Chapter 11, Administering Active Directory

Chapter 11, Lesson 1

Locating Active Directory Objects

1. Overview

A. Active Directory stores information about objects on the network.

B. Each object is a distinct, named set of attributes that represents a specific network entity.

C. Active Directory is designed to answer queries about directory objects from both users and programs.

2. Understanding Common Active Directory Objects

A. Common object types and their contents

1. User account: Information that allows a user to log on to Windows 2000; many optional fields

2. Contact: Information about a person with a connection to the organization; many optional fields

3. Group: Collection of user accounts, groups, or computers used to simplify administration

4. Shared folder: A pointer to a shared folder on a computer; the object holds the location of the data, not the data itself

Note Shared folders and printers exist in the registry of a computer. When a shared folder is published in Active Directory, an object is created that contains a pointer to the shared folder.

5. Printer: Pointer to a printer on a computer; a printer hosted on a computer that is not a Windows 2000 member of Active Directory is not published automatically and must be published manually

6. Computer: Information about a computer that is a member of the domain

7. Domain controller: Information about a domain controller

8. Organizational unit (OU): Contains other objects, including other OUs; used to organize Active Directory objects

3. Using Find

A. Overview

1. Locating Active Directory objects begins by opening the Active Directory Users and Computers console, located in the Administrative Tools folder, right-clicking a domain or container in the console tree, and then clicking Find.

2. The Find dialog box provides options that allow the global catalog to be searched for Active Directory objects.

3. The Find dialog box helps create an LDAP query that will be executed against the directory or a specific OU.

4. The global catalog contains a partial replica of every domain in the forest: it holds an entry for every object in the domain tree or forest, but only a subset of each object's attributes (the partial attribute set).

5. Because the global catalog contains a partial replica of the entire directory, users can find information regardless of which domain in the tree or forest contains the data.

6. Active Directory automatically generates the contents of the global catalog from the domains that make up the directory.

B. Options in the Find dialog box

1. Find

a. List of object types that can be searched
b. Includes users, contacts, groups, computers, printers, shared folders, OUs, and custom search
c. Custom Search either builds the LDAP query from the parameters entered or lets the user type an LDAP query directly.

2. In

a. List of locations that can be searched
b. Includes the entire Active Directory, a specific domain, or an OU

3. Browse

a. A button that allows the selection of the path for the search

4. Advanced

a. A context-sensitive tab in which the search criteria used to locate the object are defined
b. Provides an array of choices when users, contacts, groups, computers, printers, shared folders, or OUs are searched
c. Requires manual typing of the query when custom search is selected

5. Field

a. A context-sensitive list of the attributes that can be searched, based on the object type selected
b. Located in the Advanced tab

6. Condition

a. A context-sensitive list of the methods available to further define the search for an attribute
b. Located in the Advanced tab

7. Value

a. A box that allows entry of the value for the condition of the field (attribute) being used to search the directory
b. Located in the Advanced tab

c. Requires that a value be entered for an object’s attribute before that attribute can be used to search for the object

8. Search Criteria

a. A box that lists each search criterion defined

b. A search criterion is defined by using the Field list, Condition list, and Value box, and then clicking Add.

c. A search criterion is removed by selecting it and then clicking Remove.

d. Adding or removing search criteria narrows or widens the search, respectively.

9. Find Now

a. A button used to begin a search after search criteria are defined

10. Stop

a. A button used to stop a search

b. Items found up to the point of stopping the search are displayed.

11. Clear All

a. A button used to clear the specified search criteria

12. Results

a. A box that opens at the bottom of the Find window

b. Displays the results of the search after Find Now is clicked
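The Find dialog box is a front end for LDAP searches, so the same queries can be issued directly. The following is an added example in PowerShell with the ActiveDirectory module (RSAT); it is not code from the original training material. The domain contoso.com, the domain controller dc01 and the OU named Sales are assumptions. It also shows the one thing the dialog hides from a Custom Search: a value taken from a user must be escaped before it is placed in a filter, or it can widen the query.

```powershell
# Added example: the LDAP searches behind the Find dialog box, issued from
# PowerShell with the ActiveDirectory module (RSAT). The domain, server and OU
# names are assumptions for illustration.
Import-Module ActiveDirectory

$domainDN = 'DC=contoso,DC=com'          # assumed domain
$gcServer = 'dc01.contoso.com:3268'      # assumed DC; 3268 is the global catalog LDAP port

# Escape a value before placing it inside an LDAP filter (RFC 4515 escaping).
# The backslash is escaped first so the escape sequences added afterwards stay intact.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a'
    $Value = $Value -replace '\(', '\28'
    $Value = $Value -replace '\)', '\29'
    $Value = $Value -replace "`0", '\00'
    return $Value
}

# Find > Users, Contacts, And Groups; In > the Sales OU; Name "Starts with" sm
$prefix = ConvertTo-LdapFilterValue 'sm'
$filter = "(&(objectCategory=person)(objectClass=user)(cn=$prefix*))"
Get-ADObject -LDAPFilter $filter -SearchBase "OU=Sales,$domainDN" -SearchScope Subtree `
             -Properties displayName, mail |
    Select-Object Name, displayName, mail, DistinguishedName

# In > Entire Directory: the same filter against the global catalog, rooted at the forest
# root, returns matches from every domain but only attributes in the partial attribute set.
$forestRootDN = (Get-ADRootDSE -Server $gcServer).rootDomainNamingContext
Get-ADObject -LDAPFilter $filter -Server $gcServer -SearchBase $forestRootDN -SearchScope Subtree |
    Select-Object Name, DistinguishedName

# Find > Printers and Find > Shared Folders are the same search for other object classes.
Get-ADObject -LDAPFilter '(objectClass=printQueue)' -SearchBase $domainDN -Properties printerName, serverName
Get-ADObject -LDAPFilter '(objectClass=volume)'     -SearchBase $domainDN -Properties uNCName

# Custom Search with a typed value: why escaping matters. The input below is constructed.
$userInput = '*)(objectClass=*'
# Unescaped, the filter becomes (&(cn=*)(objectClass=*)(objectClass=user)) and matches every user.
$unsafe = "(&(cn=$userInput)(objectClass=user))"
# Escaped, it matches only an object whose cn is literally "*)(objectClass=*".
$safe   = "(&(cn=$(ConvertTo-LdapFilterValue $userInput))(objectClass=user))"
"Unescaped: $unsafe"
"Escaped:   $safe"
```

Run it from a domain-joined workstation with RSAT installed. The escaping function matters for any script that builds a filter from a form field or a CSV column, which is exactly what the Custom Search option does interactively.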

Chapter 11, Lesson 2

Controlling Access to Active Directory Objects

1. Overview

A. Windows 2000 uses an object-based security model to implement access control for all Active Directory objects.

B. This security model is the same one that Windows 2000 uses for NTFS file and folder permissions.

C. Every Active Directory object has a security descriptor that defines who has the permissions to gain access to the object and what type of access is allowed.

D. Windows 2000 uses these security descriptors to control access to objects.

2. Understanding Active Directory Permissions

A. Active Directory security

1. Permissions provide security for resources by controlling who can gain access to individual objects or object attributes and the type of access allowed.

2. An administrator or the object owner must assign permissions to the object before users can gain access to the object.

3. Every Active Directory object has an access control list (ACL), stored in its security descriptor, that lists the permissions assigned to users and groups for that object.

4. The ACL for an object lists who can access the object and the specific actions that each user can perform on the object.

5. Permissions can delegate administrative control to a specific user or group over an OU, a hierarchy of OUs, or a single object without granting that user or group control over other Active Directory objects.

B. Object permissions

1. The object type determines which permissions can be selected.

2. Permissions vary for different object types.

3. A user can be a member of multiple groups, each with different permissions that provide different levels of access to objects.

4. When a user is assigned a permission for an object and is also a member of a group that is assigned a different permission for that object, the user's effective permissions are the combination (union) of the user and group permissions.

5. Permissions can be allowed or denied.

6. Denied permissions take precedence over any permissions that are otherwise allowed for user accounts and groups, with one exception: a permission explicitly allowed on an object takes precedence over a Deny that the object inherits from its parent, because explicit entries are evaluated before inherited ones.

7. Permissions should be denied only when it is absolutely necessary to deny permission to a specific user who is a member of a group with allowed permissions.

Note Always ensure that all objects have at least one user with the Full Control permission. Failure to do so might result in some objects being inaccessible to the person using the Active Directory Users and Computers console, even an administrator, unless object ownership is changed.

C. Standard permissions and special permissions

1. Overview

a. Both standard permissions and special permissions can be set on objects.

b. Standard permissions are the most frequently assigned permissions and are composed of special permissions.

c. Special permissions provide a finer degree of control for assigning access to objects.

2. Standard object permissions and the type of access allowed

a. Full Control: Change permissions and take ownership, plus perform the tasks allowed by all other standard permissions

b. Read: View objects and object attributes, the object owner, and Active Directory permissions

c. Write: Change object attributes

d. Create All Child Objects: Add any type of child object to a container such as an OU

e. Delete All Child Objects: Remove any type of child object from a container such as an OU

3. Assigning Active Directory Permissions

A. Overview

1. The Active Directory Users and Computers console is used to set standard permissions for objects and attributes of objects.

2. The Security tab of the Properties dialog box for the object is used to assign permissions.

3. The Properties dialog box is different for each object type.

4. When the check boxes under Permissions are shaded, the object has inherited permissions from the parent object.

5. To prevent an object from inheriting permissions from its parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.

6. Special permissions are accessible through the Advanced button.

Note Select Advanced Features on the View menu to access the Security tab and assign standard permissions for an object.

B. To assign standard permissions for an object

1. In Active Directory Users and Computers, on the View menu, ensure that Advanced Features is selected.

2. Select an object, click Properties on the Action menu, and then click the Security tab in the Properties dialog box for the object.

3. To assign standard permissions:

a. To add a new permission, click Add, click the user account or group to which to assign permissions, click Add, and then click OK.

b. To change an existing permission, click the user account or group.

4. Under Permissions, select the Allow check box or the Deny check box for each permission to be added or removed.

C. To view special permissions

1. In the Security tab in the Properties dialog box for the object, click Advanced.

2. In the Access Control Settings For dialog box for the object, in the Permissions tab, click the entry to view in the Permissions Entries list, and then click View/Edit.

3. In the Permission Entry For dialog box for the object, view the special permissions on the appropriate tab:

a. Object tab: View special object permissions assigned to the user or group

b. Properties tab: View user or group read and write access to specific object properties.

Note Avoid assigning permissions for specific properties of objects, because this can complicate system administration. Errors can result, such as Active Directory objects not being visible, thereby preventing users from completing tasks.

4. Using Permissions Inheritance

A. Similar to file and folder permissions inheritance

B. Minimizes the number of times permissions need to be assigned for objects

C. When permissions are assigned to a parent object and applied to child objects, they propagate to all of the parent's child objects.

D. Shaded check boxes indicate which permissions are inherited.

E. Permissions for a given object can be propagated to all child objects.

F. Permissions inheritance can be prevented.

G. When copying previously inherited permissions, the permissions for that object start out exactly the same as those inherited from the current parent object.

H. Changes made to the parent object's permissions after inheritance is blocked no longer apply to the object.

I. When previously inherited permissions are removed, Windows 2000 removes existing permissions and assigns no additional permissions to the object; permissions must then be assigned for the object.

5. Preventing Permissions Inheritance

A. Overview

1. Permissions inheritance can be prevented so that a child object does not inherit permissions from its parent object.

2. Clearing the Allow Inheritable Permissions From Parent To Propagate To This Object check box, located on the Security tab in the Properties dialog box, prevents permissions inheritance.

3. Only the permissions that are explicitly assigned to the object apply.

B. Actions allowed by Windows 2000 when permissions inheritance is prevented

1. Copy previously inherited permissions to the object.

a. The new explicit permissions for the object are a copy of the permissions that it previously inherited from its parent object.

b. Any changes can be made to the permissions, as needed.

2. Remove previously inherited permissions from the object.

a. Windows 2000 removes any previously inherited permissions.

b. No permissions exist for the object.

c. Any permissions can be assigned for the object, as needed.
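The permissions model described in sections 2 through 5 can be inspected and changed from PowerShell as well, which makes the explicit-versus-inherited distinction, the Deny entries, and the Copy/Remove choice visible in one place. The following is an added example using the ActiveDirectory module's AD: drive and the .NET ActiveDirectoryAccessRule class; it is not code from the original training material. The OUs OU=Sales and OU=Contractors, the group Sales Admins and the domain contoso.com are assumptions; the GUID is the schemaIDGUID of the user class.

```powershell
# Added example: reading, delegating and protecting Active Directory permissions
# with the ActiveDirectory module's AD: drive. OU, group and domain names are assumptions.
Import-Module ActiveDirectory

$ouDN    = 'OU=Sales,DC=contoso,DC=com'       # assumed OU to delegate
$childDN = "OU=Contractors,$ouDN"             # assumed child OU used for the inheritance part
$group   = 'CONTOSO\Sales Admins'             # assumed group that receives the delegation
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$fullControl   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# --- Standard vs. special permissions, explicit vs. inherited (shaded check boxes) -----------
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, IsInherited |
    Sort-Object IsInherited, AccessControlType |
    Format-Table -AutoSize

# Deny entries override Allow entries from other group memberships, so list them explicitly.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
    ForEach-Object { "Deny on $ouDN for $($_.IdentityReference): $($_.ActiveDirectoryRights)" }

# --- Delegate create/delete of user objects only (a special permission scoped by object type) ---
$sid  = ([System.Security.Principal.NTAccount]$group).Translate([System.Security.Principal.SecurityIdentifier])
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,                                                   # user objects only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# --- Preventing inheritance on the child OU --------------------------------------------------
# Option 1, "Copy": inherited entries become explicit entries on the child, so it starts
# with exactly the permissions it had; later changes on the parent no longer reach it.
$childAcl = Get-Acl -Path "AD:\$childDN"
$childAcl.SetAccessRuleProtection($true, $true)     # isProtected = $true, preserveInheritance = $true
Set-Acl -Path "AD:\$childDN" -AclObject $childAcl

# Option 2, "Remove": inherited entries are discarded and only explicit entries remain.
# Refuse unless some principal keeps Full Control through an explicit Allow entry;
# otherwise the object can become unmanageable until ownership is taken.
$childAcl = Get-Acl -Path "AD:\$childDN"
$explicitFull = $childAcl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
}
if (-not $explicitFull) {
    throw "Not removing inherited permissions on ${childDN}: no explicit Full Control entry would remain"
}
$childAcl.SetAccessRuleProtection($true, $false)    # isProtected = $true, preserveInheritance = $false
Set-Acl -Path "AD:\$childDN" -AclObject $childAcl
```

The two SetAccessRuleProtection calls are the Copy and Remove buttons from section 5; the Full Control check before the Remove branch is the programmatic form of the note in section 2 about always leaving at least one principal with Full Control.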

Chapter 11, Lesson 3

Publishing Resources in Active Directory

1. Overview

A. Administrators need to be able to provide secure and selective publication of network resources to network users and make it easy for users to find information.

B. The directory stores this information for rapid retrieval and integrates Windows 2000 security mechanisms to control access.

2. Resources

A. Computers

B. Printers

C. Folders

D. Files

E. Network services

3. Users and Computers

A. User and computer accounts are added to the directory using the Active Directory Users and Computers console.

B. Information about the accounts that is useful for other network users is published automatically.

C. Sensitive information, such as account security information, is made available only to certain administrative groups.

4. Shared Resources

A. Overview

1. Publishing information about shared resources, such as printers, folders, and files, makes it easy for users to find these resources on the network.

2. Printers shared on Windows 2000 print servers are published in the directory automatically when they are shared.

3. Information about Windows NT printers and shared folders can be published in the directory using the Active Directory Users and Computers console.

B. To publish a shared folder

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers

2. In the console tree, double-click the domain node

3. Right-click the container in which to add the shared folder, point to New, and click Shared Folder

4. In the New Object-Shared Folder dialog box, type the name of the folder in the Name box

5. In the Network Path box, type the UNC path (\\server\share) that is to be published in the directory, and then click OK

6. The shared folder appears in the directory in the container selected.
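The New Object - Shared Folder dialog creates a directory object of class volume whose uNCName attribute holds the UNC path. The following is an added example that does the same from PowerShell; it is not code from the original training material. The container OU=Sales, the file server fs01 and the share name are assumptions. Because the published object is only a pointer, the example checks that the share is reachable before publishing it.

```powershell
# Added example: publishing a shared folder in Active Directory from PowerShell.
# The container, file server and share name are assumptions for illustration.
Import-Module ActiveDirectory

$containerDN = 'OU=Sales,DC=contoso,DC=com'   # assumed container for the published object
$shareName   = 'Sales Reports'                # display name of the published object
$uncPath     = '\\fs01\SalesReports'          # assumed UNC path of the existing share

# The directory object is only a pointer; do not publish one to a share that does not exist.
if (-not (Test-Path -LiteralPath $uncPath)) {
    throw "Share $uncPath is not reachable; refusing to publish a dangling pointer"
}

# Publish: object class volume, uNCName = UNC path; keywords and description help Find locate it.
# Publishing grants nothing: share and NTFS permissions on fs01 still decide who can read the data,
# and the volume object's own ACL decides who can see the pointer in the directory.
New-ADObject -Name $shareName -Type volume -Path $containerDN -OtherAttributes @{
    uNCName     = $uncPath
    keywords    = @('sales', 'reports')
    description = 'Monthly sales reports (read-only share)'
}

# Verify, listing every shared folder published in the container as Find > Shared Folders would.
Get-ADObject -LDAPFilter '(objectClass=volume)' -SearchBase $containerDN -Properties uNCName, keywords |
    Select-Object Name, uNCName, @{ n = 'Keywords'; e = { $_.keywords -join ', ' } }
```

Publishing and unpublishing (Remove-ADObject on the volume object) never touch the share itself, so retiring a share should be done in the reverse order: remove the pointer first, then the share, so users do not find a published path that no longer resolves.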

C. To publish a Windows NT printer

Note The Windows NT printer must be installed before publishing in Active Directory. To install a Windows NT printer, click Start, point to Settings, and then click Printers.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users And Computers

2. In the console tree, double-click the domain node

3. In the console tree, right-click the container in which to publish the printer, point to New, and then click Printer