DPW © 2005-2010
DPW © Donna Warren
WINDOWS SERVER 2008

Introduction to Active Directory
UNIT 2


Topics for this Unit

• Directory Services
• Active Directory
• Forests
• Domains
• Organizational Units
• Groups
• AD features
• Sites
• Accounts


Directory Service

• A directory service is a listing of the resources — hardware, software, and human — that are available on the network
• The primary uses of a directory service are user authentication and resource authorization
  – Authentication is the process of verifying a user’s identity
  – Authorization is the process of granting the user access only to the resources he or she is permitted to use


Active Directory

• Is based on Banyan Vines StreetTalk, which was designed in the late 1970s to be used on a global scale and uses the internet Uniform Resource Locator (URL) system to identify users and resources
• Both Microsoft and Novell adopted (read: stole) parts of StreetTalk and incorporated them into their directory services
• Finally, Microsoft licensed StreetTalk, renamed it Active Directory and introduced it in Windows 2000 Server


Domain

• A domain is a security boundary
• Each domain is hosted on a separate server called a domain controller
• Each domain has independent administration


Active Directory Objects

• An Active Directory domain is a tree structure
• Everything in Active Directory is an object
• There are two basic classes of objects
  – Container object - one that can hold other objects in it
    • Domain
    • Group
    • Folder
  – Leaf object - one that cannot hold other objects
    • User
    • Printer
    • File


Active Directory Attributes

• Information stored about an object
  – User - name, phone number, etc.
  – File - size, name, location, etc.
• Some attributes are created automatically, such as the globally unique identifier (GUID) that the domain controller assigns to each object when it creates it


Schema

• Database design, structure and relationship definitions
• Defines the objects stored within Active Directory and the properties (attributes) associated with each object
• The nature and function of an object determine what are reasonable properties


Organizational Unit (OU)

• A container object that exists within a domain
• OUs can contain other OUs, as well as leaf objects
• You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed
• However, an OU is still part of the domain and still inherits policies and permissions from its parent objects


Groups

• Security groups - use security groups to assign permissions and user rights to objects
  – Domain local groups - assign permissions to resources in the same domain
  – Global groups - used to organize users who share similar network access requirements
  – Universal groups - used to assign permissions to related resources in multiple domains
• Distribution groups - applications use distribution groups for non-security-related functions, such as sending email messages to multiple recipients


Forest

• Consists of one or more separate domain trees
• Domain trees in the same forest have two-way trust relationships between them, just as two domains in the same tree do
• When you create the first domain on an Active Directory network, that first domain becomes the forest root domain


Other Features

• Global Catalog
  – List of all objects in the forest, along with a subset of each object’s attributes
  – The forest root domain controller becomes the default global catalog server
• Functional levels - exist to allow backward compatibility
• Lightweight Directory Access Protocol (LDAP) - standard communications protocol for directory service products, including Active Directory
• Replication - database replicated to all domain controllers
• Read-only domain controllers


Sites

• The physical design of the network
• Typically each site is a LAN
• Sites are normally connected by WAN links called site links
• Most sites also contain multiple subnets


Active Directory Users and Groups


Definitions

• User - individual granted access to the system, with the following user properties
  – Groups associated with the user
  – Profile path
  – Login script
  – Home directory
• Groups - logical collection of users
• Accounts - logical construct containing all information that defines a user to the Windows Server 2008 environment


Definitions

• Resources - all equipment attached to the workstation or network
• Home Directories - dedicated locations on a file server for a specific user to store files
• Policy - a set of configurations that allows an administrator to restrict a user’s access and rights
• Profile - file containing a user’s environmental settings and preferences


User Domain Accounts

• Accounts used to access Active Directory or network-based resources, such as shared folders or printers
• Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain
• A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest


User/Group Name Rules

• The name must be unique to the domain
• The username cannot be the same as a group name
• The name may be up to 20 characters, upper or lowercase or a combination of both


User/Group Name Rules

• To avoid confusion with special syntax characters, names may not include any of the following:
  " / \ [ ] : ; | = , + * ? < >
• The name may include spaces and periods, but may not consist entirely of spaces or periods

NOTE: Names including spaces have to be enclosed in quotes for both scripting and command-line use. It is better to avoid using spaces.
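The naming rules on the two slides above, written out as a checker. This is an added example, not code from the original slides; the existing user and group names it checks against are constructed sample data for a hypothetical domain.

```python
# Added example, not from the original slides: a checker for the user/group
# naming rules above. The existing names are constructed sample data.
INVALID_CHARS = set('"/\\[]:;|=,+*?<>')  # the characters listed on the slide
MAX_LEN = 20

# Constructed sample contents of a hypothetical domain.
EXISTING_USERS = {"jdoe", "asmith"}
EXISTING_GROUPS = {"Sales", "Domain Users"}


def check_name(name: str) -> list[str]:
    """Return the naming rules a proposed user or group name violates.

    An empty list means the name is acceptable. Uniqueness is checked against
    both users and groups, because a user name may not equal a group name, and
    case-insensitively, because the rules allow any mix of upper and lower case.
    """
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("contains invalid characters: " + " ".join(bad))
    if all(ch in " ." for ch in name):  # also true for the empty string
        problems.append("consists entirely of spaces or periods")
    known = {n.lower() for n in EXISTING_USERS | EXISTING_GROUPS}
    if name.lower() in known:
        problems.append("already used as a user or group name in the domain")
    return problems


def needs_quoting(name: str) -> bool:
    """True when the name contains spaces and must be quoted on a command line."""
    return " " in name
```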


Accounts

• User and group accounts are managed using the Active Directory Users and Computers snap-in or the Computer Management snap-in
• Account operations
  – Copy
  – Delete
  – Disable
  – Rename


User Account Options

• User Must Change Password at Next Logon - forces the user to change their password the next time they log on; afterward the box is cleared automatically
• User Cannot Change Password - if checked, prevents the user from changing the account’s password


User Account Options

• Password Never Expires - if checked, the user account ignores the password expiration policy, and the password for the account never expires
• Account Is Disabled - if checked, the account is disabled and no one can log on to it until it is enabled (it is not, however, removed from the database)


Built-in User Accounts

• Automatically created during the install
• Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller
• When you install a domain controller, the ability to create and manipulate local accounts is disabled
• By default, two built-in user accounts are created on a Windows Server 2008 computer
  – Administrator account
  – Guest account


Administrator

• Full control of the computer, domain or forest, depending on the context
• Used to establish the administrative structure and create other accounts
• Should be renamed
• Should be secured with a complex password
• Can be disabled, but cannot be deleted
• Should not be used for everyday user tasks


Guest Account

• Designed to allow temporary access to the network
• Disabled by default, but cannot be deleted
• Should be secured with a complex password if enabled


Authentication

[Diagram: the Active Directory authentication process, in which the user is authenticated by Active Directory and receives an access token that is then used when accessing resources]

Access token contents:
• User identification
• Group memberships
• Privileges assigned to user (also named system rights)


Access Tokens

• When a user logs on, an access token is created that identifies the user and all of the user’s group memberships
• This access token is used to verify a user’s permissions when the user attempts to access a local or network resource
• By using groups, multiple users can be given the same permission level for resources on the network
• Since a user’s access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect


Group Nesting

• Users can be members of more than one group
• Groups can contain other Active Directory objects, such as computers and other groups
• Placing groups inside other groups is called group nesting


Domain Local Groups

• Valid members - user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain
• Used to assign permissions to resources in the local domain
• Once you assign permissions to this group, you can use it to grant those permissions to other groups or users


Global Groups

• Valid members - user accounts, computer accounts, and other global groups
• Used primarily to organize users
• Users are typically assigned to global groups based on job role, task, or title
• You can use them to organize users who have similar functions and therefore similar requirements on the network


Universal Groups

• Valid members - user accounts, computer accounts, global or universal groups
• Used to organize users or groups of users in global groups
• Larger organizations typically use universal groups to group accounts from different domains
• Changes to universal group membership lists are replicated to all global catalog servers throughout the forest


Default Groups

• Built-in security groups
  – Pre-defined permissions: Administrators, Backup Operators, Guests, Power Users, Remote Desktop, Network Configuration and Users
  – Placed in the Built-in and Users containers by default
• Groups are sometimes added when services are installed, such as:
  – DHCP Admins and DHCP Users
  – DNS Admins and DNS UpdateProxy


Special Identity Groups

• Anonymous Logon - no user id or password required
• Everyone - means everyone
• Authenticated Users - logged on with a valid user id and password
• Interactive - currently logged on to the local computer
• Network - all currently connected network users


Group Scope


AGUDLP

• Microsoft’s approach to using groups:
  – Add Accounts to Global groups
  – Add those global groups to Universal groups
  – Add universal groups to Domain Local groups
  – Finally, assign Permissions to the domain local groups
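A small model of the AGUDLP chain above together with the logon-time access token from the Access Tokens slide: group scopes only accept the member kinds the Domain Local, Global and Universal Groups slides list, permissions are granted to the domain local group, and a token is a snapshot taken at logon, so a membership added afterwards is not seen until the next logon. This is an added example, not code from the original slides; the group, user and share names are constructed sample data for a hypothetical single domain.

```python
# Added example, not from the original slides. All names are constructed sample
# data for a hypothetical single domain; cross-domain rules are not modeled.
GROUP_SCOPE = {"G-Sales": "global", "U-AllSales": "universal",
               "DL-SalesShare-Read": "domain local"}
# Group scopes each scope may contain, from the Valid members slides
# (user accounts are always valid members).
ALLOWED_MEMBER_SCOPES = {
    "global": {"global"},
    "universal": {"global", "universal"},
    "domain local": {"global", "universal", "domain local"},
}
# group -> direct members, wired up AGUDLP style: account -> G -> U -> DL
MEMBERS = {"G-Sales": {"jdoe"}, "U-AllSales": {"G-Sales"},
           "DL-SalesShare-Read": {"U-AllSales"}}
# resource -> groups granted permission (only the domain local group)
PERMISSIONS = {"\\\\fs1\\sales": {"DL-SalesShare-Read"}}


def add_member(group: str, member: str) -> bool:
    """Add a member; return False when the nesting violates the scope rules."""
    if member in GROUP_SCOPE and \
            GROUP_SCOPE[member] not in ALLOWED_MEMBER_SCOPES[GROUP_SCOPE[group]]:
        return False
    MEMBERS.setdefault(group, set()).add(member)
    return True


def effective_groups(user: str) -> set[str]:
    """All groups the user belongs to, directly or through group nesting."""
    found: set[str] = set()
    frontier = {user}
    while frontier:
        principal = frontier.pop()
        for group, members in MEMBERS.items():
            if principal in members and group not in found:
                found.add(group)
                frontier.add(group)
    return found


def logon(user: str) -> set[str]:
    """Build the access token: a snapshot of the user's memberships at logon."""
    return {user} | effective_groups(user)


def can_access(token: set[str], resource: str) -> bool:
    """Authorize against the token, not against live group membership."""
    return bool(PERMISSIONS.get(resource, set()) & token)
```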


Default Domain Groups

• Account Operators - can create, modify and delete accounts for users, groups, and computers in all containers and OUs
  – Cannot modify the Administrators, Domain Admins and Enterprise Admins groups
• Administrators - complete and unrestricted access to the computer or domain controller
• Backup Operators - can bypass security and back up and restore all files on the computer


Default Domain Groups

• Guests - same privileges as members of the Users group
  – Disabled by default
• Print Operators - can manage printers and document queues
• Server Operators - can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time


Default Domain Groups

• Users - allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions
• DNSAdmins - permits administrative access to the DNS server service
• Domain Admins - can perform administrative tasks on any computer anywhere in the domain


Default Domain Groups

• Domain Computers - contains all computers and is used to make computer management easier through group policies
• Domain Controllers - contains all computers installed in the domain as a domain controller
• Domain Guests - members include all domain guests
• Domain Users - members include all domain users
  – Used to assign permissions to all users in the domain


Default Domain Groups

• Enterprise Admins - have the global administrative privileges associated with this group, such as the ability to create and delete domains
• Schema Admins - members can manage and modify the Active Directory schema
• Authenticated Users - allow controlled access to resources throughout the forest or domain
• Everyone - allow access to resources to all users and guests


Special Identity Groups

• Authenticated Users - used to allow controlled access to resources throughout the forest or domain
• Everyone - used to provide access to resources for all users and guests
  – It is not recommended to deny this group access to resources


Summary

• AD was created with businesses in mind
• The hierarchical structure allows administrators to provide granular administrative control of each object
• AD allows centralized control of your network, simplifying administration
• AD provides a single logon to your network
• Permissions grant access to resources


Lab 2

• Install Active Directory on Server 1
• Create a child domain on Server 2
• Create administrative accounts, regular users and groups
• Answer Lab 2 questions