Introduction to Active Directory

Transcription

1 UT ntroduction to Active irectory 5-1

2 Topics for this Unit irectory ervices Active irectory Forests omains rganizational Units Groups A features ites Accounts 5-1

3 irectory ervice A directory service is a listing of the resources hardware, software, and human that are available on the network The primary uses of directory services is both user authentication and resource authorization Authentication is the process of verifying a user s identity. Authorization is the process of granting the user access only to the resources he or she is permitted to use 5-1

4 Active irectory s based on Banyan ines treet Talk which was designed in the late 197s to be used on a global scale and uses the internet Uniform esource Locator (UL) system to identify users and resources Both Microsoft and ovell adopted (read stole) parts of street talk and incorporated them into their directory services Finally, Microsoft licensed street talk, renamed in Active irectory and introduced it in indows server 5-1

5 omain A domain is a security boundary ach domain is hosted on a separate server called a domain controller ach domain has independent administration 5-1

6 Active irectory bjects An Active irectory domain is tree structure verything in active directory is an object There are two basic classes of objects container object - one that can hold other objects in it omain Group Folder leaf object can not hold other objects User Printer File 5-1

7 Active irectory Attributes information stored about an object User name phone number, etc File size, name, location, etc. ome attributes are created automatically, such as the globally unique identifier (GU) that the domain controller assigns to each object when it creates it 5-1

8 chema atabase design, structure and relationship definitions efines the objects stored within Active irectory and the properties (attributes) associated within each object The nature and function of an object determine what are reasonable properties 5-1

9 rganizational Unit (U) A container object that exists within a domain Us can contain other Us, as well as leaf objects You can apply separate Group Policy to an U, and delegate the administration of an U as needed However, an U is still part of the domain and still inherits policies and permissions from its parent objects. 5-1

10 Groups ecurity groups use security groups to assign permissions and user rights to objects omain local groups assign permissions to resources in the same domain Global groups used to organize users who share similar network access requirements Universal groups used to assign permissions to related resources in multiple domains istribution groups Applications use distribution groups for non-security related functions, such as sending messages to multiple recipients 5-1

11 Forest Consists of one or more separate domain trees Have two-way trust relationships between them as two domains in the same tree hen you create the first domain on an Active irectory network, that first domain becomes the forest root domain. 5-1

12 ther Features Global Catalog List of all objects in the forest, along with a subset of each object s attributes Forest root will become the default global catalog server Functional levels xist to allow backward compatibility Lightweight irectory Access Protocol (LAP) tandard communications protocol for directory service products, including Active irectory eplication atabase replicated to all domain controllers ead only domain controllers 5-1

13 ites The physical design of the network Typically each site is a LA ites are normally connected by A links called site links Most sites also contain multiple subnets as well 5-1

14 Active irectory Users and Groups 5-1

15 efinitions User - individual granted access to the system with the following User properties Groups associated with the user Profile path Login script Home directory Groups - logical collection of users Accounts - Logical construct containing all information that defines a user to the environment 5-1

16 efinitions esources - All equipment attached to the workstation or network Home irectories - dedicated locations on a file server for a specific user to store files Policy - a set of configurations that allows an administrator to restrict a user s access and rights Profile - file containing a user s environmental settings and preferences 5-1

17 User omain Accounts Accounts used to access Active irectory or network-based resources, such as shared folders or printers Account information for these users is stored in the Active irectory database and replicated to all domain controllers within the same domain A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest 5-1

18 User/Group ame ules The name must be unique to the domain The username cannot be the same as a group name The name may be up to characters, upper or lowercase or a combination of both 5-1

19 User/Group ame ules To avoid confusion with special syntax characters, names may not include any of the following: " / \ [ ] : ; =, + *? < > The name may include spaces and periods, but may not consist entirely of spaces or periods T: ames including spaces have to be enclosed in quotes for both scripting or command-line use. Better to avoid using spaces 5-1

20 Accounts User and group accounts are managed using the Active irectory Users and Computers snap in Computer Management snap ins Account operations Copy elete isable ename 5-1

21 User Account ptions User Must Change Password at ext Logon - Forces a user to change their password the next time they log on and afterward the box will be unchecked. User Cannot Change Password - f checked, prevents the user from changing the account s password. 5-1

22 User Account ptions Password ever xpires - f checked, the user account ignores the password expiration policy, and the password for the account never expires Account s isabled - f checked, the account is disabled and no one can log on to it until it is enabled (it is not, however, removed from the database) 5-1

