Folder Redirection Best Practices

The following are the best practices for implementing folder redirection:
Allow the system to create the folders. If you create the folders yourself, they may not have the correct permissions set.
Use fully qualified UNC paths, for example, \\servername\sharename. Although paths like C:\Foldername can be used, it is not advisable because the path might not exist on the target computer.


Real World Batch Files and Group Membership

When you install Active Directory on your network, it becomes the main database for finding resources in your organization. The resources in your network are represented by Active Directory objects. You should be familiar with the common Active Directory objects listed in Table 9-1.
The information that allows a user to log on to Microsoft Windows Server 2003, such as user logon name.
The information about a person who has a connection to the organization.
A collection of user accounts, computers, or other groups that you can create and use to simplify administration.
A pointer to a shared folder on a computer. A pointer contains the address of certain data, rather than the data itself. When you publish a shared folder or printer in Active Directory, you are creating an object that contains a pointer to the shared folder or printer.
A pointer to a printer on a computer. Windows Server 2003 automatically adds printers that you create on domain computers to Active Directory. A printer on a computer that is not in Active Directory must be manually published.
The information about a computer that is a member of the domain.
The information about a domain controller including an optional description, its Domain Name System (DNS) name, its pre-Microsoft Windows 2000 name, the version of the operating system loaded on the domain controller, the location, and who is responsible for managing the domain controller.
Contains other objects, including other OUs. Used to organize Active Directory objects.
Objects are either container objects or leaf objects. A container object stores other objects and occupies a specific level in a subtree hierarchy. A leaf object does not store other objects and occupies the endpoint of a subtree. When you attempt to locate objects in Active Directory, you enter criteria for the system to use in the search. These criteria must be previously included in the properties for the object when the object is created. This is why it is a best practice to complete all attributes that are important to your organization when you create Active Directory objects. The more attributes you include, the greater the flexibility when you search for objects.
A security or distribution group often used to assign permissions to related resources in multiple domains. You can use a universal group to assign permissions to gain access to resources that are located in any domain in the forest. In domains with the domain functional level set to Windows 2000 mixed, universal groups are not available. In domains with the domain functional level set to Windows 2000 native or Windows Server 2003, universal groups can contain user accounts, computer accounts, global groups, and other universal groups from any domain in the forest.


Real World Batch Files and Group Membership

The Ifmember utility is commonly used in batch files and logon scripts to determine group membership before running a command. You can see how the Ifmember utility works by performing the following steps:
1. Insert the Supplemental CD-ROM and run the \70-294\Labs\Chapter08\Lab8.bat batch file if you have not already. This batch file creates several groups and makes Amy a member of those groups. When the batch file runs, it will leave the commands it runs on-screen for you to review. Press the spacebar when you are finished reviewing what happened.
2. Run the IfMember_Setup.exe program from the \70-294\Labs\Chapter08 folder on the Supplemental CD-ROM. The Microsoft Web Installation Wizard appears.
3. Click Next to proceed.
4. Read the license agreement. If you do not agree, you cannot continue. If you agree, click the I Agree option button. Then, click Next to proceed. The Destination Directory opens.
5. Adjust the installation location if necessary, and click Install Now.
6. Click Finish.
7. In the new command prompt window, type [command not preserved in this copy] and press Enter.
8. Type notepad c:\membership.txt and press Enter. You'll see a list of your current group memberships displayed in Notepad.
Group scopes allow you to use groups in different ways to assign permissions. The three group scopes are global, domain local, and universal. Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.
Use the following strategy for planning groups: place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.
The following scope changes are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: global to universal, as long as the group is not a member of another group having global scope; domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member; universal to global, as long as the group being converted does not have another universal group as its member; and universal to domain local.
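The scope-change rules above can be checked mechanically before a conversion is attempted. The following Python code is an added example, not part of the original text; the Group class, the nest() helper and the sample group names are hypothetical, and it models only direct nesting between groups.

```python
from dataclasses import dataclass, field

GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "global", "domain local", "universal"
LEVELS_ALLOWING_CHANGE = {"Windows 2000 native", "Windows Server 2003"}  # per the text

@dataclass(eq=False)
class Group:
    name: str
    scope: str
    members: list = field(default_factory=list)    # groups nested inside this one
    member_of: list = field(default_factory=list)  # groups this one is nested in

def nest(child, parent):
    """Record that `child` is a member of `parent`."""
    parent.members.append(child)
    child.member_of.append(parent)

def _names(groups, scope):
    return sorted(g.name for g in groups if g.scope == scope)

def check_scope_change(group, new_scope, functional_level):
    """Return (allowed, reason) for converting `group` to `new_scope`."""
    if functional_level not in LEVELS_ALLOWING_CHANGE:
        return False, f"scope changes are not available at level {functional_level}"
    change = (group.scope, new_scope)
    if change == (GLOBAL, UNIVERSAL):
        blockers = _names(group.member_of, GLOBAL)
        why = "is a member of global group(s)"
    elif change == (DOMAIN_LOCAL, UNIVERSAL):
        blockers = _names(group.members, DOMAIN_LOCAL)
        why = "contains domain local group(s)"
    elif change == (UNIVERSAL, GLOBAL):
        blockers = _names(group.members, UNIVERSAL)
        why = "contains universal group(s)"
    elif change == (UNIVERSAL, DOMAIN_LOCAL):
        blockers, why = [], ""      # no membership condition applies
    else:
        return False, f"{group.scope} to {new_scope} is not a listed conversion"
    if blockers:
        return False, f"{group.name} {why}: {', '.join(blockers)}"
    return True, "allowed"

# Constructed sample directory (group names are invented for illustration).
accountants = Group("Accountants", GLOBAL)
finance = Group("Finance", GLOBAL)
ledger_rw = Group("Ledger-RW", DOMAIN_LOCAL)
all_staff = Group("All-Staff", UNIVERSAL)
for child, parent in [(accountants, finance), (finance, ledger_rw), (finance, all_staff)]:
    nest(child, parent)
```

In the sample data, Accountants cannot become universal while it is nested in the global group Finance, whereas Finance itself can, because it is a member only of a domain local and a universal group.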
You should avoid running your computer while logged on as an administrator because running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. If you frequently need to log on as an administrator, use the Run As program, which allows you to run specific tools and programs with permissions other than those provided by the account with which you are currently logged on.


Renaming, Disabling, Enabling, and Deleting The User Accounts

Modifications that you make to user accounts that affect the functionality of the user accounts include the following:
Renaming a user account: Rename a user account when you want to retain all rights, permissions, and group memberships for the user account and reassign it to a different user. For example, if there is a new company accountant replacing an accountant who has left the company, rename the account by changing the first, last, and user logon names to those of the new accountant.
Disabling and enabling a user account: Disable a user account when a user does not need an account for an extended period, but will need it again. For example, if a user takes a two-month leave of absence, you would disable his or her user account at the beginning of the leave. When the user returns, you would enable his or her user account so that he or she could log on to the network again.
Deleting a user account: Delete a user account when an employee leaves the organization and you are not going to rename the user account. You might decide first to disable such an account and then delete it at a later time. This allows access to any items to which the user had exclusive rights or time to assign the account to another user. In the end, if the account remains unused, you should delete it so you do not have unused accounts in Active Directory.
To modify a user account, you make changes to the user account object in Active Directory. To complete the tasks for modifying user accounts successfully, you must have permission to administer the OU or container in which the user accounts reside. The procedures for renaming, disabling, enabling, and deleting user accounts are very similar.
To reset a user password
1.Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.
2.Expand the appropriate domain, and then click the appropriate OU.
3.In the details pane, select the user account for which you want to reset a password. Click Action.
4.On the Action menu, click Reset Password.
5. In the Reset Password dialog box, type a new password for the user in the New Password box. Confirm the password in the Confirm Password box. Select User Must Change Password At Next Logon to force the user to change his or her password the next time he or she logs on. Click OK.


Password Requirements and Criterion

To protect access to the domain or a computer, every user account should have a strong password. A strong password is a password that provides an effective defense against unauthorized access to a resource. It's important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.
Passwords can be up to 127 characters. However, if your network has computers running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Windows Me), you should use a maximum of 14 characters because these operating systems support passwords of up to only 14 characters. A minimum length of seven characters is recommended.
Password Security
Password security is a real problem and remains a fairly large security hole for many organizations and individuals. You can and should set a password policy at the domain level in order to enforce strong passwords. You’ll learn more about this in Chapter 13, “Administering Security with Group Policy.” You should also consider using a password auditing tool in order to monitor your network for weak passwords. There are several password auditing tools available.
access control list (ACL): The mechanism for limiting access to certain items of information or to certain controls based on users' identity and their membership in various predefined groups. An ACL is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.
nested OUs: The creation of organizational units (OUs) within OUs.
organizational unit (OU): An Active Directory container object used within a domain. An OU is a logical container into which you can place users, groups, computers, and other OUs. It can contain objects only from its parent domain. An OU is the smallest scope to which you can apply a Group Policy or delegate authority.
Use the Active Directory Users And Computers console to rename, move within a domain, and delete OUs. If you delete an OU that contains objects, all of the objects that are in the OU are also deleted.
Use the Active Directory Users And Computers console to set properties for an OU. Properties provide additional information about the OU or assist in finding the OU.
An OU is a container used to organize objects within one domain into logical administrative groups. OUs can be added to other OUs to form a hierarchical structure.
