Lecture 7: Naming & Structuring Objects
Network Design & Administration
Objects in a domain…
• Leaf objects are those at the lowest level in AD DS.
• The most important are Computers and Users.
• Computer Accounts and User Accounts are both necessary to let a user on a computer access a resource.
• Groups are ways of organising computers or users to give all members the same permissions or rights.
• Organisational Units exist mainly to allow the admin job to be delegated to separate groups (e.g. at different physical sites).
Object Naming
• This needs planning!
• Must be considered for all names within the network, i.e. the namespaces used for workstations, servers, users, groups, printers etc.
• Different companies have different policies, often reflecting their local “attitude”.
• The larger the organisation, the better documented the policies must be.
Namespace Limitations
• A flat namespace means names must be unique, e.g. Unix UIDs.
• A tree-based namespace means the same name can be reused on different branches.
• Reuse of the same naming structure on different branches may be useful for similar organisational structures (e.g. sales, marketing, accounts names for the company’s offices in different cities).
Naming Methods[1]
• Question: What considerations need to be taken into account when coming up with names for resources within the network?
• Need to consider:
  • What names are permitted in the namespace?
  • What names are not permitted in the namespace?
  • How are names selected?
  • How are collisions resolved?
  • When is renaming allowed?
Naming Methods[1]
• Formulaic – e.g. all NTU student logins are N123456
• Descriptive – include facts. e.g. at NTU all lab machines are CIB<room>_<pcnum> (CIB205_13), printers are <Server>_<Location>_<Type> e.g. Panhard_CIB2nd_Konica_Col
• Functional – specify roles or duties. e.g. admin, webserver01
• Thematic – e.g. picard, riker, worf, crusher
• No method – sometimes results from a change in thematic methods.
Difficulties with Naming
• Thematic name obscurity – remembering which functions are hosted on which server.
• Formulaic names – if a user reports a fault, do you need them to tell you which workstation they are using?
• Thematic security – if admins reserve boring names for standard machines and name theirs specially, intruders will know which ones to avoid!
• Descriptive names with unwanted longevity – names may end up lasting long after the useful information in them has gone (e.g. defunct departments).
User Accounts
• Do not get confused between local and domain user accounts!
• Local – grants the user access to that particular computer only (used for Workgroups).
• Domain – grants the user access to resources across the domain.
  Domain User Account = Logon Name + Password + Security Identifier (SID).
• The SID is used to generate security tokens for access to resources.
User Account Names
                  Microsoft                           Linux
Length            1 to 20 chars *                     No more than 32 chars (8 in NIS)
Case              Not case sensitive                  Case sensitive *
Characters        Not any of " / | * + : ; = ? < > @  Any char except : or LF

* Microsoft: a name of up to 256 chars can be created, but it cannot be used to log on!
* Linux: case is ignored in email addresses[2]
Naming Policy
• Should be sensible, documented and used!
• Easily guessable names make email easier to use (since login names are often used for email).
• Should have a standard way of resolving problems, e.g. duplicates or names that are too long.
• Standard schemes e.g.
  • First.Last
  • Initial.Last
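The naming questions from the Naming Methods slide (what is permitted, how a name is selected, how a collision is resolved) and the problem cases from this slide (duplicates, names that are too long) can be written down as one policy function. This is an added example for the lecture, not the author's code: it implements First.Last with an Initial.Last fallback inside the 20-character Windows logon-name limit from the User Account Names table. The set of existing names is passed in so the function runs offline; against a live domain it would be filled from Get-ADUser (an assumption, not shown).

```powershell
# Added example, not from the lecture: a login-name policy for the First.Last scheme.
function New-LoginName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        # Names already in use (case-insensitive, because Windows logon names are not case sensitive).
        [System.Collections.Generic.HashSet[string]] $Existing,
        [int] $MaxLength = 20
    )
    # Permitted characters: letters, digits and hyphen. Everything else, including the
    # characters the table lists as not permitted, is dropped rather than escaped.
    $clean = { param($s) ($s -replace '[^A-Za-z0-9-]', '').ToLower() }
    $first = & $clean $FirstName
    $last  = & $clean $LastName
    if (-not $first -or -not $last) {
        throw "Name '$FirstName $LastName' contains no permitted characters"
    }

    # Selection: First.Last; fall back to Initial.Last when that is too long;
    # as a last resort truncate the surname so the name can still be used to log on.
    $candidate = "$first.$last"
    if ($candidate.Length -gt $MaxLength) { $candidate = "$($first.Substring(0, 1)).$last" }
    if ($candidate.Length -gt $MaxLength) { $candidate = $candidate.Substring(0, $MaxLength) }

    # Collision resolution: append a counter, trimming the base so the limit still holds.
    $base = $candidate
    $n = 1
    while ($null -ne $Existing -and $Existing.Contains($candidate)) {
        $n++
        $suffix = [string]$n
        $keep = [Math]::Min($base.Length, $MaxLength - $suffix.Length)
        $candidate = $base.Substring(0, $keep) + $suffix
    }
    if ($null -ne $Existing) { [void]$Existing.Add($candidate) }
    return $candidate
}

# Constructed sample: one name is already taken in the directory.
$inUse = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
[void]$inUse.Add('clark.kent')

New-LoginName -FirstName 'Clark' -LastName 'Kent' -Existing $inUse                    # collision: counter appended
New-LoginName -FirstName 'Lois' -LastName "O'Lane" -Existing $inUse                   # apostrophe dropped
New-LoginName -FirstName 'Bartholomew' -LastName 'Featherstonehaugh' -Existing $inUse # falls back to Initial.Last
```

The counter is trimmed into the base rather than appended to it, so a collision on a name that is already at the limit still yields a name that can log on; that is the case a scheme written only as "First.Last" never specifies.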
Passwords
• Strong passwords make it harder for hackers (take longer to crack).
• They do not remove the need for other security measures.
• Schneier recommends a very strong password, written down and kept in your wallet![3]
• Password policies in AD include Complexity Requirements, Minimum and Maximum Password Age, and Password History.
• The default setting in AD for a new user is “Change password at next logon”.
Security of Passwords
• Users – make them understand the consequences! Have procedures and documentation in place.
• Admin – encrypted passwords stored on the system are liable to brute-force attacks, e.g. dictionary attacks.
• In AD DS, keep LAN Manager Hash (LMHash) storage disabled (the default), as its password encryption is very weak and therefore easy to crack. It is only needed for backward compatibility with Windows 95/98 and Macintosh[4].
• In Linux systems, hide the encrypted passwords by using the /etc/shadow file, readable only by the superuser.
  • MD5 password hashes can be cracked quite easily.
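The policy settings named on the Passwords slide and the LMHash setting from [4] can be audited rather than assumed. The following is an added example, not the author's code: Test-PasswordPolicy only reads property names, so it runs on the constructed object at the bottom; on a domain controller with the ActiveDirectory module you would pass the output of Get-ADDefaultDomainPasswordPolicy instead. The thresholds are this example's assumptions, not figures from the lecture.

```powershell
# Added example, not from the lecture: audit the domain password policy and LMHash setting.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int] $MinLength = 12,      # assumed thresholds, not values from the lecture
        [int] $MinHistory = 24,
        [int] $MaxAgeDays = 365
    )
    $findings = @()
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled'
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum length $($Policy.MinPasswordLength) is below $MinLength"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "History of $($Policy.PasswordHistoryCount) passwords allows early reuse"
    }
    # A minimum age of 0 lets a user cycle through the whole history in one sitting
    # and return to the old password, which defeats the history setting.
    if ($Policy.MinPasswordAge.TotalDays -le 0) {
        $findings += 'Minimum password age is 0, so the history can be bypassed'
    }
    # A maximum age of 0 means passwords never expire.
    if ($Policy.MaxPasswordAge.TotalDays -le 0 -or $Policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $findings += "Maximum password age of $($Policy.MaxPasswordAge.TotalDays) days is outside 1-$MaxAgeDays"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled (passwords recoverable from the directory)'
    }
    return $findings
}

function Test-LMHashDisabled {
    # Per [4], NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa stops the
    # LM hash being stored at the next password change; the Group Policy setting
    # "Network security: Do not store LAN Manager hash value on next password change"
    # writes the same value. Run this on each domain controller.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.NoLMHash -eq 1)
}

# Constructed sample using the property names of Get-ADDefaultDomainPasswordPolicy.
$sample = [pscustomobject]@{
    ComplexityEnabled           = $true
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    MinPasswordAge              = [timespan]::FromDays(1)
    MaxPasswordAge              = [timespan]::FromDays(42)
    ReversibleEncryptionEnabled = $false
}
Test-PasswordPolicy -Policy $sample
# Live domain, on a DC with the ActiveDirectory module:
# Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
# Test-LMHashDisabled
```

Note that a disabled LM hash does not remove the NT hash from the database; the slide's point about hashes being liable to brute force still applies, which is why the length, complexity and age checks are in the same audit.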
Domain User Accounts
[Slide figure with callouts:]
• System created – can disable but not delete
• Default container – should really create own OU
Creating User Accounts
• Must be done by a member of the Enterprise Admins, Domain Admins or Account Operators groups, or by those with delegated permissions.
• Should really be done after creating an OU for User accounts, though accounts can be moved between containers.
• Simplest method for creating just 1 user – select the OU, then Action|New|User or the Create New User button.
• There are 2 pages of information to configure…
  • Note – the account can be disabled at this stage for use as a template or for staff arriving later.
Creating User Accounts: Templates
• Object templates can be used as the basis for newly created objects.
• First, set up a template and set all relevant details.
  • This can either be an existing account or,
  • one specifically for copying (but not a special account type).
• Make sure the template’s password has been set and the account is disabled.
• To create a new user account based on the template:
  • Action | Copy will bring up a wizard.
  • This will copy some of the user account’s properties but not the User Login name.
  • The new account will have a new SID.
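The Action | Copy wizard has a cmdlet equivalent, shown here as an added example that is not the lecture's code. New-ADUser -Instance copies attributes from the template object but, like the wizard, not the name, logon name, password or SID, and the account still gets a new SID. Group memberships are a back-link attribute and are not copied, so they are added explicitly afterwards. Requires the ActiveDirectory module; the template name, OU and UPN suffix are assumed.

```powershell
# Added example, not from the lecture: create a user from a disabled template account.
function New-UserFromTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TemplateSam,
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [string] $Path = 'OU=reporters,DC=dailyplanet,DC=com',   # assumed OU
        [string] $UpnSuffix = 'dailyplanet.com'                  # assumed suffix
    )
    # Only the attributes fetched here are carried over by -Instance.
    $template = Get-ADUser -Identity $TemplateSam -Properties Department,Title,Company,Office
    if ($template.Enabled) {
        throw "Template '$TemplateSam' is enabled; templates must stay disabled"
    }
    # MemberOf is fetched separately so it is not part of the instance being copied.
    $groups = (Get-ADUser -Identity $TemplateSam -Properties MemberOf).MemberOf

    $params = @{
        Instance              = $template
        Name                  = "$GivenName $Surname"
        DisplayName           = "$GivenName $Surname"
        GivenName             = $GivenName
        Surname               = $Surname
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "${SamAccountName}@${UpnSuffix}"
        Path                  = $Path
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true    # the AD default for new users noted on the Passwords slide
        Enabled               = $true
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Create user from template $TemplateSam")) {
        $new = New-ADUser @params -PassThru
        foreach ($groupDn in $groups) {
            Add-ADGroupMember -Identity $groupDn -Members $new
        }
        Get-ADUser -Identity $SamAccountName -Properties Department,Title,MemberOf
    }
}

# Usage: the initial password is prompted for rather than embedded in the script.
# Drop -WhatIf to actually create the account.
New-UserFromTemplate -TemplateSam 'tmpl.reporter' -GivenName 'Lois' -Surname 'Lane' `
    -SamAccountName 'LaneL' -InitialPassword (Read-Host -AsSecureString 'Initial password') -WhatIf
```

Refusing an enabled template enforces the slide's rule that a template is never a logon account; copying group memberships explicitly makes visible exactly which rights the new user inherits, which the wizard's "some of the properties" does not.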
Creating User Accounts: Importing from a CSV file
• Can add multiple users by using csvde.exe (CSV Directory Exchange) to import from a file.
• First, create a comma-separated-value (CSV) text file of the user information to be imported.
• Use csvde.exe to import it into AD DS.

Syntax:
  Import into AD DS:           csvde -i -f <input file name> -k
  Dump AD DS database to CSV:  csvde -f <output file name>

File format example (the header row names the attributes; dn and objectClass are required):
  objectClass,sAMAccountName,dn
  user,KentC,"CN=Clark Kent,OU=reporters,DC=DailyPlanet,DC=com"
  user,LaneL,"CN=Lois Lane,OU=reporters,DC=DailyPlanet,DC=com"
Creating User Accounts: PowerShell
• We will cover PowerShell in a lot more detail in a future lecture.
• Can use the existing command line tool (dsadd) in a script.

  Syntax:
     dsadd user <UserDN> [parameters]
  Example:
     dsadd user "cn=Clark Kent,OU=reporters,DC=dailyplanet,DC=com" -ln Kent -fn Clark -upn clark.kent@dailyplanet.com

• Or, use a PowerShell cmdlet:

  Syntax:
     New-ADUser <user name> [parameters]
  Example:
     New-ADUser "Clark Kent"
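The csvde import on the previous slide and the single New-ADUser call above combine naturally into a bulk import with Import-Csv. The following is an added example, not the lecture's code: where csvde only creates the objects, this also sets an initial password, forces a change at next logon and leaves each account disabled until the user arrives, and it validates each row against the naming limits before the directory is touched. The CSV content, OU and UPN suffix are constructed for the example; it requires the ActiveDirectory module.

```powershell
# Added example, not from the lecture: bulk user creation from CSV with New-ADUser.

# Constructed input; in practice use Import-Csv -Path users.csv instead.
$csvText = @'
GivenName,Surname,SamAccountName,Department
Clark,Kent,KentC,News
Lois,Lane,LaneL,News
Perry,White,PerryWhiteEditorInChief,News
'@

function Import-UsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string] $Path,            # distinguished name of the target OU
        [Parameter(Mandatory)] [string] $UpnSuffix,
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )
    $created = @()
    foreach ($row in $Rows) {
        $sam = [string]$row.SamAccountName
        # Apply the limits from the User Account Names table before calling AD:
        # 1-20 characters, and none of the characters Windows does not permit.
        if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Skipping '$($row.GivenName) $($row.Surname)': logon name '$sam' breaks the naming policy"
            continue
        }
        # The regex above also guarantees $sam is safe to interpolate into the filter.
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            Write-Warning "Skipping '$sam': already exists"
            continue
        }
        $params = @{
            Name                  = "$($row.GivenName) $($row.Surname)"
            GivenName             = $row.GivenName
            Surname               = $row.Surname
            DisplayName           = "$($row.GivenName) $($row.Surname)"
            SamAccountName        = $sam
            UserPrincipalName     = "${sam}@${UpnSuffix}"
            Department            = $row.Department
            Path                  = $Path
            AccountPassword       = $InitialPassword
            ChangePasswordAtLogon = $true
            Enabled               = $false    # enable on the user's first day
        }
        if ($PSCmdlet.ShouldProcess($sam, "New-ADUser in $Path")) {
            New-ADUser @params
            $created += $sam
        }
    }
    return $created
}

$rows = $csvText | ConvertFrom-Csv
# -WhatIf previews the run; the third row is rejected by the length check either way.
Import-UsersFromCsv -Rows $rows -Path 'OU=reporters,DC=dailyplanet,DC=com' -UpnSuffix 'dailyplanet.com' `
    -InitialPassword (Read-Host -AsSecureString 'Initial password') -WhatIf
```

Creating the accounts disabled mirrors the "staff arriving later" note on the Creating User Accounts slide: a disabled account with a password nobody has used yet cannot be logged on with, so a delay between import and the user's first day costs nothing.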
Groups
• Used to ease the burden of administering resources for users.
• By clustering users based on their shared needs, work can be reduced, clarified and made less error-prone.
• For example, if the Sales Department contains 15 people, consider the difference in administration workload if they all need access to 5 resources.
• Solution: use a group to manage the required workload.
Active Directory Groups
• Groups and Group Policy are not directly related, but a Group Policy can affect a Group (we will see more on group policies in later sessions).
• A group is not restricted by the structure of the AD DS tree.
• Groups are generally used to cluster resources and users.
Creating New Groups
• As with Users, Groups can be maintained using the Active Directory Users and Computers snap-in.
• To add new groups, you need to have elevated rights (i.e. be a member of Enterprise Admins, Domain Admins or Account Operators, or have been explicitly granted the right).
• Once the group has been created, you can then add new members via the properties dialogue, or via PowerShell.
Examples:
1. dsadd group <groupDN> [parameters] -scope l|g|u
   e.g. dsadd group "cn=copyeditors,ou=personnel,dc=dailyplanet,dc=com" -scope g
2. New-ADGroup <group name> -GroupScope DomainLocal | Global | Universal
   e.g. New-ADGroup "copyeditors" -GroupScope Global
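The slide shows how a group is created but not how members are added via PowerShell; the Sales case from the Groups slide, done end to end, is given here as an added example that is not the lecture's code. The group is created once (a global security group, in a named OU rather than the default container) and members are added idempotently, so the script can be re-run as staff join. Permissions on the five resources are then granted to the group, never to individual users. Requires the ActiveDirectory module; OU, group and member names are constructed.

```powershell
# Added example, not from the lecture: create a department group and keep its membership in sync.
function Set-DepartmentGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9 _-]+$')] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string[]] $Members,
        [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $Scope = 'Global'
    )
    # ValidatePattern above keeps $Name safe to interpolate into the filter.
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path
    if (-not $group) {
        if ($PSCmdlet.ShouldProcess($Name, "New-ADGroup ($Scope security group) in $Path")) {
            $group = New-ADGroup -Name $Name -Path $Path -GroupScope $Scope -GroupCategory Security -PassThru
        }
        else { return }   # under -WhatIf there is no group to add members to
    }
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    $missing = @($Members | Where-Object { $_ -notin $current })
    $extra   = @($current | Where-Object { $_ -notin $Members })
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($Name, "Add members: $($missing -join ', ')")) {
        Add-ADGroupMember -Identity $group -Members $missing
    }
    # Report, but do not remove, members that are no longer on the list: removing
    # access is a deliberate decision, not a side effect of a sync script.
    if ($extra.Count -gt 0) {
        Write-Warning "$Name has members not on the list: $($extra -join ', ')"
    }
    Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
}

# Constructed member list: the 15 sales staff from the Groups slide.
$sales = 1..15 | ForEach-Object { 'sales{0:d2}' -f $_ }
Set-DepartmentGroup -Name 'Sales' -Path 'OU=Groups,DC=dailyplanet,DC=com' -Members $sales -WhatIf
```

The one-way sync is the safe default for a script that may run unattended: an error in the input list can at worst add someone, which shows up in the warning output, rather than silently strip access from the whole department.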
Computer Objects
• A logical representation in Active Directory Domain Services of a physical object.
• Authorises that physical device as a legitimate member of a domain.
• Has a name, a location and who is allowed to manage it.
• Inherits group policy settings from its containers, e.g. domain, site or OU.
• During user login, the computer object interacts with the Domain Controller to check the domain. If OK, then user authorisation occurs.
Adding a Computer to a Domain
• First create the computer object in AD DS.
• Then join the computer to the domain.
• (The computer object can be created as part of the domain-joining process.)
• To create a computer object, the user must have appropriate permissions for the container in which the object will be located:
  • Administrators can create objects anywhere in the domain.
  • Account Operators can create objects in the Computers container (and OUs they create).
Creating Computer Objects – AD DS Users and Computers
• Use the Active Directory Users and Computers console.
Creating Computer Objects – PowerShell
1. Use dsadd.exe
   Syntax:
      dsadd computer <computerDN> [parameters]
   Example:
      dsadd computer "cn=webserver1,cn=computers,dc=dailyplanet,dc=com"
2. Use the PowerShell cmdlet New-ADComputer
   Syntax:
      New-ADComputer <computer name>
   Example:
      New-ADComputer "webserver1"
   (inserts the new computer into the Computers container by default)
Joining Computers to a Domain
• Must occur at the computer and be performed by a member of the local Administrators group.
• Use the System Properties dialogue box.
  • Either specify a name that already exists (but has not yet been associated with a machine).
  • Or specify a new name for a computer object to be created on the fly.
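The two steps from the Adding a Computer to a Domain slides, scripted, as an added example that is not the lecture's code. Step 1 pre-stages the computer object in a chosen OU (New-ADComputer puts it in the Computers container by default, as the previous slide notes), recording the location and who manages it, which are the attributes the Computer Objects slide lists. Step 2, run on the machine itself by a local administrator, joins it under that existing name with Add-Computer, the "name that already exists" case from this slide. Requires the ActiveDirectory module for step 1; the OU, names, domain and joining account are assumed.

```powershell
# Added example, not from the lecture: pre-stage a computer object, then join the machine.

# Step 1: on an admin workstation, by an account with create rights on the target OU.
function New-StagedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Path = 'OU=Workstations,DC=dailyplanet,DC=com',   # assumed OU
        [string] $Location = 'CIB205',                              # assumed room
        [string] $ManagedBy = 'helpdesk'                            # assumed user or group responsible for the machine
    )
    # NetBIOS computer names are limited to 15 characters; the lab scheme
    # CIB<room>_<pcnum> from the Naming Methods slide fits within that.
    if ($Name -notmatch '^[A-Za-z0-9_-]{1,15}$') { throw "'$Name' is not a valid computer name" }
    if (Get-ADComputer -Filter "Name -eq '$Name'") { throw "'$Name' already exists in the domain" }
    if ($PSCmdlet.ShouldProcess($Name, "New-ADComputer in $Path")) {
        New-ADComputer -Name $Name -SamAccountName ($Name + '$') -Path $Path `
            -Location $Location -ManagedBy $ManagedBy -Enabled $true -PassThru
    }
}

New-StagedComputer -Name 'CIB205_13' -WhatIf   # drop -WhatIf to create the object

# Step 2: on the workstation, as a local administrator. -NewName renames the
# machine to the pre-staged object's name if it does not already carry it. The
# joining account must be allowed to join that object (by default the account
# that created it, and administrators); it does not need rights to create objects.
# Add-Computer -DomainName 'dailyplanet.com' -NewName 'CIB205_13' `
#     -Credential (Get-Credential 'DAILYPLANET\joiner') -Restart

# Afterwards, confirm the object is now associated with a machine: these
# attributes are empty on a pre-staged object and populated once it has joined.
# Get-ADComputer -Identity 'CIB205_13' -Properties OperatingSystem,LastLogonDate
```

Pre-staging in the Workstations OU rather than letting the join create the object in the Computers container means the machine inherits that OU's Group Policy from its first logon, which is the inheritance the Computer Objects slide describes; objects left in the default container get only domain-level policy.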
Next Time & References
• Group Scope
• How, why, what to assign to groups
• Access control

[1] “The Practice of System and Network Administration”, Limoncelli, Chapter 8.
[2] RFC 822 section 3.4.7 (1982)
[3] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
[4] http://support.microsoft.com/kb/299656

More Related Content

What's hot

Database Administration & Management - 01
Database Administration & Management - 01Database Administration & Management - 01
Database Administration & Management - 01FaisalMashood
 
Discovering Computers: Chapter 10
Discovering Computers: Chapter 10Discovering Computers: Chapter 10
Discovering Computers: Chapter 10Anna Stirling
 
Custom Development with Novell Teaming
Custom Development with Novell TeamingCustom Development with Novell Teaming
Custom Development with Novell TeamingNovell
 
DBA Basics guide
DBA Basics guideDBA Basics guide
DBA Basics guideazoznasser1
 
Discovering Computers: Chapter 08
Discovering Computers: Chapter 08Discovering Computers: Chapter 08
Discovering Computers: Chapter 08Anna Stirling
 
Windows Server 2003 Administration
Windows Server 2003 AdministrationWindows Server 2003 Administration
Windows Server 2003 AdministrationLearnItFirst.com
 

What's hot (8)

Database Administration & Management - 01
Database Administration & Management - 01Database Administration & Management - 01
Database Administration & Management - 01
 
Discovering Computers: Chapter 10
Discovering Computers: Chapter 10Discovering Computers: Chapter 10
Discovering Computers: Chapter 10
 
Novell Filr
Novell FilrNovell Filr
Novell Filr
 
Custom Development with Novell Teaming
Custom Development with Novell TeamingCustom Development with Novell Teaming
Custom Development with Novell Teaming
 
DBA Basics guide
DBA Basics guideDBA Basics guide
DBA Basics guide
 
Discovering Computers: Chapter 08
Discovering Computers: Chapter 08Discovering Computers: Chapter 08
Discovering Computers: Chapter 08
 
Windows Server 2003 Administration
Windows Server 2003 AdministrationWindows Server 2003 Administration
Windows Server 2003 Administration
 
Mcts chapter 3
Mcts chapter 3Mcts chapter 3
Mcts chapter 3
 

Viewers also liked

Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the networkWiliam Ferraciolli
 
Lecture 12 monitoring the network
Lecture 12   monitoring the networkLecture 12   monitoring the network
Lecture 12 monitoring the networkWiliam Ferraciolli
 
Lecture 3 more on servers and services
Lecture 3   more on servers and servicesLecture 3   more on servers and services
Lecture 3 more on servers and servicesWiliam Ferraciolli
 
Chapter14 Windows Server 2003 Security Features
Chapter14      Windows  Server 2003  Security  FeaturesChapter14      Windows  Server 2003  Security  Features
Chapter14 Windows Server 2003 Security FeaturesRaja Waseem Akhtar
 
SQL Server on Linux - march 2017
SQL Server on Linux - march 2017SQL Server on Linux - march 2017
SQL Server on Linux - march 2017Sorin Peste
 

Viewers also liked (6)

Lecture 11 managing the network
Lecture 11   managing the networkLecture 11   managing the network
Lecture 11 managing the network
 
Lecture 12 monitoring the network
Lecture 12   monitoring the networkLecture 12   monitoring the network
Lecture 12 monitoring the network
 
Lecture 3 more on servers and services
Lecture 3   more on servers and servicesLecture 3   more on servers and services
Lecture 3 more on servers and services
 
Lecture 8 permissions
Lecture 8   permissionsLecture 8   permissions
Lecture 8 permissions
 
Chapter14 Windows Server 2003 Security Features
Chapter14      Windows  Server 2003  Security  FeaturesChapter14      Windows  Server 2003  Security  Features
Chapter14 Windows Server 2003 Security Features
 
SQL Server on Linux - march 2017
SQL Server on Linux - march 2017SQL Server on Linux - march 2017
SQL Server on Linux - march 2017
 

Similar to Lecture 7 naming and structuring objects

Lecture 10 the user experience
Lecture 10   the user experienceLecture 10   the user experience
Lecture 10 the user experienceWiliam Ferraciolli
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing  Active Directory DomainWindows Server 2012 Managing  Active Directory Domain
Windows Server 2012 Managing Active Directory DomainNapoleon NV
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environmentDavid Rowe
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Secure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarSecure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarDavid Rowe
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9APSU
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9APSU
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
Directory Services Nma Unit-1
Directory Services Nma Unit-1Directory Services Nma Unit-1
Directory Services Nma Unit-1GPAPassedStudents
 
IBM Lotus Notes Client Management Done Right – Beginning to End
IBM Lotus Notes Client Management Done Right – Beginning to EndIBM Lotus Notes Client Management Done Right – Beginning to End
IBM Lotus Notes Client Management Done Right – Beginning to Endpanagenda
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksZoho Corporation
 
Uklug 2011 client management
Uklug 2011 client managementUklug 2011 client management
Uklug 2011 client managementdominion
 

Similar to Lecture 7 naming and structuring objects (20)

Lecture 10 the user experience
Lecture 10   the user experienceLecture 10   the user experience
Lecture 10 the user experience
 
Windows Server 2012 Managing Active Directory Domain
Windows Server 2012 Managing  Active Directory DomainWindows Server 2012 Managing  Active Directory Domain
Windows Server 2012 Managing Active Directory Domain
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
DDive - Franziska Tanner client upgrade options
DDive - Franziska Tanner client upgrade optionsDDive - Franziska Tanner client upgrade options
DDive - Franziska Tanner client upgrade options
 
Secure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollarSecure active directory in one day without spending a single dollar
Secure active directory in one day without spending a single dollar
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Net essentials6e ch9
Net essentials6e ch9Net essentials6e ch9
Net essentials6e ch9
 
Mcts chapter 5
Mcts chapter 5Mcts chapter 5
Mcts chapter 5
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
Chapter Two.pptx
Chapter Two.pptxChapter Two.pptx
Chapter Two.pptx
 
Red Hart Linux
Red Hart LinuxRed Hart Linux
Red Hart Linux
 
Directory Services Nma Unit-1
Directory Services Nma Unit-1Directory Services Nma Unit-1
Directory Services Nma Unit-1
 
IBM Lotus Notes Client Management Done Right – Beginning to End
IBM Lotus Notes Client Management Done Right – Beginning to EndIBM Lotus Notes Client Management Done Right – Beginning to End
IBM Lotus Notes Client Management Done Right – Beginning to End
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password AttacksProtecting Windows Passwords and Preventing Windows Computer / Password Attacks
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
 
Network operating system
Network operating systemNetwork operating system
Network operating system
 
Drupal intro
Drupal introDrupal intro
Drupal intro
 
IBM Lotus Notes 360
IBM Lotus Notes 360IBM Lotus Notes 360
IBM Lotus Notes 360
 
Drupal intro
Drupal introDrupal intro
Drupal intro
 
Uklug 2011 client management
Uklug 2011 client managementUklug 2011 client management
Uklug 2011 client management
 

More from Wiliam Ferraciolli (18)

Lecture 5&6 corporate architecture
Lecture 5&6   corporate architectureLecture 5&6   corporate architecture
Lecture 5&6 corporate architecture
 
Lecture 2 servers and services
Lecture 2   servers and servicesLecture 2   servers and services
Lecture 2 servers and services
 
Lecture 1 introduction
Lecture 1   introductionLecture 1   introduction
Lecture 1 introduction
 
Lecture 13, 14 & 15 c# cmd let programming and scripting
Lecture 13, 14 & 15   c# cmd let programming and scriptingLecture 13, 14 & 15   c# cmd let programming and scripting
Lecture 13, 14 & 15 c# cmd let programming and scripting
 
Isys20261 lecture 14
Isys20261 lecture 14Isys20261 lecture 14
Isys20261 lecture 14
 
Isys20261 lecture 12
Isys20261 lecture 12Isys20261 lecture 12
Isys20261 lecture 12
 
Isys20261 lecture 11
Isys20261 lecture 11Isys20261 lecture 11
Isys20261 lecture 11
 
Isys20261 lecture 10
Isys20261 lecture 10Isys20261 lecture 10
Isys20261 lecture 10
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Isys20261 lecture 08
Isys20261 lecture 08Isys20261 lecture 08
Isys20261 lecture 08
 
Isys20261 lecture 07
Isys20261 lecture 07Isys20261 lecture 07
Isys20261 lecture 07
 
Isys20261 lecture 06
Isys20261 lecture 06Isys20261 lecture 06
Isys20261 lecture 06
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 
Isys20261 lecture 04
Isys20261 lecture 04Isys20261 lecture 04
Isys20261 lecture 04
 
Isys20261 lecture 03
Isys20261 lecture 03Isys20261 lecture 03
Isys20261 lecture 03
 
Isys20261 lecture 02
Isys20261 lecture 02Isys20261 lecture 02
Isys20261 lecture 02
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Isys20261 lecture 13
Isys20261 lecture 13Isys20261 lecture 13
Isys20261 lecture 13
 

Lecture 7 naming and structuring objects

  • 1. Lecture 7: Naming & Structuring Objects Network Design & Administration
  • 2. Objects in a domain… • Leaf objects are those at lowest level in ADS. • Most important are Computers and Users. • Computer Accounts and User Accounts are both Network Design & Administration necessary to let a user on a computer access a resource. • Groups are ways of organising computers or users to give all members the same permissions or rights. • Organisational Units exist mainly to allow admin 2 job to be delegated to separate groups (e.g. at different physical sites).
  • 3. Object Naming • This needs planning! • Must be considered in for all names within the network i.e. the namespaces used for workstations, servers, users, groups, printers etc. Network Design & Administration • Different companies have different policies, often reflecting their local “attitude”. • The larger the organisation, the better documented the policies must be. 3
  • 4. Namespace Limitations • A flat namespace means names must be unique. e.g. Unix UIDs • A tree based namespace means the same name can be reused on different branches. Network Design & Administration • Reuse of the same naming structure on different branches may be useful for similar organisational structures. (e.g. sales, marketing, accounts names for the company’s offices in different cities) 4
  • 5. Naming Methods[1] • Question: What considerations need to be taken into account when coming up with naming resources within the network? • Need to consider: Network Design & Administration • What names are permitted in the namespace? • What names are not permitted in the namespace? • How are names selected? • How are collisions resolved? • When is renaming allowed? 5
  • 6. Naming Methods[1] • Formulaic – e.g. all NTU student logins are N123456 • Descriptive – include facts. e.g. at NTU all lab machines are CIB<room>_<pcnum> (CIB205_13), Network Design & Administration printers are <Server>_<Location>_<Type> e.g. Panhard_CIB2nd_Konica_Col • Functional – specify roles or duties. e.g. admin, webserver01 • Thematic – e.g. picard, riker, worf, crusher 6 • No method – sometimes results from change in thematic methods.
  • 7. Difficulties with Naming • Thematic names obscurity – remembering what functions are hosted on which server. • Formulaic names – if user reports a fault, do you need them to tell you which workstation they are using? Network Design & Administration • Thematic Security – if admins reserve boring names for standard machines, and name theirs specially, intruders will know which ones to avoid! • Descriptive names with unwanted longevity – names may end up lasting long after the useful information in them has gone (e.g. defunct departments). 7
  • 8. User Accounts • Do not get confused between local and domain user accounts! • Local – grants user access to that particular computer only (used for Workgroups). Network Design & Administration • Domain – grants user access to resources across domain. Domain User Account = Logon Name + Password + Security Identifier (SID). • SID is used to generate security tokens for access to resources. 8
  • 9. User Account Names Microsoft Linux 1 to 20 chars * No more than 32 chars (8 in NIS) Network Design & Administration Not case sensitive Case sensitive* Not “/|*+:;|+=*?<>@ Any char except : or LF * can create name up to 256 * case ignored in email chars, but cannot be used to addresses[2] log on! 9
  • 10. Naming Policy • Should be sensible, documented and used! • Easily guessable names make email easier to use (since often use login names for email). • Should have standard way of resolving problems Network Design & Administration e.g. duplicates or too long. • Standard schemes e.g. • First.Last • Initial.Last 10
  • 11. Passwords • Strong passwords make it harder for hackers (take longer to crack). • Do not avoid need for other security measures. • Schneier recommends very strong pw, written Network Design & Administration down and kept in wallet![3] • Password policies in AD include Complexity Requirements, Minimum and Maximum Password age, and PW history. • Default setting in AD for new user is “Change PW 11 at next logon”.
  • 12. Security of Passwords • Users – make them understand consequences! Have procedures and documentation in place. • Admin – encrypted PW stored on system are liable to brute force attacks. • e.g. dictionary attacks. Network Design & Administration • In AD DS, disable (by default) Lan Manager Hash (LMHash) storage as password encryption is very weak and therefore, easy to crack. Only needed for backward compatibility to Win 95/98 and Macintosh[4]. • In Linux systems, hide encrypted PW by using etc/shadow file readable only by superuser. • MD5 encryption is can be cracked quite easily. 12
  • 13. Domain User Accounts System created – can disable but not delete Network Design & Administration Default container – should really create own OU 13
  • 14. Creating User accounts • Must be done by member of Enterprise Admins, Domain Admins or Account Operators groups, or by those with delegated permissions • Should really be done after created OU for User Network Design & Administration accounts, though can be moved between containers • Simplest method for creating just 1 user – Select OU, then Action|New|User or Create New User button • Have 2 pages of information to configure… • Note - Account can be disabled at this stage for use as template or for staff arriving later 14
  • 15. Creating User Accounts: Templates • Object templates can be used to base newly created object on. • First, setup a template and set all relevant details. • This can either be an existing account or, • One specifically for copying (but not a special account type) Network Design & Administration • Make sure templates password has been set and the account is disabled. • To create a new user account based on template: • Action | Copy will bring up a wizard. • This will copy some of the user accounts properties but not the User Login name. • New account will have a new SID. 15
  • 16. Creating User Accounts: Importing from a CSV file • Can add multiple users by using csvde.exe (CSV Directory Exchange) to import from a file. • First, create a comma-separated-value (CSV) text file of the user information to be imported. • Use, csvde.exe to import in to AD DS. Network Design & Administration Syntax: Input into ADDS: csvde –i –f <input file name> -k Dump ADDS database to CSV: scvde –f <output file name> File format example: objectClass, sAMAcctName, dn user, KentC, “CN=Clark Kent, OU=reporters, DC=DailyPlanet, DC=com” user, LaneL, “CN=Lois Lane, OU=reporters, DC=DailyPlanet, DC=com” 16
• 17. Creating User Accounts: PowerShell
  • We will cover PowerShell in a lot more detail in a future lecture.
  • Can use the existing command-line tool (dsadd) in a script.
  Syntax: dsadd user <UserDN> [parameters]
  Example: dsadd user "cn=Clark Kent,OU=reporters,DC=dailyplanet,DC=com" -ln Kent -fn Clark -upn clark.kent@dailyplanet.com
  • Or use a PowerShell cmdlet:
  Syntax: New-ADUser <user name> [parameters]
  Example: New-ADUser "Clark Kent"
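Slides 16 and 17 show csvde for bulk import and New-ADUser for a single account; the two combine naturally as a CSV-driven New-ADUser loop. The script below is an added example, not from the lecture. The CSV rows are constructed sample data (the same two reporters as on slide 16), and the OU and UPN suffix are assumed. Unlike a straight csvde run it checks each row for an existing sAMAccountName first, so one bad row does not abort the rest of the file, and it sets an initial password that must be changed at first logon.

```powershell
# Added example, not part of the lecture: bulk user creation with Import-Csv and
# New-ADUser, the PowerShell counterpart of the csvde import on the previous slide.
# The CSV content below is constructed sample data; OU and UPN suffix are assumed.
Import-Module ActiveDirectory

$csvText = @'
GivenName,Surname,SamAccountName,OU
Clark,Kent,KentC,"OU=reporters,DC=dailyplanet,DC=com"
Lois,Lane,LaneL,"OU=reporters,DC=dailyplanet,DC=com"
'@
# For a real file use: $rows = Import-Csv -Path .\newusers.csv
$rows = $csvText | ConvertFrom-Csv

$upnSuffix       = 'dailyplanet.com'
$initialPassword = Read-Host -Prompt 'Initial password for the new accounts' -AsSecureString

function New-UserFromRow {
    param([pscustomobject]$Row, [securestring]$Password)

    $displayName = "$($Row.GivenName) $($Row.Surname)"

    # A duplicate sAMAccountName would stop csvde part-way through the file;
    # here each row is checked first so the remaining rows still import.
    if (Get-ADUser -Filter "SamAccountName -eq '$($Row.SamAccountName)'") {
        Write-Warning "Skipping $($Row.SamAccountName): account already exists"
        return
    }

    $params = @{
        Name                  = $displayName
        GivenName             = $Row.GivenName
        Surname               = $Row.Surname
        SamAccountName        = $Row.SamAccountName
        UserPrincipalName     = ("{0}.{1}@{2}" -f $Row.GivenName, $Row.Surname, $upnSuffix).ToLower()
        Path                  = $Row.OU
        AccountPassword       = $Password
        ChangePasswordAtLogon = $true   # the shared initial password is replaced at first logon
        Enabled               = $true
    }
    try {
        New-ADUser @params -ErrorAction Stop
        Write-Output "Created $displayName ($($params.UserPrincipalName))"
    } catch {
        Write-Error "Failed to create $($displayName): $_"
    }
}

foreach ($row in $rows) { New-UserFromRow -Row $row -Password $initialPassword }
```

Run it once with -WhatIf appended to the New-ADUser call to preview what would be created; New-ADUser supports -WhatIf like other ActiveDirectory cmdlets.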
• 18. Groups
  • Used to ease the burden of administering resources for users.
  • By clustering users based on their shared needs, work can be reduced, clarified and made less error-prone.
  • For example, if the Sales Department contains 15 people, consider the difference in administration workload if they all need access to 5 resources (75 individual permission entries, versus 5 entries for one group plus 15 memberships). Solution: use a group to manage the required workload.
• 19. Active Directory Groups
  • Groups and Group Policy are not directly related, but a Group Policy can affect a group (we will see more on group policies in later sessions).
  • A group is not restricted by the structure of the AD DS tree.
  • Groups are generally used to cluster resources and users.
• 20. Creating New Groups
  • As with users, groups can be maintained using the Active Directory Users and Computers snap-in.
  • To add new groups you need elevated rights (i.e. members of Enterprise Admins, Domain Admins, Account Operators, or those who have been explicitly granted the right).
  • Once the group has been created, you can then add new members via the Properties dialogue, or via PowerShell.
  Examples:
    1. dsadd group <groupDN> [parameters] -scope l|g|u
       e.g. dsadd group "cn=copyeditors,ou=personnel,dc=dailyplanet,dc=com" -scope g
    2. New-ADGroup <group name> -GroupScope DomainLocal | Global | Universal
       e.g. New-ADGroup "copyeditors" -GroupScope Global
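Slides 18 to 20 make the case for groups and show the creation commands; what they do not show is the resource side, where the saving actually happens. The script below is an added example, not from the lecture: it creates a global security group, adds members, and grants that group (never the individual users) rights on a folder, so joining or leaving the department is a membership change only. The group name, OU, folder path and member accounts are assumed.

```powershell
# Added example, not part of the lecture: one group carries the permissions instead of
# 15 separate user entries. Group name, OU, folder path and member accounts are assumed.
Import-Module ActiveDirectory

$groupName = 'SalesStaff'
$groupOu   = 'OU=groups,DC=dailyplanet,DC=com'
$folder    = 'D:\Shares\SalesReports'          # one of the department's resources
$members   = 'KentC', 'LaneL'                  # sample sAMAccountNames

# 1. Create the security group once (idempotent: skip if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    $groupParams = @{
        Name          = $groupName
        GroupScope    = 'Global'
        GroupCategory = 'Security'
        Path          = $groupOu
        Description   = 'Sales department staff'
    }
    New-ADGroup @groupParams
}

# 2. Membership is the only thing that changes as people join or leave the department.
Add-ADGroupMember -Identity $groupName -Members $members

# 3. The resource ACL names the group, never individual users, so it is set once.
$netbios = (Get-ADDomain).NetBIOSName
$acl     = Get-Acl -Path $folder
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
               "$netbios\$groupName",
               [System.Security.AccessControl.FileSystemRights]::Modify,
               [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
               [System.Security.AccessControl.PropagationFlags]::None,
               [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: who is in the group, and that the folder ACL references the group, not users.
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -eq "$netbios\$groupName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Repeat step 3 for each of the department's resources; step 2 is then the only recurring task, and removing a leaver from the group revokes all of their departmental access in one operation.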
• 21. Computer Objects
  • A logical representation in Active Directory Domain Services of a physical object.
  • Authorises that physical device as a legitimate member of a domain.
  • Has a name, a location, and a record of who is allowed to manage it.
  • Inherits group policy settings from its containers, e.g. domain, site or OU.
  • During user logon, the computer object interacts with the domain controller to verify its domain membership. If that succeeds, user authorisation then occurs.
• 22. Adding a Computer to a Domain
  • First create the computer object in AD DS.
  • Then join the computer to the domain.
  • (The computer object can also be created as part of the domain-joining process.)
  • To create a computer object, the user must have appropriate permissions for the container in which the object will be located:
    • Administrators can create objects anywhere in the domain.
    • Account Operators can create objects in the Computers container (and in OUs they create).
• 23. Creating Computer Objects – AD DS Users and Computers
  • Use the Active Directory Users and Computers console.
• 24. Creating Computer Objects – PowerShell
  1. Use dsadd.exe
     Syntax: dsadd computer <computerDN> [parameters]
     Example: dsadd computer "cn=webserver1,cn=computers,dc=dailyplanet,dc=com"
  2. Use the PowerShell cmdlet New-ADComputer
     Syntax: New-ADComputer <computer name>
     Example: New-ADComputer "webserver1"
     (inserts the new computer into the Computers container by default)
• 25. Joining Computers to a Domain
  • Must occur at the computer and be performed by a member of the local Administrators group.
  • Use the System Properties dialogue box.
  • Either specify a name that already exists (but has not yet been associated with a machine),
  • or specify a new name for a computer object to be created on the fly.
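Slides 22 to 25 describe a two-stage procedure: pre-stage the computer object in AD DS, then join from the machine itself. The script below is an added example, not from the lecture, covering both stages in PowerShell with the checks the slides imply (permission to create in the target OU, local administrator rights on the machine, and a name that matches the pre-staged object). The computer name, the Servers OU and the domain name are assumed.

```powershell
# Added example, not part of the lecture. Two stages: pre-stage the object from an
# admin session with the ActiveDirectory module, then join from the computer itself.
# Computer name, OU and domain name are assumed.

# ---- Stage 1 (run by an account allowed to create objects in the target OU) ----
Import-Module ActiveDirectory
$computerName = 'WEBSERVER1'
$serverOu     = 'OU=Servers,DC=dailyplanet,DC=com'   # assumed OU, rather than the default Computers container

if (-not (Get-ADComputer -Filter "Name -eq '$computerName'")) {
    # Pre-staging places the object in the right OU, so it inherits that OU's group
    # policy from its first logon instead of landing in the Computers container.
    New-ADComputer -Name $computerName -Path $serverOu -Description 'Pre-staged web server'
}

# ---- Stage 2 (run on the computer being joined, in an elevated session) ----
# The slide's requirement: the join must be performed by a local Administrators member.
$identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal    = New-Object Security.Principal.WindowsPrincipal($identity)
$isLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isLocalAdmin) { throw 'Joining a domain requires a member of the local Administrators group.' }

# The join matches the pre-staged object by name, so the local name must agree with it.
if ($env:COMPUTERNAME -ne $computerName) {
    throw "Local name $env:COMPUTERNAME does not match the pre-staged object $computerName."
}

# Credential of a domain account permitted to join computers (admin, account operator or delegated).
$joinCred = Get-Credential -Message 'Domain account permitted to join computers'

# With a pre-staged object the existing account and its OU are used. For the
# "create on the fly" case on the slide, add -OUPath $serverOu so the new object
# is placed in the OU rather than in the Computers container.
Add-Computer -DomainName 'dailyplanet.com' -Credential $joinCred -Restart

# ---- After the reboot: confirm the secure channel and where the object ended up ----
Test-ComputerSecureChannel -Verbose
Get-ADComputer -Identity $computerName -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, DistinguishedName, Enabled, OperatingSystem, LastLogonDate
```

Test-ComputerSecureChannel returns True when the machine's account password and trust with the domain are intact; a False result after a join points at a name mismatch or a stale pre-staged object.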
• 26. Next Time & References
  Next time:
  • Group scope
  • How, why and what to assign to groups
  • Access control
  References:
  [1] "The Practice of System and Network Administration", Limoncelli, Chapter 8.
  [2] RFC 822 section 3.4.7 (1982)
  [3] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
  [4] http://support.microsoft.com/kb/299656