Module 6

Module Overview
- Planning the Active Directory Administrative Tasks Delegation Model
- Designing the OU Structure
- Designing and Implementing an Active Directory Group Strategy

Planning the Active Directory Administrative Tasks Delegation Model
- What Is an Active Directory Administrative Tasks Delegation Model?
- Typical IT Administrative Models
- Gathering Information on the Current Administrative Structures
- Gathering Information on Organizational Resources
- Gathering Information on Administrative Processes
- Considerations for Branch Office Delegation
What Is an Active Directory Administrative Tasks Delegation Model?
An Active Directory administrative tasks delegation model describes:
- Which administrative groups (or users)
- Have what kind of control (read/write/create/delete)
- Over which objects or attributes
- At which level
The delegation model separates administrative tasks to ensure that administrative groups have the rights they need to fulfill their tasks.
Decentralized:
Outsourced:
Gathering Information on the Current Administrative Structures
Gather the following information about the current administrative structure:
- Organizational requirements
- Operational requirements
- Legal and regulatory compliance
- Expectations for the design
Gathering Information on Organizational Resources
- Physical devices
- Human resources
- Scope of administration: at what level, and which objects, are managed by the same group
- Administrative processes

Gathering Information on Administrative Processes
- Who creates and maintains Active Directory objects
- How AD DS objects are managed and maintained
- How permissions and attributes are assigned to objects

Best Practices
- Use personalized, separate accounts for administrative tasks
- Grant permissions via groups only to administrative accounts
- Put groups and accounts for administrative purposes in a separate structure in your OU model
- Put regular objects together if they are managed by the same group
Considerations for Branch Office Delegation
Tasks fulfilled in branch offices may include:
- Partial user management, such as password reset or unlocking locked accounts
- Group management for the groups that are relevant to the branch, such as local file server permissions or printer permissions
- User support that requires a local admin on the branch client computers
- Installing or reinstalling client computers
- Managing local server connectivity
- Managing local backups
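The first branch task above (password reset and unlock) is the classic case for delegating a narrow set of rights rather than adding the branch staff to a built-in group. The following script is an added example, not part of the course material: it grants the Reset Password extended right and write access to the lockoutTime attribute, on user objects only, below one branch OU. The OU, group name and domain are assumptions; the GUIDs are the well-known schema identifiers for the user class, the Reset Password right and the lockoutTime attribute.

```powershell
# Added example (not course code): delegate password reset and unlock for users
# in one branch OU to a branch support group. OU/group/domain names are assumed.
Import-Module ActiveDirectory

$branchOu  = "OU=Users,OU=London,DC=adatum,DC=com"   # assumed branch OU
$branchGrp = "LON-PasswordResetAdmins"               # assumed global security group
$sid       = (Get-ADGroup -Identity $branchGrp).SID

# Well-known schema GUIDs from the AD schema
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$lockoutTime   = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"   # lockoutTime attribute

$acl = Get-Acl -Path "AD:\$branchOu"

# ACE 1: Reset Password, applied to descendant user objects only (not the OU itself)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

# ACE 2: read/write lockoutTime (writing 0 unlocks the account), user objects only
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty,WriteProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTime,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

Set-Acl -Path "AD:\$branchOu" -AclObject $acl

# Verify: show only the ACEs that now name the branch group. Anything broader than
# these two entries (for example GenericAll) would mean the delegation is too wide.
(Get-Acl -Path "AD:\$branchOu").Access |
    Where-Object { $_.IdentityReference -like "*\$branchGrp" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping both ACEs to the user class means the group cannot reset passwords on computer or service accounts that happen to sit in the same OU.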
Designing the OU Structure
- Control
- Designing OUs for Applying GPOs
- Considerations for Designing OU Hierarchies
- Protecting OUs from Accidental Deletion
- Demonstration: Implementing OUs
Hybrid strategy
Resource-based strategy
Multi-tenancy-based strategy
Objects have a security descriptor, which describes:
- Who (SID)
- Has been granted or denied
- Which permissions (Read, Write, Create or Delete child)
- On what kind of objects
- In which levels below
When users browse the Active Directory structure, their token is compared to the security descriptor to evaluate their access rights.
Object-based design: delegation of permissions is based on object types, such as users, groups, and computers.
Role-based design: delegation of permissions is based on administrative tasks, such as password management and group administration.
When designing an OU structure to support the application of GPOs, consider the following:
- Assign GPOs at the OU level
- GPOs might require OUs in addition to those that you create for administration
- OUs that you create for GPO requirements are commonly resource-based
- Objects in child OUs inherit the GPO application
Demonstration: Implementing OUs
In this demonstration you will see how to:
- Create an OU
- Verify that the OU is protected against accidental deletion
- Examine the default security settings of the OU
- Delete a protected OU
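The same four demonstration steps in Windows PowerShell, as an added example rather than the course's own demo script. The OU name and domain are assumptions. The point worth seeing is that the protection is nothing more than Deny ACEs for Everyone on the OU, so deleting it is a deliberate two-step action.

```powershell
# Added example (not course code): create, verify, inspect and delete a protected OU.
Import-Module ActiveDirectory

$parent = "DC=adatum,DC=com"      # assumed domain
$ouName = "Branch-Test"           # assumed OU name
$ouDn   = "OU=$ouName,$parent"

# 1. Create the OU with accidental-deletion protection set explicitly
New-ADOrganizationalUnit -Name $ouName -Path $parent -ProtectedFromAccidentalDeletion $true

# 2. Verify the flag; fail loudly if an OU was created without it
$ou = Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion
if (-not $ou.ProtectedFromAccidentalDeletion) { throw "OU $ouDn is not protected" }

# 3. Examine default security: the protection shows up as Deny ACEs for Everyone
#    (Delete, Delete Subtree) on the OU object itself
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 4. Delete: the first attempt is expected to fail while the OU is protected
try   { Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false -ErrorAction Stop }
catch { Write-Warning "Expected failure: $($_.Exception.Message)" }

# Clear the flag, then delete; the two commands make the intent explicit in logs
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false
```

Step 2 is also a useful periodic check across all OUs: any OU where the flag is $false is one that a scripting mistake can remove in a single call.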
Designing and Implementing an Active Directory Group Strategy
- Strategy
- Strategies for Using Groups to Access Resources
- Considerations for Planning Group Administration
- Guidelines for Designing an Active Directory Group Strategy
- Demonstration: Creating and Managing Groups
Group types:
- Security groups
- Distribution groups

Group scope        Global                              Domain Local                  Universal
Contains members   Same domain                         Any trusted domain            Any trusted domain
Grants access      Resources from all trusted domains  Local domain resources only   Resources from any trusted domain
A group naming convention:
- Includes information about the group's scope and purpose, and the owner's name and description
- Conforms to a hierarchy of standard labels that you use in a fixed order
Example: ACL_SalesFolders_Read, where Read is the suffix
Strategies for Using Groups to Access Resources
Group nesting (AGDLP): Accounts -> Global groups -> Domain Local groups -> Permissions
Multidomain forest: AGUDLP (Accounts -> Global groups -> Universal groups -> Domain Local groups -> Permissions)
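The AGDLP chain and the ACL_SalesFolders_Read naming convention above, carried through end to end, as an added example rather than course code. The group OU, user names, file server path and the Adatum NetBIOS domain name are assumptions; the NTFS part is meant to run on the file server that hosts the folder.

```powershell
# Added example (not course code): AGDLP in a single domain.
# Accounts -> Global (role) group -> Domain Local (resource) group -> NTFS permission.
Import-Module ActiveDirectory

$grpOu     = "OU=Groups,DC=adatum,DC=com"   # assumed OU that holds group objects
$roleGroup = "Sales-Users"                  # global group: who (the role)
$aclGroup  = "ACL_SalesFolders_Read"        # domain local group: what access, per naming convention
$folder    = "D:\SalesFolders"              # assumed folder on the file server
$users     = @("Adam", "Bill")              # assumed SamAccountNames

# A -> G: user accounts go into the global role group
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $grpOu
Add-ADGroupMember -Identity $roleGroup -Members $users

# G -> DL: the role group is nested in the domain local resource group.
# In a multidomain forest (AGUDLP) a Universal group would sit between these two.
New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security -Path $grpOu `
    -Description "Read access to $folder; owner: Sales IT"
Add-ADGroupMember -Identity $aclGroup -Members $roleGroup

# DL -> P: only the domain local group is ever placed on the resource ACL
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "Adatum\$aclGroup",
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check the effective chain: every user reachable through the resource group
Get-ADGroupMember -Identity $aclGroup -Recursive | Select-Object SamAccountName

# Check the resource: nothing but the ACL_ group should appear as an explicit ACE
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights
```

Because permissions live only on ACL_SalesFolders_Read, access reviews become a question of group membership, and giving a new role read access is a single Add-ADGroupMember rather than another edit of the folder ACL.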
Considerations for Planning Group Administration
Options for group placement in AD DS include the following:
- Place group objects in the same OU that contains the group accounts
- Place group objects in the same OU where a resource exists
- Place all groups centrally in the same location in AD DS
- Place groups in separate OUs
- Allow group self-management
- Hybrid scenarios
- Assign permissions to groups, not to individual users
- Create groups based on administrative requirements
- If you have multiple groups to which you can add user accounts, add them to the most restrictive one
- Be careful when using built-in groups because they have a predefined set of rights (especially avoid Account Operators)
- Use group nesting to simplify administration
- Avoid duplicate groups with the same members
- Use the Authenticated Users group instead of the Everyone group to grant user rights and permissions to most users
- Limit the number of users in the Administrators group
Demonstration: Creating and Managing Groups
In this demonstration you will see how to:
- Create an OU and a group
- Configure management of a group
- Add a user to the group
- Verify that the community group can manage itself
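Configuring a group so its manager can maintain the membership (the "Manager can update membership list" option) is two separate things: the managedBy attribute, which is informational, and an ACE granting write on the member attribute, which is what actually confers the right. The script below is an added example, not the course's demo; the group and manager names are assumptions, and the GUID is the schemaIDGUID of the member attribute.

```powershell
# Added example (not course code): group self-management = managedBy + write on 'member'.
Import-Module ActiveDirectory

$group   = "Community-Volunteers"    # assumed group
$manager = "Bill"                    # assumed manager SamAccountName
$groupDn = (Get-ADGroup -Identity $group).DistinguishedName
$mgrSid  = (Get-ADUser -Identity $manager).SID

# Record the owner. By itself this grants no rights; it only documents who is responsible.
Set-ADGroup -Identity $group -ManagedBy $manager

# Grant the manager read/write on the 'member' attribute of this one group object only
$memberAttr = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of 'member'
$acl = Get-Acl -Path "AD:\$groupDn"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $mgrSid,
    [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty,WriteProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
Set-Acl -Path "AD:\$groupDn" -AclObject $acl

# Verify: list everyone who can write 'member' on this group. The manager should be
# the only non-inherited entry; any other explicit writer is a finding to review.
(Get-Acl -Path "AD:\$groupDn").Access |
    Where-Object { $_.ObjectType -eq $memberAttr -and $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType, IsInherited

# Risk check before enabling self-management: what does this group unlock?
# Every group it is nested in becomes, in effect, manageable by the manager too.
Get-ADPrincipalGroupMembership -Identity $group | Select-Object Name, GroupScope
```

The last command is the answer to the "what are the risks" question in the lab review: a self-managed group that is nested in an ACL_ or administrative group lets its manager grant that access to anyone.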
Lab: Designing and Implementing an Active Directory OU Infrastructure and Delegation Model
- Exercise 1: Designing an Organizational Unit (OU) Infrastructure
- Exercise 2: Implementing the OU Design
- Exercise 3: Designing and Implementing an Active Directory Permissions Model

Logon Information
Virtual machine: 20413B-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 120 minutes
Lab Scenario In the past, A. Datum Corporation has used a highly centralized approach to manage its IT infrastructure. However, because the company has expanded to other countries, this centralized approach is no longer efficient. As a result, IT management wants the AD DS design team to recommend how to change the Active Directory administration structure to meet new requirements.
Lab Review
- What was your suggested OU design? What were the reasons behind your design decisions?
- While the lab had you use Windows PowerShell to move user objects based on a certain attribute, can you think of other ways to do this?
- Bill suggested self-management for certain groups. How would you implement this? What are the benefits and what are the risks associated with this recommendation?
Best Practice
Common Issues and Troubleshooting Tips