04 April 2012
Active Directory & Windows Server 2003
Agenda
Enterprise Networks
Network Operating Systems
Microsoft Management Console
Local Users and Groups
Local Group Policy
Workgroup vs. Domain
Active Directory
Active Directory Users & Computers
NTFS File & Folder Permissions / Shared Resources
Enterprise Networks
During the 1980s, organizations began to install local area networks (LAN) to connect
computers in departments and workgroups. Department-level managers usually made
decisions about what type of computers and networks they wanted to install.
Eventually, organizations saw benefits in building enterprise networks that would let people
throughout the organization exchange e-mail and work together using collaborative
software. An enterprise network would connect all the isolated departmental or workgroup
networks into an intracompany network, with the potential for allowing all computer users in
a company to access any data or computing resource.
An enterprise network is both local and wide area in scope. It integrates all the systems
within an organization, whether they are Windows computers, Apple Macintoshes, UNIX
workstations, minicomputers, or mainframes.
Network Operating Systems
A network operating system (NOS) is, generally, an operating system that runs on a network
server, such as Microsoft Windows Server, Linux or UNIX.
In contrast to a single-user desktop operating system, a NOS supports multiple user accounts
at the same time and enables concurrent access to shared resources by multiple clients.
Windows Server 2003 (Win2K3 Server) can provide a variety of services, ranging from file server,
web server and FTP server to application server, identity and directory services, etc.
Microsoft Management Console
MMC is actually a framework that hosts modules called snap-ins, which provide
the actual tools for managing a resource, tools that are usually found in Control
Panel.
MMC itself does not provide any management functionality. Rather, the MMC environment
provides seamless integration between different snap-ins that would otherwise be
used standalone.
For example, you can add to MMC a snap-in called Device Manager, one called
Services and one called Disk Defragmenter.
These three tools are unrelated and would be used separately if accessed from
Control Panel, but MMC brings them together in a single easy-to-use tool.
Perform the same steps for the Disk Defragmenter and Services snap-ins.
Press OK and the new console is ready for use.
Local Users and Groups
Local Users and Groups is an MMC snap-in that is used to manage user
accounts and groups that are stored locally on a single computer.
You can assign rights and permissions to a local user account or a group account
on a particular computer (and only on that computer, regardless of whether it is local or
remote).
By using Local Users and Groups, you can limit the ability of users or groups to
perform certain actions by assigning rights and permissions to them.
Administrator account: The Administrator account has full control of the server and can assign user rights and
access control permissions to users as necessary. This account must be used only for
tasks that require administrative credentials. It is highly recommended that you set up
this account to use a strong password.
The Administrator account is a member of the Administrators group on the server. The
Administrator account can never be deleted or removed from the Administrators group,
but it can be renamed or disabled. Because the Administrator account is known to exist
on many versions of Windows, renaming or disabling this account will make it more
difficult for malicious users to try and gain access to it.
The Administrator account is the account you use when you first set up the server. You
use this account before you create an account for yourself.
Important
Even when the Administrator account has been disabled, it can still be used to gain
access to a computer using Safe Mode.
Guest account: The Guest account is used by people who do not have an actual account on the
computer. A user whose account is disabled, but not deleted, can also use the Guest
account. The Guest account does not require a password. The Guest account is disabled
by default, but you can enable it.
You can set rights and permissions for the Guest account just like any user account. By
default, the Guest account is a member of the default Guests group, which allows a user
to log on to a server. Additional rights, as well as any permissions, must be granted to
the Guests group by a member of the Administrators group. The Guest account is
disabled by default, and it is recommended that it stay disabled.
HelpAssistant account (installed with a Remote Assistance session): The primary account used
to establish a Remote Assistance session. This account is created automatically when you
request a Remote Assistance session and has limited access to the computer. The HelpAssistant
account is managed by the Remote Desktop Help Session Manager service and will be
automatically deleted if no Remote Assistance requests are pending.
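As an added example (not part of the original deck), a PowerShell check for the built-in Administrator and Guest accounts described above. It locates them by their well-known RIDs (500 and 501) rather than by name, so a renamed Administrator account is still found; it assumes Windows PowerShell with WMI access and takes the computer name as a parameter.

```powershell
# Added example: audit the built-in local Administrator (RID 500) and Guest (RID 501)
# accounts on a server. Assumes Windows PowerShell and WMI access to the target.
param([string]$ComputerName = $env:COMPUTERNAME)

$accounts = Get-WmiObject -Class Win32_UserAccount `
    -ComputerName $ComputerName -Filter "LocalAccount = True"

foreach ($acct in $accounts) {
    # The RID is the last component of the SID string
    $rid = [int](($acct.SID -split '-')[-1])
    switch ($rid) {
        500 {
            $renamed = $acct.Name -ne 'Administrator'
            Write-Host ("Built-in Administrator: name='{0}' renamed={1} disabled={2}" -f $acct.Name, $renamed, $acct.Disabled)
            if (-not $renamed -and -not $acct.Disabled) {
                Write-Warning "Administrator account keeps its default name and is enabled; rename or disable it."
            }
        }
        501 {
            Write-Host ("Built-in Guest: name='{0}' disabled={1}" -f $acct.Name, $acct.Disabled)
            if (-not $acct.Disabled) {
                Write-Warning "Guest account is enabled; it should stay disabled."
            }
        }
    }
}
```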
Workgroup vs. Domain
Workgroup
Domain
A domain is a trusted group of computers that share security and access control settings and
receive data passed down from centralized domain controllers or servers. Domain
controllers handle all aspects of granting users permission to log in; they are the
gatekeepers. In addition, most modern domains use Active Directory, which
allows for an even more centralized point for software distribution, user
management and computer controls.
Active Directory
Organizational Units
An organizational unit (OU) is a container that you use to organize objects within a
domain into logical administrative groups. An OU can contain objects such as user
accounts, groups, computers, printers, applications, file shares, and other OUs.
Active Directory
Domain
The core unit of logical structure in Active Directory directory services is the
domain (see Figure 4.3). Grouping objects into one or more domains allows your
network to reflect your company's organization.
All network objects exist within a domain, and each domain stores information
about only the objects that it contains. Access to domain objects is controlled by
access control lists (ACLs). ACLs contain the permissions associated with objects
that control which users can gain access to an object and what type of access
users can gain to the objects.
Active Directory
Tree and Forest
A tree is a grouping or hierarchical arrangement of one or more
Windows domains.
A forest is a grouping or hierarchical arrangement of one or more trees.
Since the trees in a forest do not have to share a common naming structure, you can use
a forest to group the various divisions of a company that do not use the same
naming scheme and that operate independently, but that need to communicate
with the entire organization.
Active Directory
Active Directory services also include a replication feature. Replication ensures that
changes to a domain controller are reflected in all domain controllers within a domain.
Each domain controller stores a complete copy of all Active Directory services information
for that domain, manages changes to that information, and replicates those changes to
other domain controllers in the same domain.
Domain controllers in a domain automatically replicate all objects in the domain to each
other. When you perform an action that causes an update to Active Directory directory
services, you are actually making the change at one of the domain controllers. The domain
controller then replicates the change to all other domain controllers within the domain.
Active Directory Users & Computers
Windows Server 2003 comes with several different tools used for managing Active
Directory. The Active Directory management tool that you will use most often for day-to-day
management tasks is the Active Directory Users and Computers console. As the name
implies, this console is used to create, manage, and delete user and computer accounts.
You can access this console by clicking your server's Start button and navigating through
the Start menu to All Programs / Administrative Tools. The Active Directory Users and
Computers option should be near the top of the Administrative Tools menu.
Keep in mind that only domain controllers contain this option, so if you do not see the Active
Directory Users and Computers command, make sure that you are logged on to a domain
controller.
Also, the console can be added as a snap-in to a custom console in MMC.exe.
[Figure: Domain Controller, Domain, OU]
Search Objects in AD
Right-click the required user and choose the required action. These actions are
different from one organization to another according to the level of permission
required by the HelpDesk. The most important are: Rename, Delete, Reset
Password, Move and Properties.
Rename: you can rename the Full Name, First Name, Last Name, Display Name
and User Logon Name.
Delete: this option permanently removes the user from the system. A
confirmation dialog box is displayed. If requested, you may choose not to
delete the Exchange mailbox of this object.
Reset Password: resets the password of the user. You can expire the password
by selecting the box "User must change password at next logon". This option
forces the user to change the temporary password at next logon.
Move: use this option if requested to move a user from one OU to another.
After selecting the Move option, the organization structure is displayed. Browse to
the required OU.
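The HelpDesk actions above (unlock, reset password, force a change at next logon, move to another OU) as an added PowerShell example that is not part of the original deck. It assumes the RSAT ActiveDirectory module is installed on the admin workstation (the module is newer than Windows Server 2003 itself); the account name and OU path are placeholders.

```powershell
# Added example: Reset Password + "must change at next logon" + Move, scripted.
# Assumes the ActiveDirectory PowerShell module; names below are placeholders.
Import-Module ActiveDirectory

$samAccountName = 'jdoe'                                     # placeholder user
$targetOu       = 'OU=HelpDesk,OU=Users,DC=example,DC=local' # placeholder OU

$user = Get-ADUser -Identity $samAccountName -Properties LockedOut
if ($user.LockedOut) {
    # Unlock first; otherwise the new temporary password cannot be used
    Unlock-ADAccount -Identity $user
}

# Reset Password: read the temporary password securely instead of hard-coding it
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $tempPassword

# "User must change password at next logon": expire the temporary password
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Move: relocate the user object to the requested OU
Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu

# Verify before closing the ticket: new DN, and pwdLastSet = 0 means a change is forced
$moved = Get-ADUser -Identity $samAccountName -Properties pwdLastSet
"{0}`n  mustChangePasswordAtLogon={1}" -f $moved.DistinguishedName, ($moved.pwdLastSet -eq 0)
```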
Properties
TABS
Account TAB: contains information about the account: Logon Name, Logon Hours, Log On To
(computers), Account Options and Account Expiration Date. If the account is not locked out, the
account-lockout option is grayed out.
Email Addresses TAB: used to set up the primary and secondary SMTP addresses and the
SIP address (for Office Communicator).
Delivery Restrictions:
set the sending / receiving message size (in KB).
Delivery Options:
allow another user to send on behalf of this user.
forward emails to another user or DL, with the option to keep the forwarded messages
in the inbox.
Storage Limits:
set the mailbox limit in KB.
Being a member of a Security Group gives this user access to the folders and resources to
which the group has access.
Being a member of a Distribution List allows this user to receive in Outlook all the emails sent
to that Distribution List.
Dial-in TAB: sets the VPN permission (the ability to connect to the organization's network from
outside, using a laptop from home, airports, etc.) and the VPN options.
Right-click the required group and choose the required action. These actions are different
from one organization to another according to the level of permission required by the
HelpDesk. The most important are: Rename, Delete, Move and Properties.
Properties: this option displays the properties of the group. Another way to
open the Properties of the group is to double-click it in AD. According to the
permission level of the HelpDesk you will be able to view the tabs in the
Properties window.
General TAB: contains information about the group: name, description, scope and type.
Members TAB: members of this group receive the group's access to resources.
You can Add / Remove objects. Adding an object to the Members of the group is
the same as adding the group in the Member Of tab of the object.
Object TAB: displays information about the OU where the group/DL is created in
AD, when it has been created and when it was last modified.
Right-click the required computer and choose the required action. These actions
are different from one organization to another according to the level of permission
required by the HelpDesk. The most important are: Delete, Disable / Enable
Account, Move and Properties.
Properties: displays the properties of the computer, where you can set the Description
and the Manager and see the Object information.
It is advised to assign permissions to Security Groups and then add the users to
the membership of the groups. This way the network will not slow down.
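The group-based model recommended above, as an added PowerShell example that is not part of the original deck: the NTFS permission is granted once to a security group, and access is then managed only through group membership. It assumes the ActiveDirectory module on the file server; the group, folder and user names are placeholders.

```powershell
# Added example: grant an NTFS ACE to a security group, then manage access via membership.
# Assumes the ActiveDirectory PowerShell module; all names are placeholders.
Import-Module ActiveDirectory

$groupName = 'FS-Projects-Modify'   # placeholder security group
$folder    = 'D:\Shares\Projects'   # placeholder folder
$members   = @('jdoe', 'asmith')    # placeholder user accounts

# 1. Create a domain local security group if it does not exist yet
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify access to $folder"
}

# 2. Grant the folder ACE once, to the group, inherited by subfolders and files
$domain = (Get-ADDomain).NetBIOSName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$groupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. From now on, access is changed in AD only, never on the folder ACL
Add-ADGroupMember -Identity $groupName -Members $members

# Review: the folder ACL should list the group, not individual users
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```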