EIU CIS 3700 - CIS 3700 Administering Active Directory

This preview shows page 1-2-3 out of 9 pages.


Slide 1: Administering Active Directory
Administering W2K Server
(Week 9, Wednesday 3/7/2007)
© Abdou Illia, Spring 2007

Slide 2: Learning Objective
- Default Domain policies
- Creating OUs and managing their objects
- Controlling access to AD objects
- Administering User accounts
- Administering Group accounts

Slide 3: Default Domain Controller Policies
- By default only members of the following groups could log on to the LAN using a DC computer:
  - Administrators
  - Account Operators
  - Print Operators
  - Server Operators
  - Backup Operators
- By default, members of all of the following groups could access a DC from the network:
  - Administrators
  - Authenticated Users
  - Everyone

Slide 4: Default Domain Policies
Password policy:
- 24 passwords remembered
- Minimum password age: 1 day
- Maximum password age: 42 days
- Minimum password length: 7 characters
- Password must meet complexity requirements
Account lockout policy:
- No account lockout for invalid passwords

Slide 5: Common Objects in AD
- Contact: Typically used to represent external people. Represents an account without security permissions. You cannot log on as a contact.
- Group: Used to simplify management of objects. Can contain users, computers and other groups.
- User: Represents a user. Contains information needed for login and more.
- Shared Folder: Represents a network share published in AD. Is actually a pointer to the share.
- Printer: Represents a network printer published in AD. Is actually a pointer to a printer.
- Computer: Represents a computer on the network. Contains information about a computer that is a member of the domain.
- MSMQ: Message Queuing enables distributed applications running at different times to communicate across networks and with computers that may be offline.

Slide 6: Graphic tools for managing AD
- Active Directory Users and Computers: Create/manage user acc., group acc., computer acc., OU, printers, shared folders, policy objects, etc.
- Active Directory Sites and Services
- Active Directory Domains and Trusts

Slide 7: Command-line tools for managing AD
- dsadd for adding objects such as: user acc., group acc., OUs, etc.
- dsmod for modifying object attributes
- dsmove for moving objects within AD
- dsrm for removing objects from AD

Slide 8: Dsadd user command-line
Syntax:

    dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial]
      [-ln LastName] [-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}]
      [-desc Description] [-memberof Group;...] [-office Office] [-tel PhoneNumber]
      [-email Email] [-hometel HomePhoneNumber] [-pager PagerNumber]
      [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber]
      [-webpg WebPage] [-title Title] [-dept Department] [-company Company]
      [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:]
      [-profile ProfilePath] [-loscr ScriptPath] [-mustchpwd {yes | no}]
      [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
      [-acctexpires NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}]
      [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]

- UserDN specifies the distinguished name of the user
- SAMName specifies the SAM account name (e.g. jdoe)
- UPN specifies the user principal name (e.g. [email protected])
- GroupDN specifies the distinguished names of the groups the user belongs to.

Slide 9: Creating OUs
- You should create an OU:
  ► To group objects that require similar administrative tasks. Example: Creating an OU for all temporary employees.
  ► To delegate administrative control to other users.
- You can create an OU under a domain, under a Domain Controller object, or within another OU.
- To create an OU, you must have the required permission to add OUs in the OU, under the domain or under the DC object.
Note: By default, all members of the Administrators group have that permission.

Slide 10: Creating OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the domain or existing OU where you want to create the OU
3) Click the Action menu. Point to New, then click Organizational Unit.
4) Type the name of the new OU in the Name text box. Click OK

Slide 11: Exercise 1
- Create a new OU named LastNameOU (where LastName is your last name). The new OU should be directly under your domain (e.g. region1.newcontoso.com)
Note: It might take a few minutes before the replication takes place. After replication, all users who are logged onto the domain can see the new OU.

Slide 12: Exercise 1 (continued)
- Suppose that the replication takes a long time to complete. What if two OUs with the same name are created? Explain what would happen.
  ________________________________________
- Open the Active Directory Users and Computers snap-in. Click Action/Refresh. How many OUs do you see?
  ________________________________________

Slide 13: Adding objects to OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the OU you want to add the object to
3) Click the Action menu. Point to New
4) Click the type of object you want to add.
5) Enter the appropriate information in the dialog box(es) that appear(s).
Exercise 2: Add a new user and a new group to the OU you created earlier. It is up to you to choose the name of the user and the name of the group.

Slide 14: Delegating Administrative control of OUs
1) Open the Active Directory Users and Computers snap-in
2) Select the OU for which you want to delegate control
3) Click the Action menu.
4) Click Delegate Control to start the wizard
5) Follow the instructions.

Slide 15: Planning new User Accounts
- You should plan the naming conventions for user accounts.
Points to consider in determining the naming convention:
- Unique user logon name:
  - Domain user account names must be unique to the directory
  - Local user account names must be unique on the computer
- 20 characters maximum: The field accepts more than 20 uppercase/lowercase characters, but W2003 recognizes only the first 20.
- Invalid characters: Invalid characters are: / \ [ ] : ; | = , + * ? < > @ "

Slide 16: Planning new User Accounts
- You should also plan account options, such as logon hours, computers from which users can log on, and account expiration.
- Logon hours: By default W2003 allows users to access 24/7. You can determine the logon days/hours.
- Computers from which users can log on: By default, users can log on to the domain by using any computer in the domain. For security, you can restrict users to logging on only from their own computers.

Slide 17: Administering
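The script below carries Exercises 1 and 2 out from the command line with the dsadd syntax of slide 8, after checking the planned logon name against the naming rules of slide 15. It is an added example, not part of the original slides; IlliaOU, TempStaff, jdoe and John Doe are constructed placeholder names, and the domain is the one the exercise mentions.

```powershell
# Added example. IlliaOU, TempStaff, jdoe and "John Doe" are constructed placeholders.
$domainDN = 'DC=region1,DC=newcontoso,DC=com'    # domain named in Exercise 1
$dnsName  = 'region1.newcontoso.com'
$ouDN     = "OU=IlliaOU,$domainDN"
$groupDN  = "CN=TempStaff,$ouDN"
$userDN   = "CN=John Doe,$ouDN"
$sam      = 'jdoe'

# Slide 15 rules: no invalid characters, at most 20 characters.
function Test-LogonName([string]$Name) {
    $invalid = '/\[]:;|=,+*?<>@"'.ToCharArray()
    if ([string]::IsNullOrEmpty($Name))    { return 'name is empty' }
    if ($Name.IndexOfAny($invalid) -ge 0)  { return 'name contains an invalid character' }
    if ($Name.Length -gt 20)               { return 'only the first 20 characters are recognized' }
    return $null                           # no problem found
}

$problem = Test-LogonName $sam
if ($problem) { throw "Rejected logon name '$sam': $problem" }

# Slide 15 uniqueness rule: dsquery prints the DN of any account already using the name.
if (dsquery user domainroot -samid $sam) { throw "Logon name '$sam' is already in use" }

# Exercise 1: the OU directly under the domain.
dsadd ou $ouDN -desc 'Temporary employees'

# Exercise 2: a global security group, then a user that is a member of it.
dsadd group $groupDN -secgrp yes -scope g -samid TempStaff

# -pwd * prompts for the password, so it never appears on the command line or in
# shell history; the value typed must satisfy the Default Domain Policy (slide 4).
dsadd user $userDN -samid $sam -upn "$sam@$dnsName" -fn John -ln Doe `
    -memberof $groupDN -pwd '*' -mustchpwd yes -canchpwd yes `
    -reversiblepwd no -pwdneverexpires no -disabled no

# Confirm the result: group membership of the new account.
dsget user $userDN -memberof
```

Run it from a session on a domain member with permission to add OUs under the domain, which by default the Administrators group has.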

