Outline: Administering Active Directory; Administering W2K Server; Learning Objective; Default Domain Controller Policies; Default Domain Policies; Common Objects in AD; Graphic tools for managing AD; Command-line tools for managing AD; Dsadd user command-line; Creating OUs; Slide 10; Exercise 1; Exercise 1 (continued); Adding objects to OUs; Delegating Administrative control of OUs; Planning new User Accounts; Slide 16; Administering user accounts; Administering user accounts: User Profiles; Slide 19; Group type and Group scope; AGLP strategy; Understanding Universal groups; AGUP strategy; Built-in Groups; Special groups

1. Administering Active Directory
Administering W2K Server (Week 9, Wednesday 3/7/2007)
© Abdou Illia, Spring 2007

2. Learning Objective
- Default Domain policies
- Creating OUs and managing their objects
- Controlling access to AD objects
- Administering User accounts
- Administering Group accounts

3. Default Domain Controller Policies
By default, only members of the following groups can log on to the LAN using a DC computer:
- Administrators
- Account Operators
- Print Operators
- Server Operators
- Backup Operators
By default, members of all of the following groups can access a DC from the network:
- Administrators
- Authenticated Users
- Everyone

4. Default Domain Policies
Password policy:
- 24 passwords remembered
- Minimum password age: 1 day
- Maximum password age: 42 days
- Minimum password length: 7 characters
- Password must meet complexity requirements
Account lockout policy:
- No account lockout for invalid passwords

5. Common Objects in AD
- Computer: Represents a computer on the network. Contains information about a computer that is a member of the domain.
- Contact: Typically used to represent external people. Represents an account without security permissions. You cannot log on as a contact.
- Group: Used to simplify management of objects. Can contain users, computers and other groups.
- Printer: Represents a network printer published in AD. Is actually a pointer to a printer.
- User: Represents a user. Contains information needed for login and more.
- Shared Folder: Represents a network share published in AD. Is actually a pointer to the share.
- MSQMA: Message Queuing enables distributed applications running at different times to communicate across networks and with computers that may be offline.

6. Graphic tools for managing AD
- Active Directory Users and Computers: create/manage user accounts, group accounts, computer accounts, OUs, printers, shared folders, policy objects, etc.
- Active Directory Sites and Services
- Active Directory Domains and Trusts

7. Command-line tools for managing AD
- dsadd for adding objects such as user accounts, group accounts, OUs, etc.
- dsmod for modifying object attributes
- dsmove for moving objects within AD
- dsrm for removing objects from AD

8. Dsadd user command-line
Syntax:
dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName] [-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}] [-desc Description] [-memberof Group;...] [-office Office] [-tel PhoneNumber] [-email Email] [-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title] [-dept Department] [-company Company] [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
- UserDN specifies the distinguished name of the user
- SAMName specifies the SAM account name (e.g. jdoe)
- UPN specifies the user principal name (e.g. [email protected])
- GroupDN specifies the distinguished names of the groups the user belongs to.

9. Creating OUs
You should create an OU:
► To group objects that require similar administrative tasks. Example: creating an OU for all temporary employees.
► To delegate administrative control to other users.
You can create an OU under a domain, under a Domain Controller object, or within another OU.
To create an OU, you must have the required permission to add OUs in the OU, under the domain or under the DC object.
Note: By default, all members of the Administrators group have that permission.

10. Creating OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the domain or existing OU where you want to create the OU
3) Click the Action menu. Point to New, then click Organizational Unit.
4) Type the name of the new OU in the Name text box. Click OK

11. Exercise 1
Create a new OU named LastNameOU (where LastName is your last name). The new OU should be directly under your domain (e.g. region1.newcontoso.com).
Note: It might take a few minutes before replication takes place. After replication, all users who are logged onto the domain can see the new OU.

12. Exercise 1 (continued)
Suppose that the replication takes a long time to complete. What if two OUs with the same name are created? Explain what would happen.
________________________________________
Open the Active Directory Users and Computers snap-in. Click Action/Refresh. How many OUs do you see?
________________________________________

13. Adding objects to OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the OU you want to add the object to
3) Click the Action menu. Point to New
4) Click the type of object you want to add.
5) Enter the appropriate information in the dialog box(es) that appear(s).
Exercise 2: Add a new user and a new group to the OU you created earlier. It is up to you to choose the name of the user and the name of the group.

14. Delegating Administrative control of OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the OU for which you want to delegate control
3) Click the Action menu.
4) Click Delegate Control to start the wizard
5) Follow the instructions.

15. Planning new User Accounts
You should plan the naming conventions for user accounts.
Points to consider in determining the naming convention:
- Unique user logon name
  - Domain user account names must be unique to the directory
  - Local user account names must be unique on the computer
- 20 characters maximum
  - The field accepts more than 20 uppercase/lowercase characters, but W2003 recognizes only the first
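As an added example (not part of the slides and not Microsoft's own tooling), the Python helper below assembles the dsadd user command from slide 8 while checking the inputs against the Default Domain Policy values from slide 4 and the 20-character logon-name limit from slide 15. The jdoe-style naming convention, the DoeOU name and the three-of-four-character-classes reading of "complexity requirements" are assumptions; the password is validated locally but passed to dsadd as * so it is prompted for instead of landing in the command history.

```python
import re
import subprocess
# Default Domain Policy values quoted on the slides (Windows Server 2003 defaults).
MIN_PASSWORD_LENGTH = 7
SAM_NAME_MAX = 20  # the slides' "20 characters maximum" for a logon name


def meets_complexity(pwd: str, samid: str) -> bool:
    """Assumed reading of 'must meet complexity requirements': at least three
    of four character classes, and the password must not contain the account name."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, pwd))
    return hits >= 3 and samid.lower() not in pwd.lower()


def password_problems(pwd: str, samid: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(pwd) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not meets_complexity(pwd, samid):
        problems.append("fails complexity requirements")
    return problems


def escape_rdn(value: str) -> str:
    """Escape RFC 4514 special characters so a CN like 'Doe, John' stays one RDN."""
    value = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    return re.sub(r"^([ #])", r"\\\1", value)


def user_dn(cn: str, ou: str, domain: str) -> str:
    """UserDN for dsadd, e.g. CN=John Doe,OU=DoeOU,DC=region1,DC=newcontoso,DC=com."""
    dcs = ",".join(f"DC={part}" for part in domain.split("."))
    return f"CN={escape_rdn(cn)},OU={escape_rdn(ou)},{dcs}"


def build_dsadd_user(first: str, last: str, ou: str, domain: str, candidate_pwd: str) -> list:
    """Check the inputs against the defaults above and return the dsadd argv;
    the password is checked here but passed as '*' so dsadd prompts for it."""
    samid = (first[0] + last).lower()  # assumed convention: first initial + last name
    if len(samid) > SAM_NAME_MAX:
        raise ValueError(f"logon name {samid!r} exceeds {SAM_NAME_MAX} characters")
    problems = password_problems(candidate_pwd, samid)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    dn = user_dn(f"{first} {last}", ou, domain)
    return ["dsadd", "user", dn, "-samid", samid, "-upn", f"{samid}@{domain}",
            "-fn", first, "-ln", last, "-display", f"{first} {last}",
            "-pwd", "*", "-mustchpwd", "yes"]


if __name__ == "__main__":
    argv = build_dsadd_user("John", "Doe", "DoeOU", "region1.newcontoso.com", "Ch4ngeMe!")
    print(subprocess.list2cmdline(argv))  # quoted the way cmd.exe expects
```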
EIU CIS 3700 - CIS3700Class20