Administering Windows 2008 Server

Introduction
• Administering a Windows 2008 Server involves some of the following:
– Installation of the operating system
– Installation and configuration of Active Directory, including creation of domains and domain controllers
– Managing users, groups, computers, and organizational units
– Managing Group Policies

Managing Users
• Active Directory user accounts represent physical entities, such as people. You can also use user accounts as dedicated service accounts for some applications.
• User accounts are also referred to as security principals. Security principals are directory objects that are automatically assigned security identifiers (SIDs), which can be used to access domain resources.

Managing Users
• A user account primarily does the following:
– Authenticates the identity of a user. A user account enables a user to log on to computers and domains with an identity that the domain can authenticate. Each user who logs on to the network should have his or her own unique user account and password. To maximize security, avoid having multiple users share one account.
– Authorizes or denies access to domain resources. After a user is authenticated, the user is authorized or denied access to domain resources based on the explicit permissions that are assigned to that user on the resource.

User Account
• The Users container in the Active Directory Users and Computers snap-in displays three built-in user accounts:
– Administrator
– Guest
– Help Assistant
• These built-in user accounts are created automatically when you create the domain.
• Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain, while the Guest account has limited rights and permissions.

User Account
• The Administrator account has full control of the domain. It can assign user rights and access control permissions to domain users as necessary. Use this account only for tasks that require administrative credentials.
• The Administrator account is a default member of the following Active Directory groups:
– Administrators
– Domain Admins
– Enterprise Admins
– Group Policy Creator Owners
– Schema Admins
• The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more difficult for malicious users to try to gain access to it.
• The Administrator account is the first account that is created when you set up a new domain with the Active Directory Domain Services Installation Wizard.

Securing User Account
• If built-in account rights and permissions are not modified or disabled by a network administrator, they can be used by a malicious user (or service) to illegally log on to a domain using the Administrator account or Guest account.
• A good security practice for protecting these accounts is to rename or disable them. Because it retains its SID, a renamed user account retains all its other properties, such as its description, password, group memberships, user profile, account information, and any assigned permissions and user rights.
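The two slides above make the point that the built-in Administrator and Guest accounts keep their SIDs no matter what they are named, and that renaming or disabling them is the recommended hardening. The following PowerShell is an added example, not part of the lecture, that turns that into an audit: it finds both accounts by their well-known relative identifiers (RID 500 and 501) rather than by name, so it still works after a rename, and reports whether each one has been renamed or disabled. It assumes the ActiveDirectory module (shipped with Windows Server 2008 R2 and the RSAT tools) in a domain-joined session with read access to the domain.

```powershell
# Added example: audit the built-in Administrator (RID 500) and Guest (RID 501)
# accounts by SID, so a renamed account is still found.
# Assumes: ActiveDirectory module available, domain-joined session.
Import-Module ActiveDirectory

function Get-BuiltinAccountStatus {
    $domain    = Get-ADDomain
    $domainSid = $domain.DomainSID.Value

    # Well-known RIDs; the SID survives a rename, the name does not.
    $wellKnown = @(
        @{ DefaultName = 'Administrator'; Rid = 500 },
        @{ DefaultName = 'Guest';         Rid = 501 }
    )

    foreach ($entry in $wellKnown) {
        $sid  = '{0}-{1}' -f $domainSid, $entry.Rid
        $acct = Get-ADUser -Identity $sid -Properties MemberOf, PasswordLastSet, LastLogonDate

        # Either hardening step from the slide (rename or disable) counts.
        $renamed  = ($acct.SamAccountName -ne $entry.DefaultName)
        $hardened = $renamed -or (-not $acct.Enabled)

        New-Object PSObject -Property @{
            DefaultName     = $entry.DefaultName
            CurrentName     = $acct.SamAccountName
            SID             = $sid
            Enabled         = $acct.Enabled
            Renamed         = $renamed
            Hardened        = $hardened
            GroupCount      = @($acct.MemberOf).Count
            PasswordLastSet = $acct.PasswordLastSet
            LastLogonDate   = $acct.LastLogonDate
        }
    }
}

# Report; any row with Hardened = False is still enabled under its default name.
Get-BuiltinAccountStatus |
    Format-Table DefaultName, CurrentName, Enabled, Renamed, Hardened, GroupCount, LastLogonDate -AutoSize
```

Run it from an elevated PowerShell session on a domain member with the module installed. The LastLogonDate column is included because a disabled-but-recently-used built-in account, or an enabled Guest account with any logon date at all, is worth a closer look.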

Securing User Accounts
• To obtain the security advantages of user authentication and authorization, use Active Directory Users and Computers to create an individual user account for each user who will participate in your network.
• You can then add each user account (including the Administrator account and Guest account) to a group to control the rights and permissions that are assigned to the account. When you have accounts and groups that are appropriate for your network, you ensure that you can identify users that log on to your network and that they have access only to the permitted resources.

Account Options
• Each Active Directory user account has a number of account options that determine how someone logging on with that particular user account is authenticated on the network. You can use the options to configure password settings and security-specific information for user accounts.

Account Options
• The following are some of the account options:
– User must change password at next logon
– User cannot change password
– Password never expires
– Account is disabled
– Smart card is required for interactive logon

Creating a New User
• Open Active Directory Users and Computers: click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
• Point to New, and then click User. In First name, type the user's first name. In Initials, type the user's initials.
• In Last name, type the user's last name.

Creating a New User
• In User logon name, type the user logon name, click the user principal name (UPN) suffix in the drop-down list, and then click Next.
• If the user will use a different name to log on to computers running Microsoft® Windows® 95, Windows 98, or Windows NT® operating systems, you can change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name.
• In Password and Confirm password, type the user's password, and then select the appropriate password options.

Resetting Password
• Open Active Directory Users and Computers: click Start, click Administrative Tools, and then double-click Active Directory Users and Computers.
• In the details pane, right-click the user whose password you want to reset, and then click Reset Password. Type and then confirm the password.
• If you want to require the user to change this password at the next logon process, select the User must change password at next logon check box.
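The three procedures above (the account options list, the New Object - User wizard, and Reset Password) map directly onto the ActiveDirectory PowerShell cmdlets. This is an added example, not from the lecture, showing the same steps scripted: create the user with the wizard's fields, set the account options the slide lists, reset the password with the "must change at next logon" flag, and then run the check an administrator wants afterwards, a list of enabled accounts whose password never expires. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT); the OU "OU=Staff" and the account "jdoe" are constructed sample values.

```powershell
# Added example: scripted equivalent of the Creating a New User, Account Options
# and Resetting Password slides. Assumes the ActiveDirectory module and an
# existing OU named Staff; 'Jane Doe' / 'jdoe' are constructed sample values.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$targetOu  = "OU=Staff,$($domain.DistinguishedName)"   # assumed to exist
$upnSuffix = $domain.DNSRoot

# Read the initial password interactively so it never sits in a script or transcript.
$initialPassword = Read-Host -AsSecureString 'Initial password for the new user'

# Same fields as the wizard: first name, initials, last name, logon name, UPN suffix.
New-ADUser -Name 'Jane Doe' `
    -GivenName 'Jane' -Initials 'M' -Surname 'Doe' `
    -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$upnSuffix" `
    -Path $targetOu `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# The remaining options from the Account Options slide are Set-ADUser parameters.
# Shown explicitly here; in practice set only what the role requires.
Set-ADUser -Identity 'jdoe' `
    -CannotChangePassword $false `
    -PasswordNeverExpires $false `
    -SmartcardLogonRequired $false

# Resetting Password: -Reset sets a new password without knowing the old one
# (this needs the Reset Password right on the account), then force a change.
$newPassword = Read-Host -AsSecureString 'New password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $newPassword
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Review check: "Password never expires" silently exempts an account from the
# domain password policy, so list every enabled user that has it set.
function Get-NonExpiringPasswordUsers {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, DistinguishedName
}

Get-NonExpiringPasswordUsers | Format-Table -AutoSize
```

The cmdlets enforce the same rule the wizard does: "User must change password at next logon" and "Password never expires" are mutually exclusive, and the domain password policy applies to the password you supply, so a value that fails complexity is rejected at creation time rather than at first logon.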

Set Logon Hours
• To set logon hours, double-click Active Directory Users and Computers.
• Right-click the user account, and then click Properties. On the Account tab, click Logon Hours, and then set the permitted or denied logon hours for the user.
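Behind the Logon Hours grid is the logonHours attribute: 21 bytes, 168 bits, one bit per hour of the week starting at Sunday 00:00, with bit 0 of each byte being the earliest hour. Two things the grid hides are worth knowing when you script it: the bits are interpreted as UTC, not the server's local time, and the attribute is replaced as a whole rather than merged. This added example (not from the lecture) builds the mask for a Monday-to-Friday, 08:00-18:00 window, applies it, and reads it back to confirm what the directory stores. It assumes the ActiveDirectory module; the account "jdoe" is a constructed sample value.

```powershell
# Added example: build, apply and decode a logonHours mask.
# Assumes the ActiveDirectory module; 'jdoe' is a constructed sample account.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    param(
        [int[]]$Days,               # 0 = Sunday ... 6 = Saturday, in local time
        [int]$StartHour,            # first permitted local hour, 0-23
        [int]$EndHour,              # first denied local hour, 1-24
        [int]$UtcOffsetHours = 0    # local = UTC + offset, e.g. -5 for US Eastern standard time
    )
    $mask = New-Object byte[] 21    # 21 bytes x 8 bits = 168 hours, Sunday 00:00 UTC first
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # Shift the local hour to its UTC position, wrapping around the week.
            $bitIndex  = (($day * 24 + $hour - $UtcOffsetHours) % 168 + 168) % 168
            $byteIndex = [int][math]::Floor($bitIndex / 8)
            $bitValue  = [int][math]::Pow(2, $bitIndex % 8)
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor $bitValue)
        }
    }
    return ,$mask   # the leading comma keeps the byte[] from being unrolled
}

function ConvertFrom-LogonHoursMask {
    # Decode a mask into the permitted UTC hours per weekday, for verification.
    param([byte[]]$Mask)
    $names = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($day = 0; $day -lt 7; $day++) {
        $hours = @()
        for ($hour = 0; $hour -lt 24; $hour++) {
            $bitIndex = $day * 24 + $hour
            $byte     = $Mask[[int][math]::Floor($bitIndex / 8)]
            if (($byte -band [int][math]::Pow(2, $bitIndex % 8)) -ne 0) { $hours += $hour }
        }
        New-Object PSObject -Property @{ Day = $names[$day]; PermittedUtcHours = ($hours -join ',') }
    }
}

# Monday to Friday, 08:00-18:00, on a server whose local time is UTC (offset 0).
$mask = New-LogonHoursMask -Days 1, 2, 3, 4, 5 -StartHour 8 -EndHour 18 -UtcOffsetHours 0

# Apply. logonHours is replaced in full; there is no partial update.
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $mask }

# Read back and decode so the stored value, not the intended one, is what gets reviewed.
$stored = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
ConvertFrom-LogonHoursMask -Mask $stored | Format-Table Day, PermittedUtcHours -AutoSize
```

For a server in a non-UTC zone, pass the zone's standard offset; a window that crosses midnight after the shift simply wraps into the next day's byte, which is why the index arithmetic is done modulo 168 rather than per day.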

Disable a User
• To disable a user, double-click Active Directory Users and Computers.
• In the details pane, right-click the user. Depending on the status of the account, do one of the following:
– To disable the account, click Disable Account.
– To enable the account, click Enable Account.

Organizational Units (OU)
• An OU is an Active Directory object that is used to organize other objects that are created and contained within the Active Directory infrastructure.
• OUs differ from Containers, which are another type of organizational object within Active Directory. The primary difference is that an OU can have a Group Policy Object (GPO) linked to it, whereas a Container cannot. This might not sound all that important, but it is paramount.

Importance of OU
• OUs primarily will be used to organize the following objects:
– User accounts
– Group accounts
– Computers
• Granting administrative privileges over the objects contained within an OU is called delegation.
• There is a delegation wizard for each OU, and an administrator can also modify permissions on the OU directly. There are approximately 15,000 individual Allow permissions for each OU.

Importance
• OUs are also used to deploy Group Policy Object (GPO) settings. When a GPO is linked to an OU, the settings within the GPO only apply to the objects in that OU and its child OUs. This allows for easy and efficient deployment of GPO settings to only the users and computers that need the settings.
• GPOs can be linked to the domain and to Active Directory sites, but it is more difficult to manage and configure GPOs deployed at these locations within Active Directory. For efficiency of GPO management, deployment, and troubleshooting, it is suggested to design OUs for the deployment of GPOs.

Designing the OU Structure
• When it comes to designing the OU structure, many questions and discussions need to occur. It is far better to design the OUs before implementing the overall Active Directory infrastructure, not after Active Directory is up and running. Far too often companies feel it is easier to "redesign" Active Directory "again" than to do it right the first time.

Things to Consider When Designing OUs
• Who will be involved in the administration of users, groups, and computers?
• Will everyone who is responsible for managing users, groups, and computers be in control of all objects, or just a portion of the objects?
• Which user accounts need to have the same settings and which user accounts need to have different settings?
• Which computer accounts need to have the same settings and which computer accounts need to have different settings?

How Many OUs Should be Created?
• The answer lies within your overall goals for Active Directory and how you will manage delegation and GPO deployment. There are really three rules of design, which your organization might develop for OU design:
– Too many?
– Too few?
– Just enough?

Creating a New OU
• To create a new OU, double-click Active Directory Users and Computers.
• In the console tree, right-click the domain name, point to New, and then click Organizational Unit. Type the name of the organizational unit (OU).

To Delegate Control of an OU
• In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
• Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
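The Delegation of Control Wizard writes access control entries onto the OU, and because the slides note there are thousands of individual permissions per OU, it pays to know exactly which entry a delegation adds and to be able to list what is already there. This added example (not from the lecture) creates an OU, grants one narrow delegation, the "Reset Password" extended right over user objects in the OU, to a helpdesk group, and then lists the OU's explicit (non-inherited) permissions for review. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and the AD: PowerShell drive it provides; the OU name "Staff" and the group "Helpdesk" are constructed sample values, and the group must already exist.

```powershell
# Added example: create an OU, delegate Reset Password on user objects to a
# group, and review the explicit ACEs on the OU. Assumes the ActiveDirectory
# module; 'Staff' and 'Helpdesk' are constructed sample names.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Staff,$domainDn"

# Create the OU once, with accidental-deletion protection (a Windows Server 2008 feature).
$existing = Get-ADOrganizationalUnit -LDAPFilter '(ou=Staff)' -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Schema GUIDs, identical in every forest:
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

# One ACE: Allow <Helpdesk> the Reset Password extended right, inherited by
# descendant objects of class user only (not groups, computers or child OUs).
$helpdesk = Get-ADGroup -Identity 'Helpdesk'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

function Get-ExplicitOuPermissions {
    # Review helper: every ACE set directly on the OU. Inherited ACEs are skipped
    # because they come from the domain or a parent OU, not from this delegation.
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

Get-ExplicitOuPermissions -DistinguishedName $ouDn | Format-Table -AutoSize
```

The ObjectType column shows GUIDs rather than names; an entry whose ObjectType is the all-zero GUID with GenericAll rights is a full-control delegation, which is the kind of thing this review is meant to surface.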

Default OU
• When Active Directory is initially installed there is only one OU. The Default Domain Controllers OU is the only OU that comes as a default.
• This OU is designed to contain and manage the domain controllers for the domain. The domain administrator can create an unlimited number of OUs for the domain over time, but too many OUs can become cumbersome and cause management issues.

Managing Groups
• A group is a collection of user and computer accounts, contacts, and other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members.
• Groups in Active Directory Domain Services (AD DS) are directory objects that reside in a domain and in organizational unit (OU) container objects. AD DS provides a set of default groups at installation. It also provides an option to create groups.

Importance of Groups
• Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. Assigning permissions to a group assigns the same access to the resource to all members of that group.
• Delegate administration by assigning user rights once to a group through Group Policy. You can then add members to the group that you want to have the same rights as the group.

Default Groups
• Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles.
• Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
• Default groups are located in the Built-in container.

Group Scope
• Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest.
• There are three group scopes:
– Domain local: members of these groups can be assigned permissions only within a domain.
– Global: members of these groups can be assigned permissions in any domain in the forest.
– Universal: members of these groups can be assigned permissions in any domain in the domain tree or forest.

Group Type
• Distribution Group
– You can use distribution groups only with e-mail applications (such as Microsoft Exchange Server 2007) to send e-mail to collections of users. Distribution groups are not security enabled.
• Security Group
– Security groups provide an efficient way to assign access to resources on your network. By using security groups, you can assign user rights to security groups in AD DS and also assign permissions to security groups on resources.
– Permissions are different from user rights. Permissions determine who can access a shared resource, and they determine the level of access, such as Full Control.

Creating a New Group
• To create a new group, double-click Active Directory Users and Computers.
• In the console tree, right-click the folder under which you want to create a new group. Point to New, and then click Group. Type the name of the new group. By default, the name that you type is also entered as the pre-Windows 2000 name of the new group.
• In Group scope, click one of the options.
• In Group type, click one of the options.

Adding a Member to Group
• In the console tree, click the folder that contains the group to which you want to add a member. In the details pane, right-click the group, and then click Properties.
• On the Members tab, click Add.
• In Enter the object names to select, type the name of the user, group, or computer that you want to add to the group, and then click OK.

Finding Groups in Which a User is a Member
• In the console tree, click Users.
• Or, click the folder that contains the user account whose group membership you want to view.
• In the details pane, right-click a user account, and then click Properties.
• Click the Member Of tab.
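The three group procedures above (create a group with a scope and type, add a member, and look at the Member Of tab) have a catch the last one does not show: the Member Of tab lists only direct memberships, while access decisions use the full nested chain, because groups can be members of groups. This added example (not from the lecture) scripts the creation and membership steps and then answers "which groups is this user effectively in?" two ways: direct memberships, as the tab shows them, and transitive memberships using the LDAP_MATCHING_RULE_IN_CHAIN operator, which the domain controller evaluates. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT); "Finance-Users", "jdoe" and the Staff OU are constructed sample values.

```powershell
# Added example: create a global security group, add a member, then compare direct
# and nested (transitive) group membership for a user. Assumes the ActiveDirectory
# module; 'Finance-Users', 'jdoe' and OU=Staff are constructed sample values.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Group scope and type are the same two choices the New Object - Group dialog offers.
New-ADGroup -Name 'Finance-Users' `
    -SamAccountName 'Finance-Users' `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Staff,$domainDn" `
    -Description 'Finance staff (constructed sample group)'

# Adding a Member to Group
Add-ADGroupMember -Identity 'Finance-Users' -Members 'jdoe'

function Get-DirectGroupMembership {
    # What the Member Of tab shows: groups that list the user directly as a member.
    param([string]$User)
    Get-ADPrincipalGroupMembership -Identity $User |
        Select-Object Name, GroupScope, GroupCategory
}

function Get-EffectiveGroupMembership {
    # Transitive membership: matching rule 1.2.840.113556.1.4.1941 makes the DC walk
    # the member chain, so a group that contains a group the user is in is returned too.
    param([string]$User)
    $userDn = (Get-ADUser -Identity $User).DistinguishedName
    # Note: a DN containing ( ) * or \ must be escaped before it is placed in an LDAP filter.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
        Select-Object Name, GroupScope, GroupCategory, DistinguishedName
}

'Direct (Member Of tab):'
Get-DirectGroupMembership -User 'jdoe' | Format-Table -AutoSize

'Effective (nested):'
Get-EffectiveGroupMembership -User 'jdoe' | Format-Table -AutoSize
```

Neither query includes the user's primary group (Domain Users by default), which is stored in the primaryGroupID attribute rather than in any group's member list; add it by hand when you need a complete picture of what a token will contain.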

Group Policy
• You can use Windows Server 2008 Group Policy to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings, software deployment, scripts, folder redirection, and preferences.
• Group Policy preferences, new in Windows Server 2008, add more than 20 Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). In contrast to Group Policy settings, preferences are not enforced: users can change preferences after initial deployment.

Group Policy Management Console (GPMC)
• The GPMC consists of a set of scriptable interfaces for managing Group Policy and an MMC-based user interface. The GPMC provides unified management of all aspects of Group Policy across multiple forests in an organization, which means GPMC lets you manage all GPOs.
• Think of the GPMC as your primary access point to Group Policy, with all the Group Policy management tools available from the GPMC interface.

OU and Group Policy
• In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or OUs. Typically, you assign most GPOs at the OU level, so make sure that your OU structure supports your Group Policy-based client-management strategy.
• You might also apply some Group Policy settings at the domain level, particularly those such as password policies. Very few policy settings are applied at the site level. A well-designed OU structure that reflects the administrative structure of your organization and takes advantage of GPO inheritance simplifies the application of Group Policy.

Applying Group Policy to New User and Computer Account
• Open Active Directory Users and Computers, navigate to the organizational unit (OU) in question, right-click it, and select Properties. Select the Group Policy tab and add the Group Policy element you would like to apply.
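The GPMC slide mentions that Group Policy has scriptable interfaces, and the OU and Group Policy slide explains that most GPOs are linked at the OU level while password policy lives at the domain level. This added example (not from the lecture) uses those interfaces to create a GPO, put one enforced policy setting in it, link it to an OU, and then show the full list of GPOs that apply at that OU in precedence order, followed by the domain password policy. It uses the GroupPolicy PowerShell module, which ships with the GPMC in Windows Server 2008 R2 (the 2008 RTM GPMC exposes COM interfaces instead); "Staff Baseline" and the Staff OU are constructed sample values.

```powershell
# Added example: create, populate and link a GPO, then review what applies to an OU.
# Assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT);
# 'Staff Baseline' and OU=Staff are constructed sample values.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Staff,$domainDn"

# Create the GPO and set one policy (not preference) value, so it is enforced and
# users cannot change it: deny inbound Remote Desktop connections on these machines.
$gpo = New-GPO -Name 'Staff Baseline' -Comment 'Constructed sample GPO'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 1 | Out-Null

# Link at the OU, as the slides recommend; a link at the domain would hit every object.
New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes | Out-Null

function Get-AppliedGpoOrder {
    # Everything that applies at the target, including links inherited from the
    # domain and site. Order 1 has the highest precedence when settings conflict.
    param([string]$Target)
    $inheritance = Get-GPInheritance -Target $Target
    $inheritance.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

Get-AppliedGpoOrder -Target $ouDn | Format-Table -AutoSize

# Password policy is a domain-level setting (Default Domain Policy); read what is in force.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration
```

An Enforced link shows as such in the output because an enforced GPO higher up cannot be overridden by links lower in the OU tree; when a setting does not apply the way you expect, that column and the Order column are the first two things to check.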

END OF LECTURE