Module 4: Administration in Active Directory

About This Presentation

Title:

Module 4: Administration in Active Directory

Description:

... operating system behavior, desktop behavior, security ... Granting the user access to the GPO by using the Security tab in the GPO Properties dialog box ... – PowerPoint PPT presentation

Number of Views:71

Avg rating:3.0/5.0

Slides: 67

Provided by: raviac

Category:

more less

Transcript and Presenter's Notes

Title: Module 4: Administration in Active Directory

1
Module 4 Administration in Active Directory
2
Overview

Designing Active Directory to Delegate
Administrative Authority
Identifying Business Needs
Characterizing the IT Organization
Developing a Strategy for Administrative Design
Developing a Strategy for Delegation
Implementing Group Policy
Group Policy Structure
Working with Group Policy Objects
How Group Policy Settings Are Applied in Active
Directory
Modifying Group Policy Inheritance
Designing Active Directory to Support Group
Policy
Designing a Schema Policy

3
Identifying Business Needs
CEO
OrganizationalChart
Accounting
Information Technology
Human Resources
Production
AccountsPayable
AccountsReceivable
Logistics
Purchasing
Information Technology
ITInfrastructure

Documenting the Administrative Process
Level of Administration
Who Administers What
Build Flexibility Into Plan

Infrastructure
Northwest
Northeast
Southeast
Atlanta
Seattle
Charlotte
Portland
4
Characterizing the IT Organization

Centralized IT
Centralized IT with Decentralized Management
Decentralized IT
Outsourced IT

5
Developing a Strategy for Administrative Design

Designing a Hierarchy Based on Location
Designing a Hierarchy Based on Organization
Designing a Hierarchy Based on Function
Designing a Hybrid Hierarchy by Location then
Organization
Designing a Hybrid Hierarchy by Organization then
Location
Design Guidelines

6
Designing a Hierarchy Based on Location

Is Resistant to Change
Accommodates Mergers and Expansions
May Compromise Security
Takes Advantage of Network Strengths

nwtraders.msft
Domain
7
Designing a Hierarchy Based on Organization

Reflects Business Model
Is Vulnerable to Reorganizations
Maintains Departmental Autonomy
Accommodates Mergers and Expansions
May Affect Replication

Domain
8
Designing a Hierarchy Based on Function

Is Immune to Reorganizations
May Require Additional Layers
May Affect Replication

sales
hardware
project1
project2
consultants
marketing
9
Designing a Hybrid Hierarchy by Location then
Organization

Allows for Growth
Allows for Security Boundaries
Leverages Strength of Physical Network
May Require Lower Level Changes Aftera
Reorganization

asia.nwtraders.msft
Mfg
HR
recruiting
training
research
10
Designing a Hybrid Hierarchy by Organization then
Location

Allows for Security Boundaries
Allows Administration by Location
Vulnerable to Reorganizations

sales.nwtraders.msft
New England
Boston
Hartford
11
Design Guidelines

Hierarchy
Location
Organization
Function
Hybrid Hierarchy
By Location then Organization
By Organization then Location

12
Developing a Strategy for Delegation

Determining Delegation Methods
Determining Object Ownership
Creating a Strategy for Object-Based and
Task-Based Delegation
Creating a Strategy for Delegating Authority
Creating Strategies for Inheritance of
Permissions
Design Choice Guidelines

13
Determining Delegation Methods

Delegating Authority Includes
Changing Container Properties
Creating, Changing, and Deleting Child Objects
Updating Object Attributes
Creating New Users or Groups
Managing Small Groups of Users or Groups

14
Creating a Strategy for Delegating Authority
Domain-Level Delegation Affects All Objects in
the Domain
Site-Level Delegation May Affect Multiple Domains

OU-Level Delegation Can Affect Parent OU Only,
or Parent and All Child OUs
15
Creating Strategies for Inheritance of Permissions
Full Control
OU
OU
Full Control
OU
Full Control

Objects Inherit Existing Permissions
Inheritance Can Be Blocked

16
Design Guidelines

Assign Permissions at the OU Level When Possible
Avoid Assigning Permissions at Property or Task
Level
Use a Small Number of Domain Administrators
Assign Access Permissions to Groups

