Active Directory accounts are required for security for users and computers. An account contains a Security Identifier or SID to uniquely identify the account. The account also contains a password and the attributes associated with that account. This video looks at how accounts work and how they are used with security.
Security Identifier (SID)
A SID is used in security to identify a user or computer account. Short SIDs like S-1-1-0 are used for local accounts. Regardless of which computer it is used on, whether in a domain or not, a short SID like this always represents the same thing. For example, S-1-1-0 will always mean Everyone on any Windows system.
Longer SIDs like S-1-5-21-1218951425-845968048-208583963-2209 are used in a domain. Since the SID, rather than any name, uniquely identifies the user, the other attributes of the user can change. For example, the user’s first and last names are free to change at any time and do not affect the objects on which the SID has been used.
When you change the attributes of a user, such as their name, the change does not affect security or other systems, because the account is associated with the SID rather than the name. Some changes may still be noticeable; for example, the folder the user profile is stored in will keep the old user name after the username is changed.
If a person leaves the company, it is a common practice for the account to be disabled rather than deleted. Disabling the account preserves the SID, the security applied to that user, and any certificates associated with that user. When the user’s replacement is hired, the account can simply be enabled and renamed to the new user.
User Authentication Process
When a user logs on to a network, an access token is generated for that user. Inside the access token is the user’s SID. When this access token is presented to another system, the other system can read the user’s SID from the access token.
If the user is a member of any group, the SID for that group will also be placed inside the access token. Another system can look at this access token and also determine the group membership for that user.
Any changes made to group membership for a user will require a new token to be created. For this to occur, the user must log off and log back on again to create a new token.
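The SID and access-token behaviour described above, as an added example (not code from the original page): it parses the SIDs quoted in the text, builds a token from a user's SID and nested group SIDs, and checks an ACL against it. The group RIDs, group names and the ACL are constructed for the demonstration.

```python
# Added example (not from the original page): parse the SIDs shown above and
# show that access checks follow the SID, not the user name, and that a
# token built at logon does not pick up later group changes.
from dataclasses import dataclass, field

# Short, well-known SIDs mean the same thing on every Windows system.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text}")
        return cls(int(parts[1]), int(parts[2]),
                   tuple(int(p) for p in parts[3:]))

    @property
    def is_domain_account(self):
        # Domain accounts look like S-1-5-21-<three domain numbers>-<RID>.
        return (self.authority == 5 and self.subauthorities[:1] == (21,)
                and len(self.subauthorities) == 5)

    @property
    def domain(self):
        # Everything except the final RID identifies the domain itself.
        return "S-1-5-" + "-".join(map(str, self.subauthorities[:4]))

    @property
    def rid(self):
        return self.subauthorities[-1]


def describe(text):
    if text in WELL_KNOWN:
        return f"well-known: {WELL_KNOWN[text]}"
    sid = Sid.parse(text)
    if sid.is_domain_account:
        return f"domain {sid.domain}, RID {sid.rid}"
    return "other SID"


@dataclass
class Account:
    sid: str
    name: str                       # free to change; nothing below keys on it
    member_of: set = field(default_factory=set)   # SIDs of groups (may nest)


def build_token(account, groups):
    """Access token at logon: the user's SID plus every group SID reachable
    through nesting. `groups` maps a group SID to its Account record."""
    sids = {account.sid}
    todo = list(account.member_of)
    while todo:
        gsid = todo.pop()
        if gsid not in sids:
            sids.add(gsid)
            todo.extend(groups[gsid].member_of)
    return frozenset(sids)


def access_allowed(token, acl):
    """acl: list of (sid, "allow" | "deny") entries; an explicit deny wins."""
    hits = {kind for sid, kind in acl if sid in token}
    return "allow" in hits and "deny" not in hits


def demo():
    domain = "S-1-5-21-1218951425-845968048-208583963"   # domain part of the SID in the text
    # Group RIDs 1105/1106 and the group names are constructed for the example.
    all_users = Account(f"{domain}-1106", "All_Users")
    sales = Account(f"{domain}-1105", "Sales", {all_users.sid})   # Sales nested in All_Users
    groups = {g.sid: g for g in (sales, all_users)}
    john = Account(f"{domain}-2209", "J.Doe", {sales.sid})
    acl = [(all_users.sid, "allow")]            # share grants All_Users only

    token = build_token(john, groups)
    before = access_allowed(token, acl)         # allowed through nesting
    john.name = "J.Smith"                       # rename: SID unchanged
    after_rename = access_allowed(build_token(john, groups), acl)
    john.member_of.discard(sales.sid)           # removed from Sales
    stale = access_allowed(token, acl)          # old token still holds the group SIDs
    fresh = access_allowed(build_token(john, groups), acl)   # after log off / log on
    return {"before": before, "after_rename": after_rename,
            "stale_token": stale, "new_token": fresh}
```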
User Naming Standards
Before you start creating accounts in Active Directory, your company should come up with a standard for these accounts. For user accounts, you could use first initial dot last name. Whichever standard you come up with, it should be designed to reduce the number of people that will have the same username. For example, John Doe and Jane Doe will both have the username J.Doe using the standard first initial dot last name. Since Active Directory does not support two or more users having the same usernames, one of the usernames will need to change. A lot of administrators will add a number to the end of the username to ensure that it is unique in the organization.
User Log On Standards
Active Directory supports two logon name formats for accessing the domain. The first dates back to Windows NT and takes the form domain\username. The second looks like an e-mail address and takes the form username@domainname.
Pre Windows 2000 Logon Name
When creating a new account in Active Directory, a pre-Windows 2000 logon name will be configured that matches the username where possible. You are free to change the pre-Windows 2000 logon name, but in most cases it is best to keep it the same as the username. The pre-Windows 2000 logon name is limited to 20 characters. Very old clients like Windows NT will only use the pre-Windows 2000 logon name. Modern non-Microsoft systems should not need the pre-Windows 2000 logon name, but a very old system may require it.
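The naming standard, duplicate handling and 20-character limit from the three sections above, as an added example (not code from the original page). The NetBIOS domain and UPN suffix are the page's ITFreeTraining values; the people's names are constructed.

```python
# Added example (not from the original page): allocate logon names with the
# "first initial dot last name" standard, number duplicates, and keep the
# pre-Windows 2000 name (kept identical to the logon name, as the text
# recommends) within its 20-character limit.
import re

PRE2000_MAX = 20   # limit stated in the text for the pre-Windows 2000 logon name


def base_name(first, last):
    """J.Doe style name; non-alphanumerics are stripped from the surname."""
    return f"{first[0]}.{re.sub(r'[^A-Za-z0-9]', '', last)}"


def allocate(first, last, taken, netbios_domain, upn_suffix):
    """Return (logon name, pre-Windows 2000 name, UPN, NT-style name).

    `taken` holds the names already used in the domain (lower-cased) and is
    updated in place. When a duplicate is found a number is appended; the
    base is shortened so that name plus number still fit in 20 characters."""
    base = base_name(first, last)[:PRE2000_MAX]
    candidate, n = base, 1
    while candidate.lower() in taken:
        n += 1
        suffix = str(n)
        candidate = base[:PRE2000_MAX - len(suffix)] + suffix
    taken.add(candidate.lower())
    return (candidate, candidate, f"{candidate}@{upn_suffix}",
            f"{netbios_domain}\\{candidate}")


def demo():
    taken = set()
    names = []
    for first, last in [("John", "Doe"), ("Jane", "Doe"),
                        ("Maria", "Featherstonehaugh-Whitworth"),   # too long: truncated
                        ("Marco", "Featherstonehaugh-Whitworth")]:  # duplicate after truncation
        logon, _pre2000, upn, nt = allocate(first, last, taken,
                                           "ITFreeTraining", "ITFreeTraining.local")
        names.append((logon, upn, nt))
    return names
```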
“What Are Security Identifiers?” http://technet.microsoft.com/en-us/library/cc786606(WS.10).aspx
“Security Identifier” http://en.wikipedia.org/wiki/Security_Identifier
“Users Can Log On Using User Name or User Principal Name” http://support.microsoft.com/kb/243280
“SAM-Account-Name attribute” http://msdn.microsoft.com/en-us/library/ms679635.aspx
“Active Directory Maximum Limits – Scalability” http://technet.microsoft.com/en-us/library/cc756101.aspx
This video looks at how to create a new user in Active Directory and the properties that can be configured for that user. Once a user is created in Active Directory, this user can be used as a template for other users on the system. This video covers how to create a template and use it later on to create additional users.
Each user that is created has a UPN suffix assigned to them. The UPN suffix by default will be the DNS domain name. It is possible to have more than one UPN suffix defined. If multiple UPN suffixes are defined when the user is created, a UPN suffix can be chosen that is different from the domain. For example, if the domain is ITFreeTraining.local, another UPN suffix may be created called IFTraining.com. This allows the internal domain to be referenced via a DNS name that is not discoverable on the internet. This method also provides a friendlier DNS name for staff when they log in.
For the properties of each user, there are a number of settings that can be configured. Listed below are the settings for a user account in Active Directory organized by the tab the setting can be found on.
General Tab
This tab contains a number of fields for the user name, office location, telephone number, etc. Filling in these fields helps a user when performing searches on the network. For example, if they wanted to search for all staff in a certain office they could search based on the office field. All the fields are informational only and do not affect how the account operates.
Address Tab
The address tab has details about the physical location of the user. These include the street number, city, etc. All the fields are informational only and do not affect how the account operates.
For the rest for the description for this video, please refer to http://itfreetraining.com/70-640/creating-a-user
Account Tab
User Logon Name: This is the name that the user will use to log in, e.g., DoeJ. Next to this is the UPN suffix that is associated with the user, e.g., ITFreeTraining.local. Put together, these can be used to log in to the network, e.g. DoeJ@ITFreeTraining.local. The user can also use the NetBIOS domain name to log in rather than the UPN suffix, e.g. ITFreeTraining\DoeJ.
User Logon Name (Pre-Windows 2000): This is the user name that will be used by old clients like Windows NT and some old non-Microsoft systems. When possible you should keep this the same as the User Logon Name to prevent confusion. The pre-Windows 2000 logon name is limited to 20 characters.
Logon Hours: The Logon Hours button allows the administrator to set when the user can be authenticated on the network. By default, if the user is logged in past the hours configured here, they will not be able to open any new connections; however, any existing connections will still be able to be used.
Log On To: The Log On To button allows you to configure which computers the user can log on to. If you have configured a kiosk account, you may want to add the kiosk computers in here to prevent that user from being used on another computer.
Unlock Account: If the user has too many failed logon attempts due to incorrect passwords, the account will be locked. To enable the account again, clear this tick box.
User Must Change Password at Next Login: When this tick box is ticked, the user will be forced to change their password the next time they log in. This should not be used for a service account as this will prevent the account from working until the password has been changed.
User Cannot Change Password: This tickbox prevents the user from changing their password. This setting is usually used for shared logins, for example, a login that was used for an internet kiosk.
Password Never Expires: This tick box prevents the password from expiring as set in the domain password policy. The domain password policy will define how long a user can have the same password before it has to be changed. This option is normally used for service accounts. A service account is often used for software like Exchange. If the password on the account were to expire, this would stop the software from working.
Store Password Using Reversible Encryption: This stores a copy of the user’s password in an attribute of the user account that can be decrypted. The encryption scheme and the key used for it are widely known, so the password is easy to recover for anyone with enough access to read that attribute of the user’s account. Some old clients may require this option, but it is best not to enable it unless you have to. This option is sometimes used to migrate users from one system to another: since the password can be decrypted, the other system can use this attribute to transfer the password. Remember that the password will not be stored in this attribute until the password has been changed after this option was ticked.
Account Is Disabled: This tick box will disable the account. The account can’t be used until it is enabled again.
Smartcard Is Required for Interactive Login: This option will not allow a user to log into a computer unless a Smartcard is used.
Account Is Sensitive and Cannot Be Delegated: By default delegation is disabled in Active Directory. If it is enabled and this tick box is ticked, this user account will not be able to be used for delegation.
Use Kerberos DES Encryption Types for This Account: Enables DES encryption for the account. DES is weaker than the other Kerberos encryption types but may be required for older operating systems or non-Microsoft systems.
This Account Supports Kerberos AES 128-bit Encryption: Allows 128-bit AES encryption to be used. This requires the client and server both to support it. This does not mean that 128-bit encryption will be used; it simply means that it is available to be used if required.
This Account Supports Kerberos AES 256-bit Encryption: Same as above but for 256-bit AES encryption.
Do Not Require Kerberos Pre-authentication: This option removes the timestamp from the Kerberos ticket. It may be required for the user account to work with some non-Microsoft systems. Without the timestamp, the Kerberos ticket may be usable in a replay attack, in which captured communication is replayed again at a later date.
Account Expires: This allows you to set a date and time after which the account can no longer be used. If you have staff on short-term contracts, you may want to configure this option so they cannot use the account after their contract expires. The account expires at midnight on that day. If the user is still logged in at that time, they will still be able to use the account, but they will not be able to make any new connections.
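The Account-tab options above are stored in the userAccountControl and msDS-SupportedEncryptionTypes attributes. The following is an added example (not code from the original page) that decodes those bits from an exported user list and reports the settings the text describes as weakening security; the user records are constructed.

```python
# Added example (not from the original page): decode the Account-tab settings
# from userAccountControl / msDS-SupportedEncryptionTypes and report the ones
# the text describes as risky. SAMPLE_USERS is constructed, not a real export.
UAC = {
    "ACCOUNTDISABLE": 0x0002,               # Account is disabled
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,   # Store password using reversible encryption
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,        # Password never expires
    "SMARTCARD_REQUIRED": 0x40000,          # Smart card is required for interactive logon
    "NOT_DELEGATED": 0x100000,              # Account is sensitive and cannot be delegated
    "USE_DES_KEY_ONLY": 0x200000,           # Use Kerberos DES encryption types
    "DONT_REQ_PREAUTH": 0x400000,           # Do not require Kerberos preauthentication
    "PASSWORD_EXPIRED": 0x800000,
}
# msDS-SupportedEncryptionTypes bits; AES128 / AES256 are the two AES tick boxes.
ENC = {"DES_CBC_CRC": 0x1, "DES_CBC_MD5": 0x2, "RC4_HMAC": 0x4,
       "AES128": 0x8, "AES256": 0x10}


def decode(value, table):
    """Names of the flags set in `value`, in table order."""
    return [name for name, bit in table.items() if value & bit]


def findings(user):
    """Risky Account-tab settings for one user record."""
    uac = user["userAccountControl"]
    enc = user.get("msDS-SupportedEncryptionTypes", 0)
    out = []
    if uac & UAC["ENCRYPTED_TEXT_PWD_ALLOWED"]:
        out.append("password stored with reversible encryption")
    if uac & UAC["DONT_REQ_PREAUTH"]:
        out.append("Kerberos pre-authentication not required (replay risk)")
    # DES-only, or an explicit encryption-type list that leaves out both AES types
    if uac & UAC["USE_DES_KEY_ONLY"] or (enc and not enc & (ENC["AES128"] | ENC["AES256"])):
        out.append("no AES Kerberos encryption types")
    if uac & UAC["DONT_EXPIRE_PASSWORD"] and not uac & UAC["SMARTCARD_REQUIRED"]:
        out.append("password never expires")
    return out


def audit(users):
    """sAMAccountName -> findings, skipping disabled accounts."""
    return {u["sAMAccountName"]: findings(u) for u in users
            if not u["userAccountControl"] & UAC["ACCOUNTDISABLE"]}


SAMPLE_USERS = [   # constructed sample records
    {"sAMAccountName": "DoeJ", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": 0x18},                       # AES only
    {"sAMAccountName": "svc_exchange", "userAccountControl": 0x200 | 0x10000},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x200 | 0x80},
    {"sAMAccountName": "legacy_unix",
     "userAccountControl": 0x200 | 0x200000 | 0x400000,
     "msDS-SupportedEncryptionTypes": 0x3},                        # DES only
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x200 | 0x2 | 0x80},
]
```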
Profile Tab
Profile Path: This is the location where the user profile can be stored. This option allows the profile to become roaming, meaning the profile specified will be used when the user logs in to another system, so the user has the same experience across multiple computers. When specifying the path for the profile, %username% can be used and Windows will substitute the username for this string. Using this string allows the user account to be easily copied to another account without having to change the profile setting for each user.
Logon Script: This is the name of a script that will be run each time the user logs in. The script is stored in the NetLogon share on a Domain Controller.
Home Folder: This allows you to configure a location for the user to store their documents. The location can be a share, or you can map a drive to a share for the user.
Telephones Tab
This tab has a number of fields that can be configured for the user’s telephone numbers. These include home, pager, mobile, fax, and IP phone. There is also a notes section that can be used to put in additional information about the user. Fields on this screen are for information purposes only and do not affect how the account operates.
Organization Tab
This tab allows more information about the user’s job title, department, and company to be added. Additional details about who they report to can be added here. The information in this tab does not affect how the account operates.
Member Of Tab
This tab lists all the groups that the user is a member of. At the bottom is an option, set primary group. When the user is a member of more than one group you can set the primary group using this option. The primary group is only used with Macintosh and UNIX based systems. Generally this option is used when creating files. Macintosh and UNIX based systems will use the primary group listed here when creating files or folders.
Remote Desktop Services Profile Tab
This tab allows the administrator to set up a profile to be used when using remote desktop servers. Using a remote desktop profile like this allows the same profile to be used regardless of which remote desktop server the user connects to. If a profile location is specified in here, it will override the settings in the profile tab when the user connects to a remote desktop server.
Deny This User Permissions to Log On to Remote Desktop Session Host Server: If this option is ticked, the user is denied the ability to connect to a Remote Desktop server using Remote Desktop. If the user is an administrator and this option is ticked, it will still deny them. Windows Servers can be configured for Remote Desktop access only for server administration. When the server is in this mode, two administrators can connect to the server at once. If this is the case and this option is ticked, the user’s account will still be able to use Remote Desktop to access the server for administration reasons.
Remote Virtual Desktop Tab
This allows the administrator to assign a virtual Hyper-V computer to the user.
COM+ Tab
This is used with COM+. COM+ is an application framework provided by Microsoft. This setting allows a different COM+ partition to be configured for that user. This means different users can have different COM+ partitions, thus separating their data.
Dial-in Tab
Network Access Permission: This setting determines whether the user can dial in or use a VPN to access the network. The default option is to use a Network Policy Server (NPS). This is the preferred option because it allows centralized control and the use of groups. The other two options, allow and deny, must be set for each user and offer no centralized management.
Verify Caller-ID: When the user connects to the network using a modem, this setting can hold the telephone number of the user, allowing Windows to check which phone number that user is dialing in from.
Callback Options: These options determine whether Windows is allowed to call the user back when they connect to the network. Using callback allows the company to pay for the call charge rather than the user. By default the option is no callback. This can be changed to set by caller or always call back.
Assign Static IP Address: This allows a static IP address to be configured for that user so when they connect they will always get the same IP address.
Apply Static Routes: This option allows routes to be configured that will be added to the user’s routing table when they connect up.
Environment Tab
These settings are used when connecting to a Remote Desktop Server using Remote Desktop.
Starting Program: Allows a program to be configured to run when the user logs in, for example, a menu program that allows the user to launch other applications.
Connect Client Drives at Logon: This option will connect all the local drives on the client’s computer as mapped drives inside the Remote Desktop session.
Connect Client Printers at Logon: This will create copies of the client’s local printers in the Remote Desktop session for them to use.
Default to Main Client Printer: This will make the Remote Desktop session default printer the same as the client’s local computer.
Sessions Tab
This tab allows you to configure a number of options that will be used for the user in Remote Desktop.
End a Disconnected Session: This is how long a disconnected session on the Remote Desktop Server is kept before it is ended. Until it is ended, the user will be able to reconnect to the Remote Desktop Server and access the session.
Active Session Limit: This sets a limit on how long a session can stay open on a Remote Desktop Server. This stops a user from connecting to the server and staying logged in indefinitely.
Idle Session Limit: This setting determines how long a user’s session can stay idle.
When a Session Limit Is Reached or Connection Is Broken: This setting will determine what will happen if either of the above two options occur, that is, the session is idle for too long or the session is open too long. The session will either be disconnected or ended.
Allow Reconnection: This setting determines, once a user is disconnected, if they have to connect again from the same computer or if they are allowed to reconnect using a different computer.
Remote Control Tab
This tab refers to the remote control options used when connecting to a Remote Desktop Server.
Enable Remote Control: If ticked, allows an administrator to remote control a user’s session.
Require User’s Permission: Will determine if the user’s permission is required before remote controlling a session or not.
Published Certificates Tab
This tab will show any certificates that are associated with that user. Additional certificates can be added to the user from here as well.
Password Replication Tab
Read-only Domain Controllers have the option to cache the user’s password. This tab shows any read-only Domain Controllers that have this user’s password cached.
Attribute Editor Tab
This tab allows the administrator to manually edit any of the attributes that are associated with that user. It is recommended that you always use the tools provided by Microsoft rather than modifying the attributes directly.
Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest.
Demonstration creating a new user
To create a new user in Active Directory, open Active Directory Users and Computers from administrative tools under the start menu. To create a new user, right click users and select new user. This will launch the wizard in which you can enter in the basic details for the users. In the properties for the user, there are a lot of settings that can be configured. Details about these properties are listed above.
A lot of common administration tasks are available by right clicking the user. These include copy, add to group, disable account, reset password, move, delete, and properties.
When you copy a user, a wizard will appear asking for the settings for some of the fields that will be used with the new user. The rest of the settings will be set to the same settings as the user from which you are copying.
If you need to delete a user, it is recommended that you disable the account first. When you are sure the account is no longer required, you should delete the account then.
To show advanced options, select the view menu and then select the option advanced features.
If you need to make changes to multiple users at once, select the users and open the properties. The properties that are common to all those users will be shown.
“Logon hours and other user settings” http://technet.microsoft.com/en-us/library/bb726988.aspx
“Primary group” http://technet.microsoft.com/en-us/library/bb726986.aspx
This video looks at computer accounts in Active Directory. Each time you add a computer to the domain, a computer account is created for that computer in the Active Directory database. This video looks at how these computer accounts work and how to reset a computer account if the password in the computer account becomes out of sync with the password stored on the local computer.
A computer account in Active Directory is very similar to a user account in Active Directory. Fundamentally, a computer account and a user account are made from the same attributes. Like a user account, the computer account has a password. Unlike a user account, this password is randomly generated. This password is supplied to the domain when the computer starts up which allows a secure connection to be created between the computer and the Domain Controller. This password is automatically changed after 30 days. If the computer has not connected to the domain for more than 30 days, the computer will still be able to access the domain. The password for the computer account will be changed the next time the computer connects to the domain.
Resetting the Computer Account
Sometimes the password used on the local computer and that stored in the domain for the computer account become out of sync. When this occurs, you will receive a message, “The trust relationship between this workstation and the primary domain failed.” When this occurs, the computer will need to be re-added to the domain.
Pre-Stage Computer Accounts
A computer account is automatically created for a computer when it is added to the domain. You can also manually create the computer account in advance before the computer is added to the domain. When this is done, it is referred to as pre-stage. There are a number of reasons why you may want to pre-stage the computer account:
1) Deployment solutions like Windows Deployment Services (WDS) can be configured to use only pre-staged accounts. This stops computers from being deployed unless computer accounts have been created for them, which puts some control on images deployed using systems like WDS.
2) A pre-staged computer account ensures that the computer is put into the correct organizational unit. If you do not use a pre-staged computer account, the computer account will be created in the default location, Computers. The Computers container can’t have additional group policies applied to it, which limits how the computer can be administered. Pre-staging the computer ensures that administrators can control the computer using group policy as soon as the computer is added to the domain.
3) When a pre-staged computer account is created, permissions can be assigned on the pre-staged account. These permissions allow any user that you choose to add the computer to the domain with that computer name. Normally, in order to add a computer to the domain you would need a user that is a member of the administrators group.
To perform administration on computer accounts inside Active Directory, open Active Directory Users and Computers from administrative tools under the start menu.
If you select a computer account, you can access the properties of the computer account by right clicking and selecting properties. The properties tab contains information about the computer like what type of computer it is, for example, a “workstation or server” or a Domain Controller with or without it being configured as a global catalog server.
To create a pre-staged computer account, open Active Directory Users and Computers and navigate to the OU that you want to create the computer account in. In the new computer dialog you can also set a user account that will be allowed to add the computer to the domain.
To add a computer to the domain, open Windows Explorer and right click on computer and select properties. From the system properties, select the option change settings and then press the button change. This will allow you to remove or add the computer to a domain.
To reset the password on a computer account, right click the computer account and select reset account. The computer will need to be removed from the domain and re-added again. When you remove the computer from the domain and place it in a work group, you do not need to reboot the computer before adding it to the domain again. Once it is added to the domain, you will need to reboot the computer to complete the process.
“User and computer accounts” http://technet.microsoft.com/en-us/library/cc759279(v=ws.10).aspx
“Resetting computer accounts in Windows” http://support.microsoft.com/kb/216393
“Machine Account Password Process” http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx
“Pre-Stage Computer Account in Windows Server 2008” http://www.pctips3000.com/pre-stage-computer-account-in-windows-server-2008
Windows allows the creation of groups, which simplifies permission assignment for users. This video looks at how to use groups in Windows and also looks at the basics of role-based access control, one strategy used to simplify group administration in a domain.
Each group that is created has a security identifier (SID) associated with it. It is this SID that is added to the access control list of the resource you are controlling access to. A group can also be created without a SID, for use as a distribution list; these groups are covered in the next video.
When you place one group inside another group, it is called nesting. Nesting also allows two or more groups to be placed in the same group, which means administration can be divided between two or more administrators. Separating administration like this is often referred to as granular control, because each administrator controls only a small part of the overall membership of the group that contains the other groups.
Using nesting, you could create groups for the users in New York, Washington and London. Using nesting you could create a group called All_Users in which the groups for each location could be put in. Nesting can also be broken down further. For example you could divide New York users into two groups called NY_Sales and NY_Marketing. These two groups could be placed in NY_Users and this group placed in All_Users. If you wanted to create a group for All_Sales users, you could place all the sales groups from each location in this group. Notice using nesting like this means that a new user only needs to be put into the one group. Once in this group, membership of the other groups like the All_Users and All_Sales group through nesting is also achieved, allowing simple administration.
Role based access control
Role-based access control is a strategy of group management generally used in large enterprises, typically companies with more than 500 employees. The approach involves not adding the user or users directly to the resource. Instead, to grant access, another group is created and assigned permissions to the resource. For example, if you had a share called general you would create two groups called general_share_modify and general_share_read. These would be assigned to the general share and given the required access.
In order to give users access to a resource, groups containing users are added to the groups based on the roles in the organization. For example, if all sales users need modify access, the sales group would be added to general_share_modify. If the marketing group needed read access, the marketing group containing all the marketing users would be added to group general_share_read. If a user were to change departments, for example, from sales to marketing, the user’s account would simply be removed from the sales group and added to the marketing group. When assigning roles to a user, or removing roles, the resource never needs to be modified.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” Microsoft Press, pg 141-144
“Active Directory Users, Computers, and Groups” http://technet.microsoft.com/en-us/library/bb727067.aspx
“Role-based access control” http://en.wikipedia.org/wiki/Role-based_access_control
This video looks at the different group types available in Active Directory. These include Local, Domain Local, Global, and Universal. The video also covers membership requirements which can be used in each of the different groups and converting between different groups. Finally, this video looks at distribution vs security groups.
Any group in Active Directory can be created as either a distribution group or a security group. Distribution groups do not have a SID (Security Identifier) associated with them. For this reason distribution groups can’t be used for security; that is, a distribution group cannot be used to assign permissions to files or objects. Distribution groups are mainly used with e-mail programs like Exchange to send e-mails to groups of people. Since there is no SID associated with the group, making a user a member of a distribution group does not affect the size of the security token for that user. A security token is created when the user logs in and contains their SID and the SIDs of any security groups of which they are a member.
A security group has a SID and thus can be used for assigning permissions to files or objects. A security group can also be used as a distribution group in e-mail software like Exchange. Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not. If you are not sure which group to create, create a security group since it can do everything a distribution group can do and can also be used in security related operations.
Local Group
Local groups exist only on the computer on which they were created. A local group can have as a member any user or computer account as well as any other type of valid group.
Domain Local Group
Domain Local groups can only be used in the domain in which they were created. A Domain Local group allows membership from any other group as well as any user or computer. Domain Local groups from other domains cannot be used as members because they are limited in their use outside of the domain in which they were created. Universal groups can only be used as members when the Universal group exists in the same forest as the Domain Local group.
Global Group
Global groups have the most restrictive membership requirements, only allowing users, computers, and other Global groups from the same domain to be used as members. However, Global groups can be used as members of any other group, including in other forests and external domains. This means a Global group has the most restrictive membership requirements of all the groups but is the most flexible when being used as a member of other groups.
Universal Group
The Universal group is replicated via the global catalog server. For this reason, it is available to any domain in the forest but not to other forests or external domains. Since the Universal group is available forest wide, it does not allow Domain Local groups to be members, even when the Universal group has been created in the same domain as the Domain Local group.
Summary of Groups’ Membership
1) Users and computers can go into any group in any domain and any forest or external domain if the group supports it.
2) Local and Domain Local groups allow the same membership requirements.
3) Universal, Domain Local and Local groups have the least strict membership requirements allowing any valid group with appropriate scope to be a member.
5) Global groups can contain only users, computers and other Global groups from the same domain.
5) Global groups can be used everywhere, any domain, forest or external domain.
6) Universal groups are available only in the same forest since they are replicated using the global catalog. Since they are forest wide, Domain Local groups can’t be members since the Domain Local scope is limited to the domain in which they were created.
Converting Between Groups
At any time a group can be converted between the security and distribution types. Changing a security group to a distribution group means the group’s SID is no longer placed in members’ access tokens, so any permissions assigned using that group stop being applied. Because permissions can deny access as well as allow it, this conversion can remove a user’s access to a resource or, by disabling a deny entry, unexpectedly grant it. Changing a distribution group to a security group simply allows that group to be used with security.
A group can be changed from Global to Universal, from Universal to Global, from Domain Local to Universal and from Universal to Domain Local. Changing a Domain Local group directly to Global, or vice versa, is not supported and will fail; convert the group to Universal first and then to the other scope. A conversion succeeds only if the group’s membership, and its own membership of other groups, is valid for the new scope: a Global group cannot become Universal while it is a member of another Global group, a Domain Local group cannot become Universal while it contains another Domain Local group, and a Universal group cannot become Global while it contains other Universal groups. When changing group scope, consider what happens if the group is being used on a resource outside the domain: the change could make the group invalid in that domain, and security will no longer be applied there using that group.
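The membership and conversion rules described in the two sections above can be encoded as pure functions and checked without a domain. The following is an added example and is not code from the original page; the domain names contoso.com and fabrikam.com are constructed for illustration.

```powershell
# Added example (not from the original page): the group-scope membership rules and the
# scope-conversion path as pure PowerShell functions. Domain/forest names are constructed.

function Test-GroupMembershipAllowed {
    # Returns $true if the member may be added to a group of scope $GroupScope that lives
    # in $GroupDomain / $GroupForest. $MemberScope is only used when $MemberType is 'Group'.
    param(
        [ValidateSet('User','Computer','Group')] [string]$MemberType,
        [ValidateSet('DomainLocal','Global','Universal')] [string]$MemberScope = 'Global',
        [string]$MemberDomain, [string]$MemberForest,
        [ValidateSet('DomainLocal','Global','Universal')] [string]$GroupScope,
        [string]$GroupDomain, [string]$GroupForest
    )
    $sameDomain = ($MemberDomain -eq $GroupDomain)
    $sameForest = ($MemberForest -eq $GroupForest)

    if ($MemberType -ne 'Group') {
        switch ($GroupScope) {
            'Global'      { return $sameDomain }   # same domain only
            'Universal'   { return $sameForest }   # any domain in the forest
            'DomainLocal' { return $true }         # any trusted domain
        }
    }
    switch ($GroupScope) {
        'Global'    { return ($MemberScope -eq 'Global' -and $sameDomain) }
        'Universal' { return ($MemberScope -ne 'DomainLocal' -and $sameForest) }
        'DomainLocal' {
            switch ($MemberScope) {
                'Global'      { return $true }        # Global groups from any trusted domain
                'Universal'   { return $sameForest }  # Universal groups from the same forest
                'DomainLocal' { return $sameDomain }  # Domain Local groups from the same domain
            }
        }
    }
}

function Get-GroupScopeConversionPath {
    # Direct DomainLocal <-> Global conversion is not supported; route via Universal.
    param(
        [ValidateSet('DomainLocal','Global','Universal')] [string]$From,
        [ValidateSet('DomainLocal','Global','Universal')] [string]$To
    )
    if ($From -eq $To) { return @() }
    if ($From -eq 'Universal' -or $To -eq 'Universal') { return @($To) }
    return @('Universal', $To)
}

# Worked checks on constructed data
# False: a Domain Local group can never be a member of a Universal group
Test-GroupMembershipAllowed -MemberType Group -MemberScope DomainLocal `
    -MemberDomain 'sales.contoso.com' -MemberForest 'contoso.com' `
    -GroupScope Universal -GroupDomain 'sales.contoso.com' -GroupForest 'contoso.com'
# True: a Global group from a trusted external domain may be in a Domain Local group
Test-GroupMembershipAllowed -MemberType Group -MemberScope Global `
    -MemberDomain 'fabrikam.com' -MemberForest 'fabrikam.com' `
    -GroupScope DomainLocal -GroupDomain 'contoso.com' -GroupForest 'contoso.com'
# False: a user from another domain cannot be in a Global group
Test-GroupMembershipAllowed -MemberType User -MemberDomain 'fabrikam.com' -MemberForest 'fabrikam.com' `
    -GroupScope Global -GroupDomain 'contoso.com' -GroupForest 'contoso.com'
# Universal, Global: the two conversions needed to go from Domain Local to Global
Get-GroupScopeConversionPath -From DomainLocal -To Global
```

The functions model scope rules only; whether a real conversion succeeds also depends on the group’s current members and parents, which is why the conversion itself should be wrapped in error handling when done against a live domain.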
To create a new group in Active Directory, run “Active Directory Users and Computers”, right click the OU in which you want to create the group and select New, then Group.
To add a user, computer or another group to a group, right click the object that you want to add, select “Add to a group” and enter the name of the group.
To change a group to a different type or scope, right click the group, open its properties and on the “General” tab select the group type and scope that you want, then press OK. If the change is not allowed, Windows will display an error message.
To check the membership of a group, open the properties of the group and select the “Members” tab. You can also see which other groups have this group as a member by selecting the “Member Of” tab. This tab only shows groups from the same domain and Universal groups, since Universal group membership can be obtained from the global catalog server.
At any time a group can be renamed by right clicking it and selecting Rename. There is also a separate pre-Windows 2000 name (the sAMAccountName); where possible, keep this the same as the group name.
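The same steps can be done with the ActiveDirectory PowerShell module (RSAT) instead of the graphical console. The following is an added example, not code from the original page; the OU, group, user and computer names are assumptions, and it must run on a domain-joined host as an account delegated rights over the target OU.

```powershell
# Added example (not from the original page): create a group, add members, change its
# scope with error handling, and inspect nested membership. Names below are assumptions.
Import-Module ActiveDirectory

$ou   = 'OU=Groups,DC=contoso,DC=com'   # assumed OU
$name = 'Sales-Readers'                  # assumed group name

# "New > Group" in ADUC: a Domain Local security group
New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security -GroupScope DomainLocal -Path $ou

# "Add to a group": a user, a computer account and a Global group in one call (assumed identities)
Add-ADGroupMember -Identity $name -Members 'jsmith', 'WS01$', 'Sales-Global'

# Change scope. Domain Local -> Global has no direct path, so go via Universal; either step is
# rejected by the DC if the current membership is not valid for the new scope.
try {
    Set-ADGroup -Identity $name -GroupScope Universal
    Set-ADGroup -Identity $name -GroupScope Global
} catch {
    Write-Warning "Scope change rejected: $($_.Exception.Message)"
}

# "Members" tab, with nested groups expanded, and the "Member Of" tab
Get-ADGroupMember -Identity $name -Recursive | Select-Object objectClass, SamAccountName
Get-ADPrincipalGroupMembership -Identity $name | Select-Object Name, GroupScope

# The pre-Windows 2000 name is sAMAccountName; check it still matches the display name after a rename
Get-ADGroup -Identity $name | Select-Object Name, SamAccountName
```

Wrapping the two Set-ADGroup calls in one try block means a failure on the second step leaves the group at Universal scope; check GroupScope afterwards before assuming the conversion completed.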
“MCTS 70-640 Configuring Windows Server 2008 Active Directory”, Microsoft Press, pp. 145-152
“Active Directory Users, Computers, and Groups” http://technet.microsoft.com/en-us/library/bb727067.aspx
Default local groups exist locally on a Windows computer and are available only on that computer. This video looks at the local groups that are created by default on every Windows 7 and Windows Server 2008 installation.
Power Users 3:26
Backup Operators 5:32
Remote Desktop Users 5:53
Offer Remote Assistance Helpers 6:24
Network Configuration Operators 7:05
Performance Monitor Users 7:28
Performance Log Users 7:56
Distributed COM Users 9:17
Cryptographic Operators 09:39
Administrators
Any user added to this group has full control over that computer. By default an administrator has access to everything, for example all files and folders. Even where an administrator has been denied access to an object, they can take ownership of it and then grant themselves permissions, so a deny entry does not protect a resource from members of this group.
Users
This group is designed for the general user. It allows members to run software and change settings that relate to their own account.
Power Users
The Power Users group existed in Windows XP to give members more access than a standard user but less than an administrator. From Windows Vista onward the group is kept only for backwards compatibility: in Windows 7 it grants no access beyond that of the Users group. If you want to give this group the same permissions it had in Windows XP, you can apply a security template as explained below. This should only be done as a last resort; the change is not reversible and may not behave as expected with newer software.
To apply the security template to the Power Users group
1. Open mmc and add the “Security Configuration and Analysis” snap-in
2. Right click Security Configuration and Analysis and select Open Database
3. Enter a new database name or open an existing database
4. When prompted, open c:\windows\inf\puwk.inf. If you are not prompted, right click Security Configuration and Analysis and select Import Template
5. Right click Security Configuration and Analysis and select Configure Computer Now
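The snap-in procedure above can also be run from a command prompt with secedit, which is what the snap-in uses underneath. The following is an added example, not part of the original page; it takes the template path from the steps above and assumes an elevated prompt. Because the change is not reversible, it first exports the current local security policy, which records the policy settings (though not any file or registry ACLs the template may change) before they are overwritten.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell prompt.
$template = 'C:\Windows\inf\puwk.inf'     # path as given in the steps above
$workDir  = 'C:\Temp'                      # assumed working directory
$backup   = Join-Path $workDir ("localpolicy-before-{0}.inf" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
$db       = Join-Path $workDir 'powerusers.sdb'
$log      = Join-Path $workDir 'powerusers.log'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null
if (-not (Test-Path $template)) { throw "Template not found: $template" }

# 1. Record the current local security policy so the policy part can be compared later.
secedit /export /cfg $backup | Out-Null

# 2. Apply the template into a fresh database: the equivalent of "Configure Computer Now".
secedit /configure /db $db /cfg $template /log $log /quiet

# 3. The log lists each area configured and any errors.
Get-Content $log | Select-Object -Last 20
```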
Guests
The Guests group gives a user the ability to log in and run software. Any changes made by that user, for example changing the wallpaper, are lost when the user logs off. The Guest account is usually used for computers set up as kiosks: you want each user to be able to run software and make changes if they need to, but the next user should get the default settings, not the modified ones.
Backup Operators
This group allows members to read and write any file on the system for the purpose of backing up and restoring, regardless of the NTFS permissions on the file. It does not give them full control over files and folders; for example, they cannot change the NTFS permissions on a file. Because the backup right bypasses file permissions entirely (including on the registry hives and other system files), treat membership of this group as highly privileged.
Remote Desktop Users
A user added to this group is allowed to access the computer using Remote Desktop, assuming Remote Desktop is enabled and allowed through the firewall. Administrators do not need to be members of this group: under the same assumptions, an administrator can connect using Remote Desktop without being a member.
Offer Remote Assistance Helpers
Remote Assistance allows a user to request help from another user, who can then see the desktop and, if allowed, take control. Normally the user wanting help must create an invitation, which the helper opens. A member of this group can offer help to a user on that computer without waiting for an invitation to be created and sent. Whether or not the helper is in this group, the user on that computer can still reject any incoming Remote Assistance connection. Membership essentially means you can offer unsolicited help (help not asked for) rather than only solicited help (help that was asked for).
Network Configuration Operators
Members of this group can change network adapter settings on the computer, for example the IP configuration of an adapter, and can release and renew the DHCP lease on that adapter.
Performance Monitor Users
Members can monitor the performance of the computer using software such as Performance Monitor, including remotely if remote monitoring has been enabled and allowed through the firewall. They can use data collector sets created by another user but cannot create new ones.
Performance Log Users
This group has the same rights as Performance Monitor Users and can additionally create data collector sets.
IIS_IUSRS
This group is used by IIS. The idea is that the permissions and rights IIS requires are isolated to this group, so the access needed to run IIS can be granted by using it. Because it is a built-in local group with the same well-known SID on every computer, IIS files copied from one computer to another keep the same access on the other computer. You would normally not need to add users to this group.
Replicator
Used by the file replication service on a domain controller. You should not need to add users to this group. In Windows Vista a DFS Replication service existed that may have used this group; Windows 7 does not include that service, so this group is unused on Windows 7.
Distributed COM Users
Distributed COM (DCOM) is a Microsoft technology that allows components to be distributed across the network. Members of this group can launch, activate and use DCOM objects on the computer.
Cryptographic Operators
Members of this group can perform specialised cryptographic operations. Normal operations such as encrypting files or using a VPN do not require membership. This group is only needed in very special circumstances, so it is unlikely you will ever need to add users to it.
To access basic user settings, open the Control Panel, select User Accounts and then select User Accounts again. To change another account, select the bottom option, “Manage user accounts”, select the user and press Properties. On the “Group Membership” tab you can choose which group the user belongs to. Only one group can be selected here, so you will usually want the tools described below instead. Depending on which version of Windows and which service pack you are running, the options may differ.
To open the Local Users and Groups snap-in, type lusrmgr.msc from the Start menu. You can also reach it by opening the Control Panel, selecting User Accounts, then User Accounts again, and finally the Advanced option. From this interface you can right click a group and select “Add to Group” to add a user or group to it.
To make changes to users and groups, you can also open Computer Management from the Start menu and select Local Users and Groups under System Tools.
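For auditing rather than editing, the groups above that carry real privilege are worth enumerating regularly, since an unexpected member of Administrators or Backup Operators is a direct path to the whole machine. The following is an added example and not code from the original page. It uses the WinNT ADSI provider, which works on Windows 7 and Windows Server 2008 as well as on newer versions; the expected-member baseline at the end is an assumption to adjust per environment.

```powershell
# Added example (not from the original page): list the members of the privileged local
# groups and flag anything outside an expected baseline. Uses the WinNT ADSI provider so it
# also works on systems older than PowerShell 5.1 (which introduced Get-LocalGroupMember).

function Get-LocalGroupMembers {
    param([string]$GroupName, [string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    try { $members = $group.Invoke('Members') } catch { return }   # group absent on this OS
    foreach ($m in $members) {
        # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/name) and class
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Group  = $GroupName
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $cls                                  # User or Group
        }
    }
}

# Local groups whose membership is equivalent to, or a short step from, local administrator
$privileged = 'Administrators', 'Backup Operators', 'Remote Desktop Users',
              'Network Configuration Operators', 'Distributed COM Users',
              'Power Users', 'Cryptographic Operators'

$report = foreach ($g in $privileged) { Get-LocalGroupMembers -GroupName $g }
$report | Sort-Object Group, Member | Format-Table Group, Member, Class -AutoSize

# Assumed baseline: the local Administrator account and the domain's Domain Admins group
$expected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
$report |
    Where-Object { ('Administrators', 'Backup Operators') -contains $_.Group -and $expected -notcontains $_.Member } |
    ForEach-Object { Write-Warning ("Unexpected member of {0}: {1} ({2})" -f $_.Group, $_.Member, $_.Class) }
```

Nested domain groups show up here only as the group name; resolving who is inside them needs a domain query, which the later sections on domain groups cover.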
“Default local groups” http://technet.microsoft.com/en-us/library/cc771990.aspx
“Understanding Built-In User and Group Accounts in IIS 7” (Microsoft TechNet)
“Crypto Operators security group” (Microsoft TechNet)
“Offering Remote Assistance” http://technet.microsoft.com/en-us/library/cc505914.aspx
“List of features removed in Windows 7” http://en.wikipedia.org/wiki/List_of_features_removed_in_Windows_7
This video looks at the built-in groups that exist only on Domain Controllers and locally on Windows Server 2008. See the previous video, Default Local Groups, for the rest of the built-in groups.
Groups covered in this video
Server Operators 03:58
Account Operators 05:01
Print Operators 06:18
Terminal Server License Servers 07:25
Incoming Forest Trust Builders 07:57
Certificate Services DCom Access 09:03
Windows Authorization Access Group 09:38
Pre-Windows 2000 Compatible Access 10:25
DC Promotion Process
If you attempt to edit the local users and groups on a Domain Controller (for example with lusrmgr.msc from the Start menu), you will find that the local accounts database on that computer is disabled. The local groups of a Domain Controller are moved into Active Directory during promotion and can be found in the Builtin container. Because these groups are shared, a change to one of them affects all Domain Controllers in the domain.
Server Operators
Members of this group can log on to Domain Controllers, start and stop services on them, perform backup and restore operations, format disks, create shares, and shut down and restart Domain Controllers. The group has no default members and gives no access to servers that are not Domain Controllers. It is aimed at someone performing maintenance on Domain Controllers, so members cannot perform Active Directory administration; note that the ability to back up, restore and run services on a Domain Controller still gives effective control over the directory database on that server.
Account Operators
Members of this group can perform Active Directory administration such as creating users and groups. Although it is not required for that work, members can also log on to a Domain Controller; once logged on they can only perform Active Directory administration and cannot perform other tasks such as rebooting. Account Operators are not administrators of the domain, so for security reasons some administration is withheld from them: they cannot modify the Domain Controllers OU, change the membership of the Domain Admins or Enterprise Admins groups, or change the properties of any user that is an administrator. They can, however, create and modify most other accounts and groups, so the group should be treated as privileged.
Print Operators
Members of this group can manage printers on Domain Controllers and printer objects in Active Directory. To manage printers on a Domain Controller, members can also log on to it. Although they do not have the rights to perform day-to-day administration of the Domain Controller, members of this group can shut it down.
Terminal Server License Servers
An Active Directory user account stores information about terminal server licenses, and the Terminal Services licensing server needs to access it. To give that server only the minimum access to Active Directory required to read this information, add the computer account of the licensing server to this group.
Incoming Forest Trust Builders
To create a trust between two forests, normally an administrator on each side creates and approves the trust. A user from another forest who is placed in this group can create a one-way, incoming forest trust to this forest without an administrator here having to create or approve it.
Certificate Services DCom Access
This group exists both in the domain and on member servers. Members are allowed to connect over DCOM to certification authorities in the enterprise, for example to request certificates; users who need this access should be added to the group.
Windows Authorization Access Group
Every user account in Active Directory has a computed attribute (tokenGroupsGlobalAndUniversal) that lists the global and universal groups which would be in the user’s security token when they log in. Members of this group can read that attribute. You only need to add accounts to this group for software that requires this access, for example to evaluate a user’s group membership without logging them on.
Pre-Windows 2000 Compatible Access
Members of this group are allowed read access to all users and groups in the domain. It should only be used if you still have Windows NT computers in your domain. Check its membership: if Anonymous Logon or Everyone is a member, unauthenticated clients can enumerate the directory, so on a domain without NT-era systems remove them.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory”, Microsoft Press, pp. 177-179
“Default groups” http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
“Terminal Services Per User Client Access License Tracking and Reporting” http://technet.microsoft.com/en-us/library/cc775281(v=ws.10).aspx
“An overview of groups used by Active Directory Certificate Services” (Microsoft TechNet)
This video looks at the groups created in Active Directory that are available to all computers in the domain.
Enterprise Admins 00:46
Schema Admins 01:33
Domain Admins 02:12
Domain Users 02:58
Domain Guests 03:32
Domain Computers 04:40
Domain Controllers 05:09
Read-only Domain Controllers 05:35
Enterprise Read-Only Domain Controllers 06:13
Allowed RODC Password Replication Group 06:48
Denied RODC Password Replication Group 07:43
DHCP Administrators 09:24
DHCP Users 10:29
Group Policy Creator Owners 10:51
Cert Publishers 11:10
RAS and IAS Servers 11:30
Enterprise Admins
This is the most powerful group in Active Directory. It exists only in the forest root domain and is automatically made a member of the Domain Admins group of every domain in the forest, giving its members administrator rights in all of them. It also has additional forest-wide rights, such as changing forest-wide configuration and adding or removing domains from the forest.
Schema Admins
This is the only group that can make changes to the schema, which defines the structure of the Active Directory database. It exists only in the forest root domain. Because schema changes are forest-wide and largely irreversible, the group is normally kept empty until a change is needed.
Domain Admins
The Domain Admins group has administrator rights over all users and computers in the domain, including Domain Controllers. When a computer is joined to the domain, this group is added to the local Administrators group on that computer.
Domain Users
Members of this group can log in to workstations, run applications and change settings that relate to their own account. The group is automatically added to the local Users group of a computer when it is joined to the domain, and every user account in the domain is a member by default.
Domain Guests
This group has no rights or permissions in the domain. It is not added to the local Guests group of computers when they are joined to the domain and therefore has no rights on any computer in the domain. A user that is only a member of this group will not be able to log in to any computer in the domain unless another group grants them that right.
Domain Computers
This group contains all the computers in the domain except Domain Controllers. When you join a computer to the domain, its computer account is automatically added to this group.
Domain Controllers
This group contains the computer accounts of all writeable Domain Controllers in the domain; read-only Domain Controllers are not members. When a server is promoted to a Domain Controller, its computer account is moved from the Domain Computers group into the Domain Controllers group.
Read-only Domain Controllers
This group contains the computer accounts of all read-only Domain Controllers in the domain. It contains neither writeable Domain Controllers nor ordinary computer accounts.
Enterprise Read-Only Domain Controllers
This group exists only in the forest root domain and has no members by default. Even if you add read-only Domain Controllers to the root domain, their computer accounts are not added to this group automatically.
Allowed RODC Password Replication Group
Members of this group have their password cached on a read-only Domain Controller once they authenticate through it. Remember that password attributes are not normally replicated to a read-only Domain Controller. With a cached password, a user can still authenticate through the read-only Domain Controller during a network outage when no writeable Domain Controller is reachable.
Denied RODC Password Replication Group
Members of this group never have their password cached on a read-only Domain Controller, even if the read-only Domain Controller has been configured to cache passwords and the account is also in an allowed list: deny always overrides allow. By default the group contains the domain’s most privileged accounts and groups, such as Domain Admins, Enterprise Admins, Schema Admins and krbtgt, so that a stolen read-only Domain Controller does not expose their credentials.
DnsAdmins
Members of this group can perform basic DNS administration on the DNS servers in the domain, including starting and stopping the DNS service. If the DNS zones are stored in Active Directory, they may not be able to modify the records, as that requires additional access.
DnsUpdateProxy
Some legacy DHCP servers, such as those running Windows 2000 Server, do not have enough access to perform dynamic DNS updates on behalf of their clients. Adding the computer account of such a DHCP server to this group gives it the additional access needed to register DNS records for clients. Records registered by members of this group are not owned by any particular account and can be overwritten by any authenticated client, so the group should only contain the DHCP servers that genuinely need it.
DHCP Administrators
Members of this group can perform DHCP administration on your DHCP servers, including changing the DHCP configuration and leases. If the DHCP server creates a dynamic DNS record on a DNS server, membership of this group gives no permission over that DNS record even though the DHCP server created it. Members cannot authorize a DHCP server in Active Directory; that requires membership of Enterprise Admins or delegated rights on the NetServices container in the configuration partition.
DHCP Users
Members of this group can connect to the DHCP server and read its configuration and lease records but cannot make changes.
Group Policy Creator Owners
Members of this group can create new Group Policy Objects in the domain and modify the ones they created. The domain Administrator account is a member by default. Since a GPO linked to the right container can run code on every computer in scope, membership is effectively a privileged role.
Cert Publishers
Members of this group can publish certificates to user and computer objects in Active Directory. The certificates can be issued by an internal certification authority or purchased from an external one. The computer accounts of enterprise certification authorities are members by default.
RAS and IAS Servers
Certain remote access properties, such as dial-in and remote access policy attributes, are stored on user accounts in Active Directory. Members of this group (normally the computer accounts of RAS and IAS/NPS servers) are able to read these properties for users.
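The built-in groups from the Domain Controller section and the domain groups above together define who is privileged in a domain, and the RODC groups define whose credentials may be cached on a branch-office server. The following added example, which is not code from the original page, ties the two together: it recursively expands the privileged groups, checks that every resulting account is covered by the Denied RODC Password Replication Group, and checks whether any of them has already been revealed to a read-only Domain Controller. It requires the ActiveDirectory module and a domain-joined host; group names are the defaults, everything else is assumed.

```powershell
# Added example (not from the original page): audit privileged group membership and
# RODC password caching exposure. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$privilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
                    'Group Policy Creator Owners', 'DnsAdmins', 'Cert Publishers',
                    'Incoming Forest Trust Builders', 'DHCP Administrators'

$members = foreach ($g in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root; skip groups absent here
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Group = $g; User = $_.SamAccountName; DN = $_.DistinguishedName }
        }
}
$members | Sort-Object User, Group | Format-Table User, Group -AutoSize

# Privileged accounts must never be cached on an RODC; Denied overrides Allowed, so the
# Denied group is the one to check (nested groups are expanded so direct and indirect count).
$denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
          Select-Object -ExpandProperty DistinguishedName
$members | Where-Object { $denied -notcontains $_.DN } |
    ForEach-Object { Write-Warning ("{0} ({1}) is not in the Denied RODC Password Replication Group" -f $_.User, $_.Group) }

# Has any of them already been revealed to (cached on) an RODC?
foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                Select-Object -ExpandProperty DistinguishedName
    $members | Where-Object { $revealed -contains $_.DN } |
        ForEach-Object { Write-Warning ("{0} password has been revealed to RODC {1}" -f $_.User, $rodc.Name) }
}
```

A revealed account is one whose password hash the read-only Domain Controller already holds; if that server is compromised or lost, those accounts need a password reset regardless of what the policy says now.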
“Default groups” http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
“MCTS 70-640 Configuring Windows Server 2008 Active Directory”, Microsoft Press, p. 177
“Administering the Password Replication Policy” http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
“How to configure DNS dynamic update in Windows 2000” http://support.microsoft.com/?id=317590
“DHCP Group” http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx
This video looks at the special identities that exist in Windows. Special identities work much like groups, but unlike a group their membership cannot be modified: it is determined by how the user authenticated or by the type of connection.
Special Identities covered in this video
Anonymous Logon 01:56
Authenticated Users 02:34
The above special identities exist on all editions of Windows. The scope of a special identity is the local computer only, yet when you copy a file from one computer to another any permissions configured using special identities are retained. Windows can do this because a special identity always has the same well-known SID (security identifier) on every system; Everyone, for example, is always S-1-1-0.
Anonymous Logon
Allows access without a username and password.
When a connection is made and no username and password are given, it is classed as anonymous access. Anonymous access is generally disabled by default in Windows and has to be enabled explicitly. Remember this before granting Anonymous Logon permissions on a file or share.
Authenticated Users
This includes any user authenticated locally or by a Domain Controller, whether the account is in the current forest or in a trusted external domain or forest. Anonymous logons and the built-in Guest account are not included.
Everyone
Includes Authenticated Users and the local built-in Guest account.
Before Windows Server 2003, the Everyone special identity also included Anonymous Logon, which is why older guidance warns against granting Everyone access on shares.
Interactive
A user who is physically at the computer or connected to it using Remote Desktop.
Network
Any user who accesses the computer over a network connection.
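The fixed SIDs are what make special identities portable, and the easiest way to see which ones apply to a given logon is to inspect the groups in its access token. The following is an added example, not code from the original page; it resolves the well-known SIDs from the .NET WellKnownSidType enumeration and reports which of them appear in the current process token. It runs on any Windows host without a domain.

```powershell
# Added example (not from the original page): map the special identities above to their
# well-known SIDs and check which ones the current logon's token carries.

function Get-SpecialIdentitySid {
    param([string]$Name)
    $map = @{
        'Anonymous Logon'     = [System.Security.Principal.WellKnownSidType]::AnonymousSid
        'Authenticated Users' = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid
        'Everyone'            = [System.Security.Principal.WellKnownSidType]::WorldSid
        'Interactive'         = [System.Security.Principal.WellKnownSidType]::InteractiveSid
        'Network'             = [System.Security.Principal.WellKnownSidType]::NetworkSid
    }
    if (-not $map.ContainsKey($Name)) { throw "Unknown special identity: $Name" }
    # Well-known SIDs are not domain-relative, so no domain SID is needed
    New-Object System.Security.Principal.SecurityIdentifier($map[$Name], $null)
}

function Test-TokenHasSpecialIdentity {
    param([string]$Name)
    $sid   = Get-SpecialIdentitySid -Name $Name
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Group SIDs in the token include the special identities added at logon time
    [bool]($token.Groups | Where-Object { $_.Value -eq $sid.Value })
}

foreach ($n in 'Anonymous Logon', 'Authenticated Users', 'Everyone', 'Interactive', 'Network') {
    $sid  = Get-SpecialIdentitySid -Name $n
    $acct = $sid.Translate([System.Security.Principal.NTAccount]).Value   # same name on every machine
    '{0,-20} {1,-9} {2,-25} in current token: {3}' -f $n, $sid.Value, $acct, (Test-TokenHasSpecialIdentity -Name $n)
}
```

In a console session started at the keyboard or over Remote Desktop, Interactive is present and Network is not; run the same script through PowerShell remoting or a scheduled task and the result flips, which is exactly the distinction the two identities are meant to express in an ACL.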
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” Microsoft Press, pg 179-180
AGDLP is a role-based strategy for managing access to resources using groups. This video looks at how you can use AGDLP in your company to manage permissions on your resources. Because it is designed for larger networks, AGDLP is generally used where there are more than 500 users. It can be used in multi-domain environments but is most often used in a single domain.
Advantages of AGDLP
Because AGDLP applies permissions by role, when a user changes role in the organisation their access is changed simply by moving them between the appropriate groups. Users are placed into groups at the role level, so the administrator doing that does not need to know how permissions were applied to each resource. Finally, by looking at the members of the groups you can quickly determine who has access to which resources in your domain.
AGDLP stands for the following.
A for Accounts.
G for Global Group.
DL for Domain Local Group.
P for Permissions.
The basic way to use AGDLP is as follows:
Accounts go into Global groups; Global groups go into Domain Local groups; Domain Local groups are then granted Permissions on the resource.
The advantage of each group scope is as follows:
Global groups only accept members from their own domain. In a multi-domain environment this guarantees that only users, computers and other Global groups from that domain are members, so administration can be divided up between domains. Without Global groups you could never be sure that an administrator of one domain was only adding users from that domain.
Domain Local groups can only be used in the domain in which they were created. This helps with auditing: if the group could be used in other domains, you could never be sure it had not been applied to resources outside your domain.
AGDLP can be used in a single-forest, single-domain environment and also in multi-domain environments. It provides a framework, but administrators are free to decide how best to implement a group strategy for their business environment.
“Selecting a Resource Authorization Method” (Microsoft TechNet)
This video looks at a role-based strategy for Active Directory called AGUDLP. AGUDLP can be used in multi-domain environments to give different domain administrators distributed control while still providing access to resources at the forest level.
What AGUDLP stands for
A Accounts
G Global groups
U Universal groups
DL Domain Local groups
P Permissions
Advantages of AGUDLP
Administration can be divided up between different administrators in the forest: control can be held at the forest level or separated out at the domain or resource level.
Because AGUDLP is a role-based strategy, when a user changes role, for example through promotion or transfer, their access can be changed quickly and easily.
AGUDLP also makes auditing easy: by looking at the groups it can quickly be determined who has access to which resources.
Why each group is used
Global groups only contain users, computers and other Global groups from the same domain, which lets the administrator divide control between domains. For example, to build a sales group containing all sales users in the forest, you would first create a Global group for the sales users in each domain, making the administrators of each domain responsible for keeping their group up to date.
Universal groups can contain users, computers, Global groups and other Universal groups from any domain in the forest, so a Universal group can hold the sales Global groups from every domain. Universal groups are available forest wide and are replicated through the global catalog, so you want to keep their replication traffic as low as possible. Replication only occurs when the membership of the Universal group itself changes. Because the Universal group contains Global groups rather than users, the membership of those Global groups can change without affecting the Universal group; it only needs to be replicated when a Global group is added to or removed from it.
Domain Local Group
The Domain Local group is the one granted permissions on the resource. Domain Local groups can only be used in the domain in which they were created, so a local domain administrator can simply add the Domain Local group to the resource and configure the appropriate permissions. That administrator may have no rights to change the membership of the Universal and Global groups, and therefore no control over which users end up in the chain, but this does not affect their ability to use the group on local resources. A Domain Local group thus limits the scope of the group to its own domain while allowing resource administration to be delegated. At this level, adding or removing a Universal group from a Domain Local group is easy, which makes changing access quick and flexible.
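Both the AGDLP section and the AGUDLP section above describe the same chain, differing only in whether a Universal group sits between the Global role groups and the Domain Local resource group. The following added example, which is not code from the original page, builds the AGDLP chain for one share, grants the Domain Local group Modify permission on the folder, and then extends it to AGUDLP for a second domain. It requires the ActiveDirectory module; all domain, OU, group, user and path names are assumptions.

```powershell
# Added example (not from the original page): build an AGDLP chain, then an AGUDLP chain,
# for one resource. Requires the ActiveDirectory (RSAT) module; all names are assumptions.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=contoso,DC=com'   # assumed OU in the forest root domain contoso.com
$share = 'D:\Shares\Sales'               # assumed folder on a file server in contoso.com

# A -> G : accounts go into a role group (Global: members from this domain only)
New-ADGroup -Name 'Role-Sales' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Sales' -Members 'jsmith', 'mlee'

# G -> DL : the resource group names one level of access on one resource
New-ADGroup -Name 'ACL-Sales-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ACL-Sales-Modify' -Members 'Role-Sales'

# DL -> P : only the Domain Local group appears in the folder's ACL
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CONTOSO\ACL-Sales-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# AGUDLP: a second domain (emea.contoso.com) keeps its own Global role group; the per-domain
# Global groups go into one Universal group and that group goes into the Domain Local group.
# Only adding or removing a Global group changes the Universal group and so replicates to the GC.
New-ADGroup -Name 'Role-Sales-Forest' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Role-Sales-Forest' -Members 'Role-Sales'
$emeaSales = Get-ADGroup -Identity 'Role-Sales' -Server 'emea.contoso.com'   # assumed child domain group
Add-ADGroupMember -Identity 'Role-Sales-Forest' -Members $emeaSales
Add-ADGroupMember -Identity 'ACL-Sales-Modify' -Members 'Role-Sales-Forest'

# Auditing: who effectively has Modify on the share? Expand the whole chain from the ACL group.
Get-ADGroupMember -Identity 'ACL-Sales-Modify' -Recursive | Select-Object SamAccountName, objectClass
```

Granting the folder permission to the Domain Local group rather than to the role group is what keeps the ACL stable: roles and domains come and go by group membership changes, and the ACL on the resource never has to be touched again.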
Universal group membership is stored on Domain Controllers that are global catalog servers. If a user is a member of a Universal group and no global catalog server is available, the user cannot log on to the domain. At a small site you may not want to deploy a global catalog server because of the extra replication it causes. This video looks at how universal group membership caching lets users authenticate against a Domain Controller when no global catalog server is available.
When a user authenticates against a Domain Controller, a security token is built for the user containing all the groups they are a member of. If the user is a member of a Universal group, a global catalog server must be contacted to obtain that membership. If no global catalog server is available and universal group membership caching is not enabled, the following happens. The user can still log on locally to their computer if their credentials were cached there, for example because they were the last person to log on to it. This gives them local access, but when they attempt to connect to another computer, for example a file share on a server, that computer re-validates the user to ensure the account has not been locked out or disabled. If no global catalog server is available to the computer being connected to, the user is denied access.
How Universal Group Membership Caching works
When a user authenticates against the Domain Controller, the Domain Controller contacts a global catalog server to determine the user’s Universal group membership. Once obtained, this information is kept on the Domain Controller indefinitely. To keep the cache current, the Domain Controller refreshes it from a global catalog server every 8 hours by default.
How to enable Universal Group Membership caching (UGMC)
UGMC can only be enabled at the site level, so once enabled, every Domain Controller in that site that is not a global catalog server will start caching Universal group membership. To enable UGMC, do the following:
1) Open Active Directory Sites and Services.
2) Open the site on which you want to enable UGMC.
3) Open the properties of “NTDS Site Settings”. Do not confuse this with the “NTDS Settings” object found under each Domain Controller.
4) On the properties page, tick “Enable Universal Group Membership Caching”.
5) Optionally, select a site under “Refresh cache from”. This chooses the site from which the Domain Controller refreshes its cache. If it is not set, the Domain Controller refreshes from a global catalog server in the closest site.
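The same site setting can be applied from PowerShell, which is useful when many branch sites need it. The following is an added example and not code from the original page. The “Enable Universal Group Membership Caching” checkbox sets bit 0x20 of the options attribute on the site’s NTDS Site Settings object, and “Refresh cache from” is stored in the msDS-Preferred-GC-Site attribute of the same object; the site names are assumptions, and the script needs the ActiveDirectory module and rights on the Configuration partition.

```powershell
# Added example (not from the original page): enable UGMC on a site and set the refresh site.
# options bit 0x20 = "group caching enabled" on nTDSSiteSettings (MS-ADTS); other bits are
# KCC/topology flags and must be preserved, hence the -bor rather than an overwrite.
Import-Module ActiveDirectory

function Enable-UniversalGroupMembershipCaching {
    param(
        [Parameter(Mandatory)] [string]$SiteName,
        [string]$RefreshFromSite          # optional: site whose GC the cache is refreshed from
    )
    $sitesDn    = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $settingsDn = "CN=NTDS Site Settings,CN=$SiteName,$sitesDn"
    $settings   = Get-ADObject -Identity $settingsDn -Properties options, 'msDS-Preferred-GC-Site'

    # Caching only matters on DCs that are not themselves global catalogs
    $gcs = Get-ADDomainController -Filter "Site -eq '$SiteName'" | Where-Object { $_.IsGlobalCatalog }
    if ($gcs) { Write-Warning "Site $SiteName already has a global catalog: $($gcs.Name -join ', ')" }

    $UGMC_BIT = 0x20
    $newOptions = ([int]$settings.options) -bor $UGMC_BIT       # [int]$null is 0 when unset
    $replace = @{ options = $newOptions }
    if ($RefreshFromSite) {
        $refreshDn = "CN=$RefreshFromSite,$sitesDn"
        Get-ADObject -Identity $refreshDn | Out-Null             # throws if the site does not exist
        $replace['msDS-Preferred-GC-Site'] = $refreshDn
    }
    Set-ADObject -Identity $settingsDn -Replace $replace

    # Return the resulting state so the caller can verify the bit is set
    Get-ADObject -Identity $settingsDn -Properties options, 'msDS-Preferred-GC-Site' |
        Select-Object Name, options, 'msDS-Preferred-GC-Site',
                      @{ n = 'UGMCEnabled'; e = { ([int]$_.options -band $UGMC_BIT) -ne 0 } }
}

Enable-UniversalGroupMembershipCaching -SiteName 'Branch-Office' -RefreshFromSite 'Head-Office'
```

Reading the attribute back after the change is the reliable check; the Sites and Services console may not reflect the new value until it is refreshed.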
“MCTS 70-640 Configuring Windows Server 2008 Active Directory”, Microsoft Press, pp. 524-525
“Cache universal group memberships” http://technet.microsoft.com/en-us/library/cc775528(v=ws.10).aspx
Active Directory allows you to create contacts to hold information about third parties, such as their phone numbers and e-mail addresses. The same information could be stored on a user account, but a contact cannot be used to log on as a user can, so storing it in a contact is less of a security concern.
Security Identifier (SID)
The fundamental difference between a user account and a contact is that a contact does not have a security identifier (SID). Windows security is built on SIDs: whenever you assign permissions to objects or files, a SID is required. Since a contact has no SID, by design it cannot be used with security, and for the same reason it cannot be used to log on.
Benefits of Active Directory Contacts
Storing your organisation’s contacts in Active Directory means any user can search for this information. Because the contact data lives in the Active Directory database it is stored once and is therefore easy to update. Without a centralised system, individual users would keep multiple copies of the same data, making it hard to update when details change.
Windows 7 Contacts
Windows supports contacts that can be stored on the local Windows computer. This was first introduced in Windows Vista. The contact data is stored in an XML file, which means that it can also be used by non-Microsoft software. Windows 7 does not come with any software that uses contacts; contacts in Windows 7 are there for backward compatibility only. The main use of contacts in Windows Vista would most likely have been Windows Mail, which is no longer included in Windows 7. Microsoft offers free e-mail software called Windows Live Mail that can be downloaded from the Microsoft web site. This software does not support contacts, but any existing contacts can be imported.
Creating a contact in Active Directory
To create a contact, open Active Directory Users and Computers.
Right click where you want to create the contact and select new contact.
Complete the wizard in order to create the contact.
To configure additional options and properties for the contact, right click the contact and open the properties.
Even though contacts cannot be used with security, a contact can still be a member of a group. Software like Exchange can make use of these contacts.
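As an added example (not code from the ITFreeTraining page), the contact creation steps above done with the Active Directory module, followed by a check that shows the security-relevant point of this section: the contact has no objectSid, while a user does. It assumes an OU named OU=Contacts,DC=ITFreeTraining,DC=local, a group named Sales-External and an existing user jdoe.

```powershell
# Added example: create a contact, show it has no SID, and add it to a group.
# Assumed: OU "OU=Contacts,DC=ITFreeTraining,DC=local", group "Sales-External",
# existing user "jdoe" to compare against.
Import-Module ActiveDirectory

function New-ExternalContact {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Mail,
        [string]$Phone,
        [string]$Path = 'OU=Contacts,DC=ITFreeTraining,DC=local'
    )
    $attrs = @{ mail = $Mail; displayName = $Name }
    if ($Phone) { $attrs['telephoneNumber'] = $Phone }
    # -Type contact creates an object of class "contact", which the schema gives no objectSid
    New-ADObject -Name $Name -Type contact -Path $Path -OtherAttributes $attrs -PassThru
}

function Test-HasSid {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties objectSid
    # objectSid is absent on contacts but present on users, groups and computers
    $null -ne $obj.objectSid
}

$contact = New-ExternalContact -Name 'Jane Vendor' -Mail 'jane.vendor@example.com' -Phone '+1 555 0100'

# False: without a SID the contact can be neither granted permissions nor used to log in
Test-HasSid -DistinguishedName $contact.DistinguishedName
# True: a user account carries a SID
Test-HasSid -DistinguishedName (Get-ADUser -Identity 'jdoe').DistinguishedName

# A contact can still sit in a group (Exchange uses this for distribution lists).
# Add-ADGroupMember takes security principals, so the member attribute is edited directly.
Set-ADGroup -Identity 'Sales-External' -Add @{ member = $contact.DistinguishedName }
```

The objectSid check is the practical test for "can this object appear in an ACL": anything without one cannot be the subject of a permission entry.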
“Windows 7 Inside Out” Microsoft Press, pg 276
“Windows Contacts” http://en.wikipedia.org/wiki/Windows_Contacts
“Is Windows Contacts integrated with Windows Live Mail in Windows 7?” http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/is-windows-contacts-integrated-with-windows-live/640d77c1-5dd3-4a59-888c-07556ee695a5
“Looking for Windows Mail?” http://windows.microsoft.com/en-us/windows7/looking-for-windows-mail
Protected Admin is essentially a term used to describe the administrator account being protected using User Account Control. This video looks at how User Account Control is used in Windows Server to protect the administrator’s account.
User Account Control
User Account Control was first added in Windows Vista and Windows Server 2008. It addresses a practice that was common in Windows XP, where a user would create an administrator account and use it for day to day activity. On most computer systems, the extra rights that an administrator account provides are only needed for a small amount of time. For example, installing software on the computer requires administrator access, but running the software afterwards is unlikely to. User Account Control essentially divides the administrator account into two, a user part and an administrator part. For normal activity the user part of the administrator account is used. When administrator access is required, the administrator part of the account is used.
To force an application to run with administrator rights, right click the application and select the option “run as administrator”.
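An added example (not from the ITFreeTraining page) that shows the two parts of the account from inside a PowerShell session: it tests whether the current session holds the administrator part of the token, lists how the Administrators group appears in the filtered token, and re-launches a script elevated, which is the programmatic form of “Run as administrator”. The script path C:\Admin\Install-Tool.ps1 is an assumed placeholder.

```powershell
# Added example: check which part of the administrator's split token this session holds,
# and re-launch elevated when the administrator part is needed.
# Assumed: a script at C:\Admin\Install-Tool.ps1 that genuinely needs administrator rights.

function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # True only when running with the full (administrator) token
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Show-AdminGroupState {
    # With the filtered token, the Administrators group is still listed but marked
    # "Group used for deny only": membership is present, its rights are not.
    whoami /groups | Select-String -Pattern 'BUILTIN\\Administrators'
}

function Invoke-Elevated {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # The RunAs verb raises the UAC prompt, the same as "Run as administrator" in the menu
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList @('-NoProfile', '-File', $ScriptPath)
}

if (Test-IsElevated) {
    'Administrator part of the token is active'
} else {
    'Running with the standard user part of the token'
    Show-AdminGroupState
    Invoke-Elevated -ScriptPath 'C:\Admin\Install-Tool.ps1'
}
```

Keeping the elevated step in a separate, short-lived process is the habit UAC is meant to encourage: the day to day session stays with the user part of the token.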
“User Account Control” http://en.wikipedia.org/wiki/User_Account_Control
A service account is a user account that is created to isolate a service or application. This video looks at how to create and use service accounts in your organization.
What is a service account
A service account is a user account that has been created to run a particular piece of software or service.
Principle of least privilege
The principle of least privilege is giving the user only the minimum required amount of access. For example, if a user only requires access to certain files, then they should only have access to those files. If the user only requires access to certain servers or workstations, they should only have access to those. The advantage of this is that it minimises the amount of damage that can be done if the user account were to become compromised. When used with service accounts, one service account should be created for each service or application. If the same service account is shared between services and applications, and this service account were to stop working (for example because the account became locked), all software using this service account would be affected.
Using the same user account for multiple services
Some administrators will choose to run multiple services and applications using the same user account. To ensure that there are no problems running their software, some administrators will use a user account that has Domain Administrator access. If you use the same user account for multiple pieces of software and the account fails for any reason, all the software using that service account is affected. Also, if the account were to become compromised, it could be used to access resources on the network; the more access the service account has, the more potential damage it could do. Anyone who gains control of the account could also stop every application and service that uses it simply by changing the account's password.
Service Account Lockout
When the password for a service account is changed, the password must be updated in every location that uses the service account. A user account can become locked after too many wrong password attempts, so if the service account is used in multiple locations and the password is not updated in all of them, the locations still using the old password will generate failed logons. Since Windows Server 2003 with Service Pack 1, Active Directory checks a failed attempt against the last two passwords used; if there is a match, the attempt does not count towards locking the service account.
Service account expires
It should be noted that if a service account's password expires, the account cannot be used until its password has been changed.
The following procedure can be used to create a service account.
Run Active Directory Users and Computers.
Right click the OU where you want the user to be created.
When prompted, ensure “User must change password at next logon” is not ticked. Leaving it ticked would prevent the service account from being used until the password has been changed.
To prevent the password for the service account from expiring, tick the check box “Password never expires”. To maintain high security when ticking this option, the password for the account should still be changed at regular intervals.
For additional security, you can create a domain group and place the service account in that group. Once the service account has been added to this group, you can remove all of its other group memberships. This ensures the service account has no permissions, not even Domain Users permissions, unless they are explicitly allocated to it.
To give the service account access on a particular server, type lusrmgr.msc in the start menu to open Local Users and Groups. Add the service account to the local groups as required.
To change the password that is being used by a service, open Services from the start menu. Open the properties for the service you want to change the password for and change the password on the Log On tab.
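The procedure above, carried out with the Active Directory module, as an added example that is not part of the ITFreeTraining page. It handles the step the text glosses over: Domain Users is the account's primary group, and a user cannot be removed from its primary group, so the dedicated group has to be made primary first. The OU OU=Service Accounts,DC=ITFreeTraining,DC=local, the account svc-backup, the group SVC-Backup and the service BackupSvc are assumed names.

```powershell
# Added example: create a least-privilege service account, give it its own group,
# and remove the default Domain Users membership.
# Assumed: OU "OU=Service Accounts,DC=ITFreeTraining,DC=local", account "svc-backup",
# group "SVC-Backup", domain "ITFreeTraining.local", service "BackupSvc".
Import-Module ActiveDirectory

function New-LeastPrivilegeServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$DnsDomain
    )
    $userParams = @{
        Name                  = $Name
        SamAccountName        = $Name
        UserPrincipalName     = "$Name@$DnsDomain"
        Path                  = $Path
        AccountPassword       = $Password
        Enabled               = $true
        ChangePasswordAtLogon = $false   # a service cannot answer a "change password" prompt
        PasswordNeverExpires  = $true    # avoids an outage on expiry; rotate on a schedule instead
        Description           = "Service account; member of $GroupName only"
        PassThru              = $true
    }
    $user = New-ADUser @userParams

    # A dedicated global security group (a primary group must be a global group)
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    Add-ADGroupMember -Identity $group -Members $user

    # Domain Users is the primary group, and a user cannot be removed from its primary group,
    # so make the new group primary first. primaryGroupID holds the group's RID,
    # which is the last component of the group's SID.
    $rid = [int](($group.SID.Value -split '-')[-1])
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

    # Resulting memberships: only the dedicated group should remain
    Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
}

$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for svc-backup'
New-LeastPrivilegeServiceAccount -Name 'svc-backup' -GroupName 'SVC-Backup' `
    -Path 'OU=Service Accounts,DC=ITFreeTraining,DC=local' `
    -Password $initialPassword -DnsDomain 'ITFreeTraining.local'

# On the server that runs the service, point it at the account (same as the Log On tab).
# sc.exe takes the password in clear text, so run this interactively rather than from a saved script:
# sc.exe config BackupSvc obj= "ITFREETRAINING\svc-backup" password= "<password>"
```

After this the account holds nothing beyond what is granted to SVC-Backup, which is the state the principle of least privilege asks for; rights on the server itself (for example “Log on as a service”) are then granted to that group, not to the account.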
A service account is a user account that is created to run a particular service or software. To prevent an outage of the service if the password expires, you can configure the user account password not to expire. This will also mean that the administrator will need to remember to change the password at regular intervals to ensure good security. In line with the principle of least privilege, a service account should be given the minimum amount of rights it needs to operate.
“Create a Service Account” http://technet.microsoft.com/en-us-library/cc739458(v=ws.10).aspx
“principle of least privilege” http://en.wikipedia.org/wiki/Principle_of_least_privilege
“managed service accounts” http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx
“Account Lockout and Password Concepts” http://technet.microsoft.com/en-us/library/cc780271(v=ws.10).aspx
“Securing Critical and Service Accounts” http://technet.microsoft.com/en-us/library/cc875826
This video looks at some of the new features in Windows Server 2008 R2 and Windows 7 that can automate the management of service accounts. If your application supports it, using managed service accounts means that the password of the service account is automatically changed periodically without any interaction from the administrator.
What is a service account
A service account is a user account that is created to run a particular service or software. In order to have good security, a service account should be created for each service or application on your network. On large networks this means a lot of service accounts, and managing them can become difficult; this is where Managed Service Accounts can help.
A computer account is like a user account in that it has a password. The difference is that the password for a computer account is automatically updated by Windows with no interaction from the user. Managed Service Accounts use the same process to manage their password.
Refer here for information about computer accounts http://itfreetraining.com/70-640/computer-accounts
Managed Service Accounts Passwords
The password associated with a Managed Service Account (MSA) is automatically changed every 30 days. It is a random string of 120 characters, so it offers better security than a standard password even when the standard password mixes upper and lower case letters with non-alphanumeric characters; an administrator could of course choose their own 120-character password, but that is difficult to work with. Like a computer account, a Managed Service Account is bound to one computer and thus cannot be used on a computer it was not set up for. This provides additional security.
In order to start using Managed Service Accounts you need to meet a few requirements.
Domain Functional Level: This needs to be Windows Server 2008 R2 or above.
Forest Functional Level: Does not require any particular forest level.
Schema changes: The schema needs to be up to date. Run ADPrep /ForestPrep from a Windows Server 2008 R2 or later DVD to update the schema to the latest version.
Client: The Managed Service Account can only be used on Windows Server 2008 R2 or Windows 7.
Software components: .NET Framework 3.5 and the Active Directory module for Windows PowerShell are required for Managed Service Accounts.
Not all software will work with a Managed Service Account. Managed Service Accounts do not allow the software to interact with the desktop, so a Managed Service Account cannot be used to log in and cannot be used to display GUI windows. Listed below is common software and whether it can use a Managed Service Account.
Exchange: Yes, but the Managed Service Account cannot be used for sending e-mail.
IIS: Yes, can be used with application pools.
SQL Server: Some people have got Managed Service Accounts to work with SQL Server, but Microsoft does not support it.
Task Scheduler: No
AD LDS: Yes, Active Directory Lightweight Directory Services works with a Managed Service Account; however, a special procedure needs to be followed to get it to work.
To install the required software components, open Server Manager and select Add Features. Ensure the following are installed:
.Net Framework 3.5.1 Features
Active Directory module for Windows PowerShell found under Remote Server Administration Tools, Role Administration Tools, AD DS and AD LDS Tools
To create the Managed Service Account do the following
New-ADServiceAccount -Name <Name of service account> -Enabled $true
Add-ADComputerServiceAccount -Identity <Computer Name> -ServiceAccount <Service Account name>
On the client run the following
Install-ADServiceAccount -Identity <Service Account Name>
Configure Managed Service Account in IIS
Open IIS Manager
Expand down to Application Pools
Right click the pool you want and advanced settings
Select the property Identity
Enter the username for the Managed Service Account, making sure it ends with a $
Leave the password blank. This will be managed by Windows and is not required.
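The whole Managed Service Account procedure from this section (feature install, account creation and binding, installation on the host, and the IIS application pool configuration) in one runnable sequence, as an added example that is not the page's own code. Account name msaWebApp, host WEB01, application pool WebAppPool and the NetBIOS domain name ITFREETRAINING are assumed; the pool settings use the WebAdministration module's IIS: drive rather than the IIS Manager dialog, and the note about Windows Server 2012 reflects that later versions create group MSAs by default.

```powershell
# Added example: the Managed Service Account procedure above, end to end.
# Assumed names: account "msaWebApp" (sAMAccountName msaWebApp$), web server "WEB01",
# IIS application pool "WebAppPool", domain NetBIOS name "ITFREETRAINING".

# --- Windows Server 2008 R2: install the prerequisites listed above ---
Import-Module ServerManager
Add-WindowsFeature NET-Framework-Core, RSAT-AD-PowerShell

Import-Module ActiveDirectory
$msaName  = 'msaWebApp'
$hostName = 'WEB01'
$poolName = 'WebAppPool'
$netbios  = 'ITFREETRAINING'

# --- on a Domain Controller or management host ---
# Windows Server 2012 and later create group MSAs by default; add -RestrictToSingleComputer
# there to get the one-computer account this section describes.
New-ADServiceAccount -Name $msaName -Enabled $true
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- on WEB01 itself ---
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$hostName cannot retrieve the password for $msaName; check the computer binding above"
}

# Application pool identity: SpecificUser (3) with the MSA name and an empty password,
# the same three settings as the Identity dialog in IIS Manager
Import-Module WebAdministration
$pool = "IIS:\AppPools\$poolName"
Set-ItemProperty -Path $pool -Name processModel.identityType -Value 3
Set-ItemProperty -Path $pool -Name processModel.userName -Value "$netbios\$msaName`$"
Set-ItemProperty -Path $pool -Name processModel.password -Value ''
Restart-WebAppPool -Name $poolName

# Check: which computers may use the account, and when its password was last rotated
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet
```

The Test-ADServiceAccount call is the useful diagnostic: it fails on any computer that has not been bound with Add-ADComputerServiceAccount, which is the one-computer restriction described earlier doing its job.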
“Service accounts step-by-step guide” http://technet.microsoft.com/en-us/library/dd548356.aspx
“Managed Service Accounts Frequently Asked Questions (FAQ)” http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx
Normally a Domain Controller needs to be available in order to add a computer to the domain. With Windows 7 and Windows Server 2008 R2 comes a new tool called Offline Domain Join. This allows a computer to be added to the domain without a Domain Controller being available. This video looks at different ways Offline Domain Join can be used.
In the simplest case, Offline Domain Join can be used to join a computer to a domain without a Domain Controller being available, for example when a new site is being set up and the networking at the new site has not been installed yet.
No networking installed
Offline Domain Join can also be used to join a computer to a domain when the computer does not have networking installed yet. In some cases a reboot may be required before networking is working; this is often the case with virtual computers. With Offline Domain Join you can join the computer to the domain before any network drivers are installed on it.
Offline Domain Join can also be used with an unattend.txt file. An unattend.txt file is used with automated installs of Windows; it contains the answers to the setup questions as well as any other required customizations. Using Offline Domain Join in this way means you could script the complete install of Windows 7, including having the computer added to the domain.
Limited network connectivity
In some cases the network between two locations may only be available at certain times. For example, in a secure environment replication between the main network and the secure network may happen rarely. If the secure network has a writeable Domain Controller then a computer can be added to the Domain at any time. If the secure network only has a read only Domain Controller, a computer cannot be added to the domain unless a writeable Domain Controller is contactable. Using Offline Domain Join, the computer can be added to the Active Directory database ahead of time and replicated to the secure network. Since the read only Domain Controller contains data for the new computer, the computer will be able to be added to the domain using Offline Domain Join even though a writeable Domain Controller is not available.
Add a computer to the domain without a username and password
Offline Domain Join can also be used to add a computer to the domain without the use of a username and password. All that is needed is the file that Offline Domain Join generates. This file is considered to contain sensitive information, so it should only be given to people who are trusted.
Offline Domain Join can only be used to join computers running Windows 7 or Windows Server 2008 R2. It will attempt to contact a Windows Server 2008 R2 Domain Controller; however, it can also use Domain Controllers older than Windows Server 2008 R2. If there is a problem using a pre-Windows Server 2008 R2 Domain Controller, the parameter /DownLevel can be added to force the use of an earlier Domain Controller. In order to use Offline Domain Join, the forest and domain functional levels do not need to be raised.
The first step is to create the computer account in Active Directory that will be used later. This is done with the following command.
DJoin /Provision /Domain <Domain> /Machine <ComputerName> /SaveFile <FileName>
This can be run on any Windows Server 2008 R2 or Windows 7 computer that has access to a writeable Domain Controller. The output file that is generated will need to be transferred to the computer that is to be added to the domain.
The following command needs to be run on the computer that you want to add to the domain.
DJoin /RequestODJ /LoadFile <FileName> /WindowsPath <WindowsPath>
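Both halves of the Offline Domain Join exchange wrapped in PowerShell, as an added example that is not from the ITFreeTraining page. It adds what a practitioner would want around the two commands above: the provisioning blob is locked down to the creating user as soon as it is written (the page notes it is sensitive), the /machineou option places the account in a chosen OU, /localos is passed because the join targets the running operating system rather than an offline image, and the blob is deleted once consumed. Domain ITFreeTraining.local, machine PC1 and the OU are assumed values.

```powershell
# Added example: provisioning and joining sides of Offline Domain Join.
# Assumed: domain "ITFreeTraining.local", machine "PC1", OU "OU=Workstations,DC=ITFreeTraining,DC=local".

# --- Provisioning side: any Windows 7 / Server 2008 R2 host that can reach a writeable DC ---
function New-OdjBlob {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Machine,
        [Parameter(Mandatory)][string]$Path,
        [string]$MachineOU,
        [switch]$DownLevel            # force a pre-2008 R2 Domain Controller, as described above
    )
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $Path)
    if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }
    if ($DownLevel) { $djoinArgs += '/downlevel' }

    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob is as sensitive as a machine password: strip inherited ACEs and grant only the
    # current user read access until it has been handed over.
    icacls $Path /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
    $Path
}

# --- Joining side: run on the new computer as a local administrator ---
function Join-FromOdjBlob {
    param([Parameter(Mandatory)][string]$Path)
    # /localos: apply to the running OS (omit it only when servicing an offline image)
    & djoin.exe /requestodj /loadfile $Path /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
    # The join completes at the next reboot; the blob is not needed again
    Remove-Item -Path $Path -Force
}

$blob = New-OdjBlob -Domain 'ITFreeTraining.local' -Machine 'PC1' `
    -Path (Join-Path $env:TEMP 'PC1.odj') `
    -MachineOU 'OU=Workstations,DC=ITFreeTraining,DC=local'
"Provisioning file written: $blob"

# Copy the file to PC1 (out of band), then on PC1:
# Join-FromOdjBlob -Path 'C:\setup\PC1.odj'
# Restart-Computer
```

Removing the blob after the join is the counterpart of the page's warning that the file is sensitive: a copy left on the workstation could be replayed to re-create that computer account's identity.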
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition” pg 217-221
“Offline Domain Join (Djoin.exe) Step-by-Step Guide” http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx
Organizational Units (OUs) allow you to divide objects in Active Directory into different locations, the same way that you would organize files into folders on your hard disk. Since OUs cannot be used directly in security, a shadow group can be created containing the objects inside that OU, and this shadow group can be used in security. This video looks at how to create OUs and use shadow groups.
Like the folders on your hard disk, Organizational Units allow Active Directory objects to be organized into separate folders. Most administrators will create an OU hierarchy that matches their company layout. A common layout is geographical, then department, then computers. Group Policy is applied to Organizational Units, so placing users and computers into separate OUs can be beneficial when using Group Policy.
A shadow group is a regular Active Directory group that contains the objects under an Organizational Unit. Since a shadow group is a regular group, it can be used for security; for example, it can be used to assign NTFS permissions on a folder. A shadow group effectively bridges the gap created by not being able to use an OU with security. A shadow group needs to be updated manually or by a script; there is no automated method in Windows to do this.
An example script to keep shadow groups up to date can be found in Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
Non-Microsoft version
When you promote your first Domain Controller and thus create your Active Directory environment, a number of default OUs are created automatically. These default OUs cannot be deleted. Also, these OUs cannot have Group Policy applied to them, except for the Domain Controllers OU, which can have Group Policy applied to it.
Builtin: When a server is promoted to a Domain Controller, its local user database is no longer accessible. To make up for this, the accounts that exist in Builtin are shared between all Domain Controllers.
Users: This is the default location for user accounts when no location is given. In most cases, when creating a new user the administrator will decide which OU the user account is created in.
Computers: This is the default location for computer accounts. When a computer is added to the domain, its computer account is placed in this OU. Since Group Policy cannot be applied to this OU, an administrator will normally move computer accounts out of the Computers OU to another OU.
Domain Controllers: This OU contains all the computer accounts for the Domain Controllers in your domain. Unlike the other default OUs, Group Policy can be applied to this OU. By default, the Default Domain Controllers Group Policy is applied to it.
Administration of your OUs can be done using the Active Directory Users and Computers tool.
To create an OU, right click where you want it created, select New and then select Organizational Unit.
When creating the Organizational Unit, you have the option to protect the container from accidental deletion.
In the properties of the OU there are many settings that can be configured. In many cases the information is informational only, but it does help.
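An added example (not code from the ITFreeTraining page or the book it cites) covering two points from this section: creating an OU with the accidental-deletion protection mentioned in the wizard, and the script-based shadow group maintenance the text says Windows does not automate. The parent OU OU=New York,DC=ITFreeTraining,DC=local, the new OU Sales and the group Shadow-NewYork-Sales are assumed names.

```powershell
# Added example: create a protected OU and keep a shadow group in step with its contents.
# Assumed: parent OU "OU=New York,DC=ITFreeTraining,DC=local", new OU "Sales",
# shadow group "Shadow-NewYork-Sales".
Import-Module ActiveDirectory

function New-ProtectedOu {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$ParentDN)
    # Same as the "Protect container from accidental deletion" tick box in the wizard
    New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true -PassThru
}

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$IncludeChildOus     # search the whole subtree instead of one level
    )
    $scope = if ($IncludeChildOus) { 'Subtree' } else { 'OneLevel' }
    $group = Get-ADGroup -Identity $GroupName

    # Desired state: every user under the OU. Current state: the group's direct members.
    $wanted  = @(Get-ADUser -Filter * -SearchBase $OuDN -SearchScope $scope |
                 Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $group |
                 Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })   # new in the OU
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })   # moved out of the OU

    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Group = $group.Name; Added = $toAdd.Count; Removed = $toRemove.Count }
}

$parent = 'OU=New York,DC=ITFreeTraining,DC=local'
$ou     = New-ProtectedOu -Name 'Sales' -ParentDN $parent
New-ADGroup -Name 'Shadow-NewYork-Sales' -GroupScope Global -GroupCategory Security `
    -Path $ou.DistinguishedName

# Run on a schedule (for example a scheduled task) so that moves into or out of the OU
# are reflected wherever the group has been granted permissions.
Sync-ShadowGroup -OuDN $ou.DistinguishedName -GroupName 'Shadow-NewYork-Sales'
```

The removal step matters as much as the addition: a user moved out of the OU keeps the group's NTFS permissions until the shadow group is re-synchronised, which is the window this kind of script exists to close.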
What is an Organizational unit?
An organizational unit is effectively a container for storing Active Directory objects.
What is the difference between an OU and a group?
An OU is essentially used for Group Policy and delegation besides providing an infrastructure to sort and organize objects in Active Directory. Since an Active Directory object can only exist in one location at one time, OU’s are limited to what they can achieve.
A group contains objects from anywhere in the domain. The main difference is that a group can contain an object that is also used in another group. For example, a user who travels between the New York and Washington offices could not be a member of multiple OUs, but could be a member of two groups called New_York_Users and Washington_Users. With this extra flexibility, groups can be applied to resources such as NTFS permissions, which OUs cannot.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 11 46-48
“Organizational Units“ http://technet.microsoft.com/en-us/library/cc978003.aspx
“Organizational Unit“ http://en.wikipedia.org/wiki/Organizational_Unit
Delegation of control allows a user to have permission to perform administration actions on a selection of users. This video looks at how to achieve this using delegation of control wizard and what the wizard changes in order to provide this access.
Delegation of control
Although there are almost endless options in the Delegation wizard, the ones administrators use most commonly are to do with users and groups. Used correctly, you could give a user permission to perform user administration on a particular OU rather than giving them access to administer all users in the domain.
To use the delegation wizard, first open Active Directory Users and Computers.
Right click the OU you want to perform delegation on and select the option Delegate Control.
In the wizard, select the users to whom administration is to be delegated. It is recommended to create a group for this: if you later want to add or remove users, it is a simple matter of changing the members of the group.
When prompted by the wizard, choose which tasks you want to delegate to that user or group.
If you open the properties for the OU and select the security tab, you can see the permissions that have been assigned to the OU.
The delegation wizard effectively changes the permissions on the OU. The administrator could have changed the permissions on the OU manually. To reverse the changes made by the wizard, modify the permissions on the OU and remove any permissions the delegation wizard assigned.
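Because the wizard's only footprint is the set of ACEs it writes on the OU, the practical check is to read those ACEs back, and the reversal is to remove them. The following added example (not code from the ITFreeTraining page) does both with the AD: drive that the Active Directory module provides. The OU OU=New York,DC=ITFreeTraining,DC=local and the delegate group ITFREETRAINING\HelpDesk-NY are assumed names.

```powershell
# Added example: inspect and, if needed, undo what the Delegation of Control wizard put on an OU.
# Assumed: OU "OU=New York,DC=ITFreeTraining,DC=local", delegate group "ITFREETRAINING\HelpDesk-NY".
Import-Module ActiveDirectory      # provides the AD: drive used by Get-Acl / Set-Acl

function Get-DelegatedAce {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -Path "AD:\$OuDN"
    # The wizard writes explicit (non-inherited) ACEs for the chosen account.
    # ObjectType / InheritedObjectType are schema GUIDs naming the attribute or class the ACE covers.
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

function Remove-DelegatedAce {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $targets = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited })
    $removed = 0
    foreach ($ace in $targets) {
        if ($acl.RemoveAccessRule($ace)) { $removed++ }
    }
    # Write the modified descriptor back only if something actually changed
    if ($removed -gt 0) { Set-Acl -Path "AD:\$OuDN" -AclObject $acl }
    $removed
}

$ou = 'OU=New York,DC=ITFreeTraining,DC=local'
Get-DelegatedAce -OuDN $ou -Account 'ITFREETRAINING\HelpDesk-NY' | Format-Table -AutoSize

# Reverse the delegation once its entries have been reviewed:
# Remove-DelegatedAce -OuDN $ou -Account 'ITFREETRAINING\HelpDesk-NY'
```

Running Get-DelegatedAce periodically over the OUs you care about is a cheap way to spot delegation that was never meant to be permanent, since nothing in the wizard records who granted it or when.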
This video looks at five Active Directory command line tools that can be used in scripts to speed up administration in your domain. Using these command line tools, the administrator can add, modify, delete and retrieve information about any object in Active Directory.
This video will look at all the command line tools shown above. Even though each command line tool performs a different function, you will start to see that the parameters used in the different tools are similar.
A lot of the commands ask for a parameter called the distinguished name. The distinguished name uniquely identifies an object in Active Directory, the same way a full filename and path identify a file on a hard disk. The distinguished name identifies the Active Directory object using the following components:
CN: Common Name
OU: Organizational Unit Name
DC: Domain Component
An example of a distinguished name is as follows
The DSAdd command allows objects to be created in Active Directory. The object types supported by the command are computer, contact, group, OU, user and quota.
dsadd user "cn=Smith,cn=users,dc=ITFreeTraining,dc=local" -fn John -ln Smith -pwd P@ssw0rd -mustchpwd yes
dsadd computer "cn=pc1,cn=computers,dc=ITFreeTraining,dc=local"
dsadd group "cn=GSales,ou=Users,ou=New York,dc=ITFreeTraining,dc=local" -scope g
The DSGet command gets information about an object in Active Directory. The command requires the type of object to be given, which can be computer, contact, group, OU, server, user, subnet, site, quota or partition, followed by the distinguished name of the object. After this you indicate which information you want to retrieve; for example, to retrieve the description of the object you would add -desc.
dsget user "cn=John Doe,ou=Users,ou=New York,dc=ITFreeTraining,dc=local" -fn -ln -email
DSMod allows individual attributes of Active Directory objects to be modified. The command supports the following object types: computer, contact, group, OU, server, user, quota and partition.
dsmod user "cn=Smith,cn=users,dc=ITFreeTraining,dc=local" -pwd P@ssw0rd2 -mustchpwd yes
The DSRm command deletes an object in Active Directory. Unlike the other commands, the type of object does not need to be given on the command line. The command supports additional parameters; for example, -noprompt removes the prompt asking you to confirm before the object is deleted.
dsrm "OU=Testing,dc=ITFreeTraining,dc=local" -subtree -c
The DSQuery command queries the Active Directory database for objects. It supports the following object types: computer, contact, group, ou, site, server, user, quota, partition, and also LDAP queries with the * type.
dsquery ou "DC=ITFreeTraining,DC=local"
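The point of these tools is that they chain: dsquery emits distinguished names, one per line, and dsget and dsmod read that list on standard input. The following added example (not from the ITFreeTraining page) uses that to find user accounts with no logon for a number of weeks and disable them, which is the "disable rather than delete" practice from earlier in this page. The search base DC=ITFreeTraining,DC=local is assumed.

```powershell
# Added example: DS tools chained from PowerShell to find and disable inactive user accounts.
# Assumed: domain "DC=ITFreeTraining,DC=local"; dsquery, dsget and dsmod are on the path.

function Get-InactiveUserDn {
    param([int]$Weeks = 12, [string]$StartNode = 'DC=ITFreeTraining,DC=local')
    # -inactive N: no logon for at least N weeks; -limit 0: lift the default 100-result cap.
    # Output is one quoted DN per line, which the other DS tools accept on standard input.
    dsquery user $StartNode -inactive $Weeks -limit 0
}

function Show-InactiveUsers {
    param([int]$Weeks = 12)
    $dns = @(Get-InactiveUserDn -Weeks $Weeks)
    if ($dns.Count -eq 0) { return }
    # Review before acting: logon name, display name, and whether already disabled
    $dns | dsget user -samid -display -disabled
}

function Disable-InactiveUsers {
    param([int]$Weeks = 12)
    $dns = @(Get-InactiveUserDn -Weeks $Weeks)
    if ($dns.Count -eq 0) { return 0 }
    # Disabling keeps the SID and the permissions tied to it; deleting would not.
    $dns | dsmod user -disabled yes | Out-Null
    $dns.Count
}

Show-InactiveUsers -Weeks 12
# Disable-InactiveUsers -Weeks 12     # run once the list has been checked
```

Keeping the review step separate from the change is deliberate: dsquery -inactive relies on the last-logon timestamp, which is replicated only coarsely, so the list deserves a look before anything is disabled.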
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 88-89
If you need to import or export many users at once, the tools CSVDE and LDIFDE can be used to perform these functions. This video looks at how to export and import Active Directory users using these tools.
Bulk User Creation
Tools like CSVDE and LDIFDE are often used in the creation of new users. Since CSVDE uses CSV files, which are easy to create in software like Excel or with scripts, the tool can be fed from other systems. For example, in a school, a list of users could be exported from the enrollment system and, assuming it is in the correct format, used as the input file to create the users in Active Directory. CSVDE and LDIFDE are also used when migrating between different directories; for example, the tools could be used to export users from one domain and then import them into another.
CSVDE vs LDIFDE
The main difference between the tools is the data file that they use. CSVDE uses the comma-delimited format, in which the data in the file is separated by commas. Excel supports CSV files, so these files can easily be modified or created using Excel.
LDIFDE uses the LDAP Data Interchange Format. This is an open format that is used by some non-Microsoft directory services. Using it may allow objects to be exported from a non-Microsoft system so they can be imported into Active Directory, making migrations possible that otherwise may not have been.
CSVDE vs LDIFDE parameters
The parameters for CSVDE and LDIFDE are mostly the same. For a full list, see the TechNet articles in the references section.
-f <filename>: Specifies the file that the data is read from (or written to).
-i: Switches the utility to import mode; otherwise data is exported.
-k: Continues processing even if an error occurs. For example, if you are creating users and a user already exists, processing would normally stop with an error indicating that the user already exists; with -k, processing continues past such errors.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 90 – 92
“LDAP Data Interchange Format” http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format
This video provides an introduction to PowerShell, how to use it and the advantages of PowerShell over the Command Line. PowerShell is a replacement for the command prompt and thus the future. There are a lot more features in PowerShell than the command prompt, meaning better results can be achieved once you learn how to use it.
Command Prompt vs PowerShell
The command prompt was developed from the MS-DOS prompt first released in the early 80s. For this reason it was based on the technology of the time and is limited in what it can achieve on modern hardware and operating systems. The command prompt processes commands one after the other, which is often referred to as batch processing. PowerShell, in comparison, is task based. PowerShell can integrate with other technologies like .NET and can be used directly like a programming language; the command prompt cannot do this.
A cmdlet, pronounced “command let”, performs a single action. Cmdlets follow the format verb-noun. The verb indicates what action the cmdlet will perform, e.g. “Set” would set a value; the noun indicates what the cmdlet operates on. For example, just by looking at the name of the cmdlet “Get-Random”, you would know that it gets a random number.
Commands used in demonstration
Write-Host "Hello World"
echo "Hello World"
$objUser=[ADSI]"LDAP://CN=John Doe,OU=Users,OU=New York,DC=ITFreeTraining,DC=local"
$objUser.Put("DisplayName", "John Doe")
$objUser.SetInfo()   # Put only changes the cached copy; SetInfo writes it to Active Directory
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 98-108
“Windows PowerShell” http://en.wikipedia.org/wiki/Windows_PowerShell
VBScript is a powerful scripting tool that can automate tasks in Active Directory. This video provides an introduction to what can be achieved using VBScript.
VBScript was released back in 1996 and thus is supported in all operating systems since Windows 95. In the older operating systems it is available as an additional download; in the newer operating systems it comes pre-installed. VBScript is based on Visual Basic, so those who have programmed in Visual Basic should have no problems writing VBScript scripts. VBScript has also been included in applications like Internet Explorer and Office. With the popularity of VBScript and the length of time it has been available, there are a lot of example VBScripts available.
VBScript vs PowerShell
PowerShell was designed to replace VBScript, addressing some of its limitations. PowerShell requires .NET 2.0 to operate and thus can only be used on Windows XP and later. The big difference between VBScript and PowerShell is that PowerShell has a shell like the command prompt does. This means that individual commands can be run, unlike VBScript, where the whole script needs to be run at once.
The following VBScript can be used to create a user in Active Directory.
' Bind to the OU the user will be created in
Set objOU = GetObject("LDAP://OU=Users,OU=New York,DC=ITFreeTraining,DC=Local")
' Create the user object in the local cache and set its logon name
Set objUser = objOU.Create("user", "CN=John Doe")
objUser.Put "sAMAccountName", "John Doe"
' Nothing is written to Active Directory until SetInfo is called
objUser.SetInfo
Visual Basic scripts can be run from the command line or by double clicking them. If you run them by double clicking, a dialog box is created each time a message is output. If you want this output to go to the command line instead, run cscript followed by the filename of the script. Cscript runs the script with its output directed to the command prompt rather than a dialog box for each message.
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 108 – 110
ADMT is used to quickly move objects around in your forest. It is used during migrations or when you need to move users between domains during restructures or job changes. This video looks at how to install and use ADMT.
Before installing ADMT, it is worth downloading the ADMT guide (see link below). The guide shows which combinations of software are supported. If you download the latest version of ADMT or SQL Express you may have installation problems and need to implement a workaround; reading this guide will tell you which combination of software will work.
Although possible, it is not recommended to install ADMT on a Domain Controller. The install itself may not work correctly and a workaround may need to be implemented in order to get ADMT to work.
Inter-forest migration: This is when objects are being moved or copied between domains in different forests. The forests can be connected by any valid trust.
Intra-forest migration: This is when objects are being moved or copied between domains that are in the same forest.
A SID is a unique number that every security object in Active Directory has. When ADMT moves an object it essentially creates a new object in the target domain with the same properties. When a user is moved or copied, the new user has a different SID from the old user and so cannot access any of the resources the old SID had access to. SID history allows the SIDs of the old user to be stored with the new user, which essentially allows the new user to access resources that were assigned using the old SIDs.
In this demonstration ADMT 3.2 is installed on Windows Server 2008 R2 with SQL Server 2008 Express SP1 providing the database. We could not get SQL Server 2012 Express to work in this configuration, and the ADMT guide recommends SQL Server 2008 Express SP1. If you run a different version and get installation errors, search the Microsoft web site for the error text; this may give you a workaround for that configuration.
Once ADMT is installed, it is a matter of running the wizard for whatever you want to migrate. When migrating users, ADMT can be configured to place them in the same groups they belonged to in the old domain. For this to work, the target domain must already contain groups with the same names as those in the source domain.
If you want to migrate passwords between domains, the Password Export Server (PES) needs to be installed on a domain controller in the source domain. ADMT does not validate migrated passwords against the target domain's password policy, so the user will be asked to change their password when they first log in to the new domain.
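The following is an added PowerShell example, not part of the original page or of ADMT itself, showing the post-migration checks the SID history and group-mapping paragraphs above call for: which accounts in the target domain carry sIDHistory, which ACEs on a share still name an old SID (and so only work because of sIDHistory), and which source groups have no same-named counterpart in the target. It assumes the ActiveDirectory module from RSAT is available and that the domain names, share path and search base are placeholders to replace.

```powershell
# Added example: post-ADMT checks. Domain names, share path and OU below are assumptions.
Import-Module ActiveDirectory

$TargetDomain = 'target.example.com'                         # assumption
$SourceDomain = 'source.example.com'                         # assumption
$SharePath    = '\\fileserver\migrated$'                      # assumption
$SourceOU     = 'OU=Migrate,DC=source,DC=example,DC=com'      # assumption

# 1. Accounts in the target domain that still carry sIDHistory, keyed by each historical SID.
$migrated = @(Get-ADUser -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' -Properties SIDHistory)
$historyMap = @{}
foreach ($u in $migrated) {
    foreach ($old in $u.SIDHistory) {
        $historyMap[$old.Value] = $u.SamAccountName
    }
}
'{0} accounts carry sIDHistory ({1} historical SIDs)' -f $migrated.Count, $historyMap.Count

# 2. ACEs on the share that reference a historical SID. These grant access only because
#    sIDHistory is in the user's token; re-ACL them to the new account before sIDHistory is cleared.
$acl = Get-Acl -Path $SharePath
foreach ($ace in $acl.Access) {
    # Unresolvable identities come back as a raw SID already; resolvable ones are translated.
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($historyMap.ContainsKey($sid)) {
        '{0,-45} {1,-15} -> re-ACL to {2}' -f $sid, $ace.FileSystemRights, $historyMap[$sid]
    }
}

# 3. ADMT re-creates group membership only where a same-named group exists in the target domain.
$sourceGroups = Get-ADGroup -Server $SourceDomain -Filter * -SearchBase $SourceOU
foreach ($g in $sourceGroups) {
    $name = $g.Name
    if (-not (Get-ADGroup -Server $TargetDomain -Filter { Name -eq $name })) {
        "Missing in target domain, create before migrating members: $name"
    }
}
```

Run it from a workstation that can reach domain controllers in both domains. Step 2 is the one worth repeating as a scheduled report: the list of ACEs it prints is exactly the set of resources that will stop working the day sIDHistory is cleaned up or SID filtering is re-enabled on the trust.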
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” pg 573 – 576
“Active Directory Migration Tool (ADMT) Guide” http://www.microsoft.com/en-au/download/details.aspx?id=19188
Remote Server Administration Tools (RSAT) allow server and client administration to be performed from a client operating system such as Windows 7. This video looks at using Windows 7 to perform these functions and at using the MMC to gather your favourite tools under one interface.
Download the pdf handout for this video from http://ITFreeTraining.com/Handouts/70-640/Part2/RSATSnapIns.pdf
Remote Server Administration Tools (RSAT)
RSAT is not installed by default on the Windows client. The RSAT install can be downloaded from the Microsoft web site. RSAT is not available for Windows XP; however, its predecessor, the Administration Tools Pack (AdminPak), is. It does not include all the tools RSAT does, but it does allow some basic administration to be performed from Windows XP.
Windows 8 http://www.microsoft.com/en-us/download/details.aspx?id=28972
Windows 7 http://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows Vista http://www.microsoft.com/en-us/download/details.aspx?id=21090
Windows Vista x64 http://www.microsoft.com/en-us/download/details.aspx?id=18787
Windows XP http://www.microsoft.com/en-us/download/details.aspx?id=16770
Microsoft Management Console (MMC)
All the administration tools in Windows use the same standardized frame, so any combination of tools can be hosted in one interface. Microsoft provides the Microsoft Management Console, or MMC, for this purpose. Using the MMC you can add any tool to the same console. For this reason administrative tools are often referred to as snap-ins, in reference to their being able to be added to the MMC.
RSAT first needs to be downloaded from the Microsoft web site. The install is quite simple: setup gives you no options other than accepting the license.
Before any of the tools can be used they need to be enabled. This is done by opening Control Panel, selecting Programs and then Programs and Features. From Programs and Features, select Turn Windows features on or off.
The admin tools are found under Remote Server Administration Tools. To enable a tool, or several, it is a matter of going through the options and ticking the administrative tools you want to use.
Once the tools have been enabled, they will be available under Administrative Tools in the Start menu.
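As an added example that is not from the original page, the same enabling step can be scripted on Windows 7 once the RSAT package is installed, which is more repeatable than ticking boxes on each admin workstation. The feature names below are assumed to be those shipped in the Windows 7 RSAT package; the first command lists what is actually available so they can be checked before enabling anything. Run from an elevated PowerShell prompt.

```powershell
# Added example: enable the AD DS snap-ins and the AD PowerShell module from the command line.
# Feature names are an assumption (Windows 7 RSAT); verify them against the listing first.

# 1. List every RSAT feature the installed package offers, with its current state.
dism /online /get-features /format:table | Select-String 'RemoteServerAdministrationTools'

# 2. Parent features must be enabled before their children, so keep this order.
$features = @(
    'RemoteServerAdministrationTools',
    'RemoteServerAdministrationTools-Roles',
    'RemoteServerAdministrationTools-Roles-AD',
    'RemoteServerAdministrationTools-Roles-AD-DS',
    'RemoteServerAdministrationTools-Roles-AD-DS-SnapIns',
    'RemoteServerAdministrationTools-Roles-AD-Powershell'
)
foreach ($f in $features) {
    dism /online /enable-feature "/featurename:$f" /norestart
    if ($LASTEXITCODE -ne 0) { Write-Warning "dism failed for $f (exit $LASTEXITCODE)" }
}

# 3. Confirm the result: the AD Users and Computers console and the AD module should now exist.
Test-Path "$env:windir\System32\dsa.msc"
Get-Module -ListAvailable -Name ActiveDirectory
```

Enabling only the snap-ins you need, rather than the whole tool set, keeps the attack surface of an admin workstation smaller, which matters because this is the machine whose sessions carry domain-admin credentials.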
MMC can be started by typing mmc into the Start menu search box or the Run dialog.
Once MMC is running, additional snap-ins can be added from File > Add/Remove Snap-in.
Once you have the console configured the way you want, it can be saved as an .msc file and opened again later.
The console can be saved in one of four modes. Before saving, open the File menu and select Options.
Author mode: Allows any change to be made by all users, including adding and removing snap-ins.
User mode – full access: Prevents changes to the console itself (adding or removing snap-ins, etc.), but every feature of the included snap-ins can be used.
User mode – limited access, multiple window: Allows the snap-ins to be opened in separate windows within the same console, but users cannot add snap-ins.
User mode – limited access, single window: Does not allow additional windows to be opened in the console.
Console mode only governs the saved .msc file; it is not a security boundary, since a user can simply run mmc.exe and add the same snap-ins. To actually restrict which snap-ins a user can load, use the Group Policy settings under User Configuration > Administrative Templates > Windows Components > Microsoft Management Console (the restricted/permitted snap-ins list).
A Windows Server will not allow remote management by Server Manager by default. To enable it, open Server Manager on the server and tick the option under "Configure Server Manager Remote Management". This enables the WinRM service and listener together with the matching Windows Firewall rule, so it is worth restricting that rule to your management network rather than leaving it open to every host.
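The following added PowerShell example, which is not from the original page, shows the command-line equivalent of that tick box on Windows Server 2008 R2, scopes the resulting firewall rule to a management subnet, and then verifies the connection from the Windows 7 workstation. The server name and subnet are placeholders; the firewall rule name is the one Windows uses for the WinRM HTTP listener.

```powershell
# Added example. Hostname and subnet are assumptions; run each half on the machine indicated.

# ---- On the server, from an elevated PowerShell prompt ----
# Windows Server 2008 R2 ships this script; it enables WinRM and the firewall rule Server Manager needs.
& "$env:windir\System32\Configure-SMRemoting.ps1" -force -enable

# Limit the WinRM (TCP 5985) firewall rule to the management subnet instead of any remote address.
$mgmtSubnet = '10.10.10.0/24'   # assumption
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new remoteip=$mgmtSubnet

# Show the listener that is now active.
winrm enumerate winrm/config/listener

# ---- On the Windows 7 admin workstation ----
$server = 'dc1.example.com'     # assumption
Test-WSMan -ComputerName $server                      # fails if the listener or firewall rule is wrong
Invoke-Command -ComputerName $server -ScriptBlock {   # proves an authenticated remote session works
    Get-Service -Name NTDS, DNS | Select-Object Name, Status
}
```

If Test-WSMan succeeds from a host outside the management subnet, the netsh scoping did not apply; check the rule name with netsh advfirewall firewall show rule name=all | findstr /i "Remote Management".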
“MCTS 70-640 Configuring Windows Server 2008 Active Directory” Microsoft Press, pg 38-40
“Remote Server Administration Tools for Windows 7” http://technet.microsoft.com/en-us/library/ee449475(v=ws.10)
“What Are the Remote Server Administration Tools?” http://technet.microsoft.com/en-us/library/ee449470(WS.10).aspx
“Remote Server Administration Tools” http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-vista-windows-7-windows-8-release-preview-windows-server-2008-windows-server-2008-r2-and-windows-server-2012-dsforum2wiki.aspx
“Windows Server 2003 Administration Tools Pack” http://www.microsoft.com/en-us/download/details.aspx?id=16770