Day 5 PPT 1

This document outlines a training module on Windows administration, focusing on managing user accounts, groups, and computer accounts within Active Directory Domain Services (AD DS). It covers tools for administration, creating and configuring user accounts, group management, and delegating administration. Additionally, it addresses best practices for managing permissions and the structure of organizational units.

Windows Administration

Windows Training Day 5


Module Overview: Managing AD DS Objects

• Managing User Accounts
• Managing Groups
• Managing Computer Accounts
• Delegating Administration


Lesson 1: Managing User Accounts

• AD DS Administration Tools
• Creating User Accounts
• Configuring User Account Attributes
• Creating User Profiles
• Demonstration: Managing User Accounts
AD DS Administration Tools

To manage AD DS objects, you can use the following graphical tools:
• Active Directory Administration snap-ins
• Active Directory Administrative Center

You can also use the following command-line tools:
• Active Directory module in Windows PowerShell
• Directory Service commands
Creating User Accounts

[Slide image: the Account section of the Active Directory Administrative Center Create User window]

Configuring User Account Attributes

[Slide image: the Log on hours dialog box]

Creating User Profiles

[Slide image: the Profile section of the User Properties window]
Demonstration: Managing User Accounts

In this demonstration, you will see how to:
• Use the Active Directory Administrative Center to manage user accounts
• Delete a user account
• Create a new user account
• Move the user account
• View the Windows PowerShell History
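The same steps the demonstration performs in the Administrative Center (create a user with profile settings, restrict logon hours, move it to its OU), as an added PowerShell example that is not part of the training deck. It assumes the RSAT ActiveDirectory module, the Adatum.com domain used on the slides, and constructed names for the OUs, the file server (LON-SVR1) and the user (abarr); the logonHours bit layout described in the comments is stated as an assumption.

```powershell
# Added example (not from the training deck). Assumes the ActiveDirectory module,
# the Adatum.com domain and the constructed OUs OU=Staging and OU=Sales.
Import-Module ActiveDirectory

# logonHours is a 21-byte value: 7 days x 24 one-hour bits, Sunday first.
# Assumption (per the attribute definition): bit 0 of byte 0 is Sunday 00:00-01:00 UTC
# and bits are LSB-first within each byte; the GUI dialog converts to local time.
function New-LogonHours {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # UTC hours, EndHour exclusive
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $idx = $d * 3 + [int][math]::Floor($h / 8)
            $bytes[$idx] = [byte]($bytes[$idx] -bor (1 -shl ($h % 8)))
        }
    }
    return $bytes
}

$password = Read-Host -AsSecureString 'Initial password for the new account'

# Create the account in a staging OU; the profile and home folder paths are constructed
$user = New-ADUser -Name 'Adam Barr' -SamAccountName 'abarr' `
    -UserPrincipalName 'abarr@Adatum.com' -GivenName 'Adam' -Surname 'Barr' `
    -Path 'OU=Staging,DC=Adatum,DC=com' `
    -ProfilePath '\\LON-SVR1\Profiles$\abarr' `
    -HomeDirectory '\\LON-SVR1\Home$\abarr' -HomeDrive 'H:' `
    -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true -PassThru

# Restrict logon to Monday-Friday 08:00-18:00 UTC (day 0 = Sunday, so 1..5 = Mon-Fri)
Set-ADUser -Identity $user -Replace @{ logonHours = (New-LogonHours -Days (1..5) -StartHour 8 -EndHour 18) }

# Move the finished account from the staging OU into its business OU
Move-ADObject -Identity $user.DistinguishedName -TargetPath 'OU=Sales,DC=Adatum,DC=com'

# Verify the result; logonHours is shown as hex so the 21 bytes can be eyeballed
Get-ADUser -Identity 'abarr' -Properties ProfilePath, HomeDirectory, logonHours |
    Select-Object Name, DistinguishedName, ProfilePath, HomeDirectory,
        @{ n = 'logonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

The Administrative Center's Windows PowerShell History pane shows the equivalent New-ADUser, Set-ADUser and Move-ADObject calls it issues when the same steps are done in the GUI.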
Lesson 2: Managing Groups

• Group Types
• Group Scopes
• Implementing Group Management
• Default Groups
• Special Identities
• Demonstration: Managing Groups
Group Types

• Distribution groups
  • Used only with email applications
  • Not security-enabled (no SID); cannot be given permissions
• Security groups
  • Security principal with a SID; can be given permissions
  • Can also be email-enabled

Both security groups and distribution groups can be converted to the other type of group.
Group Scopes

Group scope    Members from same domain            Members from trusted external domain   Members from domain in same forest   Can be assigned permissions to resources
Local          U, C, GG, DLG, UG and local users   U, C, GG, UG                           U, C, GG                             On the local computer only
Domain-local   U, C, GG, DLG, UG                   U, C, GG, UG                           U, C, GG                             Anywhere in the domain
Universal      U, C, GG, UG                        N/A                                    U, C, GG, UG                         Anywhere in the forest
Global         U, C, GG                            N/A                                    N/A                                  Anywhere in the domain or a trusted domain

Legend: U = User, C = Computer, GG = Global group, DLG = Domain-local group, UG = Universal group
Implementing Group Management

I   Identities: users or computers, which are members of
G   Global groups, which collect members based on members' roles, which are members of
DL  Domain-local groups, which provide management such as resource access, which are
A   Assigned access to a resource

Example: Sales (Global group) and Auditors (Global group) are members of ACL_Sales_Read (Domain-local group), which is assigned access to the resource.
Default Groups

• Carefully manage the default groups that provide administrative privileges, because these groups:
  • Typically have broader privileges than are necessary for most delegated environments
  • Often apply protection to their members

Group               Location
Enterprise Admins   Users container of the forest root domain
Schema Admins       Users container of the forest root domain
Administrators      Built-in container of each domain
Domain Admins       Users container of each domain
Server Operators    Built-in container of each domain
Account Operators   Built-in container of each domain
Backup Operators    Built-in container of each domain
Print Operators     Built-in container of each domain
Cert Publishers     Users container of each domain
Special Identities

• Special identities:
  • Are groups for which membership is controlled by the operating system
  • Can be used by the Windows Server operating system to provide access to resources:
    • Based on the type of authentication or connection
    • Not based on the user account

• Important special identities include:
  • Anonymous Logon
  • Authenticated Users
  • Everyone
  • Interactive
  • Network
  • Creator Owner
Demonstration: Managing Groups

In this demonstration, you will see how to:
• Create a new group
• Add members to the group
• Add a user to the group
• Change the group type and scope
• Modify the group's Managed By property
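The IGDLA chain from the Implementing Group Management slide and the group changes from this demonstration, scripted end to end as an added PowerShell example (not code from the training deck). It assumes the ActiveDirectory module, the Adatum.com domain from the slides, an existing user abarr, a constructed OU=Groups and a constructed folder D:\Shares\Sales on the machine where it runs; the group names Sales, Auditors and ACL_Sales_Read come from the slide.

```powershell
# Added example (not from the training deck). Assumes the ActiveDirectory module,
# the Adatum.com domain, an existing user 'abarr' and the constructed paths below.
Import-Module ActiveDirectory
$groupOu = 'OU=Groups,DC=Adatum,DC=com'
$share   = 'D:\Shares\Sales'

# G: role groups (global scope) collect identities from the same domain
foreach ($role in 'Sales', 'Auditors') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}
Add-ADGroupMember -Identity 'Sales' -Members 'abarr'            # I -> G

# DL: one resource group (domain-local, security) per access level on the resource
New-ADGroup -Name 'ACL_Sales_Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOu -Description "Read access to $share" -ManagedBy (Get-ADUser 'abarr')
Add-ADGroupMember -Identity 'ACL_Sales_Read' -Members 'Sales', 'Auditors'   # G -> DL

# A: the NTFS permission is assigned once, to the domain-local group, never to users
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'ADATUM\ACL_Sales_Read',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Type and scope changes from the demonstration. Global -> Universal is allowed only
# while the group is not itself a member of another global group.
Set-ADGroup -Identity 'Auditors' -GroupScope Universal
Set-ADGroup -Identity 'Auditors' -GroupCategory Security

# Verify the chain: every identity that ends up with Read on the folder
Get-ADGroupMember -Identity 'ACL_Sales_Read' -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName
```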
Lesson 3: Managing Computer Accounts

• What Is the Computers Container?
• Specifying the Location of Computer Accounts
• Controlling Permissions to Create Computer Accounts
• Performing an Offline Domain Join
• Computer Accounts and Secure Channels
• Resetting the Secure Channel
• Bring Your Own Device
What Is the Computers Container?

[Slide image: Active Directory Administrative Center, opened to the Adatum (local)\Computers container]

Its distinguished name is cn=Computers,DC=Adatum,DC=com
Specifying the Location of Computer Accounts

• Best practice is to create OUs for computer objects
  • Servers
    • Typically subdivided by server role
  • Client computers
    • Typically subdivided by region

• Divide OUs:
  • By administration
  • To facilitate configuration with Group Policy
Controlling Permissions to Create Computer Accounts

[Slide image: the Delegation of Control Wizard window; the administrator is creating a custom delegation for computer objects]
Performing an Offline Domain Join

Offline domain join is used to join computers to a domain when they cannot contact a domain controller.

• Create a domain join file using:

    djoin.exe /Provision /Domain <DomainName> /Machine <MachineName> /SaveFile <filepath>

• Import the domain join file using:

    djoin.exe /RequestODJ /LoadFile <filepath> /WindowsPath <path to the Windows directory of the offline image>
Computer Accounts and Secure Channels

• Computers have accounts
  • sAMAccountName and password
  • Used to create a secure channel between the computer and a domain controller
• Scenarios in which a secure channel can be broken
  • Reinstalling a computer, even with the same name, generates a new SID and password
  • Restoring a computer from an old backup, or rolling back a computer to an old snapshot
  • Computer and domain disagree about what the password is
Resetting the Secure Channel

• Do not delete a computer from the domain and then rejoin it
  • This creates a new account, resulting in a new SID and lost group memberships
• Options for resetting the secure channel
  • Active Directory Users and Computers
  • Active Directory Administrative Center
  • dsmod
  • netdom
  • nltest
  • Windows PowerShell
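The PowerShell option from the list, as an added example that is not part of the training deck: it checks the channel on the member computer, repairs it in place (so the computer object, its SID and group memberships survive, unlike a delete-and-rejoin), and shows the Netlogon event that usually reveals the break. It assumes the Adatum.com domain from the slides and a constructed domain controller name LON-DC1.

```powershell
# Added example (not from the training deck). Run on the member computer whose
# secure channel is in doubt; assumes domain Adatum.com and a constructed DC 'LON-DC1'.
function Repair-MachineSecureChannel {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC to test/repair against
        [Parameter(Mandatory)][pscredential]$Credential # account allowed to reset the computer password
    )
    # $true when the machine account password stored locally matches the one in AD DS
    if (Test-ComputerSecureChannel -Server $Server) {
        return [pscustomobject]@{ Server = $Server; WasBroken = $false; Healthy = $true }
    }
    # -Repair resets the computer account password on both sides without deleting
    # the computer object; SID and group memberships are preserved.
    Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential | Out-Null
    [pscustomobject]@{
        Server    = $Server
        WasBroken = $true
        Healthy   = (Test-ComputerSecureChannel -Server $Server)
    }
}

# Symptom on the client side: NETLOGON event 3210 ("could not authenticate with \\DC")
# is what a broken channel looks like after a snapshot rollback or restore.
function Get-SecureChannelFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Legacy tools named on the slide do the same job:
#   nltest /sc_verify:Adatum.com                      check the channel
#   nltest /sc_reset:Adatum.com                       re-establish it with a DC
#   netdom resetpwd /server:LON-DC1 /userd:ADATUM\<admin> /passwordd:*
Get-SecureChannelFailures
$cred = Get-Credential -Message 'Account allowed to reset this computer account'
Repair-MachineSecureChannel -Server 'LON-DC1.Adatum.com' -Credential $cred
```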
Bring Your Own Device

• AD FS has been enhanced to support BYOD programs
  • Workplace Join creates an AD DS object for consumer devices

• Limit content access to specific devices
  • Using Dynamic Access Control or conditions on permissions, you can limit content access to domain-joined devices

• Support for iOS
  • iOS devices can be workplace-joined as well
Lesson 4: Delegating Administration

• Considerations for Using Organizational Units
• AD DS Permissions
• Effective AD DS Permissions
• Demonstration: Delegating Administrative Permissions
Considerations for Using Organizational Units

• OUs allow you to subdivide the domain for management purposes
• OUs are used for:
  • Delegation of control
  • Application of GPOs
• The OU structure can be:
  • Flat, one to two levels deep
  • Deep, more than 5 levels deep
  • Narrow, anything in between
AD DS Permissions

[Slide image: the Advanced Security Settings for IT dialog box]
Effective AD DS Permissions

• Permissions assigned to users and groups accumulate
• Best practice is to assign permissions to groups, not to individual users
• In the event of conflicts:
  • Deny permissions override Allow permissions
  • Explicit permissions override Inherited permissions
  • Explicit Allow overrides Inherited Deny

To evaluate effective permissions, you can use:
• The Effective Access tab
• Manual analysis
Demonstration: Delegating Administrative Permissions

In this demonstration, you will see how to:
• Create an OU
• Move objects into an OU
• Delegate a standard task
• Delegate a custom task
• View AD DS permissions resulting from these delegations
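Delegating the standard task "Reset user passwords and force password change at next logon" on an OU to a group, then reading the resulting ACEs back in the precedence order from the Effective AD DS Permissions slide, as an added PowerShell example (not from the training deck). It assumes the ActiveDirectory module (for the AD: drive), the Adatum.com domain from the slides, and constructed names for the OU (Sales), the delegated group (HelpDesk) and a user object under the OU; the three GUIDs are the well-known schema and control-right values, which you can confirm against your own schema before relying on them.

```powershell
# Added example (not from the training deck). Assumes the ActiveDirectory module,
# the Adatum.com domain and constructed OU/group/user names.
Import-Module ActiveDirectory
$ouDn = 'OU=Sales,DC=Adatum,DC=com'
$sid  = (Get-ADGroup 'HelpDesk').SID

# Well-known AD DS GUIDs (verify against your schema if in doubt)
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class 'user'
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control right User-Force-Change-Password
$pwdLastSet    = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute pwdLastSet

$acl = Get-Acl -Path "AD:\$ouDn"
# The wizard's standard task is two ACEs, both scoped to user objects beneath the OU
# (Descendents), so the delegation never applies to the OU object itself.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow, $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Manual analysis of what a user object under the OU now carries. The sort reproduces
# the evaluation order behind the slide's rules: explicit Deny, explicit Allow,
# inherited Deny, inherited Allow; the first ACE that decides the request wins.
function Get-OrderedAdAces {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Sort-Object @{ Expression = 'IsInherited' },
                    @{ Expression = 'AccessControlType'; Descending = $true } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
                      ActiveDirectoryRights, ObjectType, InheritanceType
}
Get-OrderedAdAces -DistinguishedName "CN=Adam Barr,$ouDn" | Format-Table -AutoSize
```

ObjectType shows the GUID rather than a name; a row with 00299570-… and ExtendedRight is the password-reset right just granted, and IsInherited = True on the user confirms it arrived through the OU rather than as an explicit ACE on the account.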
Lab Review

• What are the options for modifying the attributes of new and existing users?
• What types of objects can be members of global groups?
• What types of objects can be members of domain-local groups?
• Which two credentials are necessary for any computer to join a domain?
Module Review and Takeaways

• Review Questions
• Best Practices
• Tools
