Security Planning and

Administrative Delegation
Lesson 6

Skills Matrix
Technology Skill

Objective Domain

Objective #

Creating an OU Structure

Maintain Active Directory

accounts

4.2

Naming Standard
User logon names will typically follow a
corporate naming standard set forth
during the planning stages of an Active
Directory deployment.
You will usually create a naming
standards document to outline the rules
for naming all Active Directory objects.
This document will specify conventions
such as the number and type of
characters to use when creating a new
object in Active Directory.

Strong Passwords
Since user names are often easily
guessed, it is essential to have strong
passwords:
At least eight characters in length.
Contains uppercase and lowercase letters,
numbers, and non-alphabetic characters.
At least one character from each of the
previous character types.
Differs significantly from other previously
used passwords.

Strong Passwords
A strong password should not be left
blank or contain any of the following
information:
Your user name, real name, or
company name.
A complete dictionary word.
Windows passwords for Windows Server
2008, Windows Vista, Windows Server
2003 and Microsoft Windows XP clients
can be up to 127 characters in length.

Strong Passwords

If you use group policies to

enforce strong passwords:
Must be at least seven characters.
Must contain three of the four
types (uppercase and lowercase
letters, numbers, and nonalphabetic characters).
Cannot contain your user name or
real name.

Authentication
Authentication is the process of proving
who you are.
There are multiple methods of
authentication:
What you know (password or PIN).
Who you are (retinal scan or thumb
print).
What you have (smart card).

Some of these methods can be used so

that users no longer need to remember
passwords.

Smart Card
Smart cards are cards about the size of a
credit card.
Login information can be stored on the
smart card, making it difficult for anyone
except the intended user to use or access
it.
Security operations, such as
cryptographic functions, are performed on
the smart card itself rather than on the
network server or local computer. This
provides a higher level of security for
sensitive transactions.

Implementing Smart Cards for

Authentication
Smart cards can be used from
remote locations, such as a home
office, to provide authentication
services.
The risk of remote attacks using a
username and password is
significantly reduced by smart cards.

Implementing Smart Cards for

Authentication
Requires Active
Directory
Certificate
Services.
Smart cards for
authentication
must be enabled
in the user
account
properties.

Using Run As from the GUI

From the Start button, navigate to
the application you wish to run.
Press and hold the Shift key and
right-click the desired application.
Select the Run as administrator
option.

Administrative Accounts
You should not use an account possessing
administrative privileges for daily tasks, such as
browsing the Web or monitoring email.
Administrative accounts should be reserved for
tasks that require administrator privileges.
Using the Administrator account or an account that
is a member of Domain Admins, Enterprise
Admins, or Schema Admins for daily tasks offers an
opportunity for hackers to attack your network and
potentially cause severe and irreversible damage.
Limiting the use of the Administrator account for
daily tasks, such as email, application use, and
access to the Internet, reduces the potential for
this type of damage.

Run as Administrator and Runas

Command

The recommended solution for reducing the

risks associated with the Administrator
account is to use a standard user account
and the Run as administrator option in the
GUI or the runas command-line tool when it
is necessary to perform an administrative
task.
The Run as administrator or runas option
allows you to maintain your primary logon as
a standard user and creates a secondary
session for access to an administrative tool.
During the use of a program or tool opened
using Run as administrator or runas, your
administrative credentials are valid only until
you close that program or tool.

Run as Administrator and Runas

Command
Run as administrator and runas
require the Secondary Logon
service to be running.
The runas command-line tool is not
limited to administrator accounts. You
can use runas to log on with separate
credentials from any account. This
can be a valuable tool in testing
resource access permissions.

Using Run As from the GUI

If you are using User Account Control, you may
be prompted for administrative credentials
when performing system tasks
You can access the Run as Administrator option
if you by find the program you want to start
from the Start button, and press and hold the
Shift key, right-click the desired application,
and select the Run as administrator option.
You can also use the runas command, such as:
runas
/user:lucernepublishing.com\domainadmin
mmc %windir%\system32\dnsmgmt.msc

Organizational Units
Can be created to represent your
companys functional or geographical
model.
Can be used to delegate
administrative control over a
containers resources to lower-level or
branch office administrators.
Can be used to apply consistent
configuration to client computers,
users and member servers.

Creating an Organizational Unit

To create an organizational unit, you
would use the Active Directory Users
and Computers console.

Delegation of Control
Creating OUs to support a decentralized
administration model gives you the
ability to allow others to manage portions
of your Active Directory structure,
without affecting the rest of the
structure.
Delegating authority at a site level affects
all domains and users within the site.
Delegating authority at a domain level
affects the entire domain.
Delegating authority at the OU level
affects only that OU and its hierarchy.

Delegation of Control
Using the Delegation of Control
Wizard, you utilize a simple interface to
delegate permissions for domains, OUs, or
containers.
The interface allows you to specify to which
users or groups you want to delegate
management permissions and the specific
tasks you wish them to be able to perform.
You can delegate predefined tasks, or you
can create custom tasks that allow you to
be more specific.

Delegating Administrative Control of

an OU
Open Active Directory Users and
Computers.
Right-click the object to which you
wish to delegate control, and click
Delegate Control.
Click Next on the Welcome to the
Delegation of Control Wizard page.

Delegating Administrative Control of

an OU

Delegating Administrative Control of

an OU

Delegating Administrative Control of

an OU

Verifying and Removing AD

Permissions
Must Enable Advanced Features in
Active Directory Users and
Computers.
Found in the View menu.

Then right-click an OU or an account

and select Properties.
Select the Security tab.

Verifying and Removing AD

Permissions

Moving Objects within Active Directory

Windows Server 2008 allows you to
restructure your Active Directory database by
moving leaf objects such as users, computers,
and printers between OUs, in addition to
moving OUs into other OUs to create a nested
structure.
When you move objects between OUs in a
domain, permissions that are assigned
directly to objects remain the same.
Objects inherit permissions from the new OU.
All permissions that were inherited previously
from the old OU no longer affect the objects.

Moving Objects within Active Directory

Windows Server 2008 provides two
methods for moving objects between
OUs in the same domain:
Drag-and-drop within Active Directory
Users and Computers.
If you wish to move multiple objects,
press and hold the Ctrl key while
selecting the objects you wish to move.

Use the Move menu option within Active

Directory Users and Computers.
You can also use the dsmove command.

Summary
Creating a naming standards document
will assist in planning a consistent
Active Directory environment that is
easier to manage.
Securing user accounts includes
educating users to the risks of attacks,
implementing a strong password policy,
and possibly introducing a smart card
infrastructure into your environment.

Summary
As part of creating a secure environment,
you should create standard user accounts
for administrators and direct them to use
Run as administrator or runas when
performing administrative tasks.
When planning your OU structure, consider
the business function, organizational
structure, and administrative goals for
your network.
Delegation of administrative tasks should
be a consideration in your plan.

Summary
Administrative tasks can be
delegated for a domain, OU, or
container to achieve a decentralized
management structure.
Permissions can be delegated using
the Delegation of Control Wizard.
Verification or removal of these
permissions must be achieved through
the Security tab in the Properties
dialog box of the affected container.

Summary
Moving objects between containers
and OUs within a domain can be
achieved by using the Move menu
command, the drag-and-drop feature
in Active Directory Users and
Computers, or the dsmove utility
from a command line.