Chapter 2: Managing OUs and Active Directory Accounts Flashcards
2.1 Work with organizational units
2.2 Manage user accounts
2.3 Manage group accounts
2.4 Work with computer accounts
2.5 Automate account management
Benefits of using OUs
Create hierarchical structures to allow easy resource access
Delegation of administrative authority
Able to change OU structure easily
Grouping users and computers for assigning administrative and security policies
Hiding AD objects
Delegation of Control
A person with higher security privileges assigns authority to a person of lesser security privileges to perform certain tasks for them
Commonly delegated tasks:
Create, delete, and manage user accounts, passwords, and groups
Manage group policy links
Generate Resultant Set of Policy (Planning or Logging)
Can delegated control be seen in an OUs properties?
How do you see it?
By default, the OU’s properties don’t show that a user has been delegated control. To verify who has been delegated control, you must view the OU’s permissions
Security Principals that can be assigned to an object (3)
Users, groups, computers
AD object’s security descriptor
An AD object's security descriptor consists of the security settings of three components:
Discretionary access control list (DACL)
Object owner
System access control list (SACL)
Object permissions (5)
Read
Write
Create all child objects
Delete all child objects
Full control
Permission inheritance
Permission inheritance defines how permissions are transmitted from a parent object to a child object
(All objects in AD are child objects of the domain)
Default settings in AD Users and Computers hide some system folders; these are… (5)
Displayed by enabling the Advanced Features option from the View menu
LostAndFound
Program Data
System
NTDS Quotas
TPM (Trusted Platform Module) Devices
User accounts have two main functions
Provide a method for user authentication to the network (log in to use)
Provide detailed information about the user
built-in Administrator account (3)
Has full access to all aspects of a computer
Can be renamed or disabled but not deleted
Default administrator should be renamed and given a strong password
Domain administrator account
The domain administrator account in the forest root domain has full access to all aspects of the forest
built-in Guest account
Is disabled by default
Can have a blank password
Has limited access to a computer or domain
Can access any resource which the Everyone group has permission for
What commands can you use to disable an account? (3)
PowerShell cmdlets:
Enable-ADAccount
Disable-ADAccount
dsmod user
Group Types
Security - the main AD objects administrators use to manage network resource access and grant rights to users
Distribution - For sending mass emails
Group Scope
Group scope determines the reach of a group’s application in a domain or forest
Group Scope options (4)
Domain local - domain local groups in the same domain
Global - Global groups in the same domain
Universal - Universal groups from any domain in the forest
Local (for groups created in the SAM database of a computer)
SAM database
The Security Accounts Manager (SAM) database
AGGUDLP
Accounts are made members of
Global groups, which when necessary are nested in other
Global groups, which are made members of
Universal groups, which are then made members of
Domain Local groups, which are assigned
Permissions to resources
A global group
A global group is used to group users from the same domain with similar access or rights requirements
A universal group
A universal group can contain users from any domain in the forest and be assigned permission to resources in any domain in the forest
A local group
A local group is created in the local SAM database on a member server or workstation or a stand-alone computer
Automating Account Management
Account Management can be automated in AD using command-line programs for simple repetitive tasks, or batch files for lengthy and cumbersome tasks
Batch file
A batch file is a text file with .bat extension that can take arguments to replace variables in a command to automate lengthy and cumbersome account management tasks
What are ADAC and ADUC?
Active Directory Administrative Center and Active Directory Users and Computers are tools for creating and maintaining user accounts
What are user templates and what are they used for?
User templates are templates for creating users who have common attributes, such as group memberships
Two methods for automating account management are?
You can automate account management using command-line tools or PowerShell cmdlets