An object is a distinct, named set of attributes or characteristics that represent a network resource. Common objects used within Active Directory are computers, users, groups, and printers. Attributes have values that define the specific object. For example, a user could have the first name John, the last name Smith, and the login name jsmith, all of which identify the user.
When working with objects, administrators use the names of the objects, such as usernames.
However, Active Directory objects are assigned a 128-bit unique number called a globally unique identifier (GUID), sometimes referred to as a security identifier (SID), to uniquely identify an object. Therefore, if a user changes his or her name, you can change his or her username yet he or she will still be able to access all objects and have all of the rights he or she had previously because these are assigned to the GUID.
CERTIFICATION READY Why is it important to define users within Active Directory?
3.1
c05EssentialServices.indd Page 145 12/10/10 8:39:35 PM user-f391
c05EssentialServices.indd Page 145 12/10/10 8:39:35 PM user-f391 /Users/user-f391/Desktop/24_09_10/JWCL339/New File/Users/user-f391/Desktop/24_09_10/JWCL339/New File
146 | Lesson 5
GUIDs also provide some security. In particular, if a user is deleted, you cannot create a new user account with the same username and expect to have access to all of the objects and rights the previous user had access to. Thus, if you decide to let someone go within your organization but you plan to replace that person, you can disable the account, hire the new person, rename the user account, change the password, and re-enable the account so that the new person can access all resources and have all of the rights that the previous user had.
The schema of Active Directory defines the format of each object and the attributes or fields within each object. The default schema contains definitions of commonly used objects, such as user accounts, computers, printers, and groups. For example, the schema defines that a user account has the user’s first name, last name, and telephone number.
To allow Active Directory to be flexible so that it can support other applications, you can extend the schema to include additional attributes. For example, you could add badge number or employee identification number to the user object. Indeed, when you install some applications, such as Microsoft Exchange, they will extend the schema, usually by adding additional attributes or fields so that the schema can support the application.
LOOKING AT USERS
A user account enables a user to log on to a computer and domain. As a result, it can be used to prove the identity of a user, and this identity information can then be used to determine what the user can access and what kind of authorization he or she has. It can also be used for auditing so that if there is a security problem in which something was accessed or deleted, the person who accessed or deleted the object can be determined.
On today’s Windows networks, there are two types of user accounts:
• Local user accounts
• Domain user accounts
A user account allows users to log on and access resources on the computer in which the account was created. The local user account is stored in the Security Account Manager (SAM) database on the local computer. The only Windows computer that does not have a SAM database is the domain controller. The administrator local user account is the only account that is both created and enabled by default in Windows. Although this account cannot be deleted, it can be renamed.
The only other account created (but not enabled) by default is the guest account. This account was created for the occasional user who needs access to network resources on a low-security network. Use of the guest account is not recommended, and this account is disabled by default.
A domain user account is stored on the domain controller and allows you to gain access to resources within the domain, assuming you have been granted permissions to access those objects. The administrator domain user account is the only account that is created and enabled by default in Windows when you first create a domain. Although the administrator domain user account cannot be deleted, it can be renamed.
When you create a domain user account, you must supply a first name, last name, and user logon name. The user logon name must be unique within the domain. See Figure 5-9. After the user account is created, you can then open the user account properties and configure a person’s username, logon hours, telephone numbers, and addresses; which computers the user can log on to; what groups the person is a member of, and so on. You can also specify whether a password expires, whether the password can be changed, and whether the account
c05EssentialServices.indd Page 146 12/10/10 8:39:35 PM user-f391
c05EssentialServices.indd Page 146 12/10/10 8:39:35 PM user-f391 /Users/user-f391/Desktop/24_09_10/JWCL339/New File/Users/user-f391/Desktop/24_09_10/JWCL339/New File
Essential Services | 147
is disabled. Last, in the Profile tab, you can define the user’s home directory, logon script, and profile path. See Figure 5-10.
Figure 5-9
User Account in Active Directory
Figure 5-10 Profile tab
Associated with a user account is the user profile, which is a collection of folders and data that store the user’s current desktop environment and application settings. A user profile also records all network connections that are established so that when a user logs on to a computer, it will remember the mapped drives to shared folders. Thus, when a user logs on to
c05EssentialServices.indd Page 147 12/10/10 8:39:35 PM user-f391
c05EssentialServices.indd Page 147 12/10/10 8:39:35 PM user-f391 /Users/user-f391/Desktop/24_09_10/JWCL339/New File/Users/user-f391/Desktop/24_09_10/JWCL339/New File
148 | Lesson 5
a particular computer, he or she will get the same desktop environment he or she previously had on the computer.
By default, the user profiles for Windows XP and Windows Server 2003 are stored in the C:
\Documents and Settings folder under the individual’s username. For example, if jsmith logs in, his or her user profile folder would be C:\Documents and Settings\jsmith. For Windows Vista, Windows 7, and Windows Server 2008, user profiles are stored in the C:\Users folder.
In each user’s folder, some of the available folders include Desktop, My Documents, Start Menu, and Favorites. See Figure 5-11. So, when jsmith directly accesses his or her Desktop or My Documents, jsmith is really accessing C:\Documents and Settings\jsmith\desktop or C:\Documents and Settings\jsmith\my documents.
Figure 5-11 A user’s profile folder
There are three types of user profiles:
• Local user profile: This type of profile is stored on the local hard drive of the computer the user is logging on to. Thus, if the user logs on to a different computer, he or she will get the default settings for that computer.
• Roaming user profile: This type of profile is created and stored on a shared folder on a server over the network. Therefore, no matter what computer the user logs on to within the domain, he or she will have the same settings.
• Mandatory user profile: This type of profile is used as a roaming profile in which the settings can be changed but, when the user logs on again, all settings are reset back to their default values.
LOOKING AT COMPUTERS
Like user accounts, Windows computer accounts provide a means for authenticating and auditing a computer’s access to a Windows network and access to domain resources. Each Windows computer to which you want to grant access must have a unique computer account.
See Figure 5-12. A computer account can also be used for auditing purposes, specifying what system was used when something was accessed.
c05EssentialServices.indd Page 148 12/10/10 8:39:36 PM user-f391
c05EssentialServices.indd Page 148 12/10/10 8:39:36 PM user-f391 /Users/user-f391/Desktop/24_09_10/JWCL339/New File/Users/user-f391/Desktop/24_09_10/JWCL339/New File
Essential Services | 149
A group is used to group users and computers together so that when you assign rights and permissions, you assign them to the entire group rather than to each user individually. Users and computers can be members of multiple groups, and in some instances, a group can be assigned to another group.
COMPARING GROUP TYPES
In Windows Active Directory, there are there are two types of groups: security and distribu-tion. A security group is used to assign rights and permissions and gain access to network resources. It can also be used as a distribution group. A distribution group is used only for nonsecurity functions, such as distributing email, and it cannot be used to assign rights and permissions. See Figure 5-13.
COMPARING GROUP SCOPES
Any group, whether a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The three group scopes (also described in Table 5-2) are as follows:
• Domain local group: A domain local group contains global groups and universal groups, even though it can also contain user accounts and other domain local groups.
It is usually in the domain with the resource to which you want to assign permissions or rights.
Figure 5-12 Computer account