
MCST 2015 Active Directory

Objects and Accounts


Module 1

Organizational Unit (OU)


A container object that functions in a subordinate capacity to a domain, something like a subdomain, but without the complete separation of security policies. As a container object, OUs can contain other OUs, as well as leaf objects. You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed. However, an OU is still part of the domain and still inherits policies and permissions from its parent objects.

Organizational Units
Can be created to represent your company's functional or geographical model.
Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.
Can be used to apply consistent configuration to client computers, users and member servers.


Creating an Organizational Unit


To create an organizational unit, you would use the Active Directory Users and Computers console.

Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site. Delegating authority at a domain level affects the entire domain. Delegating authority at the OU level affects only that OU and its hierarchy.

Delegation of Control
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.

Delegating Administrative Control of an OU


Open Active Directory Users and Computers. Right-click the object to which you wish to delegate control, and click Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page.
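The wizard writes its result as access control entries on the OU, and the Summary later notes that verifying or removing a delegation has to be done through the object's security settings. The following added PowerShell example (not part of the course slides) lists the explicit, non-inherited ACEs on an OU, resolves the attribute, class and extended-right GUIDs in them to readable names using the forest's own schema and Extended-Rights container, and shows how to remove every explicit ACE granted to one principal. It assumes the RSAT ActiveDirectory module; the OU DN and the principal CORP\HelpDesk are constructed.

```powershell
# Added example: verify and remove a delegation on an OU.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$ouDN = 'OU=HelpDeskManaged,DC=corp,DC=example,DC=com'   # constructed OU

$rootDSE = Get-ADRootDSE

# GUID -> name maps. Object classes and attributes come from the schema partition,
# control access rights (e.g. "Reset Password") from CN=Extended-Rights.
$guidNames = @{}
Get-ADObject -SearchBase $rootDSE.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.ConfigurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty)      { return 'All' }          # ACE applies to the whole object
    if ($guidNames.ContainsKey($g)) { return $guidNames[$g] }
    return $g.ToString()
}

# Explicit ACEs are the ones a delegation (wizard or manual) added to this OU.
function Get-AdDelegation([string]$ouDN) {
    $acl = Get-Acl -Path "AD:\$ouDN"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Identity        = $_.IdentityReference
            Type            = $_.AccessControlType
            Rights          = $_.ActiveDirectoryRights
            AppliesTo       = Resolve-AdGuid $_.ObjectType           # attribute or extended right
            InheritedObject = Resolve-AdGuid $_.InheritedObjectType  # object class the ACE targets
            Inheritance     = $_.InheritanceType
        }
    }
}

# Remove a delegation: drop every explicit ACE for one principal and write the DACL back.
function Remove-AdDelegation([string]$ouDN, [string]$principal) {
    $acl = Get-Acl -Path "AD:\$ouDN"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $principal } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

Get-AdDelegation -ouDN $ouDN | Format-Table -AutoSize
# Remove-AdDelegation -ouDN $ouDN -principal 'CORP\HelpDesk'
```

For the wizard's predefined task "Reset user passwords and force password change at next logon", the report shows two entries for the delegated group on user objects: an ExtendedRight whose AppliesTo resolves to Reset Password, and a WriteProperty on pwdLastSet. Reviewing the explicit ACEs this way is also how a delegation that was never meant to exist gets noticed.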


Group Policy
One of the biggest reasons to use OUs is the application of Group Policy. Create OUs for each group of objects that needs different Group Policy settings. Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU. Through inheritance, settings applied to the domain or to parent OUs apply to all child OUs and to the objects within those OUs.

Accidental Deletion
Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common: Leaf-node deletion is when a user selects and deletes a leaf object. Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).

Accidental Deletion
To protect objects from accidental deletion:
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
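The OU creation and accidental-deletion protection described above, as an added PowerShell example that is not part of the course slides. It assumes the RSAT ActiveDirectory module; the domain DC=corp,DC=example,DC=com and the OU names Branches, Berlin and Madrid are constructed. It also audits the tree for objects that lack the protection flag, since only new OUs get it by default.

```powershell
# Added example: create a protected OU tree and audit unprotected objects.
# Assumes the RSAT ActiveDirectory module and a constructed domain.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example,DC=com'   # constructed sample domain
$branches = "OU=Branches,$domainDN"

# New-ADOrganizationalUnit protects the OU by default, matching the console
# check box; the parameter is spelled out here so the intent is visible.
New-ADOrganizationalUnit -Name 'Branches' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($site in 'Berlin', 'Madrid') {
    New-ADOrganizationalUnit -Name $site -Path $branches -ProtectedFromAccidentalDeletion $true
}

# Other object types (groups, users, computers) are NOT protected by default.
# Audit: every OU or group in the tree whose flag is off.
function Get-UnprotectedObject([string]$searchBase) {
    Get-ADObject -SearchBase $searchBase `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=group))' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

$unprotected = Get-UnprotectedObject -searchBase $branches
$unprotected | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Remediate. The flag is implemented as Deny "Delete" and "Delete Subtree" ACEs
# for Everyone on the object, which is why a protected OU cannot be removed
# (even by an administrator) until the flag is cleared.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true

# Intentional removal of a protected OU is a two-step operation:
# Set-ADOrganizationalUnit -Identity "OU=Madrid,$branches" -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity "OU=Madrid,$branches" -Recursive
```

Running the audit function against the domain root instead of one OU gives the same report for the whole domain; doing so on a schedule catches objects created by tools or scripts that never set the flag.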

Default Containers
When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created:
Builtin
Computers
Domain Controllers
Foreign Security Principals
LostAndFound
NTDS Quotas
Program Data
System
Users

Default Containers
Default containers are automatically created and cannot be deleted. The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.

Default Containers
To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO. The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.

Understanding User Accounts


Three types of user accounts can be created and configured in Windows Server 2008:
Local accounts.
Domain accounts.
Built-in user accounts.

MCST 2015 - Administering the Active Directory

19

Local Accounts
Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Never replicated to other computers, nor do these accounts have domain access.


Domain Accounts
Accounts used to access Active Directory or network-based resources, such as shared folders or printers. Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.

Built-in User Accounts


Automatically created when Microsoft Windows Server 2008 is installed. Built-in user accounts are created on a member server or a standalone server.
When you install Windows Server 2008 as a domain controller, the ability to create and manipulate these accounts is disabled.


Built-in User Accounts


By default, two built-in user accounts are created on a Windows Server 2008 computer:
Administrator account.
Guest account.

Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.

Creating and Managing User Accounts


User accounts are usually created and managed with Active Directory Users and Computers.


User Account Properties
(Slides 25-27: figures only.)

Managing User Accounts


Use Active Directory Users and Computers from a domain controller or workstation with Administrative Tools installed to configure domain accounts. To modify properties on multiple user accounts at once, use the Shift or Ctrl keys to select all users, then edit the necessary properties. Properties such as the logon name or password cannot be modified in this way.

Managing User Accounts


You can move user accounts to add them to the appropriate OUs. Grouping users within OUs allows you to apply Group Policy settings to groups of users. When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password, then select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring that the user will be the only person who knows the password.

Managing User Accounts


You can configure an expiration date for temporary user accounts. Once the account is expired, it cannot be used for logon. If a user will be gone for an extended period of time, disable the account. This prevents the account from being used during the user's absence. Enable the account when the user returns.

Managing User Accounts


Configure the logon hours for a user account to allow the account to only be used between specific hours. Logon attempts outside of the specified hours will not be allowed. Users who are currently logged on will be allowed to continue working when the logon hours expire. To log a user off when the logon hours pass, configure Group Policy settings to log the user off automatically.

Managing User Accounts


If you accidentally delete a user account, restore it from backup rather than creating a new one with the same name. Creating a new account with the same name results in a user account with a different SID and will not automatically assume the permissions and memberships of the previously deleted account.

Managing User Accounts


To create another user account similar to an existing user, copy the existing user account. You will be prompted for a new name and password. Existing account settings and group memberships will be copied to the new account. Permissions will not be copied to the new account.
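The account-management practices in the slides above (forced password change at next logon, expiration dates, disabling for absence, restoring rather than recreating, copying an account), as one added PowerShell example that is not part of the course slides. It assumes the RSAT ActiveDirectory module; the OU, user names and UPN suffix are constructed.

```powershell
# Added example: lifecycle of a temporary domain user account.
# Assumes the RSAT ActiveDirectory module; all names below are constructed.
Import-Module ActiveDirectory

$ou     = 'OU=Contractors,DC=corp,DC=example,DC=com'   # constructed
$suffix = 'corp.example.com'                           # constructed UPN suffix

# Random initial password. Because the user must change it at first logon,
# the administrator who set it never ends up knowing the working password.
function New-InitialPassword {
    $chars = (48..57) + (65..90) + (97..122)           # 0-9, A-Z, a-z as char codes
    ConvertTo-SecureString (-join ($chars | Get-Random -Count 20 | ForEach-Object { [char]$_ })) -AsPlainText -Force
}

# Create with an expiration date: once it passes, the account cannot log on.
New-ADUser -Name 'Jane Contractor' -SamAccountName 'jcontractor' `
    -UserPrincipalName "jcontractor@$suffix" -Path $ou `
    -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true `
    -AccountExpirationDate (Get-Date).AddDays(90)

# Extend (or clear) the expiry when the engagement changes.
Set-ADAccountExpiration -Identity 'jcontractor' -DateTime (Get-Date).AddDays(120)
# Clear-ADAccountExpiration -Identity 'jcontractor'

# Extended absence: disable, never delete. The SID, group memberships and any
# permissions granted to it survive, so enabling it later restores everything.
Disable-ADAccount -Identity 'jcontractor'
Enable-ADAccount  -Identity 'jcontractor'

# Forgotten password: reset it, then force a change at next logon again.
Set-ADAccountPassword -Identity 'jcontractor' -Reset -NewPassword (New-InitialPassword)
Set-ADUser -Identity 'jcontractor' -ChangePasswordAtLogon $true

# Copy an account: -Instance copies the template's attributes; group memberships
# are re-added explicitly; permissions (ACLs naming the template's SID) are not copied.
$template = Get-ADUser -Identity 'jcontractor' -Properties Department, Title, Company, Office
$groups   = (Get-ADUser -Identity 'jcontractor' -Properties MemberOf).MemberOf
New-ADUser -Name 'John Contractor' -SamAccountName 'jcontractor2' `
    -UserPrincipalName "jcontractor2@$suffix" -Path $ou -Instance $template `
    -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true
foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members 'jcontractor2' }

# Why recreating a deleted account "with the same name" does not restore access:
# every new object gets a new SID, and permissions are bound to the SID, not the name.
"jcontractor  SID: $((Get-ADUser -Identity 'jcontractor').SID)"
"jcontractor2 SID: $((Get-ADUser -Identity 'jcontractor2').SID)"
```

The two SID lines print different values even though the accounts were created minutes apart with near-identical settings, which is the point the slide makes about restoring from backup instead of recreating.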

Managing Computer Accounts


A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:
Create a computer account in Active Directory.
Join the computer to the domain. When the computer joins the domain, the device is associated with the Active Directory computer account.

Managing Computer Accounts


Because the Computers folder is not an OU, you cannot link a GPO to this container, meaning that only Group Policy settings linked at the domain level will apply to these computers. For more control over Group Policy settings for computers or groups of computers, move computer accounts to OUs. To control where computer accounts are placed when the computer joins the domain, create the computer accounts ahead of time, before joining the domain from the workstation.

Managing Computer Accounts


The following group members can create a computer account:
Account Operators
Domain Admins
Enterprise Admins

Managing Computer Accounts


Members of the Authenticated Users group can join up to 10 computers to a domain from a workstation (and create the computer account automatically if it does not already exist). This ability comes from the Add workstations to a domain user right. You can also allow specific users to join specific computers to a domain by selecting The following user or group can join this computer to a domain when creating the computer account.

Managing Computer Accounts


You can grant other users permissions to create computer accounts by giving them the Create Computer Objects right over the Active Directory OU. This permission does not have a limit on the number of accounts that can be created. Note: You must grant this right to the domain or specific OUs. To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
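The computer-account practices from the slides above (pre-staging accounts in an OU, moving accounts out of the Computers container, the 10-computer limit for Authenticated Users, and who created which account), as an added PowerShell example that is not part of the course slides. It assumes the RSAT ActiveDirectory module; the domain, OU and computer names are constructed. The quota lives in the ms-DS-MachineAccountQuota attribute of the domain object, and computers joined under that quota carry the joiner's SID in mS-DS-CreatorSID, which is what the audit at the end uses.

```powershell
# Added example: pre-stage computer accounts, review the join quota, and audit
# quota-based joins. Assumes the RSAT ActiveDirectory module; names are constructed.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example,DC=com'
$wsOU     = "OU=Workstations,$domainDN"

# 1. Pre-stage: the account already sits in the right OU when the device joins,
#    so the device receives that OU's GPOs from its first logon.
New-ADComputer -Name 'WS-BER-017' -Path $wsOU -Enabled $true

# 2. Accounts that landed in the default Computers container (not an OU, so no
#    GPO can be linked there) are moved into the workstation OU.
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel -Filter * |
    Move-ADObject -TargetPath $wsOU

# 3. Change where future un-staged joins land (redircmp is a built-in tool).
redircmp $wsOU

# 4. The "10 computers per Authenticated User" limit. Setting it to 0 means only
#    principals holding Create Computer Objects on an OU (or admins) can add machines.
function Get-MachineAccountQuota([string]$domainDN) {
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}
"MachineAccountQuota is $(Get-MachineAccountQuota -domainDN $domainDN)"
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 5. Audit: computers created through the quota record the joiner's SID in
#    mS-DS-CreatorSID; accounts created by administrators do not carry it.
function Get-QuotaJoinedComputer {
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
            $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{
                Computer  = $_.Name
                CreatedBy = $who
                Created   = $_.whenCreated
                Location  = $_.DistinguishedName
            }
        }
}
Get-QuotaJoinedComputer | Sort-Object CreatedBy | Format-Table -AutoSize
```

Grouping the audit output by CreatedBy shows at a glance which ordinary users have been joining machines and how many; a user approaching the quota, or machines joined by an account that should not be joining anything, is worth a closer look.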

Managing Service Accounts


A service account is a special user account that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform.

Managing Service Accounts


Categories of Service Accounts:
Built-in local user account
Domain user account
Managed service account
Virtual account

Managing Service Accounts


Built-in local user account
A built-in user account is a user account that is created automatically during installation. The following three built-in user accounts are used by most services:
Local System account (also called the System account)
Local Service account
Network Service account

Managing Service Accounts


Domain user account
User accounts are managed centrally in Active Directory. You can create a single user account for a single service, or share a user account for multiple services. You can grant only the specific privileges required by the service. You must manage account passwords. For example, you will need to periodically reset the account password on the account as well as reset the password used by the service.

Managing Service Accounts


Managed service account
A managed service account is a new account type available in Windows Server 2008 R2 and Windows 7. A managed service account provides the same benefits as a domain user account, with the added benefit that passwords are managed and reset automatically. An account can be used on only one computer (you must create at least one account per computer). Each account can be used by multiple services on that computer. You can also create a separate account for each service.

Managing Service Accounts


Virtual account
A virtual account is a new account type available in Windows Server 2008 R2 and Windows 7. Virtual accounts:
Are not created or deleted. Use a single account for a single service. If you have multiple services that use virtual accounts, there will be a different account for each service.
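The four service-account categories above, in an added PowerShell example that is not part of the course slides: it inventories every service on a host, classifies the logon account into one of the four categories (the domain and local user accounts are the ones whose passwords someone has to rotate by hand), and then shows how a standalone managed service account and a virtual account are put in place. It assumes the RSAT ActiveDirectory module; the host name APP01, the account svc_reports and the service ReportSvc are constructed, and the New-ADServiceAccount syntax shown is that of the Windows Server 2012 and later module.

```powershell
# Added example: classify service logon accounts, then set up an MSA and a virtual account.
# Assumes the RSAT ActiveDirectory module; host, account and service names are constructed.
Import-Module ActiveDirectory

function Get-ServiceAccountInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName | ForEach-Object {
        $acct = [string]$_.StartName
        # Win32_Service reports the built-ins as LocalSystem, NT AUTHORITY\LocalService
        # and NT AUTHORITY\NetworkService; virtual accounts as NT SERVICE\<name>;
        # managed service accounts end in $ like computer accounts.
        $category = switch -Regex ($acct) {
            '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' { 'Built-in local'; break }
            '^NT SERVICE\\'                                                { 'Virtual account'; break }
            '\$$'                                                          { 'Managed service account'; break }
            '^[^\\]+\\[^\\]+$'                                             { 'Domain or local user account'; break }
            default                                                        { 'Unknown' }
        }
        [pscustomobject]@{ Service = $_.Name; Account = $acct; Category = $category; State = $_.State }
    }
}

# These are the accounts with a password an administrator must manage and rotate.
Get-ServiceAccountInventory |
    Where-Object Category -eq 'Domain or local user account' |
    Format-Table -AutoSize

# Standalone managed service account (the 2008 R2 type): one computer, password
# rotated by the domain, nobody needs to know it.
New-ADServiceAccount -Name 'svc_reports' -RestrictToSingleComputer
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc_reports'
# On APP01 itself (as a local administrator):
#   Install-ADServiceAccount -Identity 'svc_reports'
#   Test-ADServiceAccount    -Identity 'svc_reports'      # True once the host can use it
#   sc.exe config ReportSvc obj= 'CORP\svc_reports$' password= ''
#
# Virtual account: nothing to create in the directory; the service runs as
# NT SERVICE\<service name> and accesses the network as the computer account.
#   sc.exe config ReportSvc obj= 'NT SERVICE\ReportSvc'
```

The inventory function takes a remote computer name, so the same report can be collected from each member server and kept as a baseline; a service that changes from a built-in or virtual account to a domain user account between two runs is a configuration change worth explaining.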

Group Accounts
Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.

Group Accounts
When a user logs on, an access token is created that identifies the user and all of the user's group memberships. This access token is used to verify a user's permissions when the user attempts to access a local or network resource. By using groups, multiple users can be given the same permission level for resources on the network. Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.

Group Types
Distribution groups - Non-security-related groups created for the distribution of information to one or more persons.
Security groups - Security-related groups created for the purpose of granting resource access permissions to multiple users.


Group Nesting
Users can be members of more than one group. Groups can contain other Active Directory objects, such as computers, and other groups. A group containing other groups is called group nesting.

Group Scopes
Global
Domain Local
Universal


Using Global and Domain Local Groups


Global
These groups can include users, computers, and other global groups from the same domain. You can use them to organize users who have similar functions and therefore similar requirements on the network.

Domain local

These groups can include users, computers, and groups from any domain in the forest. They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.

Using Global and Domain Local Groups


Assign users within a domain to global groups.
Add global groups to domain local groups.
Assign permissions to the domain local groups.


Universal Groups
These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest. A universal group can include users, computers, and global groups from any domain in the forest. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

AGUDLP
Microsoft approach to using groups:
Add Accounts to Global groups.
Add those global groups to Universal groups.
Add universal groups to Domain Local groups.
Finally, assign Permissions to the domain local groups.
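The AGUDLP chain above and the earlier A-G-DL-P variant, built end to end in an added PowerShell example that is not part of the course slides: role groups are created with the right scope and category, nested in the prescribed order, and the NTFS permission is granted only to the domain local group, after which the effective membership is resolved through all nesting levels. It assumes the RSAT ActiveDirectory module; the domain, OU, group names, user names alice and bob, and the share path are constructed.

```powershell
# Added example: AGUDLP in practice. Assumes the RSAT ActiveDirectory module;
# domain, OU, groups, users and share path are constructed.
Import-Module ActiveDirectory

$domainDN = 'DC=corp,DC=example,DC=com'
$groupsOU = "OU=Groups,$domainDN"
$share    = 'D:\Shares\Finance'   # constructed folder that will hold the resource
New-Item -ItemType Directory -Path $share -Force | Out-Null

# A -> G: accounts go into a global group that names a role within this domain.
New-ADGroup -Name 'G_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'G_Finance_Staff' -Members 'alice', 'bob'

# G -> U: global groups from any domain in the forest are collected in a universal
# group; its membership is replicated to every global catalog, so keep it to groups.
New-ADGroup -Name 'U_Finance_All' -GroupScope Universal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'U_Finance_All' -Members 'G_Finance_Staff'

# U -> DL: one domain local group per resource and permission level.
New-ADGroup -Name 'DL_FinanceShare_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Members 'U_Finance_All'

# DL -> P: the ACL names only the domain local group, never users or global groups.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CORP\DL_FinanceShare_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify: who actually ends up with Modify on the folder, through every nesting level.
function Get-EffectiveMember([string]$groupName) {
    Get-ADGroupMember -Identity $groupName -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}
Get-EffectiveMember -groupName 'DL_FinanceShare_Modify' | Format-Table -AutoSize
```

A user added to G_Finance_Staff now appears in the effective-member list immediately, but their own access token was built at logon; until they log off and on again, `whoami /groups` on their workstation will not list the new groups, and the folder will still refuse them. That is the token behaviour described under Group Accounts.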

Creating and Managing Groups


Creating and managing groups is usually done with Active Directory Users and Computers.


Group Properties
(Slides 55-56: figures only.)

Working with Default Groups


Account Operators - Can create, modify and delete accounts for users, groups, and computers in all containers and OUs.
Cannot modify the Administrators, Domain Admins, or Enterprise Admins groups.

Administrators - Complete and unrestricted access to the computer or domain controller.
Backup Operators - Can back up and restore all files on the computer.

Working with Default Groups


Guests - Same privileges as members of the Users group.
Disabled by default.

Print Operators - Can manage printers and document queues.
Server Operators - Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.

Working with Default Groups


Users - Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions.
DNSAdmins - Permits administrative access to the DNS server service.


Working with Default Groups


Domain Admins - Can perform administrative tasks on any computer anywhere in the domain.
Domain Computers - Contains all computers.
Used to make computer management easier through group policies.

Domain Controllers - Contains all computers installed in the domain as a domain controller.

Working with Default Groups


Domain Guests - Members include all domain guests.
Domain Users - Members include all domain users.
Used to assign permissions to all users in the domain.

Enterprise Admins - Members have the forest-wide administrative privileges associated with this group, such as the ability to create and delete domains.

Working with Default Groups


Schema Admins - Members can manage and modify the Active Directory schema.
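Several of the default groups listed across these slides (Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Server Operators, Backup Operators, Print Operators, DNSAdmins) grant administrative power by membership alone, so their membership is worth reporting on and watching for change. The following added PowerShell example, which is not part of the course slides, resolves each group's recursive membership and compares it against the previous run's baseline. It assumes the RSAT ActiveDirectory module; the baseline file path is constructed.

```powershell
# Added example: report and diff membership of the default administrative groups.
# Assumes the RSAT ActiveDirectory module; the baseline path is constructed.
Import-Module ActiveDirectory

$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Account Operators', 'Server Operators', 'Backup Operators',
                    'Print Operators', 'DNSAdmins'

function Get-PrivilegedGroupReport {
    foreach ($name in $privilegedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # and DNSAdmins only where the DNS role is installed; skip what is absent here.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups, so an account that reaches Domain Admins
        # through two levels of nesting is still listed.
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group  = $name
                Member = $_.SamAccountName
                Type   = $_.objectClass
            }
        }
    }
}

$baselinePath = 'C:\Audit\privileged-groups.csv'   # constructed
New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null

$current = Get-PrivilegedGroupReport

if (Test-Path $baselinePath) {
    $baseline = Import-Csv -Path $baselinePath
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Group, Member |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning "$change : $($_.Member) in $($_.Group)"
        }
}

$current | Sort-Object Group, Member | Format-Table -AutoSize
$current | Export-Csv -Path $baselinePath -NoTypeInformation   # becomes next run's baseline
```

Account Operators and Server Operators deserve the same attention as Domain Admins in this report: the slides note that Account Operators can create and modify accounts in every OU, and Server Operators can log on to servers interactively and start and stop services, so either group is effectively administrative.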


Special Identity Groups and Local Groups


Authenticated Users - Used to allow controlled access to resources throughout the forest or domain.
Everyone - Used to provide access to resources for all users and guests.
Assigning this group to resources is not recommended.


Group Implementation Plan


A plan that states who has the ability and responsibility to create, delete, and manage groups.
A policy that states how domain local, global, and universal groups are to be used.
A policy that states guidelines for creating new groups and deleting old groups.
A naming standards document to keep group names consistent.
A standard for group nesting.

Creating Users and Groups


Active Directory Users and Computers.
Batch files.
Comma-Separated Value Directory Exchange (CSVDE).
LDAP Data Interchange Format Directory Exchange (LDIFDE).
Windows Script Host (WSH).
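Bulk creation with the command-line methods listed above, as an added PowerShell example that is not part of the course slides. It creates users from a CSV with the ActiveDirectory module, then imports a user with CSVDE and a group with LDIFDE; the sample CSV rows, the LDIF record, the OU, user and group names and the UPN suffix are all constructed. It assumes the RSAT ActiveDirectory module and the csvde and ldifde tools.

```powershell
# Added example: bulk creation via CSV, CSVDE and LDIFDE.
# Assumes the RSAT ActiveDirectory module; input data and names are constructed.
Import-Module ActiveDirectory

$ou     = 'OU=NewHires,DC=corp,DC=example,DC=com'
$suffix = 'corp.example.com'

# --- Method 1: CSV + New-ADUser (in practice: Import-Csv .\newhires.csv) ---
$csvText = @'
SamAccountName,GivenName,Surname,Department
asmith,Anna,Smith,Finance
bjones,Ben,Jones,IT
'@
$users = $csvText | ConvertFrom-Csv

function New-InitialPassword {
    $chars = (48..57) + (65..90) + (97..122)
    ConvertTo-SecureString (-join ($chars | Get-Random -Count 20 | ForEach-Object { [char]$_ })) -AsPlainText -Force
}

foreach ($u in $users) {
    # Idempotent: re-running the import must not fail on accounts that already exist.
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipped"; continue
    }
    New-ADUser -Name "$($u.GivenName) $($u.Surname)" -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$suffix" -GivenName $u.GivenName `
        -Surname $u.Surname -Department $u.Department -Path $ou `
        -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true
}

# --- Method 2: CSVDE. It cannot set passwords, so the account is imported disabled
# (userAccountControl 514 = normal account + disabled) and enabled once a password is set.
$csvdeFile = Join-Path $env:TEMP 'newhires-csvde.csv'
@"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=Carl Diaz,$ou",user,cdiaz,cdiaz@$suffix,Carl,Diaz,Carl Diaz,514
"@ | Set-Content -Path $csvdeFile -Encoding ASCII
csvde -i -f $csvdeFile -k        # -i import, -f file, -k continue on "already exists" errors
Set-ADAccountPassword -Identity 'cdiaz' -Reset -NewPassword (New-InitialPassword)
Set-ADUser -Identity 'cdiaz' -ChangePasswordAtLogon $true
Enable-ADAccount -Identity 'cdiaz'

# --- Method 3: LDIFDE. One LDIF record per object; groupType -2147483646 is a
# global security group (0x80000002 as a signed 32-bit value).
$ldifFile = Join-Path $env:TEMP 'newgroup.ldf'
@"
dn: CN=G_NewHires,OU=Groups,DC=corp,DC=example,DC=com
changetype: add
objectClass: group
sAMAccountName: G_NewHires
groupType: -2147483646

"@ | Set-Content -Path $ldifFile -Encoding ASCII
ldifde -i -f $ldifFile -k
```

The CSVDE path shows why the module route is usually preferred for users: CSVDE and LDIFDE can create the object but not give it a password, so the import has to be followed by a reset-and-enable step, whereas New-ADUser does all of it in one call and can force the change at next logon.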

Summary
When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.
Delegation of administrative tasks should be a consideration in your plan. Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

Summary
Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

Summary
Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

Summary
Three types of user accounts exist in Windows Server 2008:
Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.

Summary
The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008.
It can be renamed, but it cannot be deleted.

The Guest account is a built-in account used to assign temporary access to resources.
It can be renamed, but it cannot be deleted. This account is disabled by default and the password can be left blank.

Summary
Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal). Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.

Summary
Global groups are used to organize domain users according to their resource access needs.
Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.


Summary
Universal groups are used to provide access to resources anywhere in the forest.
Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

Summary
The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.


Summary
Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments. Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.
