Active Directory & Windows Server 2003

04 April 2012

Agenda

Enterprise Networks
Network Operating Systems
Microsoft Management Console
Local Users and Groups
Local Group Policy
Workgroup vs. Domain
Active Directory
Active Directory Users & Computers
NTFS Files & Folders Permissions \ Shared Resources

Enterprise Networks

During the 1980s, organizations began to install local area networks (LAN) to connect
computers in departments and workgroups. Department-level managers usually made
decisions about what type of computers and networks they wanted to install.

Eventually, organizations saw benefits in building enterprise networks that would let people
throughout the organization exchange e-mail and work together using collaborative
software. An enterprise network would connect all the isolated departmental or workgroup
networks into an intracompany network, with the potential for allowing all computer users in
a company to access any data or computing resource.

An enterprise network is both local and wide area in scope. It integrates all the systems
within an organization, whether they are Windows computers, Apple Macintoshes, UNIX
workstations, minicomputers, or mainframes.

Network Operating Systems

A computer operating system (OS) is the software foundation on which the computer
applications and services run. Similarly, a network operating system (NOS) enables
communication between multiple devices (clients) and the sharing of resources across a
network.

A NOS is, generally, an operating system that runs on a network server, such as
Microsoft Windows Server, Linux or UNIX.

The function of an operating system is to control the computer hardware, software
and user interface. The OS performs these functions for a single user at a time
and, even though there can be multiple accounts stored on a computer, only one
user can be logged on at a certain time.

In contrast, a NOS supports multiple user accounts at the same time and enables
concurrent access to shared resources by multiple clients.

Windows Server 2003


Windows Server 2003 (also known as Win2K3) is a network operating system
produced by Microsoft.
There are several editions of this NOS, depending on the environment it will be
used in (Standard Edition, Enterprise Edition, Datacenter Edition, etc.).

Win2K3 Server can provide a variety of services, ranging from File Server, Web
Server, to FTP Server, Application Server, Identity and Directory Services, etc.

Also, Windows Server functionality can be enhanced by installing Microsoft Exchange
Server software, which will enable it to be an e-mail server and, in combination with
Microsoft Office Outlook, provide a communication mechanism within the corporate
environment.


Microsoft Management Console

The Microsoft Management Console (mmc.exe) provides a common environment for the
management of various systems and resources.

MMC is actually a framework that hosts modules called snap-ins, which provide
the actual tools for managing a resource (tools that are usually also found in Control
Panel).
MMC itself does not provide any management functionality. Rather, the MMC environment
provides seamless integration between different snap-ins that would otherwise be
used standalone.

For example, you can add to MMC a snap-in called Device Manager, one called
Services and one called Disk Defragmenter.
These three tools are unrelated and would be used separately if accessed from
Control Panel, but MMC brings them together in a single easy-to-use tool.

The following slides will demonstrate how this is done.


Go to Start>Run and type mmc or mmc.exe


An empty console will open. We will need to add snap-ins to it.

Click File>Add/Remove Snap-in, then click the Add button on the next window.


Select Device Manager, click Add and you will be asked if this needs to manage
the local computer or another computer from the network. Select Local computer.

Perform the same steps for the Disk Defragmenter and Services snap-ins.
Press OK and the new console is ready for use.
You can save this console for later use.

Local Users and Groups

Local Users and Groups is an MMC snap-in that is used to manage user
accounts and groups that are stored locally on a single computer.
You can assign rights and permissions to a local user account or a group account
on a particular computer (and only on that computer, whether it is local or
remote).

By using Local Users and Groups, you can limit the ability of users or groups to
perform certain actions by assigning rights and permissions to them.

A right authorizes a user to perform certain actions on a computer, such as
shutting down the computer or accessing the Control Panel.

A permission is a rule that is associated with an object (usually a file, folder,
printer, resource, etc.) and it regulates which users have access to the object and
in what manner.

Local user accounts


The Users folder located in the Local Users and Groups Microsoft Management
Console (MMC) displays the default user accounts as well as the user accounts
you create. These default user accounts are created automatically when you
install a stand-alone server or member server running Windows Server 2003.

Default local groups


The Groups folder located in the Local Users and Groups Microsoft Management
Console (MMC) displays the default local groups as well as the local groups that
you create. The default local groups are automatically created when you install a
stand-alone server or a member server running Windows Server 2003. Belonging
to a local group gives a user the rights and abilities to perform various tasks on
the local computer.
Default user accounts

Administrator account
The Administrator account has full control of the server and can assign user rights and
access control permissions to users as necessary. This account must be used only for
tasks that require administrative credentials. It is highly recommended that you set up
this account to use a strong password.
The Administrator account is a member of the Administrators group on the server. The
Administrator account can never be deleted or removed from the Administrators group,
but it can be renamed or disabled. Because the Administrator account is known to exist
on many versions of Windows, renaming or disabling this account will make it more
difficult for malicious users to try and gain access to it.
The Administrator account is the account you use when you first set up the server. You
use this account before you create an account for yourself.
Important: even when the Administrator account has been disabled, it can still be used to
gain access to a computer using Safe Mode.

Guest account
The Guest account is used by people who do not have an actual account on the
computer. A user whose account is disabled, but not deleted, can also use the Guest
account. The Guest account does not require a password. The Guest account is disabled
by default, but you can enable it.
You can set rights and permissions for the Guest account just like any user account. By
default, the Guest account is a member of the default Guests group, which allows a user
to log on to a server. Additional rights, as well as any permissions, must be granted to
the Guests group by a member of the Administrators group. The Guest account is
disabled by default, and it is recommended that it stay disabled.

HelpAssistant account (installed with a Remote Assistance session)
The primary account used to establish a Remote Assistance session. This account is
created automatically when you request a Remote Assistance session and has limited
access to the computer. The HelpAssistant account is managed by the Remote Desktop
Help Session Manager service and will be automatically deleted if no Remote Assistance
requests are pending.
Default local groups (with their default user rights)

Administrators
Members of this group have full control of the server and can assign user rights and
access control permissions to users as necessary. The Administrator account is also a
default member. When this server is joined to a domain, the Domain Admins group is
automatically added to this group.
Default user rights: Access this computer from the network; Adjust memory quotas for a
process; Allow log on locally; Allow log on through Terminal Services; Back up files and
directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug
programs; Force shutdown from a remote system; Increase scheduling priority; Load and
unload device drivers; Manage auditing and security log; Modify firmware environment
variables; Perform volume maintenance tasks; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories; Shut
down the system; Take ownership of files or other objects.

Guests
Members of this group will have a temporary profile created at log on, and when the
member logs off, the profile will be deleted. The Guest account (which is disabled by
default) is also a default member of this group.
Default user rights: none.

Power Users
Members of this group can create user accounts and then modify and delete the accounts
they have created. They can create local groups and then add or remove users from the
local groups they have created. They can also add or remove users from the Power Users,
Users, and Guests groups. Members can create shared resources and administer the
shared resources they have created. They cannot take ownership of files, back up or
restore directories, load or unload device drivers, or manage security and auditing logs.
Default user rights: Access this computer from the network; Allow log on locally; Bypass
traverse checking; Change the system time; Profile single process; Remove computer from
docking station; Shut down the system.

Print Operators
Members of this group can manage printers and print queues.
Default user rights: none.

Remote Desktop Users
Members of this group can remotely log on to a server.
Default user rights: Allow log on through Terminal Services.

Terminal Server Users
This group contains any users who are currently logged on to the system using Terminal
Server.
Default user rights: none.

Users
Members of this group can perform common tasks, such as running applications, using
local and network printers, and locking the server. Users cannot share directories or
create local printers.
Default user rights: Access this computer from the network; Allow log on locally; Bypass
traverse checking.
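As an added example (not part of the original deck), the following Windows PowerShell script checks a server against the recommendations in the two tables above: whether the built-in Administrator account (well-known RID 500) still has its default name and is enabled, whether Guest (RID 501) is enabled, and who is in the local Administrators group. It uses the ADSI WinNT provider, which is available from Windows Server 2003 onwards, and assumes nothing beyond the local computer's own name.

```powershell
# Added example: audit the built-in local accounts and the local Administrators
# group against the recommendations above (protect or rename/disable the
# Administrator account, keep Guest disabled, keep Administrators small).
# Uses the ADSI WinNT provider, which exists on Windows Server 2003 and later.
# Run from an elevated Windows PowerShell prompt on the server being checked.

$ADS_UF_ACCOUNTDISABLE = 0x0002      # UserFlags bit meaning "account is disabled"
$computerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$computerName,computer"

# Return the local user accounts together with their RID and disabled state.
function Get-LocalAccountState {
    $results = @()
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $flags = [int]$child.UserFlags.Value
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)
        $rid   = [int]($sid.Value.Split('-')[-1])    # last component of S-1-5-21-...-RID
        $results += New-Object PSObject -Property @{
            Name     = $child.Name.Value
            Rid      = $rid
            Disabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        }
    }
    return $results
}

# Member names of a local group; the WinNT provider exposes IADsGroup.Members
# only through Invoke, and the member objects only through InvokeMember.
function Get-LocalGroupMemberNames([string]$groupName) {
    $group = [ADSI]"WinNT://$computerName/$groupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

$accounts = Get-LocalAccountState

# RID 500 is always the built-in Administrator, whatever it has been renamed to,
# so a rename is detected by comparing the RID-500 account's name with "Administrator".
# Remember the deck's caveat: a disabled Administrator can still be used in Safe Mode.
$admin = $accounts | Where-Object { $_.Rid -eq 500 }
if ($admin.Name -eq 'Administrator' -and -not $admin.Disabled) {
    Write-Warning "Built-in Administrator (RID 500) still uses its default name and is enabled."
} else {
    Write-Host "Built-in Administrator (RID 500) is named '$($admin.Name)', disabled=$($admin.Disabled)."
}

# RID 501 is the built-in Guest account; the deck recommends leaving it disabled.
$guest = $accounts | Where-Object { $_.Rid -eq 501 }
if (-not $guest.Disabled) {
    Write-Warning "Guest account (RID 501, named '$($guest.Name)') is enabled; it should stay disabled."
}

# Every member of Administrators has full control of the server, so review the list.
Write-Host "Members of the local Administrators group:"
Get-LocalGroupMemberNames 'Administrators' | ForEach-Object { Write-Host "  $_" }
```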

Local Group Policy


Uses of Group Policy
In Microsoft Windows XP, you use Group Policy to define user and computer configurations
for groups of users and computers. You create a specific desktop configuration for a
particular group of users and computers by using the Group Policy Microsoft Management
Console (MMC) snap-in (gpedit.msc).
The Group Policy settings that you create are contained in a Group Policy Object (GPO).
With Group Policy, you can define the state of users' work environment once and rely on the
system to enforce the policies that you define.

The Group Policy snap-in contains the following major branches:

Computer Configuration: administrators can use Computer Configuration to set
policies that are applied to computers, regardless of who logs on to them.
Computer Configuration typically contains sub-items for software settings, Windows
settings, and administrative templates.
User Configuration: administrators can use User Configuration to set policies that
apply to users, regardless of which computer they log on to. User Configuration
typically contains sub-items for software settings, Windows settings, and administrative
templates.

Workgroup vs. Domain


Windows has two modes of operation: Workgroup and Domain. Depending on
the environment that your computer is in, you will be running in one of these two
modes. Most home and small business environments will be Workgroup, and
most mid- to large businesses will run in domain mode. There are different
features and capabilities depending on each, and each serves a purpose.

Workgroup

A workgroup is best understood as a peer-to-peer network. That is, each
computer is sustainable on its own. It has its own user list, its own access control
and its own resources. In order for a user to access resources on another
workgroup computer, that exact user must be set up on the other computer.
In addition, workgroups offer little security outside of basic access control.
There is no centralized management and so there is a low barrier to use. By
default, Windows XP is in this mode.

Domain

A domain is a trusted group of computers that share security and access control and
have data passed down from centralized domain controllers or servers. Domain
Controllers handle all aspects of granting users permission to log on. They are the
gatekeepers. In addition, most modern domains use Active Directory, which
allows for an even more centralized point for software distribution, user
management and computer controls.

Active Directory stores information and settings in a central database. Active
Directory networks can vary from a small installation with a few computers, users
and printers to tens of thousands of users, many different domains and
large server farms spanning many geographical locations.

Active Directory

In Active Directory services, you organize resources in a logical structure. Grouping
resources logically enables you to find a resource by its name rather than by its physical
location. Since you group resources logically, Active Directory services make the network's
physical structure transparent to users. The logical structure is composed of objects,
organizational units, domains, trees, and forests.
Object
An object is a distinct, named set of attributes that represents a network resource.
Object attributes are characteristics of objects in the directory. For example, the attributes of
a user account might include the user's first and last names, department, and e-mail
address.
Everything that Active Directory tracks is considered an object.

Organizational Units

An organizational unit (OU) is a container that you use to organize objects within a
domain into logical administrative groups. An OU can contain objects such as user
accounts, groups, computers, printers, applications, file shares, and other OUs.

Domain
The core unit of logical structure in Active Directory directory services is the
domain (see Figure 4.3). Grouping objects into one or more domains allows your
network to reflect your company's organization.
All network objects exist within a domain, and each domain stores information
about only the objects that it contains. Access to domain objects is controlled by
access control lists (ACLs). ACLs contain the permissions associated with objects
that control which users can gain access to an object and what type of access
users can gain to the objects.

Tree and Forest
A tree is a grouping or hierarchical arrangement of one or more Windows domains.
A forest is a grouping or hierarchical arrangement of one or more trees.
Since the trees in a forest do not share a common naming structure, you can use
a forest to group the various divisions of a company that do not use the same
naming scheme and that operate independently, but that need to communicate
with the entire organization.

Active Directory services also include a replication feature. Replication ensures that
changes to a domain controller are reflected in all domain controllers within a domain.
Each domain controller stores a complete copy of all Active Directory services information
for that domain, manages changes to that information, and replicates those changes to
other domain controllers in the same domain.
Domain controllers in a domain automatically replicate all objects in the domain to each
other. When you perform an action that causes an update to Active Directory directory
services, you are actually making the change at one of the domain controllers. The domain
controller then replicates the change to all other domain controllers within the domain.

Active Directory Users & Computers

Windows Server 2003 comes with several different tools used for managing the Active
Directory. The Active Directory management tool that you will use most often for day-to-day
management tasks is the Active Directory Users and Computers console. As the name
implies, this console is used to create, manage, and delete user and computer accounts.

You can access this console by clicking your server's Start button and navigating through
the Start menu to All Programs / Administrative Tools. The Active Directory Users and
Computers option should be near the top of the Administrative Tools menu.
Keep in mind that only domain controllers contain this option, so if you do not see the Active
Directory Users and Computers command, make sure that you are logged on to a domain
controller.
The console can also be added as a snap-in in mmc.exe.

The following slide shows an example of a domain hierarchy:

(Diagram: Domain Controller, Domain, OU)

Search Objects in AD

Users
Select Users, Contacts and Groups as the type of object to find, and also select
the Domain. Type the Name or the User ID and click Find Now
(you can type only a part of the Name or User ID).

Right-click the needed user and choose the needed action. These actions differ
from one organization to another according to the HelpDesk's level of permission.
The most important are: Rename, Delete, Reset Password, Move and Properties.

Rename: you can rename the Full Name, First Name, Last Name, Display Name
and User Logon Name.

Delete: this option will permanently remove the user from the System. A
confirmation dialog box will be displayed. If requested, you may choose not to
delete the Exchange Mailbox of this object.

Reset Password: resets the password of the User. You can Expire the password
by selecting the box User must change the password at next logon. This option
will force the user to change this temporary password at next logon.

Move: use this option if requested to move a user from one OU to another.
After selecting the Move option, the organization structure will be displayed. Browse to
the needed OU.

Properties: this option will display the properties of the object. Another way to
open the Properties of the account is to double-click it in AD. Depending on the
permission level of the HelpDesk, you will be able to view the tabs in the
Properties window.

General TAB: contains information about the object.

Address TAB: contains address information.


Account TAB: contains information about the account: Logon Name, Logon Hours, Log On To
(computers), Account Options and Account Expiration Date. If the account is not locked out, then the
option is grayed out.

Profile TAB: contains information about the User Profile and Home Folder. The Logon Script is a series
of instructions that a workstation follows every time this user logs on. These instructions are held on the
server in a 'script' file, which is a batch file that workstations can access and run.
You may set the Home Folder of this user, which will be mapped in My Computer when the user logs on.

Telephones TAB: contains telephone information.



Organization TAB: contains information about the Title, Department, Company
and Manager.

Email Addresses TAB: used to set up the primary and secondary SMTP addresses and the
SIP address (for Office Communicator).

Exchange General TAB: contains information about the Mailbox Store and the Alias (used to find the user in the
Global Address List in Outlook), as well as the general settings for the mailbox (Delivery Restrictions, Delivery
Options and Storage Limits).

Delivery Restrictions:
set the sending / receiving message size (in KB);
set restrictions on the received messages.

Delivery Options:
allow another user to send on behalf of him / her;
forward emails to another user or DL, with the option to keep the forwarded messages
in the inbox;
set the recipient limits.

Storage Limits:
set the mailbox limit in KB.

Exchange Advanced TAB: you can hide the user from, or unhide it in, the Outlook Global Address List (GAL). The
mailbox rights can also be set here (add / remove other users' permission to use the mailbox).

Exchange Features TAB: Outlook Mobile Access (OMA) and Outlook Web Access (OWA):
OMA: use the mailbox from a mobile phone (example: iPhone).
OWA: enables the user to access the mailbox from outside the organization's network, using only an
internet connection.

Member Of TAB: the Security Groups and Distribution Lists (DL) of which the user is a member:

Being a member of a Security Group gives this user access to the folders and resources to which
the Group has access.
Being a member of a Distribution List allows this user to receive in Outlook all the emails sent to this
Distribution List.

Dial-in TAB: set the VPN permission (the ability to connect to the organization's network from outside, using a
laptop from home or an airport) and set the VPN options.

Object TAB: displays information about the OU where the user is created in AD, when the user has been created
and when it was last modified.

Security Groups and Distribution Lists
Select Users, Contacts and Groups as the type of object to find, and also select the Domain.
Type the Name of the group and click Find Now
(you can type only a part of the group's Name).

Right-click the needed Group and choose the needed action. These actions differ
from one organization to another according to the HelpDesk's level of permission.
The most important are: Rename, Delete, Move and Properties.

Rename: modifies the group's name.

Move: moves the group to a different OU.

Delete: deletes the group.



Properties: this option will display the properties of the group. Another way to
open the Properties of the group is to double-click it in AD. Depending on the
permission level of the HelpDesk, you will be able to view the tabs in the
Properties window. General TAB: contains information about the group: name,
description, scope and type.

Members TAB: members of this group will have the group's access to resources.
You can add / remove objects. Adding an object to the Members of the group is
the same as adding the group in the Member Of tab of the object.

Member Of TAB: the Security Groups and Distribution Lists (DL) of which the
group is a member.

Managed By TAB: set the Manager (Owner) of the group. In the case of Distribution Lists,
checking the box "Manager can update membership list" enables the manager to add /
remove members directly from Outlook.

Object TAB: displays information about the OU where the group/DL is created in
AD, when it has been created and when it was last modified.

Computers
Select Computers as the type of object to find, and also select the Domain. Type
the Name of the computer and click Find Now
(you can type only a part of the computer's Name).

Right-click the needed Computer and choose the needed action. These actions
differ from one organization to another according to the HelpDesk's level of
permission. The most important are: Delete, Disable / Enable Account, Move and
Properties.

Delete: permanently deletes the Computer.

Disable / Enable Account: allows you to disable an enabled computer account or to enable a
disabled one.

Move: moves the computer from one OU to another.

Properties: displays the properties of the Computer, where you can set the Description and
the Manager, and see the Object information.
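As an added example (not part of the original deck), here are the HelpDesk actions from the user, group and computer slides above performed with the ActiveDirectory PowerShell module instead of the ADUC console. It assumes that module (part of RSAT) is installed and can reach a domain controller offering Active Directory Web Services, which Windows Server 2003 does not include by itself; the OU path, group name, user and computer names are constructed placeholders.

```powershell
# Added example: the HelpDesk actions described above (find a user by a partial
# name, show Member Of, reset a password and force a change at next logon, move
# to another OU, manage group membership, disable a computer account) done with
# the ActiveDirectory PowerShell module instead of the ADUC console.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the account
# running the script has been delegated the corresponding rights in AD.
# All names and paths below are constructed placeholders.
Import-Module ActiveDirectory

$partialName     = 'Smi'                                      # like typing part of a name in Find Now
$targetOu        = 'OU=Finance,OU=Users,DC=corp,DC=example'   # placeholder OU distinguished name
$groupName       = 'FS-Finance-Modify'                        # placeholder security group
$computerAccount = 'WS-0042'                                  # placeholder computer account

# Search: ADUC "Find Now" on a partial Name or User ID. -Filter supports -like;
# Name is the full/display name, SamAccountName is the User ID.
$found = Get-ADUser -Filter "Name -like '$partialName*' -or SamAccountName -like '$partialName*'" `
                    -Properties MemberOf, whenCreated
$found | Select-Object Name, SamAccountName, Enabled, whenCreated, DistinguishedName | Format-Table -AutoSize

# Work on a single user (the HelpDesk would pick one from the result list).
$user = $found | Select-Object -First 1
if ($null -eq $user) { throw "No user matched '$partialName'" }

# Member Of TAB: MemberOf holds distinguished names, so resolve them to group names.
Write-Host "Member Of for $($user.SamAccountName):"
$user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Sort-Object |
    ForEach-Object { Write-Host "  $_" }

# Reset Password with "User must change password at next logon". The temporary
# password is read at the prompt so it never appears in the script or its history.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $tempPassword
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Move: the same as browsing to the OU in the Move dialog.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu

# Members TAB of the group and Member Of TAB of the user are the same link,
# so adding the user to the group is all that is needed.
Add-ADGroupMember -Identity $groupName -Members $user.SamAccountName

# Computers: Disable Account, the reversible alternative to Delete.
# A computer's sAMAccountName is its name followed by a dollar sign.
Disable-ADAccount -Identity ($computerAccount + '$')
```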

Exchange System Manager

NTFS Files & Folders Permissions \ Shared Resources

It is advised to assign permissions to Security Groups and then add the users to
the membership of those groups. This way the network will not slow down.
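As an added example (not part of the original deck), the script below applies the advice above: it grants Modify on a folder to a security group rather than to individual users, then manages access through group membership, and finally lists any explicit ACEs on the folder that were granted directly to user accounts. The folder path, group and user names are constructed placeholders, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example: grant NTFS permissions to a security group (not to users), give
# people access by group membership, and check a folder for ACEs that were set
# directly on user accounts instead.
# Assumptions: the ActiveDirectory module is installed; the folder path, group
# and user names are constructed placeholders.
Import-Module ActiveDirectory

$folder    = 'D:\Shares\Finance'          # placeholder folder behind a share
$groupName = 'FS-Finance-Modify'          # placeholder domain security group
$domain    = (Get-ADDomain).NetBIOSName   # e.g. CORP

# Grant the group Modify on the folder, inherited by all subfolders and files.
function Grant-GroupModify([string]$path, [string]$group) {
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$group",
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# List explicit (non-inherited) ACEs whose identity is a domain user account:
# these are the entries the deck advises against, because access then has to be
# maintained per user on every folder instead of once per group.
function Find-DirectUserAces([string]$path) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $account = $ace.IdentityReference.Value           # e.g. CORP\jsmith
        if ($account -notlike "$domain\*") { continue }   # skip BUILTIN, NT AUTHORITY, etc.
        $sam  = $account.Split('\')[-1]
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"   # $null for groups/computers
        if ($user) {
            New-Object PSObject -Property @{
                Path   = $path
                User   = $account
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

Grant-GroupModify $folder $groupName
# Access for a person is now a membership change, not an ACL change:
Add-ADGroupMember -Identity $groupName -Members 'jsmith'   # placeholder user

$direct = Find-DirectUserAces $folder
if ($direct) {
    Write-Warning "Explicit per-user ACEs found on $folder (consider moving them to groups):"
    $direct | Format-Table User, Rights, Type -AutoSize
} else {
    Write-Host "No explicit per-user ACEs on $folder."
}
```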

What is a corporate network environment?

Define a Network Operating System vs. Client Operating System\Workstation

Windows Server 2003 \ Exchange Server basics

Computer Management Console (mmc.exe)

Local Users & Groups

Local Group Policy

Workgroup vs. Domain

What is a Domain Controller?

What is Active Directory?



Active Directory components \ structure

Objects and Containers in AD

Active Directory Users & Computers (ADUC)

Exchange System Manager

NTFS Files & Folders Permissions \ Shared Resources


2012 Stefanini Proprietary and Confidential