SlideShare uma empresa Scribd logo
1 de 145
Active directory ds ws2008 r2
Contenido
 Modulo 1 – Introducing Active Directory Domain Services AD DS


 Modulo 2 – Secure and efficient administration of Active Directory


 Modulo 3 – Manage users


 Modulo 4 – Manage groups


 New features of AD DS 2008 R2




                                                                   2
Module 1
         Introducing Active
Directory® Domain Services
                   (AD DS)
Module Overview
 Introducing Active Directory, Identity, and Access
 Active Directory Components and Concepts
 Install Active Directory Domain Services
 Extend IDA with Active Directory Services
Information Protection in a
Nutshell


 It’s all about connecting users to the information they require
 … SECURELY!
 IDA: Identity and Access
 AAA: Authentication, Authorization, Accounting
 CIA: Confidentiality, Integrity, Availability ( & Authenticity)
Identity and Access (IDA)


 Identity: user account         Resource: Shared Folder
 Saved in an identity store     Secured with a security
  (directory database)            descriptor
 Security principal             Discretionary access control
 Represented uniquely by the
                                  list (DACL or “ACL”)
  security identifier (SID)      Access control entries (ACEs
                                  or “permissions”)
Authentication and Authorization
  A user presents credentials that   The system creates a security
  are authenticated using the        token that represents the user
  information stored with            with the user’s SID and all
  the user’s                         related group SIDs
  identity




  A resources is secured with an     The user’s security token is
  access control list (ACL):         compared with the ACL of the
  permissions that pair a SID with   resource to authorize a
  a level of access                  requested level of access
Authentication
Authentication is the process that verifies a user’s identity


Credentials: at least two components required
 • Username                                  • Secret, for example, password


Two types of authentication
 • Local (interactive) Logon –               • Remote (network) logon –
   authentication for logon to the             authentication for access to
   local computer                              resources on another computer
Access Tokens
        User’s Access Token

                User SID


                Member Group
                SIDs

                Privileges
                (“user rights”)

                Other access
                information
Security Descriptors, ACLs and
ACEs
         Security Descriptor

                 System ACL
                 (SACL)

                 Discretionary ACL
                 (DACL or “ACL”)
                  ACE
                  Trustee (SID)
                  Access Mask
                  ACE
                  Trustee (SID)
                  Access Mask
Authorization is the process that determines whether to grant or deny a user a
Authorization
requested level of access to a resource


Three components required for authorization
 • Resource                  • Access Request               • Security Token


                            System finds first ACE in the
User’s Access Token         ACL that allows or denies         Security Descriptor
                            the requested access level           System ACL
    User SID                for any SID in the user’s            (SACL)
                            token
                                                                 Discretionary ACL
    Group SID
                                                                 (DACL or “ACL”)
                                                                   ACE
    List of user                                                   Trustee (SID)
    rights                                                         Access Mask

    Other access                                                   ACE
                                                                   Trustee (SID)
    information                                                    Access Mask
Stand-alone (Workgroup)
Authentication
 The identity store is the security accounts manager (SAM) database on
  the Windows system
 No shared identity store
 Multiple user accounts
 Management of passwords is challenging
Active Directory Domains: Trusted
Identity Store
 Centralized identity store
  trusted by all domain
  members

 Centralized authentication
  service

 Hosted by a server
  performing the role of an
  Active Directory Domain
  Services (AD DS) domain
  controller
Active Directory, Identity, and
Access
 An IDA infrastructure should
    Store information about users, groups, computers and other identities


    Authenticate an identity
         Kerberos authentication used in Active Directory provides single sign-on.
          Users are authenticated only once.


    Control access


    Provide an audit trail


 Active Directory services
    Domain Services (AD DS), Lightweight Directory Services (AD LDS),
      Certificate Services (AD CS), Rights Management Services (AD RMS),
      Federation Services (AD FS)
Active Directory As a Database
 Active Directory is a database
    Each “record” is an object
       Users, groups, computers, …
    Each “field” is an attribute
      Logon name, SID, password, description, membership, …

    Identities (security principals or “accounts”)
 Services: Kerberos, DNS, replication, etc.
                      AD DS is, in the end, a database
               and the services that support or use that database
 Accessing the database
    Windows tools, user interfaces, and components
    APIs (.NET, VBScript, Windows PowerShell)
    Lightweight Directory Access Protocol (LDAP)
Organizational Units
 Containers
    Users
    Computers
 Organizational Units
    Containers that also
     support the management
     and configuration of
     objects using Group
     Policy
    Create OUs to
       Delegate administrative
        permissions
       Apply Group Policy
Policy-Based Management
 Active Directory provides a single point of management for security
  and configuration through policies
    Group Policy
       Domain password and lockout policy
      Audit policy

      Configuration

      Applied to users or computers by scoping a GPO containing
        configuration settings
    Fine-grained password and lockout policies ( new feature)
The Active Directory Data Store
 %systemroot%NTDSntds.dit
 Logical partitions
    Domain naming context
                                                    Schema
    Schema
    Configuration                                Configuration
    Global catalog (aka Partial Attribute Set)
    DNS (application partitions)                  *Domain*
 SYSVOL
    %systemroot%SYSVOL          NTDS.DIT            DNS
    Logon scripts
    Policies
                                                      PAS
Domain Controllers
 Servers that perform the AD DS role
    Host the Active Directory database (NTDS.DIT) and SYSVOL
      Replicated between domain controllers
    Kerberos Key Distribution Center (KDC) service: authentication
    Other Active Directory services
 Best practices
    Available: at least two in a domain
    Secure: Server Core, Read-only domain controllers (RODCs)
Domain
 Made up of one or more DCs
 All DCs replicate the Domain naming
  context (Domain NC)
    The domain is the context within which
     Users, Groups, Computers, and so on are
     created
    “Replication boundary”
 Trusted identity source: Any DC can
  authenticate any logon in the domain
 The domain is the maximum scope
  (boundary) for certain administrative policies
    Password
    Lockout
Replication
 Multimaster replication
    Objects and attributes in the database
    Contents of SYSVOL are replicated
 Several components work to create an efficient and robust replication
  topology and to replicate granular changes to AD
 The Configuration partition of the database stores information about
  sites, network topology, and replication
                              DC1                        DC3




                                              DC2
Sites
 An Active Directory object that represents a well-connected portion of
  your network
    Associated with subnet objects representing IP subnets
 Intrasite vs. intersite replication
    Replication within a site occurs very quickly (15-45 seconds)
    Replication between sites can be managed
 Service localization
    Log on to a DC in your site
                                                               Site B




                  Site A
Tree
 One or more domains in a single instance of AD DS that
  share contiguous DNS namespace




                                treyresearch.net


            proseware.com




                          antarctica.treyresearch.net
Forest
 A collection of one or more Active Directory domain trees
 First domain is the forest root domain
 Single configuration and schema
  replicated to all DCs in the forest
 A security and replication boundary
The Global Catalog
                                       Domain A
 Partial Attribute Set or
  Global Catalog                          PAS
 Contains every object in
  every domain in the forest

 Contains only selected
  attributes                   Domain B
                                 PAS
 A type of index

 Can be searched from any
  domain

 Very important for many
  applications
Functional Level
 Domain functional levels

 Forest functional levels

 New functionality requires that domain controllers are running a particular version of
  Windows
    Windows 2000
    Windows Server 2003
    Windows Server 2008
    Windows Server 2008 R2

 Cannot raise functional level
  while DCs are running previous
  versions of Windows

 Cannot add DCs running
  previous versions of Windows
  after raising functional level
DNS and Application Partitions
 Active Directory and DNS are tightly
  integrated

 One-to-one relationship between the DNS         Schema
  domain name and the logical domain unit
  of Active Directory                           Configuration

 Complete reliance on DNS to locate
  computers and services in the domain            Domain

 A domain controller acting as a DNS server        DNS
  can store the zone data in Active Directory
  itself—in an application partition
                                                    PAS
Trust Relationships
 Extends concept of trusted identity store to another domain
 Trusting domain (with the resource) trusts the identity store and
  authentication services of the trusted domain
 A trusted user can authenticate to, and be given access to resources in,
  the trusting domain
 Within a forest, each domain trusts all other domains
 Trust relationships can be established with external domains




                Trusted domain
                             Trusting domain
Lesson 3: Install Active Directory
Domain Services
 Install Windows Server 2008
 Server Manager and Role-Based Configuration of
  Windows Server 2008
 Prepare to Create a New Forest with Windows Server
  2008
 Install and Configure a Domain Controller
Install Windows Server 2008
 Boot with installation media (DVD)
 Follow prompts and select the operating system to
 install
Server Manager and Role-Based
Configuration of Windows Server 2008
 Windows Server 2008 has minimal footprint
 Functionality is added as roles or features
 Server Manager: role and feature configuration along
  with the common administrative snap-ins for the
  server
Prepare to Create a New Forest
with Windows Server 2008
 Domain’s DNS name (18eneroXX.com)
 Domain’s NetBIOS name (18eneroXX)
 Whether the new forest will need to support DCs running previous
  versions of Windows (affects choice of functional level)
 Details about how DNS will be implemented to support AD DS
    Default: Creating domain controller adds DNS Server role as well
 IP configuration for the DC
    IPv4 and, optionally, IPv6
 Username and password of an account in the server’s
  Administrators group. Account must have a password.
 Location for data store (ntds.dit) and SYSVOL
    Default: %systemroot% (c:windows)
Install and Configure a Domain
1Controller
   Install the Active Directory Domain Services role
  using the Server Manager

   Run the Active Directory Domain Services
2 Installation Wizard

3 Choose the deployment configuration

4 Select the additional domain controller features

   Select the location for the database, log files, and
5 SYSVOL folder

   Configure the Directory Services Restore
6 Mode Administrator Password
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain
Install and Configure a Domain




                            54
Install and Configure a Domain




                            55
Install and Configure a Domain




                            56
Lesson 4: Extend IDA with Active
Directory Services
 Active Directory Lightweight Directory Services (AD
  LDS)
 Active Directory Certificate Services (AD CS)
 Active Directory rights Management Services (AD
  RMS)
 Active Directory Federation Services (AD FS)
Active Directory Lightweight
Directory Services (AD LDS)
 Standalone version of Active Directory
    Used to support applications that require a directory store
    Allow customization without impact to production Active Directory
 Characteristics
    A subset of AD DS functionality, sharing the same code
        Schema, Configuration, and Application partitions
        Replication
    Not dependent upon AD DS
    Can use AD DS to authenticate Windows security principals
    Can run multiple instances on a single server
Active Directory Certificate
Services (AD CS)
 Extends the concept of trust
    A certificate from a trusted certificate authority (CA) proves identity
    Trust can be extended beyond the boundaries of your enterprise, as
     long as clients trust the CA of the certificates you present

 Creates a public key infrastructure (PKI)
    Confidentiality, Integrity, Authenticity, Non-Repudiation

 Many uses
   Internal-only or external, Secure Web sites (SSL), VPN, Wireless
    authentication and encryption, Smart card authentication

 Integration with AD DS powerful, but not required
Active Directory Rights
Management Services (AD RMS)
 Ensures the integrity of information
    Traditional model: ACL defines access. No restriction on use.
    AD RMS: Ensures access is limited and defines use.
 Examples
    Limit access to specified individuals
    View e-mail but do not forward or print
    View and print document but cannot change or e-mail
 Requires
    AD RMS
         IIS, Database (SQL Server or Windows Internal Database)
    AD DS
    RMS enabled applications including Microsoft Office applications,
     Internet Explorer
Active Directory Federation
Services (AD FS)
 Extends the authority of AD DS to authenticate users
 Traditional “trust”
    Two Windows domains
    Numerous TCP ports open in firewalls
    “Everyone” from trusted domain is trusted
 AD FS uses Web services technologies to implement trust
    One AD DS/LDS directory; other side can be Active Directory or
     other platforms
    Port 443: transactions are secure and encrypted
    Rules specifying which users from trusted domain are trusted
 Uses
    Business-to-business: partnership
    Single sign-on
Module 2
Secure and Efficient
  Administration of
  Active Directory®
Module Overview
 Work with Active Directory Snap-Ins
 Custom Consoles and Least Privilege
 Find Objects in Active Directory
 Use DS Commands to Administer Active Directory
Lesson 1: Work with Active
Directory Snap-ins
 The MMC Console
 Active Directory Administration Snap-ins
 Find Active Directory Snap-ins
 Demonstration: Basic Administration with Active
 Directory Users and Computers
The MMC Console
           Show/Hide      Show/Hide
          Console Tree   Actions Pane




