Administrative Delegation of Active Directory
Learning Goals
The goal of this lesson is to explain that creating a secure Active Directory environment is a critical responsibility of the administrator. Point out that students will also learn the tasks of creating and working with organizational units as well as delegating administrative control of resources.
Learning Objectives
Upon completion of this lesson, students will be able to:
Implement account security
Plan an organizational unit strategy
Lesson Introduction
Explain that Microsoft Windows Server 2008 Active Directory, with its default domain policy, requires every account to authenticate with a password that meets minimum length and complexity rules. Discuss with students the importance of having an organizational policy for user name and password creation. Explain to students that securing the administrative side of Active Directory is necessary to prevent attackers from gaining unauthorized access to the network. Describe how organizational units are used to secure administrative resources.
Implementing Account Security
Instructors should do the following:
Explain that user account security is an important aspect of a secure network.
Point out that the network administrator will create guidelines for the user name scheme, and it is extremely important that the organization strictly follow the guidelines.
Explain that Windows Server 2008, through the Default Domain Policy, requires that all user accounts have a password meeting the domain's length and complexity rules; a blank password is rejected unless an administrator weakens that policy.
Explain that a password is a secret sequence of characters (letters, numerals, and symbols) that must accompany the user name to gain access to network resources.
Point out the following best practices for protecting your password:
Keep any written-down password in a secure location.
Do not share your password with anyone.
Do not save passwords to your computer to enable easy access.
Always follow the organization's standard for a strong, secure password.
Explain that a strong password is a password that is created with a secure combination of characters and length to make it difficult for a hacker to discover.
Point out that password-cracking is any attempt to discover another user’s password.
Explain that dictionary attacks are automated password-cracking attempts that try candidate passwords taken from word lists (common words, names, and previously leaked passwords), while brute-force attacks try every combination of a set of characters. Both are slowed by length and unpredictability, and online guessing is throttled by the domain's account lockout policy.
Explain that strong passwords include the following characteristics:
Minimum of eight characters in length
Contains uppercase and lowercase letters, numerals, and non-alphabetic characters (the Windows complexity policy requires characters from at least three of these categories)
Differs significantly from previous passwords
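Instructors can show that these characteristics are enforced by the domain, not left to the user. The following PowerShell snippet is an added example, not part of the original lesson: it reads the effective domain password policy with net accounts /domain and the PasswordComplexity flag from a secedit export, then flags settings weaker than the lesson's minimums. It assumes an elevated prompt on a domain-joined Windows Server 2008 machine; the domain it reports on is whichever domain the machine is joined to.

```powershell
# Added example (not part of the original lesson): audit what the domain
# actually enforces against the strong-password characteristics above.
# Run from an elevated prompt on a domain-joined Windows Server 2008 machine.
$policyText = net accounts /domain | Out-String

function Get-PolicySetting([string]$label) {
    # net accounts prints "Label:   value" lines; return the value, or $null if absent.
    $pattern = '(?m)^' + [regex]::Escape($label) + '\s*:\s*(\S+)'
    if ($policyText -match $pattern) { $matches[1] } else { $null }
}

$minLength = Get-PolicySetting 'Minimum password length'
$history   = Get-PolicySetting 'Length of password history maintained'
$maxAge    = Get-PolicySetting 'Maximum password age (days)'
$lockout   = Get-PolicySetting 'Lockout threshold'

$findings = @()
if ([int]$minLength -lt 8)   { $findings += "Minimum password length is '$minLength' (lesson minimum: 8)" }
if ($history -eq 'None')     { $findings += "No password history is kept, so old passwords can be reused" }
if ($maxAge -eq 'Unlimited') { $findings += "Passwords never expire" }
if ($lockout -eq 'Never')    { $findings += "No account lockout, so online guessing is unthrottled" }

# Complexity (three of the character categories) is not shown by net accounts;
# export the effective security policy and read the PasswordComplexity flag.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if (-not (Select-String -Path $cfg -Pattern '^PasswordComplexity\s*=\s*1' -Quiet)) {
    $findings += "Password complexity is not enforced"
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($findings.Count -eq 0) {
    "Domain password policy meets the lesson's minimums."
} else {
    "Weak settings found:"
    $findings | ForEach-Object { " - $_" }
}
```

On a domain controller the exported local policy is the domain policy itself; on a member server it reflects whatever Group Policy has applied, so run the check on a DC when in doubt.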
Explain that securing the administrator password is critical, since a hacker with access to the administrator password can do extensive damage.
Point out that the preferred method for reducing risk is to log on with a standard user account for day-to-day work and use Run as (runas.exe) or Run as Administrator only for the individual administrative task, supplying a separate administrative account's credentials just for that task.
Demonstrate how to use Run as from the GUI while logged on to a Windows Server 2008 member server as a standard user.
Demonstrate how to use Run as from the command line (runas.exe) while logged on as a standard user, supplying domain administrator credentials only for the elevated command.
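The command-line demonstration, as an added example that is not part of the original lesson. It assumes a Windows Server 2008 member server with the AD DS administration tools installed and PowerShell 2.0 or later; CONTOSO\jsmith-adm is a placeholder for the administrator's separate privileged account.

```powershell
# Added example (not part of the original lesson): open Active Directory
# Users and Computers from a standard-user session with a separate
# administrative account. CONTOSO\jsmith-adm is a placeholder name.
$adminAccount = 'CONTOSO\jsmith-adm'

# runas.exe is implemented by the Secondary Logon service (seclogon). It is
# manual-start and runas starts it on demand, but if it has been disabled
# runas cannot work, so check the start mode first.
$seclogon = Get-WmiObject -Class Win32_Service -Filter "Name='seclogon'"
if ($seclogon -eq $null -or $seclogon.StartMode -eq 'Disabled') {
    throw "Secondary Logon (seclogon) is disabled or missing; an administrator must re-enable it (sc config seclogon start= demand)."
}

# Command-line Run as: runas prompts for the password interactively.
# Never put the password on the command line or in a script.
runas "/user:$adminAccount" "mmc dsa.msc"

# /netonly applies the supplied credentials to network connections only;
# useful when the local machine is not a member of the target domain:
#   runas /netonly "/user:$adminAccount" "mmc dsa.msc"

# The GUI "Run as administrator" (UAC elevation of the current account)
# is the equivalent of:
#   Start-Process -FilePath mmc.exe -ArgumentList dsa.msc -Verb RunAs

# Avoid runas /savecred: it stores the privileged credential in the standard
# user's Credential Manager, so anything running as that user can reuse it.
```

Run the demonstration on a member server rather than a domain controller: by default only administrators hold the "Allow log on locally" right on a DC, so a standard user cannot open the session the demonstration starts from.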
Planning an Organizational Unit
Strategy
Instructors should do the following:
Explain that organizational units (OUs) are containers that hold Active Directory objects such as users, groups, computers, and other OUs.
Explain that OUs can be created to represent the company's functional or geographical structure.
Point out that organizational units are created for the following reasons:
They represent the functional and geographical model of the company and its resources.
They delegate administrative control over a container's resources to lower-level or branch office administrators.
They apply consistent configurations across the organization by linking Group Policy objects to the OU.
Explain that OUs can be nested to create a solid structure, but nesting should be done with careful planning and caution: every level adds Group Policy inheritance and delegation that must be traced when troubleshooting.
Point out that delegating authority at the OU level grants access only to the OU and the objects beneath it in the hierarchy. Note the exception: members of protected groups such as Domain Admins have their ACLs reset by the AdminSDHolder process (by default every 60 minutes) with inheritance disabled, so a helpdesk delegation on an OU does not reach those accounts.
Explain that the Delegation of Control Wizard is a simple interface to delegate permissions.
Demonstrate how to delegate administrative control of an OU through Active Directory Users and Computers.
Demonstrate how to verify and remove delegated permissions using Active Directory Users and Computers.
Explain that objects may be moved between OUs for administrative or business purposes.
Point out that the drag-and-drop method or the Move menu option may be used in the Active Directory Users and Computers window.
Demonstrate how to move an object between OUs using drag-and-drop in the Active Directory Users and Computers window.
Demonstrate how to move an object between OUs using the Move option in the Active Directory Users and Computers window.
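The delegation, verification and removal steps above, together with the effect of moving an object into a delegated OU, as one added command-line example that is not part of the original lesson. It uses dsacls.exe and dsmove.exe, which ship with the Windows Server 2008 AD DS tools, and does the same thing as the Delegation of Control Wizard's "Reset user passwords and force password change at next logon" task. The domain contoso.com, the OU Branch01, the group CONTOSO\Branch01-Helpdesk and the user Jane Smith are placeholders; run it as a Domain Admin (the delegator).

```powershell
# Added example (not part of the original lesson): delegate password resets on
# a branch OU to a helpdesk group, verify, move a user in, and revoke.
# All names below are placeholders.
$ou     = 'OU=Branch01,DC=contoso,DC=com'
$group  = 'CONTOSO\Branch01-Helpdesk'
$userDn = 'CN=Jane Smith,OU=Staging,DC=contoso,DC=com'

# 1. Delegate. /I:S applies the ACE to child objects only (not the OU itself),
#    and ";user" restricts it to user objects. Reset Password is an extended
#    right (CA = control access); writing pwdLastSet lets the helpdesk force
#    "change password at next logon", which the wizard grants as well.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# 2. Verify: list only the ACEs on the OU that name the delegated group.
dsacls $ou | Select-String -SimpleMatch $group

# 3. Move a user into the delegated OU. ACEs set explicitly on the user object
#    travel with it; inherited ACEs are recomputed from the new parent, so the
#    helpdesk group now holds the delegated rights over this account.
dsmove $userDn -newparent $ou
dsacls "CN=Jane Smith,$ou" | Select-String -SimpleMatch $group

# 4. Revoke: remove every ACE for the group from the OU. The inherited copies
#    on the child objects disappear with it.
dsacls $ou /R $group
dsacls $ou | Select-String -SimpleMatch $group   # expect no output
```

Step 3 is the point behind the lesson's quiz question on moving objects: permissions assigned directly to the object stay the same, while the permissions it inherits change to those of the destination OU.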
Lesson Quiz
True/False
1. A default configuration of Active Directory in Windows Server 2008 allows for user accounts with no password to log on to the domain.
2. A dictionary attack is an attempt to hack a computer by trying all combinations of characters.
3. Organizational units are units in Active Directory that cannot be nested.
4. Organizational units are most often used in a decentralized administration model.
5. When an object is moved from one OU to another, OU permissions that were assigned directly to the object will remain the same.
Multiple Choice
1. Which of the following should be included when configuring a strong password policy? Choose all that apply.
a) Enforce minimum password length
b) Set a minimum password age
c) Set password history
d) Require multiple types of characters
2. Microsoft best practices require strong passwords to have which three of the following characteristics?
a) At least six characters in length
b) Contain at least three of the following: uppercase letters, lowercase letters, numbers, and non-alphabetic characters
c) Differ from previously used passwords
d) Not contain your username
3. Which two of the following commands allow a user logged on with a standard user account to perform administrative functions?
a) Run As Administrator (Command Line)
b) Run as (GUI)
c) Run as Administrator (GUI)
d) Run as (Command Line)
4. Which two of the following can be used to move objects between organizational units in Active Directory?
a) Copy and paste
b) Drag and drop
c) Move
d) Delete and recreate
5. Which Windows Server 2008 service must be running for the Run as command (runas.exe) to function?
a) Logon service
b) Run as service
c) Authentication service
d) Secondary Logon service
Quiz Answers
True/False
1. False. The Default Domain Policy in Windows Server 2008 sets a minimum password length of seven characters and enables complexity, so an account with no password cannot log on unless the policy is weakened.
2. False. A dictionary attack tries candidate passwords from a word list; trying all combinations of characters is a brute-force attack.
3. False. OUs can be nested.
4. True.
5. True.
Multiple Choice
1. A, B, C, D
2. B, C, D
3. C, D
4. B, C
5. D
Class Projects
Lesson 6—Exercise 1
Describe the components of a strong password policy that meets Microsoft best practices.
Lesson 6—Project 1
Explain why an administrator would need to create and use organizational units in Active Directory. What advantages do organizational units offer that security groups do not?
Microsoft Video Resources
Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies
Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where physical security might otherwise be a concern (e.g., branch offices). This video provides a look at the password replication policies that control which credentials are stored on an RODC.
Length: 4:58
Securing Branch Office User Accounts
In this demo you will see several ways that user accounts in a branch office can be secured. Branch offices traditionally are places of high risk for domain controllers. Placing domain controllers in branch offices is good for functionality and productivity, but bad for security. This demo shows how you can place a domain controller in a branch office and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.
Length: 12:08