
Microsoft Official Course

Module 6

Designing and Implementing an Active Directory Organizational Unit Infrastructure

Module Overview

- Planning the Active Directory Administrative Tasks Delegation Model
- Designing the OU Structure
- Designing and Implementing an Active Directory Group Strategy

Lesson 1: Planning the Active Directory Administrative Tasks Delegation Model

- What Is an Active Directory Administrative Tasks Delegation Model?
- Typical IT Administrative Models
- Gathering Information on the Current Administrative Structures
- Gathering Information on Organizational Resources
- Gathering Information on Administrative Processes
- Considerations for Branch Office Delegation

What Is an Active Directory Administrative Tasks Delegation Model?

An Active Directory administrative tasks delegation model describes:
- Which administrative groups (or users)
- Have what kind of control (read/write/create/delete)
- Over which objects or attributes
- At which level

The delegation model separates administrative tasks to ensure that administrative groups have the rights they need to fulfill their tasks.

Typical IT Administrative Models

- Centralized: Central Administration is responsible for all tasks
- Decentralized: Multiple administrative entities with equal rights
- Outsourced: Infrastructure and data administration are separate
- Centralized with Delegation: Central infrastructure administration with specific delegations for branches, services, or application owners

Gathering Information on the Current Administrative Structures

Gather the following information about the current administrative structure:
- Organizational requirements
- Operational requirements
- Legal and regulatory compliance
- Expectations for the design

Gathering Information on Organizational Resources

- Physical Devices: Computers, Printers, Scanners
- Human Resources: Users, Groups, Permissions required
- Locations and Network Topography: Physical locations (offices)
- Administrative Groups: Who is managing
- Equally Administered Resources: Who is managed
- Scope of Administration: What level, which objects are managed by the same group

Gathering Information on Administrative Processes

Administrative Processes
- Who creates and maintains Active Directory objects
- How AD DS objects are managed and maintained
- How permissions and attributes are assigned to objects

Best Practices
- Use personalized, separate accounts for administrative tasks
- Grant permissions via groups only to administrative accounts
- Put groups and accounts for administrative purposes in a separate structure in your OU model
- Put regular objects together if they are managed by the same group
- Always assign the least required privilege
- Always assign permissions at the highest possible level

Considerations for Branch Office Delegation

Tasks fulfilled in branch offices may include:
- Partial user management, such as password reset or unlocking locked accounts
- Group management for the groups that are relevant to the branch, such as local file server permissions or printer permissions
- User support that requires a local admin on the branch client computers
- Installing or reinstalling client computers
- Managing local server connectivity
- Managing local backups

Lesson 2: Designing the OU Structure

- Strategies for Designing OUs
- Options for Delegating Administrative Control
- Designing OUs for Delegating Administrative Control
- Designing OUs for Applying GPOs
- Considerations for Designing OU Hierarchies
- Protecting OUs from Accidental Deletion
- Demonstration: Implementing OUs

Strategies for Designing OUs

- Location-based strategy: Static; delegation can be complicated
- Organization-based strategy: Not static; easy to categorize
- Hybrid strategy: Not static; easy to delegate administration
- Resource-based strategy: Static; easy to delegate administration
- Multi-tenancy-based strategy: Easy to include/separate new tenants

Options for Delegating Administrative Control

- Users receive their token (list of SIDs) during logon
- Objects have a security descriptor, which describes:
  - Who (SID)
  - Has been granted or denied
  - Which permissions (Read, Write, Create or Delete child)
  - On what kind of objects
  - In which levels below
- When users browse the Active Directory structure, their token is compared to the security descriptor to evaluate their access rights.

Designing OUs for Delegating Administrative Control

- Object-based design: Delegation of permissions is based on object types, such as users, groups, and computers
- Role-based design: Delegation of permissions is based on administrative tasks, such as password management and group administration
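The following is an added example (not part of the course material) of a role-based delegation for the branch office task "password reset and unlocking locked accounts": one global role group receives exactly those rights on one branch OU, and nothing else. The domain adatum.com, the OU names and the group name SEA-Helpdesk-PasswordReset are assumptions.

```powershell
# Added example, not from the course. Assumed names: domain adatum.com,
# branch OU "OU=Users,OU=Seattle,DC=adatum,DC=com", admin-group OU
# "OU=Admin Groups,OU=Admin,DC=adatum,DC=com", role group SEA-Helpdesk-PasswordReset.
Import-Module ActiveDirectory

$branchOU     = "OU=Users,OU=Seattle,DC=adatum,DC=com"
$adminGroupOU = "OU=Admin Groups,OU=Admin,DC=adatum,DC=com"
$roleGroup    = "SEA-Helpdesk-PasswordReset"

# One global group per administrative task (role-based design), kept in the
# separate admin structure of the OU model, never mixed with regular objects.
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security `
        -Path $adminGroupOU `
        -Description "Reset passwords / unlock accounts in $branchOU"
}

# Grant only what the task needs, at the branch OU, inherited to the user
# objects below it (/I:S = subobjects only; the OU object itself gets nothing):
#   CA;Reset Password   control-access right behind the Reset Password dialog
#   RPWP;pwdLastSet     lets the helpdesk set "User must change password at next logon"
#   RPWP;lockoutTime    clearing lockoutTime is what "Unlock account" does
$acct = "ADATUM\$roleGroup"
dsacls.exe $branchOU /I:S /G "${acct}:CA;Reset Password;user"
dsacls.exe $branchOU /I:S /G "${acct}:RPWP;pwdLastSet;user"
dsacls.exe $branchOU /I:S /G "${acct}:RPWP;lockoutTime;user"

# Verify: the ACEs that name the role group should be exactly the three above,
# scoped to the user object class, and nothing on other object types.
$acl = Get-Acl -Path "AD:\$branchOU"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$roleGroup" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType
```

The ObjectType and InheritedObjectType columns show schema GUIDs rather than names; comparing them against the same command run on an OU without the delegation is the quickest way to confirm the ACEs were added where intended.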

Designing OUs for Applying GPOs

When designing an OU structure to support the application of GPOs, consider the following:
- Assign GPOs at the OU level
- GPOs might require OUs in addition to those that you create for administration
- OUs that you create for GPO requirements are commonly resource-based
- Objects in child OUs inherit the GPO application

Considerations for Designing OU Hierarchies

Align OU strategy to administrative requirements, not business logic

Make use of AD DS native inheritance behavior

Plan to accommodate change

Protecting OUs from Accidental Deletion

Protecting OUs is important after migrations or when earlier versions of administrative tools are used.

Graphical tools:
- Active Directory Administrative Center
- Active Directory Users and Computers

Command line or Windows PowerShell:
- dsadd.exe ou ..
- New-ADOrganizationalUnit (creates OUs which are protected by default)
- Set-ADOrganizationalUnit .. -ProtectedFromAccidentalDeletion $true

Demonstration: Implementing OUs

In this demonstration you will see how to:
- Create an OU
- Verify that the OU is protected against accidental deletion
- Examine the default security settings of the OU
- Delete a protected OU
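The steps of the demonstration above, written out as an added Windows PowerShell example (not the course's own demo script): create a protected OU, check the two Deny ACEs that implement the protection, audit the domain for OUs that arrived unprotected, and show that deleting a protected OU fails. The OU name "Seattle" and the domain are assumptions.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module and an
# OU named "Seattle" that does not yet exist directly under the domain root.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# New-ADOrganizationalUnit protects new OUs by default; stating it explicitly
# documents the intent in the script.
New-ADOrganizationalUnit -Name "Seattle" -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true

# The default security settings of a protected OU contain two Deny ACEs for
# Everyone: Delete and DeleteTree. This is what the flag actually sets.
$ou  = Get-ADOrganizationalUnit -Identity "OU=Seattle,$domainDN" `
           -Properties ProtectedFromAccidentalDeletion
$acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
$deleteBits = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference -eq 'Everyone' -and
    ($_.ActiveDirectoryRights -band $deleteBits)
})
"{0}: ProtectedFromAccidentalDeletion={1}, Deny-Everyone delete ACEs={2}" -f
    $ou.Name, $ou.ProtectedFromAccidentalDeletion, $denies.Count

# Audit: OUs created with dsadd.exe, older tools or brought in by migration
# are not protected. List them, then protect them in one pass.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object DistinguishedName
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
# Remove -WhatIf above to apply the change.

# Deleting a protected OU is refused even for a domain admin; the error is the
# safety net working. Clear the flag first when the removal is intentional.
try {
    Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false -ErrorAction Stop
} catch {
    "Delete refused as expected: $($_.Exception.Message)"
}
```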

Lesson 3: Designing and Implementing an Active Directory Group Strategy

- Active Directory Groups in Windows Server 2012
- Developing an Active Directory Group Naming Strategy
- Strategies for Using Groups to Access Resources
- Considerations for Planning Group Administration
- Guidelines for Designing an Active Directory Group Strategy
- Demonstration: Creating and Managing Groups

Active Directory Groups in Windows Server 2012

AD DS groups:
- Security groups
- Distribution groups

Group scope    Contains members       Grants access
Global         Same domain            Resources from all trusted domains
Domain Local   Any trusted domain     Local domain resources only
Universal      Any trusted domain     Resources from any trusted domain

Developing an Active Directory Group Naming Strategy

When developing a group-naming strategy for your organization, ensure that the naming convention:
- Includes information about the group's scope and purpose, and the owner's name and description
- Conforms to a hierarchy of standard labels that you use in a fixed order

Example: ACL_SalesFolders_Read
- Prefix: ACL
- Delimiter: _
- Resource Identifier: SalesFolders
- Suffix: Read

Strategies for Using Groups to Access Resources

Group Nesting (AGDLP): Accounts -> Global groups -> Domain Local groups -> Permissions

Multidomain forest: AGUDLP

Considerations for Planning Group Administration

Options for group placement in AD DS include the following:
- Place group objects in the same OU that contains the group accounts
- Place group objects in the same OU where a resource exists
- Place all groups centrally in the same location in AD DS
- Place groups in separate OUs
- Allow group self-management
- Hybrid scenarios

Guidelines for Designing an Active Directory Group Strategy

Consider the following guidelines when designing groups in AD DS:
- Assign permissions to groups, not to individual users
- Create groups based on administrative requirements
- Add user accounts to the group that is the most restrictive, if you have multiple groups to which you can add user accounts
- Be careful when using built-in groups because they have a predefined set of rights (especially avoid Account Operators)
- Use group nesting to simplify administration
- Avoid duplicate groups with the same members
- Use the Authenticated Users group instead of the Everyone group to grant user rights and permissions to most users
- Limit the number of users in the Administrators groups

Demonstration: Creating and Managing Groups

In this demonstration you will see how to:
- Create an OU and a group
- Configure management of a group
- Add a user to the group
- Verify that the community group can manage itself
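An added example (not the course's demo script) that ties the naming convention, AGDLP nesting and group self-management from this lesson together in Windows PowerShell. The domain adatum.com, the folder D:\Shares\Sales, the group OU, the role-group name Role_SalesStaff and the users bill and ana are assumptions.

```powershell
# Added example, not from the course. Assumed: domain adatum.com, NTFS folder
# D:\Shares\Sales, group OU "OU=Groups,DC=adatum,DC=com", users bill and ana.
Import-Module ActiveDirectory

$groupOU = "OU=Groups,DC=adatum,DC=com"
$folder  = "D:\Shares\Sales"

# A -> G: accounts go into a global role group named for what its members are.
New-ADGroup -Name "Role_SalesStaff" -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity "Role_SalesStaff" -Members "bill", "ana"

# DL -> P: one domain local group per resource and permission level, named
# Prefix_ResourceIdentifier_Suffix so the ACE is readable without opening it.
New-ADGroup -Name "ACL_SalesFolders_Read" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Read access to $folder"
New-ADGroup -Name "ACL_SalesFolders_Modify" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Modify access to $folder"

# G -> DL: nest the role into the resource group. Joiners and leavers change
# the role group; the permission on the folder never changes.
Add-ADGroupMember -Identity "ACL_SalesFolders_Read" -Members "Role_SalesStaff"

# P: the NTFS permission goes to the domain local group, never to a user.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "ADATUM\ACL_SalesFolders_Read", "ReadAndExecute",
    "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Self-management: ManagedBy only records the owner. The "manager can update
# membership list" option is a separate ACE granting the owner write access to
# the group's member attribute; grant it only for the role group, never for
# the ACL_ groups, otherwise the owner could hand out the resource itself.
Set-ADGroup -Identity "Role_SalesStaff" -ManagedBy "bill"
$groupDN = (Get-ADGroup -Identity "Role_SalesStaff").DistinguishedName
dsacls.exe $groupDN /G "ADATUM\bill:WP;member"

# Verify who ends up with read access, resolving the nesting.
Get-ADGroupMember -Identity "ACL_SalesFolders_Read" -Recursive |
    Select-Object Name, objectClass
```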

Lab: Designing and Implementing an Active Directory OU Infrastructure and Delegation Model

- Exercise 1: Designing an Organizational Unit (OU) Infrastructure
- Exercise 2: Implementing the OU Design
- Exercise 3: Designing and Implementing an Active Directory Permissions Model

Logon Information
- Virtual machine: 20413B-LON-DC1
- User Name: Adatum\Administrator
- Password: Pa$$w0rd

Estimated Time: 120 minutes

Lab Scenario In the past, A. Datum Corporation has used a highly centralized approach to manage its IT infrastructure. However, because the company has expanded to other countries, this centralized approach is no longer efficient. As a result, IT management wants the AD DS design team to recommend how to change the Active Directory administration structure to meet new requirements.

Lab Review

- What was your suggested OU design? What were the reasons behind your design decisions?
- While the lab had you use Windows PowerShell to move user objects based on a certain attribute, can you think of other ways to do this?
- Bill suggested self-management for certain groups. How would you implement this? What are the benefits and what are the risks associated with this recommendation?

Module Review and Takeaways


Review Questions

Best Practice
Common Issues and Troubleshooting Tips