                            Details
Console Tree                            Actions Pane
                             Pane
Active Directory Administration
Snap-ins
 Active Directory Users and Computers
    Manage most common day-to-day objects, including
     users, groups, computers, printers, and shared folders
 Active Directory Sites and Services
    Manage replication, network topology, and related
     services
 Active Directory Domains and Trusts
    Configure and maintain trust relationships and the
     domain and forest functional level
 Active Directory Schema
    Administer the Schema
Demonstration: Create a Custom MMC
Console for Administering Active Directory
In this demonstration, you will learn:
 How to create a custom MMC console with multiple
  snap-ins
 How to register the Active Directory Schema snap-in
   Open a command prompt as administrator, then type
    regsvr32.exe schmmgmt.dll and press Enter
 Where to save a custom console
Find Active Directory Snap-ins
 Active Directory snap-ins are installed on a domain controller
    Server Manager: Users and Computers, Sites and Services
    Administrative Tools folder
 Install the RSAT on a member client or server
    Windows Server® 2008
        Server Manager  Features  Add Feature  Remote Server
         Administration Tools
    Windows Vista® SP1, Windows 7
        Download RSAT from www.microsoft.com/downloads
        Double-click the file, then follow the instructions in the Setup Wizard.
        Control Panel  Programs And Features  Turn Windows Features On
         Or Off  Remote Server Administration Tools
        Need Activation via Control Panel
Secure Administration with Least Privilege,
Run As Administrator, and User Account Control
 Maintain at least two accounts
    A standard user account
    An account with administrative
     privileges
 Log on to your computer as a
  standard user
    Do not log on to your computer
     with administrative credentials
 Launch administrative consoles
  with Run As Administrator
   1. Right-click the console and click
     Run As Administrator
   2. Click Use another account
   3. Enter the username and
     password for your administrative
     account
Find Objects in Active Directory
 When you assign permissions to a folder or file
   Select the group or user to which permissions are assigned
 When you add members to a group
   Select the user or group that will be added as a member
 When you configure a linked attribute such as Managed By
   Select the user or group that will be displayed
    on the Managed By tab
 When you need to administer a user, group, or computer
   Perform a search to locate the object in Active Directory,
    instead of browsing for the object
Options for Locating Objects in Active Directory
Users and Computers
       Sorting: Use column    Searching: Provide
       headings in Active     the criteria for
       Directory Users and    which you want to
       Computers to find      search
       the objects based on
       the columns
Demonstration: Control the View of Objects in
Active Directory Users and Computers
In this demonstration, you will learn:
 How to add or remove columns in the details pane
 How to sort objects based on columns in the details
  pane
Demonstration: Use the Find
Command
In this demonstration, you will learn:
 How to search for objects in Active Directory using the
  Find command
Determine Where an Object is
Located
1. Ensure that Advanced Features is selected in the
     View menu of the MMC console
2.   Find the object
3.   Open its Properties dialog box
4.   Click the Object tab
5.   View the Canonical name of object
Demonstration: Use Saved Queries
In this demonstration, you will learn:
 How to create a saved query
 How to distribute a saved query
 Why saved queries are an efficient and effective tool
  for administration
Lesson 4: Use DS Commands to Administer
Active Directory
 DNs, RDNs, and CNs
 The DS Commands
 Find Objects with DSQuery
 Retrieve Object Attributes with DSGet
 Pipe NDs to Other DS Commands
 Modify Object Attributes with DSMod
 Delete an Object with DSRm
 Move an Object with DSMove
 Add an Object with DSAdd
 Administration without the GUI
DNs, RDNs, and CNs
Common Name (CN)    Distinguished Name (DN)

 cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com


      Relative Distinguished Name (RDN)


 ou=Employees,ou=User Accounts,dc=contoso,dc=com


                    Distinguished Name (DN)


   DN must be completely unique
   RDN must therefore be unique within the parent
    container
The DS Commands
 DSQuery. Performs a query based on parameters
    provided at the command line and returns a list of
    matching objects
   DSGet. Returns specified attributes of an object
   DSMod. Modifies specified attributes of an object
   DSMove. Moves an object to a new container or OU
   DSAdd. Creates an object in the directory
   DSRm. Removes an object, all objects in the subtree
    beneath a container object, or both

 DScommand /?
    For example: dsquery /?
Find Objects with DSQuery
 dsquery objectType
    objectType: user, computer, group, ou
    By default, search scope is the entire domain
    -limit switch to specify number of results
         100 is default
         0 means “return all results”

 dsquery objectType –attribute “criteria”
    attribute is objectType specific: dsquery objectType /?
    Examples for user: -name, -samid, -office, -desc
    criteria in quotes if there is a space. Wildcards (*) allowed

 dsquery objectType BaseDN
  –scope {subtree|onelevel|base}
    Specify search start and scope
Find Objects with DSQuery
Retrieve Object Attributes with
DSGet
 dsget objectType objectDN -attribute
  Common syntax for many DS commands
 dsget user "cn=Jeff Ford,ou=Employees,ou=User
  Accounts,dc=contoso,dc=com" -email

 What is the difference between DSGet and DSQuery?
Pipe DNs to Other DS Commands
       Typing DNs is difficult!
          dsget user "cn=Jeff Ford,ou=Employees,ou=User
           Accounts,dc=contoso,dc=com" –email

       DSQuery returns DNs
          dsquery user -name "Jeff Ford"
           > "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com“

       Pipe (send) the DNs from DSQuery to DSGet with |
          dsquery user -name "Jeff Ford" | dsget user –email
          Or multiple results:
           dsquery user -name "Dan*" | dsget user –email

       DSGet can return DNs from some attributes as well
          dsget group groupDN -members | dsget user -samid
Modify Object Attributes with
DSMod
 dsmod objectType "objectDN" -attribute "new value"
 dsmod user "cn=Jeff Ford,ou=Employees,ou=User
  Accounts,dc=contoso,dc=com" -dept "Information
  Technology"
 dsquery user "ou=Admins,dc=contoso,dc=com" |
  dsmod user -department "Information Technology"
Delete an Object with DSRm
 dsrm objectDN
  Note that DSRm does not take an objectType
 dsrm "cn=DESKTOP234,ou=Client
  Computers,dc=contoso,dc=com"
 dsquery computer -stalepwd 90 | dsrm
Move an Object with DSMove
 dsmove objectDN –newparent targetOUDN
  objectDN: object to be moved
  targetOUDN: target (destination) OU
 dsmove objectDN –newname newName
  objectDN: object to be moved
  newName: new name for object (used in the RDN)
Add an Object with DSAdd
 dsadd objectType objectDN -attribute "value"
  objectType: class of object to add
  objectDN: OU in which to create object
  -attribute "value": attributes to populate
       Each object class has required attributes
 dsadd ou "ou=Lab,dc=contoso,dc=com"
Administration Without the GUI
 Command Prompt
    DS commands
    csvde.exe and ldifde.exe
 LDAP, search tool
    ldp.exe
 Windows PowerShell
 Scripting
    Windows PowerShell scripts
    VBScript
Module 3
Manage Users
Module Overview
 Create and Administer User Accounts
 Configure User Object Attributes
 Automate User Account Creation
Lesson 1: Create and Administer User
Accounts
 User Account
 Demonstration: Create a User Object
 Create Users with DSAdd
 Name Attributes
 Rename a User Account
 Account Attributes
 Reset a User’s Password
 Unlock a User Account
 Disable and Enable a User Account
 Delete a User Account
 Move a User Account
Create Users with DSAdd
 dsadd user "UserDN" –samid pre-Windows 2000 logon name –pwd {
  password | * } –mustchpwd yes
    UserDN. Distinguished name of user to create
    -samid. Required for new account
        Pre-Windows 2000 logon name. The “downlevel” logon name
         that can be used in the logon format domainusername and that
         becomes %username%
    -pwd password. The desired initial password
        Asterisk (*) will prompt you to enter it at the command prompt, so
         that the plain text password is not entered with the command
    -mustchpwd { yes | no }. User must change password at next
     logon
 Lots of optional attributes, including
    -email
    -hmdir & -profile

                             Can use $username$ token to represent the
                             value of –samid; for example,
                             -profile server01users$username$profile
Name Attributes                                        CONTOSOTony.Krijnen

 User logon name (pre-Windows 2000): sAMAccountName
    Unique in domain
    20-character limit                               Tony.Krijnen@contoso.com
 User logon name: userPrincipalName (UPN)
    Name + @ + UPN suffix
    Unique in forest                                              Tony Krijnen
 Name or Full Name: cn (common name)
    Unique in OU so that the relative distinguished name (RDN) is
     unique in the OU, so that, in turn, the object’s distinguished name
     (distinguishedName attribute) is unique in the forest
 Display name: displayName                                       Krijnen, Tony
    Exchange global address list (GAL)
    Best if unique, but not technically required to be unique
Rename a User Account
 In Active Directory Users and Computers:
    1.   Right-click the user, and then click Rename.
    2.   Type the new common name (CN), and press Enter.
    3.   Type the Full Name (which maps to cn and name)
    4.   Type the First Name and Last Name.
    5.   Type the Display Name.
    6.   User Logon Name and User Logon Name (Pre-Windows 2000).
   dsmod user UserDN [-upn UPN][-fn FirstName][-mi Initial][-ln
    LastName]
    [-dn DisplayName][-email EmailAddress]
        You cannot change the user logon names or CN with DSMod
 dsmove user UserDN -newname "New CN"
Account Attributes
   Logon Hours: logonHours
   Log On To: userWorkstations
   User must change password at next logon
   User cannot change password
   Password never expires
   Account is disabled
   Store password using reversible encryption
   Smart Card is required for interactive logon
   Account is trusted for delegation
   Account expires
Reset a User’s Password
 A user forgets his or her password and attempts to log on


 In Active Directory Users and Computers, right-click the
  user object and click Reset Password


 Best practices
    Assign a temporary, unique, strong password to the user
    Select User must change password at next logon
    Communicate the password to the user in a secure manner
 dsmod user UserDN –pwd NewPassword -mustchpwd yes
Unlock a User Account
 In Active Directory Users and
  Computers, right-click the user
  object and click Properties.
  Click the Account tab, and then
  select Unlock Account.

 In the Reset Password dialog
  box, select Unlock the user’s
  account.