17
Overview

Designing Active Directory to Delegate
Administrative Authority
Identifying Business Needs
Characterizing the IT Organization
Developing a Strategy for Administrative Design
Developing a Strategy for Delegation
Implementing Group Policy
Group Policy Structure
Working with Group Policy Objects
How Group Policy Settings Are Applied in Active
Directory
Modifying Group Policy Inheritance
Designing Active Directory to Support Group
Policy
Designing a Schema Policy

18
Introduction to Group Policy

Group Policy Enables You to
Set centralized and decentralized policies
Ensure users have their required environments
Lower total cost of ownership by controlling user
and computer environments
Enforce corporate policies

19
Group Policy Structure

Types of Group Policy Settings
Group Policy Objects
Group Policy Settings for Computers and Users
Group Policy Objects and Active Directory
Containers

20
Types of Group Policy Settings
21
Group Policy Objects
22
Group Policy Settings for Computers and Users

Group Policy Settings for Computers
Specify operating system behavior, desktop
behavior, security settings, computer startup and
shutdown scripts, computer-assigned application
options, and application settings
Apply when the operating system initializes and
during the periodic refresh cycle
Group Policy Settings for Users
Specify operating system behavior, desktop
settings, security settings, assigned and
published application options, application
settings, folder redirection options, and user
logon and logoff scripts
Apply when users log on to the computer and
during the periodic refresh cycle

23
Group Policy Objects and Active Directory
Containers

GPO Settings Affect User and Computer Objects
Within Sites, Domains, and OUs to Which a GPO Is
Linked
You can link one GPO to multiple sites, domains,
or OUs
You can link multiple GPOs to one site, domain,
or OU
You Cannot Link GPOs to Default Active Directory
Containers

24
Working with Group Policy Objects

Creating Linked Group Policy Objects
Creating Unlinked Group Policy Objects
Linking an Existing Group Policy Object
Specifying a Domain Controller for Managing Group
Policy Objects

25
Creating Linked Group Policy Objects

To Apply Group Policy to a Container, Create a
GPO Linked to the Container
Create GPOs linked to domains and OUs by using
Active Directory Users and Computers
Create GPOs linked to sites by using Active
Directory Sites and Services

Name of linked GPO
To create a GPO
26
Creating Unlinked Group Policy Objects
27
How Group Policy Settings Are Applied in Active
Directory

Group Policy Inheritance
How Group Policy Settings Are Processed
Controlling the Processing of Group Policy
Group Policy and Slow Network Connections (Links)
Resolving Conflicts Between Group Policy Settings
Class Discussion How Group Policy Is Applied

28
Group Policy Inheritance
Windows 2000 Applies GPO Settings in a
Specific Order
Child Containers Inherit GPO Settings from Parent
Containers
29
How Group Policy Settings Are Processed

Computer settings applied
Startup scripts run

Computer starts
User logs on

User settings applied
Logon scripts run

The GetGPOList Function Executes on the Client
Computer During
Computer startup to determine which GPOs contain
computer configurations settings to be applied
User logon to determine which GPOs contain user
configurations settings to be applied

30
Controlling the Processing of Group Policy

Synchronous and Asynchronous Processing
By default, the processing of Group Policy is
synchronous
You can change the processing of Group Policy to
asynchronous by using a Group Policy setting for
both computers and users
Refreshing Group Policy at Established Intervals
of
90 minutes for computers running Windows 2000
Professional and for member servers running
Windows 2000 Server
5 minutes for domain controllers
Processing Unchanged Group Policy Settings
You can configure each client-side extension to
process all applicable Group Policy settings

31
Resolving Conflicts Between Group Policy Settings

All Group Policy Settings Apply Unless There Are
Conflicts
The Last Setting Processed Applies
When settings from different GPOs in the Active
Directory hierarchy conflict, the child container
GPO settings apply
When settings from GPOs linked to the same
container conflict, the settings for the GPO
highest in the GPO list apply
A Computer Setting Applies When It Conflicts with
a User Setting

