Active Directory Active Directory AdministrationAdministration

Lesson 5

Skills MatrixSkills Matrix

Technology Skill Objective Domain Objective #

Creating Users, Computers, and Groups

Automate creation of Active Directory accounts

4.1

Creating Users, Computers, and Groups

Maintain Active Directory accounts

4.2

Lesson 5Lesson 5

Understanding User Accounts

Local accounts

Domain accounts

Built-in user accounts

Lesson 5Lesson 5

Understanding Group Accounts

Distribution groups

Security groups

Lesson 5Lesson 5

Working with Default Groups

Account Operators

Administrators

Backup Operators

Certificate Services DCOM Access

Cryptographic Operators

Lesson 5Lesson 5

Working with Default Groups (cont.)

Distributed COM Users

Event Log Readers

Guests

IIS_IUSRS

Incoming Forest Trust Builders

Lesson 5Lesson 5

Working with Default Groups (cont.)

Network Configuration Operators

Performance Log Users

Performance Monitor Users

Pre-Windows 2000 Compatible Access

Print Operators

Lesson 5Lesson 5

Working with Default Groups (cont.)

Remote Desktop Users

Replicator

Server Operators

Terminal

Server License Servers

Lesson 5Lesson 5

Working with Default Groups (cont.)

Users

Windows Authorization Access Group

Allowed RODC Password Replication Group

Cert Publishers

Denied RODC Password Replication Group

Lesson 5Lesson 5

Working with Default Groups (cont.)

DnsAdmins

DnsUpdateProxy

Domain Admins

Domain Computers

Domain Controllers

Lesson 5Lesson 5

Working with Default Groups (cont.)

Domain Guests

Domain Users

Enterprise Admins

Enterprise Read-Only Domain Controllers

Group Policy Creator Owners

Lesson 5Lesson 5

Working with Default Groups (cont.)

RAS and IAS Servers

Read-Only Domain Controllers

Schema Admins

Lesson 5Lesson 5

Understanding Special Identity Groups and Local Groups

Anonymous Logon

Authenticated Users

Batch

Creator Group

Creator Owner

Lesson 5Lesson 5

Understanding Special Identity Groups and Local Groups (cont.)

Dial-up

Digest Authentication

Enterprise Domain Controllers

Everyone

Interactive

Lesson 5Lesson 5

Understanding Special Identity Groups and Local Groups (cont.)

IUSR

Local Service

Network

Network Service

Remote Interactive Logon

Lesson 5Lesson 5

Understanding Special Identity Groups and Local Groups (cont.)

Restricted

Self

Service

System

Terminal Server User

Lesson 5Lesson 5

Developing a Group Implementation Plan

Group implementation plan: A plan that states who has the ability and

responsibility to create, delete, and manage groups

A policy that states how domain local, global, and universal groups are to be used

Lesson 5Lesson 5

Developing a Group Implementation Plan (cont.)

Group implementation plan (cont.): A policy that states guidelines for creating new

groups and deleting old groups

A naming standards document to keep group names consistent

A standard for group nesting

Lesson 5Lesson 5

Creating Users and Groups

Batch files

Comma-Separated Value Directory Exchange (CSVDE)

LDAP Data Interchange Format Directory Exchange (LDIFDE)

Windows Script Host (WSH)

SummarySummary

You LearnedThree types of user accounts exist in Windows Server

2008: local user accounts, domain user accounts, and built-in user accounts. Local user accounts reside on a local computer and are not replicated to other computers by Active Directory. Domain user accounts are created and stored in Active Directory and replicated to all domain controllers within a domain. Built-in user accounts are automatically created when the operating system is installed and when a member server is promoted to a domain controller.

SummarySummary

You Learned (cont.)

The Administrator account is a built-in domain account that serves as the primary supervisory account in Windows Server 2008. It can be renamed, but it cannot be deleted. The Guest account is a built-in account used to assign temporary access to resources. It can be renamed, but it cannot be deleted. This account is disabled by default, and the password can be left blank.

SummarySummary

You Learned (cont.)

Windows Server 2008 group options include two types: security and distribution, and three scopes: domain local, global, and universal.

Domain local groups are placed on the ACL of resources and assigned permissions. They typically contain global groups in their membership list.

SummarySummary

You Learned (cont.)

Global groups are used to organize domain users according to their resource access needs. Global groups are placed in the membership list of domain local groups, which are then assigned the desired permissions to resources.

SummarySummary

You Learned (cont.)

Universal groups are used to provide access to resources anywhere in the forest. Their membership lists can contain global groups and users from any domain. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest.

SummarySummary

You Learned (cont.)

The recommended permission assignment strategy places users needing access permissions in a global group, the global group in a universal group, and the universal group in a domain local group and then assigns permissions to the domain local group.

SummarySummary

You Learned (cont.)

Group nesting is the process of placing group accounts in the membership of other group accounts for the purpose of simplifying permission assignments.

Multiple users and groups can be created in Active Directory by using several methods. Windows Server 2008 offers the ability to use batch files, CSVDE, LDIFDE, and WSH to accomplish your administrative goals.