 Watch out for drives mapped
  with alternate credentials. A
  leading cause of account
  lockout is when the alternate
  credentials’ password changes.
Disable and Enable a User Account
 In Active Directory Users and Computers, right-click
  the user object and click Disable Account or Enable
  Account
 dsmod user UserDN –disabled {yes|no}
Delete a User Account
 In Active Directory Users and Computers, select the
  user and press Delete or right-click the user object
  and click Delete
 dsrm UserDN
 When you delete an account, you lose
    The group memberships
    The security identifier (SID)
 Common practice
    Disable the account and move it to an OU for disabled
     objects
    After a period of time, delete the account
Move a User Account
 In Active Directory Users and Computers, right-click
  the user and then click Move
  or
  drag the user object and drop it onto the destination
  OU
 dsmove UserDN –newparent TargetOUDN
Lesson 2: Configure User Object
Attributes
 Demonstration: A Tour of User Attributes
 View All Attributes
 Modify Attributes of Multiple Users
 Modify User Attributes with DSMod and DSGet
 Demonstration: Create Users with Templates
 Create Users with Templates
Demonstration: A Tour of User
Attributes
In this demonstration, you will learn:
 How to access the properties of a user
 The role of each tab in the user Properties dialog box
View All Attributes
 The Attribute Editor
 In Active Directory Users
 and Computers, click the
 View menu, then select
 Advanced Features
Modify Attributes of Multiple Users
 How to do it
    Select multiple users (for example, by using CTRL+click)
    Right-click any one of the selected users, and then click Properties
 Attributes that can be modified
    General: Description, Office, Telephone Number, Fax, Web Page, E-
       mail
      Account: UPN Suffix, Logon Hours, Computer Restrictions (logon
       workstations), all Account Options, Account Expires
      Address: Street, P.O. Box, City, State/Province, ZIP/Postal Code,
       Country/Region
      Profile: Profile Path, Logon Script, Home Folder
      Organization: Title, Department, Company, Manager
Manage User Attributes with
DSMod and DSGet
 DSMod modifies the attributes of object(s)
   dsmod user UserDN… [-parameter value …]
    UserDN …. distinguishedName of the user(s) to modify
    Parameter. Attribute to modify. dsmod user /?
        Often does not map to the same name as LDAP
         (dsmod dept vs. LDAP department)
 DSGet gets (returns) the value of attributes of object(s)
   dsget user UserDN… [-parameter …]
    dsget user /?
 DSQuery can return objects based on search criteria
  and pipe those objects to DSGet and DSMod
    dsquery user -desc "Marketing Task Force" |
     dsget user -email
Demonstration: Create Users with
Templates
In this demonstration you will learn:
 What a template user account is, and why it is useful
 How to create a template user account
 How to copy a template user account
Create Users with Templates
 General tab. No properties are copied
 Address tab. P.O. box, city, state or province,
  ZIP or postal code, and country or region
  are copied
    Note that the street address itself is not copied
 Account tab. Logon hours, logon workstations, account
  options, and account expiration
 Profile tab. Profile path, logon script, home drive, and
  home folder path
 Organization tab. Department, company, and manager
 Member Of tab. Group membership and primary group
Lesson 3: Automate User Account
Creation
 Export Users with CSVDE
 Import Users with CSVDE
 Import Users with LDIFDE
Export Users with CSVDE
                                      Export



                                      • CSVDE.exe


             filename.ldf                                    Active Directory

                                       Import
 CSV (comma-separated value, or comma-delimited text)
    Can be edited with simple text editors (Notepad) or Microsoft Office Excel®

 CSVDE.exe
    csvde -f filename -d RootDN -p SearchScope -r Filter -l
     ListOfAttributes

    RootDN. Start of export (default = domain)

    SearchScope. Scope of export (Base,OneLevel,Subtree)

    Filter. Filter within the scope (LDAP query language)

    ListOfAttributes. Use the LDAP name
Import Users with CSVDE
                                  Export



                                  • CSVDE.exe


            filename.ldf                               Active Directory

                                    Import


 CSVDE.exe
    csvde –i -f filename [-k]
    i. Import – default mode is export
    k. Continue past errors (such as Object Already Exists)
 Cannot import passwords, so users are created as disabled
 Cannot modify existing users
Import Users with LDIFDE
                                            Export



                                            • LDIFDE.exe


               filename.ldf                                     Active Directory

                                             Import


 LDAP Data Interchange Format (LDIF)
 LDIFDE.exe
     ldifde [-i] [-f filename] [-k]
     i. Import – default mode is export
     k. Continue past errors (such as Object Already Exists)
 Cannot import passwords, so users are created as disabled
 Can modify or remove existing users
Administration Without the GUI
 Command Prompt
    DS commands
    csvde.exe and ldifde.exe
 LDAP, search tool
    ldp.exe
 Windows PowerShell
 Scripting
    Windows PowerShell scripts
    VBScript
Module 4
Manage Groups
Module Overview
 Manage an Enterprise with Groups
 Administer Groups
 Best Practices for Group Management
Lesson 1: Manage an Enterprise
with Groups
   Demonstration: Create a Group Object
   Access Management Without Groups
   Groups Add Manageability
   Groups Add Scalability
   One Type of Group Is Not Enough
   Role-Based Management: Role Groups and Rule Groups
   Define Group Naming Conventions
   Group Type
   Group Scope
   Local Groups
   Global Groups
   Universal Groups
   Group Scope Possibilities Summarized
   Manage Group Membership
   Develop a Group Management Strategy (IGDLA)
   Role-Based Management and Windows Group Management
    Strategy
Access Management Without
Groups




Identity       Access Management   Resource
Groups Add Manageability




Identity       Group           Resource
           Access Management
Groups Add Scalability




Identity       Group
           Access Management
                               Resource
One Type of Group Is Not Enough




Identity   Group   Access Management   Resource
Role-Based Management: Role Groups and Rule Groups




 Identity   Role Group    Rule Group          Resource
                         Access Management
Define Group Naming Conventions
 Name properties
    Group name. cn and name of group -- unique within OU
    Group name (pre-Windows 2000). sAMAccountName of
     group -- unique in domain
    Use the same name (unique in the domain) for both properties
 Naming conventions
    Role groups. Simple, unique name, such as Sales or
     Consultants
    Management groups. For example, ACL_Sales Folders_Read
        Prefix. Management purpose of group, such as ACL
        Resource identifier. What is managed, such as Sales Folders
        Suffix. Access level, such as Read
        Delimiter. Separates name components, such as underscore (_)
Group Type
  Distribution groups

      Used only with e-mail applications
      Not security-enabled (no SID);
      cannot be given permissions



  Security groups

     Security principal with a SID;
     can be given permissions
     Can also be e-mail enabled
Group Scope
 Four group scopes
    Local
    Global
    Domain Local
    Universal
 Characteristics that distinguish each scope
    Replication. Where are the group and its membership
     stored?
    Membership. What types of objects, from which domains,
     can be members of the group?
    Availability (Scope). Where can the group be used? In what
     scopes of groups can the group be a member? Can the group
     be added to an ACL?
Local Groups
 Replication
    Defined in the security accounts manager (SAM) of a domain member or
     workgroup computer
    Membership not replicated to any other system

 Membership: Local group can include as members
    Any security principals from the domain: users (U), computers (C), global
     groups (GG), or domain local groups (DLG)
    U, C, GG from any domain in the forest
    U, C, GG from any trusted domain
    Universal groups (UG) defined in any domain in the forest

 Availability/scope
    Limited to the machine on which the group is defined; can be used for ACLs on
     the local machine only
    Cannot be a member of any other group
Domain Local Groups
 Replication
    Defined in the domain naming context
    Group and membership replicated to every DC in domain
 Membership: Domain local group can include as members
    Any security principals from the domain: U, C, GG, DLG
    U, C, GG from any domain in the forest
    U, C, GG from any trusted domain
    UG defined in any domain in the forest
 Availability/scope
    Can be on ACLs on any resource on any domain member
    Can be a member of other domain local groups or of machine local
     groups
 Well suited for defining business management rules
Global Groups
 Replication
     Defined in the domain naming context
     Group and membership is replicated to every DC in domain


 Membership: Global group can include as members
     Only security principals from the same domain: U, C, GG, DLG


 Availability/scope
     Available for use by all domain members, all other domains in the forest, and
      all trusting external domains
     Can be on ACLs on any resource on any computer in any of those domains
     Can be a member of any DLG or UG in the forest, and of any DLG in a trusting
      external domain

 Well suited for defining roles
Universal Groups
 Replication
    Defined in a single domain in the forest
    Replicated to the global catalog (forestwide)

 Membership: Universal group can include as members
    U, C, GG, and UG from any domain in the forest

 Availability/scope
    Available to every domain and domain member in the forest
    Can be on ACLs on any resource on any system in the forest
    Can be a member of other UGs or DLGs anywhere in the forest

 Useful in multidomain forests
    Defining roles that include members from multiple domains
    Defining business management rules that manage resources in multiple
     domains in the forest
Group Scope Possibilities
Summarized                            Members
                                    from Domain
                                                    Members
                                                  from Trusted
                                                                     Can be
                                                                    Assigned
                   Members from        in Same       External     Permissions to
 Group Scope       Same Domain          Forest       Domain         Resources
Local             U, C,             U, C,         U, C,          On the local
                  GG, DLG, UG       GG, UG        GG             computer only
                  and local users
Domain Local      U, C,             U, C,         U, C,          Anywhere in the
                  GG, DLG, UG       GG, UG        GG             domain
Universal         U, C,             U, C,         N/A            Anywhere in the
                  GG, UG            GG, UG                       forest
Global            U, C,             N/A           N/A            Anywhere in the
                  GG                                             domain or a
                                                                 trusted domain

 U          User
 C          Computer
 GG         Global Group
 DLG        Domain Local Group
 UG         Universal Group
Manage Group Membership
 Methods
   The group's Members tab (Add/Remove)
   The member's Member Of tab (Add/Remove)
   The member's Add to a group command (Add)

 You are always changing the member attribute
    memberOf is a backlink attribute updated by Active Directory

 Changes to membership do not take effect immediately
    Requires logon (for a user) or startup (for a computer)
    Token built with SIDs of member groups at those times
    Account for replication of membership change to the user or
     computer's domain controller
    Tip: Change group membership on a DC in the user's site
Develop a Group Management
Strategy (IGDLA)
 Identities (users or computers)
    are members of
   Global groups
    that collect members based
    on those members' roles
    which are members of
   Domain Local groups
    that provide
    management
    of some kind, such
    as management of
    resource access
    which are
   Assigned Access to a resource (for example, on an ACL)
   Multi-domain forest: IGUDLA
Role-Based Management and Windows Group Management
Strategy




                        Access Management
Identity   Role Group    Rule Group          Resource
Identity     Global     Domain Local         Access
Lesson 2: Administer Groups
 Create Groups with DSAdd
 Import Groups with CSVDE
 Import Groups with LDIFDE
 Convert Group Type and Scope
 Modify Group Membership with DSMod
 Modify Group Membership with LDIFDE
 Retrieve Group Membership with DSGet
 Copy Group Membership
 Move and Rename Groups
 Delete Groups
Lesson 3: Best Practices for Group
Management
 Best Practices for Group Documentation
 Protect Groups from Accidental Deletion
 Delegate Membership Management with the Managed
  By Tab
 Default Groups
 Special Identities
Best Practices for Group
Documentation
 Why document groups?
    Easier to find them when you need them
    Easier to understand how and when to use a group
 Establish and adhere to a strict naming convention
    Prefix, for example, helps distinguish
      APP_Budget from ACL_Budget_Edit
    Prefix helps you find the group in the Select dialog
      box
 Summarize a group's purpose with its description
    Appears in Active Directory Users and Computers
      details pane
 Detail a group's purpose in its Notes field
Protect Groups from Accidental
Deletion
1. In the Active Directory Users and Computers snap-
   in, click the View menu and make sure that
   Advanced Features is selected.
2. Open the Properties dialog box for a group.
3. On the Object tab, select the Protect Object From
   Accidental Deletion check box.
4. Click OK.
Delegate Membership Management
with the Managed By Tab
 The Managed By tab serves two
  purposes:
    Provide contact information for who
     manages the group
    Allow specified user (or group) to
     modify group membership if
     Manager Can Update Membership
     List is selected
 Tips
    Must click OK (not just Apply)
     to change the ACL on the group
    To set a group in the Name box,
     click Change, then click
     Object Types, and then click Groups
Default Groups
 Default local groups in the BUILTIN and Users containers
    Enterprise Admins, Schema Admins, Administrators, Domain
     Admins, Server Operators, Account Operators, Backup Operators,
     Print Operators
 Reference to their rights and privileges in Student Manual
    Know these rights for the certification exams
 Problems with these groups
    Highly overdelegated
        Account Operators, for example, can log on to a DC
    Protected
        Users who are members of these groups become protected and are not
         un-protected when removed
 Best practice: Keep these groups empty and create custom
  groups with the rights and privileges you require
Special Identities
 Membership is controlled by Windows:
    Cannot be viewed, edited, or added to other groups
    Can be used on ACLs
 Examples
    Anonymous Logon. Represents connections to a computer
     without a username and password
    Authenticated Users. Represents identities that have been
     authenticated, but does not include the Guest identity
    Everyone. Includes Authenticated Users and Guest (but not
     Anonymous Logon by default in Windows Server 2003/2008)
    Interactive. Users logged on locally or with Remote Desktop
    Network. Users accessing a resource over the network
Nuevas funcionalidades
 Active Directory Domain Services
    Active Directory Recycle Bin
       Permite recuperar objetos eliminados accidentalmente
       AD DS y AD LDS
       Habilitar Recyle Bin es irreversible (Deshabilitado por defecto.
        Requiere nivel funcional WS2008R2)
       Para habilitarla
          PowerShell