32
Modifying Group Policy Inheritance

Enabling Block Inheritance
Enabling No Override
Filtering Group Policy Settings
Class Discussion Changing Group Policy
Inheritance

33
Enabling Block Inheritance

Block Inheritance
Stops inheritance of all GPOs from all parent
containers
Cannot selectively choose which GPOs are blocked
Cannot stop No Override

34
Enabling No Override

No Override
Overrides Block Inheritance and GPO conflicts
Should be set high in the Active Directory tree
Is applicable to links and not to GPOs
Enforces corporate-wide rules

Domain
Production
Sales
Domain GPO settings apply
35
Filtering Group Policy Settings

Filter Group Policy Settings by
Explicitly denying the Apply Group Policy
permission
Omitting an explicit Apply Group Policy
permission

36
Delegating Administrative Control of Group Policy

Enable a User to Manage Group Policy Links for a
Site, Domain, or OU by
Assigning the user read and write permissions to
the gPLink and gPOptions attributes of the site,
domain, or OU
Using the Delegation of Control wizard
Enable a User or Group to Create GPOs by
Adding the user or group to the Group Policy
Creator Owners group
Enable a User to Edit GPOs by
Assigning the user read and write permissions to
the GPO
Making the user a member of either Domain Admins,
Enterprise Admins, or GPO Creator Owners groups
Granting the user access to the GPO by using the
Security tab in the GPO Properties dialog box

37
Group Policy Troubleshooting Tools

Windows 2000 Support Tools for Group Policy
Troubleshooting
Netdiag.exe
Replmon.exe
Windows 2000 Resource Kit Tools for Group Policy
Troubleshooting
Gpotool.exe
Gpresult.exe

38
Best Practices
Limit the Use of Blocking, No Override, and
Filtering of GPOs
Limit the Number of GPOs That Affect Any Computer
or User
Group Related Settings in a Single GPO
Delegate Administrative Control of a GPO to One
or Two Users
Avoid Linking GPOs to a Site with Multiple
Domains
Plan and Test GPOs Before You Implement Them
39
Overview

Designing Active Directory to Delegate
Administrative Authority
Identifying Business Needs
Characterizing the IT Organization
Developing a Strategy for Administrative Design
Developing a Strategy for Delegation
Implementing Group Policy
Group Policy Structure
Working with Group Policy Objects
How Group Policy Settings Are Applied in Active
Directory
Modifying Group Policy Inheritance
Designing Active Directory to Support Group
Policy
Designing a Schema Policy

40
Identifying Business Needs

Group Policy Is Applied
Frequently in Highly Managed IT Networks
Infrequently in Minimally Managed IT Networks
Group Policy Is Used to
Enforce Security
Create Common Configurations
Simplify Computer Build Process
Limit Distribution of Applications

41
Applying Group Policy in Active Directory

Applying Group Policy at the Site Level
Applying Group Policy at the Domain Level
Applying Group Policy at the OU Level
Design Guidelines

42
Applying Group Policy at the Site Level
Domains
Site

Single Site GPOs Affect All Domains Within the
Site
Site Level GPOs Can Cross Domain Boundaries

43
Applying Group Policy at the Domain Level
Multiple Domains
Single Domain
Parent Domain
Child Domain

In Single Domain, GPOs Affect Entire Domain and
Cannot Be Delegated
In Multiple Domains, Domain Level GPOs Do Not
Affect Other Domains Unless Linked

44
Applying Group Policy at the OU Level
GPO Linked to Parent OUs
OU

At OU Level, GPOs Are Inherited from Parent to
Child OU

OU
OU
OU
OU
Same Group Policy Inherited from GPO of Parent OU
OU Specifically Created for Group Policy
45
Design Guidelines

Create As Few GPOs As Possible
Map Each GPO to a Single Site, Domain, or OU
Container
Avoid Linking GPOs Between Domains
Minimize the Number of GPOs Applied to a User or
Computer

46
Planning for Group Policy

Designing Group Policy to Meet Administrative
Needs
Prioritizing Application of Group Policy Objects
Filtering Group Policy Objects
Group Policy Inheritance and Blocking
Optimizing Group Policy Performance
Testing and Documenting the Group Policy Plan
Design Guidelines

