Administering Active Directory: Administering W2K Server
(Week 9, Wednesday 3/7/2007)
© Abdou Illia, Spring 2007

Outline
- Learning Objective
- Default Domain Controller Policies
- Default Domain Policies
- Common Objects in AD
- Graphic tools for managing AD
- Command-line tools for managing AD
- Dsadd user command-line
- Creating OUs
- Exercise 1
- Exercise 1 (continued)
- Adding objects to OUs
- Delegating Administrative control of OUs
- Planning new User Accounts
- Administering user accounts
- Administering user accounts: User Profiles
- Group type and Group scope
- AGLP strategy
- Understanding Universal groups
- AGUP strategy
- Built-in Groups
- Special groups

Learning Objective
- Default Domain policies
- Creating OUs and managing their objects
- Controlling access to AD objects
- Administering User accounts
- Administering Group accounts

Default Domain Controller Policies
By default, only members of the following groups can log on locally at a domain controller (the "Log on locally" user right assigned by the Default Domain Controllers Policy):
- Administrators
- Account Operators
- Print Operators
- Server Operators
- Backup Operators
By default, members of all of the following groups can access a DC from the network (the "Access this computer from the network" user right):
- Administrators
- Authenticated Users
- Everyone
The first list is deliberately short: ordinary domain users have no right to an interactive session on a DC, and any group added to it gets a console on the machine that holds the directory database, so treat changes to it as a change to who administers the domain.

Default Domain Policies
Password policy:
- Enforce password history: 24 passwords remembered
- Minimum password age: 1 day
- Maximum password age: 42 days
- Minimum password length: 7 characters
- Password must meet complexity requirements: enabled
Account lockout policy:
- Account lockout threshold: 0, i.e. no account lockout for invalid passwords. With this default, nothing limits password guessing against a domain account except the length and complexity rules above.

Common Objects in AD
Object          Description
Computer        Represents a computer on the network. Contains information about a computer that is a member of the domain.
Contact         Typically used to represent external people. Represents an account without security permissions; you cannot log on as a contact.
Group           Used to simplify management of objects. Can contain users, computers and other groups.
Printer         Represents a network printer published in AD. Is actually a pointer to a printer.
User            Represents a user. Contains the information needed for logon and more.
Shared Folder   Represents a network share published in AD. Is actually a pointer to the share.
MSMQ Queue Alias   Message Queuing enables distributed applications running at different times to communicate across networks and with computers that may be offline.

Graphic tools for managing AD
- Active Directory Users and Computers: create/manage user accounts, group accounts, computer accounts, OUs, printers, shared folders, policy objects, etc.
- Active Directory Sites and Services
- Active Directory Domains and Trusts

Command-line tools for managing AD
- dsadd for adding objects such as user accounts, group accounts, OUs, etc.
- dsmod for modifying object attributes
- dsmove for moving objects within AD
- dsrm for removing objects from AD

Dsadd user command-line
Syntax:
dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName]
    [-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}] [-desc Description]
    [-memberof GroupDN ...] [-office Office] [-tel PhoneNumber] [-email Email]
    [-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber]
    [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title] [-dept Department] [-company Company]
    [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath]
    [-loscr ScriptPath] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
    [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays] [-disabled {yes | no}]
    [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
- UserDN specifies the distinguished name of the user (e.g. cn=John Doe,ou=TempsOU,dc=region1,dc=newcontoso,dc=com)
- SAMName specifies the SAM account name (e.g. jdoe)
- UPN specifies the user principal name (e.g. [email protected])
- GroupDN specifies the distinguished names of the groups the user belongs to (several DNs are separated by spaces)
- -pwd * prompts for the password instead of taking it on the command line, so it does not end up in the shell history

Creating OUs
You should create an OU:
► To group objects that require similar administrative tasks.
  Example: creating an OU for all temporary employees.
► To delegate administrative control to other users.
You can create an OU under a domain, under a Domain Controller object, or within another OU.
To create an OU, you must have the required permission to add OUs in the OU, under the domain or under the DC object.
Note: By default, all members of the Administrators group have that permission.

Creating OUs
1) Open the Active Directory Users and Computers snap-in.
2) Select the domain or existing OU where you want to create the OU.
3) Click the Action menu. Point to New, then click Organizational Unit.
4) Type the name of the new OU in the Name text box. Click OK.

Exercise 1
Create a new OU named LastNameOU (where LastName is your last name). The new OU should be directly under your domain (e.g. region1.newcontoso.com).
Note: It might take a few minutes before replication takes place. After replication, all users who are logged onto the domain can see the new OU.

Exercise 1 (continued)
Suppose that replication takes a long time to complete. What if two OUs with the same name are created? Explain what would happen.
________________________________________________________________________________
Open the Active Directory Users and Computers snap-in. Click Action/Refresh. How many OUs do you see?
________________________________________________________________________________

Adding objects to OUs
1) Open the Active Directory Users and Computers snap-in.
2) Select the OU you want to add the object to.
3) Click the Action menu. Point to New.
4) Click the type of object you want to add.
5) Enter the appropriate information in the dialog box(es) that appear(s).

Exercise 2
Add a new user and a new group to the OU you created earlier.
It is up to you to choose the name of the user and the name of the group.

Delegating Administrative control of OUs
1) Open the Active Directory Users and Computers snap-in.
2) Select the OU for which you want to delegate control.
3) Click the Action menu.
4) Click Delegate Control to start the wizard.
5) Follow the instructions.
The wizard does nothing more than write permission entries on the OU's access control list; objects created beneath the OU inherit them, so delegate at the OU that scopes the work rather than at the domain.

Planning new User Accounts
You should plan the naming conventions for user accounts.
Points to consider in determining the naming convention:
- Unique user logon name
  - Domain user account names must be unique in the directory
  - Local user account names must be unique on the computer
- 20 characters maximum
  The field accepts more than 20 uppercase/lowercase characters, but W2003 recognizes only the first
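Added example, not from the original slides: the provisioning of Exercises 1 and 2 done with the command-line tools from the Dsadd slide instead of the snap-in, with the two checks the Planning slide asks for (unique logon name, 20-character SAM name limit) performed before the account is created. The names are assumptions: the Exercise 1 domain region1.newcontoso.com, an OU DoeOU, a user John Doe with SAM name jdoe, and a global security group TempStaff. It is typed into PowerShell on a Windows Server 2003 domain member or DC that has the ds* tools, by an account with create rights on the domain or a delegated OU.

```powershell
# Added example, not part of the original slides. Names below are assumptions:
# domain region1.newcontoso.com (from Exercise 1), OU DoeOU, user John Doe / jdoe, group TempStaff.
$domainDN = "dc=region1,dc=newcontoso,dc=com"
$ouDN     = "ou=DoeOU,$domainDN"
$groupDN  = "cn=TempStaff,$ouDN"
$sam      = "jdoe"
$userDN   = "cn=John Doe,$ouDN"
$upn      = "$($sam)@region1.newcontoso.com"

# Planning slide: the pre-Windows 2000 logon name (SAM account name) is limited to 20 characters.
if ($sam.Length -gt 20) { throw "SAM account name '$sam' is longer than 20 characters" }

# Planning slide: domain logon names must be unique in the directory.
# dsquery prints the DN of a matching account and nothing when there is none.
$existing = dsquery user -samid $sam
if ($existing) { throw "SAM account name '$sam' is already used by $existing" }

# Default Domain Policies slide: show the password policy the new password must satisfy
# (minimum length, maximum age, lockout threshold) before we are prompted for it.
net accounts /domain

# Creating OUs / Exercise 1: the OU directly under the domain.
dsadd ou $ouDN -desc "Temporary employees"
if ($LASTEXITCODE -ne 0) { throw "dsadd ou failed" }

# Adding objects to OUs / Exercise 2: a global security group inside the OU.
dsadd group $groupDN -secgrp yes -scope g -samid TempStaff
if ($LASTEXITCODE -ne 0) { throw "dsadd group failed" }

# ... and the user. "-pwd *" prompts for the password instead of putting it on the command line
# (and in the shell history); the value must meet the Default Domain Policy (7+ characters,
# complexity on) or dsadd rejects it. -mustchpwd yes forces a change at first logon,
# -disabled no enables the account, -memberof puts it in the group in the same step.
dsadd user $userDN -samid $sam -upn $upn -fn John -ln Doe -display "John Doe" `
    -pwd * -mustchpwd yes -disabled no -memberof $groupDN
if ($LASTEXITCODE -ne 0) { throw "dsadd user failed" }

# Verify: dsget lists the groups the new account belongs to.
dsget user $userDN -memberof
```

The checks run before anything is written: an over-long SAM name would be silently truncated at 20 characters, and a duplicate one makes dsadd fail only after the OU and group already exist. Every step tests $LASTEXITCODE because the ds* tools report errors through their exit code, not through a PowerShell exception.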