Managing Objects in Active Directory


Objects within the directory can be managed through the use of the ldifde and csvde utilities described earlier in this chapter, as well as through the use of the Active Directory Users and Computers MMC snap-in and the command-line utilities detailed in Table 2.1. We'll review the use of the latter two options in the next section.

Managing User Objects

One of the most widely recognized security principals in the Active Directory environment is the User object, which is used to authenticate the identity of the user, authorize or deny access to resources, and administer other security settings. It is the object to which rights and permissions are granted, the identity under which services can be started and stopped, the object whose administration can be delegated, and generally the object most familiar to users.

The user account is given a unique name and password, and can have many other options configured to allow or restrict its access to resources located throughout the directory's scope. A proper naming scheme must include planning for uniqueness within the expected scope of the account's creation, as well as planning for later extensibility in the event of business growth.


A user account has four associated names: the user logon name, the pre-Windows 2000 logon name, the principal logon name (the user principal name, or UPN), and the Lightweight Directory Access Protocol (LDAP) relative distinguished name.

The user logon name is the name entered in the New Object - User dialog box and forms the prefix of the UPN. The pre-Windows 2000 logon name that is generated from it is limited to 20 characters (characters beyond 20 are dropped) and can be made up of uppercase (A-Z), lowercase (a-z), numeric (0-9), and symbol characters; the characters " / \ [ ] : ; | = , + * ? < > are not allowed. Example: dyuser

The pre-Windows 2000 logon name (the sAMAccountName attribute) is used for NetBIOS-style logons, either alone or as the single-label (NetBIOS) domain name, a backslash, and the logon name. Example: MYDOMAIN\SomeUser

The principal logon name, or UPN, is composed of the user logon name, an @ sign, and a UPN suffix, which by default is the fully qualified domain name (FQDN) of the domain to which the account belongs. Example: myuser@mydomain.mycorp.com

The LDAP relative distinguished name (RDN) is the leftmost component of the account's distinguished name, CN=johnsmith in the example below. The full distinguished name (DN) is the RDN followed by the DN of the container that holds it, and identifies the account by its location in the directory. Example: CN=johnsmith,CN=Users,DC=mycorp,DC=com

The RDN must be unique within its container (generally an OU, or a default container such as Users in the example given); because the DN is the RDN plus the DN of its parent, every DN is unique across the directory. The pre-Windows 2000 logon name must be unique within the domain. The UPN must be unique within the forest.


Several user accounts are created by default in Windows Server 2003:

  • Administrator This is the predefined master administration account. It is a member of the Administrators, Domain Admins, Domain Users, and Group Policy Creator Owners groups by default. If it belongs to the forest root domain, it is also a member of the Enterprise Admins and Schema Admins groups. This account cannot be deleted. Windows Server 2003 does allow it to be disabled (Windows 2000 did not), but a disabled Administrator account can still log on in Safe Mode, so disabling it is no substitute for a strong password. Renaming the Administrator account is a recommended practice, with an unprivileged, disabled account of the same name created to catch automated hacking tools that try the default name. Keep in mind that renaming does not change the account's SID, which always ends in the well-known relative identifier (RID) 500, so an attacker who can enumerate accounts by SID can still identify it.

  • ASPNET This account is used by the .NET Framework to run ASP.NET processes. It is a member of the Domain Users group by default, and can perform all tasks available to a normal user.

  • Guest An unprivileged account created in a disabled condition. It is a member of the Domain Guests and Guests groups by default. If you decide to use this account for any purpose, it is recommended that you change its name and create a new, disabled, unprivileged account of the same name to prevent some types of account abuse.

  • Support This account (named SUPPORT_388945a0) is used by the Help and Support service to run processes and batch jobs. It is created disabled and is a member of the HelpServicesGroup and Domain Users groups by default.

Additional applications and services can create specific service and access accounts, such as the IUSR_< computername > and IWAM_< computername > accounts created by the installation of IIS. There are also three predefined built-in identities (not directory objects, and with no password for an administrator to manage) under which Windows services run:

  • LocalSystem (NT AUTHORITY\SYSTEM) The most powerful local identity. It has full access to the local computer and nearly every user right, and when it reaches out to the network it authenticates as the computer's domain account. A compromised service running as LocalSystem is a compromise of the host, so it should be used only by services that genuinely require it.

  • LocalService (NT AUTHORITY\LOCAL SERVICE) A minimal-privilege identity for services that need only local resources. On the network it presents anonymous (null-session) credentials, so a compromised LocalService process gains nothing in the domain. Services that use this account include the Alerter, Smart Card Helper, and WebClient services.

  • NetworkService (NT AUTHORITY\NETWORK SERVICE) Also minimal local privileges, but on the network it authenticates as the computer account, which suits services that must reach domain resources, such as the DNS Client and the Performance Logs and Alerts service.

Creating a User Object

Before creating user accounts, it's important to plan a naming scheme and a password policy that ensures unique naming and adequate security. When creating new logons that will not be used for a while, it's generally a good idea to disable the accounts to prevent some types of misuse. Even disabled accounts can be exploited in some ways, so account cleanup and deletion of old expired accounts should also be a regular part of your maintenance plan.

We discuss Group Policy settings that are used to configure password policies in Chapter 3, "Managing Access to Resources," but you should be aware of several options that will be presented during account creation:

  • User Must Change Password at Next Logon When you reset a user's password, you'll also be provided this option at that time. Changing a user's password is discussed later in this chapter. It's considered a best practice by Microsoft to require users to change their password to something different at the first logon.

  • User Cannot Change Password This setting is useful when a public, shared, or guest account is used and you want to prevent users from changing the password. This configuration is often used for thin-client and kiosk auto-logon accounts. In addition, service accounts should be configured to prevent self-modification so that a secondary administrative account must be used to change its password.

  • Password Never Expires This option should be used very sparingly and only when absolutely necessary; any account set in this manner must be reviewed for misuse because a fixed password becomes more susceptible to brute force attacks at guessing a password, which are discussed in greater detail in Chapter 7, "Maintaining Network Security." Some service accounts are configured in this way to ease administrative effort, but at the cost of reduced overall security if the password is later compromised.

  • Account Is Disabled This isn't a password setting, but one that's used to restrict some forms of account misuse. When an account is disabled, the user cannot log in again. If a user is logged in at the time this setting is configured, he remains connected until his next logoff , and only then is he unable to log in again. If a user is on an extended leave of absence, the recommended practice is to disable that user's account during the absence.

A new user account can be created using the Active Directory Users and Computers MMC snap-in, as well as through the use of the dsadd.exe utility.


The syntax of the dsadd.exe utility is provided in the Microsoft help file:

 dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial]
       [-ln LastName] [-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}]
       [-desc Description] [-memberof Group ...] [-office Office] [-tel PhoneNumber]
       [-email Email] [-hometel HomePhoneNumber] [-pager PagerNumber]
       [-mobile CellPhoneNumber] [-fax FaxNumber] [-iptel IPPhoneNumber]
       [-webpg WebPage] [-title Title] [-dept Department] [-company Company]
       [-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:]
       [-profile ProfilePath] [-loscr ScriptPath] [-mustchpwd {yes | no}]
       [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}]
       [-acctexpires NumberOfDays] [-disabled {yes | no}] [{-s Server | -d Domain}]
       [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]

To see a listing of all the many parameters and their meanings, type the following at the command-line shell prompt:

 dsadd user /? 

To create a new domain user using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.


    If you need to create a local user account on a member server or standalone server, select the Computer Management MMC snap-in and navigate to Local Users and Groups to create local user and group accounts. Domain controllers will not have the Local Users and Groups node within this MMC.


  2. Navigate to the desired container, right-click, and select New, User from the drop-down menu.

  3. In the New Object - User dialog box, you'll be prompted to provide a first name, middle initial, and last name. The full name will be created for you using this information, although it can then be edited without affecting the original name field entries.

  4. You must enter a user logon name and select the domain in which this user account will be created, which also creates a preWindows 2000 logon name.

  5. After clicking the Next button, you will be prompted to provide a user password and to retype it in the Confirm Password box. Four options are provided as well: User Must Change Password at Next Logon, User Cannot Change Password, Password Never Expires, and Account Is Disabled.


    The User Cannot Change Password option is useful for kiosks and other public limited logons that multiple users might need to access but not be allowed to change the logon password. The Password Never Expires option can weaken security, so it should be used sparingly and only for well- audited service accounts or unprivileged public accounts.


  6. After clicking Next, you might be presented with additional configuration options if you've installed other directory-integrated applications. For example, if you have installed Microsoft's Exchange Server 2003, you'll be provided with the opportunity to create a new mailbox for the user, as shown in Figure 2.9.

    Figure 2.9. New Object - User dialog box showing Exchange mailbox setup options available due to a previously installed Exchange Server within the domain.


  7. After completing any additional integrated configuration items, you'll be presented with a confirmation screen where you must click the Finish button to create the new account.

  8. After creating the user account, you can double-click it within the MMC to open its Properties dialog box where additional details can be configured, such as the user's description, location, Terminal Services settings, COM+ partition, group membership, dial-in permissions, and email settings.


It's also possible to create a new user based on an existing user object by right-clicking the user account and selecting Copy, after which you'll be entered in the New Object - User dialog box, where you'll configure the details for the new account.

This has the advantage of propagating additional configuration settings such as location, description, and group membership from the original template account, making it possible to set up preconfigured role-based accounts very easily after the template accounts have been established.


You can also create a new domain user through the use of the dsadd utility. To create a new user called New User with a SAMid of nuser and a password of Pa55w0rd!, to be located in the Users container within the MyDomain.MyCorp.com domain, you can execute the following within the command-line shell:

 dsadd user "CN=New User,CN=Users,DC=mydomain,DC=mycorp,DC=com" -samid nuser -s MyServer -pwd Pa55w0rd!

Because the distinguished name (DN) includes spaces, it is enclosed in quotation marks. Supplying the password on the command line as shown leaves it in the console buffer and command history and exposes it to anyone who can list the process's command line while it runs; use -pwd * instead to be prompted for it. The command could also specify many more configuration details at the time of account creation, such as -disabled yes for an account that will not be used immediately or -mustchpwd yes to force a password change at first logon.
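The same account created from a script, with the script-level equivalents of the four password options described earlier, as an added example that is not part of the original chapter. It uses the [ADSI] type accelerator (System.DirectoryServices) that ships with Windows PowerShell rather than dsadd; the server name, OU, account name and UPN suffix are assumed placeholders, while the userAccountControl flag values and the Change Password right GUID are the documented constants.

```powershell
# Added example (not from the chapter): create a user with the script-level
# equivalents of the New Object - User password options, via the [ADSI]
# accelerator (System.DirectoryServices) that ships with Windows PowerShell.
# Assumed placeholders: server, OU, account name and UPN suffix.
$server = "MyServer"
$ouDN   = "OU=Staff,DC=mydomain,DC=mycorp,DC=com"
$cn     = "New User"
$samId  = "nuser"                        # pre-Windows 2000 logon name, 20 characters maximum
$upn    = "nuser@mydomain.mycorp.com"

# userAccountControl bit values (ADS_USER_FLAG_ENUM in the Windows SDK)
$UF_ACCOUNTDISABLE     = 0x2
$UF_PASSWD_NOTREQD     = 0x20
$UF_NORMAL_ACCOUNT     = 0x200
$UF_DONT_EXPIRE_PASSWD = 0x10000

# Prompt for the password instead of passing it on the command line, where it
# would sit in the console history and be visible in a process listing.
$secure = Read-Host -Prompt "Initial password for $samId" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$ou   = [ADSI]"LDAP://$server/$ouDN"
$user = $ou.Create("user", "CN=$cn")
$user.Put("sAMAccountName", $samId)
$user.Put("userPrincipalName", $upn)
$user.Put("displayName", $cn)
$user.SetInfo()                          # the object must exist before a password can be set
$user.SetPassword($plain)
$plain = $null

# Objects created over LDAP start with userAccountControl 0x222, which includes
# UF_PASSWD_NOTREQD, so always write the flags explicitly. Account Is Disabled is
# UF_ACCOUNTDISABLE (set here: the safe default for an account not used at once);
# Password Never Expires would be UF_DONT_EXPIRE_PASSWD and is deliberately left off.
$user.Put("userAccountControl", ($UF_NORMAL_ACCOUNT -bor $UF_ACCOUNTDISABLE))

# User Must Change Password at Next Logon is not a flag: it is pwdLastSet = 0,
# written after SetPassword, which stamps pwdLastSet with the current time.
$user.Put("pwdLastSet", 0)
$user.SetInfo()

# User Cannot Change Password cannot be set through userAccountControl over LDAP.
# ADUC implements it as Deny ACEs for the Change Password extended right
# (ab721a53-1e2f-11d0-9819-00aa0040529b) for SELF and Everyone; that is what a
# kiosk or service account gets here. Remove this part for an ordinary user.
$changePwd = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"
foreach ($sid in "S-1-5-10", "S-1-1-0") {                   # SELF, Everyone
    $who  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $who,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $changePwd)
    $user.psbase.ObjectSecurity.AddAccessRule($rule)
}
$user.psbase.CommitChanges()

# Read the result back through a fresh bind and report what was actually stored.
$check = [ADSI]"LDAP://$server/CN=$cn,$ouDN"
$uac   = [int]$check.userAccountControl.Value
$pls   = $check.ConvertLargeIntegerToInt64($check.pwdLastSet.Value)
"Disabled={0} PasswordNeverExpires={1} MustChangeAtNextLogon={2} PasswordRequired={3}" -f `
    (($uac -band $UF_ACCOUNTDISABLE) -ne 0),
    (($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0),
    ($pls -eq 0),
    (($uac -band $UF_PASSWD_NOTREQD) -eq 0)
```

SetPassword through the LDAP provider needs a protected channel to the domain controller (LDAP over SSL or Kerberos), which ADSI negotiates on its own from a domain member. The ordering is deliberate: SetPassword stamps pwdLastSet with the current time, so the zero that forces a change at next logon has to be written afterwards, and the flags are written explicitly because an LDAP-created object otherwise keeps the "password not required" bit.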

When configuring a user account, several key items should be specified to better control the use of resources by the new account's logon, particularly the following:

  • Home folder The UNC path specifying the location in which the user's home file storage (the My Documents folder target location) will be located.

  • Logon script The UNC path and filename of a logon script (optional) if logon scripts are used.

  • Profile path The UNC path specifying the location to be used to store the user account's profile, which includes desktop and user interface settings and other application data.

When configuring these values, it's often desirable to customize the path structure based on username or other environment variables, including

  • %HomeDrive% The drive letter mapped to a user's home directory.

  • %HomePath% The path of the user's home directory without the drive letter. When the home folder is on a network share, %HomeShare% holds the UNC path of that share.

  • %SystemRoot% The directory for the operating system installation, such as C:\Windows or C:\WinNT.

  • %UserName% The user account name, such as johndoe, which can be used to configure the home directory so that each user obtains her own folder within a common file store location. When you enter a home folder path such as \\fileserver\home\%username% on the Account tab and apply it, the snap-in expands the variable, creates the folder if it does not already exist, and grants the user full control over it. Check that the share and the parent folder's permissions do not let other users browse into one another's folders.

On the Account tab within the properties of a user account, two buttons provide control over logon time and locations:

  • Logon Hours This button provides access to a graphical interface in which the logon permissible hours can be defined, such as only weekdays between the hours of 8 a.m. and 5 p.m., as shown in Figure 2.10.

    Figure 2.10. The graphical user interface selecting allowable logon hours for Xavior C. User.


  • Log On To This button provides access to a dialog box allowing specification of the particular computers that can be used by the user to log on. The default setting is All Computers.

Deleting User Objects

A user account can be deleted using the Active Directory Users and Computers MMC snap-in, as well as through the use of the dsrm.exe utility.


The syntax of the dsrm.exe utility is provided in the Microsoft help file:

 dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [{-s Server | -d Domain}]
      [-u UserName] [-p {Password | *}] [-c] [-q] [{-uc | -uco | -uci}]

To see a listing of all the parameters and their meanings, type the following at the command-line shell prompt:

 dsrm /? 

To delete a domain user using the Active Directory Users and Computers MMC snap-in, you should perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired container and account, right-click to select the target account, and select Delete from the drop-down menu. It's possible to select multiple accounts for deletion at the same time by holding down the Shift or Ctrl key while performing the selection operation.

  3. You'll be prompted to confirm the deletion. If additional integrated services are present, such as Microsoft Exchange Server 2000 or later, you'll be given the chance to exclude contained objects, such as the electronic mailbox associated with the account.

You can also delete a domain user account through the use of the dsrm utility. To delete the user New User created in the previous exercise, execute the following within the command-line shell:

 dsrm "CN=New User,CN=Users,DC=mydomain,DC=mycorp,DC=com" -s MyServer

Note that dsrm takes the object's DN directly and has no user subcommand; the same command deletes an object of any class, and by default it prompts for confirmation. Be especially careful when combining the -subtree and -noprompt switches: run against an OU, they remove the OU and every object beneath it without confirmation, and recovering those objects in Windows Server 2003 requires an authoritative restore from backup.

Modifying User Objects

Two of the more common management actions you might be required to perform on user accounts are the resetting of passwords and the disabling or enabling of accounts. These actions can be performed using the Active Directory Users and Computers MMC snap-in, as well as the command-line dsmod.exe utility.


The dsmod.exe utility operates in several configurations, allowing modification to the attribute values of user accounts ( dsmod user < parameters > ), computer accounts ( dsmod computer < parameters > ), group objects ( dsmod group < parameters > ), and other object types, including contacts, OUs, and servers. It's a good idea to review the various uses of this flexible command.



The syntax of the dsmod.exe utility used for modification to user accounts is provided in the Microsoft help file:

 dsmod user UserDN ... [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName]
       [-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}]
       [-desc Description] [-office Office] [-tel PhoneNumber] [-email E-mailAddress]
       [-hometel HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber]
       [-fax FaxNumber] [-iptel IPPhoneNumber] [-webpg WebPage] [-title Title]
       [-dept Department] [-company Company] [-mgr Manager] [-hmdir HomeDirectory]
       [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr ScriptPath]
       [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
       [-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays] [-disabled {yes | no}]
       [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-c] [-q]
       [{-uc | -uco | -uci}]

To see a listing of all the many parameters and their meanings, type the following at the command-line shell prompt:

 dsmod user /? 

To modify the attributes of one or more domain user accounts using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired container and account, right-click to select the target account, and select Properties from the drop-down menu. It is possible to select multiple accounts for modification at the same time by holding down the Shift or Ctrl key while performing the selection operation. When you do this, it opens a special dialog box that allows the selection of the specific attributes that will be modified across all selected accounts, as shown in Figure 2.11.

    Figure 2.11. Properties on Multiple Objects dialog box showing several common values that will be applied to all selected objects.


  3. By clicking the Apply button, the specified changes will be made to the selected user account or accounts.

To reset the password of a domain user account using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers. To change the password of a local user account on a member server or standalone server, select the Computer Management MMC snap-in here and navigate to Local Users and Groups.

  2. Navigate to the desired container and account, right-click to select the target account, and select Reset Password from the drop-down list of options.

  3. You're then prompted to enter the new password twice to confirm it, and presented with a check box to specify whether the user must change his password at the next logon.

  4. After clicking the OK button, the new password is written to the domain controller you are connected to and is then pushed immediately to the PDC emulator rather than waiting for the next replication cycle. Other domain controllers receive it through normal replication, but a domain controller that rejects a logon because it has not yet received the new password retries the authentication against the PDC emulator, so the change is effective immediately regardless of the server used to authenticate the user logon.

To disable or enable a domain user account using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired container and account, right-click to select the target account, and select Disable Account (or Enable Account for currently disabled accounts) from the drop-down list of options.

  3. You will be notified that the account has been Disabled (or Enabled, if that is the case).

If an account has been locked out due to too many failed logon attempts for the currently configured password lockout policy settings, you'll need to unlock the account to allow the authorized user to be able to log on once more.

To unlock a domain user account using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired container and account, right-click to select the target account, and select Unlock Account from the drop-down list of options.

  3. You will be notified that the account has been unlocked. It's a good idea to review your security logs to determine the source of the account lockout, in the event that the lockout was not accidental. Users should also be reminded to change their passwords regularly to ensure that repeated guessing does not eventually find the correct password.

Locating User Objects

In large organizations with complex multilevel organizational unit structures, it's often very difficult to locate an individual user account by browsing through the OU hierarchy. Locating accounts that conform to particular search criteria can be performed using the Active Directory Users and Computers MMC snap-in, as well as the command-line dsquery.exe utility. Common queries can also now be saved to simplify later recurring lookups.


The syntax of the dsquery.exe utility used to locate user accounts is provided in the Microsoft help file:

 dsquery user [{StartNode | forestroot | domainroot}] [-o {dn | rdn | upn | samid}]
         [-scope {subtree | onelevel | base}] [-name Name] [-desc Description]
         [-upn UPN] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays]
         [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
         [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

To see a listing of all the many parameters and their meanings, type the following at the command-line shell prompt:

 dsquery user /? 
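The LDAP filters that dsquery user runs for its -disabled, -stalepwd and -inactive switches, together with two checks it has no switch for (accounts whose password never expires, and the locked-out accounts whose source the previous section recommends reviewing), as an added PowerShell example that is not part of the original chapter. It uses System.DirectoryServices.DirectorySearcher directly; the domain DN and the 90-day threshold are assumed placeholders.

```powershell
# Added example (not from the chapter): the LDAP filters behind dsquery user's
# -disabled, -stalepwd and -inactive switches, plus two checks it has no switch
# for (Password Never Expires and locked-out accounts), via DirectorySearcher.
# Assumed placeholders: the domain DN and the 90-day threshold.
$domainDN  = "DC=mydomain,DC=mycorp,DC=com"
$staleDays = 90
$root      = [ADSI]"LDAP://$domainDN"

# LDAP_MATCHING_RULE_BIT_AND: matches when all of the given bits are set in the attribute.
$BIT_AND               = "1.2.840.113556.1.4.803"
$UF_ACCOUNTDISABLE     = 2
$UF_DONT_EXPIRE_PASSWD = 65536

# pwdLastSet, lastLogonTimestamp and lockoutTime are FILETIME values
# (100-nanosecond intervals since 1 January 1601, UTC).
$cutoff = [DateTime]::UtcNow.AddDays(-$staleDays).ToFileTimeUtc()

$isUser  = "(&(objectCategory=person)(objectClass=user))"
$queries = @{
    "disabled"               = "(&$isUser(userAccountControl:$BIT_AND:=$UF_ACCOUNTDISABLE))"
    "password-never-expires" = "(&$isUser(userAccountControl:$BIT_AND:=$UF_DONT_EXPIRE_PASSWD))"
    # pwdLastSet=0 means "must change at next logon", not a stale password
    "stale-password"         = "(&$isUser(pwdLastSet<=$cutoff)(!(pwdLastSet=0)))"
    # lastLogonTimestamp replicates (lastLogon does not) but may lag by up to 14 days,
    # and it exists only at the Windows Server 2003 domain functional level
    "inactive"               = "(&$isUser(lastLogonTimestamp<=$cutoff))"
    # lockoutTime is not cleared when lockoutDuration elapses, so some hits are stale
    "locked-out"             = "(&$isUser(lockoutTime>=1))"
}

function Find-Accounts([string]$filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $filter
    $searcher.PageSize = 500                 # paged search; otherwise results stop at 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "distinguishedName", "lockoutTime"))
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                   # property names come back in lowercase
        $locked = ""
        if ($p["lockouttime"].Count -gt 0 -and $p["lockouttime"][0] -gt 0) {
            $locked = [DateTime]::FromFileTimeUtc($p["lockouttime"][0]).ToString("u")
        }
        New-Object PSObject -Property @{
            Account     = $p["samaccountname"][0]
            DN          = $p["distinguishedname"][0]
            LockoutTime = $locked
        }
    }
}

foreach ($name in $queries.Keys) {
    $hits = @(Find-Accounts $queries[$name])
    "{0,-24} {1,5} account(s)" -f $name, $hits.Count
    $hits | ForEach-Object { "    {0,-20} {1} {2}" -f $_.Account, $_.DN, $_.LockoutTime }
}

# Where the lockouts came from: Windows Server 2003 domain controllers record
# event 644 (User Account Locked Out) in the Security log when "Audit account
# management" is enabled. Run this on the PDC emulator, which is told of every lockout.
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object { $_.EventID -eq 644 } |
    Select-Object TimeGenerated, Message
```

The bitwise matching rule is the part dsquery hides: userAccountControl is a single integer, so a plain equality filter would have to enumerate every combination of flags, whereas the rule tests just the bits named. The stale-lockout comment matters in practice: an account whose lockout has already expired still shows a non-zero lockoutTime until its next successful logon, so compare the timestamp against the domain's lockout duration before treating the hit as current.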

To locate one or more domain user accounts using the Find function within the Active Directory Users and Computers MMC snap-in, you should perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired container, right-click to select the target container, and select Find from the drop-down menu.

  3. Users, groups, and computers can be searched using Name or Description criteria. More advanced searches can be performed that allow for the location of accounts with a matching attribute value or values, or those with integrated service settings, such as Microsoft's Exchange Server. The use of the asterisk ( * ) defines a wildcard search.

  4. After specifying the appropriate criteria, click the Find Now button to enact the search.

  5. The resulting matched items will be displayed, as shown in Figure 2.12. These accounts can then be modified by right-clicking on them and selecting the options from the drop-down menu as if viewed in the full interface.

    Figure 2.12. The results of a Find query on the Workgroup OU and its subordinate OUs with a Description field matching the wildcard specification Work*Lead .


Windows Server 2003 adds a new feature to the Active Directory Users and Computers MMC snap-in in which saved queries can be stored for later reuse. This new folder tops the MMC's listing of containers, and new queries can be added by the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the Saved Queries folder, right-click on the container, and select New, Query from the options provided.

  3. You must provide a unique name for the new query, along with an optional description if desired. You can then navigate to the root container for the query, select whether the query will include subcontainers within the root container, and click the Define Query button.

  4. You can then select the type of records to be included in the new query from the options provided:

    • Users, Contacts, and Groups

    • Computers

    • Printers

    • Shared Folders

    • Organizational Units

    • Custom Search

    • Exchange Recipients (if Exchange is installed)

    • Remote Installation Servers

    • Common Queries

    • Remote Installation Clients

  5. After selecting the type of records, you'll be presented with a tabbed dialog box with the available search options for the selected type.

  6. After selecting the desired search criteria, click the OK button to return to the New Query interface. (If you edit an existing query later, the same interface is used, as shown in Figure 2.13.)

    Figure 2.13. A saved query specifying criteria for accounts in the Workgroup OU container and all subcontainers.


  7. Click the OK button to save the new query. To access the query on later occasions, all you have to do is highlight the target query and the results of the search will be displayed for access.

Managing Computer Objects

Computer account objects are managed using many of the same methods as for user account objects. Command-line utilities such as dsmod and dsquery have computer-specific uses, and the now-familiar Active Directory Users and Computers MMC snap-in carries all the same functionality for the creation and manipulation of computer objects.

One way to add a new computer to the directory is to select the Join This Computer to a Domain option during setup. This process adds the computer account to the default Computers container, where it can then be moved to the desired location. If an account is precreated within the directory, the newly joined computer will join in its destination container.

To precreate a new computer account using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired target container, right-click, and select New, Computer from the options provided.

  3. You're presented with the New Object - Computer dialog box where a computer name can be entered, causing a pre-Windows 2000 computer name to be automatically generated. You also have the ability to select the user or group that will be allowed to join a computer with the newly created name. Additional check boxes can assign the computer account as a pre-Windows 2000 computer or as a backup domain controller (for a Windows NT 4.0 BDC in a mixed-mode domain). Leave the pre-Windows 2000 option clear unless it is actually required: it sets the account's initial password to the computer name in lowercase, which anyone who can see the account name can guess.

  4. After clicking Next, you select whether the computer is a managed system with a pre-existing GUID that can then be entered in the dialog box.

  5. After clicking Next and then Finish, the new account is created.

  6. After creation, right-click on the account and select Properties to open its properties dialog box for additional configuration.

As with user accounts, you can disable and enable computer accounts. A disabled computer account can no longer authenticate to the domain, so domain logons from that system fail, although a user whose credentials are cached on the machine can still log on to it locally. By right-clicking on a system and selecting Manage, you can open the Computer Management utility with a focus directed at the computer to be managed.

Organizing Objects

In large organizations, it isn't reasonable to leave all account objects in their default container locations. Applying privileges and permissions is also time-consuming when performed on each account individually. Fortunately, Windows Server 2003 manages both problems through structured containers (called organizational units, or OUs) and groups (through which member accounts inherit access rights and restrictions). Organizational unit membership can be used to assign GPO settings, whereas group membership is used to convey access rights or restrictions over distributed resources.

Using Organizational Units

The grouping of accounts into a structured hierarchy of containers and subcontainers (called organizational units) makes it easier to manage very large numbers of account objects collected into logical groupings. By organizing the accounts along organizational lines, administrative control can be delegated in a restrictive manner, with administrators over a container sharing control over all subcontainers therein. A structured OU design allows local administrators to have access rights over only those elements under their control, which means that even a large organization could potentially use a single domain while still allowing for distributed administrative control.

It is possible to create a new OU using dsadd.exe as well as through the use of the Active Directory Users and Computers MMC snap-in. To create a new OU using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired OU parent container or the domain container and select New, Organizational Unit from the options provided. OUs cannot be created in the default Computers and Users containers, so the option is not provided when attempted there.

  3. You are prompted to enter the name for the new OU and then to click OK to create the new OU.

  4. After creation, select one or more OUs and right-click to access the Properties option in the drop-down menu. Doing so allows modification to the description and location information for the OU, along with the ability to configure security, management, COM+ partition, and Group Policy settings that apply to the objects within the OU and its subcontainers.

OUs can be placed within other OUs to create a structured container space in which accounts can be properly grouped along business or administrative lines. An object can exist in only a single OU, and its LDAP distinguished name (its RDN followed by the DN of that OU) is derived from this location, so moving an object changes its DN.

By configuring the Security settings, you can control what administrative rights are granted over objects within the OU, as shown in Figure 2.14.

Figure 2.14. Security settings for the Workgroup Leads group over the WrkGrp1 organizational unit.

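Delegating an OU's security settings from a script and then reviewing them, as an added example that is not part of the original chapter. It grants a group the Reset Password extended right on the user objects beneath an OU, the scripted form of what Figure 2.14 shows in the GUI, and then lists the OU's explicit ACEs. The OU DN and group name are assumed placeholders; the two GUIDs are the fixed identifiers of the Reset Password right and of the user object class.

```powershell
# Added example (not from the chapter): delegate the Reset Password right on the
# user objects beneath an OU to a group, then list the OU's explicit ACEs for review.
# Assumed placeholders: the OU DN and the group name. The GUIDs are fixed values:
# the User-Force-Change-Password extended right and the schemaIDGUID of class user.
$ouDN  = "OU=WrkGrp1,DC=mydomain,DC=mycorp,DC=com"
$group = "MYDOMAIN\Workgroup Leads"

$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$ou  = [ADSI]"LDAP://$ouDN"
$who = New-Object System.Security.Principal.NTAccount -ArgumentList $group

# Scope: Descendents only (not the OU itself), and only objects of class user,
# so the group cannot reset computer or trust account passwords in the same OU.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $who,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# Review what is delegated directly on this OU. Inherited ACEs are excluded
# (second argument $false) because they come from the domain or a parent OU
# and belong to that object's review instead.
function Get-ExplicitDelegation([string]$dn) {
    $entry = [ADSI]"LDAP://$dn"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType, InheritedObjectType
}
Get-ExplicitDelegation $ouDN | Format-Table -AutoSize
```

The Delegation of Control Wizard's "Reset user passwords and force password change at next logon" task grants the same extended right and additionally Read and Write on the pwdLastSet attribute, so that the delegate can tick User Must Change Password at Next Logon; add a second rule for that attribute if the delegate needs it. Running the review function against every OU on a schedule is a cheap way to notice delegation that nobody remembers granting.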

Using Groups

Unlike OUs, which are used to group objects into a structured set of containers where each object can be located in only a single OU, groups provide access rights and restrictions for member accounts and members of member groups. Through inheritance, member accounts can be granted additional privileges and access rights to distributed resources, or can be restricted from accessing the same. We discuss specific permissions in greater detail in Chapter 7, "Maintaining Network Security."


An account can be a member of multiple groups, each providing its own set of access rights and restrictions, with the final set of permissions and rights for the account being the aggregate of all inherited settings. Obviously, planning is key to providing access based on role or organizational needs while avoiding conflicts that might provide greater access than is desired or restrict necessary access.


The following two forms of groups are present in Windows 2000 and later forms of Active Directory:

  • Distribution These groups are used for email distribution lists when an integrated electronic mail service such as Exchange is present. They cannot be used to assign users rights and permissions.

  • Security Security groups are used to assign user rights (which define what members can do within the group's assigned scope) and permissions (which are used to access resources within the domain or forest). Security groups can also be used to restrict as well as grant permissions.

Groups are also assigned one of three possible scopes, which limit the extent to which rights are assigned by group membership:

  • Universal These groups are used to grant access to resources that span multiple domains. Universal security groups are not available in Windows 2000 Mixed mode, only in Windows 2000 Native mode and the Windows Server 2003 functional levels (Universal distribution groups can exist in Mixed mode). Universal groups can include accounts, Global groups, and other Universal groups from any domain in the forest. Members of these groups should not change often because the membership is replicated to every global catalog server in the forest. Universal groups can be used to assign permissions over resources located in any domain.

  • Global These groups are used to manage accounts that require regular changes and upkeep. In Windows 2000 Mixed mode, Global groups can contain only accounts from the same domain. In Windows 2000 Native mode and Windows 2003 directories, they can contain accounts and other Global groups from the same domain. Global groups can be used to assign permissions over resources location in any domain.

  • Domain Local Domain Local groups are used to assign permissions over resources located only in their own domain. They can contain accounts, Global, and Universal groups from any domain, as well as other Domain Local groups from their own domain. Member servers and standalone servers also have Local groups, which are limited to providing access to resources on the local system and which cannot be added to domain and greater scoped groups.
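As an added example (not code from the book or from Microsoft), the following Python models the nesting rules of the three scopes together with the aggregate, nested membership described in the note above: can_contain encodes which scope may hold which member, effective_groups expands nested membership the way dsget -memberof -expand does, and the constructed two-domain forest (mycorp.com with child domain sales.mycorp.com, user jsmith, and group Sales Admins are all made-up names) shows how a Global group from one domain can land inside another domain's Administrators group. The checks against the privileged group list assume the names given later in this section.

```python
# Added example (not the book's or Microsoft's code): models the group-scope nesting
# rules and nested membership described above. All names are constructed.
from dataclasses import dataclass, field

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "Global", "Universal", "Domain Local"

@dataclass
class Principal:
    name: str
    domain: str
    kind: str                                   # one of the four constants above
    members: set = field(default_factory=set)   # names of direct members

def can_contain(group, member):
    same_domain = group.domain == member.domain
    if group.kind == UNIVERSAL:     # accounts, Global and Universal groups from any domain
        return member.kind in (USER, GLOBAL, UNIVERSAL)
    if group.kind == GLOBAL:        # accounts and Global groups from its own domain only
        return member.kind in (USER, GLOBAL) and same_domain
    if group.kind == DOMAIN_LOCAL:  # any domain's accounts/Global/Universal; own Domain Local
        return member.kind in (USER, GLOBAL, UNIVERSAL) or (member.kind == DOMAIN_LOCAL and same_domain)
    return False                    # a user account has no members

def add_member(directory, group_name, member_name):
    group, member = directory[group_name], directory[member_name]
    if not can_contain(group, member):
        raise ValueError(f"{group.kind} '{group_name}' cannot contain {member.kind} '{member_name}'")
    group.members.add(member_name)

def effective_groups(directory, name):
    """Direct plus nested membership, i.e. what 'dsget user -memberof -expand' lists."""
    found, pending = set(), [name]
    while pending:
        current = pending.pop()
        for group in directory.values():
            if current in group.members and group.name not in found:
                found.add(group.name)
                pending.append(group.name)
    return found

# Groups the chapter says to keep tightly controlled.
PRIVILEGED = {"Account Operators", "Administrators", "Backup Operators", "Domain Admins",
              "Enterprise Admins", "Power Users", "Print Operators", "Server Operators"}

def build_sample():  # constructed forest: root mycorp.com with child domain sales.mycorp.com
    d = {p.name: p for p in (Principal("jsmith", "sales.mycorp.com", USER),
                             Principal("Sales Admins", "sales.mycorp.com", GLOBAL),
                             Principal("Administrators", "mycorp.com", DOMAIN_LOCAL))}
    add_member(d, "Sales Admins", "jsmith")
    add_member(d, "Administrators", "Sales Admins")  # Domain Local may hold another domain's Global
    return d
```

Running effective_groups(build_sample(), "jsmith") shows the account holding Administrators rights through nesting even though no one added it to that group directly, which is why the note later in this section asks you to watch those memberships.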

A number of groups are created by default in the Built-In and Users containers. Groups created by default in the Built-In container include the following:

  • Account Operators: Members can create, modify, and delete computer and user accounts, with the exception of administrators, domain admins, and domain controllers.

  • Administrators: Members have full control over the domain. The Administrator account, Domain Admins, and Enterprise Admins are members by default.

  • Backup Operators: Members can log on to, shut down, and back up the files from any system in the domain, including domain controllers.

  • Guests: Members are not granted rights by default. The Guest account and Domain Guests group are members by default.

  • Incoming Forest Trust Builders: This group is present only in the root domain of a forest. Members can create a one-way incoming trust to another forest to provide access to resources in the other forest.

  • Network Configuration Operators: Members can make changes to TCP/IP settings on any system in the domain, including domain controllers.

  • Performance Monitor Users: Members can monitor performance counters locally and remotely on any computer in the domain, including domain controllers.

  • Performance Log Users: Members can manage performance logs, counters, and alerts on any computer in the domain, including domain controllers.

  • Pre-Windows 2000 Compatible Access: Members have Read access over all accounts and groups in the domain. The Everyone special identity is a member of this group by default.

  • Print Operators: Members can create, delete, share, and manage printers and print queues, as well as log on to and shut down any computer in the domain, including domain controllers.

  • Remote Desktop Users: Members can remotely log on to any computer in the domain, including domain controllers.

  • Replicator: This group is used by domain and file replication services and should not be assigned any new members.

  • Server Operators: Members can log on to, shut down, and manage the local resources and services on any server computer in the domain, including domain controllers.

  • Users: The default group to which domain users, authenticated users, and the Interactive special identity are assigned. Members can make use of domain resources.

Default groups in the Users container include the following:

  • Cert Publishers: Members can publish security certificates for accounts.

  • DnsAdmins: Present only if DNS is installed. Members can administer the DNS service.

  • DnsUpdateProxy: Present only if DNS is installed. Members can perform dynamic DNS updates for other accounts.

  • Domain Admins: Members have full rights over all resources in the domain and are members of the Administrators group on each computer in the domain. The Administrator account is a member of this group by default.

  • Domain Computers: Automatically includes all computers joined to a domain and should not be assigned any new members manually.

  • Domain Controllers: Automatically includes all domain controller computers joined to a domain and should not be assigned any new members manually.

  • Domain Guests: Members have no rights assigned by default.

  • Domain Users: Automatically includes all user accounts in a domain and should not be assigned any new members manually.

  • Enterprise Admins: This group is present only in the root domain of a forest. Members have full control over all domains in a forest and inherit membership in the Administrators group on all domain controllers. The root domain's Administrator account is a member by default.

  • Group Policy Creator Owner: Members of this group can create, delete, and modify Group Policy settings within the domain. The Administrator account is a member by default.

  • IIS_WPG: Present only if IIS is installed. Used by the worker processes serving namespaces within IIS 6.0.

  • RAS and IAS Servers: Member servers can access the dial-up and remote access properties on user account objects.

  • Schema Admins: This group is present only in the root domain of a forest. Members can modify the Active Directory schema for a forest. The root domain's Administrator account is a member by default.

The following local groups might also be present:

  • DHCP Administrators: Present only if the DHCP Server service is installed. Members can administer the DHCP service and its configuration.

  • DHCP Users: Present only if the DHCP Server service is installed. Members can view the DHCP service settings and its configuration.

  • HelpServicesGroup: Members can be granted the standard set of rights and permissions given to support staff accounts and the Remote Assistance group.

  • Power Users: Members of this group can fully administer local resources and accounts, except for members of the Administrators group. Power users cannot take ownership of or back up files by default.

  • WINS Users: Present only if the WINS service is installed. Members are able to view WINS database information.

Windows 2000 and later operating system variants include several special identities that can be used like groups to grant or deny access rights and permissions, though their membership cannot be changed manually. They are as follows:

  • Anonymous Logon: Members automatically include anyone who accesses resources without using an authenticated logon and password.

  • Authenticated Users: Members automatically include anyone who accesses resources through a logon process.

  • Batch: Members automatically include all processes and accounts that access resources through a batch job.

  • Creator Group: Membership is derived from the group membership of the account that created the resource.

  • Creator Owner: The account that created a particular resource.

  • Dial-Up: Members automatically include anyone who accesses resources through a dial-up connection.

  • Enterprise Domain Controllers: Members automatically include any domain controller computers with enterprise-wide roles.

  • Everyone: Members automatically include all accounts that log on to the network, even if from another domain.

  • Interactive: Members automatically include any users logged on to a computer and accessing a particular local resource.

  • Network: Members automatically include any users accessing a particular resource over the network.

  • Proxy: Members automatically include any users accessing a particular resource through a proxy agent or delegate.

  • Restricted: Members automatically include users with restricted access rights (non-power users on member servers, for example).

  • Self: An object referencing itself.

  • Service: A service referencing itself.

  • System: The operating system referencing itself.

  • Terminal Server Users: Members automatically include all users logging on through Terminal Services connections.

Because membership in some groups can be used to leverage additional administrative rights, it's important to restrict membership in the Account Operators, Administrators, Backup Operators, Domain Admins, Enterprise Admins, Power Users, Print Operators, and Server Operators groups.


To create a new group using the Active Directory Users and Computers MMC snap-in, perform the following steps:

  1. Select Start, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the desired target container, right-click and select New, Group from the drop-down options.

  3. You are prompted to enter a name for the new group, which automatically generates a pre-Windows 2000 name for the group as well. You are also given the options for the group scope and group type, as shown in Figure 2.15.

    Figure 2.15. New Object - Group dialog box creating the 'My New Group' Global Security group.

  4. After clicking the Next button, you're presented with the option to perform other configuration tasks for integrated services, such as Exchange email aliasing. After all such tasks, click Finish to create the new group, which will have no members by default.

  5. After creation, right-clicking on a group and selecting its Properties allows manipulation of its members as well as its own membership in other groups using the Member Of tab.

To view and manipulate the membership of a particular user or computer account, you can use the Member Of tab within the properties of the account in the Active Directory Users and Computers MMC snap-in. In addition, the dsget.exe utility can be used to view the current membership of an object.

The syntax of the dsget.exe utility used for review of the group membership of user accounts is provided in the Microsoft help file:

 dsget user UserDN ... [-dn] [-samid] [-sid] [-upn] [-fn] [-mi] [-ln] [-display] [-empid]
     [-desc] [-office] [-tel] [-email] [-hometel] [-pager] [-mobile] [-fax] [-iptel] [-webpg]
     [-title] [-dept] [-company] [-mgr] [-hmdir] [-hmdrv] [-profile] [-loscr] [-mustchpwd]
     [-canchpwd] [-pwdneverexpires] [-disabled] [-acctexpires] [-reversiblepwd]
     [{-uc | -uco | -uci}] [-part PartitionDN [-qlimit] [-qused]]

 dsget user UserDN [-memberof] [-expand] [{-uc | -uco | -uci}]

To see a listing of all the parameters and their meanings, type the following at the command-line shell prompt:

 dsget user /?

Groups can be used to assign a great many permissions and access rights throughout an Active Directory forest. You should be familiar with the user account Logon rights for Windows Server 2003:

  • Access This Computer from the Network: Grants access to resources located on the system over the network.

  • Allow Logon Locally: Grants access to log on through the local console.

  • Allow Logon Through Terminal Services: Grants access to establish Terminal Services sessions.

  • Log On as a Batch Job: Grants access to log on through batch jobs or scripts.

  • Log On as a Service: Grants access to log on as a service or start up a service.

  • Deny Access to the Computer from the Network: Specifies which accounts and groups cannot access resources over the network.

  • Deny Logon as Batch Job: Restricts logon through batch jobs or scripts.

  • Deny Logon As Service: Restricts service logon rights.

  • Deny Logon Locally: Specifies which accounts and groups cannot log on through the local console.

  • Deny Logon Through Terminal Services: Specifies which accounts and groups cannot establish Terminal Services sessions.

You should also be at least somewhat familiar with the available privileges that can be granted in Windows Server 2003:

  • Act as part of the operating system

  • Add workstations to a domain

  • Adjust memory quotas for a process

  • Back up files and directories

  • Bypass traverse checking

  • Change the system time

  • Create a pagefile

  • Create a token object

  • Create permanent shared objects

  • Debug programs

  • Enable computer and user accounts to be trusted for delegation

  • Force shutdown from a remote system

  • Generate security audits

  • Impersonate a client after authentication

  • Increase scheduling priority

  • Load and unload device drivers

  • Lock pages in memory

  • Manage auditing and security log

  • Modify firmware environment values

  • Profile a single process

  • Profile system performance

  • Remove computer from docking station

  • Replace a process level token

  • Restore files and directories

  • Shut down the system

  • Synchronize directory service data

  • Take ownership of files or other objects

MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment Exam Cram 2 (Exam Cram 70-292)
ISBN: 0789730111
Year: 2006
Pages: 132