70-640 - Chapter 7
OU Naming Considerations
* Keep the names and descriptions simple
* Pay attention to limitations - the maximum length for the name of an OU is 64 characters
* Pay attention to hierarchical consistency
Fields not copied over from a user template:
* Name
* Logon Name
* Password
* Email
* Phone Numbers
* Description
* Office
* Web Page
Benefits of OUs
* OUs are the smallest unit to which you can assign directory permissions
* You can easily change the OU structure
* The OU structure can support many different levels of hierarchy
* Child objects can inherit OU settings
* You can set Group Policy settings on OUs
* You can easily delegate the administration of OUs and the objects within them to the appropriate users and groups
Some admin tasks allowed by AD Admin Center:
* Reset passwords
* Create new objects
* Delete objects
* Move objects
* Perform global searches
* Configure properties for AD objects
Tools used to perform bulk imports of user accounts:
* ldifde.exe - Imports from line-delimited files. Allows an admin to export and import data.
* csvde.exe - Performs the same export functions as ldifde.exe, but uses a comma-separated file format. Does not allow admins to modify or delete objects; it only supports adding to AD.
Creating and Publishing a Printer
1. Click Start → Devices And Printers → Add A Printer. This starts the Add Printer Wizard.
2. In the Choose A Local Or Network Printer page, select Add A Local Printer. This should automatically take you to the next page. If it does not, click Next.
3. In the Choose A Printer Port page, select Use An Existing Port. From the drop-down list beside that option, make sure LPT1: (Printer Port) is selected. Click Next.
4. On the Install The Printer Driver page, select Generic for the manufacturer, and for the printer, highlight Generic / Text Only. Click Next.
5. On the Type A Printer Name page, type Text Printer. Uncheck the Set As The Default Printer box and then click Next.
6. The Installing Printer screen appears. After the system is finished, the Printer Sharing page appears. Make sure the box labeled "Share this printer so that others on your network can find and use it" is selected, and accept the default share name of Text Printer.
7. In the Location section, type Building 203, and in the Comment section, add the following comment: This is a text-only Printer. Click Next.
8. On the You've Successfully Added Text Printer page, click Finish.
9. Next, you need to verify that the printer will be listed in Active Directory. Right-click the Text Printer icon and select Printer Properties.
10. Select the Sharing tab, and ensure that the List In The Directory box is checked. Note that you can also add additional printer drivers for other operating systems using this tab. Click OK to accept the settings.
Creating and Publishing a Shared Folder
1. Create a new folder in the root directory of your C: partition, and name it Test Share.
2. Right-click the Test Share folder. Choose Share With → Specific People.
3. In the File Sharing dialog box, enter the names of users you want to share this folder with. In the upper box, enter Everyone; then click Add. Note that Everyone appears in the lower box. Click in the Permission Level column next to Everyone and choose Read/Write from the pop-up menu. Then click Share.
4. You'll see a message that your folder has been shared. Click Done.
5. Open the Active Directory Users and Computers tool. Expand the current domain, and right-click the RD OU. Select New → Shared Folder.
6. In the New Object - Shared Folder dialog box, type Shared Folder Test for the name of the folder. Then type the UNC path to the share (for example, \\server1\Test Share). Click OK to create the share.
AGDLP (or AGLP)
A = Accounts (Create your user accounts.)
G = Global groups (Put user accounts into global groups.)
DL = Domain local groups (Put global groups into domain local groups.)
P = Permissions (Assign permissions, such as Deny or Allow, on the domain local group.)
AGUDLP (or AULP)
A = Accounts (Create your user accounts.)
G = Global groups (Put user accounts into global groups.)
U = Universal groups (Put global groups into universal groups.)
DL = Domain local groups (Put universal groups into domain local groups.)
P = Permissions (Assign permissions, such as Deny or Allow, on the domain local group.)
Organizational Unit (OU)
A logical group of AD objects. OUs serve as containers within which other AD objects can be created, but they do not form part of the DNS namespace. An OU can contain the following types of AD objects:
* Users
* Groups
* Computers
* Shared Folder Objects
* Contacts
* Printers
* InetOrgPerson objects
* MSMQ Queue Aliases
* Other OUs
Managed Service Accounts
A new Windows Server 2008 R2 OU. Service accounts are accounts created to run specific services like Exchange and SQL Server. Having a Managed Service Accounts OU allows you to better control the service accounts and thus allows for better service account security.
