Active Directory Administration
Lesson 5
Administration
Skills Matrix
Technology Skill                       | Objective Domain                                | Objective #
Creating Users, Computers, and Groups  | Automate creation of Active Directory accounts  | 4.1
Creating Users, Computers, and Groups  |                                                 | 4.2
Local Accounts
Used to access the local computer only; stored in the local Security Account Manager (SAM) database on the computer where they reside.
Never replicated to other computers, and these accounts have no domain access.
Domain Accounts
Accounts used to access Active Directory or network-based resources, such as shared folders or printers.
Account information for these users is stored in the Active Directory database and replicated to all domain controllers within the same domain.
A subset of the domain user account information is replicated to the global catalog, which is then replicated to other global catalog servers throughout the forest.
Group Accounts
Groups are implemented to allow administrators to assign rights and permissions to multiple users simultaneously.
A group can be defined as a collection of user or computer accounts that is used to simplify the assignment of rights or permissions to network resources.
Group Accounts
When a user logs on, an access token is created that identifies the user and all of the user's group memberships.
This access token is used to verify a user's permissions when the user attempts to access a local or network resource.
By using groups, multiple users can be given the same permission level for resources on the network.
Since a user's access token is only generated when they first log on to the network from their workstation, if you add a user to a group, they will need to log off and log back on again for that change to take effect.
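The point above (a group change made in the directory is not in the user's token until the next logon) is something an administrator can check rather than guess at. The following PowerShell is an added example, not part of the lesson; it assumes the RSAT ActiveDirectory module is available and that it runs in the logged-on user's own session on a domain-joined machine.

```powershell
# Added example (not from the lesson). Assumes the RSAT ActiveDirectory module
# and a domain-joined session; the user name is taken from the current logon.
Import-Module ActiveDirectory

# Groups present in this logon session's access token, as SIDs (whoami reads the token).
$tokenSids = (whoami /groups /fo csv | ConvertFrom-Csv).SID

# Groups the directory says the user is a direct member of right now.
$dirGroups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME

# Any directory group whose SID is missing from the token was added after logon
# (or the token is otherwise stale): the user must log off and on to pick it up.
$notInToken = $dirGroups | Where-Object { $tokenSids -notcontains $_.SID.Value }

if ($notInToken) {
    "Group memberships not yet in this session's access token (log off/on to apply):"
    $notInToken | Select-Object Name, GroupScope, GroupCategory
} else {
    "Access token matches the user's current directory group membership."
}
```

The comparison runs only in the directory-to-token direction: the token also carries nested and well-known groups that Get-ADPrincipalGroupMembership does not list, so a token entry with no direct membership is expected and is not reported.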
Group Types
Distribution groups - Non-security-related groups created for the distribution of information to one or more persons.
Security groups - Security-related groups created for the purpose of granting resource access permissions to multiple users.
Group Nesting
Users can be members of more than one group.
Groups can contain other Active Directory objects, such as computers and other groups.
Placing groups inside other groups is called group nesting.
Group Scopes
Global
Domain Local
Universal
Domain local
Universal Groups
These groups can include users and groups from any domain in the AD DS forest and can be employed to grant permissions to any resource in the forest.
A universal group can include users, computers, and global groups from any domain in the forest.
Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
AGUDLP
Microsoft's recommended approach to using groups:
Add Accounts to Global groups.
Add those global groups to Universal groups.
Add universal groups to Domain Local groups.
Finally, assign Permissions to the domain local groups.
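The AGUDLP chain (and the universal-group rule from the previous slide, that universal groups hold global groups rather than individual users) can be built end to end with the ActiveDirectory PowerShell module. This is an added example, not from the lesson; the OU path, domain name, folder, group names and user names are placeholders.

```powershell
# Added example, not part of the lesson. Assumes the RSAT ActiveDirectory module,
# rights to create groups in the target OU and to change the folder ACL, and these
# placeholder values.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=example,DC=com'   # placeholder OU for the new groups
$domain = 'EXAMPLE'                        # placeholder NetBIOS domain name
$folder = 'D:\Shares\Finance'              # placeholder resource folder
$users  = @('alice', 'bob')                # placeholder sAMAccountNames

# A -> G: accounts go into a Global group, which is scoped to the users' own domain.
New-ADGroup -Name 'G-Finance-Users' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-Finance-Users' -Members $users

# G -> U: the global group becomes a member of a Universal group, usable forest-wide.
# Only the group, not the users, goes in here, so membership churn in the global group
# does not trigger global catalog replication.
New-ADGroup -Name 'U-Finance-Users' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'U-Finance-Users' -Members 'G-Finance-Users'

# U -> DL: the universal group becomes a member of a Domain Local group in the
# domain that owns the resource.
New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'U-Finance-Users'

# P: only the domain local group appears on the resource ACL.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domain\DL-Finance-Modify", 'Modify',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Checks: the explicit ACL entries should name groups, not users, and the universal
# and domain local groups should contain no user accounts directly.
(Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
foreach ($g in 'U-Finance-Users', 'DL-Finance-Modify') {
    Get-ADGroupMember -Identity $g | Where-Object objectClass -eq 'user' |
        ForEach-Object { "Direct user member found in ${g}: $($_.SamAccountName)" }
}
```

Run it once as a domain administrator; the two checks at the end are the part worth keeping as a recurring audit, since direct user members in universal or domain local groups are the usual way the AGUDLP model quietly erodes.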
Group Properties
Summary
Three types of user accounts exist in Windows Server 2008:
Local user accounts reside on a local computer and are not replicated to other computers by Active Directory.
Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain.
Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.
Summary
The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008.
It can be renamed, but it cannot be deleted.
Summary
Windows Server 2008 group options include two types (security and distribution) and three scopes (domain local, global, and universal).
Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.
Summary
Global groups are used to organize domain users according to their resource access needs.
Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.
Summary
Universal groups are used to provide access to resources anywhere in the forest.
Their membership lists can contain global groups and users from any domain.
Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.
Summary
The recommended permission assignment strategy (AGUDLP) places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group, and then assigns permissions to the domain local group.
Summary
Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.
Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.
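As an added example of the bulk-creation methods the summary names (not from the lesson), the following PowerShell builds a CSVDE import file from constructed sample data, imports it, and then finishes the part CSVDE cannot do on its own. It assumes csvde.exe is present (it ships with AD DS and the RSAT tools), the ActiveDirectory module is available, and the OU, UPN suffix and user names are placeholders.

```powershell
# Added example, not from the lesson. Assumes csvde.exe on a domain-joined server,
# the RSAT ActiveDirectory module, and these placeholder values.
Import-Module ActiveDirectory

$ou     = 'OU=Staff,DC=example,DC=com'   # placeholder target OU
$upnDom = 'example.com'                  # placeholder UPN suffix
$csv    = Join-Path $env:TEMP 'new-users.csv'

# Constructed sample input; in practice this would come from an HR export or a ticket.
$people = @(
    [pscustomobject]@{ First = 'Alice'; Last = 'Smith'; Sam = 'asmith' },
    [pscustomobject]@{ First = 'Bob';   Last = 'Jones'; Sam = 'bjones' }
)

# Build the CSVDE import file. The header row names LDAP attributes and each data row
# is one object; DN and objectClass are mandatory, the rest are ordinary user attributes.
$rows = foreach ($p in $people) {
    [pscustomobject]@{
        DN                = "CN=$($p.First) $($p.Last),$ou"
        objectClass       = 'user'
        sAMAccountName    = $p.Sam
        userPrincipalName = "$($p.Sam)@$upnDom"
        givenName         = $p.First
        sn                = $p.Last
        displayName       = "$($p.First) $($p.Last)"
    }
}
$rows | Export-Csv -Path $csv -NoTypeInformation

# csvde -i = import mode, -f = input file, -k = keep going past "object already exists".
csvde -i -f $csv -k

# CSVDE cannot set passwords, so the accounts are created disabled. Set an initial
# password that must be changed at first logon, then enable each account.
foreach ($p in $people) {
    $initial = Read-Host -AsSecureString "Initial password for $($p.Sam)"
    Set-ADAccountPassword -Identity $p.Sam -NewPassword $initial -Reset
    Set-ADUser -Identity $p.Sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $p.Sam
}

# Verify: every account exists in the intended OU and is enabled.
Get-ADUser -Filter * -SearchBase $ou -Properties Enabled |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

The same import file format is what the lesson's objective 4.1 ("automate creation of Active Directory accounts") is about; LDIFDE uses a different, line-oriented input format but the same pattern of import followed by password and enable steps applies.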