          Ldp.exe

       Se pueden recuperar objetos hoja y objetos padre como
        contenedores o UO
       180 días en Recicle Bin y 180 tombstoned

                   Windows Server 2008 R2                          149
Nuevas funcionalidades
 Active Directory Domain Services
  Active Directory Administrative Center
    Reemplazar herramientas
      AD Users and Computers
      AD Sites and Services
      AD Domains and Trusts
    Construido sobre PowerShell 2.0
    Enumera actividades y tareas habituales de gestión como:
      Tareas de mantenimiento
      Backup
      Gestión de usuarios
      Diagnóstico

                  Windows Server 2008 R2                        150
Nuevas funcionalidades
 Active Directory Domain Services
  Offline Domain Join
    Añadir el equipo al dominio sin necesidad de conexión de red con
     el dominio
    Djoin.exe
      Servidor: djoin /PROVISION /DOMAIN midominio.local /MACHINE
       equipo/SAVEFILE c:fichero
      Cliente:djoin /REQUESTODJ /LOADFILE c: /WINDOWSPATH
       %SystemRoot%
    El equipo se añade al dominio en el primer inicio de sesión
     después de la instalación del SO.
    No requiere reiniciar el equipo.
    Disponible únicamente para Windows 7 y WS 2008 R2
                  Windows Server 2008 R2                           151
Nuevas funcionalidades
 Active Directory Domain Services
    Managed Service Accounts
        Evitar que aplicaciones o servicios dejen de estar activos debido a
         aspectos relacionados con la autenticación.
            Bloqueos de cuentas
            Cuentas deshabilitadas

        Facilita y mejora la gestión de las cuentas usadas para este fin
        Sin contraseña
            New-ADServiceAccount -Name NOMBRE_CUENTA -Path “cn=Managed
             Service Accounts, dc=DOMINIO, dc=DOMINIO”

        Con contraseña
            New-ADServiceAccount NOMBRE_CUENTA -AccountPassword
             (ConvertTo-SecureString -AsPlainText “CONTRASEÑA” -Force) -Enabled
             $true -Path “cn=Managed Service Accounts, dc=DOMINIO,
             dc=DOMINIO”
                       Windows Server 2008 R2                                  152
Nuevas funcionalidades
 Active Directory Domain Services
   Active Directory Best Practices Analyzer. BPA
      Identifica desviaciones sobre las mejores prácticas y comportamientos inesperados
       de: Windows 2000, Server 2003, Server 2008 y Server 2008 R2
      Utiliza PowerShell para recopilar datos
      Está disponible para los siguientes roles
         AD DS
         AD CS
         DNS
         TS
      Disponible para los siguientes ediciones
         Standard, Enterprise, Datacenter




                        Windows Server 2008 R2                                    153
Nuevas funcionalidades
 Active Directory Domain Services
    Authentication Mechanism Assurance
         Otorga a los usuarios membresía adicional en su access token en función del método
          utilizado para realizar el inicio de sesión.

         Requiere Windows Server 2008 R2 y una infraestructura de autenticación basada en
          certificados.

         Permite controlar
             Acceso a recursos
                Archivos
                Ficheros
                Impresoras


         Usa políticas de certificado que son mapeadas a grupos de seguridad.

         Uso típico: SmartCard con certificado asociado

         No habilitada por defecto.

                           Windows Server 2008 R2                                      154
Nuevas funcionalidades
 Active Directory Domain Services
    Active Directory Management Pack
       Habilita monitoreo proactivo de
         Disponibilidad

         Rendimiento

       Detecta estados de equipos y software en función de
        definiciones de estado.
       Disponible para WS 2008, WS 2008 R1 y SCOM 2007.




                  Windows Server 2008 R2                      155
Nuevas funcionalidades
 Active Directory Domain Services
    Active Directory Bridgehead Server Selection
        Bridgehead es un DC que realiza las funciones de ruta
         primaria de la replicación de datos de AD entre sites.
        KCC dinámicamente selecciona un DC de cada site para
         realizar la comunicación intersite.
        Bridgehead permite seleccionarlo manualmente.
        Se pueden seleccionar múltiples preferred bridgehead por site,
         pero solo uno estará activo al mismo tiempo.




                    Windows Server 2008 R2                        156

Mais conteúdo relacionado

Mais procurados

Introduction_of_ADDS
Introduction_of_ADDSIntroduction_of_ADDS
Introduction_of_ADDSHarsh Sethi
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical ServicesJani Sabtriady
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directorythebigredhemi
 
What is active directory
What is active directoryWhat is active directory
What is active directoryAdeel Khurram
 
Windows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory GuideWindows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory Guidewebhostingguy
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directorythoms1i
 
Active Directory Proposal
Active Directory ProposalActive Directory Proposal
Active Directory ProposalMJ Ferdous
 
Activedirecotryfundamentals
ActivedirecotryfundamentalsActivedirecotryfundamentals
ActivedirecotryfundamentalsShekhar Singh
 
Active directory
Active directory Active directory
Active directory deshvikas
 
MCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationMCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationTarek Amer
 
Active directory
Active directoryActive directory
Active directoryMuuluu
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directoryanilinvns
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directoryMuuluu
 
200308 Active Directory Security
200308 Active Directory Security200308 Active Directory Security
200308 Active Directory SecurityArmando Leon
 
Centralizing users’ authentication at Active Directory level 
Centralizing users’ authentication at Active Directory level Centralizing users’ authentication at Active Directory level 
Centralizing users’ authentication at Active Directory level Hossein Sarshar
 

Mais procurados (20)

Active Directory
Active DirectoryActive Directory
Active Directory
 
Introduction_of_ADDS
Introduction_of_ADDSIntroduction_of_ADDS
Introduction_of_ADDS
 
Domain Controller Critical Services
Domain Controller Critical ServicesDomain Controller Critical Services
Domain Controller Critical Services
 
Microsoft Active Directory
Microsoft Active DirectoryMicrosoft Active Directory
Microsoft Active Directory
 
What is active directory
What is active directoryWhat is active directory
What is active directory
 
Windows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory GuideWindows Server 2008 Active Directory Guide
Windows Server 2008 Active Directory Guide
 
Introduction to Active Directory
Introduction to Active DirectoryIntroduction to Active Directory
Introduction to Active Directory
 
Active Directory Proposal
Active Directory ProposalActive Directory Proposal
Active Directory Proposal
 
Activedirecotryfundamentals
ActivedirecotryfundamentalsActivedirecotryfundamentals
Activedirecotryfundamentals
 
Active Directory Training
Active Directory TrainingActive Directory Training
Active Directory Training
 
Active directory
Active directory Active directory
Active directory
 
MCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installationMCSA 70-410 5 introduction to active directory and basic installation
MCSA 70-410 5 introduction to active directory and basic installation
 
Active directory
Active directoryActive directory
Active directory
 
Mcts chapter 4
Mcts chapter 4Mcts chapter 4
Mcts chapter 4
 
Windows Server 2008 Active Directory
Windows Server 2008 Active DirectoryWindows Server 2008 Active Directory
Windows Server 2008 Active Directory
 
1.2 active directory
1.2 active directory1.2 active directory
1.2 active directory
 
70 640 Lesson05 Ppt 041009
70 640 Lesson05 Ppt 04100970 640 Lesson05 Ppt 041009
70 640 Lesson05 Ppt 041009
 
Final domain control policy
Final domain control policy  Final domain control policy
Final domain control policy
 
200308 Active Directory Security
200308 Active Directory Security200308 Active Directory Security
200308 Active Directory Security
 
Centralizing users’ authentication at Active Directory level 
Centralizing users’ authentication at Active Directory level Centralizing users’ authentication at Active Directory level 
Centralizing users’ authentication at Active Directory level 
 

Destaque

WP7 HUB_Introducción a Visual Studio
WP7 HUB_Introducción a Visual StudioWP7 HUB_Introducción a Visual Studio
WP7 HUB_Introducción a Visual StudioMICTT Palma
 
Introducción a web matrix
Introducción a web matrixIntroducción a web matrix
Introducción a web matrixMICTT Palma
 
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003Cristian Sauterel Durán
 
Snv 1ère méd (nov 2011 latiri)
Snv 1ère méd (nov 2011 latiri)Snv 1ère méd (nov 2011 latiri)
Snv 1ère méd (nov 2011 latiri)rhouma_placebo
 
Active directory installation windows 2003 1
Active directory installation windows 2003 1Active directory installation windows 2003 1
Active directory installation windows 2003 1tameemyousaf
 
Firewall
FirewallFirewall
FirewallMuuluu
 
Presentacion Microsoft Office 365
Presentacion Microsoft Office 365Presentacion Microsoft Office 365
Presentacion Microsoft Office 365MICProductivity
 
Build Your Own 3D Scanner: Introduction
Build Your Own 3D Scanner: IntroductionBuild Your Own 3D Scanner: Introduction
Build Your Own 3D Scanner: IntroductionDouglas Lanman
 
Capes vegetaux-t-jean
Capes vegetaux-t-jeanCapes vegetaux-t-jean
Capes vegetaux-t-jeanbonneaug8
 
Science Experiments on Tablets
Science Experiments on TabletsScience Experiments on Tablets
Science Experiments on TabletsMonica Burns
 

Destaque (16)

WP7 HUB_Introducción a Visual Studio
WP7 HUB_Introducción a Visual StudioWP7 HUB_Introducción a Visual Studio
WP7 HUB_Introducción a Visual Studio
 
04232015094601
0423201509460104232015094601
04232015094601
 
Introducción a web matrix
Introducción a web matrixIntroducción a web matrix
Introducción a web matrix
 
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003
Mejores practicas en_diseno_de_directorio_activo_en_windows_server_2003
 
Snv 1ère méd (nov 2011 latiri)
Snv 1ère méd (nov 2011 latiri)Snv 1ère méd (nov 2011 latiri)
Snv 1ère méd (nov 2011 latiri)
 
Active directory installation windows 2003 1
Active directory installation windows 2003 1Active directory installation windows 2003 1
Active directory installation windows 2003 1
 
2194 A 08
2194 A 082194 A 08
2194 A 08
 
2194 A 02
2194 A 022194 A 02
2194 A 02
 
Firewall
FirewallFirewall
Firewall
 
Presentacion Microsoft Office 365
Presentacion Microsoft Office 365Presentacion Microsoft Office 365
Presentacion Microsoft Office 365
 
Build Your Own 3D Scanner: Introduction
Build Your Own 3D Scanner: IntroductionBuild Your Own 3D Scanner: Introduction
Build Your Own 3D Scanner: Introduction
 
Capes vegetaux-t-jean
Capes vegetaux-t-jeanCapes vegetaux-t-jean
Capes vegetaux-t-jean
 
