Published by: api-27605687 on Oct 16, 2008
CHAPTER 20

Planning and Implementing User, Computer, and Group Strategies

In this chapter, you will learn how to

• Add accounts
• Add groups
• Plan a security group strategy
• Plan a user authentication strategy
• Plan an organizational unit (OU) structure
• Implement an OU structure
• Plan an administrative delegation strategy

Once you've learned about the components of Active Directory—the physical components that participate in directory replication, and the logical components that define how the organization defines its administrative structure—it's time to start populating the Active Directory database with user accounts so users can start using the domain.

In this chapter, you'll learn to add and manage accounts. You'll organize your user and even computer accounts to simplify the administration when assigning permissions or delegating administration.

Every user participating in a Windows 2003 Active Directory domain needs a user account and password. Further, user accounts are sometimes used as service accounts when accessing BackOffice applications such as Exchange Server and SQL Server. And even if you are not using an Active Directory domain for access to network resources, you still need an account to use the local Windows Server 2003 machine. In this case, you will be using a local account.

Users will be created, and then they will log on to begin accessing domain resources. But just how the users present their logon credentials is yet another area where administrators can exert discretion. Most networks use user names and passwords to access the domain, although other credential presentation methods, such as smart cards, are also configurable.

After adding accounts and creating security groups, you'll learn more about the organizational unit creation process and how you can use OUs to divide up administrative responsibilities throughout the domain.

Adding Accounts

Once you've decided how best to implement the Windows Server 2003 operating system, including if and how to deploy the Active Directory environment, the next essential task is creating accounts. Only once an account has been presented and authenticated will a user be able to access a Windows Server 2003 domain's resources.

As first explored in Chapter 18, a user account allows a user to log on to the local computer, or, in the case of a Windows 2003 Active Directory environment, one of the domains in your forest. The user account's credentials are validated against the directory database to which they are submitted, and if authenticated, the user account is granted an access token at logon time. Included in this access token is the user account security identifier (SID), along with the SIDs for any group account of which the user is a member. This access token is presented against access control lists (ACLs) to determine a level of access to a resource.
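The token-against-ACL check described above, as an added example that is not from the book: a Python simulation of how the SIDs carried in a logon token (the user SID plus every group SID) are matched against a canonically ordered DACL, where explicit deny ACEs are listed before allow ACEs. All SIDs, group names and ACEs are constructed placeholders.

```python
"""Simulated Windows access check: logon token SIDs vs. a resource's DACL."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # simplified access-mask bits


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee: a user or group SID
    mask: int   # rights this ACE covers


def check_access(token_sids, dacl, requested):
    """Walk a canonically ordered DACL (explicit deny before allow).

    token_sids is the set of SIDs in the access token built at logon:
    the user's own SID plus the SID of every group the user belongs to.
    Returns True only if every requested bit is accumulated from allow
    ACEs before any matching deny ACE touches one of those bits.
    """
    if dacl is None:             # null DACL: no protection, everyone gets everything
        return True
    remaining = requested
    for ace in dacl:             # empty DACL: loop never runs, so access is denied
        if ace.sid not in token_sids:
            continue             # ACE is for a SID not in this token; ignore it
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False     # an outstanding requested bit is explicitly denied
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True      # all requested bits granted by allow ACEs
    return False                 # nothing granted the rest: implicit deny


# Constructed sample values (placeholder SIDs, not real domain values).
BRIAN = "S-1-5-21-EXAMPLE-1104"          # Brian's user SID
SALES = "S-1-5-21-EXAMPLE-2001"          # Sales group SID
TEMPS = "S-1-5-21-EXAMPLE-2002"          # Temps group SID
brian_token = {BRIAN, SALES}             # token: user SID + group SIDs

share_dacl = [
    Ace("deny", TEMPS, WRITE),           # denies come first in canonical order
    Ace("allow", SALES, READ | EXECUTE),
    Ace("allow", BRIAN, WRITE),
]
```

Adding Brian to the Temps group shows why group SIDs in the token matter: the same user loses WRITE through the deny ACE while READ is still granted.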

Most of the accounts you'll create in a Windows Server 2003 environment will be domain accounts—they will be created in the Active Directory database. But before we discuss the creation of Active Directory accounts, to set the foundation, we'll examine a local account in some detail.

Local Accounts

When you create a local account, you create a new security identifier in a directory database. That directory database is local to that particular machine; that is, it's stored in a folder on the machine's local hard disk. You can create a local account on any computer that's a part of a workgroup, or on any member computers of an Active Directory domain, as long as the computer is not also a domain controller.

NOTE Potential member computers in a domain include systems running Windows NT 4.0, Windows 2000 Professional, Windows XP Professional, and Windows Server 2003. Other operating systems, such as Windows 98 and XP Home, do not create computer accounts in the domain; therefore, they are not considered members. You can still log on to a domain from one of these "lesser" operating systems, but the computer itself won't be a member of the domain.

With a local account, a user has the ability to log on locally to the machine where the account resides. However, when using a local account, he or she is restricted to using only the resources on that computer. If the user wants to access a resource on a computer elsewhere in the network, the user will have to do so in the context of a user account valid on the target machine.

MCSE Windows Server 2003 All-in-One Exam Guide

This caveat becomes a disadvantage as the network starts to grow, because users need multiple accounts defined to access resources that are stored on multiple computers. Figure 20-1 shows the principles of local accounts in a workgroup environment.

How do you know you're using a local account when logging on? You specify where the account will be submitted in the Log On To section of the Log On To Windows dialog box. If the selection in the drop-down menu says computername (This Computer), then you are trying to submit a local account for logon.

Domain Accounts

A domain user account, conversely, is created on a domain controller, and is stored in the Active Directory database. The domain controller stores a replica of this database, keeps it up to date with the latest changes by synchronizing with other domain controllers, and checks the database when validating the user logon attempt.

Because the account credentials are submitted to a central location, they can be submitted from any computer in the domain. (Unless, that is, you've restricted which computers the user can log on from, which is your prerogative as the Windows Server 2003 Active Directory administrator. There are exceptions to just about everything, depending on the instructions you've given the computer.)

And because account credentials are stored and authenticated against a single entity—the Active Directory database—it's not wise to create two Brian accounts for logon, one for the domain and one for the local computer. All the user needs is the single domain account. The domain account still gives Brian the right to use every computer in the domain (except the domain controllers themselves, which by default restrict who is able to log on at those machines). As shown in Figure 20-2, a domain account needs to be defined only once per user.

TIP Remember, you don't need to use the local Administrator account to perform administrative tasks. The domain account will do just fine, unless the default group memberships have been tampered with. We'll discuss some of the default group memberships, especially the Administrators group memberships, in the next section.

Figure 20-1 Using a local account
