Organizational Units
Can be created to represent your company's functional or geographical model. Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators. Can be used to apply consistent configuration to client computers, users and member servers.
Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site. Delegating authority at a domain level affects the entire domain. Delegating authority at the OU level affects only that OU and its hierarchy.
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.
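The slides point out that what the wizard grants can only be verified or removed afterwards through the container's Security tab. The following PowerShell, added here and not part of the course material, does the same review from the command line: it lists the explicit (non-inherited) ACEs on an OU, filters out the trustees that appear on every new OU, and shows how to strip a delegated trustee's entries. It assumes the ActiveDirectory RSAT module (which provides the AD: drive); the OU name, the trustee and the default-trustee list are placeholders and a heuristic, not an authoritative list.

```powershell
# Added example, not from the course slides: review and remove delegated permissions on an OU.
# Assumptions: ActiveDirectory module loaded (creates the AD: drive); $ouDN and $trustee are
# placeholders; $defaultTrustees is a heuristic list of entries present on every new OU.
Import-Module ActiveDirectory

$ouDN    = 'OU=Branch Office,DC=example,DC=com'   # placeholder OU
$trustee = 'EXAMPLE\BranchHelpdesk'               # placeholder delegated group

$netbios = (Get-ADDomain).NetBIOSName
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

$acl = Get-Acl -Path "AD:\$ouDN"

# Explicit ACEs held by anyone outside the default set are the delegations to review.
# ObjectType is the schema GUID of the attribute or class the wizard scoped the right to.
$delegated = $acl.Access | Where-Object {
    -not $_.IsInherited -and ($_.IdentityReference.Value -notin $defaultTrustees)
}
$delegated |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType |
    Format-Table -AutoSize

# Removing a delegation: drop the trustee's explicit ACEs from the in-memory ACL, then write it back.
$toRemove = $acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $trustee
}
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
# Set-Acl -Path "AD:\$ouDN" -AclObject $acl    # uncomment after reviewing $toRemove
```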
Group Policy
One of the biggest reasons to use OUs is for the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings. Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU. Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
Accidental Deletion
Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common: Leaf-node deletion is when a user selects and deletes a leaf object. Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).
To protect objects from accidental deletion:
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
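Because only OUs get the protection by default, an administrator usually wants to find the OUs where the check box was cleared and the other object types that were never protected. The script below is an added example, not from the course slides; it assumes the ActiveDirectory RSAT module, a placeholder search base, and rights to modify the OUs' security descriptors.

```powershell
# Added example, not from the course slides: audit and enable "Protect from accidental deletion".
# Assumptions: ActiveDirectory module loaded; $searchBase and the final identity are placeholders.
Import-Module ActiveDirectory

$searchBase = 'DC=example,DC=com'   # placeholder domain DN

# ProtectedFromAccidentalDeletion is a cmdlet-level property derived from the
# Deny Delete / Delete Subtree ACEs for Everyone; it must be requested explicitly.
$unprotectedOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

$unprotectedOUs | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Turn the protection on; this is the same setting as the check box in ADUC.
$unprotectedOUs | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Users, groups and computers are not protected by default. List the unprotected ones
# so that critical objects (service accounts, privileged groups) can be protected by hand.
# (objectClass=user) also matches computer objects, since computer is a subclass of user.
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' `
        -SearchBase $searchBase -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# Protect a single critical object explicitly (placeholder DN):
# Set-ADObject -Identity 'CN=svc-backup,OU=Service Accounts,DC=example,DC=com' `
#     -ProtectedFromAccidentalDeletion $true
```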
Default Containers
When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created:
Builtin, Computers, Domain Controllers, Foreign Security Principals, LostAndFound, NTDS Quotas, Program Data, System, Users.
Default containers are automatically created and cannot be deleted. The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO. The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.
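The move-then-link procedure above, as an added example that is not part of the course slides: computers still sitting in the default Computers container are moved into a new OU (the PowerShell equivalent of the dsmove step mentioned later in the summary) and a GPO is linked to that OU. It assumes the ActiveDirectory and GroupPolicy modules, that a GPO named 'Workstation Baseline' already exists, and that the OU name is a placeholder.

```powershell
# Added example, not from the course slides: move computers out of CN=Computers into an OU
# and link a GPO there, because GPOs cannot be linked to the default containers.
# Assumptions: ActiveDirectory and GroupPolicy modules loaded; $ouName and the GPO name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'                 # placeholder
$targetOU = "OU=$ouName,$domainDN"

# Create the OU if it is missing (new OUs are protected from accidental deletion by default).
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
    -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Move every computer that still sits directly in the default Computers container.
$computers = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel
$computers | Move-ADObject -TargetPath $targetOU

# Link the existing GPO; its settings now reach the moved computers through OU inheritance.
New-GPLink -Name 'Workstation Baseline' -Target $targetOU -LinkEnabled Yes

# Verify: nothing left in the default container, and the link is present and enabled.
(Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel).Count
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object DisplayName, Enabled, Order
```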
Local Accounts
Used to access the local computer only and are stored in the local Security Account Manager (SAM) database on the computer where they reside. Never replicated to other computers, nor do these accounts have domain access.
Domain Accounts
Accounts used to access Active Directory or network-based resources, such as shared folders or printers. Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain. A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
MCST 2015 - Administering the Active Directory 21
Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller.
Group Accounts
Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
When a user logs on, an access token is created that identifies the user and all of the user's group memberships. This access token is used to verify a user's permissions when the user attempts to access a local or network resource. By using groups, multiple users can be given the same permission level for resources on the network. Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
Group Types
Distribution groups - Non-security-related groups created for the distribution of information to one or more persons. Security groups - Security-related groups created for the purpose of granting resource access permissions to multiple users.
Group Nesting
Users can be members of more than one group. Groups can contain other Active Directory objects, such as computers, and other groups. A group that contains other groups is an example of group nesting.
Group Scopes
Global, Domain Local, Universal.
Domain Local Groups
These groups can include users, computers, and groups from any domain in the forest. They are most often utilized to grant permissions for local resources and may be used to provide access to any resource in the domain in which they are located.
Universal Groups
These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest. A universal group can include users, computers, and global groups from any domain in the forest. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
AGUDLP
Microsoft approach to using groups:
Add Accounts to Global groups. Add those Global groups to Universal groups. Add Universal groups to Domain Local groups. Finally, assign Permissions to the Domain Local groups.
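The AGUDLP chain carried through in PowerShell for one shared folder, as an added example that is not part of the course slides: a global group collects the accounts, a universal group collects the global group, a domain local group named after the resource and permission level collects the universal group, and only that domain local group is placed on the folder's ACL. It assumes the ActiveDirectory module, an existing Groups OU, a folder on the local file server, and placeholder group and user names.

```powershell
# Added example, not from the course slides: implement AGUDLP for a shared folder.
# Assumptions: ActiveDirectory module loaded; $ouPath, $share, group names and the
# sAMAccountNames 'alice' and 'bob' are placeholders.
Import-Module ActiveDirectory

$ouPath  = 'OU=Groups,DC=example,DC=com'   # placeholder OU that already exists
$share   = 'D:\Shares\Finance'             # placeholder folder on this file server
$netbios = (Get-ADDomain).NetBIOSName

# A -> G: accounts go into a global group organised by role.
$global = New-ADGroup -Name 'G-Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path $ouPath -PassThru
Add-ADGroupMember -Identity $global -Members 'alice', 'bob'

# G -> U: the global group goes into a universal group. Universal membership replicates to
# every global catalog, so keep groups, not individual users, in it.
$universal = New-ADGroup -Name 'U-Finance-Users' -GroupScope Universal -GroupCategory Security `
    -Path $ouPath -PassThru
Add-ADGroupMember -Identity $universal -Members $global

# U -> DL: the universal group goes into a domain local group named for resource + permission level.
$domainLocal = New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $ouPath -PassThru
Add-ADGroupMember -Identity $domainLocal -Members $universal

# P: the permission is assigned to the domain local group only, never to users directly.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$($domainLocal.SamAccountName)",
    'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify the chain: recursive membership of the domain local group should resolve to the users.
Get-ADGroupMember -Identity $domainLocal -Recursive | Select-Object SamAccountName, objectClass
```

Users added to G-Finance-Users only pick up the new SIDs in their access token at their next logon, as the Group Accounts section explains.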
Administrators - Complete and unrestricted access to the computer or domain controller. Backup Operators - Can back up and restore all files on the computer.
Print Operators - Can manage printers and document queues. Server Operators - Can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time.
Domain Controllers - Contains all computers installed in the domain as a domain controller.
Enterprise Admins - Members hold the global administrative privileges associated with this group, such as the ability to create and delete domains.
Summary
When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.
Delegation of administrative tasks should be a consideration in your plan. Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.
Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.
Three types of user accounts exist in Windows Server 2008:
Local user accounts reside on a local computer and are not replicated to other computers by Active Directory. Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain. Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008.
It can be renamed, but it cannot be deleted.
The Guest account is a built-in account used to assign temporary access to resources.
It can be renamed, but it cannot be deleted. This account is disabled by default and the password can be left blank.
Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal). Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
Global groups are used to organize domain users according to their resource access needs.
Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
Universal groups are used to provide access to resources anywhere in the forest.
Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.
Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments. Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.