Lecture 7: Naming & Structuring Objects Network Design & Administration

Objects in a domain…

• Leaf objects are those at the lowest level in AD DS.
• The most important are Computers and Users.
• Computer Accounts and User Accounts are both necessary to let a user on a computer access a resource.
• Groups are ways of organising computers or users to give all members the same permissions or rights.
• Organisational Units exist mainly to allow admin jobs to be delegated to separate groups (e.g. at different physical sites).


Object Naming

• This needs planning!
• Must be considered for all names within the network, i.e. the namespaces used for workstations, servers, users, groups, printers etc.
• Different companies have different policies, often reflecting their local “attitude”.
• The larger the organisation, the better documented the policies must be.


Namespace Limitations

• A flat namespace means names must be unique (e.g. Unix UIDs).
• A tree-based namespace means the same name can be reused on different branches.
• Reuse of the same naming structure on different branches may be useful for similar organisational structures (e.g. sales, marketing and accounts names for the company’s offices in different cities).


Naming Methods[1]

• Question: what considerations need to be taken into account when coming up with names for resources within the network?
• Need to consider:
  • What names are permitted in the namespace?
  • What names are not permitted in the namespace?
  • How are names selected?
  • How are collisions resolved?
  • When is renaming allowed?


Naming Methods[1]

• Formulaic – e.g. all NTU student logins are N123456.
• Descriptive – include facts, e.g. at NTU all lab machines are CIB<room>_<pcnum> (CIB205_13), and printers are <Server>_<Location>_<Type>, e.g. Panhard_CIB2nd_Konica_Col.
• Functional – specify roles or duties, e.g. admin, webserver01.
• Thematic – e.g. picard, riker, worf, crusher.
• No method – sometimes results from a change in thematic methods.


Difficulties with Naming

• Thematic names: obscurity – remembering which functions are hosted on which server.
• Formulaic names – if a user reports a fault, do you need them to tell you which workstation they are using?
• Thematic security – if admins reserve boring names for standard machines and name theirs specially, intruders will know which ones to avoid!
• Descriptive names with unwanted longevity – names may end up lasting long after the useful information in them has gone (e.g. defunct departments).


User Accounts

• Do not get confused between local and domain user accounts!
• Local – grants the user access to that particular computer only (used for Workgroups).
• Domain – grants the user access to resources across the domain. Domain User Account = Logon Name + Password + Security Identifier (SID).
• The SID is used to generate security tokens for access to resources.


User Account Names

Microsoft:
• 1 to 20 characters *
• Not case sensitive
• Not "/\[]:;|+=*?<>@
  * A name of up to 256 characters can be created, but it cannot be used to log on!

Linux:
• No more than 32 characters (8 in NIS)
• Case sensitive *
• Any character except : or LF
  * Case is ignored in email addresses[2]


Naming Policy

• Should be sensible, documented and used!
• Easily guessable names make email easier to use (since login names are often used for email).
• Should have a standard way of resolving problems, e.g. duplicates or names that are too long.
• Standard schemes, e.g.:
  • First.Last
  • Initial.Last
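As an added illustration (not part of the lecture), the PowerShell below builds Initial.Last logon names, applies the Microsoft limits from the User Account Names slide, and resolves duplicates by appending a number. The people and the list of names already in use are constructed sample data, and the function names are my own.

```powershell
# Added example (not from the lecture): turn a person's name into a logon name
# under the Initial.Last scheme, enforce the Microsoft limits from the
# "User Account Names" slide, and resolve duplicates by appending a number.

$MaxLength = 20                                   # 1 to 20 characters for a logon name
$Forbidden = [char[]]'"/\[]:;|=,+*?<>@'          # characters not permitted in a logon name

function Test-LogonName {
    param([string]$Name)
    if ($Name.Length -lt 1 -or $Name.Length -gt $MaxLength) { return $false }
    foreach ($c in $Forbidden) { if ($Name.IndexOf($c) -ge 0) { return $false } }
    return $true
}

function New-LogonName {
    param([string]$FirstName, [string]$LastName, [string[]]$Taken)
    # Initial.Last, lower-cased (Windows compares logon names case-insensitively)
    $base = ('{0}.{1}' -f $FirstName.Substring(0, 1), $LastName).ToLower()
    # Drop spaces and forbidden characters instead of rejecting the person outright
    $base = -join ($base.ToCharArray() | Where-Object { $_ -ne ' ' -and $Forbidden -notcontains $_ })
    if ($base.Length -gt $MaxLength) { $base = $base.Substring(0, $MaxLength) }

    # Collision rule: append 2, 3, ... and trim the stem so the total stays within the limit.
    # -contains is case-insensitive, matching how Windows treats logon names.
    $candidate = $base
    $n = 1
    while ($Taken -contains $candidate) {
        $n++
        $suffix = [string]$n
        $stem = $base.Substring(0, [Math]::Min($base.Length, $MaxLength - $suffix.Length))
        $candidate = $stem + $suffix
    }
    if (-not (Test-LogonName $candidate)) { throw "No valid logon name for $FirstName $LastName" }
    return $candidate
}

$existing = @('c.kent', 'l.lane', 'l.lane2')     # constructed: names already in the directory
New-LogonName -FirstName 'Clark' -LastName 'Kent' -Taken $existing            # 'c.kent' is taken, so a suffix is added
New-LogonName -FirstName 'Lois'  -LastName 'Lane' -Taken $existing            # skips both 'l.lane' and 'l.lane2'
New-LogonName -FirstName 'Mary'  -LastName 'von Doom/Smith' -Taken $existing  # the space and '/' are stripped
```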


Passwords

• Strong passwords make it harder for hackers (they take longer to crack).
• They do not avoid the need for other security measures.
• Schneier recommends a very strong password, written down and kept in your wallet![3]
• Password policies in AD include Complexity Requirements, Minimum and Maximum Password Age, and Password History.
• The default setting in AD for a new user is “Change password at next logon”.


Security of Passwords

• Users – make them understand the consequences! Have procedures and documentation in place.
• Admins – encrypted passwords stored on the system are liable to brute-force attacks, e.g. dictionary attacks.
• In AD DS, disable (by default) LAN Manager hash (LMHash) storage, as this password encryption is very weak and therefore easy to crack. It is only needed for backward compatibility with Windows 95/98 and Macintosh[4].
• In Linux systems, hide encrypted passwords by using the /etc/shadow file, readable only by the superuser.
• MD5-based password hashes can be cracked quite easily.
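Added example, not from the lecture: a read-only PowerShell check of the LMHash setting described in reference [4] and of the AD password policy items listed on the Passwords slide. It assumes the ActiveDirectory module is available on the machine where it runs; the thresholds in the parameters are local policy choices I have assumed, not values from the lecture.

```powershell
# Added example (not from the lecture): audit the two password-storage points
# on this slide for a Windows domain. Requires the ActiveDirectory module.

# LM hash storage: reference [4] (KB 299656) describes the NoLMHash registry
# value under the Lsa key. A value of 1 stops LM hashes being stored for new passwords.
function Test-LmHashStorageDisabled {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'NoLMHash' -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and [int]$lsa.NoLMHash -eq 1)
}

# Domain password policy: complexity, minimum/maximum age and history, as listed
# on the "Passwords" slide. Thresholds are assumed values; a finite maximum age
# is assumed to be configured.
function Get-PasswordPolicyFindings {
    param([int]$MinLength = 12, [int]$MaxAgeDays = 90, [int]$MinHistory = 24)
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @(
        if (-not $p.ComplexityEnabled)               { 'Complexity requirements are disabled' }
        if ($p.MinPasswordLength -lt $MinLength)     { "Minimum length $($p.MinPasswordLength) is below $MinLength" }
        if ($p.MaxPasswordAge.Days -gt $MaxAgeDays)  { "Maximum age $($p.MaxPasswordAge.Days) days exceeds $MaxAgeDays" }
        if ($p.PasswordHistoryCount -lt $MinHistory) { "History of $($p.PasswordHistoryCount) is shorter than $MinHistory" }
        # Without a minimum age a user can cycle through the history back to an old password
        if ($p.MinPasswordAge.TotalHours -lt 1)      { 'Minimum age is under 1 hour' }
    )
    return $findings
}

if (Test-LmHashStorageDisabled) { 'OK: LM hash storage is disabled' }
else { 'FINDING: LM hashes may still be stored for new passwords' }

$f = Get-PasswordPolicyFindings
if ($f.Count -eq 0) { 'OK: password policy meets the assumed thresholds' } else { $f }
```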


Domain User Accounts

(Annotations on the slide’s screenshot:)
• Default container – should really create your own OU.
• System-created accounts – can be disabled but not deleted.


Creating User accounts

• Must be done by a member of the Enterprise Admins, Domain Admins or Account Operators groups, or by those with delegated permissions.
• Should really be done after creating an OU for user accounts, though accounts can be moved between containers.
• Simplest method for creating just one user – select the OU, then Action | New | User, or the Create New User button.
• There are two pages of information to configure…
• Note – the account can be disabled at this stage for use as a template, or for staff arriving later.


Creating User Accounts: Templates

• Object templates can be used as the basis for newly created objects.
• First, set up a template and set all relevant details. This can either be an existing account or one specifically for copying (but not a special account type).
• Make sure the template’s password has been set and the account is disabled.
• To create a new user account based on a template: Action | Copy will bring up a wizard.
• This will copy some of the user account’s properties, but not the User Logon name.
• The new account will have a new SID.


Creating User Accounts: Importing from a CSV file

• Can add multiple users by using csvde.exe (CSV Directory Exchange) to import from a file.
• First, create a comma-separated-value (CSV) text file of the user information to be imported.
• Then use csvde.exe to import it into AD DS.

Syntax:
  Import into AD DS:           csvde -i -f <input file name> -k
  Dump AD DS database to CSV:  csvde -f <output file name>

File format example:
  objectClass,sAMAccountName,dn
  user,KentC,"CN=Clark Kent, OU=reporters, DC=DailyPlanet, DC=com"
  user,LaneL,"CN=Lois Lane, OU=reporters, DC=DailyPlanet, DC=com"
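Added example, not from the lecture: PowerShell that generates a csvde input file in the format shown above from a list of names and then imports it. The names are constructed sample data, the OU and domain are those from the slide’s example, and the function name is my own.

```powershell
# Added example (not from the lecture): build the csvde file for the reporters
# on the slide from a list of names, then import it into AD DS.

$Container = 'OU=reporters,DC=DailyPlanet,DC=com'   # OU and domain from the slide
$People = @(                                        # constructed sample input
    @{ First = 'Clark'; Last = 'Kent' },
    @{ First = 'Lois';  Last = 'Lane' }
)

# One row per account: objectClass, sAMAccountName and the full DN, using the
# Last+Initial scheme the slide uses (KentC, LaneL).
function ConvertTo-CsvdeRow {
    param([string]$First, [string]$Last, [string]$Path)
    $sam = $Last + $First.Substring(0, 1)
    if ($sam.Length -gt 20) { throw "$sam exceeds the 20-character logon name limit" }
    # The DN contains commas, so that field must be quoted for csvde to parse it
    '{0},{1},"{2}"' -f 'user', $sam, "CN=$First $Last,$Path"
}

# Header row first; the attribute names must be the LDAP names AD DS recognises
$lines = @('objectClass,sAMAccountName,dn')
$lines += $People | ForEach-Object { ConvertTo-CsvdeRow -First $_.First -Last $_.Last -Path $Container }

# csvde reads an ANSI file by default; names with non-ASCII characters need a
# Unicode file together with csvde's -u switch instead.
Set-Content -Path 'reporters.csv' -Value $lines -Encoding ASCII

# Import (needs rights to create objects in the OU); -k continues past
# "object already exists" errors. csvde cannot set passwords, so the imported
# accounts are created disabled until a password is assigned.
# csvde -i -f reporters.csv -k
```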


Creating User Accounts: PowerShell

• We will cover PowerShell in a lot more detail in a future lecture.
• Can use the existing command-line tool (dsadd) in a script.

Syntax:   dsadd user <UserDN> [parameters]
Example:  dsadd user "cn=Clark Kent, OU=reporters, DC=dailyplanet, DC=com" -ln Kent -fn Clark -upn [email protected]

• Or, use a PowerShell cmdlet:

Syntax:   New-ADUser <user name> [parameters]
Example:  New-ADUser "Clark Kent"


Groups

• Used to ease the burden of administering resources for users.
• By clustering users based on their shared needs, work can be reduced, clarified and made less error-prone.
• For example, if the Sales Department contains 15 people, consider the difference in administration workload if they all need access to 5 resources.
• Solution: use a group to manage the required workload.


Active Directory Groups

• Groups and Group Policy are not directly related, but a Group Policy can affect a Group (we will see more on group policies in later sessions).
• A group is not restricted by the structure of the AD DS tree.
• Groups are generally used to cluster resources and users.


Creating New Groups

• As with users, groups can be maintained using the Active Directory Users and Computers snap-in.
• To add new groups, you need elevated rights (i.e. membership of Enterprise Admins, Domain Admins or Account Operators, or an explicitly granted right).
• Once the group has been created, new members can be added via the Properties dialogue, or via PowerShell.

Examples:
1. dsadd group <groupDN> [parameters] -scope l|g|u
   e.g. dsadd group "cn=copyeditors, ou=personnel, dc=dailyplanet, dc=com" -scope g
2. New-ADGroup <group name> -GroupScope DomainLocal|Global|Universal
   e.g. New-ADGroup "copyeditors" -GroupScope Global


Computer Objects

• A logical representation in Active Directory Domain Services of a physical object.
• Authorises that physical device as a legitimate member of a domain.
• Has a name, a location, and a record of who is allowed to manage it.
• Inherits group policy settings from its containers, e.g. domain, site or OU.
• During user login, the computer object interacts with the domain controller to check the domain. If OK, then user authorisation occurs.


Adding a Computer to a Domain

• First create the computer object in AD DS.
• Then join the computer to the domain.
• (The computer object can be created as part of the domain-joining process.)
• To create a computer object, the user must have appropriate permissions for the container in which the object will be located:
  • Administrators can create objects anywhere in the domain.
  • Account Operators can create objects in the Computers container (and OUs they create).


Creating Computer Objects – AD DS Users and Computers

• Use the Active Directory Users and Computers console.


Creating Computer Objects – PowerShell

1. Use dsadd.exe
   Syntax:   dsadd computer <computerDN> [parameters]
   Example:  dsadd computer "cn=webserver1, cn=computers, dc=dailyplanet, dc=com"

2. Use the PowerShell cmdlet (New-ADComputer)
   Syntax:   New-ADComputer <computer name>
   Example:  New-ADComputer "webserver1"
   (inserts the new computer into the Computers container by default)


Joining Computers to a Domain

• Must occur at the computer and be performed by a member of the local Administrators group.
• Use the System Properties dialogue box.
• Either specify a name that already exists (but has not yet been associated with a machine),
• or specify a new name for a computer object to be created on the fly.
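Added example, not from the lecture: the two steps above (create the computer object, then join) as PowerShell, pre-creating the object in a chosen OU rather than the default Computers container. The OU path, computer name and domain are assumed values, the function names are my own, and the ActiveDirectory module is assumed on the admin workstation.

```powershell
# Added example (not from the lecture): pre-create ("pre-stage") a computer
# object in a specific OU, then join the machine under that name.

$DomainName   = 'dailyplanet.com'                     # assumed
$ComputerName = 'webserver1'                          # name used on the slides
$TargetOu     = 'OU=Servers,DC=dailyplanet,DC=com'    # assumed OU; the default would be CN=Computers

# Step 1: run by an administrator, or by someone with delegated rights on $TargetOu.
# Creating the object in the OU up front means it inherits that OU's group policy
# from the first logon, instead of whatever applies to the Computers container.
function New-PrestagedComputer {
    param([string]$Name, [string]$Path)
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        # Refuse to reuse an existing object: a stale account with the same name
        # would otherwise be silently bound to this new machine.
        throw "A computer object named $Name already exists"
    }
    New-ADComputer -Name $Name -Path $Path -Enabled $true
}

# Step 2: run on the machine itself by a member of its local Administrators group.
# -NewName makes the join use the pre-staged name. If no object had been created,
# the join would create one on the fly (in the Computers container unless -OUPath is given).
function Join-PrestagedComputer {
    param([string]$Domain, [string]$NewName, [pscredential]$Credential)
    Add-Computer -DomainName $Domain -NewName $NewName -Credential $Credential -Restart
}

# Usage:
# New-PrestagedComputer -Name $ComputerName -Path $TargetOu
# Join-PrestagedComputer -Domain $DomainName -NewName $ComputerName -Credential (Get-Credential)
```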


Next Time & References

• Group Scope
• How, why and what to assign to groups
• Access control

[1] “The Practice of System and Network Administration”, Limoncelli, Chapter 8.
[2] RFC 822, section 3.4.7 (1982).
[3] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
[4] http://support.microsoft.com/kb/299656
