Windows_learn 002 user Management and Group Policy

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Content overview

Management of domain users and groups

Users and groups

User login name

Add user tools

Using groups in Active Directory

Why use groups?

Global Group: Global Group Rules

Domain Local Group: Domain Local Group Rules

Universal Group: Universal Group Rules

Policy for using groups in a domain

Guidelines for using groups

Group Policy Planning and deployment

Group Policy Planning and creation

Tools for Group Policy objects

Management of domain users and groups

Overview

Manage domain user accounts

Add multiple user accounts

Domain group account

Guidelines for the use of groups

Users and groups

Create a unique login for each user account

Create multiple users using batch processing

Group users to manage shared resources on the network (this reduces the number of permission assignments)

When modeling a hierarchical structure, nest groups inside other groups to reduce administrative work

User login name

User principal name

1. User principal name prefix

2. User principal name suffix

User login name

1. Users must select a domain when logging in

Principle of uniqueness of user login name

1. The full name must be unique in the container where the user account is created.

2. The user principal name must be unique in the forest

3. The user login name must be unique in the domain

Add user tools

Active Directory Users and Computers

Directory service tools

Dsadd

Dsmod

Dsrm

Csvde and Ldifde tools (suitable for adding users in bulk)

Windows Script Host

Using groups in Active Directory

Introduction to Active Directory groups

Use Global Group

Use domain local groups

Use universal groups

Why use groups?

1. Use groups to simplify the allocation of permissions

2. A user can belong to multiple groups

3. Groups can be nested between groups

4. Adding and removing users in a group does not cause fragmentation

Group types

Security groups: used to assign permissions (for example, NTFS permissions)

Distribution groups: used to send messages to a group

Scope

Domain local group

Global group

Universal group

Global Group: Global Group Rules

Members: user accounts and global groups from the same domain

Can be a member of: universal and domain local groups in any domain, and global groups in the same domain

Scope: global groups are visible in their own domain and all trusted domains

Permissions scope: all domains in the forest

Use of global groups:

Mainly used to organize objects; not used for authorization

Domain Local Group: Domain Local Group Rules

Members: user accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain

Can be a member of: domain local groups in the same domain

Scope: a domain local group is visible only in its own domain

Permissions scope: the domain in which the domain local group is located

Universal Group: Universal Group Rules

Members: user accounts, global groups and other universal groups from any domain in the forest

Can be a member of: domain local and universal groups in any domain

Scope: a universal group is visible in all domains in the forest

Permissions scope: all domains in the forest

Policy for using groups in a domain

Use global and domain local groups

AGGDLP

1. Add domain user accounts to a global group: User Accounts --> Global Group

2. (Optional) Add one global group to another global group: Global Group --> Global Group

3. Add the global group to a domain local group: Global Group --> Domain Local Group

4. Assign the appropriate permissions to the corresponding domain local group: Domain Local Group

AGUDLP

1. Add user accounts to a global group: User --> Global Group

2. Nest one global group into another global group: Global Group --> Global Group

3. Nest the global groups into a universal group: Global Group --> Universal Group

4. Add the universal group to the domain local group created for the resource: Universal Group --> Domain Local Group

5. Assign the permissions that the users in the group need to the domain local group: Permissions --> Domain Local Group
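The AGGDLP steps above written as Active Directory PowerShell commands, ending with a check for accounts that were added to the resource group directly. This is an added example, not part of the original page; the group names, OU path, domain name, accounts and folder path are hypothetical, and the accounts and folder are assumed to exist already.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$ouGroups = 'OU=Groups,DC=contoso,DC=example'   # hypothetical OU that holds the groups
$share    = 'D:\Shares\Finance'                 # hypothetical resource folder

# A -> G: a global group collects the user accounts that share a role
New-ADGroup -Name 'G_Finance_Staff' -GroupScope Global -GroupCategory Security -Path $ouGroups
Add-ADGroupMember -Identity 'G_Finance_Staff' -Members 'alice', 'bob'   # constructed sample accounts

# G -> G (optional): nest the role group in a broader global group of the same domain
New-ADGroup -Name 'G_Finance_All' -GroupScope Global -GroupCategory Security -Path $ouGroups
Add-ADGroupMember -Identity 'G_Finance_All' -Members 'G_Finance_Staff'

# G -> DL: a domain local group represents one access level on one resource
New-ADGroup -Name 'DL_FinanceShare_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ouGroups
Add-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Members 'G_Finance_All'

# DL -> P: the NTFS permission is granted to the domain local group only
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\DL_FinanceShare_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: user accounts placed directly in the resource group bypass the A-G-DL chain
# and are easy to miss in an access review; list them so they can be moved to a global group.
Get-ADGroupMember -Identity 'DL_FinanceShare_Modify' |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -Property SamAccountName, distinguishedName
```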

Guidelines for using groups

Add users responsible for daily work to the global group

Create global groups for access to shared resources

Add the global groups that need to access these resources to the appropriate domain local group

Use universal groups to access resources from multiple domains

Use universal groups when their membership is relatively stable

Group Policy Planning and deployment

The focus of this chapter

What is an organizational unit?

Planning organizational units

Managing organizational units

Managing the members of an organizational unit

Delegated control

Organizational Unit and delegated Control

Organizational Unit (OU)

An object that appeared after 2000 and plays an important role in the logical architecture of the AD domain

What is an organizational unit?

In the era of Windows NT, the domain was the smallest unit for organizing and managing the network. If different departments had different security requirements and management methods, the whole company often ended up divided into multiple domains. However, a multi-domain architecture increases the burden in terms of management and cost.

To solve this kind of problem, Microsoft added the organizational unit object to the AD domain, which makes domain planning and management more flexible and gives full play to the advantages of hierarchical responsibility and delegated management.

An organizational unit is a container.

An object that can contain other objects is called a container. Since an organizational unit is a container, it can also contain other objects.

It can contain the following nine objects:

Users, computers, groups, printers, shared folders

Contacts, organizational units, InetOrgPerson, MSMQ routing aliases

But remember one thing: an organizational unit can only contain objects in the same domain, not objects in other domains.

Differences between organizational units and groups

When they first come into contact with organizational units, many users confuse them with groups. Both are part of the logical architecture of the AD domain, but they differ in use as follows:

A user can belong to multiple groups, but only to one organizational unit.

Organizational units can contain groups, but groups cannot contain organizational units.

Permissions for network resources, such as folders or printers, can be granted to groups, but not to organizational units.

Planning organizational units

Planning the structure of organizational units is a challenging task. There is no fixed rule, however; it depends mainly on the actual needs of the enterprise.

Here are several common planning models:

Based on geographical location (China, France, Norway)

Based on function (sales, marketing, consulting)

Based on organization (manufacturing, engineer, researcher)

Hybrid, for example:

Organization (location)

Function (organization)

Location (function)

Delegated control

To put it simply, delegation of control (Delegation) is authorization. System administrators can use it to hand routine management work to a specific object, in order to lighten their own burden.

There are three main points to note when delegating control:

Scope of delegation: how large a scope (site, domain, or organizational unit) is delegated

Delegated to: whom to delegate to

Delegated content: how much authority to delegate

Give delegated users a tool they can operate on their own

Run mmc on the domain controller and add a snap-in (just add the corresponding snap-in).

After adding it, select the OU to be managed, right-click it and choose New Window from Here.

New Taskpad View

Group Policy Planning and creation

Group Policy enables Active Directory-based change and configuration management of user and computer settings on computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.

In addition to using Group Policy to define configurations for groups of users and computers, you can use it to configure a number of server-specific operational and security settings, so that Group Policy helps manage server computers.

Group Policy component

Group Policy Object GPO

Contains Group Policy settings

Stores content in two locations

Group Policy Container

Stored in Active Directory

Provides version information

Group Policy Template

Stored in shared SYSVOL folder

Provides Group Policy settings

Tools for Group Policy objects

Default Group Policy tool

Active Directory Users and Computers

Domain and organizational unit Group Policy objects

Active Directory Sites and Services

Site Group Policy objects

Local Security Policy

Local computer security settings

Additional tool

Group Policy Management

Domain, organizational unit, and site group policy object

After a Group Policy object is configured, it must be linked to an OU before it can take effect.

Group Policy precedence, from highest to lowest (when settings conflict, the policy higher in this list wins):

Sub-OU policy

Parent OU policy

Domain policy

Site policy

Local policy
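Two checks that follow from the points above, using the GroupPolicy PowerShell module: find GPOs that are configured but linked nowhere, and list the links that reach a given OU in precedence order. This is an added example, not part of the original page; the OU path is a hypothetical placeholder.

```powershell
# Added example. The OU path is hypothetical; requires the Group Policy management tools.
Import-Module GroupPolicy

$targetOu = 'OU=Sales,OU=Staff,DC=contoso,DC=example'   # hypothetical child OU

# 1. GPOs that exist but have no link: their settings apply to no user or computer.
#    The XML report of a GPO has one <LinksTo> element per link; none means unlinked.
$unlinked = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $report.GPO.LinksTo) { $gpo.DisplayName }
}
"Unlinked GPOs: $($unlinked -join ', ')"

# 2. GPO links that reach the OU, from the OU itself, its parent OUs and the domain.
#    Order 1 has the highest precedence, so a link on the child OU is listed
#    ahead of links on the parent OU and on the domain.
(Get-GPInheritance -Target $targetOu).InheritedGpoLinks |
    Sort-Object -Property Order |
    Format-Table -Property Order, DisplayName, Target, Enabled -AutoSize
```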

When will group policy be applied?

Computer starts

Computer settings applied

Startup scripts run

User logs on

User settings applied

Logon scripts run
