managing organizational units (OUs). The goal is to provide instructions and considerations for common identity and access management tasks in AD DS.

Uploaded by

Ehab Nathan

Managing objects in AD DS

Module Overview

• Managing user accounts
• Managing groups in AD DS
• Implementing and managing OUs

Managing user accounts

• Creating user accounts
• Configuring user account attributes
• Demonstration: Managing user accounts
• Managing inactive and disabled user accounts

Creating user accounts

• User accounts:
• Allow or deny access to sign in to computers
• Grant access to processes and services
• Manage access to network resources

• User accounts can be created by using:
• Active Directory Users and Computers
• Active Directory Administrative Center

• Considerations for naming users include:
• Naming formats
• UPN suffixes

Configuring user account attributes

User properties include the following categories:
• Account
• Organization
• Member of
• Password Settings
• Profile
• Policy
• Extensions

Demonstration: Managing user accounts

In this demonstration, you will see how to use Active Directory Administrative Center to:
• Create a new user account
• Delete a user account
• Move a user account
• Configure user attributes:
• Change department
• Change group membership

Managing inactive and disabled user accounts

• User accounts that will be inactive for a period of time should be disabled rather than deleted
• To disable an account in Active Directory Users and Computers, right-click the account and click Disable Account from the menu
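A scripted version of the "disable rather than delete" rule, added here as an example that is not part of the course slides. The 90-day threshold, the search base OU and the domain are assumptions; Search-ADAccount, Disable-ADAccount and Set-ADUser are standard ActiveDirectory module cmdlets.

```powershell
# Added example (not from the course slides): find user accounts with no logon for a
# set period and disable them, keeping the object, its SID and its group memberships.
Import-Module ActiveDirectory

function Disable-InactiveUser {
    param(
        [int]$InactiveDays = 90,                                  # assumed policy threshold
        [string]$SearchBase = 'OU=Users,DC=contoso,DC=com',       # assumed search base
        [switch]$ReportOnly
    )
    $window = New-TimeSpan -Days $InactiveDays
    $cutoff = (Get-Date) - $window

    # Search-ADAccount evaluates lastLogonTimestamp, which replicates with a lag of up to
    # about 14 days, so treat the threshold as approximate. Accounts created inside the
    # window that have simply never been used yet are excluded.
    $candidates = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description } |
        Where-Object { $_.whenCreated -lt $cutoff }

    foreach ($user in $candidates) {
        $note = 'Disabled {0:yyyy-MM-dd}: no logon since {1:yyyy-MM-dd}' -f (Get-Date), $user.LastLogonDate
        if (-not $ReportOnly) {
            # Record why the account was disabled on the object itself, then disable it.
            Set-ADUser -Identity $user -Description $note
            Disable-ADAccount -Identity $user
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            LastLogonDate  = $user.LastLogonDate
            Action         = $note
            Applied        = (-not $ReportOnly)
        }
    }
}

# Dry run first, then the real run.
Disable-InactiveUser -ReportOnly | Format-Table -AutoSize
# Disable-InactiveUser

# Review accounts that are already disabled, for example to retire those past a retention period.
Search-ADAccount -AccountDisabled -UsersOnly -SearchBase 'OU=Users,DC=contoso,DC=com' |
    Select-Object SamAccountName, DistinguishedName
```

Disabling preserves the SID, so access-control entries and group memberships that reference the account remain intact if it is re-enabled; deleting and re-creating the account produces a new SID and loses them.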

Managing groups in AD DS

• Group types
• Group scopes
• Implementing group management
• Managing group membership by using Group Policy
• Default groups
• Special identities
• Demonstration: Managing groups in Windows Server

Group types

• Distribution groups
• Used only with email applications
• Not security enabled (no SID)
• Cannot be given permissions

• Security groups
• Security principal with a SID
• Can be given permissions
• Can also be email-enabled

You can convert security groups to distribution groups and distribution groups to security groups

Group scopes

• Local groups can contain users, computers, global groups, domain-local groups and universal groups from the same domain, from domains in the same forest and from other trusted domains, and can be given permissions to resources on the local computer only
• Domain-local groups have the same membership possibilities but can be given permissions to resources anywhere in the domain
• Universal groups can contain users, computers, global groups and other universal groups from the same domain or from domains in the same forest, and can be given permissions to any resource in the forest
• Global groups can only contain users, computers and other global groups from the same domain, and can be given permissions to resources in the domain or in any trusted domain

Implementing group management

This best practice for nesting groups is known as IGDLA:
• I: Identities (users or computers), which are members of
• G: Global groups, which collect members based on members' roles, which are members of
• DL: Domain-local groups, which provide management such as resource access, which are
• A: Assigned access to a resource

Example from the slide: the Sales (global group) and Auditors (global group) are members of ACL_Sales_Read (domain-local group), which is the group assigned access to the resource.
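The IGDLA chain from the slide (Sales and Auditors global groups nested in the ACL_Sales_Read domain-local group, which holds the permission) built with the ActiveDirectory module, also showing the group type and scope options from the earlier slides. This is an added example, not part of the course slides; the domain, the Groups OU, the file share path, the "dreyes" user and the NetBIOS domain name CONTOSO are assumptions.

```powershell
# Added example (not from the course slides): build an IGDLA group chain and assign
# the resource permission once, to the domain-local group.
Import-Module ActiveDirectory

$domainDn  = 'DC=contoso,DC=com'            # assumed domain
$groupOu   = "OU=Groups,$domainDn"          # assumed OU for groups
$netbios   = 'CONTOSO'                      # assumed NetBIOS domain name
$sharePath = 'D:\Shares\Sales'              # assumed folder on the file server running this

function New-GroupIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope,
        [string]$Description = ''
    )
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOu
    if ($existing) { return $existing }
    # Security category: the group gets a SID and can appear in an ACL. A distribution
    # group has no usable SID and cannot be given permissions.
    New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $groupOu `
        -Description $Description -PassThru
}

# G: role groups are global (members come from this domain only).
$sales    = New-GroupIfMissing -Name 'Sales'    -Scope Global -Description 'Role: sales staff'
$auditors = New-GroupIfMissing -Name 'Auditors' -Scope Global -Description 'Role: internal audit'

# DL: the resource group is domain-local, named after the resource and the access level.
$dl = New-GroupIfMissing -Name 'ACL_Sales_Read' -Scope DomainLocal -Description "Read access to $sharePath"

# I -> G -> DL: identities go into role groups, role groups go into the resource group.
Add-ADGroupMember -Identity $sales -Members 'dreyes'                  # assumed user
Add-ADGroupMember -Identity $dl    -Members $sales, $auditors

# A: the permission is granted to the domain-local group, never to users or role groups directly.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$($dl.SamAccountName)", 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Group management from the demonstration slide: set a manager, and change scope or type.
Set-ADGroup -Identity $auditors -ManagedBy 'dreyes'
# A global group cannot become domain-local directly; the change goes through Universal.
# Set-ADGroup -Identity $sales -GroupScope Universal
# Set-ADGroup -Identity $sales -GroupScope DomainLocal
# Converting category works in one step in either direction.
# Set-ADGroup -Identity 'Sales-Announcements' -GroupCategory Security

# Verify: the effective members of the resource group, resolved through the nesting.
Get-ADGroupMember -Identity $dl -Recursive | Select-Object Name, ObjectClass, DistinguishedName
```

Because the ACL references only ACL_Sales_Read, granting a new role read access is a group-membership change (add the role's global group to the domain-local group) rather than an ACL change on the resource, which is the point of the IGDLA layering.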

Managing group membership by using Group Policy

• Restricted Groups can simplify group management
• You use it to manage local and AD DS groups

Managing group membership by using Group Policy

Members can be added to the group and the group can be nested into other groups
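Restricted Groups is stored in the GPO's security template, where each group has a Members entry and a Memberof entry, matching the two operations the slide names. The parser below reads that section from a constructed sample and reports what the policy would enforce. It is an added example, not part of the course slides; the SIDs in the sample are constructed, and the file path given in the comment is the standard SYSVOL location of the template.

```powershell
# Added example (not from the course slides): parse the [Group Membership] section of a
# GPO security template (GptTmpl.inf) to show what Restricted Groups will enforce.
# In a real GPO the file is at
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The template content and the domain SIDs below are constructed.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

function Resolve-SidLabel {
    # Translate a SID to DOMAIN\Name where this machine can resolve it; otherwise keep the raw SID.
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-RestrictedGroupPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $inSection = $false
    $policy = [ordered]@{}
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        # Entries look like <group>__Members = list  or  <group>__Memberof = list; '*' prefixes a SID.
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group'].TrimStart('*')
            if (-not $policy.Contains($group)) { $policy[$group] = @{ Members = @(); MemberOf = @() } }
            $list = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            if ($Matches['kind'] -eq 'Members') { $policy[$group].Members = $list } else { $policy[$group].MemberOf = $list }
        }
    }
    return $policy
}

$policy = Get-RestrictedGroupPolicy -InfLines ($sampleInf -split "`r?`n")
$rows = foreach ($group in $policy.Keys) {
    $entry = $policy[$group]
    [pscustomobject]@{
        Group = Resolve-SidLabel $group
        # Members is authoritative: at refresh, anyone not listed is removed from the group.
        EnforcedMembers = ($entry.Members | ForEach-Object { Resolve-SidLabel $_ }) -join ', '
        # Memberof is additive: the group is added to these groups; their other members are left alone.
        AddedTo = ($entry.MemberOf | ForEach-Object { Resolve-SidLabel $_ }) -join ', '
    }
}
$rows | Format-Table -AutoSize
```

The distinction the report makes is the one that matters when the policy is reviewed: an entry in Members replaces the group's membership on every refresh, so a local administrator added by hand is removed again, while an entry in Memberof only adds the group to another group and leaves the rest of that group's members in place.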

Default groups

Carefully manage the default groups that provide administrative privileges, because these groups:
• Typically have broader privileges than are necessary for most delegated environments
• Often apply protection to their members

Group               Location
Enterprise Admins   Users container of the forest root domain
Schema Admins       Users container of the forest root domain
Administrators      Built-in container of each domain
Domain Admins       Users container of each domain
Server Operators    Built-in container of each domain
Account Operators   Built-in container of each domain
Backup Operators    Built-in container of each domain
Print Operators     Built-in container of each domain
Cert Publishers     Users container of each domain
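A membership review of the groups in the table, resolving nested membership and showing the container each group lives in. The "protection" the slide refers to is the AdminSDHolder mechanism, which sets adminCount=1 on members of these groups and keeps that flag after removal, so the script also lists accounts that are still flagged but no longer members. This is an added example, not part of the course slides; the forest and domain names are read from the directory at run time.

```powershell
# Added example (not from the course slides): list the effective members of the default
# privileged groups, where each group lives, and accounts still carrying adminCount=1.
Import-Module ActiveDirectory

$forestRootDomain = (Get-ADForest).RootDomain
$currentDomain    = (Get-ADDomain).DNSRoot

# Same groups as the table; Enterprise Admins and Schema Admins exist only in the forest root.
$privilegedGroups = @(
    @{ Name = 'Enterprise Admins'; Domain = $forestRootDomain }
    @{ Name = 'Schema Admins';     Domain = $forestRootDomain }
    @{ Name = 'Administrators';    Domain = $currentDomain }
    @{ Name = 'Domain Admins';     Domain = $currentDomain }
    @{ Name = 'Server Operators';  Domain = $currentDomain }
    @{ Name = 'Account Operators'; Domain = $currentDomain }
    @{ Name = 'Backup Operators';  Domain = $currentDomain }
    @{ Name = 'Print Operators';   Domain = $currentDomain }
    @{ Name = 'Cert Publishers';   Domain = $currentDomain }
)

$report = foreach ($g in $privilegedGroups) {
    $group = Get-ADGroup -Identity $g.Name -Server $g.Domain
    # -Recursive expands nested groups so indirectly privileged accounts are visible too.
    foreach ($member in Get-ADGroupMember -Identity $group -Server $g.Domain -Recursive) {
        [pscustomobject]@{
            Group     = $g.Name
            Domain    = $g.Domain
            Container = ($group.DistinguishedName -split ',', 2)[1]   # CN=Users,... or CN=Builtin,...
            Member    = $member.SamAccountName
            Class     = $member.objectClass
        }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# AdminSDHolder sets adminCount=1 on members of protected groups and blocks ACL inheritance on
# them; the flag is not cleared when the account is removed, so these are former privileged
# accounts whose objects are still "protected" and deserve a look.
$currentMembers = @($report | ForEach-Object { $_.Member })
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $currentMembers } |
    Select-Object SamAccountName, DistinguishedName
```

Running this on a schedule and diffing the output against the previous run is a simple way to detect unexpected additions to any of these groups.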

Special identities

• Special identities:
• Are groups for which the operating system controls membership
• Can be used by the Windows Server operating system to provide access to resources based on the type of authentication or connection, not on the user account

• Important special identities include:
• Anonymous Logon
• Authenticated Users
• Everyone
• Interactive
• Network
• Creator Owner

Demonstration: Managing groups in Windows Server

In this demonstration, you will see how to:
• Create a new group and add members to the group
• Add users to the group
• Change the group type and scope
• Configure a manager for the group

Implementing and managing OUs

• Planning OUs
• OU hierarchy considerations
• Considerations for using OUs
• AD DS permissions
• Delegating AD DS permissions
• Demonstration: Delegating administrative permissions on an OU

Planning OUs

Location-based strategy
• Static
• Delegation can be complicated

Organization-based strategy
• Not static
• Easy to categorize

Resource-based strategy
• Not static
• Easy to delegate administration

Multitenancy-based strategy
• Static
• Easy to delegate administration
• Easy to include and separate new tenants

Hybrid strategy

OU hierarchy considerations

Align the OU strategy to administrative requirements, not to the organizational chart, because organizational charts are more subject to change than your IT administration model

AD DS inheritance behavior can simplify Group Policy administration because it allows group policies to be set on an OU and flow down to lower OUs in the hierarchy

Plan to accommodate changes in the IT administration model

Considerations for using OUs

• OUs can be created using AD DS graphical tools or command-line tools
• New OUs are protected from accidental deletion by default
• When objects are moved between OUs:
• Directly assigned permissions remain in place
• Inherited permissions will change
• Appropriate permissions are required to move objects between OUs

AD DS permissions

• Users receive their token (list of SIDs) during sign in
• Objects have a security descriptor that describes:
• Who (SID) has been granted or denied access
• Which permissions (Read, Write, Create or Delete child)
• What kind of objects
• Which sublevels

• When users browse the Active Directory structure, their token is compared to the security descriptor to evaluate their access rights

Delegating AD DS permissions

• Permissions on AD DS objects can be granted to users or groups
• Permission models are usually object-based or role-based
• The Delegation of Control Wizard can simplify assigning common administrative tasks
• The OU advanced security properties allow you to grant granular permissions
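The granular, role-based delegation the slides describe, done from the OU's security descriptor rather than the wizard: an OU is created (protected from accidental deletion, as the earlier slide notes is the default), and a helpdesk group is granted the "Reset Password" control access right on user objects below it, which is one of the tasks the Delegation of Control Wizard offers. This is an added example, not part of the course slides; the domain, OU name and helpdesk group are assumptions, while the two GUIDs are the published schema values for the Reset Password right and the user object class.

```powershell
# Added example (not from the course slides): create an OU and delegate password reset
# on user objects in it to a helpdesk group by writing an ACE on the OU.
Import-Module ActiveDirectory

$domainDn   = 'DC=contoso,DC=com'                     # assumed domain
$ouName     = 'Helpdesk-Managed'                      # assumed OU
$ouDn       = "OU=$ouName,$domainDn"
$delegateTo = 'CONTOSO\Helpdesk-PasswordReset'        # assumed global group

# New OUs are protected from accidental deletion by default; stated explicitly here.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Published schema GUIDs: the "Reset Password" control access right and the user object class.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# The ACE is granted to the group's SID, not its name, so renames do not break it.
$sid = (New-Object System.Security.Principal.NTAccount($delegateTo)).Translate([System.Security.Principal.SecurityIdentifier])

# The AD: drive is provided by the ActiveDirectory module; Get-Acl/Set-Acl work on it.
$acl  = Get-Acl -Path "AD:\$ouDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,                                                    # which permission
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,   # which sublevels
    $userClass)                                                             # what kind of objects
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify what was granted. A user object later created in (or moved into) this OU
# inherits this ACE; moving it out of the OU removes it, while ACEs set directly on the
# user object travel with it.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $delegateTo } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType, IsInherited
```

Scoping the ACE by object class (user) and by the single control access right keeps the delegation to the one task the helpdesk role needs; granting GenericAll or WriteDacl on the OU instead would let the group rewrite its own permissions, which is the kind of broader-than-necessary privilege the default groups slide warns about.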

Module Review and Takeaways

• Real-world Issues and Scenarios
• Tools
• Best Practice
• Common Issues and Troubleshooting Tips