Science Experiments on Tablets
Science Experiments on TabletsScience Experiments on Tablets
Science Experiments on Tablets
 
Reconstruction 3 D
Reconstruction 3 DReconstruction 3 D
Reconstruction 3 D
 
Administracion de Sistemas
Administracion de SistemasAdministracion de Sistemas
Administracion de Sistemas
 
Les végétaux
Les végétauxLes végétaux
Les végétaux
 

Semelhante a Active directory ds ws2008 r2

Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1AlexsCloud
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsAndré Braga
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxMeriemBalhaddad
 
Material modulo02 asf6501(6425-b_01)
Material   modulo02 asf6501(6425-b_01)Material   modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)JSantanderQ
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain serviceFestus Oriaku
 
In Depth: AWS Shared Security Model
In Depth: AWS Shared Security ModelIn Depth: AWS Shared Security Model
In Depth: AWS Shared Security ModelAmazon Web Services
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptxmasbulosoke
 
16h30 aws gru security deck
16h30   aws gru security deck16h30   aws gru security deck
16h30 aws gru security deckinfolive
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...Amazon Web Services
 
ukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptMartinCarrozzo
 
IBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveIBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveShradha Nayak Thakare
 
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaSecurity and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaAmazon Web Services
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudKoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudTobias Koprowski
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseSinanPetrusToma
 
DB2 Security Model
DB2 Security ModelDB2 Security Model
DB2 Security ModeluniqueYGB
 
02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptxAdiWidyanto2
 

Semelhante a Active directory ds ws2008 r2 (20)

6425 c 01
6425 c 016425 c 01
6425 c 01
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
 
Windows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory ComponentsWindows Server 2008 - Active Directory Components
Windows Server 2008 - Active Directory Components
 
Active-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptxActive-Directory-Domain-Services.pptx
Active-Directory-Domain-Services.pptx
 
Material modulo02 asf6501(6425-b_01)
Material   modulo02 asf6501(6425-b_01)Material   modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
Active directory domain service
Active directory domain serviceActive directory domain service
Active directory domain service
 
In Depth: AWS Shared Security Model
In Depth: AWS Shared Security ModelIn Depth: AWS Shared Security Model
In Depth: AWS Shared Security Model
 
Microsoft Active Directory.pptx
Microsoft Active Directory.pptxMicrosoft Active Directory.pptx
Microsoft Active Directory.pptx
 
16h30 aws gru security deck
16h30   aws gru security deck16h30   aws gru security deck
16h30 aws gru security deck
 
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
AWS re:Invent 2016: Managing and Supporting the Windows Platform on AWS (GPSS...
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
ukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.pptukoug2008-oracle-activedirectory-wi-131847.ppt
ukoug2008-oracle-activedirectory-wi-131847.ppt
 
IBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep DiveIBM Spectrum Scale Authentication for File Access - Deep Dive
IBM Spectrum Scale Authentication for File Access - Deep Dive
 
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaSecurity and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
 
Sql server basics
Sql server basicsSql server basics
Sql server basics
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudKoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
 
DBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous DatabaseDBA Tasks in Oracle Autonomous Database
DBA Tasks in Oracle Autonomous Database
 
DB2 Security Model
DB2 Security ModelDB2 Security Model
DB2 Security Model
 
02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx02-Active Directory Domain Services.pptx
02-Active Directory Domain Services.pptx
 

Mais de MICTT Palma

Sharepoint 2010. Novedades y Mejoras.
Sharepoint 2010. Novedades y Mejoras.Sharepoint 2010. Novedades y Mejoras.
Sharepoint 2010. Novedades y Mejoras.MICTT Palma
 
¿Qué es la nube?
¿Qué es la nube?¿Qué es la nube?
¿Qué es la nube?MICTT Palma
 
Introduction to wcf solutions
Introduction to wcf solutionsIntroduction to wcf solutions
Introduction to wcf solutionsMICTT Palma
 
WP7 HUB_XNA overview
WP7 HUB_XNA overviewWP7 HUB_XNA overview
WP7 HUB_XNA overviewMICTT Palma
 
WP7 HUB_Consuming Data Services
WP7 HUB_Consuming Data ServicesWP7 HUB_Consuming Data Services
WP7 HUB_Consuming Data ServicesMICTT Palma
 
WP7 HUB_Creando aplicaciones de Windows Phone
WP7 HUB_Creando aplicaciones de Windows PhoneWP7 HUB_Creando aplicaciones de Windows Phone
WP7 HUB_Creando aplicaciones de Windows PhoneMICTT Palma
 
WP7 HUB_Diseño del interfaz con Silverlight
WP7 HUB_Diseño del interfaz con SilverlightWP7 HUB_Diseño del interfaz con Silverlight
WP7 HUB_Diseño del interfaz con SilverlightMICTT Palma
 
WP7 HUB_Platform overview
WP7 HUB_Platform overviewWP7 HUB_Platform overview
WP7 HUB_Platform overviewMICTT Palma
 
WP7 HUB_Introducción a Silverlight
WP7 HUB_Introducción a SilverlightWP7 HUB_Introducción a Silverlight
WP7 HUB_Introducción a SilverlightMICTT Palma
 
WP7 HUB_Overview and application platform
WP7 HUB_Overview and application platformWP7 HUB_Overview and application platform
WP7 HUB_Overview and application platformMICTT Palma
 
WP7 HUB_Marketplace
WP7 HUB_MarketplaceWP7 HUB_Marketplace
WP7 HUB_MarketplaceMICTT Palma
 
WP7 HUB_Launch event WP7
WP7 HUB_Launch event WP7WP7 HUB_Launch event WP7
WP7 HUB_Launch event WP7MICTT Palma
 
WP7 HUB_Launch event Windows Azure
WP7 HUB_Launch event Windows AzureWP7 HUB_Launch event Windows Azure
WP7 HUB_Launch event Windows AzureMICTT Palma
 
WP7 HUB_Launch event introduction
WP7 HUB_Launch event introductionWP7 HUB_Launch event introduction
WP7 HUB_Launch event introductionMICTT Palma
 
Presentacion share point 2010
Presentacion share point 2010Presentacion share point 2010
Presentacion share point 2010MICTT Palma
 
Seminario Photosynth y Microsoft Tag's MICTT
Seminario Photosynth y Microsoft Tag's MICTTSeminario Photosynth y Microsoft Tag's MICTT
Seminario Photosynth y Microsoft Tag's MICTTMICTT Palma
 
Windows azure: Introducción a la Nube y HoL de Azure MICTT
Windows azure: Introducción a la Nube y HoL de Azure MICTTWindows azure: Introducción a la Nube y HoL de Azure MICTT
Windows azure: Introducción a la Nube y HoL de Azure MICTTMICTT Palma
 

Mais de MICTT Palma (20)

Office 365
Office 365Office 365
Office 365
 
Sharepoint 2010. Novedades y Mejoras.
Sharepoint 2010. Novedades y Mejoras.Sharepoint 2010. Novedades y Mejoras.
Sharepoint 2010. Novedades y Mejoras.
 
¿Qué es la nube?
¿Qué es la nube?¿Qué es la nube?
¿Qué es la nube?
 
Introduction to wcf solutions
Introduction to wcf solutionsIntroduction to wcf solutions
Introduction to wcf solutions
 
Ie9 + html5
Ie9 + html5Ie9 + html5
Ie9 + html5
 
WP7 HUB_XNA overview
WP7 HUB_XNA overviewWP7 HUB_XNA overview
WP7 HUB_XNA overview
 
WP7 HUB_Consuming Data Services
WP7 HUB_Consuming Data ServicesWP7 HUB_Consuming Data Services
WP7 HUB_Consuming Data Services
 
WP7 HUB_Creando aplicaciones de Windows Phone
WP7 HUB_Creando aplicaciones de Windows PhoneWP7 HUB_Creando aplicaciones de Windows Phone
WP7 HUB_Creando aplicaciones de Windows Phone
 
WP7 HUB_Diseño del interfaz con Silverlight
WP7 HUB_Diseño del interfaz con SilverlightWP7 HUB_Diseño del interfaz con Silverlight
WP7 HUB_Diseño del interfaz con Silverlight
 
WP7 HUB_Platform overview
WP7 HUB_Platform overviewWP7 HUB_Platform overview
WP7 HUB_Platform overview
 
WP7 HUB_Introducción a Silverlight
WP7 HUB_Introducción a SilverlightWP7 HUB_Introducción a Silverlight
WP7 HUB_Introducción a Silverlight
 
WP7 HUB_Overview and application platform
WP7 HUB_Overview and application platformWP7 HUB_Overview and application platform
WP7 HUB_Overview and application platform
 
WP7 HUB_Marketplace
WP7 HUB_MarketplaceWP7 HUB_Marketplace
WP7 HUB_Marketplace
 
WP7 HUB_XNA
WP7 HUB_XNAWP7 HUB_XNA
WP7 HUB_XNA
 
WP7 HUB_Launch event WP7
WP7 HUB_Launch event WP7WP7 HUB_Launch event WP7
WP7 HUB_Launch event WP7
 
WP7 HUB_Launch event Windows Azure
WP7 HUB_Launch event Windows AzureWP7 HUB_Launch event Windows Azure
WP7 HUB_Launch event Windows Azure
 
WP7 HUB_Launch event introduction
WP7 HUB_Launch event introductionWP7 HUB_Launch event introduction
WP7 HUB_Launch event introduction
 
Presentacion share point 2010
Presentacion share point 2010Presentacion share point 2010
Presentacion share point 2010
 
Seminario Photosynth y Microsoft Tag's MICTT
Seminario Photosynth y Microsoft Tag's MICTTSeminario Photosynth y Microsoft Tag's MICTT
Seminario Photosynth y Microsoft Tag's MICTT
 
Windows azure: Introducción a la Nube y HoL de Azure MICTT
Windows azure: Introducción a la Nube y HoL de Azure MICTTWindows azure: Introducción a la Nube y HoL de Azure MICTT
Windows azure: Introducción a la Nube y HoL de Azure MICTT
 

Último

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideHironori Washizaki
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 

Último (20)