23 Built-in User Accounts Automatically created during the install Built-in user accounts can be local accounts or domain accounts, depending on whether the server is configured as a standalone server or a domain controller hen you install a domain controller, the ability to create and manipulate local accounts is disabled By default, two built-in user accounts are created on a indows erver computer Administrator account Guest account 5-1

24 Administrator Full control of computer, domain or forest depending on the context Used to establish administrative structure and create other accounts hould be renamed hould be secured with a complex password Can be disabled, but cannot be deleted hould not be used for every day user tasks 5-1

25 Guest Account esigned to allow temporary access to the network isabled by default, but cannot be deleted hould be secured with a complex password if enabled 5-1

26 Active irectory Authentication Authentication Process esources Access Token User identification Group memberships Privileges assigned to user (also named system rights) 5-1

27 Access Tokens hen a user logs on, an access token is created that identifies the user and all of the user s group memberships This access token is used to verify a user s permissions when the user attempts to access a local or network resource By using groups, multiple users can be given the same permission level for resources on the network ince a user s access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect 5-1

28 Group esting Users can be members of more than one group. Groups can contain other Active irectory objects, such as computers, and other groups. Groups containing groups is called group nesting. 5-1

29 omain Local Groups alid members - user accounts, computer accounts, global groups, universal groups from any domain, and domain local groups from the same domain. Used to assign permissions to resources in the local domain. nce you assign permissions to this group, you can use it to grant those permissions to other groups or users. 5-1

30 Global Groups alid members - User accounts, computer accounts, and other global groups Used primarily to organize users Users are typically assigned to global groups based on job role, task, or title You can use them to organize users who have similar functions and therefore similar requirements on the network. 5-1

31 Universal Groups alid members - user accounts, computer accounts, global or universal groups Used to organize users or groups of users in global groups Larger organizations typically use universal groups to group accounts from different domains Changes to universal group membership lists are replicated to all global catalog servers throughout the forest 5-1

32 efault Groups Built-in security groups Pre-defined permissions Administrators, Backup perators, Guests, Power Users, emote esktop, etwork Configuration and Users Placed in Built-in and Users containers by default Groups are sometimes added when services are installed such as: HCP Admins and HCP Users Admins and UpdateProxy 5-1

33 pecial dentity Groups Anonymous Logon - no used id or password required veryone means everyone Authenticated Users logon with valid user id and password nteractive currently logged on the local computer etwork all currently connected network users 5-1

34 Group cope 5-1

35 AGULP Microsoft s approach to using groups: add Accounts to Global groups. add those global groups to Universal groups. Add universal groups to omain Local groups. Finally, assign Permissions to the domain local groups. 5-1

36 efault omain Groups Account perators Can create, modify and delete accounts for users, groups, and computers in all containers and Us Cannot modify administrators, domain admins and enterprise admin groups Administrators Complete and unrestricted access to the computer or domain controller Backup perators - Can bypass security and back up and restore all files on the computer 5-1

37 efault omain Groups Guests ame privileges as members of the Users group isabled by default Print perators Can manage printers and document queues erver perators Can log on a server interactively, create and delete shares, start and stop some services, back up and restore files, format the disk, shutdown the computer and modify the system date and time 5-1

38 efault omaingroups Users Allows general access to run applications, use printers, shut down and start the computer and use network shares for which they are assigned permissions Admins Permits administrative access to the server service omain Admins Can perform administrative tasks on any computer anywhere in the domain 5-1

39 efault omain Groups omain Computers Contains all computers and is used to make computer management easier through group policies omain Controllers Contains all computers installed in the domain as a domain controller omain Guests Members include all domain guests omain Users Members include all domain users Used to assign permissions to all users in the domain. 5-1

40 efault omain Groups nterprise Admins Allows the global administrative privileges associated with this group, such as the ability to create and delete domains chema Admins Members can manage and modify the Active irectory schema controlled access to resources throughout the forest or domain. Authenticated Users allow controlled access to resources throughout the forest or domain veryone allow access to resources to all users and guests 5-1

41 pecial dentity Groups Authenticated Users Used to allow controlled access to resources throughout the forest or domain veryone Used to provide access to resource for all users and guest ot recommended to deny this group access to resources 5-1

42 ummary A was created with businesses in mind The hierarchical structure allows administrators to provide granular administrative control of each object A allows centralized control of your network simplifying administration A provides a single logon to your network Permissions grant access to resources 5-1

43 Lab nstall Active irectory on erver 1 Create a child domain on server Create Administrative Accounts, egular Users and Groups Answer Lab Questions 5-1