Locating Active Directory Objects
Active Directory stores information about objects on the network. Each object is a distinct, named set of attributes that represents a specific network entity. Active Directory is designed to provide information to queries about directory objects from both users and programs. In this lesson you will learn how to use Find (located in the Active Directory Users and Computers console) to locate Active Directory objects.
Understanding Common Active Directory Objects
Adding new resources to your network creates new Active Directory objects that represent these resources. You should be familiar with some of the common Active Directory objects. Table 11.1 describes the most common object types that you can add to Active Directory.
Controlling Access to Active Directory Objects
Windows 2000 uses an object-based security model to implement access control for all Active Directory objects. This security model is similar to the one that Windows 2000 uses to implement Microsoft Windows NT file system (NTFS) security. Every Active Directory object has a security descriptor that defines who has the permissions to gain access to the object and what type of access is allowed. Windows 2000 uses these security descriptors to control access to objects. This lesson explains how to set permissions for Active Directory objects.
Understanding Active Directory Permissions
Active Directory permissions provide security for resources by allowing you to control who can gain access to individual objects or object attributes and the type of access that you will allow.
Active Directory Security
Use Active Directory permissions to determine who has permission to gain access to an object and what type of access is allowed. An administrator or the object owner must assign permissions to the object before users can gain access to it. Windows 2000 stores a list of user access permissions, called the access control list (ACL), for every Active Directory object. The ACL for an object lists who can access the object and the specific actions that each user can perform on it.
You can use permissions to assign administrative privileges to a specific user or group for an OU, a hierarchy of OUs, or a single object, without assigning administrative permissions for controlling other Active Directory objects.
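As an added example (not part of this lesson, which works through the Active Directory Users and Computers console), the following PowerShell reads the ACL of an OU and then delegates a single narrow right to a group instead of broad administrative permissions; it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name and group name are placeholders.

```powershell
# Added example: audit and delegate permissions on an OU using the
# ActiveDirectory module and the AD: drive it creates on import.
# Assumptions: $ouDn and $delegate are placeholders; run on a
# domain-joined host with RSAT installed, as a user allowed to write the DACL.
Import-Module ActiveDirectory

$ouDn     = 'OU=Sales,DC=example,DC=com'   # placeholder OU
$delegate = 'EXAMPLE\Sales-HelpDesk'       # placeholder group

# 1. Read the security descriptor's DACL and list the explicit (non-inherited)
#    entries: who can access the OU and what each identity may do.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize

# 2. Delegate one narrow right: allow the help-desk group to reset passwords
#    on user objects in this OU (and child OUs) and nothing else.
#    Well-known schema GUIDs: 'Reset Password' extended right, 'user' class.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$identity = [System.Security.Principal.NTAccount]::new($delegate)
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
```

Re-running step 1 afterwards shows the new entry as an explicit ACE scoped to user objects, which is what an auditor reviewing delegation on the OU would expect to see.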
Publishing Resources in Active Directory
As an administrator, you need to be able to provide secure and selective publication of network resources to network users and make it easy for users to find information. The directory stores this information for rapid retrieval and integrates Windows 2000 security mechanisms to control access. This lesson explains how to publish resources in Active Directory.
Publishing Resources in Active Directory
Resources that can be published in the directory include objects such as users, computers, printers, folders, files, and network services.
Publishing Users and Computers
User and computer accounts are added to the directory using the Active Directory Users and Computers console. Information about the accounts that is useful for other network users is published automatically. Other information, such as account security information, is made available only to certain administrator groups.
Publishing Shared Resources
Publishing information about shared resources such as printers, folders, and files makes it easy for users to find these resources on the network. Windows 2000 network printers are automatically published in the directory when installed. Information about Windows NT printers and shared folders can be published in the directory using the Active Directory Users and Computers console.
Moving Active Directory Objects
You move objects from one location to another when organizational or administrative functions change—for example, when an employee moves from one department to another. This lesson shows you how to move Active Directory objects within and between domains.
Moving Objects
In the logical environment, you can move objects within and between domains in Active Directory. In the physical environment, you can move domain controllers between sites.
Moving Objects Within a Domain
To reduce administrative overhead, you can move objects with identical security requirements into an OU or container within a domain. You can then assign access permissions to the OU or container and all objects in it.
- In Active Directory Users and Computers, select the object to move, then from the Action menu, click Move.
- In the Move dialog box (see Figure 11.6), select the OU or container to which you want the object to move, then click OK.