Security overview

					Any Questions?
   Chapter 4 Group Accounts
• Create and manage groups
• Create and modify groups by using the
  Microsoft Active Directory Users And
  Computers MMC snap-in
• Identify and modify the scope of a group
• Manage group membership
• Create and modify groups by using
  automation
                                        Pg 4-1
   Chapter 4 Group Accounts
• Lesson 1: Understanding Group Types
  and Scopes
• Lesson 2: Managing Group Accounts
• Lesson 3: Using Automation to Manage
  Group Accounts



                                     Pg 4-1
          Chapter 4 Lesson 1
 Understanding Group Types and Scopes
• Identify the two types of groups and their
  proper use
• Identify the three types of group scope and
  their proper use
• Understand the difference between groups
  and identities


                                        Pg 4-3
          Domain Functional Level

• Windows 2000 mixed: for supporting Microsoft
  Windows NT 4, Windows 2000, and Windows
  Server 2003 domain controllers
• Windows 2000 native: for supporting Windows
  2000 and Windows Server 2003 domain
  controllers
• Windows Server 2003 interim: for supporting
  Windows NT 4 and Windows Server 2003
  domain controllers
• Windows Server 2003: for supporting Windows
  Server 2003 domain controllers
                                         Pg 4-3
               Group Scope

• How permissions are assigned
  – Domain Local
  – Domain Global
  – Universal




                                 Pg 4-4
            Local groups
– Machine local groups on individual machines
– Backward compatible with NT4
– Not used on Domain Controllers
– Can include members from any domain
– Only sets permissions for that machine




                                         Pg 4-4
             Domain Local groups
• Primarily for Domain Local resources
   – Exist in all mixed, interim, and native functional level domains
     and forests.
   – Are available domainwide only in Windows 2000 native or
     Windows Server 2003 domain functional level domains. Domain
     local groups function as a local group on the domain controllers
     while the domain is in mixed or interim domain functional level.
   – Can include members from any domain in the forest, from
     trusted domains in other forests, and from trusted down-level
     domains.
   – Have domainwide scope in Windows 2000 native and Windows
     Server 2003 domain functional level domains and can be used to
     grant resource permission on any computer running Windows
     Server 2003 within, but not beyond, the domain in which the
     group exists.

                                                              Pg 4-4
               Universal Groups

• Grant resources in all trusted domains
  – Remember trees and forests?
• Only for Security
• Universal groups can include members from any
  domain in the forest.
• In domains configured at the Windows 2000
  native or Windows Server 2003 domain
  functional level, you can grant universal groups
  permissions in any domain, including domains in
  other forests with which a trust exists.
                                             Pg 4-5
Group Scope




              Pg 4-6
                    Group Conversion

• In the Windows Server 2003 and Windows 2000 native
  domain functional levels you can change scope
• You can also use dsmod
   – dsmod group "CN=Finance,OU=Groups,DC=contoso,DC=com" -scope u

• Cannot change if it would violate group membership
  rules
• Can also convert type from security to distribution




                                                                 Pg 4-8
                 Special Identities

• Cannot be created or modified
• Can be used to set permissions




                                      Pg 4-8
Special Identities




                     Pg 4-8
Any Questions?
          Chapter 4 Lesson 2
        Managing Group Accounts
• Create a group
• Modify the membership of a group
• Find the domain groups to which a user
  belongs




                                       Pg 4-12
          Creating a Security Group

• Active Directory Users and Computers
  MMC
• Security Groups
  – Used to specify permissions in an ACL
     • Domain Local or Global in Scope
• Distribution Groups
  – Only for e-mail
  – Can create Universal
                                            Pg 4-12
       Modifying Group Membership

• Add or remove members
  – Using the search functionality
    • Find all
    • Filter to be more specific




                                     Pg 4-12
Any Questions?
             Chapter 4 Lesson 3
  Using Automation to Manage Group Accounts

• Import security principals with Ldifde
• Export security principals with Ldifde
• Use the Dsadd and Dsmod commands to
  create and modify groups




                                        Pg 4-15
                 Real World

• Accessing the data that already exists
• Export in usable format
  – CSVDE.EXE
  – LDIFDE.EXE




                                           Pg 4-15
                   CSVDE

• Can import or export details from a flat
  .csv file




                                             Pg 4-15
                   LDIFDE

• Uses Lightweight Directory Access
  Protocol (LDAP)
  – Common format for many directory services




                                          Pg 4-15
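
Added example (not part of the original slides or the course text): a Python script that reads an LDIFDE export of groups, decodes each group's scope and type from the groupType attribute, and checks whether a scope change would break the membership rules mentioned on the Group Conversion slide. The sample export, the group names other than Finance, and the function names are constructed for illustration; only groups present in the export are taken into account.

```python
SECURITY = 0x80000000  # groupType flag: security-enabled (otherwise distribution)
SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
# Constructed sample in the shape of an ldifde group export (not real data).
SAMPLE_LDIF = """\
dn: CN=Finance,OU=Groups,DC=contoso,DC=com
groupType: -2147483646
member: CN=Alice,OU=Users,DC=contoso,DC=com

dn: CN=All Staff,OU=Groups,DC=contoso,DC=com
groupType: -2147483646
member: CN=Finance,OU=Groups,DC=contoso,DC=com

dn: CN=Printer Access,OU=Groups,DC=contoso,DC=com
groupType: -2147483644
member: CN=All Staff,OU=Groups,DC=contoso,
 DC=com

dn: CN=Newsletter,OU=Groups,DC=contoso,DC=com
groupType: 8
"""

def parse_ldif(text):
    """Map lower-cased DN -> groupType and member DNs; unfolds wrapped lines."""
    groups = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        if "grouptype" in attrs:
            groups[attrs["dn"][0].lower()] = {
                "groupType": int(attrs["grouptype"][0]) & 0xFFFFFFFF,
                "member": [m.lower() for m in attrs.get("member", [])]}
    return groups

def describe(group_type):
    scope = next(name for bit, name in SCOPES.items() if group_type & bit)
    return scope, "security" if group_type & SECURITY else "distribution"

def can_convert(groups, dn, target):
    """True if changing dn's scope to target breaks no membership rule."""
    dn = dn.lower()
    scope = describe(groups[dn]["groupType"])[0]
    inner = {describe(groups[m]["groupType"])[0] for m in groups[dn]["member"] if m in groups}
    outer = {describe(g["groupType"])[0] for g in groups.values() if dn in g["member"]}
    blocked = {("global", "universal"): "global" in outer,
               ("domain local", "universal"): "domain local" in inner,
               ("universal", "global"): "universal" in inner,
               ("universal", "domain local"): False}
    return not blocked.get((scope, target), True)
```

Here Finance cannot become universal because it is a member of another global group (All Staff), which is the kind of conflict that makes a dsmod -scope change fail.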
               Command Line

•   DSADD
•   DSGET
•   DSMOD
•   DSMOVE
•   DSRM
•   VBSCRIPT


                              Pg 4-15

				