Many Windows 2000 administrators are struggling with Active Directory and need a comprehensive book on the subject
The first completely updated book on Active Directory to hit the market
Active Directory Services dramatically changes the way IT professionals design, plan, configure and administer their Windows NT networks. The primary benefits of Active Directory Services are its extensibility, scalability, and ease of management as compared to prior generations of Windows NT. This book provides readers with updated coverage of everything they will need to succeed.
As stated earlier, OUs are containers within a domain that can nest within each other to develop a hierarchy. They are used for group policy and for the delegation of administrative authority. One thing you must understand about an OU is that it is not a security principal. What this means is that you cannot apply access rights to the OU so that the users, groups, resources, other containers, and objects would inherit them. An OU is merely a container with no other capabilities. However, if you use OUs for group policy, then the group policies will flow down the tree structure that the OUs build. In addition, you can use the OUs to decentralize your administration without requiring a separate domain. An Active Directory user does not always have to navigate the OU hierarchy to locate services and information, so the optimal structure for OUs should reflect the boundaries needed for applying group policy or for delegating authority. It is a good rule of thumb to keep the OU names short enough to remember.
OU Objects in Active Directory
OUs are container objects within Active Directory. When you look at OUs in the Active Directory Users and Computers MMC, you can look at their properties, which include the Group Policies applied to them. OUs contain other objects, such as user account objects or other OUs. Policies can be applied to OUs, and those policies can be inherited by sub-OUs. Using the OU hierarchy, you can produce a granular system for managing the desktop environment, security, and a user’s network experience.
Group Policy and OUs
Group policy settings are applied to users and computers in order to manage the desktop configuration. A specific policy is applied to a site, domain, and/or an OU as needed. The group policy can be filtered to control access; otherwise it is inherited by child containers. Group policies will affect users’ login time when they are in a nested OU that has multiple group policies. Longer names for OUs will also affect processing at login time. See Chapter 13, “Intellimirror,” for information on how to apply group policies.
The legacy Windows NT delegation of administration did not offer much in the way of flexibility:
Delegating administration is more powerful and flexible in Windows 2000 than it was in earlier versions of NT. Using the flexibility of Active Directory, delegation of administrative responsibility can be applied at the OU level. The Administrator can assign administrative rights for each object's attributes, and decide whether that control can be inherited. The result is that the appropriate Administrators are granted the appropriate control of their assigned users and published resources. If an Administrator delegates Full Control to another user, then that user is able to delegate administrative authority to others. Otherwise, the delegation of administration is completed by selecting the authority level over each object class and the ability to modify specific attributes. The process is fairly simple:
Windows 2000 even supplies a Delegation of Control Wizard in the Active Directory Users and Computers Microsoft Management Console (MMC) utility (which can be found in the Administrative Tools folder under Programs in the Start menu). This makes the process even easier to execute. The following steps must be taken to use the Delegation of Control Wizard (see Figure 5.10) in order to delegate Full Control to another Administrator for a single OU (the OU is also called a folder in the wizard).
After completing this exercise, there is a way to verify that the changes are applied. In the Active Directory Users and Computers window, select the View menu and then the Advanced Features option. You can then right-click the OU for which you delegated control, then select Properties. On the Security page, click Advanced. The Permissions tab will show you the additional permissions created for the group. If you double-click the group, you will see that it has been granted full rights to all of that OU and any OUs within it.
Another way to verify that the group has been granted access correctly is to log on as a user account that is a member of that group. Then start the Active Directory Users and Computers Wizard and try creating a new group.
There are some challenges with delegating administration. For many with experience in other directory services, the most difficult problem with delegating administration for a container is with somehow losing the delegated Administrator’s password—whether the Administrator has forgotten it, or left the company, or some other mishap has occurred. For this reason, it is a good practice always to have a master administrative account that is granted access to every container, even if it is intended to be completely cut off. The account should be set aside in a secure place for disaster recovery purposes only.
Configuring and Implementing
Controlling Who Can Reset Passwords
One of the most common problems users run into is that they forget their password. Usually this happens the day after they were required to change their password. Only certain Administrators can access that type of user control in legacy environments, so this capability typically is retained by a high-level IT group. In a large organization, it can become a huge headache!
Active Directory can be an aspirin for this particular headache, if an organization has a group such as a Help Desk that is connected to the network. In this case, Active Directory allows the delegation of only the password resetting right. The Help Desk would have no other rights to the directory and could handle the password resets immediately.
To delegate this specific right, create a group for the Help Desk. Then follow the Delegation of Control process up to the Predefined Delegations window in step 10. Here you would select the Delegate one or more of the predefined delegations option, and from the check-box list, select only Reset passwords on user accounts. It is a simple matter of finishing the wizard after that.
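Both delegations described above (Full Control over an OU, and the Help Desk group's reset-password right) end up as explicit ACEs on the OU, which is what the Security page's Advanced view shows. The following PowerShell script is an added example, not from the book, that reads the same information from the command line and flags the two patterns: a Full Control grant (which, as noted above, lets the trustee re-delegate) and a reset-password-only grant. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a domain-joined session with read access to the OU, and a placeholder OU distinguished name; the two GUIDs are the standard well-known values for the Reset Password control access right and the user object class.

```powershell
# Added example (not from the book): audit what has been delegated on one OU.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read
# access to the OU. The OU distinguished name at the bottom is a placeholder.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known GUID of the "Reset Password" control access (extended) right
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
# Well-known schema GUID of the "user" object class
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-OuDelegationReport {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from the domain or a parent OU. The Delegation of
        # Control Wizard writes explicit ACEs on the OU itself, so report those.
        if ($ace.IsInherited) { continue }

        $rights = $ace.ActiveDirectoryRights

        # Full Control (GenericAll) lets the trustee delegate to others in turn.
        $fullControl = ($rights -band $R::GenericAll) -eq $R::GenericAll
        # WriteDacl / WriteOwner also let the trustee change who controls the OU.
        $canRewriteAcl = (($rights -band $R::WriteDacl) -ne 0) -or
                         (($rights -band $R::WriteOwner) -ne 0)
        # The Help Desk delegation is a single ExtendedRight ACE whose
        # ObjectType is the Reset Password GUID.
        $resetOnly = ($rights -eq $R::ExtendedRight) -and
                     ($ace.ObjectType -eq $ResetPasswordRight)

        # Where the ACE applies: the wizard uses All for Full Control and
        # Descendents for the predefined per-class delegations.
        $appliesTo = switch ($ace.InheritanceType) {
            'None'            { 'this OU only' }
            'All'             { 'this OU and everything beneath it' }
            'Descendents'     { 'all objects beneath this OU' }
            'Children'        { 'immediate children only' }
            'SelfAndChildren' { 'this OU and immediate children' }
        }

        # Which object class the ACE is scoped to (empty GUID = every class).
        if ($ace.InheritedObjectType -eq [Guid]::Empty) {
            $objectClass = 'all object classes'
        } elseif ($ace.InheritedObjectType -eq $UserClassGuid) {
            $objectClass = 'user objects'
        } else {
            $objectClass = "schema object $($ace.InheritedObjectType)"
        }

        $finding = if ($fullControl)      { 'FULL CONTROL: trustee can re-delegate' }
                   elseif ($canRewriteAcl) { 'WRITE DACL/OWNER: trustee can change delegation' }
                   elseif ($resetOnly)     { 'Reset password only (Help Desk pattern)' }
                   else                    { 'Review' }

        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Access      = $ace.AccessControlType
            Rights      = $rights.ToString()
            AppliesTo   = $appliesTo
            ObjectClass = $objectClass
            Finding     = $finding
        }
    }
}

# Usage: placeholder DN, replace with the OU you delegated control over.
Get-OuDelegationReport -OuDistinguishedName 'OU=HelpDesk-Managed,DC=example,DC=com' |
    Format-Table -AutoSize
```

Run it against the OU from the Delegation of Control exercise and against the OU where the Help Desk group was given the reset-password right: the first should show the delegated group with GenericAll applying to the OU and everything beneath it, the second should show the Help Desk group with exactly one ExtendedRight ACE scoped to user objects and nothing else. Any extra row for the Help Desk group, or any row flagged WRITE DACL/OWNER that you did not intend, is worth reviewing, since those are the grants that let a delegated Administrator widen their own access.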
| Chapter | Title |
|---|---|
| Chapter 1 | Introduction to Active Directory |
| Chapter 2 | Assessing Your Environment |
| Chapter 3 | Active Directory for Windows 2000 JumpStart Tutorial |
| Chapter 4 | DNS and Naming Strategies |
| Chapter 5 | Designing the Basic Structure |
| Chapter 6 | Designing a Site Structure |
| Chapter 7 | Designing: A Case Study |
| Chapter 8 | Migrating from NT 3.51 or NT 4 to Active Directory |
| Chapter 9 | Implementing a Domain |
| Chapter 10 | Building Trees and Forests |
| Chapter 11 | Implementing Sites |
| Chapter 12 | Implementing Active Directory: A Case Study |
| Chapter 15 | Modifying the Schema |
| Chapter 16 | Using Active Directory: A Case Study |
| Chapter 17 | Plugging into Active Directory |
| Chapter 18 | Disaster Recovery for Active Directory |