
Implementing an Organizational Unit Structure and Delegation Control

ADVANTAGE PRO Chennais Premier Networking Training Center

Content
- Creating and Managing Organizational Units
- Delegating Administrative Control for Organizational Units
- Planning an Organizational Unit Strategy


Managing Organizational Units

The life cycle of an organizational unit has four phases:
- Planning
- Deployment
- Maintenance
- Removal


Creating and Managing Organizational Units

Tools for creating and managing organizational units:
- Active Directory Users and Computers
- Directory Service Tools (Dsadd, Dsmod and Dsrm)
- LDAP Data Interchange Format Directory Exchange (Ldifde)
- Windows Script Host


Create and Manage OUs using Directory Service Tools

Creating an organizational unit:

dsadd ou <OrganizationalUnitDN> -desc <Description> -d <Domain> -u <UserName> -p <Password>


Modifying an Organizational Unit

Procedure:

dsmod ou <OrganizationalUnitDN> -desc <Description> -d <Domain> -u <UserName> -p <Password>


Removing an OU

Procedure:

dsrm <OrganizationalUnitDN> -d <Domain> -u <UserName> -p <Password>


Create an OU using the Ldifde Tool

Create an input file (for example OU List.ldf):

dn: OU=Sample OU,DC=nwtraders,DC=msft
changetype: add
objectClass: organizationalUnit

Run ldifde to create, modify or delete the OU:

ldifde -i -k -f "OU List.ldf" -b <UserName> <Domain> <Password>


Delegation of Administrative Privileges

Delegation is the process of decentralizing the management of organizational units. Delegation provides:
- Administrative autonomy
- Isolation of services or data


Administrative Tasks for an OU

In an organizational unit, you can:
- Change the properties of a container
- Create and delete objects of a specific type
- Update properties on objects of a specific type


Organizational Unit Planning Process

- Document the existing structure of the organization
- Identify areas for improvement
- Determine the level of administration
- Identify each administrator and user account in your organization and the resources that they administer


Implementing User, Group, and Computer Accounts


Content
- Introduction to Accounts
- Creating and Managing Multiple Accounts
- Implementing User Principal Name Suffixes
- Moving Objects in Active Directory
- Planning a User, Group and Computer Account Strategy
- Planning an Active Directory Audit Strategy

Types of Accounts

User accounts
- Enable single sign-on for a user
- Provide access to resources

Computer accounts
- Enable authentication and auditing of computer access to resources

Group accounts
- Help simplify administration

Types of Groups

Distribution groups
-- Used only with e-mail applications
-- Not security-enabled

Security groups
-- Used to assign rights and permissions to groups of users and computers
-- Used most effectively when nested

Types of Groups (figure-only slide)

Group Scope (figure-only slide)

Nested Groups (figure-only slide)

Creating Groups (figure-only slide)

Modifying Groups (figure-only slide)

Domain Local Groups

A domain local group is a security or distribution group. It can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest.


Domain Local Groups

When to use:
- When you want to assign access permissions to resources that are located in the same domain in which you create the domain local group
- You can add all global groups that must share the same resources to the appropriate domain local group


Global Groups
A global group is a security or distribution group that can contain users, groups and computers as members from its own domain. You can grant rights and permissions to global security groups for resources in any domain in the forest.


Global Groups

When to use:
- Global groups are visible throughout the forest, so do not create them for the purpose of allowing users access to domain-specific resources
- Use global groups to organize users or groups of users
- A domain local group is more appropriate for controlling user access to resources within a single domain


Universal Groups
A universal group is a security or distribution group that can contain users, groups, and computers as members from any domain in its forest. Universal security groups can be granted rights and permissions on resources in any domain in the forest.


Universal Groups

When to use:
- Use universal groups when you want to nest global groups
- You can assign permissions to related resources in multiple domains
- A Windows Server 2003 domain must be in Windows 2000 native mode or Windows Server 2003 mode to use universal security groups
- Universal distribution groups can be used in a Windows Server 2003 domain that is in Windows 2000 mixed mode or higher


Tools for Creating and Managing Multiple Accounts

- Active Directory Users and Computers
- Directory Service Tools
- Csvde and Ldifde tools
- Windows Script Host


Active Directory Users and Computers

Active Directory Users and Computers is an MMC snap-in that you can use to manage user, computer, and group accounts. Use this snap-in when the number of accounts you are managing is small.


Directory Service Tools


You can use the command-line tools Dsadd, Dsmod and Dsrm to manage user, computer, and group accounts in Active Directory. You must specify the type of object that you want to create, modify or delete.


Csvde and Ldifde Tools

Csvde tool
- The Csvde command-line tool uses a comma-delimited text file, also known as comma-separated value (CSV) format, as input to create multiple accounts in Active Directory
- Use CSV format to add user objects and other types of objects to Active Directory
- Before importing a Csvde file, ensure that the file is properly formatted


Csvde and Ldifde Tools

Ldifde tool
- Uses a line-separated value format to create, modify and delete objects in Active Directory
- The file consists of a series of records that are separated by a blank line
- Most database applications can create text files that can be imported in one of these formats


Windows Script Host

By using scripts you can create, modify and delete Active Directory objects. Use scripts to change the values of attributes for multiple Active Directory objects at once.


Create Accounts Using the Csvde Tool

Procedure: create the Csvde file for importing.

-- The attribute line
# It specifies the name of each attribute to define for the new user accounts.
# Attributes can be in any order, but they must be separated by commas.

Sample code:

DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl

Create Accounts Using the Csvde Tool

-- The user account line
# The import file contains a line that specifies the value for each attribute in the attribute line.
# The attribute values must follow the sequence of the attribute line.
# If a value is missing for an attribute, leave it blank, but include all of the commas.
# If a value contains commas, include the value in quotation marks.

Sample code (the DN contains commas, so it is quoted):

"cn=Suzan Fine,ou=HumanResources,dc=asia,dc=contoso,dc=msft",user,suzanf,suzanf@contoso.msft,Suzan Fine,514



Create Accounts Using the Csvde Tool

Attribute               Value
DN (distinguished name) cn=Suzan Fine,ou=HumanResources,dc=asia,dc=contoso,dc=msft (path to the OU that contains the user account)
objectClass             user
sAMAccountName          suzanf
userPrincipalName       suzanf@contoso.msft
displayName             Suzan Fine
userAccountControl      514 (the value 514 disables the user account; the value 512 enables it)


Create Accounts Using the Csvde Tool

Run the csvde command by typing the following at the command prompt:

csvde -i -f <filename> -b <UserName> <Domain> <Password>

Where:
- -i indicates importing a file into Active Directory
- -f indicates that the next parameter is the name of the file that is being imported
- -b sets the command to run as the given username, domain and password

Create and Manage Accounts using the Ldifde Tool

Procedure: prepare the Ldifde file for importing.
-- An Ldifde file contains records; each record is a sequence of lines that describe an entry (for example, a user account) or changes to one.
-- Any line that begins with a pound sign (#) is a comment line and is ignored when you run the Ldifde file.
-- If a value is missing for an attribute, it must be represented as the attribute description followed by a colon and only whitespace before the line separator (AttributeDescription: FILL SEP in the LDIF grammar).


Create and Manage Accounts using the Ldifde Tool

Sample code:

# Create Shyam
dn: cn=Shyam,ou=Human Resources,dc=test1,dc=com
changetype: add
objectClass: user
sAMAccountName: shyam
userPrincipalName: shyam@test1.com
displayName: shyam
userAccountControl: 512

Create and Manage Accounts using the Ldifde Tool

Run the ldifde command to import the file and create multiple user accounts in Active Directory. At the command prompt, type:

ldifde -i -k -f <filename> -b <UserName> <Domain> <Password>

Where:
- -i indicates importing a file into Active Directory
- -f indicates that the next parameter is the name of the file that is being imported
- -b sets the command to run as the given username, domain and password
- -k ignores errors during an import operation and continues processing
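The two import formats described above (the csvde attribute and account lines, and the ldifde add records), as an added Python example that is not part of the original slides: it builds both files from one set of account records, quotes any value containing commas as the csvde rules require, defaults new accounts to userAccountControl 514 (disabled) until an administrator sets a password, and runs the pre-import format check the Csvde slide asks for. The account names and OU paths are constructed sample data.

```python
import csv
import io

# Attribute order taken from the deck's sample attribute line.
ATTRS = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
         "displayName", "userAccountControl"]
UAC_ENABLED, UAC_DISABLED = "512", "514"   # NORMAL_ACCOUNT, NORMAL_ACCOUNT + ACCOUNTDISABLE

def user_dn(cn, ou_dn):
    """DN of a user below an OU; a comma inside the CN is escaped as '\\,' (RFC 4514)."""
    return "cn=" + cn.replace(",", "\\,") + "," + ou_dn

def make_record(cn, sam, upn, display, ou_dn, enabled=False):
    """One account as attribute -> value; defaults to 514 (disabled) so the account
    cannot log on until an administrator sets a password and enables it."""
    return {"DN": user_dn(cn, ou_dn), "objectClass": "user", "sAMAccountName": sam,
            "userPrincipalName": upn, "displayName": display,
            "userAccountControl": UAC_ENABLED if enabled else UAC_DISABLED}

def to_csvde(records):
    """Attribute line, then one line per account. csv.writer quotes any value that
    contains a comma (every DN does), which is what the csvde format requires."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\r\n")
    w.writerow(ATTRS)
    for r in records:
        w.writerow([r[a] for a in ATTRS])
    return buf.getvalue()

def check_csvde(text):
    """Pre-import check: each account line must have as many fields as the attribute
    line, and userAccountControl must be 512 or 514. Returns a list of problems."""
    rows = list(csv.reader(io.StringIO(text)))
    header, problems = rows[0], []
    uac = header.index("userAccountControl")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {n}: {len(row)} fields, expected {len(header)}")
        elif row[uac] not in (UAC_ENABLED, UAC_DISABLED):
            problems.append(f"line {n}: unexpected userAccountControl {row[uac]}")
    return problems

def to_ldif(records):
    """LDIF 'changetype: add' records separated by a blank line, as ldifde -i expects."""
    blocks = []
    for r in records:
        lines = [f"dn: {r['DN']}", "changetype: add"]
        lines += [f"{a}: {r[a]}" for a in ATTRS if a != "DN"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Write the returned text to a file and pass it to csvde -i -f or ldifde -i -k -f as shown on the slides; check_csvde is meant to run before the import so that a malformed line is caught locally rather than by the directory.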

Create and Manage Accounts using Windows Script Host

Procedure: use Notepad to create a text file with a .vbs extension.
-- Connect to the container in which you want to create the Active Directory object by specifying the Lightweight Directory Access Protocol (LDAP) path:

Set objOU = GetObject("LDAP://ou=Human Resources,dc=test1,dc=com")


Create and Manage Accounts using Windows Script Host

-- Create the Active Directory object, specifying the object class and the object name:

Set objUser = objOU.Create("user", "cn=Marry")

-- Set the properties of the Active Directory object:

objUser.Put "sAMAccountName", "Marry"

-- Write the information to the Active Directory database:

objUser.SetInfo

Run the script at the command prompt: wscript.exe filename



Changing a Value using Windows Script Host

Procedure: connect to the object whose property will be changed:

Set objUser = GetObject("LDAP://cn=Mary,ou=Test,dc=test1,dc=com")

Set the new value of the property, for example the room number of an employee who has moved to a new office:

objUser.Put "physicalDeliveryOfficeName", "Room 4358"

Changing a Value using Windows Script Host

Write the change to Active Directory:

objUser.SetInfo

Save the file with the extension .vbs and execute it at the command prompt:

wscript.exe filename


User Principal Name

A logon name that is used only for logging on to a Windows Server 2003 network. A user principal name has two parts, separated by the @ sign:
- The UPN prefix, before the sign
- The UPN suffix, after the sign


SID History
- A list of all SIDs that were previously assigned to a user account
- Provides a migrated user account with continuity of access to resources


Implications of Moving Objects

Within a domain
- No change to SID or GUID

Within a forest
- New SID
- SID history
- Same GUID

Across forests
- New SID
- SID history
- New GUID
