Document: Lab A: Administering MMS pptx



Document information

Lab A: Administering MMS

Objectives
After completing this lab, you will be able to:
• Create an administrative point and an administrative area.
• Create and configure the security policy for an administrative area.
• Create and configure entry-specific access control.
• Use collective attributes to define organizational information for the administrative area.

Lab Setup
To complete this lab, you need the following:
• MMS Server installed and running
• MMS Compass installed and configured to connect to your MMS Server.

Estimated time to complete this lab: 30 minutes

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Exercise 1
Creating a Security Policy

In this exercise, you will modify the metaverse organizational unit to become an administrative point, thereby making the entire metaverse an administrative area. You will then create a security policy and add Directory Administrators to its existing permissions.

Scenario
Northwind Traders plans on having the administrators of each connected directory also administer the associated metadirectory data. Because of this, you need to configure security on the metaverse namespace data.

Tasks / Detailed Steps

1. Log on to Windows 2000, start MMS Compass, and then log on to your MMS server.
   a. Log on to Windows 2000 as Administrator with a password of password.
   b. Start MMS Compass, and then log on to your MMS server as server@server.domain.nwtraders.msft (where server is your computer name and domain is your domain name) with a password of server.

2. Create an instance of the HR tutorial management agent called HR MA.
   a. In the control pane of MMS Compass, click Bookmarks, click Management Agents, and then click Create New Management Agent.
   b. In the Create Management Agent dialog box, in the Name of the Management Agent box, type HR MA.
   c. In the Type of the Management Agent box, click Tutorial HR (LDIF) Management Agent, and then click Create.
      The Configure the Management Agent dialog box appears.

3. Configure HR MA to place metaverse namespace data under the following location: ou=metaverse,dc=domain,dc=nwtraders,dc=msft (where domain is your domain name)
   a. In the Configure the Management Agent dialog box, on the Connected Directory Specifics tab, on the Mode and Namespace Management tab, before the existing text in the Metaverse location box, type ou=metaverse, (including the comma and no spaces) resulting in ou=metaverse,dc=domain,dc=nwtraders,dc=msft (where domain is your domain name), and then click OK.

4. Run the HR MA and populate the metadirectory with the human resources data.
   a. In the directory pane of MMS Compass, click HR MA, and then in the control pane, click Operate MA.
   b. In the Operate the Management Agent dialog box, on the Management Agent Logs tab, display the Operator's Log tab.
   c. Click Run the Management Agent.
      The Operator's Log displays the results of the discovery and of the update of the metadirectory.
   d. Click OK to close the Operate the Management Agent dialog box.

5. Modify the metaverse organizational unit to become an administrative point.
   a. At the top of the directory pane, click The Known Universe.
   b. In the directory pane, navigate to and select metaverse.
   c. In the control pane, click Administration.
   d. In the Entry Administration dialog box, under Directory Service Specific Entries, select the Admin Point check box, and then click OK.

6. Create a security policy called metaverse security for the administrative area and add the following permissions for Directory Administrators:
   • Read—Granted all attributes and entry can be seen
   • Modify—Granted all attributes and do not allow entry creation or entry deletion
   a. In the directory pane, right-click metaverse, and then click Insert.
   b. In the Insert Object Under dialog box, on the Administrative tab, under Type of Object To Create, click the button representing Access Control Subentry.
      The appropriate button is determined by pointing to a button and viewing its tool tip.
   c. In the Relative Name box, type metaverse security and then click Insert.
   d. In the This Administration Area's Security Policy dialog box, under Permission granted to, click New.
      In the Permission granted to list, Anyone is added and selected.
   e. Click Specific, and then click Select.
   f. In the Select dialog box, in the control pane, click Search.
   g. In the control pane, in the box, type Directory Administrators and then press ENTER.
   h. In the control pane, click Directory Administrators.
      The directory pane displays the Directory Administrators entry in relation to the known universe.
   i. Move the Select dialog box enough to view the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   j. In the Select dialog box, drag and drop either of the Directory Administrators entries to the box to the right of Specific in the This Administration Area's Security Policy dialog box.
      The box to the right of Specific is filled in with the distinguished name of the entry dragged and dropped.
   k. Click OK to close the Select dialog box.
   l. In the This Administration Area's Security Policy dialog box, right-click the box to the right of Specific, click Select All, right-click the box again, and then click Copy.
   m. On the Admin Area's Create, Modify or Delete Permissions tab, under Permission granted to, click New.
   n. Click Specific, right-click the box to the right of Specific, and then click Paste.
      The box displays the Directory Administrators distinguished name.
   o. Clear the Allow entry creation/deletion check box, and then click OK.
   p. Click Cancel to close the Insert Object Under dialog box.

Exercise 2
Testing and Modifying the Security Policy

In this exercise, you will test the security policy by creating an administrative account inside an organizational unit that is used for security testing purposes. You will log on by using the new administrative account and verify that Directory Administrators have the appropriate permissions. If the permissions are not correct, you will need to modify the security policy.

Scenario
A security policy is in place for the data in the metaverse namespace. Test this policy to ensure Directory Administrators have read, modify, create, and delete permissions.

Tasks / Detailed Steps

1. Under metaverse, create an organizational unit named Security Test for testing MMS security.
   a. In the directory pane, right-click metaverse, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, click the icon that represents an organizational unit.
   c. In the Relative Name box, type Security Test and then click Insert.
   d. Click OK to close the dialog box representing the Security Test OU.
   e. Click Cancel to close the Insert Object Under dialog box.

2. Under Security Test, create a user object named Test Admin with a password of password and an e-mail address of tadmin@nwtraders.msft.
   a. In the directory pane, expand metaverse, right-click Security Test, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test Admin and then click Insert.
   c. Click OK to close the dialog box representing Test Admin.
   d. Click Cancel to close the Insert Object Under dialog box.
   e. In the directory pane, expand Security Test.
   f. Click Test Admin, and then in the control pane, click Properties.
   g. In the Test Admin dialog box, on the General tab, in the Email box, type tadmin@nwtraders.msft
   h. On the Identity tab, in the Password box, type password and then click OK.
   i. In the Change Password dialog box, in the Confirm New Password for userPassword box, type password and in the Enter the password you logged in with box, type server (where server is your computer name) and then click OK.

3. Make Test Admin a member of Directory Administrators.
   a. In the control pane, click Search.
   b. In the control pane, in the search box, type Directory Administrators and then press ENTER.
   c. In the control pane, click Directory Administrators to locate the entry in The Known Universe.
   d. In the directory pane, drag Test Admin and drop it onto Directory Administrators.
   e. In the Copy Entry dialog box, under Copy Entry Action, ensure that Create alias to this entry is selected, and then click OK.
      Test Admin is created under Directory Administrators in the directory pane.

4. Restart MMS Compass and log on as Test Admin.
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as tadmin@nwtraders.msft with a password of password.

5. Under the Security Test organizational unit, create a person named Test User.
   a. In the directory pane, navigate to the Security Test organizational unit.
   b. Right-click Security Test, and then click Insert.
   c. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test User and then click Insert.
   d. Click OK to close the dialog box representing Test User.

   Why is Test Admin, a member of the Directory Administrators group, not able to create a person object? Why was Administrator able to do it?
   The security policy for this administrative area grants Directory Administrators permission to read and modify all attributes but not creation or deletion permission.
   Although both Test Admin and Administrator are members of Directory Administrators, Administrator was able to create objects because the security policy has a specific entry for Administrator. Administrator has the ability to create and delete objects and was a closer match than Directory Administrators.

5. (continued)
   e. Click OK to close the message indicating that an error occurred processing your request due to not having the add permission.
   f. Click Cancel to close the Insert Object Under dialog box.

6. Modify the security policy to allow Directory Administrators to create and delete entries.
   a. In the directory pane, click metaverse security, in the control pane, click Actions, and then click Properties.
   b. In the This Administration Area's Security Policy dialog box, on the Admin Area's Create, Modify or Delete Permissions tab, in the Permission granted to box, click Directory Administrators, select the Allow entry creation/deletion check box, and then click OK.

7. Under the Security Test organizational unit, create a person named Test User.
   a. In the directory pane, right-click Security Test, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test User and then click Insert.
   c. Click OK to close the dialog box representing Test User.
   d. Click Cancel to close the Insert Object Under dialog box.

8. Configure Test User with an e-mail address of tuser@nwtraders.msft and a password of password.
   a. In the directory pane, expand Security Test, and then click Test User.
   b. In the control pane, click Properties.
   c. In the Test User dialog box, on the General tab, in the Email box, type tuser@nwtraders.msft
   d. On the Identity tab, in the Password box, type password and then click OK.
   e. In the Change Password dialog box, in the Confirm New Password for userPassword box, type password and in the Enter the password you logged in with box, type password and then click OK.

9. Verify that a Directory Administrator can modify Test User by changing Office to 555-1234.
   a. In the directory pane, click Test User, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, in the Office box, type 555-1234 and then click OK.

Exercise 3
Configuring Access Control on Specific Entries

In this exercise, you will place permissions on a user account that grant that user modify permission to its own information and grant Directory Administrators modify permission for all of its attributes except the office telephone number.

Scenario
There are occasions where permissions different from the security policy need to be placed on an individual entry.

Tasks / Detailed Steps

1. Determine the metaverse namespace attribute name for Office and then set specific entry permissions, so that Self has modify permission for all attributes and only Self can modify the attribute associated with Office.
   a. In the directory pane, click Test User, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, CTRL+right-click in the Office box.
      A tool tip appears displaying the attribute name of telephoneNumber for the Office field.

   A tool tip displays what attribute name for the Office field?
   The attribute name for the Office field is telephoneNumber.

1. (continued)
   c. Click OK to close the Test User dialog box.
   d. In the control pane, click Access Control.
   e. In the This Entry's Permissions dialog box, on the Entry's Modify Permissions tab, under the Permission granted to box, click New.
   f. In the This Entry's Permissions dialog box, on the Entry's Modify Permissions tab, under the list box displaying all attributes, click New.
   g. In the Edit Attribute dialog box, in the Grant or deny permissions to attribute box, type telephoneNumber and then click OK.
   h. Click Denied, and then clear the Allow this user to delete this entry check box.
   i. Under Permissions granted to, click New, and then click Self.
   j. Click OK to close the This Entry's Permissions dialog box.

2. Verify that Test Administrator cannot modify Pager and can modify other attributes of Test User.
   a. In the directory pane, verify that Test User is selected, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, in the Office box, replace the existing value by typing 555-9876 and in the Pager box, type 555-1111 and then click OK.

   Did the specific permissions on an entry override the security policy? Was either value, Office or Pager, successfully modified?
   Yes, the specific permissions on the entry took precedence over the security policy. Office was not modified, and Pager was modified.

2. (continued)
   c. Click OK to close the message indicating that an error occurred processing your request due to no modification permission on attribute telephoneNumber.
   d. Verify that Test User is selected, and then in the control pane, click Properties.
   e. Verify that Office was not changed and the value still is 555-1234.
   f. Verify that Pager was modified to 555-1111, and then click OK.

3. Restart MMS Compass and log on as Test User and verify that you do not have permission to create or delete entries, and do have permission to modify Office and Pager for Test User.
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as tuser@nwtraders.msft with a password of password.
   c. In the directory pane, navigate to and right-click Security Test, and then click Insert.
   d. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Secret Admin and then click Insert.
   e. Click OK to close the dialog box representing Secret Admin, and then click OK to close the message indicating that an error occurred processing your request due to no add permission.
   f. Click Cancel to close the Insert Object Under dialog box.
   g. Navigate to and right-click Test Admin, point to Delete, click Delete selected entries, click Yes to confirm the deletion, and then click OK to close the message indicating that an error occurred processing your request due to no delete permission.
   h. Click Test User, and then in the control pane, click Properties.
   i. In the Test User dialog box, on the General tab, in the Office box, type 555-2222 and in the Pager box type 555-3333 and then click OK.
   j. Verify that Test User is selected, and then in the control pane, click Properties.
   k. Verify that Office was changed to 555-2222, and that the Pager was changed to 555-3333, and then click OK.

   Was Test User able to create or delete objects? Was Test User able to modify Office and Pager for its own entry?
   No, Test User was not able to create or delete objects. Yes, Test User was able to modify Office and Pager for its own entry.

Exercise 4
Configuring Access to the Security Policy

In this exercise, you will verify that a user cannot change the security policy. You will then hide the subentry itself by placing permissions on the security policy subentry that will override the security policy for the administrative area for only that entry.
You will prevent non-administrators from seeing the subentry in the directory tree and yet allow Directory Administrators to read, modify, and delete the subentry.

Scenario
Because it is not desirable for non-administrators to view or modify the security policy subentry, you need to configure the access control settings such that Directory Administrators can view and modify the security policy subentry while a non-administrator cannot see this entry. The permissions for the administrative area cannot be affected.

Tasks / Detailed Steps

1. As Test User, change the security policy to grant modify, create, and delete permission for Test User.
   a. In the directory pane, click metaverse security, and then in the control pane, click Properties.
   b. In the This Administration Area's Security Policy dialog box, on the Admin Area's Create, Modify or Delete Permissions tab, under Permission granted to, click New.
   c. Click Specific, and then click Select.
   d. In the Select dialog box, click Search.
   e. In the control pane, in the search box, type Test User and then press ENTER.
   f. Move the Select dialog box enough to view the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   g. In the Select dialog box, drag and drop the Test User entry to the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   h. Click OK to close the Select dialog box, and then click OK to close This Administration Area's Security Policy dialog box.

   Were there any permission errors encountered when the security policy was changed?
   No. [...]...

subentry by restarting MMS Compass and logging on as Test User and viewing the directory tree
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as tuser@nwtraders.msft with a password of password.
   c. In the directory pane, navigate to and expand metaverse.
Restart MMS Compass and log on as Administrator
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as server@server.domain.nwtraders.msft...

permissions on this entry and the changes were discarded
(continued)
   g. Click OK to close This Administration Area's Security Policy dialog box.
Restart MMS Compass, log on as Administrator
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as server@server.domain.nwtraders.msft with a password of server.
Change permissions such that users cannot see the security subentry and Directory...

box to the right of Specific in the This Entry's Permissions dialog box
   h. Click OK to close the Select dialog box.
(continued)
   i. Using steps b through h as a guide, on the Entry's Modify Permissions tab, grant modify and delete permissions to Directory Administrators.
   j. On the Entry's...

Verify that Test User now has object creation permission and that the security policy was successfully modified
   a. In the directory pane, right-click Security Test,...

server as server@server.domain.nwtraders.msft with a password of server
The metaverse security entry is not displayed

Exercise 5
Creating Collective Attributes

In this exercise, for all the entries in the metaverse, you will use collective attributes for the organization and fax number

Scenario
All of...

In the Test User dialog box, on the Organizational Info tab, verify that Office Fax displays 555-3438, and that Org Name displays Northwind Traders, and then click OK
Close MMS Compass, and then log off of Windows 2000
   a. Close MMS Compass, and then close any open windows.
   b. Log off of Windows 2000.
Create a collective attribute subentry for the metaverse administrative point named metaverse collectives
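
The precedence observed in Exercises 2 and 3 (the closest grantee match wins, and entry-specific permissions override the area's security policy) can be replayed in a small model. This is an added example, not part of the original lab and not MMS code: the ranking of grantees, the fall-through from entry permissions to the area policy, the modify grant on the Administrator rule and the attribute name pager are assumptions inferred from the lab's results.

```python
from dataclasses import dataclass, field

# Assumed specificity order, inferred from the lab's observed results.
RANK = {"self": 3, "specific": 2, "group": 1, "anyone": 0}

@dataclass(frozen=True)
class Rule:
    kind: str                         # "self", "specific", "group" or "anyone"
    who: str = ""                     # entry or group name; unused for self/anyone
    modify_all: bool = False          # modify granted on all attributes
    denied: frozenset = frozenset()   # attributes with modify explicitly denied
    create_delete: bool = False       # "Allow entry creation/deletion" check box

@dataclass
class Directory:
    groups: dict                      # group name -> set of member names
    area_policy: list                 # rules held by the access control subentry
    entry_acls: dict = field(default_factory=dict)  # entry name -> list of rules

    def _closest(self, rules, user, entry):
        """Return the matching rule whose grantee is the closest match."""
        def matches(r):
            return (r.kind == "anyone"
                    or (r.kind == "self" and user == entry)
                    or (r.kind == "specific" and user == r.who)
                    or (r.kind == "group" and user in self.groups.get(r.who, ())))
        return max(filter(matches, rules), key=lambda r: RANK[r.kind], default=None)

    def can_modify(self, user, entry, attr):
        # Entry-specific permissions are consulted first; an attribute they do
        # not decide falls through to the administrative area's policy.
        for rules in (self.entry_acls.get(entry, []), self.area_policy):
            rule = self._closest(rules, user, entry)
            if rule and attr in rule.denied:
                return False
            if rule and rule.modify_all:
                return True
        return False

    def can_create(self, user, parent):
        rule = self._closest(self.area_policy, user, parent)
        return bool(rule and rule.create_delete)

def lab_directory(group_may_create):
    """Constructed state mirroring the lab after Exercise 3, task 1."""
    return Directory(
        groups={"Directory Administrators": {"Administrator", "Test Admin"}},
        area_policy=[
            Rule("specific", "Administrator", modify_all=True, create_delete=True),
            Rule("group", "Directory Administrators", modify_all=True,
                 create_delete=group_may_create),
        ],
        entry_acls={"Test User": [
            Rule("anyone", denied=frozenset({"telephoneNumber"})),
            Rule("self", modify_all=True),
        ]},
    )

if __name__ == "__main__":
    d = lab_directory(group_may_create=True)
    for user in ("Test Admin", "Test User"):
        for attr in ("telephoneNumber", "pager"):  # "pager" is an assumed name
            print(user, attr, d.can_modify(user, "Test User", attr))
```

Passing group_may_create=False reproduces the state before Exercise 2, task 6, where Test Admin is refused the add permission while Administrator is not.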

Date posted: 24/01/2014, 19:20