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 

Active directory ds ws2008 r2

  • 2. Contenido  Modulo 1 – Introducing Active Directory Domain Services AD DS  Modulo 2 – Secure and efficient administration of Active Directory  Modulo 3 – Manage users  Modulo 4 – Manage groups  New features of AD DS 2008 R2 2
  • 3. Module 1 Introducing Active Directory® Domain Services (AD DS)
  • 4. Module Overview  Introducing Active Directory, Identity, and Access  Active Directory Components and Concepts  Install Active Directory Domain Services  Extend IDA with Active Directory Services
  • 5. Information Protection in a Nutshell  It’s all about connecting users to the information they require … SECURELY!  IDA: Identity and Access  AAA: Authentication, Authorization, Accounting  CIA: Confidentiality, Integrity, Availability ( & Authenticity)
  • 6. Identity and Access (IDA)  Identity: user account  Resource: Shared Folder  Saved in an identity store  Secured with a security (directory database) descriptor  Security principal  Discretionary access control  Represented uniquely by the list (DACL or “ACL”) security identifier (SID)  Access control entries (ACEs or “permissions”)
  • 7. Authentication and Authorization A user presents credentials that The system creates a security are authenticated using the token that represents the user information stored with with the user’s SID and all the user’s related group SIDs identity A resources is secured with an The user’s security token is access control list (ACL): compared with the ACL of the permissions that pair a SID with resource to authorize a a level of access requested level of access
  • 8. Authentication Authentication is the process that verifies a user’s identity Credentials: at least two components required • Username • Secret, for example, password Two types of authentication • Local (interactive) Logon – • Remote (network) logon – authentication for logon to the authentication for access to local computer resources on another computer
  • 9. Access Tokens User’s Access Token User SID Member Group SIDs Privileges (“user rights”) Other access information
  • 10. Security Descriptors, ACLs and ACEs Security Descriptor System ACL (SACL) Discretionary ACL (DACL or “ACL”) ACE Trustee (SID) Access Mask ACE Trustee (SID) Access Mask
  • 11. Authorization is the process that determines whether to grant or deny a user a Authorization requested level of access to a resource Three components required for authorization • Resource • Access Request • Security Token System finds first ACE in the User’s Access Token ACL that allows or denies Security Descriptor the requested access level System ACL User SID for any SID in the user’s (SACL) token Discretionary ACL Group SID (DACL or “ACL”) ACE List of user Trustee (SID) rights Access Mask Other access ACE Trustee (SID) information Access Mask
  • 12. Stand-alone (Workgroup) Authentication  The identity store is the security accounts manager (SAM) database on the Windows system  No shared identity store  Multiple user accounts  Management of passwords is challenging
  • 13. Active Directory Domains: Trusted Identity Store  Centralized identity store trusted by all domain members  Centralized authentication service  Hosted by a server performing the role of an Active Directory Domain Services (AD DS) domain controller
  • 14. Active Directory, Identity, and Access  An IDA infrastructure should  Store information about users, groups, computers and other identities  Authenticate an identity  Kerberos authentication used in Active Directory provides single sign-on. Users are authenticated only once.  Control access  Provide an audit trail  Active Directory services  Domain Services (AD DS), Lightweight Directory Services (AD LDS), Certificate Services (AD CS), Rights Management Services (AD RMS), Federation Services (AD FS)
  • 15. Active Directory As a Database  Active Directory is a database  Each “record” is an object  Users, groups, computers, …  Each “field” is an attribute  Logon name, SID, password, description, membership, …  Identities (security principals or “accounts”)  Services: Kerberos, DNS, replication, etc. AD DS is, in the end, a database and the services that support or use that database  Accessing the database  Windows tools, user interfaces, and components  APIs (.NET, VBScript, Windows PowerShell)  Lightweight Directory Access Protocol (LDAP)
  • 16. Organizational Units  Containers  Users  Computers  Organizational Units  Containers that also support the management and configuration of objects using Group Policy  Create OUs to  Delegate administrative permissions  Apply Group Policy
  • 17. Policy-Based Management  Active Directory provides a single point of management for security and configuration through policies  Group Policy  Domain password and lockout policy  Audit policy  Configuration  Applied to users or computers by scoping a GPO containing configuration settings  Fine-grained password and lockout policies ( new feature)
  • 18. The Active Directory Data Store  %systemroot%NTDSntds.dit  Logical partitions  Domain naming context Schema  Schema  Configuration Configuration  Global catalog (aka Partial Attribute Set)  DNS (application partitions) *Domain*  SYSVOL  %systemroot%SYSVOL NTDS.DIT DNS  Logon scripts  Policies PAS
  • 19. Domain Controllers  Servers that perform the AD DS role  Host the Active Directory database (NTDS.DIT) and SYSVOL  Replicated between domain controllers  Kerberos Key Distribution Center (KDC) service: authentication  Other Active Directory services  Best practices  Available: at least two in a domain  Secure: Server Core, Read-only domain controllers (RODCs)
  • 20. Domain  Made up of one or more DCs  All DCs replicate the Domain naming context (Domain NC)  The domain is the context within which Users, Groups, Computers, and so on are created  “Replication boundary”  Trusted identity source: Any DC can authenticate any logon in the domain  The domain is the maximum scope (boundary) for certain administrative policies  Password  Lockout
  • 21. Replication  Multimaster replication  Objects and attributes in the database  Contents of SYSVOL are replicated  Several components work to create an efficient and robust replication topology and to replicate granular changes to AD  The Configuration partition of the database stores information about sites, network topology, and replication DC1 DC3 DC2
  • 22. Sites  An Active Directory object that represents a well-connected portion of your network  Associated with subnet objects representing IP subnets  Intrasite vs. intersite replication  Replication within a site occurs very quickly (15-45 seconds)  Replication between sites can be managed  Service localization  Log on to a DC in your site Site B Site A
  • 23. Tree  One or more domains in a single instance of AD DS that share contiguous DNS namespace treyresearch.net proseware.com antarctica.treyresearch.net
  • 24. Forest  A collection of one or more Active Directory domain trees  First domain is the forest root domain  Single configuration and schema replicated to all DCs in the forest  A security and replication boundary
  • 25. The Global Catalog Domain A  Partial Attribute Set or Global Catalog PAS  Contains every object in every domain in the forest  Contains only selected attributes Domain B PAS  A type of index  Can be searched from any domain  Very important for many applications
  • 26. Functional Level  Domain functional levels  Forest functional levels  New functionality requires that domain controllers are running a particular version of Windows  Windows 2000  Windows Server 2003  Windows Server 2008  Windows Server 2008 R2  Cannot raise functional level while DCs are running previous versions of Windows  Cannot add DCs running previous versions of Windows after raising functional level
  • 27. DNS and Application Partitions  Active Directory and DNS are tightly integrated  One-to-one relationship between the DNS Schema domain name and the logical domain unit of Active Directory Configuration  Complete reliance on DNS to locate computers and services in the domain Domain  A domain controller acting as a DNS server DNS can store the zone data in Active Directory itself—in an application partition PAS
  • 28. Trust Relationships  Extends concept of trusted identity store to another domain  Trusting domain (with the resource) trusts the identity store and authentication services of the trusted domain  A trusted user can authenticate to, and be given access to resources in, the trusting domain  Within a forest, each domain trusts all other domains  Trust relationships can be established with external domains Trusted domain Trusting domain
  • 29. Lesson 3: Install Active Directory Domain Services  Install Windows Server 2008  Server Manager and Role-Based Configuration of Windows Server 2008  Prepare to Create a New Forest with Windows Server 2008  Install and Configure a Domain Controller
  • 30. Install Windows Server 2008  Boot with installation media (DVD)  Follow prompts and select the operating system to install
  • 31. Server Manager and Role-Based Configuration of Windows Server 2008  Windows Server 2008 has minimal footprint  Functionality is added as roles or features  Server Manager: role and feature configuration along with the common administrative snap-ins for the server
  • 32. Prepare to Create a New Forest with Windows Server 2008  Domain’s DNS name (18eneroXX.com)  Domain’s NetBIOS name (18eneroXX)  Whether the new forest will need to support DCs running previous versions of Windows (affects choice of functional level)  Details about how DNS will be implemented to support AD DS  Default: Creating domain controller adds DNS Server role as well  IP configuration for the DC  IPv4 and, optionally, IPv6  Username and password of an account in the server’s Administrators group. Account must have a password.  Location for data store (ntds.dit) and SYSVOL  Default: %systemroot% (c:windows)
  • 33. Install and Configure a Domain 1Controller Install the Active Directory Domain Services role using the Server Manager Run the Active Directory Domain Services 2 Installation Wizard 3 Choose the deployment configuration 4 Select the additional domain controller features Select the location for the database, log files, and 5 SYSVOL folder Configure the Directory Services Restore 6 Mode Administrator Password
  • 54. Install and Configure a Domain 54
  • 55. Install and Configure a Domain 55
  • 56. Install and Configure a Domain 56
  • 57. Lesson 4: Extend IDA with Active Directory Services  Active Directory Lightweight Directory Services (AD LDS)  Active Directory Certificate Services (AD CS)  Active Directory rights Management Services (AD RMS)  Active Directory Federation Services (AD FS)
  • 58. Active Directory Lightweight Directory Services (AD LDS)  Standalone version of Active Directory  Used to support applications that require a directory store  Allow customization without impact to production Active Directory  Characteristics  A subset of AD DS functionality, sharing the same code  Schema, Configuration, and Application partitions  Replication  Not dependent upon AD DS  Can use AD DS to authenticate Windows security principals  Can run multiple instances on a single server
  • 59. Active Directory Certificate Services (AD CS)  Extends the concept of trust  A certificate from a trusted certificate authority (CA) proves identity  Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present  Creates a public key infrastructure (PKI)  Confidentiality, Integrity, Authenticity, Non-Repudiation  Many uses  Internal-only or external, Secure Web sites (SSL), VPN, Wireless authentication and encryption, Smart card authentication  Integration with AD DS powerful, but not required
  • 60. Active Directory Rights Management Services (AD RMS)  Ensures the integrity of information  Traditional model: ACL defines access. No restriction on use.  AD RMS: Ensures access is limited and defines use.  Examples  Limit access to specified individuals  View e-mail but do not forward or print  View and print document but cannot change or e-mail  Requires  AD RMS  IIS, Database (SQL Server or Windows Internal Database)  AD DS  RMS enabled applications including Microsoft Office applications, Internet Explorer
  • 61. Active Directory Federation Services (AD FS)  Extends the authority of AD DS to authenticate users  Traditional “trust”  Two Windows domains  Numerous TCP ports open in firewalls  “Everyone” from trusted domain is trusted  AD FS uses Web services technologies to implement trust  One AD DS/LDS directory; other side can be Active Directory or other platforms  Port 443: transactions are secure and encrypted  Rules specifying which users from trusted domain are trusted  Uses  Business-to-business: partnership  Single sign-on
  • 62. Module 2 Secure and Efficient Administration of Active Directory®
  • 63. Module Overview  Work with Active Directory Snap-Ins  Custom Consoles and Least Privilege  Find Objects in Active Directory  Use DS Commands to Administer Active Directory
  • 64. Lesson 1: Work with Active Directory Snap-ins  The MMC Console  Active Directory Administration Snap-ins  Find Active Directory Snap-ins  Demonstration: Basic Administration with Active Directory Users and Computers
  • 65. The MMC Console Show/Hide Show/Hide Console Tree Actions Pane Details Console Tree Actions Pane Pane
  • 66. Active Directory Administration Snap-ins  Active Directory Users and Computers  Manage most common day-to-day objects, including users, groups, computers, printers, and shared folders  Active Directory Sites and Services  Manage replication, network topology, and related services  Active Directory Domains and Trusts  Configure and maintain trust relationships and the domain and forest functional level  Active Directory Schema  Administer the Schema
