Lab 5-1: Designing Security Groups and User Rights

Lab Objectives

This lab prepares you to design security groups and user rights assignments by meeting the following objectives:

  • Determine the correct group type and group scope for a required group
  • Determine a methodology to use for group creation
  • Determine where to apply user rights in Active Directory for a given scenario

About This Lab

This lab looks at the design of security groups for an n-tiered client/server deployment for Contoso Ltd. (where n represents the number of tiers). The client/server deployment involves clients and servers spread among Contoso's four domains.

Before You Begin

Make sure that you've completed reading the chapter material before starting the lab. For information on designing your administrative structure, pay close attention to the sections where the design decisions were applied throughout the chapter.

Scenario: Contoso Ltd.

Contoso Ltd., an international magazine sales company, wants to develop a methodology for creating security groups and deploying user rights in their organization. You've been asked to assist with designing the necessary user rights and security groups for the deployment of a new Human Resources application.

The Human Resources Application

The new Human Resources (HR) application is an Active Directory–integrated application that uses an n-tiered client/server model for the storage of Human Resources-related information.

The Human Resources application categorizes its users into one of four categories. Every location has users who fall into each of the four categories, and a user must be placed into only one of them. The four categories of user access for the Human Resources application are defined in the following table:

Category              Access Level
Application Managers  Must have full control of all areas of the application to manage and configure the application.
HR Manager            Must be able to grant access to the Human Resources application and determine the level of access to the application. Can assign any level of access except Application Manager.
HR Department         Able to modify content in Human Resources-related documents and databases.
Employee              Able to view all Human Resources public documents, including job postings, weekly bulletins, and United Way campaign information.

As an n-tiered application, the Human Resources application takes advantage of the Windows 2000 capability to use Kerberos delegation. This allows the Human Resources application service account to process queries in the security context of the user running the application, rather than with the permissions of the system account.

To allow impersonation, the Human Resources application service account must hold the Log on as a service and Act as part of the operating system user rights. This service account is used on all servers involved in the Human Resources application deployment. It isn't used at the client computers running the front-end application.

Deployment of the Human Resources Application Servers

The application servers that support the Human Resources application are spread among the Seattle, Lima, and London offices, as shown in Figure 5.9.


Figure 5.9 Application server distribution for the Human Resources application

In Seattle all job postings are stored on the server called HRSeattle. When a query on job postings is made, the request is redirected to the HRSeattle server without the knowledge of the user running the Human Resources application.

In Lima a server has been configured that stores common Human Resources reports. The reports are physically located on the HRLima server, but they are accessible from the Web server in London through a virtual directory in Internet Information Services (IIS). The company is concerned about access times for the Human Resources reports because of the slow 56 K WAN link between London and Lima, as shown in Figure 5.10.


Figure 5.10 Wide Area Network for Contoso Ltd.

In London two servers are deployed for the Human Resources application. The HRLondon server contains most of the application data used by the Human Resources application. When a client queries the HRLondon server, the query returns only the result set permitted by the calling user's credentials, because with Kerberos delegation all queries run in the security context of the calling user.

Exercise 1: Designing Security Groups

This exercise looks at designing the security groups required for Contoso's Human Resources application deployment. Answers to these questions can be found in the appendix.

  1. What factors would make you choose an A-G-DL-P methodology for creating groups for Contoso's Human Resources application?


  2. If you use A-G-U-DL-P to define security for the HR application, what must you do to reduce WAN replication?


  3. Assuming that you use A-G-DL-P as your security group methodology, in the following table define all global groups that you must create for the Human Resources application. Use existing groups if possible.

    Category              Global Group(s)    Membership
    Application Managers
    HR Managers
    HR Department
    Employees
  4. Assuming that you use A-G-DL-P as your security group methodology, in the following table define all domain local groups that must be defined at the London domain. Include the membership of each group and where the domain local group will be used.

    Domain Local Group    Membership    Where Deployed
       

  5. Assuming that you use A-G-DL-P as your security group methodology, in the following table define all domain local groups that must be defined at the Lima domain. Include the membership of each group and where the domain local group will be used.

    Domain Local Group    Membership    Where Deployed
       

  6. Assuming that you use A-G-DL-P as your security group methodology, in the following table define all domain local groups that must be defined at the Seattle domain. Include the membership of each group and where the domain local group will be used.

    Domain Local Group    Membership    Where Deployed
       

  7. If you used A-G-U-DL-P, which additional group memberships would you need to define?


  8. If universal groups are deployed, what can you do to reduce the amount of WAN traffic related to global catalog replication?


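To make the group-scope rules behind the A-G-DL-P questions concrete, here is an added Python model (not code from the training kit) that enforces the Windows 2000 native-mode scope rules and resolves access along an A-G-DL-P chain. The group names, the lowercase domain labels seattle, lima and london, and the user ana@lima are assumptions for the illustration, not the lab's answer key.

```python
# Added model (not from the training kit): Windows 2000 group scopes and the A-G-DL-P chain.
class Forest:
    def __init__(self):
        self.groups = {}   # name -> {"domain", "scope" ("global"/"domainlocal"), "members"}
    def add_group(self, name, domain, scope):
        self.groups[name] = {"domain": domain, "scope": scope, "members": set()}
    def add_member(self, group, member):
        """Nest a user ('ana@lima') or a group, enforcing native-mode scope rules."""
        g = self.groups[group]
        if "@" in member:
            m_domain, m_scope = member.split("@", 1)[1], "user"
        else:
            m_domain, m_scope = self.groups[member]["domain"], self.groups[member]["scope"]
        # Global groups hold only users and global groups from their own domain.
        if g["scope"] == "global" and (m_domain != g["domain"] or m_scope == "domainlocal"):
            raise ValueError(f"{member} cannot be a member of global group {group}")
        # Domain local groups take members from any domain, but not foreign domain local groups.
        if g["scope"] == "domainlocal" and m_scope == "domainlocal" and m_domain != g["domain"]:
            raise ValueError(f"{member} cannot be nested into {group}")
        g["members"].add(member)
    def users_of(self, group):
        """Flatten nested membership into the set of user principals."""
        users = set()
        for m in self.groups[group]["members"]:
            users |= {m} if "@" in m else self.users_of(m)
        return users
    def can_access(self, user, resource_domain, dl_group):
        """P: the permission sits on a domain local group in the resource's own domain."""
        g = self.groups[dl_group]
        if g["scope"] != "domainlocal" or g["domain"] != resource_domain:
            raise ValueError(f"{dl_group} cannot be used on a resource in {resource_domain}")
        return user in self.users_of(dl_group)

def rejected(forest, group, member):
    # True if the scope rules reject this membership (the directory would refuse the change).
    try:
        forest.add_member(group, member)
        return False
    except ValueError:
        return True

def build_contoso():
    # Assumed layout: HR Department staff in three domains modify data on HRLondon (London domain).
    f = Forest()
    f.add_group("DL-HRLondon-Modify", "london", "domainlocal")  # DL: lives in the resource's domain
    for d in ("seattle", "lima", "london"):
        f.add_group(f"G-HRDept-{d}", d, "global")               # G: one global group per domain
        f.add_member("DL-HRLondon-Modify", f"G-HRDept-{d}")     # G nested into DL across domains
    f.add_member("G-HRDept-lima", "ana@lima")                   # A: accounts go into global groups
    return f
```

The two raises are where the design, rather than the directory, is wrong: a domain local group from Lima cannot carry permissions on HRLondon, and a Lima user cannot be put into a London global group, which is why the chain crosses domains at the G-into-DL step.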

Exercise 2: Designing User Rights

The Human Resources application requires a service account that will be used at all application servers involved in running the HR application. Answers to these questions can be found in the appendix.

  1. What must you ensure when you choose the name of the Human Resources service account?


  2. In which domain would you create the service account to prevent administrators at regional offices from modifying the service account's properties?


  3. Does the decision on which domain to create the service account in affect the usage of the service account?


  4. Assuming that all Human Resources application servers are installed as non-domain controllers, what Active Directory design must you use to apply the service account user rights?


  5. What user rights must you apply to the Human Resources application service account?


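For the service account rights in this exercise, here is an added Python audit helper (not from the training kit) that reads the [Privilege Rights] section of a secedit export and reports any grantee of Log on as a service or Act as part of the operating system that is not on an expected list. The SIDs, the service account, and the sample export are constructed for the illustration.

```python
# Added audit helper (not from the training kit): list who holds the two user rights the HR
# service account needs, from a `secedit /export /cfg <file> /areas USER_RIGHTS` file.
# All SIDs below and the sample export are constructed for the illustration.
HR_SERVICE_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
}
SVC_HR_SID = "S-1-5-21-1000-2000-3000-1105"      # constructed SID for the HR service account
EXPECTED = {                                      # allowlist: who may hold each right
    "SeServiceLogonRight": {SVC_HR_SID},
    "SeTcbPrivilege": {SVC_HR_SID},
}
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105
SeTcbPrivilege = *S-1-5-21-1000-2000-3000-1105,*S-1-5-21-1000-2000-3000-1210
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set(grantee)} from the [Privilege Rights] section of an export."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # Exported SIDs carry a leading '*'; account names (when present) do not.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def unexpected_holders(rights, expected=EXPECTED):
    """Grantees of each watched right that are outside the allowlist, keyed by right name."""
    findings = {}
    for right in HR_SERVICE_RIGHTS:
        extra = rights.get(right, set()) - expected.get(right, set())
        if extra:
            findings[right] = sorted(extra)
    return findings

def audit(text=SAMPLE_EXPORT):
    """Human-readable lines: one per unexpected holder of a watched right."""
    return [f"{HR_SERVICE_RIGHTS[r]} ({r}) also granted to {sid}"
            for r, sids in unexpected_holders(parse_privilege_rights(text)).items() for sid in sids]
```

Because Act as part of the operating system amounts to full control of the host, the policy that grants it belongs on an OU that holds only the HR application servers, and an export from each server can be run through this check to confirm nothing beyond the service account has acquired it.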

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172
