Managing Directory Objects: Users, Groups, and Resources

1
Chapter 5

• Managing Directory Objects Users, Groups, and
  Resources

2
Objectives

• Create user objects in Active Directory and set
  values for the attributes of a user object
• Create and manipulate groups in Active Directory
  and understand the effects ofdifferent group
  scopes
• Create objects for other resources, such as
  shared folders and printers
• Organize objects in Active Directory by
  leveraging the use of organizational units (OUs)

3
Creating and Managing User Objects

• Represent real people using the network
• Most frequently changed

4
User Classes, Properties, and Schema

• cn
• InstanceType, objectCategory, and objectClass
• ObjectSID
• sAMAccountName

5
The Active Directory Users and Computers Console
6
The New Object Dialog Box for a User Object
7
The Names of a User

• User logon name (pre-Windows 2000)
• sAMAccountName attribute
• Used by down-level clients (Windows 98, 95, or
  NT)
• Format is NetBIOS name\users logon name
• User logon name
• userPrincipleName (UPN) attribute
• Preferred logon name for Windows 2000, XP
  Professional, or Server 2003
• Format is username_at_UPN suffix (usually users
  domain)

8
No GC Available During User Creation
9
Password and Security Attributes
10
Summary Page for New User Objects
11
Newly Created User
12
How the Console Interacts With Active Directory

• Uses Lightweight Directory Access Protocol (LDAP)
  to send queries and commands to the domain
  controllers (DCs)
• The wizard populates many attributes automatically

13
User Object Properties
14
Setting Additional Attributes

• General and Business Information
• Phone numbers in the general tab can have any
  format
• Only one address can be stored
• Account and Profile Settings
• Terminal Services Settings
• Dial-in Settings
• Advanced Properties

15
Advanced View of User Object Properties
16
The Telephones Tab
17
Telephone Attributes as Seen in ADSI Edit
18
The Address Tab
19
The Organization Tab
20
The Account Tab
21
The Profile Tab
22
The Member Of Tab
23
The COM Tab
24
The Environment Tab
25
The Sessions Tab
26
The Remote Control Tab
27
The Terminal Services Profile Tab
28
The Dial-in Tab
29
The Security Tab
30
The Object Tab
31
The Published Certificates Tab
32
Resetting Passwords

• The password attribute is write-only
• The password can only be reset, but not retrieved

33
Invoking the Reset Password Command
34
The Reset Password Dialog Box
35
Creating Users Programmatically

• Users can be created by scripts or programs
• Users can be created by a tool such as Microsoft
  Metadirectory Services (MMS)

36
Working With Groups

• Administrators may be responsible for thousands
  of accounts and hundreds of resources
• Assigning permissions to a group speeds up
  administration

37
Group Types

• Distribution groups
• Used to send e-mail to a group list
• Security groups
• Used to control and audit access to resources
• Security Identifier (SID) can be included in an
  access control entry (ACE) in a Discretionary
  Access Control List (DACL) for access control, or
  a System Access Control List (SACL) for auditing
• Used to filter application of Group Policy

38
Group Scopes

• Determines when a group can be nested
• Determines when it can be referenced in DACLs and
  SACLs
• Four scopes
• Local
• Domain local
• Global
• Universal

39
Domain Modes

• Mixed mode is a mix of Active Directory and
  non-Active Directory DCs
• Certain functions are only supported by Active
  Directory
• The domain can be upgraded to native mode when
  all DCs are running Windows 2000 or Windows
  Server 2003

40
Local Scope

• Used only within the context of a specific
  machine
• Often called machine local groups
• The BUILTIN group is the only machine local group
  on DCs

41
Domain Local Scope

• Can contain security principals from anywhere in
  the forest
• Can only be created in a native-mode domain

42
Group Scopes
43
Global Scope

• Can be created in both mixed-mode and native-mode
  domains
• Can contain any security principal from the same
  domain in which it was created
• Can be used in DACLs and SACLs anywhere in the
  forest, or anywhere that the domain is trusted

44
Universal Scope

• Can only be used in a native-mode domain
• Can contain security principles from any domain
  in the forest, or any trusted domain
• Can be used in a SACL or DACL anywhere in the
  forest
• All universal groups are stored in the Global
  Catalog (GC)

45
Groups As Members of Other Groups

• In mixed-mode domains, only machine local groups
  can contain other groups (and only global groups)
• In native-mode domains
• Domain local groups can contain users and
  universal and global groups from anywhere in the
  forest
• Global groups can contain users and other global
  groups from the same domain
• Universal groups can contain user accounts,
  computer accounts, global groups, and other
  universal groups from anywhere in the forest

46
Involving the New Group Command
47
New Object Dialog Box for a Group Object
48
Changing Groups

• Can change the members through the groups or the
  objects properties
• Can change the type from a security to a
  distribution group in native mode
• Can change the scope from global to universal, or
  domain local to universal in native mode

49
Properties of a Group Object
50
Member Of Tab for Administrator
51
Creating Resource Objects

• An object in the directory represents a resource
• Created separate from the directory object
• Active Directory does not check if shared folders
  exist
• Active Directory checks for the existence of a
  printer
• For new resources, some applications use existing
  classes others extend the schema

52
Creating a Shared Folder Object
53
Creating a Printer Object
54
Trying to Create a Printer Object for a
Nonexistent Printer
55
Organizing Objects in the Directory

• A large network must be well organized
• In Active Directory, information can be organized
  in a logical way

56
Organizing and Controlling OUs

• The Delegation of Control Wizard allows the
  service owner to enable each data owner to manage
  the objects in their own OU
• OUs can be used to browse the directory
• Group Policy is easily applied at the OU level

57
One Possible Browsing Structure
58
Possible OU Structure to Support Group Policy
59
Moving Object Between Domains

• Moving objects between domains requires changing
  part of the SID
• Movetree supplied with Windows Server 2003 to
  assist moving objects within the forest
• Moving users from one forest to another requires
  creating a new object and deleting the old one
• The Active Directory Migration Tool (ADMT)
  provides a mechanism to move a user between
  forests

60
Chapter Summary

• There are usually frequent changes to the objects
  contained in Active Directory
• A user object has six mandatory attributes
• Users and Computers is used to manage groups,
  users, computers, and resource objects
• You can manage properties on up to 16 property
  pages
• There are two types of groups distribution
  groups and security groups
• There are four possible scopes of groups machine
  local, domain local, global, and universal

61
Chapter Summary (continued)

• Security groups can be included in SACLs and
  DACLs
• Distribution groups are used to send e-mail to
  groups of users
• Objects should be organized in a logical way by
  the proper use of OUs
• Movetree can move objects between domains in the
  same forest
• ADMT is used to move objects between forests