47
Designing Group Policy to Meet Administrative
Needs
Strategy
Delegate the Right to Create New GPOs Throughout
Active Directory
Delegate the Right to Modify an Existing GPO
Delegate the Right to Link GPOs to a Site,
Domain, or OU
48
Filtering Group Policy Objects
Roanoke OU
Users
__Apply Group Policy to Roanoke Admins
DENY
Filtering Prevents Group Policy from Being Applied
49
Group Policy Inheritance and Blocking
GPO Linked to Parent OU
OU
OU
OU
Inheritance Blocked
OU
OU
OU
When Blocked, GPO Does Not Apply to Child OU
50
Optimizing Group Policy Performance

Optimize Group Policy Performance Over Slow
Connections by Adjusting
Slow Link Processing
Periodic Refresh Processing
Client Side Extensions

51
Testing and Documenting the Group Policy Plan

When Testing Group Policy
Use an Off-Line Test Environment
Test During Off-Peak Hours if Testing Environment
Is Not Available
When Documenting Group Policy
List Name of GPO
List Site, Domain, or OU Where Applied
List Individual Settings
List Special Settings

52
Design Guidelines

Disable Unused Parts of a GPO
Reduce Need for Filtering By Creating Additional
OUs
Use the Block Policy Inheritance and No Override
Features Sparingly

53
Overview

Designing Active Directory to Delegate
Administrative Authority
Identifying Business Needs
Characterizing the IT Organization
Developing a Strategy for Administrative Design
Developing a Strategy for Delegation
Implementing Group Policy
Group Policy Structure
Working with Group Policy Objects
How Group Policy Settings Are Applied in Active
Directory
Modifying Group Policy Inheritance
Designing Active Directory to Support Group
Policy
Designing a Schema Policy

54
Identifying Business Needs

Primary Reasons for Schema Modification
Enabling Schema to Address Business Needs
Installing Directory-Enabled Applications

55
Schema Fundamentals

Schema Components
Modifying the Schema
Obtaining and Extending Object Identifiers
Deactivating Schema Components

56
Schema Components
Attribute-Schema Objects Examples
Class-SchemaObjects Examples
Class Definition includes
Attribute Definition includes
Object Name Object Identifier May Contain
Attributes Must Contain Attributes
Object Name Object Identifier Syntax Optional
Range Limits
Computers
Some possible User Class Attributes
List of Attributes
accountExpires badPasswordTime mail name
accountExpires badPasswordTime mail cAConnect dhcp
Type eFSPolicy fromServer governsID Name
Users
Servers
57
Modifying the Schema

Schema Modification Occurs When You
Use the Active Directory Schema to create,
modify, or deactivate classes or attributes
Write scripts to automate schema modification
Install software applications that add classes
or attributes
To Control Membership of Schema Admins Group
Control Membership of Local Admins, Domain
Admins, and Enterprise Admins Groups

58
Obtaining and Extending Object Identifiers

Object Identifiers
Unique identifiers for class and object
attributes
Obtained from an ISO issuing authority
Extend to accommodate your enterprise
Object Identifier Format, 1.2.840.x.w.y.z
1.2.840, issuing authority
x.w.y.z for extension

59
Deactivating Schema Components

Classes and Attributes Are Not Deleted, but
Deactivated.
Classes and Attributes Can Be Reactivated

60
Implications of Modifying the Schema

Schema Modification Can Impact
Validity of Existing Objects
Replication Latency
Network Performance During Replication

61
Planning for Schema Modification

Deciding when to Modify the Schema
Planning for Directory-Enabled Applications
Anticipating Microsoft Exchange 2000
Testing Schema Modifications
Developing a Schema Modification Policy
Design Guidelines

62
Deciding when to Modify the Schema
Situation
Suggested Solutions
No existing class meets needs
Create a new class
Existing class needs attributes but otherwise
meets needs
Create new attributes, derive a new child class,
or create an auxiliary class
Need a new set of unique attributes, but not a
new class
Create auxiliary class
Existing classes or attributes no longer needed
Deactivate existing class or attribute
63
Planning for Directory-Enabled Applications