OU Deletion Protection
A nice feature when creating an OU is the ability to protect the OU from being accidentally deleted. When creating an OU, you can check the check box "Protect Container From Accidental Deletion". To delete the OU afterwards, you must go into the advanced properties of the OU and uncheck the box.
Active Directory Migration Tool v3.2
Allows an administrator to migrate users, groups, and computers from a Microsoft Server 2003 domain to a Windows Server 2008 R2 Active Directory domain. Admins can also use the tool to migrate users, groups, and computers between AD domains in different forests and between domains in the same forest.
MSMQ Queue Alias
An Active Directory object of the MSMQ-Custom-Recipient class type. The MSMQ (Microsoft Message Queuing) Queue Alias object associates an Active Directory path and a user-defined alias with a public, private, or direct single-element format name. This allows a queue alias to be used to reference a queue that might not be listed in Active Directory Domain Services (AD DS).
InetOrgPerson
An Active Directory object that defines attributes of users in Lightweight Directory Access Protocol (LDAP) and X.500 directories.
Domain Local Groups
Domain local groups are groups that remain in the domain in which they were created. You use these groups to grant permissions within a single domain. For example, if you create a domain local group named HPLaser, you cannot use that group in any other domain, and it has to reside in the domain in which you create it. You can create domain local groups in domain Mixed or Native modes.
Foreign Security Principals
Foreign security principals are any objects to which security can be assigned and that are not part of the current domain. Security principals are Active Directory objects to which permissions can be applied, and they can be used to manage permissions in Active Directory.
Global Group
Global groups can contain other groups and accounts from the domain in which the group is created. In addition, you can give them permissions in any domain in the forest. Global groups can be created in domain Mixed or Native modes.
Access Control Entries (ACEs)
Grant specific administrative rights on objects in a container to a user or group.
Offline Domain Join of a Computer
Offline domain join gives administrators the ability to preprovision computer accounts in the domain to prepare operating systems for deployments. Computers, at startup, can then join the domain without the need to contact a domain controller. Benefits:
* No additional network traffic for AD state changes
* No additional network traffic for computer state changes to the DC
* Changes for both the AD state and computer state can be completed at different times
Built-In
The Built-In container includes all of the standard groups that are installed by default when you promote a domain controller.
Publishing AD Objects
The act of making an AD object available. The two main publishable objects are Printer objects and Shared Folder objects.
Repadmin
This command allows administrators to diagnose AD replication problems between DCs.
Ldifde
This command allows you to import and export data from Active Directory. The data is stored in LDAP Data Interchange Format (LDIF).
Dsadd
This command allows you to add objects to the AD DS directory.
Csvde
This command allows you to import and export data from Active Directory. The data gets stored in comma-separated value (CSV) format.
Dsmod
This command allows you to modify an AD DS object.
Dsmove
This command allows you to move an object in an AD domain from its current OU to a new OU within the same forest.
Dsquery
This command allows you to query AD DS.
Dsacls
This command allows you to see and change permissions in the access control list (ACL) for objects in AD DS.
Dsmgmt
This command gives an administrator management utilities for Active Directory Lightweight Directory Services (AD LDS).
Dcpromo
This command initiates the Active Directory Installation Wizard and adds or removes the Active Directory Domain Services (AD DS).
Dsdbutil
This command provides database utilities for AD Lightweight Directory Services (AD LDS).
Dsrm
This command removes an object from the AD DS directory.
DSamain
This command shows the AD data stored in either a snapshot or a backup as if it were in a Lightweight Directory Access Protocol (LDAP) server.
Dsget
This command shows the properties of an object in the AD DS directory.
LostAndFound folder
This folder, visible in ADUC when Advanced Features is enabled, contains any files that may not have been replicated properly between domain controllers. You should check this folder periodically so that you can decide whether you need to move its contents or copy them to other locations.
Ntdsutil
This is one of the most important commands for AD. It allows you to do maintenance on the AD database.
Dcdiag
This troubleshooting command checks the state of your domain controllers in your forest and sends back a report of any problems.
Universal Groups
Universal groups can include other groups and accounts from any domain in the domain tree or forest. You can give universal groups permissions in any domain in the domain tree or forest. You can create universal groups only if you are in a domain Native mode.
User Principal Name (UPN)
When you log into a domain, your logon name looks like an email address (i.e., [email protected]): this is called your user principal name (UPN). A UPN is the username, followed by the @ sign, followed by the domain name. At the time that the user account is created, the UPN suffix is generated by default. The UPN is created as userName@DomainName, but an admin can alter or change the default UPN.
OU Delegation Control
You can delegate control only at the OU level and not at the object level within the OU.