  • 67. Demonstration: Create a Custom MMC Console for Administering Active Directory In this demonstration, you will learn:  How to create a custom MMC console with multiple snap-ins  How to register the Active Directory Schema snap-in  Open a command prompt as administrator, then type regsvr32.exe schmmgmt.dll and press Enter  Where to save a custom console
  • 68. Find Active Directory Snap-ins  Active Directory snap-ins are installed on a domain controller  Server Manager: Users and Computers, Sites and Services  Administrative Tools folder  Install the RSAT on a member client or server  Windows Server® 2008  Server Manager  Features  Add Feature  Remote Server Administration Tools  Windows Vista® SP1, Windows 7  Download RSAT from www.microsoft.com/downloads  Double-click the file, then follow the instructions in the Setup Wizard.  Control Panel  Programs And Features  Turn Windows Features On Or Off  Remote Server Administration Tools  Need Activation via Control Panel
  • 69. Secure Administration with Least Privilege, Run As Administrator, and User Account Control  Maintain at least two accounts  A standard user account  An account with administrative privileges  Log on to your computer as a standard user  Do not log on to your computer with administrative credentials  Launch administrative consoles with Run As Administrator 1. Right-click the console and click Run As Administrator 2. Click Use another account 3. Enter the username and password for your administrative account
  • 70. Find Objects in Active Directory  When you assign permissions to a folder or file  Select the group or user to which permissions are assigned  When you add members to a group  Select the user or group that will be added as a member  When you configure a linked attribute such as Managed By  Select the user or group that will be displayed on the Managed By tab  When you need to administer a user, group, or computer  Perform a search to locate the object in Active Directory, instead of browsing for the object
  • 71. Options for Locating Objects in Active Directory Users and Computers Sorting: Use column Searching: Provide headings in Active the criteria for Directory Users and which you want to Computers to find search the objects based on the columns
  • 72. Demonstration: Control the View of Objects in Active Directory Users and Computers In this demonstration, you will learn:  How to add or remove columns in the details pane  How to sort objects based on columns in the details pane
  • 73. Demonstration: Use the Find Command In this demonstration, you will learn:  How to search for objects in Active Directory using the Find command
  • 74. Determine Where an Object is Located 1. Ensure that Advanced Features is selected in the View menu of the MMC console 2. Find the object 3. Open its Properties dialog box 4. Click the Object tab 5. View the Canonical name of object
  • 75. Demonstration: Use Saved Queries In this demonstration, you will learn:  How to create a saved query  How to distribute a saved query  Why saved queries are an efficient and effective tool for administration
  • 76. Lesson 4: Use DS Commands to Administer Active Directory  DNs, RDNs, and CNs  The DS Commands  Find Objects with DSQuery  Retrieve Object Attributes with DSGet  Pipe NDs to Other DS Commands  Modify Object Attributes with DSMod  Delete an Object with DSRm  Move an Object with DSMove  Add an Object with DSAdd  Administration without the GUI
  • 77. DNs, RDNs, and CNs Common Name (CN) Distinguished Name (DN) cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com Relative Distinguished Name (RDN) ou=Employees,ou=User Accounts,dc=contoso,dc=com Distinguished Name (DN)  DN must be completely unique  RDN must therefore be unique within the parent container
  • 78. The DS Commands  DSQuery. Performs a query based on parameters provided at the command line and returns a list of matching objects  DSGet. Returns specified attributes of an object  DSMod. Modifies specified attributes of an object  DSMove. Moves an object to a new container or OU  DSAdd. Creates an object in the directory  DSRm. Removes an object, all objects in the subtree beneath a container object, or both  DScommand /? For example: dsquery /?
  • 79. Find Objects with DSQuery  dsquery objectType  objectType: user, computer, group, ou  By default, search scope is the entire domain  -limit switch to specify number of results  100 is default  0 means “return all results”  dsquery objectType –attribute “criteria”  attribute is objectType specific: dsquery objectType /?  Examples for user: -name, -samid, -office, -desc  criteria in quotes if there is a space. Wildcards (*) allowed  dsquery objectType BaseDN –scope {subtree|onelevel|base}  Specify search start and scope
  • 80. Find Objects with DSQuery
  • 81. Retrieve Object Attributes with DSGet  dsget objectType objectDN -attribute  Common syntax for many DS commands  dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -email  What is the difference between DSGet and DSQuery?
  • 82. Pipe DNs to Other DS Commands  Typing DNs is difficult!  dsget user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" –email  DSQuery returns DNs  dsquery user -name "Jeff Ford" > "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com“  Pipe (send) the DNs from DSQuery to DSGet with |  dsquery user -name "Jeff Ford" | dsget user –email  Or multiple results: dsquery user -name "Dan*" | dsget user –email  DSGet can return DNs from some attributes as well  dsget group groupDN -members | dsget user -samid
  • 83. Modify Object Attributes with DSMod  dsmod objectType "objectDN" -attribute "new value"  dsmod user "cn=Jeff Ford,ou=Employees,ou=User Accounts,dc=contoso,dc=com" -dept "Information Technology"  dsquery user "ou=Admins,dc=contoso,dc=com" | dsmod user -department "Information Technology"
  • 84. Delete an Object with DSRm  dsrm objectDN  Note that DSRm does not take an objectType  dsrm "cn=DESKTOP234,ou=Client Computers,dc=contoso,dc=com"  dsquery computer -stalepwd 90 | dsrm
  • 85. Move an Object with DSMove  dsmove objectDN –newparent targetOUDN  objectDN: object to be moved  targetOUDN: target (destination) OU  dsmove objectDN –newname newName  objectDN: object to be moved  newName: new name for object (used in the RDN)
  • 86. Add an Object with DSAdd  dsadd objectType objectDN -attribute "value"  objectType: class of object to add  objectDN: OU in which to create object  -attribute "value": attributes to populate  Each object class has required attributes  dsadd ou "ou=Lab,dc=contoso,dc=com"
  • 87. Administration Without the GUI  Command Prompt  DS commands  csvde.exe and ldifde.exe  LDAP, search tool  ldp.exe  Windows PowerShell  Scripting  Windows PowerShell scripts  VBScript
  • 89. Module Overview  Create and Administer User Accounts  Configure User Object Attributes  Automate User Account Creation
  • 90. Lesson 1: Create and Administer User Accounts  User Account  Demonstration: Create a User Object  Create Users with DSAdd  Name Attributes  Rename a User Account  Account Attributes  Reset a User’s Password  Unlock a User Account  Disable and Enable a User Account  Delete a User Account  Move a User Account
  • 91. Create Users with DSAdd  dsadd user "UserDN" –samid pre-Windows 2000 logon name –pwd { password | * } –mustchpwd yes  UserDN. Distinguished name of user to create  -samid. Required for new account  Pre-Windows 2000 logon name. The “downlevel” logon name that can be used in the logon format domainusername and that becomes %username%  -pwd password. The desired initial password  Asterisk (*) will prompt you to enter it at the command prompt, so that the plain text password is not entered with the command  -mustchpwd { yes | no }. User must change password at next logon  Lots of optional attributes, including  -email  -hmdir & -profile Can use $username$ token to represent the value of –samid; for example, -profile server01users$username$profile
  • 92. Name Attributes CONTOSOTony.Krijnen  User logon name (pre-Windows 2000): sAMAccountName  Unique in domain  20-character limit Tony.Krijnen@contoso.com  User logon name: userPrincipalName (UPN)  Name + @ + UPN suffix  Unique in forest Tony Krijnen  Name or Full Name: cn (common name)  Unique in OU so that the relative distinguished name (RDN) is unique in the OU, so that, in turn, the object’s distinguished name (distinguishedName attribute) is unique in the forest  Display name: displayName Krijnen, Tony  Exchange global address list (GAL)  Best if unique, but not technically required to be unique
  • 93. Rename a User Account  In Active Directory Users and Computers: 1. Right-click the user, and then click Rename. 2. Type the new common name (CN), and press Enter. 3. Type the Full Name (which maps to cn and name) 4. Type the First Name and Last Name. 5. Type the Display Name. 6. User Logon Name and User Logon Name (Pre-Windows 2000).  dsmod user UserDN [-upn UPN][-fn FirstName][-mi Initial][-ln LastName] [-dn DisplayName][-email EmailAddress]  You cannot change the user logon names or CN with DSMod  dsmove user UserDN -newname "New CN"
  • 94. Account Attributes  Logon Hours: logonHours  Log On To: userWorkstations  User must change password at next logon  User cannot change password  Password never expires  Account is disabled  Store password using reversible encryption  Smart Card is required for interactive logon  Account is trusted for delegation  Account expires
  • 95. Reset a User’s Password  A user forgets his or her password and attempts to log on  In Active Directory Users and Computers, right-click the user object and click Reset Password  Best practices  Assign a temporary, unique, strong password to the user  Select User must change password at next logon  Communicate the password to the user in a secure manner  dsmod user UserDN –pwd NewPassword -mustchpwd yes
  • 96. Unlock a User Account  In Active Directory Users and Computers, right-click the user object and click Properties. Click the Account tab, and then select Unlock Account.  In the Reset Password dialog box, select Unlock the user’s account.  Watch out for drives mapped with alternate credentials. A leading cause of account lockout is when the alternate credentials’ password changes.
  • 97. Disable and Enable a User Account  In Active Directory Users and Computers, right-click the user object and click Disable Account or Enable Account  dsmod user UserDN –disabled {yes|no}
  • 98. Delete a User Account  In Active Directory Users and Computers, select the user and press Delete or right-click the user object and click Delete  dsrm UserDN  When you delete an account, you lose  The group memberships  The security identifier (SID)  Common practice  Disable the account and move it to an OU for disabled objects  After a period of time, delete the account
  • 99. Move a User Account  In Active Directory Users and Computers, right-click the user and then click Move or drag the user object and drop it onto the destination OU  dsmove UserDN –newparent TargetOUDN
  • 100. Lesson 2: Configure User Object Attributes  Demonstration: A Tour of User Attributes  View All Attributes  Modify Attributes of Multiple Users  Modify User Attributes with DSMod and DSGet  Demonstration: Create Users with Templates  Create Users with Templates
  • 101. Demonstration: A Tour of User Attributes In this demonstration, you will learn:  How to access the properties of a user  The role of each tab in the user Properties dialog box
  • 102. View All Attributes  The Attribute Editor  In Active Directory Users and Computers, click the View menu, then select Advanced Features
  • 103. Modify Attributes of Multiple Users  How to do it  Select multiple users (for example, by using CTRL+click)  Right-click any one of the selected users, and then click Properties  Attributes that can be modified  General: Description, Office, Telephone Number, Fax, Web Page, E- mail  Account: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires  Address: Street, P.O. Box, City, State/Province, ZIP/Postal Code, Country/Region  Profile: Profile Path, Logon Script, Home Folder  Organization: Title, Department, Company, Manager
  • 104. Manage User Attributes with DSMod and DSGet  DSMod modifies the attributes of object(s) dsmod user UserDN… [-parameter value …]  UserDN …. distinguishedName of the user(s) to modify  Parameter. Attribute to modify. dsmod user /?  Often does not map to the same name as LDAP (dsmod dept vs. LDAP department)  DSGet gets (returns) the value of attributes of object(s) dsget user UserDN… [-parameter …]  dsget user /?  DSQuery can return objects based on search criteria and pipe those objects to DSGet and DSMod  dsquery user -desc "Marketing Task Force" | dsget user -email
  • 105. Demonstration: Create Users with Templates In this demonstration you will learn:  What a template user account is, and why it is useful  How to create a template user account  How to copy a template user account
  • 106. Create Users with Templates  General tab. No properties are copied  Address tab. P.O. box, city, state or province, ZIP or postal code, and country or region are copied  Note that the street address itself is not copied  Account tab. Logon hours, logon workstations, account options, and account expiration  Profile tab. Profile path, logon script, home drive, and home folder path  Organization tab. Department, company, and manager  Member Of tab. Group membership and primary group
  • 107. Lesson 3: Automate User Account Creation  Export Users with CSVDE  Import Users with CSVDE  Import Users with LDIFDE
  • 108. Export Users with CSVDE Export • CSVDE.exe filename.ldf Active Directory Import  CSV (comma-separated value, or comma-delimited text)  Can be edited with simple text editors (Notepad) or Microsoft Office Excel®  CSVDE.exe  csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes  RootDN. Start of export (default = domain)  SearchScope. Scope of export (Base,OneLevel,Subtree)  Filter. Filter within the scope (LDAP query language)  ListOfAttributes. Use the LDAP name
