Network Design & Administration
2. Objects in a domain
• Leaf objects are those at the lowest level in AD DS (they cannot contain other objects).
• The most important are Computers and Users.
• A Computer Account and a User Account are both necessary before a user on a computer can access a domain resource: the machine is authenticated as well as the person.
• Groups are ways of organising computers or
users to give all members the same permissions
or rights.
• Organisational Units exist mainly to allow the admin job to be delegated to separate teams (e.g. at different physical sites); they are also the unit at which Group Policy is linked.
3. Object Naming
• This needs planning!
• Must be considered for all names within the network, i.e. the namespaces used for workstations, servers, users, groups, printers etc.
• Different companies have different policies,
often reflecting their local “attitude”.
• The larger the organisation, the better
documented the policies must be.
4. Namespace Limitations
• A flat namespace means every name must be unique across the whole namespace, e.g. Unix UIDs.
• A tree based namespace means the same name
can be reused on different branches.
• Reuse of the same naming structure on different branches may be useful for similar organisational structures (e.g. sales, marketing and accounts names for the company’s offices in different cities).
5. Naming Methods[1]
• Question: what considerations need to be taken into account when naming resources within the network?
• Need to consider:
• What names are permitted in the namespace?
• What names are not permitted in the namespace?
• How are names selected?
• How are collisions resolved?
• When is renaming allowed?
6. Naming Methods[1]
• Formulaic – e.g. all NTU student logins are
N123456
• Descriptive – include facts. e.g. at NTU all lab machines are CIB<room>_<pcnum> (CIB205_13), printers are <Server>_<Location>_<Type> e.g. Panhard_CIB2nd_Konica_Col
• Functional – specify roles or duties. e.g. admin,
webserver01
• Thematic – e.g. picard, riker, worf, crusher
• No method – often the result of thematic schemes changing over time until no pattern is left.
7. Difficulties with Naming
• Thematic name obscurity – remembering which functions are hosted on which server.
• Formulaic names – if a user reports a fault, can they tell you which workstation they are using? (N123456-style names are not memorable.)
• Thematic security – if admins reserve boring names for standard machines and give their own machines special names, an intruder can pick out the admins’ machines (and which ones to avoid) from the name alone!
• Descriptive names with unwanted longevity – names may end up lasting long after the useful information in them has gone (e.g. defunct departments, rooms that have been renumbered).
8. User Accounts
• Do not get confused between local and domain user
accounts!
• Local – grants user access to that particular computer
only (used for Workgroups).
• Domain – grants the user access to resources across the domain.
Domain User Account = Logon Name + Password + Security Identifier (SID).
• The SID (together with the SIDs of the user’s groups) is placed in the access token built at logon; resources compare that token against their ACLs. Permissions are bound to the SID, not the name, so renaming an account keeps its access and a deleted-and-recreated account loses it.
9. User Account Names
Microsoft (sAMAccountName)                 Linux
1 to 20 chars *                            No more than 32 chars (8 in NIS)
Not case sensitive                         Case sensitive *
Not " / \ [ ] : ; | = , + * ? < >          Any char except : or LF
* a name of up to 256 chars can be created, but it cannot be used to log on!
* case is ignored in email addresses [2]
10. Naming Policy
• Should be sensible, documented and used!
• Easily guessable names make email easier to use (since login names are often used for email addresses).
• Should have a standard way of resolving problems, e.g. duplicates or names that are too long.
• Standard schemes e.g.
• First.Last
• Initial.Last
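The naming policy and the sAMAccountName limits above can be turned into a function, so that every account is named the same way and collisions are resolved by rule rather than by hand. This is an added example, not code from the slides: the First.Last scheme, the numeric-suffix collision rule and the list of names already in use are all assumptions (the list is constructed for the demo).

```powershell
# Added example (not from the slides): derive a logon name from a First.Last
# policy, enforce the sAMAccountName rules from the table above, and resolve
# duplicates deterministically. The existing-name list is constructed data.
function New-LogonName {
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [string[]]$Existing = @(),      # names already in use (compared case-insensitively)
        [int]$MaxLength = 20            # sAMAccountName logon limit
    )
    # Lower-case, then strip accents (é -> e) so the name is typeable on any keyboard.
    $raw = "$First.$Last".ToLowerInvariant()
    $raw = $raw.Normalize([Text.NormalizationForm]::FormD) -replace '\p{Mn}', ''
    # Drop the characters sAMAccountName does not permit (" / \ [ ] : ; | = , + * ? < >)
    # plus whitespace, and any leading/trailing dot left behind.
    $base = ($raw -replace '["/\\\[\]:;|=,+*?<>\s]', '').Trim('.')
    if ($base.Length -gt $MaxLength) { $base = $base.Substring(0, $MaxLength).TrimEnd('.') }

    # Collision rule (assumed policy): append 2, 3, ... while staying within the limit.
    $candidate = $base
    $n = 1
    while ($Existing -contains $candidate) {
        $n++
        $suffix = "$n"
        $candidate = $base.Substring(0, [Math]::Min($base.Length, $MaxLength - $suffix.Length)) + $suffix
    }
    return $candidate
}

# Constructed sample: names already allocated in the directory
$inUse = @('clark.kent', 'lois.lane')
New-LogonName -First 'Clark' -Last 'Kent' -Existing $inUse
New-LogonName -First 'Jimmy' -Last 'Olsen' -Existing $inUse
New-LogonName -First 'Bartholomew' -Last 'Featherstonehaugh'
New-LogonName -First 'Zoë' -Last 'Smith/Jones'
```

With the sample list, a second Clark Kent becomes clark.kent2, Bartholomew Featherstonehaugh is cut to the 20-character logon limit (bartholomew.feathers), and the slash and diaeresis in the last case are removed rather than rejected. The function only decides the name; the check against the directory (Get-ADUser -Filter on SamAccountName) belongs in the provisioning script that calls it.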
11. Passwords
• Strong passwords make it harder for attackers (they take longer to crack), but they do not remove the need for other security measures.
• Schneier recommends a very strong password, written down and kept in your wallet! [3]
• Password policies in AD include complexity requirements, minimum and maximum password age, and password history.
• The default setting in AD for a new user is “User must change password at next logon”.
12. Security of Passwords
• Users – make them understand the consequences! Have procedures and documentation in place.
• Admin – hashed passwords stored on the system are liable to offline brute-force attacks, e.g. dictionary attacks, if an attacker can read the hashes.
• In AD DS, LAN Manager hash (LM hash) storage is disabled by default on current versions (policy “Network security: Do not store LAN Manager hash value on next password change”) because the LM hash is very weak and easy to crack. It is only needed for backward compatibility with Windows 95/98 and old Macintosh clients [4]. Note the setting only takes effect when each password is next changed.
• In Linux systems, hide the hashed passwords by keeping them in /etc/shadow, readable only by the superuser.
• MD5-based crypt hashes ($1$) can be cracked quite easily; current distributions default to SHA-512 crypt ($6$) or yescrypt.
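The LM-hash setting and the policy items above are worth checking rather than assuming. The script below is an added example (not from the slides) that reads the NoLMHash registry value the policy sets, compares the default domain password policy against thresholds, and lists enabled users whose password never expires or is still flagged “change at next logon”. It assumes the ActiveDirectory PowerShell module is installed and is run on a domain controller; the thresholds are assumptions to adapt to local policy.

```powershell
# Added example (not from the slides): audit LM-hash storage and the default
# domain password policy. Assumes the ActiveDirectory module (RSAT) and that it
# runs on a DC (the registry check is per-machine). Thresholds are assumptions.
Import-Module ActiveDirectory

function Test-LMHashDisabled {
    # NoLMHash = 1 under the Lsa key is what the policy "Network security:
    # Do not store LAN Manager hash value on next password change" sets.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name NoLMHash -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.NoLMHash -eq 1)
}

function Test-DomainPasswordPolicy {
    param([int]$MinLength = 12, [int]$MinHistory = 24, [int]$MaxAgeDays = 90)
    $p = Get-ADDefaultDomainPasswordPolicy
    # MaxPasswordAge of zero means "never expires", which fails the check.
    [pscustomobject]@{
        ComplexityEnabled       = $p.ComplexityEnabled
        MinPasswordLengthOK     = $p.MinPasswordLength -ge $MinLength
        HistoryOK               = $p.PasswordHistoryCount -ge $MinHistory
        MaxAgeOK                = ($p.MaxPasswordAge -ne [TimeSpan]::Zero) -and
                                  ($p.MaxPasswordAge.TotalDays -le $MaxAgeDays)
        ReversibleEncryptionOff = -not $p.ReversibleEncryptionEnabled
        LockoutConfigured       = $p.LockoutThreshold -gt 0
    }
}

function Get-PasswordExceptions {
    # pwdLastSet = 0 is how "must change password at next logon" is stored.
    Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires, pwdLastSet, PasswordLastSet |
        Where-Object { $_.PasswordNeverExpires -or $_.pwdLastSet -eq 0 } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
                      @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } }
}

"LM hash storage disabled: $(Test-LMHashDisabled)"
Test-DomainPasswordPolicy | Format-List
Get-PasswordExceptions | Format-Table -AutoSize
```

Accounts in the “must change at next logon” state that are weeks old usually mean a starter who never logged in (and an initial password that is still valid), which is exactly the kind of account a dictionary attack finds first.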
13. Domain User Accounts
(Screenshot of the Active Directory Users and Computers console, annotated:)
• Built-in accounts such as Administrator and Guest are system created: they can be disabled but not deleted.
• The Users container is only the default location; you should really create your own OU for user accounts.
14. Creating User accounts
• Must be done by member of Enterprise Admins, Domain
Admins or Account Operators groups, or by those with
delegated permissions
• Should really be done after an OU for user accounts has been created, though accounts can be moved between containers later.
• Simplest method for creating just 1 user – Select OU,
then Action|New|User or Create New User button
• Have 2 pages of information to configure…
• Note – the account can be disabled at this stage, for use as a template or for staff arriving later.
15. Creating User Accounts: Templates
• Object templates can be used as the basis for newly created objects.
• First, setup a template and set all relevant details.
• This can either be an existing account or one created specifically for copying (but it is not a special account type, so treat it as a real account).
• Make sure the template’s password has been set and the account is disabled.
• To create a new user account based on template:
• Action | Copy will bring up a wizard.
• This copies some of the account’s properties (e.g. group memberships, OU, profile and organisation settings) but not the user logon name or password.
• The new account gets a new SID, so it inherits nothing from the template’s own permissions, only from the groups it was copied into.
16. Creating User Accounts: Importing from a CSV file
• Can add multiple users by using csvde.exe (CSV Directory Exchange) to import from a file.
• First, create a comma-separated-value (CSV) text file of the user information to be imported.
• Use csvde.exe to import it into AD DS. csvde cannot set passwords, so the imported accounts still need a password set and enabling afterwards.
Syntax:
Import into AD DS: csvde -i -f <input file name> -k   (-k continues past errors such as “object already exists”)
Dump the AD DS database to CSV: csvde -f <output file name>
File format example (the header row names the attributes; dn is required):
objectClass,sAMAccountName,dn
user,KentC,"CN=Clark Kent,OU=reporters,DC=DailyPlanet,DC=com"
user,LaneL,"CN=Lois Lane,OU=reporters,DC=DailyPlanet,DC=com"
17. Creating User Accounts: PowerShell
• We will cover PowerShell in a lot more detail in a future lecture.
• Can use the existing command-line tool (dsadd) in a script.
Syntax:
dsadd user <UserDN> [parameters]
Example:
dsadd user "cn=Clark Kent,OU=reporters,DC=dailyplanet,DC=com" -ln Kent -fn Clark -upn clark.kent@dailyplanet.com
• Or use a PowerShell cmdlet (ActiveDirectory module):
Syntax:
New-ADUser <user name> [parameters]
Example:
New-ADUser "Clark Kent"
(With no other parameters the account is created disabled, with no password, in the Users container.)
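Slides 15 to 17 describe three separate mechanisms; in practice they are combined into one provisioning script. The block below is an added example, not code from the slides or from Microsoft: it reads the same kind of CSV the csvde slide uses, copies the non-identity attributes from a disabled template account with New-ADUser -Instance (the scripted equivalent of Action | Copy), gives each account a random one-time password, and copies the template’s group memberships, which -Instance does not do. The CSV layout, OU, domain, template name and the sample rows are all assumptions (the CSV content is constructed), and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the slides): bulk-create users from a CSV, copying
# non-identity attributes from a disabled template account. The CSV layout,
# OU, domain and template name are assumptions; the sample CSV is constructed.
Import-Module ActiveDirectory

$csvPath   = '.\reporters.csv'
$ou        = 'OU=reporters,DC=dailyplanet,DC=com'
$upnSuffix = 'dailyplanet.com'

# Constructed sample input; in practice HR supplies this file.
@'
First,Last,Department
Clark,Kent,News
Lois,Lane,News
'@ | Set-Content -Path $csvPath

# Template account (disabled, password set, as slide 15 requires).
# Only the attributes fetched here are copied by -Instance.
$template = Get-ADUser -Identity 'tmpl.reporter' `
    -Properties Department, Description, Office, Company, ScriptPath, HomeDrive, HomeDirectory

foreach ($row in Import-Csv -Path $csvPath) {
    # First.Last, lower case, cut to the 20-character sAMAccountName limit
    $sam = ("$($row.First).$($row.Last)").ToLowerInvariant()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists; resolve per naming policy before retrying"
        continue
    }

    # One-time password: 24 random bytes, base64-encoded (never a fixed initial password)
    $bytes = New-Object byte[] 24
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # Parameters given explicitly override the values copied from the template.
    New-ADUser -Instance $template `
        -Name "$($row.First) $($row.Last)" -GivenName $row.First -Surname $row.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Department $row.Department -Path $ou `
        -AccountPassword $initialPw -ChangePasswordAtLogon $true -Enabled $true

    # Group membership is a back-link, not an attribute, so copy it separately.
    Get-ADPrincipalGroupMembership -Identity $template |
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $sam }
}
```

The one-time password has to reach the user by some out-of-band route; the script deliberately does not write it anywhere. If accounts are created ahead of a start date, swap -Enabled $true for $false and enable them on the day, as slide 14 suggests.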
18. Groups
• Used to ease the burden of administering resources for users.
• By clustering users based on their shared needs, the work can be reduced, clarified and made less error-prone.
• For example, if the Sales Department contains 15 people, consider the difference in administration workload if they all need access to 5 resources: 75 individual permission entries, each of which must be revoked when someone leaves, versus 5 entries for one group.
Solution: use a group to manage the required workload.
19. Active Directory Groups
• Groups and Group Policy are not directly related, but a Group Policy can be security-filtered so that it applies only to members of a group (more on group policies in later sessions).
• A group is not restricted by the structure of the AD DS tree: its members can come from any OU.
• Groups are generally used to cluster resources and users.
20. Creating New Groups
• As with Users, Groups can be maintained using the Active Directory
Users and Computers snap-in.
• To add new groups, need to have elevated rights (i.e. members of
Enterprise Admins, Domain Admins, Account Operators or those
who have been explicitly granted the right)
• Once the group has been created, can then add new members via
the properties dialogue, or via Powershell.
Examples:
1. dsadd group <groupDN> [parameters] -scope l|g|u
e.g. dsadd group "cn=copyeditors,ou=personnel,dc=dailyplanet,dc=com" -scope g
2. New-ADGroup <group name> -GroupScope DomainLocal|Global|Universal
e.g. New-ADGroup "copyeditors" -GroupScope Global
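The Sales example from slide 18, carried through to the resource, as an added example (not code from the slides): create the group, fill it from the Department attribute so that joiners and leavers are handled by one attribute change, and put a single ACE for the group on the shared folder. The group name, OU, share path and the NetBIOS domain name are assumptions, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the slides): the Sales scenario from slide 18.
# Create a global security group, keep its membership in step with the
# Department attribute, and grant the group (not the 15 users) Modify on a
# shared folder. Names, OU, share path and domain are assumptions.
Import-Module ActiveDirectory

$groupName = 'Sales-Staff'
$ou        = 'OU=Groups,DC=dailyplanet,DC=com'
$share     = 'D:\Shares\Sales'
$domain    = 'DAILYPLANET'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou `
        -Description 'All Sales department staff; membership is derived from the Department attribute'
}

# Joiners: everyone enabled with Department = Sales belongs in the group.
$sales = Get-ADUser -Filter { Department -eq 'Sales' -and Enabled -eq $true }
if ($sales) { Add-ADGroupMember -Identity $groupName -Members $sales }

# Leavers: the case that per-user ACLs get wrong. Remove anyone no longer in Sales.
$stale = Get-ADGroupMember -Identity $groupName |
         Where-Object { $_.SamAccountName -notin $sales.SamAccountName }
if ($stale) { Remove-ADGroupMember -Identity $groupName -Members $stale -Confirm:$false }

# Resource side: one ACE for the group, inherited down the folder tree.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$domain\$groupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: the folder should carry the group, never individual Sales users.
(Get-Acl -Path $share).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run the membership part on a schedule and the ACL part once; after that, access changes are made in the directory, and the folder never needs touching again.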
21. Computer Objects
• A logical representation in Active Directory Domain
Services of a physical object.
• Authorises that physical device as a legitimate member
of a domain.
• Has a name, location and who is allowed to manage it.
• Inherits group policy settings from its containers. e.g.
domain, site or OU.
• During user logon, the computer first authenticates itself to the domain controller with its own account and password (the secure channel); only if that succeeds does the user’s authentication and authorisation take place.
22. Adding a Computer to a Domain
• First create the computer object in AD DS.
• Then join computer to the domain.
• (the computer object can be created as part of the
domain-joining process)
• To create a computer object, user must have appropriate
permissions for the container in which the object will be
located :–
• Administrators can create objects anywhere in the
domain.
• Account Operators can create objects in the Computers container (and in OUs they create).
23. Creating Computer Objects – AD DS Users and Computers
• Use the Active Directory Users and Computers console (New | Computer on the target container).
24. Creating Computer Objects – PowerShell
1. Use dsadd.exe
Syntax:
dsadd computer <computerDN> [parameters]
Example:
dsadd computer "cn=webserver1,cn=computers,dc=dailyplanet,dc=com"
2. Use the PowerShell cmdlet New-ADComputer
Syntax:
New-ADComputer <computer name> [-Path <containerDN>]
Example:
New-ADComputer "webserver1"
(inserts the new computer into the Computers container by default; use -Path to put it in an OU so it picks up that OU’s Group Policy)
25. Joining Computers to a Domain
• Must be done at the computer itself by a member of the local Administrators group; you will also be prompted for a domain account with permission to join computers to the domain.
• Use the System Properties dialogue box.
• Either specify a name that already exists in AD DS (but has not yet been associated with a machine), so the pre-staged object is used,
• or specify a new name, and the computer object is created on the fly (in the Computers container).
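The two slides above are one procedure: pre-stage the object in the OU whose Group Policy the machine should receive, then join. The block below is an added example (not from the slides) that does both with the ActiveDirectory module and Add-Computer; the first part runs on a management host, the second on the workstation itself as a local administrator. The OU, domain, computer name and description are assumptions.

```powershell
# Added example (not from the slides): pre-stage a computer object in the
# correct OU, then join the workstation so it uses that object rather than a
# fresh one in CN=Computers. OU, domain and names are assumptions.
Import-Module ActiveDirectory

$name   = 'CIB205-13'                    # descriptive room-pc naming from slide 6
$ou     = 'OU=LabPCs,OU=Workstations,DC=dailyplanet,DC=com'
$domain = 'dailyplanet.com'

# --- 1. Pre-stage (management host, account with rights on the OU) ---
if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
    New-ADComputer -Name $name -SamAccountName $name -Path $ou `
        -Description 'Lab PC, room CIB205, position 13'
}

# --- 2. Join (on the workstation, elevated; Windows PowerShell 5.1) ---
# -NewName renames the machine as part of the join; the credential prompt is
# for a domain account allowed to join computers. Because an object named
# $name already exists in $ou, the join binds to it instead of creating one in
# the Computers container.
$cred = Get-Credential -Message 'Domain account permitted to join computers'
Add-Computer -DomainName $domain -NewName $name -Credential $cred -Restart

# --- 3. Verify (management host, after the reboot) ---
# The object should now show an OS and a recent logon, and still sit in $ou.
Get-ADComputer -Identity $name -Properties OperatingSystem, LastLogonDate, DistinguishedName |
    Select-Object Name, Enabled, OperatingSystem, LastLogonDate, DistinguishedName
```

If step 1 is skipped, Add-Computer accepts -OUPath to create the object directly in the OU; pre-staging is still preferable because the person doing the join then needs no rights to create objects at all, only rights on that one pre-staged account.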
26. Next Time & References
• Group Scope
• How, why, what to assign to groups
• Access control
[1] “The Practice of System and Network Administration”, Limoncelli, Chapter 8.
[2] RFC 822 section 3.4.7 (1982)
[3] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
[4] http://support.microsoft.com/kb/299656