Module 4: Administration in Active Directory


Page 1: Module 4: Administration in Active Directory. Overview  Designing Active Directory to Delegate Administrative Authority Identifying Business Needs Identifying

Module 4: Administration in Active Directory

Page 2: Overview

Designing Active Directory to Delegate Administrative Authority
  Identifying Business Needs
  Characterizing the IT Organization
  Developing a Strategy for Administrative Design
  Developing a Strategy for Delegation
Implementing Group Policy
  Group Policy Structure
  Working with Group Policy Objects
  How Group Policy Settings Are Applied in Active Directory
  Modifying Group Policy Inheritance
Designing Active Directory to Support Group Policy
Designing a Schema Policy

Page 3: Identifying Business Needs

Documenting the Administrative Process:
  Level of Administration
  Who Administers What
  Build Flexibility Into Plan

[Figure: organizational chart with CEO, Accounting, Accounts Payable, Accounts Receivable, Human Resources, Production, Logistics, Purchasing, and Information Technology, beside an IT infrastructure chart with regions Northwest, Northeast, and Southeast and offices Seattle, Portland, Atlanta, and Charlotte]

Page 4: Characterizing the IT Organization

Centralized IT
Centralized IT with Decentralized Management
Decentralized IT
Outsourced IT

Page 5: Developing a Strategy for Administrative Design

Designing a Hierarchy Based on Location
Designing a Hierarchy Based on Organization
Designing a Hierarchy Based on Function
Designing a Hybrid Hierarchy by Location then Organization
Designing a Hybrid Hierarchy by Organization then Location
Design Guidelines

Page 6: Designing a Hierarchy Based on Location

Is Resistant to Change
Accommodates Mergers and Expansions
May Compromise Security
Takes Advantage of Network Strengths

[Figure: domain nwtraders.msft with child domains na.nwtraders.msft and asia.nwtraders.msft; OU New England containing OUs Boston and Hartford]

Page 7: Designing a Hierarchy Based on Organization

Reflects Business Model
Is Vulnerable to Reorganizations
Maintains Departmental Autonomy
Accommodates Mergers and Expansions
May Affect Replication

[Figure: domain nwtraders.msft with child domains mfg.nwtraders.msft and distrib.nwtraders.msft; OUs manufacturing, engineering, purchasing, and research]

Page 8: Designing a Hierarchy Based on Function

Is Immune to Reorganizations
May Require Additional Layers
May Affect Replication

[Figure: OUs sales, consultants, marketing, hardware, project1, and project2]

Page 9: Designing a Hybrid Hierarchy by Location then Organization

Allows for Growth
Allows for Security Boundaries
Leverages Strength of Physical Network
May Require Lower Level Changes After a Reorganization

[Figure: domain asia.nwtraders.msft with OU Mfg containing OU research, and OU HR containing OUs recruiting and training]

Page 10: Designing a Hybrid Hierarchy by Organization then Location

Allows for Security Boundaries
Allows Administration by Location
Vulnerable to Reorganizations

[Figure: domain sales.nwtraders.msft with OU New England containing OUs Boston and Hartford]

Page 11: Design Guidelines

Hierarchy:
  Location
  Organization
  Function
Hybrid Hierarchy:
  By Location then Organization
  By Organization then Location

Page 12: Developing a Strategy for Delegation

Determining Delegation Methods
Determining Object Ownership
Creating a Strategy for Object-Based and Task-Based Delegation
Creating a Strategy for Delegating Authority
Creating Strategies for Inheritance of Permissions
Design Choice Guidelines

Page 13: Determining Delegation Methods

Delegating Authority Includes:
  Changing Container Properties
  Creating, Changing, and Deleting Child Objects
  Updating Object Attributes
  Creating New Users or Groups
  Managing Small Groups of Users or Groups

Page 14: Creating a Strategy for Delegating Authority

Domain-Level Delegation Affects All Objects in the Domain

OU-Level Delegation Can Affect Parent OU Only, or Parent and All Child OUs

Site-Level Delegation May Affect Multiple Domains

Page 15: Creating Strategies for Inheritance of Permissions

Objects Inherit Existing Permissions
Inheritance Can Be Blocked

[Figure: a parent OU with Full Control assigned; two child OUs beneath it inherit Full Control]

Page 16: Design Guidelines

Assign Permissions at the OU Level When Possible
Avoid Assigning Permissions at Property or Task Level
Use a Small Number of Domain Administrators
Assign Access Permissions to Groups

Page 17: Overview (same agenda as Page 2)

Page 18: Introduction to Group Policy

Group Policy Enables You to:
  Set centralized and decentralized policies
  Ensure users have their required environments
  Lower total cost of ownership by controlling user and computer environments
  Enforce corporate policies

[Figure: Administrator Sets Group Policy Once → Group Policy → Site, Domain, OU → Windows 2000 Applies Continually → Users, Computers]

Page 19: Group Policy Structure

Types of Group Policy Settings
Group Policy Objects
Group Policy Settings for Computers and Users
Group Policy Objects and Active Directory Containers

Page 20: Types of Group Policy Settings

Administrative Templates: Registry-based Group Policy settings
Security: Settings for local, domain, and network security
Software Installation: Settings for central management of software installation
Scripts: Startup, shutdown, logon, and logoff scripts
Remote Installation Services: Settings that control the options available to users when running the Client Installation wizard used by RIS
Internet Explorer Maintenance: Settings to administer and customize Microsoft Internet Explorer on Windows 2000-based computers
Folder Redirection: Settings for storing users' folders on a network server

Page 21: Group Policy Objects

Group Policy Object
  Contains Group Policy settings
  Content stored in two locations:
    Group Policy Template (GPT): located in the domain controller's shared Sysvol folder; provides the Group Policy settings that computers running Windows 2000 obtain and apply
    Group Policy Container (GPC): located in Active Directory; provides version information used by domain controllers

Page 22: Group Policy Settings for Computers and Users

Group Policy Settings for Computers:
  Specify operating system behavior, desktop behavior, security settings, computer startup and shutdown scripts, computer-assigned application options, and application settings
  Apply when the operating system initializes and during the periodic refresh cycle
Group Policy Settings for Users:
  Specify operating system behavior, desktop settings, security settings, assigned and published application options, application settings, folder redirection options, and user logon and logoff scripts
  Apply when users log on to the computer and during the periodic refresh cycle

Page 23: Group Policy Objects and Active Directory Containers

GPO Settings Affect User and Computer Objects Within Sites, Domains, and OUs to Which a GPO Is Linked
  You can link one GPO to multiple sites, domains, or OUs
  You can link multiple GPOs to one site, domain, or OU
You Cannot Link GPOs to Default Active Directory Containers

[Figure: a Site GPO linked to the site, a Domain GPO linked to the domain, and OU GPOs linked to OUs beneath the domain]

Page 24: Working with Group Policy Objects

Creating Linked Group Policy Objects
Creating Unlinked Group Policy Objects
Linking an Existing Group Policy Object
Specifying a Domain Controller for Managing Group Policy Objects

Page 25: Creating Linked Group Policy Objects

To Apply Group Policy to a Container, Create a GPO Linked to the Container:
  Create GPOs linked to domains and OUs by using Active Directory Users and Computers
  Create GPOs linked to sites by using Active Directory Sites and Services

[Screenshot: "contoso.msft Properties" dialog, Group Policy tab (other tabs: General, Managed By, Object, Security). "Current Group Policy Object Links for contoso.msft" lists Default Domain Policy, Account Lockout Policy, and Passwords Policy with No Override and Disabled columns. Note: "Group Policy Objects higher in the list have the highest priority. This list obtained from: London.contoso.msft". Buttons: New, Add..., Edit, Options..., Delete..., Properties, Up, Down; check box "Block Policy inheritance"; Close, Cancel, Apply. Callouts: "To create a GPO" pointing at New, and "Name of linked GPO" pointing at the list]

Page 26: Creating Unlinked Group Policy Objects

[Screenshot: the "Select Group Policy Object" page of the Group Policy snap-in, showing "Local Computer" with a Browse... button and the option "Allow the focus of the Group Policy Snap-in to be changed when launching from the command line. This only applies if you save the console." The "Browse for a Group Policy Object" dialog has tabs Domains/OUs, Sites, Computers, and All; with "Look in: contoso.msft" the All tab lists "All Group Policy Objects stored in this domain": Application Deployment, Default Domain Controllers Policy, Default Domain Policy, several entries named New Group Policy Object, and Test. A context menu (View, Arrange Icons, Line up Icons, Refresh, New) carries the callout "To create an unlinked GPO" pointing at New]

Page 27: How Group Policy Settings Are Applied in Active Directory

Group Policy Inheritance
How Group Policy Settings Are Processed
Controlling the Processing of Group Policy
Group Policy and Slow Network Connections (Links)
Resolving Conflicts Between Group Policy Settings
Class Discussion: How Group Policy Is Applied

Page 28: Group Policy Inheritance

Windows 2000 Applies GPO Settings in a Specific Order:
  Site
  Domain
  OU
Child Containers Inherit GPO Settings from Parent Containers

[Figure: a Domain GPO linked to the Domain applies to the Payroll OU beneath it and to the Computers and Users it contains]

Page 29: How Group Policy Settings Are Processed

[Figure: Computer starts → Computer settings applied → Startup scripts run; then User logs on → User settings applied → Logon scripts run]

The GetGPOList Function Executes on the Client Computer During:
  Computer startup, to determine which GPOs contain computer configuration settings to be applied
  User logon, to determine which GPOs contain user configuration settings to be applied

Page 30: Controlling the Processing of Group Policy

Synchronous and Asynchronous Processing
  By default, the processing of Group Policy is synchronous
  You can change the processing of Group Policy to asynchronous by using a Group Policy setting for both computers and users
Refreshing Group Policy at Established Intervals of:
  90 minutes for computers running Windows 2000 Professional and for member servers running Windows 2000 Server
  5 minutes for domain controllers
Processing Unchanged Group Policy Settings
  You can configure each client-side extension to process all applicable Group Policy settings

Page 31: Resolving Conflicts Between Group Policy Settings

All Group Policy Settings Apply Unless There Are Conflicts
The Last Setting Processed Applies
  When settings from different GPOs in the Active Directory hierarchy conflict, the child container GPO settings apply
  When settings from GPOs linked to the same container conflict, the settings for the GPO highest in the GPO list apply
A Computer Setting Applies When It Conflicts with a User Setting

Page 32: Modifying Group Policy Inheritance

Enabling Block Inheritance
Enabling No Override
Filtering Group Policy Settings
Class Discussion: Changing Group Policy Inheritance

Page 33: Enabling Block Inheritance

Block Inheritance:
  Stops inheritance of all GPOs from all parent containers
  Cannot selectively choose which GPOs are blocked
  Cannot stop No Override

[Figure: GPOs linked at the Domain; the Sales and Production OUs beneath it block inheritance, so no GPO settings apply to either OU]

Page 34: Enabling No Override

No Override:
  Overrides Block Inheritance and GPO conflicts
  Should be set high in the Active Directory tree
  Is applicable to links and not to GPOs
  Enforces corporate-wide rules

[Figure: No Override GPO settings linked at the Domain; the Sales and Production OUs beneath it have conflicting GPO settings, yet the Domain GPO settings apply]

Page 35: Filtering Group Policy Settings

[Figure: Domain with a Sales OU; the users Mengph and Kimyo and a group are each labeled with either "Deny Apply Group Policy" or "Allow Read and Apply Group Policy"]

Filter Group Policy Settings by:
  Explicitly denying the Apply Group Policy permission
  Omitting an explicit Apply Group Policy permission
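The precedence rules on Pages 28 through 35 (site, domain, OU order; the last setting processed wins; the link highest in a container's list wins; Block Inheritance; No Override; filtering by the Apply Group Policy permission) as a runnable model. This is an added example, not course material: the containers, GPO names, settings and principals are constructed, and the tie-break between several No Override links (the one highest in the tree wins) is an assumption beyond what the slides state.

```python
"""Model of Windows 2000 Group Policy precedence as taught in this module.

Added example; container names, GPO names, settings and security principals
are constructed for illustration and do not come from the course.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                    # setting name -> value
    # Security filtering: principal -> "allow" or "deny" for Apply Group Policy.
    # A principal with no entry has no explicit permission, so the GPO is skipped.
    apply_acl: dict = field(default_factory=dict)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False         # No Override is a property of the link


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # highest in list = highest priority
    block_inheritance: bool = False


def gpo_applies(gpo, principals):
    """Filtering rule: an explicit Deny for any principal (user or group) wins;
    otherwise at least one explicit Allow is required."""
    perms = [gpo.apply_acl.get(p) for p in principals]
    if "deny" in perms:
        return False
    return "allow" in perms


def ordered_links(path):
    """path is [site, domain, OU, child OU, ...], the container chain of the
    target object. Returns links in processing order; the last one wins."""
    normal, enforced = [], []
    for depth, container in enumerate(path):
        # Block Inheritance drops everything collected from parent containers,
        # but it cannot stop links marked No Override.
        if container.block_inheritance:
            normal = []
        # Within one container the link highest in the list has the highest
        # priority, so it must be processed last: walk the list in reverse.
        for link in reversed(container.links):
            (enforced if link.no_override else normal).append((depth, link))
    # No Override links are processed after all others so they win conflicts.
    # Assumption: among several, the link highest in the tree is processed last.
    enforced.sort(key=lambda d_l: -d_l[0])
    return [l for _, l in normal] + [l for _, l in enforced]


def resolve(path, principals):
    """Effective settings for a user or computer whose container chain is `path`
    and whose security principals (own name plus group memberships) are given."""
    effective = {}
    for link in ordered_links(path):
        if gpo_applies(link.gpo, principals):
            effective.update(link.gpo.settings)   # last setting processed applies
    return effective


def combine(computer_settings, user_settings):
    """When a computer setting conflicts with a user setting, the computer
    setting applies."""
    return {**user_settings, **computer_settings}


# Constructed sample forest: one site, the nwtraders.msft domain, two OUs.
AUTH = "Authenticated Users"
SITE = Container("Default-First-Site", [
    Link(GPO("Site Policy", {"wallpaper": "site"}, {AUTH: "allow"}))])
DOMAIN = Container("nwtraders.msft", [
    Link(GPO("Default Domain Policy",
             {"min_password_len": 8, "wallpaper": "corp"}, {AUTH: "allow"})),
    Link(GPO("Lockout Policy", {"lockout_threshold": 5}, {AUTH: "allow"}),
         no_override=True)])
SALES = Container("Sales", [
    Link(GPO("Sales Desktop", {"wallpaper": "sales", "lockout_threshold": 0},
             {AUTH: "allow", "Managers": "deny"})),      # filtered for Managers
    Link(GPO("Sales Apps", {"wallpaper": "apps"}, {AUTH: "allow"}))],
    block_inheritance=True)
PRODUCTION = Container("Production", [
    Link(GPO("Production Desktop", {"wallpaper": "prod"}, {AUTH: "allow"}))])

if __name__ == "__main__":
    print(resolve([SITE, DOMAIN, SALES], ["Kimyo", AUTH]))
    print(resolve([SITE, DOMAIN, SALES], ["Mengph", AUTH, "Managers"]))
    print(resolve([SITE, DOMAIN, PRODUCTION], [AUTH]))
```

For the Sales OU the block drops the site and Default Domain Policy settings, the No Override lockout policy survives the block and wins its conflict, and the Managers group never receives the Sales Desktop GPO because of the explicit Deny.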

Page 36: Delegating Administrative Control of Group Policy

Enable a User to Manage Group Policy Links for a Site, Domain, or OU by:
  Assigning the user read and write permissions to the gPLink and gPOptions attributes of the site, domain, or OU
  Using the Delegation of Control wizard
Enable a User or Group to Create GPOs by:
  Adding the user or group to the Group Policy Creator Owners group
Enable a User to Edit GPOs by:
  Assigning the user read and write permissions to the GPO
  Making the user a member of the Domain Admins, Enterprise Admins, or GPO Creator Owners group
  Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box

Page 37: Group Policy Troubleshooting Tools

Windows 2000 Support Tools for Group Policy Troubleshooting:
  Netdiag.exe
  Replmon.exe
Windows 2000 Resource Kit Tools for Group Policy Troubleshooting:
  Gpotool.exe
  Gpresult.exe

Page 38: Best Practices

Limit the Use of Blocking, No Override, and Filtering of GPOs
Limit the Number of GPOs That Affect Any Computer or User
Group Related Settings in a Single GPO
Delegate Administrative Control of a GPO to One or Two Users
Avoid Linking GPOs to a Site with Multiple Domains
Plan and Test GPOs Before You Implement Them

Page 39: Overview (same agenda as Page 2)

Page 40: Identifying Business Needs

Group Policy Is Applied:
  Frequently in Highly Managed IT Networks
  Infrequently in Minimally Managed IT Networks
Group Policy Is Used to:
  Enforce Security
  Create Common Configurations
  Simplify Computer Build Process
  Limit Distribution of Applications

Page 41: Applying Group Policy in Active Directory

Applying Group Policy at the Site Level
Applying Group Policy at the Domain Level
Applying Group Policy at the OU Level
Design Guidelines

Page 42: Applying Group Policy at the Site Level

Single Site GPOs Affect All Domains Within the Site
Site Level GPOs Can Cross Domain Boundaries

[Figure: one Site containing several Domains]

Page 43: Applying Group Policy at the Domain Level

In Single Domain, GPOs Affect Entire Domain and Cannot Be Delegated
In Multiple Domains, Domain Level GPOs Do Not Affect Other Domains Unless Linked

[Diagram: Single Domain; Multiple Domains with Parent Domain and Child Domain]

Page 44: Applying Group Policy at the OU Level

At OU Level, GPOs Are Inherited from Parent to Child OU

[Diagram: OU tree; GPO Linked to Parent OUs; Same Group Policy Inherited from GPO of Parent OU; OU Specifically Created for Group Policy]

Page 45: Design Guidelines

Create As Few GPOs As Possible
Map Each GPO to a Single Site, Domain, or OU Container
Avoid Linking GPOs Between Domains
Minimize the Number of GPOs Applied to a User or Computer

Page 46: Planning for Group Policy

Designing Group Policy to Meet Administrative Needs
Prioritizing Application of Group Policy Objects
Filtering Group Policy Objects
Group Policy Inheritance and Blocking
Optimizing Group Policy Performance
Testing and Documenting the Group Policy Plan
Design Guidelines

Page 47: Designing Group Policy to Meet Administrative Needs

Strategy
  Delegate the Right to Create New GPOs Throughout Active Directory
  Delegate the Right to Modify an Existing GPO
  Delegate the Right to Link GPOs to a Site, Domain, or OU

Page 48: Filtering Group Policy Objects

Filtering Prevents Group Policy from Being Applied

[Diagram: Roanoke OU containing Users and Roanoke Admins; on the GPO's permissions, "Apply Group Policy" for Roanoke Admins is set to DENY]
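The filtering shown on this slide expressed as a script, an added example that is not part of the course material: it assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to edit the GPO's security descriptor, and the constructed GPO name in the usage line; Get-GpoAdPath, Deny-GpoApply and Get-GpoDenyApplyEntries are helper names chosen here.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known GUID of the Apply-Group-Policy extended right (a schema constant).
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoAdPath {
    # AD: provider path of the GPO's directory object, CN={guid},CN=Policies,CN=System,<domain>.
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$Gpo)
    $domainDn = (Get-ADDomain -Identity $Gpo.DomainName).DistinguishedName
    "AD:\CN={$($Gpo.Id)},CN=Policies,CN=System,$domainDn"
}

function Deny-GpoApply {
    # Filtering as on the slide: the group keeps Read on the GPO, but a Deny on
    # Apply Group Policy exempts its members from the policy.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $path  = Get-GpoAdPath -Gpo $gpo
    $acl   = Get-Acl -Path $path
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $deny  = [System.Security.AccessControl.AccessControlType]::Deny
    $ace   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                        -ArgumentList $sid, $right, $deny, $ApplyGroupPolicyRight
    $acl.AddAccessRule($ace)
    if ($PSCmdlet.ShouldProcess($GpoName, "Deny Apply Group Policy to $GroupName")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

function Get-GpoDenyApplyEntries {
    # Audit: every Deny on Apply Group Policy across all GPOs. Such entries are
    # easy to overlook and silently exempt principals, so keep them in the plan.
    foreach ($gpo in Get-GPO -All) {
        $acl = Get-Acl -Path (Get-GpoAdPath -Gpo $gpo)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and $ace.ObjectType -eq $ApplyGroupPolicyRight) {
                [pscustomobject]@{ Gpo = $gpo.DisplayName; DeniedTo = $ace.IdentityReference.Value }
            }
        }
    }
}

# Usage with the names from the slide (the GPO name is constructed):
# Deny-GpoApply -GpoName 'Roanoke Desktop Settings' -GroupName 'Roanoke Admins' -WhatIf
# Get-GpoDenyApplyEntries | Format-Table
```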

Page 49: Group Policy Inheritance and Blocking

When Blocked, GPO Does Not Apply to Child OU

[Diagram: GPO Linked to Parent OU; OU tree; one child OU marked "Inheritance Blocked"]

Page 50: Optimizing Group Policy Performance

Optimize Group Policy Performance Over Slow Connections by Adjusting:
  Slow Link Processing
  Periodic Refresh Processing
  Client Side Extensions

Page 51: Testing and Documenting the Group Policy Plan

When Testing Group Policy:
  Use an Off-Line Test Environment
  Test During Off-Peak Hours if Testing Environment Is Not Available

When Documenting Group Policy:
  List Name of GPO
  List Site, Domain, or OU Where Applied
  List Individual Settings
  List Special Settings

Page 52: Design Guidelines

Disable Unused Parts of a GPO
Reduce Need for Filtering By Creating Additional OUs
Use the Block Policy Inheritance and No Override Features Sparingly
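An added example (not from the course) that produces the documentation Page 51 asks for and the review of blocked inheritance and No Override links that Page 49 and the guideline above call for; it assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to the domain, and the three function names are chosen here.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkInventory {
    # One row per GPO link, read from GPMC's XML report so that site links are
    # included (Get-GPInheritance only covers domains and OUs). NoOverride in the
    # report is the slide's "No Override" (later GPMC versions call it Enforced).
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        if ($links.Count -eq 0) {
            # Unlinked GPOs are cleanup candidates ("create as few GPOs as possible").
            [pscustomobject]@{ Gpo = $gpo.DisplayName; LinkedTo = '<unlinked>'; NoOverride = $null; Enabled = $null }
        }
        foreach ($link in $links) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                LinkedTo   = $link.SOMPath
                NoOverride = [bool]::Parse($link.NoOverride)
                Enabled    = [bool]::Parse($link.Enabled)
            }
        }
    }
}

function Get-BlockedInheritanceOUs {
    # OUs that block policy inheritance: below each one, domain-level settings
    # (security settings included) stop applying unless a link above is No Override.
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if ($inh.GpoInheritanceBlocked) { $ou.DistinguishedName }
    }
}

function Export-GpoSettingsReports {
    # "List Individual Settings": one HTML report per GPO, named by GUID so renames do not matter.
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($gpo in Get-GPO -All) {
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $OutDir "$($gpo.Id).html")
    }
}

# Usage: the plan document is the three outputs taken together.
# Get-GpoLinkInventory | Sort-Object Gpo | Export-Csv .\gpo-links.csv -NoTypeInformation
# Get-BlockedInheritanceOUs
# Export-GpoSettingsReports -OutDir .\gpo-reports
```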

Page 53: Overview

Designing Active Directory to Delegate Administrative Authority
  Identifying Business Needs
  Characterizing the IT Organization
  Developing a Strategy for Administrative Design
  Developing a Strategy for Delegation

Implementing Group Policy
  Group Policy Structure
  Working with Group Policy Objects
  How Group Policy Settings Are Applied in Active Directory
  Modifying Group Policy Inheritance

Designing Active Directory to Support Group Policy

Designing a Schema Policy

Page 54: Identifying Business Needs

Primary Reasons for Schema Modification:
  Enabling Schema to Address Business Needs
  Installing Directory-Enabled Applications

[Diagram: Schema]

Page 55: Schema Fundamentals

Schema Components
Modifying the Schema
Obtaining and Extending Object Identifiers
Deactivating Schema Components

Page 56: Schema Components

Class-Schema Objects
  Examples: Users, Computers, Servers
  Class Definition includes:
    Object Name
    Object Identifier
    "May Contain" Attributes
    "Must Contain" Attributes
  Some possible User Class Attributes: accountExpires, badPasswordTime, mail, name

Attribute-Schema Objects
  Examples (List of Attributes): accountExpires, badPasswordTime, mail, cAConnect, dhcpType, eFSPolicy, fromServer, governsID, Name, …
  Attribute Definition includes:
    Object Name
    Object Identifier
    Syntax
    Optional Range Limits

Page 57: Modifying the Schema

Schema Modification Occurs When You:
  Use the Active Directory Schema to create, modify, or deactivate classes or attributes
  Write scripts to automate schema modification
  Install software applications that add classes or attributes

To Control Membership of Schema Admins Group:
  Control Membership of Local Admins, Domain Admins, and Enterprise Admins Groups

Page 58: Obtaining and Extending Object Identifiers

Object Identifiers
  Unique identifiers for class and object attributes
  Obtained from an ISO issuing authority
  Extend to accommodate your enterprise

Object Identifier Format, 1.2.840.x.w.y.z
  1.2.840, issuing authority
  x.w.y.z for extension

Page 59: Deactivating Schema Components

Classes and Attributes Are Not Deleted, but Deactivated
Classes and Attributes Can Be Reactivated

Page 60: Implications of Modifying the Schema

Schema Modification Can Impact:
  Validity of Existing Objects
  Replication Latency
  Network Performance During Replication

Page 61: Planning for Schema Modification

Deciding When to Modify the Schema
Planning for Directory-Enabled Applications
Anticipating Microsoft Exchange 2000
Testing Schema Modifications
Developing a Schema Modification Policy
Design Guidelines

Page 62: Deciding When to Modify the Schema

Situation: No existing class meets needs
Suggested Solution: Create a new class

Situation: Existing class needs attributes but otherwise meets needs
Suggested Solution: Create new attributes, derive a new child class, or create an auxiliary class

Situation: Need a new set of unique attributes, but not a new class
Suggested Solution: Create auxiliary class

Situation: Existing classes or attributes no longer needed
Suggested Solution: Deactivate existing class or attribute

Page 63: Planning for Directory-Enabled Applications

Directory-Enabled Applications Modify the Schema in Two Phases:
  1. Schema Admins Perform the Schema Components Phase of the Install
  2. Any Authorized Individual Can Complete the Install

Page 64: Anticipating Exchange 2000

Integration of Exchange 2000 and Active Directory Improves Performance
  Separate Databases No Longer Necessary

Initial Configuration of Exchange 2000 May Take Extra Time to Complete
  LDIF Files Replicated
  Global Catalog Replication

Page 65: Testing Schema Changes

When Testing Schema Modifications, Always:
  Test Changes in a Non-Production Environment
  Use Thoroughly Tested Scripts
  Remember that Objects and Attributes Can Only Be Deactivated
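Script-driven schema modification (Page 57), an OID from your own arc (Page 58), deactivation and reactivation (Page 59) and the testing advice above, as an added example that is not part of the course: it assumes the RSAT ActiveDirectory module, Schema Admins membership, a test forest, and an OID issued to you; the function names and the 'contoso-' prefix are chosen here.

```powershell
Import-Module ActiveDirectory

function Test-SchemaNameFree {
    # Prevent confusion: refuse an lDAPDisplayName or OID already in the schema,
    # defunct entries included (a deactivated object keeps its name and OID).
    param([Parameter(Mandatory)][string]$LdapDisplayName,
          [Parameter(Mandatory)][string]$AttributeId,
          [Parameter(Mandatory)][string]$Server)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    $filter = "(|(lDAPDisplayName=$LdapDisplayName)(attributeID=$AttributeId)(governsID=$AttributeId))"
    $clash = Get-ADObject -Server $Server -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName
    if ($clash) { throw "Schema already contains: $($clash.lDAPDisplayName -join ', ')" }
    return $schemaNC
}

function New-SchemaStringAttribute {
    # Create a Unicode-string attribute; writes go to the schema master only.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName,  # company prefix avoids future clashes
          [Parameter(Mandatory)][string]$AttributeId,      # OID under your issued arc (1.2.840.x.w.y.z on Page 58)
          [switch]$MultiValued)
    $master   = (Get-ADForest).SchemaMaster
    $schemaNC = Test-SchemaNameFree -LdapDisplayName $LdapDisplayName -AttributeId $AttributeId -Server $master
    $attrs = @{ lDAPDisplayName = $LdapDisplayName; attributeID = $AttributeId
                attributeSyntax = '2.5.5.12'; oMSyntax = 64     # Unicode string syntax
                isSingleValued  = (-not $MultiValued) }
    if ($PSCmdlet.ShouldProcess($master, "Create attribute $LdapDisplayName ($AttributeId)")) {
        New-ADObject -Server $master -Path $schemaNC -Name $LdapDisplayName -Type attributeSchema -OtherAttributes $attrs
        $rootDse = [ADSI]"LDAP://$master/RootDSE"           # reload the schema cache now
        $rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()
    }
}

function Set-SchemaAttributeDefunct {
    # Deactivate (never delete) an attribute, or bring it back with -Reactivate.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName, [switch]$Reactivate)
    $master   = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $master).schemaNamingContext
    $attr = Get-ADObject -Server $master -SearchBase $schemaNC -Properties systemFlags `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "No attribute named $LdapDisplayName" }
    # Base-schema objects (systemFlags bit 0x10) cannot be deactivated at all.
    if ($attr.systemFlags -band 0x10) { throw "$LdapDisplayName is part of the base schema" }
    $action = if ($Reactivate) { 'Reactivate' } else { 'Deactivate' }
    if ($PSCmdlet.ShouldProcess($attr.DistinguishedName, $action)) {
        Set-ADObject -Server $master -Identity $attr -Replace @{ isDefunct = (-not $Reactivate) }
    }
}

# Usage (constructed values; run in a test forest first, as the slide advises):
# New-SchemaStringAttribute -LdapDisplayName 'contoso-BadgeId' -AttributeId '<your OID arc>.1' -WhatIf
# Set-SchemaAttributeDefunct -LdapDisplayName 'contoso-BadgeId' -WhatIf
```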

Page 66: Design Guidelines

Plan and Implement with Care
Prevent Confusion
Prevent Unauthorized Schema Modifications
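A check for the last guideline and for the Schema Admins membership control of Page 57, added here and not from the course: it assumes the RSAT ActiveDirectory module and read access to the group's security descriptor; Get-SchemaChangeAuthority is a name chosen here, and ACEs scoped to property sets rather than to the member attribute are not expanded.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute; an ACE scoped to it controls group membership.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-SchemaChangeAuthority {
    # Reports who can modify the schema today (Schema Admins members) and who can
    # put themselves into that group through its ACL. Schema Admins lives in the
    # forest root domain and is normally kept empty between planned changes.
    $forest  = Get-ADForest
    $dc      = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
    $group   = Get-ADGroup -Identity 'Schema Admins' -Server $dc -Properties nTSecurityDescriptor
    $members = @(Get-ADGroupMember -Identity $group -Recursive -Server $dc)
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]
    $editors = foreach ($ace in $group.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # WriteProperty counts when it covers the whole object or the member attribute itself.
        $onMember = $ace.ObjectType -eq [Guid]::Empty -or $ace.ObjectType -eq $MemberAttributeGuid
        if ($ace.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
            $ace.ActiveDirectoryRights.HasFlag($rights::GenericWrite) -or
            ($ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and $onMember)) {
            $ace.IdentityReference.Value
        }
    }
    [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        SchemaAdminMembers = @($members | ForEach-Object { $_.distinguishedName })
        MembershipIsEmpty  = ($members.Count -eq 0)
        CanEditMembership  = @($editors | Sort-Object -Unique)
    }
}

# Usage: review CanEditMembership against the Local Admins, Domain Admins and
# Enterprise Admins controls of Page 57.
# Get-SchemaChangeAuthority | Format-List
```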