Group types:
Security: used for granting resource permissions
Distribution: non-security for distribution of information
Group scopes:
Domain local: Can contain accounts from any domain, Global and Universal groups from any domain, but Domain Local groups from the same domain only
Global: Can contain accounts from the same domain, Global groups from the same domain
Universal: Accounts from any domain in the forest, Global groups from any domain in the forest, Universal groups from any domain in the forest
Group permission assignment:
Universal: resources in any domain or forest
Global: resources in any domain
Domain local: only to resources in same domain
5.3.1 Configure group nesting
MS's "best practice" AGUDLP method suggests putting users and other groups into Global groups, then adding those to Universal groups if needed, then adding those to Domain Local groups, which are the groups assigned permissions on a resource. So Global for users and groups, and Domain Locals for the resource assignments.
5.3.2 convert groups including security, distribution, universal, domain local, and domain global
Universal can convert to Domain local
Universal can convert to Global if no other universal groups exist as members.
Global can convert to Universal, as long as it's not a member of other Global groups
Domain local can convert to Universal as long as no other domain local groups exist as members.
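As an added example (not part of these notes), a PowerShell function that checks the four conversion rules above before calling Set-ADGroup -GroupScope, so a blocked conversion is explained instead of just rejected by the DC. It assumes the ActiveDirectory module is loaded and a domain connection; the function name is my own.

```powershell
# Added example: pre-check the scope-conversion rules from the notes above.
# Assumes the RSAT ActiveDirectory module; Convert-GroupScopeSafely is not a built-in cmdlet.
Import-Module ActiveDirectory

function Convert-GroupScopeSafely {
    param(
        [Parameter(Mandatory)] [string] $Identity,      # DN or sAMAccountName of the group
        [Parameter(Mandatory)] [ValidateSet('DomainLocal','Global','Universal')] [string] $TargetScope,
        [switch] $WhatIf                                 # pass through to Set-ADGroup for a dry run
    )

    $group = Get-ADGroup -Identity $Identity -Properties memberOf
    $from  = [string]$group.GroupScope
    if ($from -eq $TargetScope) { return $true }        # nothing to do

    # Scopes of groups nested directly inside this group (matters for Universal->Global, DomainLocal->Universal)
    $memberGroupScopes = Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { [string](Get-ADGroup -Identity $_.distinguishedName).GroupScope }

    # Scopes of groups this group is a direct member of (matters for Global->Universal)
    $parentGroupScopes = @($group.memberOf) |
        ForEach-Object { [string](Get-ADGroup -Identity $_).GroupScope }

    # Each rule yields a reason string when the conversion is blocked, otherwise nothing
    $blocker = switch ("$from->$TargetScope") {
        'Universal->DomainLocal' { $null }
        'Universal->Global'      { if ($memberGroupScopes -contains 'Universal')   { 'it contains Universal groups' } }
        'Global->Universal'      { if ($parentGroupScopes -contains 'Global')      { 'it is a member of a Global group' } }
        'DomainLocal->Universal' { if ($memberGroupScopes -contains 'DomainLocal') { 'it contains Domain Local groups' } }
        default                  { "no direct conversion from $from to $TargetScope (convert via Universal first)" }
    }

    if ($blocker) {
        Write-Warning "Cannot convert '$($group.Name)' from $from to ${TargetScope}: $blocker"
        return $false
    }

    Set-ADGroup -Identity $group -GroupScope $TargetScope -WhatIf:$WhatIf
    return $true
}

# Usage (constructed DN, dry run):
Convert-GroupScopeSafely -Identity 'cn=sales,ou=sales,dc=contoso,dc=com' -TargetScope Universal -WhatIf
```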
5.3.3 manage group membership using Group Policy
In GPO drill down to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. Here you can configure what members can be in this group for the computers this GPO affects, and/or what groups this group can belong to in relation to the computers this GPO affects.
This is used most effectively to limit local group memberships.
5.3.4 enumerate group membership
ADUC and ADAC: right click properties, members tab
get-adgroupmember "cn=sales,ou=sales,dc=contoso,dc=com"
dsget group "cn=sales,ou=sales,dc=contoso,dc=com" -members
5.3.5 delegate the creation and management of Active Directory objects
see 1.2.2 Delegate Administration
Tools used to delegate administration:
Delegation of Control Wizard in ADUC
ACL Editor
ldp.exe
dsacls.exe
acldiag.exe
dsrevoke.exe
5.3.6 manage default Active Directory containers; create, copy, configure, and delete groups and OUs
Default containers are CN objects, not OUs: they cannot have GPOs linked to them or be used for admin delegation.
Domain container - root domain container
Builtin - default service admin accounts
Users - default location for new user and groups
Computers - default location for new computers
Other default containers: Foreign Security Principals, Managed Service Accounts
4 others are hidden in ADUC unless Advanced Features is enabled: LostAndFound, NTDS Quotas, System, Program Data
There's also a default OU Domain Controllers.
Create new:
ADUC and ADAC: Right click and New-OU, right click and new Group
command line:
dsadd ou "ou=Sales,dc=contoso,dc=com"
dsadd group "cn=salesgroup,ou=sales,dc=contoso,dc=com"
powershell:
new-adorganizationalunit -name HR -path "dc=contoso,dc=com"
new-adgroup -name "Human Resources" -path "ou=HR,dc=contoso,dc=com" -groupscope Global
Configure: ADUC and ADAC: Right click, properties
command line
dsmod group "cn=sales,ou=sales,dc=contoso,dc=com" -addmbr "cn=administrator,cn=users,dc=contoso,dc=com"
dsmod ou
powershell
set-adgroup -identity "cn=human resources,ou=HR,dc=contoso,dc=com"
add-adgroupmember -identity "cn=human resources,ou=HR,dc=contoso,dc=com" -members "cn=John Doe,ou=HR,dc=contoso,dc=com"
set-adorganizationalunit
Remove:
ADUC and ADAC: right click, delete
remove-adgroup
remove-adorganizationalunit