  • 109. Import Users with CSVDE Export • CSVDE.exe filename.ldf Active Directory Import  CSVDE.exe  csvde –i -f filename [-k]  i. Import – default mode is export  k. Continue past errors (such as Object Already Exists)  Cannot import passwords, so users are created as disabled  Cannot modify existing users
  • 110. Import Users with LDIFDE Export • LDIFDE.exe filename.ldf Active Directory Import  LDAP Data Interchange Format (LDIF)  LDIFDE.exe  ldifde [-i] [-f filename] [-k]  i. Import – default mode is export  k. Continue past errors (such as Object Already Exists)  Cannot import passwords, so users are created as disabled  Can modify or remove existing users
  • 111. Administration Without the GUI  Command Prompt  DS commands  csvde.exe and ldifde.exe  LDAP, search tool  ldp.exe  Windows PowerShell  Scripting  Windows PowerShell scripts  VBScript
  • 113. Module Overview  Manage an Enterprise with Groups  Administer Groups  Best Practices for Group Management
  • 114. Lesson 1: Manage an Enterprise with Groups  Demonstration: Create a Group Object  Access Management Without Groups  Groups Add Manageability  Groups Add Scalability  One Type of Group Is Not Enough  Role-Based Management: Role Groups and Rule Groups  Define Group Naming Conventions  Group Type  Group Scope  Local Groups  Global Groups  Universal Groups  Group Scope Possibilities Summarized  Manage Group Membership  Develop a Group Management Strategy (IGDLA)  Role-Based Management and Windows Group Management Strategy
  • 115. Access Management Without Groups Identity Access Management Resource
  • 116. Groups Add Manageability Identity Group Resource Access Management
  • 117. Groups Add Scalability Identity Group Access Management Resource
  • 118. One Type of Group Is Not Enough Identity Group Access Management Resource
  • 119. Role-Based Management: Role Groups and Rule Groups Identity Role Group Rule Group Resource Access Management
  • 120. Define Group Naming Conventions  Name properties  Group name. cn and name of group -- unique within OU  Group name (pre-Windows 2000). sAMAccountName of group -- unique in domain  Use the same name (unique in the domain) for both properties  Naming conventions  Role groups. Simple, unique name, such as Sales or Consultants  Management groups. For example, ACL_Sales Folders_Read  Prefix. Management purpose of group, such as ACL  Resource identifier. What is managed, such as Sales Folders  Suffix. Access level, such as Read  Delimiter. Separates name components, such as underscore (_)
  • 121. Group Type Distribution groups Used only with e-mail applications Not security-enabled (no SID); cannot be given permissions Security groups Security principal with a SID; can be given permissions Can also be e-mail enabled
  • 122. Group Scope  Four group scopes  Local  Global  Domain Local  Universal  Characteristics that distinguish each scope  Replication. Where are the group and its membership stored?  Membership. What types of objects, from which domains, can be members of the group?  Availability (Scope). Where can the group be used? In what scopes of groups can the group be a member? Can the group be added to an ACL?
  • 123. Local Groups  Replication  Defined in the security accounts manager (SAM) of a domain member or workgroup computer  Membership not replicated to any other system  Membership: Local group can include as members  Any security principals from the domain: users (U), computers (C), global groups (GG), or domain local groups (DLG)  U, C, GG from any domain in the forest  U, C, GG from any trusted domain  Universal groups (UG) defined in any domain in the forest  Availability/scope  Limited to the machine on which the group is defined; can be used for ACLs on the local machine only  Cannot be a member of any other group
  • 124. Domain Local Groups  Replication  Defined in the domain naming context  Group and membership replicated to every DC in domain  Membership: Domain local group can include as members  Any security principals from the domain: U, C, GG, DLG  U, C, GG from any domain in the forest  U, C, GG from any trusted domain  UG defined in any domain in the forest  Availability/scope  Can be on ACLs on any resource on any domain member  Can be a member of other domain local groups or of machine local groups  Well suited for defining business management rules
  • 125. Global Groups  Replication  Defined in the domain naming context  Group and membership is replicated to every DC in domain  Membership: Global group can include as members  Only security principals from the same domain: U, C, GG, DLG  Availability/scope  Available for use by all domain members, all other domains in the forest, and all trusting external domains  Can be on ACLs on any resource on any computer in any of those domains  Can be a member of any DLG or UG in the forest, and of any DLG in a trusting external domain  Well suited for defining roles
  • 126. Universal Groups  Replication  Defined in a single domain in the forest  Replicated to the global catalog (forestwide)  Membership: Universal group can include as members  U, C, GG, and UG from any domain in the forest  Availability/scope  Available to every domain and domain member in the forest  Can be on ACLs on any resource on any system in the forest  Can be a member of other UGs or DLGs anywhere in the forest  Useful in multidomain forests  Defining roles that include members from multiple domains  Defining business management rules that manage resources in multiple domains in the forest
  • 127. Group Scope Possibilities Summarized Members from Domain Members from Trusted Can be Assigned Members from in Same External Permissions to Group Scope Same Domain Forest Domain Resources Local U, C, U, C, U, C, On the local GG, DLG, UG GG, UG GG computer only and local users Domain Local U, C, U, C, U, C, Anywhere in the GG, DLG, UG GG, UG GG domain Universal U, C, U, C, N/A Anywhere in the GG, UG GG, UG forest Global U, C, N/A N/A Anywhere in the GG domain or a trusted domain U User C Computer GG Global Group DLG Domain Local Group UG Universal Group
  • 128. Manage Group Membership  Methods  The group's Members tab (Add/Remove)  The member's Member Of tab (Add/Remove)  The member's Add to a group command (Add)  You are always changing the member attribute  memberOf is a backlink attribute updated by Active Directory  Changes to membership do not take effect immediately  Requires logon (for a user) or startup (for a computer)  Token built with SIDs of member groups at those times  Account for replication of membership change to the user or computer's domain controller  Tip: Change group membership on a DC in the user's site
  • 129. Develop a Group Management Strategy (IGDLA)  Identities (users or computers) are members of  Global groups that collect members based on those members' roles which are members of  Domain Local groups that provide management of some kind, such as management of resource access which are  Assigned Access to a resource (for example, on an ACL)  Multi-domain forest: IGUDLA
  • 130. Role-Based Management and Windows Group Management Strategy Access Management Identity Role Group Rule Group Resource Identity Global Domain Local Access
  • 131. Lesson 2: Administer Groups  Create Groups with DSAdd  Import Groups with CSVDE  Import Groups with LDIFDE  Convert Group Type and Scope  Modify Group Membership with DSMod  Modify Group Membership with LDIFDE  Retrieve Group Membership with DSGet  Copy Group Membership  Move and Rename Groups  Delete Groups
  • 132. Lesson 3: Best Practices for Group Management  Best Practices for Group Documentation  Protect Groups from Accidental Deletion  Delegate Membership Management with the Managed By Tab  Default Groups  Special Identities
  • 133. Best Practices for Group Documentation  Why document groups?  Easier to find them when you need them  Easier to understand how and when to use a group  Establish and adhere to a strict naming convention  Prefix, for example, helps distinguish APP_Budget from ACL_Budget_Edit  Prefix helps you find the group in the Select dialog box  Summarize a group's purpose with its description  Appears in Active Directory Users and Computers details pane  Detail a group's purpose in its Notes field
  • 134. Protect Groups from Accidental Deletion 1. In the Active Directory Users and Computers snap- in, click the View menu and make sure that Advanced Features is selected. 2. Open the Properties dialog box for a group. 3. On the Object tab, select the Protect Object From Accidental Deletion check box. 4. Click OK.
  • 135. Delegate Membership Management with the Managed By Tab  The Managed By tab serves two purposes:  Provide contact information for who manages the group  Allow specified user (or group) to modify group membership if Manager Can Update Membership List is selected  Tips  Must click OK (not just Apply) to change the ACL on the group  To set a group in the Name box, click Change, then click Object Types, and then click Groups
  • 136. Default Groups  Default local groups in the BUILTIN and Users containers  Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators, Print Operators  Reference to their rights and privileges in Student Manual  Know these rights for the certification exams  Problems with these groups  Highly overdelegated  Account Operators, for example, can log on to a DC  Protected  Users who are members of these groups become protected and are not un-protected when removed  Best practice: Keep these groups empty and create custom groups with the rights and privileges you require
  • 137. Special Identities  Membership is controlled by Windows:  Cannot be viewed, edited, or added to other groups  Can be used on ACLs  Examples  Anonymous Logon. Represents connections to a computer without a username and password  Authenticated Users. Represents identities that have been authenticated, but does not include the Guest identity  Everyone. Includes Authenticated Users and Guest (but not Anonymous Logon by default in Windows Server 2003/2008)  Interactive. Users logged on locally or with Remote Desktop  Network. Users accessing a resource over the network
  • 138. Nuevas funcionalidades  Active Directory Domain Services  Active Directory Recycle Bin  Permite recuperar objetos eliminados accidentalmente  AD DS y AD LDS  Habilitar Recyle Bin es irreversible (Deshabilitado por defecto. Requiere nivel funcional WS2008R2)  Para habilitarla  PowerShell  Ldp.exe  Se pueden recuperar objetos hoja y objetos padre como contenedores o UO  180 días en Recicle Bin y 180 tombstoned Windows Server 2008 R2 149
  • 139. Nuevas funcionalidades  Active Directory Domain Services  Active Directory Administrative Center  Reemplazar herramientas  AD Users and Computers  AD Sites and Services  AD Domains and Trusts  Construido sobre PowerShell 2.0  Enumera actividades y tareas habituales de gestión como:  Tareas de mantenimiento  Backup  Gestión de usuarios  Diagnóstico Windows Server 2008 R2 150
  • 140. Nuevas funcionalidades  Active Directory Domain Services  Offline Domain Join  Añadir el equipo al dominio sin necesidad de conexión de red con el dominio  Djoin.exe  Servidor: djoin /PROVISION /DOMAIN midominio.local /MACHINE equipo/SAVEFILE c:fichero  Cliente:djoin /REQUESTODJ /LOADFILE c: /WINDOWSPATH %SystemRoot%  El equipo se añade al dominio en el primer inicio de sesión después de la instalación del SO.  No requiere reiniciar el equipo.  Disponible únicamente para Windows 7 y WS 2008 R2 Windows Server 2008 R2 151
  • 141. Nuevas funcionalidades  Active Directory Domain Services  Managed Service Accounts  Evitar que aplicaciones o servicios dejen de estar activos debido a aspectos relacionados con la autenticación.  Bloqueos de cuentas  Cuentas deshabilitadas  Facilita y mejora la gestión de las cuentas usadas para este fin  Sin contraseña  New-ADServiceAccount -Name NOMBRE_CUENTA -Path “cn=Managed Service Accounts, dc=DOMINIO, dc=DOMINIO”  Con contraseña  New-ADServiceAccount NOMBRE_CUENTA -AccountPassword (ConvertTo-SecureString -AsPlainText “CONTRASEÑA” -Force) -Enabled $true -Path “cn=Managed Service Accounts, dc=DOMINIO, dc=DOMINIO” Windows Server 2008 R2 152
  • 142. Nuevas funcionalidades  Active Directory Domain Services  Active Directory Best Practices Analyzer. BPA  Identifica desviaciones sobre las mejores prácticas y comportamientos inesperados de: Windows 2000, Server 2003, Server 2008 y Server 2008 R2  Utiliza PowerShell para recopilar datos  Está disponible para los siguientes roles  AD DS  AD CS  DNS  TS  Disponible para los siguientes ediciones  Standard, Enterprise, Datacenter Windows Server 2008 R2 153
  • 143. Nuevas funcionalidades  Active Directory Domain Services  Authentication Mechanism Assurance  Otorga a los usuarios membresía adicional en su access token en función del método utilizado para realizar el inicio de sesión.  Requiere Windows Server 2008 R2 y una infraestructura de autenticación basada en certificados.  Permite controlar  Acceso a recursos  Archivos  Ficheros  Impresoras  Usa políticas de certificado que son mapeadas a grupos de seguridad.  Uso típico: SmartCard con certificado asociado  No habilitada por defecto. Windows Server 2008 R2 154
  • 144. Nuevas funcionalidades  Active Directory Domain Services  Active Directory Management Pack  Habilita monitoreo proactivo de  Disponibilidad  Rendimiento  Detecta estados de equipos y software en función de definiciones de estado.  Disponible para WS 2008, WS 2008 R1 y SCOM 2007. Windows Server 2008 R2 155
  • 145. Nuevas funcionalidades  Active Directory Domain Services  Active Directory Bridgehead Server Selection  Bridgehead es un DC que realiza las funciones de ruta primaria de la replicación de datos de AD entre sites.  KCC dinámicamente selecciona un DC de cada site para realizar la comunicación intersite.  Bridgehead permite seleccionarlo manualmente.  Se pueden seleccionar múltiples preferred bridgehead por site, pero solo uno estará activo al mismo tiempo. Windows Server 2008 R2 156