DPW © 2005-2010
DPW © Donna Warren
WINDOWS SERVER 2008
Introduction to Active Directory
UNIT 2
Topics for this Unit
• Directory Services
• Active Directory
• Forests
• Domains
• Organizational Units
• Groups
• AD features
• Sites
• Accounts
Directory Service
• A directory service is a listing of the resources (hardware, software, and human) that are available on the network
• The primary uses of a directory service are user authentication and resource authorization
  – Authentication is the process of verifying a user's identity
  – Authorization is the process of granting the user access only to the resources he or she is permitted to use
Active Directory
• Microsoft's directory service, introduced with Windows 2000 Server and extended in Windows Server 2003 and 2008
• Builds on earlier directory designs, in particular the X.500 data model and Banyan VINES StreetTalk (both from the 1980s); Microsoft and Novell each borrowed ideas from StreetTalk for their own directory products rather than licensing it
• Uses Internet naming rather than a proprietary scheme: domains are named and located through DNS, objects are addressed by LDAP distinguished names, and users can log on with a DNS-style user principal name (UPN) such as user@domain
Domain
• A domain is an administrative boundary: it has its own account database, its own password policy and its own administrators
• Each domain is hosted on one or more servers called domain controllers; a domain controller belongs to exactly one domain, and a production domain should have at least two
• Each domain has independent administration, but not independent security: every domain in a forest trusts every other one, and the forest root's Enterprise Admins have authority in all of them, so the forest (not the domain) is the real security boundary
Active Directory Objects
• An Active Directory domain is a tree structure
• Everything in Active Directory is an object
• There are two basic classes of objects
  – container object: one that can hold other objects in it
    • Domain
    • Organizational unit (OU)
    • Container (for example the default Users and Computers containers)
  – leaf object: cannot hold other objects
    • User
    • Computer
    • Group (its member attribute lists other objects, but it does not contain them in the tree)
    • Printer and shared folder (published references to resources that live on print and file servers, not the files themselves)
Active Directory Attributes
• Information stored about an object
  – User: name, phone number, etc.
  – Computer: DNS host name, operating system, etc.
• Some attributes are created automatically, such as the globally unique identifier (objectGUID) that the domain controller assigns to each object when it creates it
  – The GUID never changes, even if the object is renamed or moved, so scripts and audit trails should track objects by GUID (or by SID for security principals) rather than by name
Schema
• Database design, structure and relationship definitions
• Defines the object classes stored within Active Directory and the properties (attributes) associated with each class
• The nature and function of an object determine what are reasonable properties
• The schema is shared by the whole forest, so a change (for example the extension made when Exchange is installed) affects every domain and cannot be rolled back: classes and attributes can be deactivated but never deleted
Organizational Unit (OU)
• A container object that exists within a domain
• OUs can contain other OUs, as well as leaf objects
• You can apply separate Group Policy to an OU, and delegate the administration of an OU as needed
• However, an OU is still part of the domain and still inherits policies and permissions from its parent objects
Groups
• Security groups: use security groups to assign permissions and user rights to objects; a security group has a SID and can therefore appear in an access control list
  – Domain local groups: assign permissions to resources in the same domain
  – Global groups: used to organize users who share similar network access requirements
  – Universal groups: used to assign permissions to related resources in multiple domains
• Distribution groups: applications use distribution groups for non-security-related functions, such as sending email messages to multiple recipients; a distribution group has no SID and cannot be granted permissions
Forest
• Consists of one or more separate domain trees that share one schema, one configuration partition and one global catalog
• The root domains of the trees are joined by two-way transitive trusts, so any domain in the forest trusts any other, just as two domains in the same tree do
• When you create the first domain on an Active Directory network, that first domain becomes the forest root domain; it cannot be removed from that role, and it is the domain that holds the Enterprise Admins and Schema Admins groups
Other Features
• Global Catalog
  – List of all objects in the forest, along with a subset of each object's attributes (the partial attribute set)
  – The first domain controller in the forest root domain becomes the first global catalog server; any domain controller can be made one afterwards
  – In a multi-domain forest a reachable global catalog (or universal group membership caching) is needed for users to log on, because universal group membership is stored only in the global catalog
• Functional levels: exist to allow backward compatibility with older domain controllers; raising a level enables new features and cannot normally be undone
• Lightweight Directory Access Protocol (LDAP): standard communications protocol for directory service products, including Active Directory (TCP 389, or 3268 for the global catalog; 636 and 3269 for LDAP over SSL)
• Replication: the domain partition is replicated to every domain controller in the domain; the schema and configuration partitions to every domain controller in the forest
• Read-only domain controllers (RODCs): hold a read-only copy of the database and, by default, no passwords, for branch offices where a domain controller cannot be physically secured
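The difference between a global catalog search and an ordinary LDAP search is easiest to see by running both. The script below is an added example, not code from the original slides: it uses only System.DirectoryServices (present on any domain-joined Windows host with PowerShell 3.0 or later, no ActiveDirectory module needed), reads the forest root and schema locations from RootDSE, and checks the schema to tell whether an attribute is in the partial attribute set before you trust a GC answer. The account name jdoe and the attribute department in the usage lines are placeholders.

```powershell
# Added example, not part of the original slides. Needs a domain-joined
# Windows host and PowerShell 3.0+; 'jdoe' and 'department' are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Test-AttributeInGlobalCatalog {
    # Asks the schema whether an attribute is in the partial attribute set,
    # i.e. whether a GC search can ever return it for objects in other domains
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$s.PropertiesToLoad.Add('isMemberOfPartialAttributeSet')
    $r = $s.FindOne()
    if (-not $r) { throw "No attribute named $LdapDisplayName in the schema" }
    # An absent value means FALSE: the attribute is not replicated to global catalogs
    [bool]($r.Properties['ismemberofpartialattributeset'] -contains $true)
}

function Find-UserAcrossForest {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string[]]$Attributes = @('distinguishedName', 'sAMAccountName', 'mail', 'department')
    )
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $forestRoot = [string]$rootDse.rootDomainNamingContext

    # RFC 4515 escaping so that user-supplied input cannot widen the filter
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # GC:// binds to port 3268 and searches every domain in the forest (read-only);
    # LDAP:// on port 389 would only see this domain's partition
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestRoot")
    $s.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $s.SearchScope = 'Subtree'
    $s.PropertiesToLoad.AddRange($Attributes)

    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{ Path = $r.Path }
        foreach ($a in $Attributes) {
            $v = $r.Properties[$a.ToLower()]
            # Empty here can mean "not set" OR "not in the partial attribute set";
            # re-read the object over LDAP:// in its own domain to tell them apart
            $o[$a] = if ($v.Count -gt 0) { $v[0] } else { $null }
        }
        [pscustomobject]$o
    }
}

# Usage (placeholders): is 'department' replicated to the GC, and where is jdoe?
Test-AttributeInGlobalCatalog -LdapDisplayName 'department'
Find-UserAcrossForest -SamAccountName 'jdoe'
```

Running Test-AttributeInGlobalCatalog first matters: a GC search that returns an empty value for an attribute outside the partial attribute set is not evidence that the attribute is empty, only that this replica does not carry it.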
Sites
• The physical design of the network, defined as one or more IP subnets with fast, reliable connectivity between them
• Typically each site is a LAN
• Sites are normally connected by WAN links, which are represented in Active Directory as site links
• Most sites contain multiple subnets; Active Directory maps a client's IP address to a site so that the client authenticates against, and domain controllers replicate with, nearby servers first
Active Directory Users and Groups
Definitions
• User: an individual granted access to the system, with the following user properties
  – Groups associated with the user
  – Profile path
  – Logon script
  – Home directory
• Groups: a logical collection of users
• Accounts: a logical construct containing all the information that defines a user to the Windows Server 2008 environment
Definitions
• Resources - All equipment attached to
the workstation or network
• Home Directories - dedicated locations
on a file server for a specific user to
store files
• Policy - a set of configurations that
allows an administrator to restrict a
user’s access and rights
• Profile - file containing a user’s
environmental settings and preferences
User Domain Accounts
• Accounts used to access Active Directory
or network-based resources, such as
shared folders or printers
• Account information for these users is
stored in the Active Directory database and
replicated to all domain controllers within
the same domain
• A subset of the domain user account
information is replicated to the global
catalog, which is then replicated to other
global catalog servers throughout the forest
User/Group Name Rules
• The name must be unique in the domain
• A user name cannot be the same as a group (or computer) name, because users, groups and computers share one namespace of security principals
• The pre-Windows 2000 logon name (sAMAccountName) may be up to 20 characters, upper or lowercase or a combination of both; it is not case sensitive, so JDoe and jdoe are the same account
User/Group Name Rules
• To avoid confusion with special syntax characters, names may not include any of the following:
  " / \ [ ] : ; | = , + * ? < >
• The name may include spaces and periods, but may not consist entirely of spaces or periods
NOTE: Names including spaces have to be enclosed in quotes for both scripting and command-line use. It is better to avoid using spaces.
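The naming rules on the two slides above can be checked before an account is created. The function below is an added example, not part of the original slides: it applies the 20-character limit, the illegal-character list and the all-spaces/periods rule to a proposed sAMAccountName, warns about spaces, and can optionally confirm uniqueness against the domain with Get-ADObject (ActiveDirectory module, Windows Server 2008 R2 or RSAT). Because the name goes into an LDAP filter, the characters that are legal in a name but special in a filter are escaped first. The sample names in the usage line are made up.

```powershell
# Added example, not part of the original slides. Pure PowerShell 3.0+;
# the -CheckDomain switch additionally needs the ActiveDirectory module.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: '(' and ')' are legal in a logon name but would
    # break the filter; '*' and '\' are escaped so input can never widen a search
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-SamAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$CheckDomain      # also verify uniqueness in the domain
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # " / \ [ ] : ; | = , + * ? < > are reserved for LDAP and command-line syntax
    $illegal = [char[]]'"/\[]:;|=,+*?<>'
    $found = $Name.ToCharArray() | Where-Object { $illegal -contains $_ } | Sort-Object -Unique
    if ($found) { $problems.Add('contains illegal character(s): ' + (-join $found)) }

    if ($Name.Length -eq 0)      { $problems.Add('is empty') }
    elseif ($Name.Length -gt 20) { $problems.Add("is $($Name.Length) characters long; sAMAccountName is limited to 20") }

    # Spaces and periods are allowed, but a name made only of them is not
    if ($Name.Length -gt 0 -and $Name -match '^[ .]+$') { $problems.Add('consists entirely of spaces and/or periods') }

    if ($Name -match ' ') { $warnings.Add('contains a space; it must be quoted in every script and command line') }

    if ($CheckDomain -and $problems.Count -eq 0) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # sAMAccountName must be unique across users, groups AND computers in the domain
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Name))"
        $clash  = Get-ADObject -LDAPFilter $filter
        if ($clash) { $problems.Add("already used by $($clash.ObjectClass) object $($clash.DistinguishedName)") }
    }

    [pscustomobject]@{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Usage (made-up names): one good name, one with a space, one with an
# illegal character, one too long, and one that is only periods
'jdoe', 'John Doe', 'j*doe', 'averyveryverylongusername2008', '...' |
    ForEach-Object { Test-SamAccountName $_ } | Format-Table -AutoSize
```

Add -CheckDomain when running on a domain-joined administrative host; the escaping step is what keeps a name such as j(doe) from producing a malformed or overly broad LDAP filter.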
Accounts
• Domain user and group accounts are managed with the Active Directory Users and Computers snap-in; local accounts on stand-alone and member servers are managed with the Local Users and Groups node of the Computer Management snap-in
• Account operations
  – Copy (a copied user keeps the template's group memberships and most settings, so review what is inherited)
  – Delete (the SID is lost; a new account with the same name is a different principal and does not regain the old permissions)
  – Disable (preferred over delete for departing staff, because the SID and its permissions are kept for later review)
  – Rename
User Account Options
• User Must Change Password at Next Logon: forces the user to change the password the next time he or she logs on; the box clears itself once that has happened
• User Cannot Change Password: if checked, prevents the user from changing the account's password (implemented as deny entries for the Change Password right in the user object's permissions, so it is visible on the object's Security tab as well)
• Password Never Expires: if checked, the user account ignores the password expiration policy, and the password for the account never expires; it is usually set on service accounts, which is why such accounts need regular review
• Account Is Disabled: if checked, the account is disabled and no one can log on to it until it is enabled (it is not, however, removed from the database)
Built-in User Accounts
• Automatically created during the install
• Built-in user accounts can be local accounts
or domain accounts, depending on whether
the server is configured as a standalone
server or a domain controller
• When you install a domain controller, the
ability to create and manipulate local
accounts is disabled
• By default, two built-in user accounts are
created on a Windows Server 2008 computer
– Administrator account
– Guest account
Administrator
• Full control of the computer, domain or forest, depending on the context
• Used to establish the administrative structure and create other accounts
• Should be renamed, though this only defeats casual guessing: the account's SID always ends in relative ID 500, so anyone who can read the directory can still find it
• Should be secured with a complex password
• Can be disabled, but cannot be deleted; even when disabled it can still be used to log on in Safe Mode
• Should not be used for everyday user tasks
Guest Account
• Designed to allow temporary access to the network for people without an account of their own
• Disabled by default, but cannot be deleted; its SID always ends in relative ID 501
• Should be secured with a complex password if enabled, and is better left disabled: whatever the Guest account can reach is reachable by anyone who knows the shared password
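The two built-in accounts and the account options from the previous slides are the usual first stop in a domain review. The script below is an added example, not part of the original slides: it needs the ActiveDirectory module (Windows Server 2008 R2 or RSAT). It finds Administrator and Guest by relative ID 500 and 501 regardless of what they have been renamed to, lists enabled users whose options bypass the password policy, and offers a remediation function that honours -WhatIf. Nothing is changed unless Set-AccountPasswordOptions is run without -WhatIf.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory
# module; the first two functions only read, the third writes (use -WhatIf first).
Import-Module ActiveDirectory

function Get-BuiltInAccountStatus {
    # The built-in Administrator and Guest keep RIDs 500 and 501 no matter
    # what they are renamed to, so look them up by SID rather than by name
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($rid in 500, 501) {
        $expected = if ($rid -eq 500) { 'Administrator' } else { 'Guest' }
        $u = Get-ADUser -Identity "$domainSid-$rid" -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate
        [pscustomobject]@{
            Rid                  = $rid
            BuiltInRole          = $expected
            CurrentName          = $u.SamAccountName
            Renamed              = ($u.SamAccountName -ne $expected)
            Enabled              = $u.Enabled
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordLastSet      = $u.PasswordLastSet
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

function Get-RiskyPasswordOptions {
    # Enabled users whose account options sidestep the domain password policy.
    # CannotChangePassword is derived from the object's ACL, so it costs extra reads.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordNotRequired, CannotChangePassword, PasswordLastSet |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired -or $_.CannotChangePassword } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, CannotChangePassword, PasswordLastSet
}

function Set-AccountPasswordOptions {
    # Clears "Password never expires" and then forces a change at next logon.
    # Two calls, because the change-at-logon flag is refused while the
    # never-expires flag is still set.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'clear PasswordNeverExpires and require a password change at next logon')) {
            Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        }
    }
}

# Usage
Get-BuiltInAccountStatus | Format-Table -AutoSize
Get-RiskyPasswordOptions | Format-Table -AutoSize
# Preview the fix for every never-expiring user before applying it:
Get-RiskyPasswordOptions | Where-Object PasswordNeverExpires | Set-AccountPasswordOptions -WhatIf
```

Service accounts will legitimately appear in the Get-RiskyPasswordOptions output; the point of the report is to make each such exception a documented decision rather than an accident.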
Authentication
[Diagram: the Active Directory authentication process issues an access token to the user, and the token is presented to resources. Token contents: user identification (SID), group memberships (SIDs), privileges assigned to the user (also called user rights)]
Access Tokens
• When a user logs on, an access token is created that identifies the user (by SID) and all of the user's group memberships, nested groups included
• This access token is used to verify a user's permissions when the user attempts to access a local or network resource: the resource's access control list is compared against the SIDs in the token
• By using groups, multiple users can be given the same permission level for resources on the network
• Because a user's access token is built when the user logs on, if you add a user to a group the user must log off and log back on for that change to take effect
  – With Kerberos the group list travels inside the ticket, so a connection made with a ticket obtained before the change still lacks the new group; the same delay applies when a user is removed from a group, which is one reason disabling an account is more reliable than only pulling it out of groups
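The "log off and back on" rule on the slide above can be observed directly by comparing the token of the current session with the group list the directory would compute now. The script below is an added example, not part of the original slides: it runs on any domain-joined Windows host with PowerShell 3.0 or later and needs no ActiveDirectory module. It reads the SIDs in the live token through WindowsIdentity, tests a named group with WindowsPrincipal, and reads the directory's computed tokenGroups attribute through ADSI; any SID present in tokenGroups but absent from the live token is a membership granted after logon. The group name CORP\Finance-Staff in the usage line is a placeholder.

```powershell
# Added example, not part of the original slides. Domain-joined Windows host,
# PowerShell 3.0+; 'CORP\Finance-Staff' is a placeholder group name.

function Get-CurrentTokenGroups {
    # The group SIDs baked into this logon session's access token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Test-TokenHasGroup {
    # True only if the group is in the token, i.e. the user was a member at logon
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $principal = New-Object System.Security.Principal.WindowsPrincipal(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    $principal.IsInRole($GroupName)
}

function Get-GroupsMissingFromToken {
    # tokenGroups is computed by the domain controller: every security group
    # the user is in, nesting resolved. Anything listed there but absent from
    # the live token was added after logon and will not apply until the user
    # logs off and on again (or obtains fresh Kerberos tickets).
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = $id.Groups | ForEach-Object { $_.Value }

    $entry = [ADSI]"LDAP://<SID=$($id.User.Value)>"
    $entry.psbase.RefreshCache(@('tokenGroups'))
    foreach ($raw in $entry.psbase.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        if ($tokenSids -notcontains $sid.Value) {
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        }
    }
}

# Usage
Get-CurrentTokenGroups | Format-Table -AutoSize
Test-TokenHasGroup -GroupName 'CORP\Finance-Staff'
Get-GroupsMissingFromToken
```

Add yourself to a test group, run Get-GroupsMissingFromToken, and the new group appears in the output while Test-TokenHasGroup still returns False; after a fresh logon both agree. The comparison is one-directional on purpose: the live token also carries local and well-known SIDs (Everyone, Interactive, BUILTIN\Users) that the directory never lists in tokenGroups.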
Group Nesting
• Users can be members of more than
one group.
• Groups can contain other Active
Directory objects, such as computers,
and other groups.
• Groups containing groups is called
group nesting.
Domain Local Groups
• Valid members - user accounts,
computer accounts, global groups,
universal groups from any domain, and
domain local groups from the same
domain.
• Used to assign permissions to
resources in the local domain.
• Once you assign permissions to this
group, you can use it to grant those
permissions to other groups or users.
Global Groups
• Valid members: user accounts, computer accounts, and other global groups, all from the same domain only
• Used primarily to organize users
• Users are typically assigned to global groups based on job role, task, or title
• You can use them to organize users who have similar functions and therefore similar requirements on the network
Universal Groups
• Valid members: user accounts, computer accounts, global or universal groups from any domain in the forest
• Used to collect global groups (and, where necessary, individual users) from several domains into one group
• Larger organizations typically use universal groups to group accounts from different domains
• Universal group membership lists are stored in the global catalog and replicated to all global catalog servers throughout the forest, so keep the membership stable (nest global groups rather than individual users) to limit forest-wide replication
Default Groups
• Built-in security groups
  – Pre-defined rights: Administrators, Backup Operators, Guests, Remote Desktop Users, Network Configuration Operators and Users (Power Users exists only as a local group on member servers and workstations, not in the domain)
  – Placed in the Builtin and Users containers by default
• Groups are sometimes added when services are installed, such as:
  – DHCP Administrators and DHCP Users
  – DnsAdmins and DnsUpdateProxy
Special Identity Groups
• Anonymous Logon: no user ID or password supplied
• Everyone: all users, including guests; since Windows Server 2003 it no longer includes Anonymous Logon
• Authenticated Users: logged on with a valid user ID and password (or Kerberos ticket); excludes Guest and anonymous logons
• Interactive: currently logged on at the local computer (console or Remote Desktop session)
• Network: users currently accessing this computer over the network
• Membership in these identities is decided by how the user logged on, not assigned by an administrator, so they cannot be edited in Active Directory Users and Computers
AGUDLP
• Microsoft's approach to using groups:
  – add Accounts to Global groups (one per role)
  – add those global groups to Universal groups (to combine roles from several domains)
  – add universal groups to Domain Local groups (one per resource and access level)
  – finally, assign Permissions to the domain local groups, never directly to users
• In a single-domain forest the universal step is unnecessary and the pattern is simply AGDLP
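The chain on the slide above, carried through end to end for one shared folder. The function below is an added example, not part of the original slides: it requires the ActiveDirectory module and an account that can create groups in the target OU and edit the folder's permissions. The OU, folder path, resource name and member names are placeholders; the group naming prefixes G-, U- and DL- are one common convention, not anything the slides prescribe. The permission is granted to the domain-local group by SID, so it does not depend on the new group's name having replicated to the server that resolves it.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory
# module; all names in the usage call are placeholders.
Import-Module ActiveDirectory

function New-AgudlpAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ResourceName,   # e.g. 'Finance'
        [Parameter(Mandatory = $true)][string]$FolderPath,     # e.g. 'D:\Shares\Finance'
        [Parameter(Mandatory = $true)][string]$GroupOu,        # e.g. 'OU=Groups,DC=corp,DC=example'
        [Parameter(Mandatory = $true)][string[]]$Members,      # sAMAccountNames of the people
        [ValidateSet('Read', 'Modify')][string]$Access = 'Modify'
    )
    # A -> G: accounts go into a global group organised by role
    $g = New-ADGroup -Name "G-$ResourceName-Staff" -GroupScope Global -GroupCategory Security -Path $GroupOu -PassThru
    Add-ADGroupMember -Identity $g -Members $Members

    # G -> U: a universal group aggregates role groups from any domain in the forest
    $u = New-ADGroup -Name "U-$ResourceName-Staff" -GroupScope Universal -GroupCategory Security -Path $GroupOu -PassThru
    Add-ADGroupMember -Identity $u -Members $g

    # U -> DL: a domain-local group named for the resource and the access level
    $dl = New-ADGroup -Name "DL-$ResourceName-$Access" -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu -PassThru
    Add-ADGroupMember -Identity $dl -Members $u
    $dl = Get-ADGroup -Identity $dl   # re-read so the SID is populated

    # DL -> P: the NTFS permission is granted to the domain-local group only
    $rights = if ($Access -eq 'Read') { 'ReadAndExecute' } else { 'Modify' }
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.SecurityIdentifier]$dl.SID,
        [System.Security.AccessControl.FileSystemRights]$rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $FolderPath
    $acl.AddAccessRule($ace)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Show who ends up with access once the nesting is resolved. Remember that
    # these users only get the new group in their token at their next logon.
    Get-ADGroupMember -Identity $dl -Recursive | Select-Object objectClass, SamAccountName
}

# Usage (placeholders)
New-AgudlpAccess -ResourceName 'Finance' -FolderPath 'D:\Shares\Finance' `
    -GroupOu 'OU=Groups,DC=corp,DC=example' -Members 'jdoe', 'asmith' -Access 'Modify'
```

Run it on a file server in the same domain as the domain-local group: a domain-local group is only usable on resources in its own domain, which is exactly why the final permission step is tied to that scope. Giving a second team read-only access later means one more DL- group and one more ACE, with no change to the global or universal groups.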
Default Domain Groups
• Account Operators: can create, modify and delete accounts for users, groups, and computers in all containers and OUs
  – Cannot modify the Administrators, Domain Admins and Enterprise Admins groups or their members
• Administrators: complete and unrestricted access to the computer or domain controller
• Backup Operators: can bypass file security to back up and restore all files on the computer, and can log on to and shut down domain controllers
• The operator groups (Account, Server, Backup and Print Operators) are empty by default and should stay that way in most environments: each gives a foothold on domain controllers that is in practice equivalent to domain administration, which is why Active Directory protects them through AdminSDHolder alongside the admin groups
Default Domain Groups
• Guests: the same default access as members of the Users group; contains the Guest account, which is disabled by default
• Print Operators: can manage printers and document queues, and can log on locally to domain controllers
• Server Operators: can log on to a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shut down the computer and modify the system date and time
Default Domain Groups
• Users: allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions
• DnsAdmins: permits administrative access to the DNS Server service, which on most domains runs on the domain controllers themselves
• Domain Admins: can perform administrative tasks on any computer anywhere in the domain, because the group is added to the local Administrators group of every domain-joined computer
Default Domain Groups
• Domain Computers: contains all workstations and member servers joined to the domain, and is used to make computer management easier through Group Policy
• Domain Controllers: contains all computers installed in the domain as a domain controller
• Domain Guests: members include all domain guests
• Domain Users: members include all domain users
  – Used to assign permissions to all users in the domain
Default Domain Groups
• Enterprise Admins: global administrative privileges across the forest, such as the ability to create and delete domains; the group exists only in the forest root domain
• Schema Admins: members can manage and modify the Active Directory schema; it also exists only in the forest root domain and should be empty except while a schema change is actually being made
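The default groups listed across the last five slides are the ones a reviewer checks first, and the checks are the same every time: who is in them once nesting is resolved, whether the operator groups and Schema Admins are empty as they should be, and whether any member account has a stale or never-expiring password. The script below is an added example, not part of the original slides: it requires the ActiveDirectory module and only reads the domain. The group names are the defaults; the age threshold of 365 days and the rules of thumb in Get-PrivilegedGroupFindings are the author's assumptions, not anything the slides specify.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory
# module; read-only. Enterprise Admins and Schema Admins exist only in the
# forest root domain and are simply skipped elsewhere.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins'
)

function Get-PrivilegedGroupMembership {
    param([string[]]$GroupNames = $PrivilegedGroups)
    foreach ($name in $GroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive resolves nested groups to the users and computers that actually hold the rights
        foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
            $detail = if ($m.objectClass -eq 'user') {
                Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate
            }
            [pscustomobject]@{
                Group                = $name
                Member               = $m.SamAccountName
                Class                = $m.objectClass
                Enabled              = if ($detail) { $detail.Enabled } else { $null }
                PasswordNeverExpires = if ($detail) { $detail.PasswordNeverExpires } else { $null }
                PasswordAgeDays      = if ($detail -and $detail.PasswordLastSet) { [int]((Get-Date) - $detail.PasswordLastSet).TotalDays } else { $null }
                LastLogonDate        = if ($detail) { $detail.LastLogonDate } else { $null }
            }
        }
    }
}

function Get-PrivilegedGroupFindings {
    # Rules of thumb (assumptions, adjust to policy): Schema Admins should be empty
    # outside a schema change; the operator groups are empty by default and grant
    # domain-controller logon, so any member deserves a question; never-expiring or
    # year-old admin passwords are findings in their own right.
    param([int]$MaxPasswordAgeDays = 365)
    $operatorGroups = 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
    foreach ($r in Get-PrivilegedGroupMembership) {
        $why = @()
        if ($r.Group -eq 'Schema Admins')      { $why += 'Schema Admins is not empty' }
        if ($r.Group -in $operatorGroups)      { $why += 'operator group has members' }
        if ($r.Class -eq 'user' -and $r.PasswordNeverExpires) { $why += 'password never expires' }
        if ($r.Class -eq 'user' -and $r.PasswordAgeDays -gt $MaxPasswordAgeDays) { $why += "password is $($r.PasswordAgeDays) days old" }
        if ($why) { $r | Select-Object Group, Member, @{ n = 'Finding'; e = { $why -join '; ' } } }
    }
}

# Usage
Get-PrivilegedGroupMembership | Format-Table -AutoSize
Get-PrivilegedGroupFindings   | Format-Table -AutoSize
```

Members from trusted domains show up as foreignSecurityPrincipal objects without user details; resolve those in their home domain. The group list is driven by name because these are the default names, but a domain that has renamed its admin groups should pass the real names (or look them up by well-known RID) instead.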
Special Identity Groups
• Authenticated Users: used to allow controlled access to resources throughout the forest or domain; prefer it over Everyone when granting access
• Everyone: used to provide access to resources for all users and guests
  – Not recommended to deny this group access to resources, because the deny applies to administrators as well and an explicit Deny entry is evaluated before any Allow
Summary
• AD was created with businesses in
mind
• The hierarchical structure allows
administrators to provide granular
administrative control of each object
• AD allows centralized control of your
network simplifying administration
• AD provides a single logon to your
network
• Permissions grant access to resources