03-Configuring Active Directory Objects and Trusts

Document information

Demonstration: Configuring Active Directory Objects Using Windows PowerShell. In this demonstration, you will see how to configure Active Directory objects using Windows PowerShell.

Module Overview

• Configuring Active Directory Objects

• Strategies for Using Groups

• Automating AD DS Object Management

• Delegating Administrative Access to AD DS Objects


Lesson 1: Configuring Active Directory Objects

• Types of AD DS Objects

• Demonstration: Configuring AD DS User Accounts

• AD DS Group Types

• AD DS Group Scopes

• Default AD DS Groups

• AD DS Special Identities

• Discussion: Using Default Groups and Special Identities

• Demonstration: Configuring AD DS Group Accounts


Types of AD DS Objects

User accounts
• Enables a single sign-on for a user
• Provides access to resources

Computer accounts
• Enables authentication and auditing of computer access to resources

Group accounts
• Helps simplify administration

InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services

Organizational Unit
• Used to group similar objects for administration

Printers
• Used to simplify the process of locating and connecting to printers

Shared folders
• Used to simplify the process of locating and

Demonstration: Configuring AD DS User Accounts

AD DS Group Types

Distribution groups
• Used only with e-mail applications
• Not security-enabled

Security groups
• Used to assign rights and permissions to groups of users and computers
• Used most effectively when nested

AD DS Group Scopes

Domain Local
  Group members can include:
  • Universal groups, global groups, and other domain local groups from its own domain
  • Accounts from any trusted domain
  Can be used to assign permissions: in the same domain

Global
  Group members can include:
  • Users, groups, and computers from its own domain
  Can be used to assign permissions: in any trusted domain

Universal
  Group members can include:
  • Users, groups, and computers as members from any trusted domain
  Can be used to assign permissions: in any trusted domain

Default AD DS Groups

Default groups are designed to manage shared resources and delegate specific domain-wide administrative roles

• Account Operators
• Administrators
• Backup Operators
• Incoming Forest Trust Builders
• Network Configuration Operators
• Performance Log Users

AD DS Special Identities

Designed to provide access to resources without administrative or user interaction

• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Everyone
• Interactive
• Local System
• Network
• Self
• Service

Discussion: Using Default Groups and Special Identities

Demonstration: Configuring AD DS Group Accounts

Demonstration: Configuring Additional AD DS Objects

Lesson 2: Strategies for Using Groups

• Options for Assigning Access to Resources

• Using Account Groups to Assign Access to Resources

• Using Account Groups and Resource Groups


Options for Assigning Access to Resources

When assigning access to resources:

• Plan for the lowest level of permissions

• Keep the plan as simple as possible

• Document the plan

Options include:

• Adding user accounts to the ACL on the resource

• Adding user accounts to groups, and adding the groups to the ACL on the resource

• Adding user accounts to account groups, adding the account groups to resource groups, and


Using Account Groups to Assign Access to Resources

Diagram: user accounts are placed in account groups, and the account groups are assigned permissions on the resource

Using Account Groups and Resource Groups

Diagram: user accounts are placed in account groups, the account groups are placed in resource groups, and the resource groups are assigned permissions on the resource

Discussion: Using Groups in a Single-Domain or Multiple-Domain Environment

Lesson 3: Automating AD DS Object Management

• Tools for Automating AD DS Object Management

• Configuring AD DS Objects Using Command-Line Tools

• Managing User Objects with LDIFDE

• Managing User Objects with CSVDE

• What Is Windows PowerShell?

• Windows PowerShell Cmdlets

Tools for Automating AD DS Object Management

• Active Directory Users and Computers
• Directory Service Tools: Dsadd, Dsmod, Dsrm

Configuring AD DS Objects Using Command-Line Tools

Command-line tools:
• Dsadd
• Dsmod
• Dsrm
• Dsget
• net user
• net group

Managing User Objects with LDIFDE

Diagram: LDIFDE imports filename.ldf into Active Directory and exports Active Directory objects to filename.ldf

Managing User Objects with CSVDE

Diagram: CSVDE imports filename.csv into Active Directory and exports Active Directory objects to filename.csv

What Is Windows PowerShell?

Windows PowerShell is a scripting and command-line technology that you can use to manage Active Directory and other Windows components

Windows PowerShell features include:
• Powerful single-line cmdlets
• Aliases
• Variables
• Pipelining
• Scripting support
• Access to all

Windows PowerShell Cmdlets

Windows PowerShell cmdlets all use the same syntax:

Verb    Noun      Parameters   Example
Get     Date                   Get-Date
Start   Service   W3SVC        Start-Service W3SVC

Results from one cmdlet can be pipelined to another:

Get-Service W3svc | format-list
Get-Service | sort-object name

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Lab A: Configuring Active Directory Objects

• Exercise 1: Configuring AD DS Objects

• Exercise 2: Implementing an AD DS Group Strategy

• Exercise 3: Automating the Management of AD DS Objects

Logon information

Virtual machines 6425A-NYC-DC1, 6425A-NYC-DC2, 6425A-NYC-CL1

User name Administrator

Password Pa$$w0rd


Lab A Review

• How will the group strategies you use in your organization compare with the strategy used in this lab?

• Which of the options for automating AD DS object


Lesson 4: Delegating Administrative Access to AD DS Objects

• Active Directory Object Permissions

• Demonstration: Active Directory Domain Services Object Permission Inheritance

• What Are Effective Permissions?

• What Is Delegation of Control?

• Discussion: Scenarios for Delegating Control

Active Directory Object Permissions

Active Directory permissions:

• Include standard permissions and special permissions:
  - Standard permissions are the most frequently assigned permissions
  - Special permissions provide a finer degree of control for assigning access to objects

• Can be allowed, implicitly denied, or explicitly denied

Demonstration: Active Directory Domain Services Object Permission Inheritance

What Are Effective Permissions?

Effective permissions are the actual permissions that are granted to the specified user or group:

• Permissions are cumulative, including permissions assigned to the user account and the group account

• Explicit deny permissions override allow permissions

• Explicit allow permissions override explicit deny permissions

• Object owners can always change permissions
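To make the evaluation rules above concrete, here is an added Python example (not from the course material) that computes effective permissions for a user and its groups over a constructed ACL. It assumes the canonical Windows ACE evaluation order (explicit deny, explicit allow, inherited deny, inherited allow); the trustee names, right names and the sample ACL are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One access control entry: a trustee (user or group) is allowed or
    denied a set of rights, either explicitly on the object or by inheritance."""
    trustee: str
    rights: frozenset
    allow: bool
    inherited: bool = False

def effective_permissions(acl, user, groups, owner=None):
    """Return the set of rights `user` actually holds on the object.

    Rules modelled (assumed canonical ACE order on Windows):
      1. Permissions are cumulative across the user and all of its groups.
      2. At the same level, a deny ACE overrides an allow ACE.
      3. Explicit ACEs are evaluated before inherited ones, so an explicit
         allow wins over an inherited deny.
      4. The object owner can always change permissions (WRITE_DAC).
    """
    principals = {user, *groups}
    granted, denied = set(), set()
    # Sort key: explicit (inherited=False) first, then deny (allow=False) first.
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in principals:
            continue
        for right in ace.rights:
            if right not in granted and right not in denied:
                (granted if ace.allow else denied).add(right)  # first match wins
    if owner is not None and owner == user:
        granted.add("WRITE_DAC")
    return granted

# Constructed sample ACL on an OU; trustee and right names are illustrative.
SAMPLE_ACL = [
    Ace("Help Desk", frozenset({"READ", "RESET_PASSWORD"}), allow=True),
    Ace("Contractors", frozenset({"RESET_PASSWORD"}), allow=False),
    Ace("alice", frozenset({"WRITE"}), allow=True),
    Ace("Domain Users", frozenset({"WRITE"}), allow=False, inherited=True),
]

if __name__ == "__main__":
    # alice: the explicit Contractors deny beats the Help Desk allow on
    # RESET_PASSWORD, but her explicit WRITE allow beats the inherited deny.
    print(sorted(effective_permissions(SAMPLE_ACL, "alice",
                                       {"Help Desk", "Contractors", "Domain Users"})))
    print(sorted(effective_permissions(SAMPLE_ACL, "bob",
                                       {"Help Desk", "Domain Users"}, owner="bob")))
```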

What Is Delegation of Control?

Diagram: a domain containing OU1, OU2 and OU3, each delegated to Admin1, Admin2 or Admin3

Assigns the responsibility of managing Active Directory objects to another user or group

• Delegated administration:
  - Eases administration by distributing routine administrative tasks
  - Provides users or groups more control over local network resources
  - Eliminates the need for multiple

Discussion: Scenarios for Delegating Control

• What are the benefits of delegating administrative permissions?

Demonstration: Configuring Delegation of Control

Lesson 5: Configuring AD DS Trusts

• What Are AD DS Trusts?

• AD DS Trust Options

• How Trusts Work Within a Forest

• How Trusts Work Between Forests

• Demonstration: Configuring Trusts

• What Are User Principal Names?

• What Are the Selective Authentication Settings?


What Are AD DS Trusts?

Provide a mechanism for users to gain access to resources in another domain

Trust characteristics:

• Transitive – the trust relationship extends beyond a two-domain trust to include other trusted domains

• Trust direction – the trust direction defines the account domain and the resource domain
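As an added illustration of the two characteristics above (not part of the course material), the following Python model answers whether a resource domain will accept an account from another domain over a trust path. The domain names and topology are constructed; the rules assumed for parent-child, forest and external trusts are stated in the docstring.

```python
from collections import deque

def build_graph(trusts):
    """trusts: (trusting_domain, trusted_domain, kind, two_way) tuples.
    Edges point from the resource (trusting) domain to the account (trusted)
    domain, the direction in which authentication is accepted."""
    graph = {}
    for trusting, trusted, kind, two_way in trusts:
        graph.setdefault(trusting, []).append((trusted, kind))
        if two_way:
            graph.setdefault(trusted, []).append((trusting, kind))
    return graph

def can_authenticate(graph, resource_domain, account_domain):
    """True if resource_domain accepts accounts from account_domain over a
    valid trust path. Assumed rules: parent-child and tree-root trusts are
    transitive within a forest; a forest trust is transitive across the two
    forests it joins but a path may not cross a second forest trust; an
    external trust is non-transitive and only valid as the direct hop."""
    if resource_domain == account_domain:
        return True
    queue = deque([(resource_domain, 0)])   # (domain, forest trusts crossed)
    seen = {(resource_domain, 0)}
    while queue:
        node, crossed = queue.popleft()
        for nxt, kind in graph.get(node, []):
            direct = node == resource_domain and nxt == account_domain
            if kind == "external" and not direct:
                continue                    # non-transitive: single hop only
            hops = crossed + (kind == "forest")
            if hops > 1:
                continue                    # would chain into a third forest
            if nxt == account_domain:
                return True
            if (nxt, hops) not in seen:
                seen.add((nxt, hops))
                queue.append((nxt, hops))
    return False

# Constructed topology: two forests joined by a forest trust, plus a one-way
# external trust in which northwindtraders.com trusts contoso.com.
TRUSTS = [
    ("na.contoso.com", "contoso.com", "parent-child", True),
    ("emea.woodgrovebank.com", "woodgrovebank.com", "parent-child", True),
    ("contoso.com", "woodgrovebank.com", "forest", True),
    ("northwindtraders.com", "contoso.com", "external", False),
]
GRAPH = build_graph(TRUSTS)
```

With this topology, an account from emea.woodgrovebank.com is accepted by na.contoso.com through the forest trust, while the external trust lets northwindtraders.com accept accounts from contoso.com only, not from its child domain and not in the reverse direction.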

AD DS Trust Options

Diagram: trust types across two forests (each with a forest root domain; Domains A, B, D, E, F, P and Q) and a Kerberos realm: tree/root trust, forest trust, shortcut trust, external trust and realm trust

How Trusts Work Within a Forest

Diagram: Tree One and Tree Two in one forest, showing the Forest Root Domain, a Tree Root Domain, and Domains 1, 2, A and C

How Trusts Work Between Forests

Diagram: a forest trust between WoodgroveBank.com and contoso.com, each with a global catalog; an access from EMEA.WoodgroveBank.com to NA.Contoso.com (locations labelled Seattle and Vancouver) shown as numbered steps 1 to 9

Demonstration: Configuring Trusts

What Are User Principal Names?

The domain suffix can be the user's home domain, any other domain in the forest, or a custom domain name

Additional UPN domain suffixes can be added

UPNs must be unique in a forest

UPN suffixes can be used for routing authentication requests between trusted forests:

• UPN suffix routing is automatically disabled if the same UPN suffix is used in both forests

• You can manually enable or disable name suffix routing across trusts

What Are the Selective Authentication Settings?

Selective authentication:

• Limits which computers can be accessed by users from a trusted domain, and which users in the trusted domain can access the computer

• Configured on the security descriptor of the computer object located in Active Directory

To configure selective authentication:

• Configure the forest or external trust to use selective rather than domain-wide authentication

Demonstration: Configuring Advanced Trust Settings

Lab B: Configuring Active Directory Delegation and Trusts

• Exercise 1: Delegating Control of AD DS Objects

• Exercise 2: Configuring AD DS Trusts

Logon information

Virtual machines 6425A-VAN-DC1, 6425A-NYC-DC2, 6425A-NYC-SVR1

User name Administrator

Password Pa$$w0rd

Lab B Review

• After the trusts are configured as described in the lab, what resources will users in Woodgrove Bank be able to access in the NorthwindTraders.com domain?

• How would you configure a forest trust with another


Module Review and Takeaways

• Review questions

• Considerations for configuring Active Directory objects


Beta Feedback Tool

• Beta feedback tool helps:
  - Collect student roster information, module feedback, and course evaluations
  - Identify and sort the changes that students request, thereby facilitating a quick team triage
  - Save data to a database in SQL Server that you can later query

Beta Feedback

Overall flow of module:
  - Which topics did you think flowed smoothly from topic to topic?
  - Was something taught out of order?

Pacing:
  - Were you able to keep up? Are there any places where the pace felt too slow?
  - Were you able to process what the instructor said before moving on to the next topic?
  - Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?

Learner activities:
  - Which demos helped you learn the most? Why do you think that is?
  - Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
  - Were there any discussion questions or reflection questions

Posted: 20/04/2021, 03:49