Basic data

Year, page count: 2007, 44 pages

Language: English

Uploaded: 3 May 2021

Size: 1 MB






Content excerpt

Step-by-Step Guide to Managing the Active Directory

Document Change Control Table

| Version Number | Date of Issue | Author(s) | Brief Description of Change(s) |
|---|---|---|---|
| 1.00 | 2/10/04 | D. Aragon | Initial Version |
| 1.01 | 5/12/04 | D. Aragon | Added section on user profiles. |
| 1.02 | 5/21/04 | D. Aragon | Added Document Control Table and Table of Contents. |
| 1.03 | 7/26/04 | D. Aragon | Added security warning and corrected several typos. |
| 1.04 | 3/15/07 | D. Aragon | Updated guide to reflect procedures for Windows Server 2003 Active Directory FFL. |

Table of Contents

Introduction ... 1
Prerequisites ... 1
In this Step-by-Step Guide ... 1
Using the Active Directory Users and Computers Snap-in tool ... 2
Recognizing Active Directory Objects ... 3
Adding an Organizational Unit ... 5
Creating a Computer Object ... 6
Adding a Computer to the Domain ... 9
Managing Computer Objects ... 10
Managing a Remote Computer ... 10
Creating a Group ... 13
Adding a User to a Group ... 13
Nested Groups ... 15
Creating Nested Groups ... 16
Finding Specific Objects ... 17
Filtering a List of Objects ... 18
Writing a Group Policy Object ... 19
Create a Group Policy Object ... 20
Edit a Group Policy Object ... 21
Use an ADM file to create a GPO ... 22
Publishing a Shared Folder ... 23
To publish the shared folder in the directory ... 23
To browse the directory ... 24
Publishing a Printer ... 25
Windows 2000 Printers ... 25
To add a new printer ... 25
To locate a printer ... 26
Adding Non-Windows 2000 Printers ... 26
To use the Active Directory Users and Computers snap-in to publish printers ... 27
Folder Redirection ... 28
Let the system create folders for each user ... 28
Use offline folder settings on the server share where the users' info is stored ... 29
Policy removal considerations ... 30
Offline Folders Tips and Tricks ... 30
User profiles overview ... 30
Advantages of using user profiles ... 31
User profile types ... 31
Contents of a user profile ... 32
NTuser.dat file ... 33
All Users folder ... 33
To copy a user profile ... 33
To create a preconfigured user profile ... 35
User Profiles and Roaming User Profiles Tips and Tricks ... 36
Attachments ... 39
Creating a Local User Account ... 39
To create a new local user account ... 39

Introduction

ITR, in conjunction with TSAG Members, has been tasked with implementation of the policies and management of the top-level (root) organizational unit (OU), along with implementing TSAG-approved changes to the schema and the top-level (root) Group Policy Object (GPO). As local autonomy of the individual colleges and organizations represented at the first-level OU is desired, local administration of these OUs will fall on TSAG members or their appointed representatives.

This guide is provided to TSAG Members as an introduction to the administration of the Active Directory service and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and alter the properties of objects such as users, contacts, groups, servers, printers, and shared folders. It is available for download as part of the Active Directory administrative tools from the Active Directory web site (http://www.csun.edu/tsag/activedirectory). The Active Directory administrative tools can only be used from a computer with access to a domain.

Prerequisites

This document is based on the following documents and web pages:
• Step-by-Step How-To Guide to the Common Infrastructure for Windows 2000 Server Deployment, Part One: http://www.microsoft.com/technet/win2000/depprof1.asp and Part Two: http://www.microsoft.com/technet/win2000/depprof2.asp
• http://www.microsoft.com/technet/prodtechnol/ad/windows2000/howto/managad.asp
• http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx

This document assumes you are familiar with Windows 2003 or Windows XP and that you have Administrative authority for your OU (i.e. you have an “a under-bar” account).

In this Step-by-Step Guide

Common Administrative Tasks
• Adding an Organizational Unit
• Creating a Computer Object
• Adding a Computer to the Domain
• Creating Groups and Adding Members to Groups
• Creating or Editing a Group Policy Object
• Publishing shared network resources, such as shared folders and printers
• Renaming, Moving, and Deleting Objects
• Creating Nested Groups
• Using Filters and Searches to retrieve objects

Advanced Administrative Tasks
• Folder Redirection

Additional Useful Information
• Policy Removal Considerations
• Offline Folder Tips and Tricks
• User Profile Overview
• User Profiles and Roaming User Profiles Tips and Tricks

Attachments
• Creating a User Account
• Group Policy Object Settings Explanation
• Root Group Policy Object settings
• Blank Group Policy Object Worksheet

Using the Active Directory Users and Computers Snap-in tool

Note: For security reasons, direct access to the Domain Controllers is prohibited. Maintenance of objects can only be performed through use of the Users and Computers snap-in.

Note: If you have not done so already, install the Administrative Package found on the Active Directory Administration web site (www.csun.edu/tsag/activedirectory). Download and install the correct administrative package for your operating system (admin2k.exe for Windows 2000, or adminxp.exe for Windows XP or Windows Server 2003). This will install the proper snap-in referenced in this section.

1. To start the Active Directory Users and Computers snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand csun.edu by clicking the +.
3. Figure 1 below displays the key components of the Active Directory Users and Computers snap-in for csun.edu.

Figure 1: The Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

| Folder | Description |
|---|---|
| Domain | The root node of the snap-in represents the domain being administered. |
| Default Computers | Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003-based computers that join our domain incorrectly. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. Computers in this folder will display a message to the user at logon, warning them that the computer is in the wrong location and to notify their IT Tech to move it. You must get an Active Directory Enterprise Administrator to move these objects. |
| System | Contains Active Directory systems and services information. |
| Auth/People | Contains all the users in the domain. Like computers, the user objects can be moved; however, this will cause them to become out of sync with the enterprise, and therefore moving a user object is not allowed. |
| Users | Contains all the user types in the domain. |

You can use Active Directory to create the following objects.

| Object | Description |
|---|---|
| User | A user object is a security principal in the directory. A user can log on to the network with these credentials, and access permissions can be granted to users. |
| Contact | A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail. |
| Computer | An object that represents a computer on the network. For Windows NT-based workstations and servers, this is the machine account. |
| Organizational Unit | Organizational units are used as containers to logically organize directory objects such as users, groups, and computers, in much the same way that folders are used to organize files on your hard disk. |
| Group | Groups can contain users, computers, and other groups. Groups simplify the management of large numbers of objects. |
| Shared Folder | A shared folder is a network share that has been published in the directory. |
| Shared Printer | A shared printer is a network printer that has been published in the directory. |

Adding an Organizational Unit

This procedure creates an organizational unit (OU) in the CSUN domain.

Note: You can create nested organizational units and there is no limit to the nesting levels, though Microsoft suggests that nesting more than five levels deep might slow the logon process.

These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment" (http://www.microsoft.com/technet/win2000/depprof1.asp). For your own organization, add the OUs under your organizational OU contained within the csun.edu Active Directory forest.

Note: You are not allowed to add a first-level OU. Unauthorized first-level OUs will be deleted without warning.

1. Click the + next to your OU to expand it.
2. Right-click the location under which you wish to insert the new OU.
3. Point to New and click Organizational Unit. Type the name of your new organizational unit and click OK.
4. Repeat steps 2 and 3 above to create additional organizational units, as needed.

For example, the screen shot in Figure 2 shows:
• Organizational unit ITR under csun.edu.
• Organizational unit Network Engineering & Operations under the ITR organizational unit.
• Organizational unit Computers and Groups Network Administration and Operations under the Network Engineering & Operations organizational unit. (To do this, right-click Network Engineering & Operations, point to New, and then click Organizational Unit.)

Click Network Engineering & Operations so that its contents will display in the right pane. When you are finished, you should have a hierarchy similar to Figure 2 below.

Figure 2: New OUs

Creating a Computer Object

A computer object is created automatically when a computer joins a domain; however, this places the computer object in the (first-level) OU Default Computers. Additionally, a warning pops up on the computer whenever someone logs into the machine, stating that the system is in the wrong location and to contact his or her local IT Tech staff or UHD to have it moved. To get it out of this OU and into your OU requires an Active Directory Enterprise Administrator to move it for you. A better method is for you to create the computer object before the computer joins the domain, so it will join in the correct OU.

Note: There is no unified object naming convention employed at CSUN; however, object naming should be standardized within your OU to enable the rapid and correct identification of each object within your organization.

Note: Each object name must be unique within the entire Active Directory.

To view the name of the computer you plan to add to Active Directory:

a. To view the computer's name in Windows 2000:
   i. Right-click My Computer.
   ii. Click Properties.
   iii. In the panel on the left side, click the Network Identification link.
   iv. Computer Name is shown as Full Computer Name (use the portion preceding .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.
b. To view the computer's name in Windows XP:
   i. Right-click My Computer.
   ii. Click Properties.
   iii. Click the Computer Name tab.
   iv. Computer Name is shown as Full Computer Name (use the portion preceding .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.

Figure 3: Computer Name

Using the previous structure as an example, if we wanted to add a computer named GDUHON to the Computers OU under the Network Engineering & Operations OU, we would complete the following tasks:

Note: Naming a computer with the name of the primary user may present an unnecessary security risk by alerting those who may be snooping on the network to the identity of the user of a particular machine, thereby making that machine the target of a directed attack. From a security standpoint, it would be better to name the computers in your OU something less identifying.

1. Right-click the Computers organizational unit under the Network Engineering & Operations OU, point to New, and then click Computer.
2. Type in the computer name: GDUHON
3. You can manage this computer in the Active Directory Users and Computers snap-in by right-clicking the computer object and then clicking Manage.
4. Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.
5. Once created, right-click the object and select the Security tab. Ensure that your a_ account is not present; if it is, remove it. Also ensure your Administrative group is listed; if it isn't, add it. Not doing this could restrict your administrative control of this object.

Note: If you cannot see the Security tab, from the top-line menu select View and select Advanced Features.

Figure 4: Adding a New Computer

Adding a Computer to the Domain

After creating a computer object but prior to first use, a computer must be physically joined to the domain. This process ensures that the appropriate policies are applied. The first step in this process is to ensure that the local computer's clock is synchronized with the network.

Note: It is important to create the computer object in Active Directory prior to joining the computer to the domain. If there is no object in Active Directory for the computer to join to, an object will be automatically created and placed in OU = Computers. You must then contact one of the e_ account holders or a member of the ITRAdmin group to move it to its correct location.

1. Open a command window (select Start, select Run and type cmd in the text box).
2. At the prompt, type: net time /setsntp:ntp.csun.edu
3. You should get a response that states: The command completed successfully.
4. Type: net stop w32time
5. You should get a response that states: The Windows Time service was stopped successfully.
6. Type: net start w32time
7. You should get a response that states: The Windows Time service was started successfully.
8. Close the command window.

Now join the computer to the network:

9. Right-click My Computer and select Properties.
10. In Windows 2000 select Network Identification followed by Properties; in Windows XP select Computer Name followed by Change.
11. Select Member of Domain and enter csun.edu or just csun.
12. You will be prompted to enter your username and password; use your a_ account name and password to authenticate your authority to perform this action.
13. If successful, you will receive a notice welcoming you to the domain and informing you to reboot the system.
14. Reboot the system.
15. Users may now log on to the csun domain.

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory Users and Computers snap-in. Computer Management is a component you can use to view and control many aspects of the computer configuration. Computer Management combines several administration utilities into a single console tree, providing easy access to a local or remote computer's administrative properties and tools.

Note: The following example assumes that you are working from a system and with an account that has management privileges on the system being managed, and that the system being managed is currently running.

Managing a Remote Computer

To manage a remote computer:

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU and expand it by clicking the +. Repeat this process until you get down to the level of the computer you wish to remotely manage.
3. Right-click the computer object and then click Manage.
4. If you are authorized to do so, a management window will open as shown in Figure 5. If the system cannot be remotely managed, a warning will be issued (Figure 6) and a management window will open as shown in Figure 7. If you are not authorized, a management window will open as shown in Figure 8.
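The "Creating a Computer Object" and "Adding a Computer to the Domain" procedures above, scripted with the Active Directory PowerShell module as an added example (not part of the CSUN guide): pre-stage the object in the right OU, audit and repair the object's ACL as step 5 of the guide requires, list machines that landed in Default Computers, and join with the object already in place. The OU distinguished names, the NetBIOS domain name CSUN, the ITR-Admins group and the a_example account are assumed placeholders, not values from the guide.

```powershell
# Added example, not code from the CSUN guide. Requires the ActiveDirectory module
# (RSAT) and an account with rights on the target OU.
Import-Module ActiveDirectory

$Domain           = 'CSUN'                                                      # NetBIOS name, assumed
$TargetOu         = 'OU=Computers,OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu'
$DefaultComputers = 'OU=Default Computers,DC=csun,DC=edu'                       # assumed DN of the catch-all OU
$AdminGroup       = 'ITR-Admins'                                                # hypothetical OU administrative group
$MyAccount        = 'a_example'                                                 # hypothetical "a under-bar" account

# Guide steps 1-2: create the object before the machine joins so it lands in our OU,
# not in Default Computers (which only an Enterprise Administrator can fix).
function New-PrestagedComputer {
    param([Parameter(Mandatory)][string]$Name, [string]$OuPath = $TargetOu)
    if (Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue) {
        throw "Computer name '$Name' is already in use; names must be unique in the forest."
    }
    New-ADComputer -Name $Name -Path $OuPath -Enabled $true
    Get-ADComputer -Identity $Name
}

# Guide step 5: the creator's a_ account must not appear in the object's ACL and the
# OU administrative group must. Returns an object describing both conditions.
function Test-ComputerObjectAcl {
    param([Parameter(Mandatory)][string]$Name, [string]$Group = $AdminGroup, [string]$Creator = $MyAccount)
    $dn  = (Get-ADComputer -Identity $Name).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $ids = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    [pscustomobject]@{
        Computer        = $Name
        CreatorInAcl    = $ids -contains "$Domain\$Creator"
        AdminGroupInAcl = $ids -contains "$Domain\$Group"
        Compliant       = ($ids -notcontains "$Domain\$Creator") -and ($ids -contains "$Domain\$Group")
    }
}

# Fix both conditions: drop the creator's explicit ACEs, grant the admin group full control.
function Repair-ComputerObjectAcl {
    param([Parameter(Mandatory)][string]$Name, [string]$Group = $AdminGroup, [string]$Creator = $MyAccount)
    $dn  = (Get-ADComputer -Identity $Name).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "$Domain\$Creator" -and -not $_.IsInherited })
    foreach ($ace in $mine) { [void]$acl.RemoveAccessRule($ace) }
    $sid  = (Get-ADGroup -Identity $Group).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Test-ComputerObjectAcl -Name $Name -Group $Group -Creator $Creator
}

# Detection: machines that joined without a pre-staged object end up in Default Computers
# and warn their users at logon; list them so they can be reported for relocation.
function Get-MisplacedComputers {
    Get-ADComputer -Filter * -SearchBase $DefaultComputers | Select-Object Name, DistinguishedName
}

# Guide steps 9-14, run on the workstation itself after the clock has been synced with
# "net time /setsntp:ntp.csun.edu" and w32time restarted as the guide describes.
function Join-PrestagedComputer {
    param([string]$OuPath = $TargetOu)
    $cred = Get-Credential -UserName "$Domain\$MyAccount" -Message 'a_ account used to join the domain'
    # -OUPath names the OU holding the pre-staged object, so the join does not fall
    # back to creating a new object in the default container.
    Add-Computer -DomainName 'csun.edu' -OUPath $OuPath -Credential $cred -Restart
}
```

Run New-PrestagedComputer, then Test-ComputerObjectAcl and Repair-ComputerObjectAcl from the administrator's workstation; Join-PrestagedComputer is run on the machine being joined.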

Figure 5 Remotely Managing a Computer Figure 6 Remote Computer not Found Warning 11 Step-by-Step Guide to Managing the Active Directory Figure 7 Remote Computer not Found Figure 8 Remote Computer Management not Authorized 12 Step-by-Step Guide to Managing the Active Directory Creating a Group A group is a container for people who have something in common and that need to be managed in a similar fashion. A few examples of the members that might be used to form a group could include students in a specific class are the only ones authorized to utilize the resources of a particular computer lab or the administrative staff. However, a group could just as easily be those people with birthdays in August. For example, to create a group called Comp100Users in the ECS OU: 1. Right-click the ECS OU, click New, and then click Group 2. In the Name of New Group text box, type: Comp100Users 3. Select the appropriate Group type and Group scope and then click OK • The Group type

indicates whether the group can be used to assign permissions to other network resources, such as files and printers. • The Group scope determines the visibility of the group and what type of objects can be contained within the group. Scope Visibility May contain Domain Local Domain Users, Domain Local, Global, or Universal Groups Global Forest Users or Global groups Universal Forest Users, Global, or Universal Groups Adding a User to a Group For example, to add users to the Comp 100 group created above: 1. Click ECS in the left pane 2. Right-click the Comp100Users group in the right pane, and click Properties 3. Click the Members Tab and click Add 4. Enter their user identification (UID) If adding multiple users separate them with a semi-colon (;). When finished adding names click on the Check Names button as in Figure 9 below, this will check the entered names against the list of current users. Any discrepancies will be identified and you will be asked to correct or

remove the UID from the list (Figure 10). 5. If you do not know the UID click on the Advanced button and follow instructions in the section called Finding Specific Objects below. 13 Step-by-Step Guide to Managing the Active Directory Figure 9 Add User to the Comp100Users Group 14 Step-by-Step Guide to Managing the Active Directory Figure 10 User not Found Nested Groups Nested groups allow you to provide college-wide or department-wide access to resources with minimum maintenance. Placing every user account into a single college-wide resource group is not an effective solution because it requires the creation and maintenance of a large number of membership links. To use nested groups, administrators create a series of account groups that represent the managerial divisions of the college or unit 15 Step-by-Step Guide to Managing the Active Directory For example, the top account group might be called "ECS Users," and would be attached to a resource group that

gives access to resources and shared directories. The next level might contain account groups that represent major divisions of the college for example CEAM, ME, CS, ECE, and MSEM. Each group at this level is a member of ECS Users, and is attached to a resource group giving access to shares and other resources appropriate to the division it represents. Within a division, the next level of account groups might represent departments. Shared resources for the department might include project schedules, meeting schedules, vacation schedules, or any network information appropriate to the whole department. The department account groups are all members of the division account group Within a department, the management structure can be organized into security groups to any required level of specificity. These might be team account groups and might represent leaf nodes in the organization’s hierarchical tree With this group hierarchy in place, you can give a new employee or student assistant

instant access to the resources of the team, department, the division, and the college as a whole by placing the user in a team account group. This system supports the principle of least access because the new employee or student assistant cannot view the resources of adjacent teams, other departments, or other divisions. Creating Nested Groups To create a nested group 1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu 2. Select the appropriate OU (ECS in our example) and expand it by clicking the + Repeat this process until you get down to the level where you wish to create a group(ex. OU=Groups,OU=CECS,OU=ECS,DE=CSUN,DC=EDU) 3. Create a new group by right-clicking Groups, pointing to New, and then clicking Group. Type ECS Users, and then click OK 4. Right-click the ECS Users Group, and then click Properties 5. Click the Members tab, and then click Add 6. In the Enter the objects name to select box, type CECS, and then click OK 7. Click OK again A

nested group has been created 8. Repeat steps 3 through 7 if additional nesting is required 16 Step-by-Step Guide to Managing the Active Directory Finding Specific Objects In a large directory deployment like ours, it may be unreasonable to browse a comprehensive list of objects in search of a unique object (we have over 400,000 objects in our Active Directory). Often, it is more efficient to find specific objects that meet a certain criteria. In the following example, you will find all users who have a first name starting with “Zeph” in the CSUN domain. To find users with a first name starting with Zeph 1. Click to select csunedu Right-click csunedu, and then click Find 2. Enter the letters zeph and press the Find Now button Figure 11. Employing Simple Directory Search Techniques Note: The same procedure is also valid for last names or UID’s. Additionally changing the Find dropdown will allow you to search for a number of other object types including computers, printers,

shared folders, OU’s using the same general procedure. 17 Step-by-Step Guide to Managing the Active Directory 3. If what you are searching for isn’t in any of the lists above you need to do an advanced search Click the Advanced tab In the Field drop-down list, select Group, and then click Name. 4. Type Comp for Value, and then click Add Click Find Now Your results should be similar to those shown in Figure 12 Figure 12. Employing Advanced Directory Search Techniques 5. Select the one or more user objects you were looking for, double click to open the objects. 6. Close the Find User, Contacts, and Groups window Filtering a List of Objects Filtering the list of returned objects from the directory can allow you to manage the directory more efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in For example, you can choose to view only users and groups, or you may want to create a more complex filter. If an OU has more than a

specified number of 18 Step-by-Step Guide to Managing the Active Directory objects, the Filter function allows you to restrict the number of objects displayed in the results pane. You can use the Filter function to configure this option To create a filter designed to display Groups only 1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu 2. Select the appropriate OU (COBAE in our example) and expand it by clicking the +. You should see a mixture of OU’s, computers and groups 3. Click the View menu, and then click Filter Options 4. Click the radio button for Show only the following types of objects, select Groups, and then click OK. 5. Reselect the appropriate OU (COBAE in our example) and expand it by clicking the +. Verify the filtering results You should now only see a mixture of OU’s and groups. 6. Remove the filter Writing a Group Policy Object Writing a Group Policy Object (GPO) can be a daunting and formidable task. The purpose of the

GPO is to provide a mechanism to limit the behavior of a system or the user currently using that system. To make the task easier, the GPO is divided into logical sections Below the root node, the namespace is divided into two parent nodes: Computer Configuration and User Configuration. These are the parent folders that you use to configure Group Policy settings Computer-related Group Policy is applied when the operating system boots and during the periodic refresh cycle, while User-related Group Policy settings are applied when users log on to the computer and during the periodic refresh cycle. Three nodes exist under the Computer Configuration and User Configuration parent nodes: Software Settings, Windows Settings, and Administrative Templates. The Software Settings and Windows Settings nodes contain extension snap-ins that extends either or both of the Computer Configuration or User Configuration nodes. Most of the extension snap-ins extends both of these nodes, but frequently with

different options The Administrative Templates node namespace contains all policy settings pertaining to the registry. Several documents are attached to help in deciding which settings are appropriate and which are necessary. • GPO Settings Explanations – This document goes through each setting and gives a brief explanation of what it does • Root (overridable and non-overrideable) GPO Settings – A listing of the settings that have been implemented at the root. Some of these settings are overridable and describe best practice, while others are not overrideable, describ19 Step-by-Step Guide to Managing the Active Directory ing policy. In both cases the settings apply to all systems and users in Active Directory. Note: To increase the security of the Active Directory Forest, the only users granted accesses to objects in the Active Directory from the root are members of the Enterprise and Local Administrative group. The permission to login to a system will need to be allocated

to the user via permissions given from a GPO placed within the local administrators OU. The so-called “account/account” will also be blocked, unless granted access privilege. Note: The no override setting on user settings is reserved for the root level GPO. It should not be used by any local administrator on settings designed for user behavior modification, as this setting will cause the User GPO settings to be propagated throughout the entire forest. Note: A GPO has been developed to automatically map a network drive to the U-drive share for a user as they log on to the system. This GPO is disabled for all users If a local administrator wished to enable it, please forward a request to an Enterprise Administrator identifying the OU and the name of the Group to enable. • Blank GPO Worksheet – a worksheet that can be used to document the settings you use in the GPO(s) developed for your OU. Create a Group Policy Object Because of the unique structure employed at CSUN for

the Active Directory forest, local administrators must develop two separate GPO’s. The first GPO would be for computer settings and the second GPO for user settings. As local administration of OU’s is desired, the computer GPO will be placed on the OU containing the computers and the group(s) by local administrator. The user GPO (if necessary) will have to be submitted to an Enterprise Administrator to be placed in the OU=Auth or at the root of the tree. Note: While the Computer GPO’s can be set as not overrideable (though this practice is not recommended), the User GPO’s must be overrideable and must have the Authenticated User security settings for both read and apply disabled and the group the GPO applies to added with the read and apply GPO enabled. 1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Select location of GPO Note: This may require you to click the + next to your OU to expand it. 3.

Right click the selected location and click on Properties 20 Step-by-Step Guide to Managing the Active Directory 4. Select the Group Policy Tab 5. Click New A new GPO is created 6. Enter the name of the new GPO and press enter Note: There is currently no universal naming convention at CSUN for GPO’s, however, as all GPO’s are stored in a single folder GPO names must start with the name of the first level OU responsible for it. For example all GPO’s for ITR will start with “ITR-“, also if a User GPO is being developed for use in conjunction with a Computer GPO they both should have the same name with a “–u” or “–c” appended to the end of the name. 7. Select the newly created GPO and click on Edit 8. Using a previously completed Blank GPO Worksheet as a guide, fill in the appropriate settings 9. When you are finished, exit the GPO and check the security settings of the GPO to insure that they are correct, then click OK. The new GPO will be applied to all

systems from that OU and below either the next time a user logs into a system in that OU or at the next system wide update (within 90 minutes). Note: You should note that the number of User GPO’s that are applied to a user affect the logon processing time and the number of Computer GPO’s applied affects the boot time. This time can be reduced by disabling the unused half of the GPO. To do this, right-click the GPO, click Properties, click either Disable Computer Configuration settings or Disable User Configuration settings, and then click OK. These options are available on the GPO Properties page, on the General tab. Edit a Group Policy Object Occasionally, a policy will need to be updated or changed. To do this: 1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Select location of GPO Note: This may require you to click the + next to your OU to expand it. Note: If a previously implemented User GPO needs

editing, it must be done by an Enterprise Administrator. 3. 4. 5. 6. Right click the selected location and click on Properties. Select the Group Policy Tab Select the GPO that needs changing and click on Edit. Expand the appropriate section(s). 21 Step-by-Step Guide to Managing the Active Directory 7. Find the setting that needs updating and double click it 8. Make the appropriate corrections and press enter Note: Changing a setting from either Enabled or Disabled to “Not Defined” will not delete the local setting. Once defined, the best way to change a setting is to select the opposite setting from the original (Enabled changes to Disabled and vice versa). 9. When you are finished exit the GPO editor, changes will be saved automatically The new GPO will be applied to all systems from that OU and below either the next time a user logs on to a system in that OU or at the next system wide update (within 90 minutes). Use an ADM file to create a GPO It is possible to implement

Registry-Based Group Policies. These policies allow the local administrator to define and implement registry settings that further control the state of computers and users via a GPO. Writing an .adm file is beyond the scope of this document; a good reference is http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/regappgp.asp

Note: Two .adm files are provided for use or as examples. The first points the local computer at a Software Update Services (SUS) server. This SUS server can either be local to the OU or the one provided and maintained by the ITR. The purpose of the SUS server is to reduce bandwidth usage and give local systems an unassisted ability to receive and install critical updates automatically at a given time on a given day. Because clients install whatever the configured SUS server offers them, the server named in this template must be one under ITR or OU-administrator control, and the GPO that carries it should be editable only by those administrators. The second .adm file gives the local administrator the ability to limit what users can do. This .adm file is useful in a computer laboratory setting where limits need to be in place.

Once an .adm file is created it needs to be integrated into a GPO (both for testing and for implementation). The integration is accomplished as follows (assuming the GPO exists):

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Select the location of the GPO.
   Note: This may require you to click the + next to your OU to expand it.
3. Right-click the selected location and click Properties.
4. Select the Group Policy tab.
5. Select the GPO that needs changing and click Edit.
6. Under either Computer Configuration or User Configuration, right-click Administrative Templates.
7. On the context menu that appears, click Add/Remove Templates.
8. A new dialog box appears that allows you to add or remove .adm templates. Click Add.
9. Enter the filename of the .adm file that you would like to add.
10. Click Open.
11. If your .adm file was loaded successfully, you will be returned to the dialog that you saw in Step 8. In this case click Close. Your policy template has been added; skip the steps below.
12. If your .adm file was not loaded successfully, you will be presented with a dialog listing the errors that occurred while parsing the .adm file.
13. Make a note of the errors that were found and click OK.
14. You will be returned to the dialog that you saw in Step 8. Although your .adm file was not loaded successfully, it will still appear in the list of loaded .adm files.
15. Select your .adm file and click Remove.
16. Click Close.
17. You are now back in the Group Policy snap-in. At this point, edit your .adm file and correct the problems, then repeat this process from Step 6 to load your .adm template again.

Publishing a Shared Folder

Any shared network folder, including a Distributed File System (DFS)

folder, can be published in Active Directory. Creating a Shared Folder object in the directory does not automatically share the folder. This is a two-step process: you must first share the folder, and then publish it in Active Directory.

To share a folder called Engineering Specs and publish it from the ITR\Network Engineering & Operations OU:

1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk volumes.
2. In Windows Explorer, right-click the folder name, and then click Properties. Click Sharing, and then click Share this folder.
3. Type ES in the Share name box and click OK. By default, the Everyone group has access to the new share (Full Control on Windows 2000, Read on Windows XP and Windows Server 2003). Click Permissions and replace the Everyone entry with the group that actually needs the share; the share permission and the NTFS permission together determine who can read or change the files.
4. Populate the folder with files, such as documents, spreadsheets, or presentations.

To publish the shared folder in the directory

1. In the Active Directory Users and Computers snap-in, right-click the ITR\Network Engineering & Operations OU, point to New, and click Shared Folder.
2. In the Name box, type Engineering Specs.
3. In the Network path box, type the UNC path of the share, for example \\daxps.csun.edu\ES or \\130.166.250.255\ES, and click OK. Prefer the DNS name: a connection made by IP address generally falls back to NTLM authentication instead of Kerberos.
4. The ITR\Network Engineering & Operations organizational unit appears as shown in Figure 13 below.
5. Users can now see this volume while browsing the directory.

Figure 13 Network Engineering & Operations OU contents showing a shared folder

To browse the directory

1. Double-click My Network Places on the desktop.
2. Double-click Entire Network, and then click Entire contents of the network.
3. Double-click Directory.
4. Double-click the domain name, csun, and then double-click the name of the OU (e.g. ITR\Network Engineering & Operations). To view the files in the volume, either right-click the Engineering Specs

volume and click Open, or double-click Engineering Specs.

Publishing a Printer

This section describes the processes for publishing printers in a Windows 2000 Active Directory-based network.

Windows 2000 Printers

You can publish a printer shared by a computer running Windows 2000 by using the Sharing tab of the printer Properties dialog box. By default, List in the Directory is enabled; the directory is the Active Directory data store. (This means that Windows 2000 Server publishes a shared printer by default.) The print subsystem automatically propagates changes made to the printer attributes (location, description, loaded paper, and so forth) to the directory.

Note: For this section of this guide, you must have a printer available and know its IP address. If you do not have an IP printer, you can still run through these procedures, substituting the correct port for Standard TCP/IP Port.

To add a new printer

1. Click Start, point to Settings, click Printers, and then double-click Add Printer. The Add Printer Wizard appears. Click Next.
2. Click Local printer, clear the Automatically detect and install my Plug and Play printer check box, and click Next.
3. Click Create a new port, select Standard TCP/IP Port in the list, and click Next.
4. The Add Standard TCP/IP Printer Port Wizard appears. Click Next.
5. On the Add Port page, type the IP address of the printer in the Printer Name or IP Address box, type the port name in the Port Name box, and click Next. Click Finish.
6. Select your printer's manufacturer and model in the Printers list box, and then click Next.
7. In the Printer name text box, type the name of your printer.
8. On the Printer Sharing page, type a name for the shared printer. Choose a name no more than eight characters long so that computers running earlier versions of the operating system display it correctly.
9. Type the Location and Comment in those text boxes.
10. Print a test page and click Finish.

After you create the printer, it is automatically published in Active Directory and the List in the Directory check box is selected.

You might also need to find the server from which a printer is shared before adding it to the machine you are working on.

To locate a printer

1. Click Start, point to Settings, and then click Printers.
2. Double-click the Add Printer icon.
3. In the Add Printer Wizard dialog box, click Next.
4. Select Network printer, and then click Next.
5. Select Find a printer in the Directory, and then click Next.
6. The Find Printers dialog box appears. If you know which domain your printer resides in, click Browse and choose that domain to narrow your search. Then, on the Printers tab, type the printer Name, Location, or Model in those text boxes and click Find Now.

Note: If you do not know the name, location, or model of the printer, you can simply click Find Now, and all the printers published in the domain you selected will be listed in the list box.

Adding Non-Windows 2000 Printers

You can publish printers shared by operating systems other than Windows 2000 in the directory. The simplest way to do this is to use the pubprn.vbs script, which publishes all the shared printers on a given server. It is located in the winnt\system32 directory.

To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs script

1. Click Start, click Run, type cmd in the text box, and click OK.
2. Type cd \winnt\system32 and press Enter.
3. Type cscript pubprn.vbs <server> "LDAP://ou=ecs,dc=csun,dc=edu" and press Enter, where <server> is the name of the print server (or the UNC path of a single shared printer, such as \\server\printer) and the quoted LDAP path is the container to publish into; in this example it is the ecs OU of the csun.edu domain.

The script copies only the following subset of the printer attributes: Location, Model, Comment, and UNC path. You can add other attributes by using the Active Directory Users and Computers snap-in.
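The shared-folder and printer publishing steps above, as a PowerShell script. This is an added example, not code from the guide or from CSUN ITR: it uses the ActiveDirectory, SmbShare and PrintManagement modules (Windows Server 2012 or later, which postdate this guide), is meant to run on the file/print server itself, and the OU, server, folder, share and group names are assumptions. It goes one step beyond the text by finishing with an inventory of every published volume and printQueue object under the OU, which is the check to run before trusting what users will find when they browse the directory.

```powershell
# Added example, not from the original guide. Publish a shared folder and a
# print server's queues in Active Directory, then inventory what is published.
# Requires the ActiveDirectory, SmbShare and PrintManagement modules
# (Windows Server 2012 or later). All names below are assumptions.
Import-Module ActiveDirectory
Import-Module SmbShare
Import-Module PrintManagement

$ou        = 'OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu'  # assumed OU DN
$server    = 'daxps.csun.edu'                                            # assumed file/print server
$localPath = 'D:\Shares\Engineering Specs'                               # assumed folder on that server
$group     = 'CSUN\NetEng-Staff'                                         # assumed group that needs the share

# Step 1 of the text: share the folder. Grant the share to the intended group
# rather than keeping the Everyone entry the Sharing tab creates by default.
if (-not (Test-Path -Path $localPath)) { New-Item -ItemType Directory -Path $localPath | Out-Null }
New-SmbShare -Name 'ES' -Path $localPath -ChangeAccess $group -FullAccess 'BUILTIN\Administrators' | Out-Null

# Step 2 of the text: publish it. A published share is a 'volume' object whose
# uNCName attribute holds the UNC path; creating the object does not share anything.
New-ADObject -Name 'Engineering Specs' -Type volume -Path $ou `
    -OtherAttributes @{ uNCName = "\\$server\ES"; description = 'Engineering documents' }

# Printers on a Windows print server: publishing is the 'List in the Directory'
# flag on each shared queue, which Set-Printer exposes as -Published.
Get-Printer -ComputerName $server | Where-Object { $_.Shared } |
    ForEach-Object { Set-Printer -ComputerName $server -Name $_.Name -Published $true }

# For a print server that is not running Windows, pubprn.vbs remains the tool
# (see the steps above). On current Windows the script is under
# System32\Printing_Admin_Scripts\<language>; the path below is an assumption:
#   cscript.exe "$env:SystemRoot\System32\Printing_Admin_Scripts\en-US\pubprn.vbs" $server "LDAP://$ou"

# Inventory: every published volume and printQueue under the OU, so stale UNC
# paths and printers published from servers nobody administers stand out.
Get-ADObject -SearchBase $ou -LDAPFilter '(|(objectClass=volume)(objectClass=printQueue))' `
    -Properties uNCName, serverName, location, driverName |
    Select-Object Name, ObjectClass, uNCName, serverName, location, driverName |
    Format-Table -AutoSize
```

The inventory query is worth scheduling: a volume object whose uNCName points at a decommissioned server, or a printQueue whose serverName is not one of yours, is exactly what a user browsing the directory will be steered to.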

Note: You can rerun pubprn.vbs; it updates existing printer objects rather than creating duplicates.

Alternatively, you can use the Active Directory Users and Computers snap-in to publish printers shared from non-Windows 2000 servers.

To use the Active Directory Users and Computers snap-in to publish printers

Right-click the Marketing organizational unit (or whichever OU should hold the object), click New, and click Printer. The New Object-Printer dialog box appears. In the text box, type the UNC path to the printer, such as \\server\sharename, and click OK.

End users benefit from printers being published in the directory because they can browse for printers, submit jobs to them, and install the printer drivers directly from the print server. Keep in mind that a driver obtained this way is installed on the client with system privileges, so publish only printers on servers that you or the ITR administer.

To browse and use printers in the directory

On the desktop, click Start, click Search, and click For Printers. In the Find Printers dialog, select the container in which you would like to search for printers. Then type information into the Name, Location, or Model text boxes and click Find Now to get a list of published printers.

Renaming, Moving, and Deleting Objects

Every object in the directory can be renamed and deleted, and most objects can be moved to different containers, provided you have the appropriate authorizations and permissions. To move an object, right-click the object, and then click Move. Click Browse. The Directory Browser appears, enabling you to select the destination container for the object that you are moving.

Figure 14 List of available OUs

Folder Redirection

The Folder Redirection extension to Group Policy is used to redirect user-specific folders such as My Documents from the client to a server, facilitating administrative management of user data.

Let the system create folders for each user

To ensure that folder redirection works as well as possible, create the root share only on the server, and let the system create the

folders for each user. For the simplest setup, set the share permissions to Full Control for the security groups you are redirecting, and set the NTFS permissions for Everyone to Full Control, this folder, subfolders and files (the defaults column below). Where you can, use the minimum permissions column instead: Full Control for Everyone on the root includes Delete Subfolders and Files and Change Permissions, so any user can rename another user's top-level folder (or delete it, if it is empty) regardless of that folder's own ACL, whereas the minimum set (List Folder, Create Files, Create Folders, this folder only) is all the system needs to create each user's folder. If you must create the folders for the users yourself, ensure that you set the correct permissions. The tables below show the default and minimum permissions required for folder redirection.

NTFS permissions required for the root folder

User account          Folder Redirection defaults                         Minimum permissions needed
Creator/Owner         Full Control, this folder, subfolders and files     Full Control, this folder, subfolders and files
Local Administrator   Full Control, this folder, subfolders and files     Full Control, this folder, subfolders and files
Everyone              Full Control, this folder, subfolders and files     List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data, this folder only
Local System          Full Control, this folder, subfolders and files     Full Control, this folder, subfolders and files

Share level (SMB) permissions required for the root folder

User account          Folder Redirection defaults    Minimum permissions needed
Everyone              Full Control                   Replace Everyone with a security group that matches the users who will need to put data on the share, and give that group Full Control

NTFS permissions required for each user's redirected folder

User account          Folder Redirection defaults                                                      Minimum permissions needed
%username%            Full Control, owner of folder                                                    Full Control, owner of folder
Local System          Full Control                                                                     Full Control
Everyone              Traverse Folder, Read Attributes, Read Extended Attributes, Read Permissions     No permissions

Use offline folder settings on the server share where the users' information is stored

This is especially important for users with laptops. Redirected folders of any type should be coupled with offline files. The recommended configuration for offline files is:

• MyDocs: Autocaching for Documents or Manual Caching

for documents (if you want users to have to "pin" files)
• AppData: Autocaching for Programs
• Desktop: Autocaching for Programs if the desktop is read-only
• StartMenu: Autocaching for Programs

Incorporate %username% into fully qualified universal naming convention (UNC) paths. This allows the system to create folders for users based on their user name.
  o For example, \\server\share\%username%\My Documents

Have My Pictures follow My Documents.
  o This is advisable unless there is a compelling reason not to, such as file share scalability.

Policy removal considerations

Keep in mind the behavior your folder redirection policies will have upon policy removal. The Folder Redirection section of the online help gives details.

• Accept defaults. In general, accept the default folder redirection settings.
• Don't store roaming profiles on the same server as redirected folders that are enabled for offline use.
  o When a share is unavailable, Offline Files considers the whole server to be unavailable until the offline cache is manually synchronized. Roaming profiles will not be synchronized with the server while Offline Files considers the server to be unavailable.
  o If you are using offline folders in conjunction with folder redirection and roaming user profiles, ensure that the folder redirection share and the profiles share are located on different servers.

Offline Folders Tips and Tricks

• Do not put the server share in a Distributed File System (DFS) tree. Using offline folders located in a DFS tree is not supported. If you do put shares configured for offline use in a DFS tree, unexpected behavior, such as Access Denied errors, may occur when moving from the offline to the online state.
• Not all types of files can be synchronized. By default, .mdb and .pst files are not synchronized, as they have other mechanisms of synchronizing.
• Don't store roaming profiles on the same server as redirected folders that are enabled for offline use. See Folder Redirection Tips and Tricks for details.
• Leaving certain kinds of documents open can prevent entering standby mode. When using offline folders, the original versions of Microsoft Word 2000 and Excel 2000 prevent the computer from going into standby mode when a document or spreadsheet is open. This is fixed in Office 2000 SR-1.

User profiles overview

On computers running Windows 2000 and later operating systems, user profiles automatically create and maintain the desktop settings for each user.

Advantages of using user profiles

User profiles provide several advantages:

• More than one user can use the same computer.
• When users log on to their individual workstations, they receive the desktop settings as they existed when they logged off.
• Customization of the desktop environment made by one user does

not affect another user's settings.
• User profiles can be stored on a server so that they can follow users to any computer running a Microsoft Windows NT or later operating system on the network. These are called roaming user profiles.

As an administrative tool, user profiles provide these options:

• You can create a default user profile that is appropriate for the user's tasks.
• You can set up a mandatory user profile that does not save changes made by the user to the desktop settings. Users can modify the desktop settings of the computer while they are logged on, but none of these changes are saved when they log off. The mandatory profile settings are downloaded to the local computer each time the user logs on. For more information on mandatory profiles, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_UP_Create_Mandatory_Profile.asp
• You can specify the default user settings that will be included in all of the individual user profiles.

User profile types

A user profile defines a customized desktop environment, which includes individual display settings, network and printer connections, and other specified settings. You or your system administrator can define your desktop environment. Types of user profiles include:

• Local user profile: A local user profile is created the first time you log on to a computer and is stored on the computer's local hard disk. Any changes made to your local user profile are specific to the computer on which you made the changes.
• Roaming user profile: A roaming user profile is created by the system administrator and is stored on a server. This profile is available every time you log on to any computer on the network. Changes made to your roaming user profile are updated on the server.
• Mandatory user profile: A mandatory user profile is a roaming profile that can be used to specify particular settings for individuals or an entire group of users. Only system administrators can make changes to mandatory user profiles.
• Temporary user profile: A temporary profile is issued any time an error condition prevents the user's profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made by the user to desktop settings and files are lost when the user logs off.

Note: CSUN Active Directory does not actively support the use of roaming profiles. References to roaming profiles are for informational purposes only.

Contents of a user profile

Every user profile begins as a copy of Default User, a default user profile stored on each computer running a Windows operating system. The NTuser.dat file within Default User contains Windows configuration settings. Every user profile also uses the common program groups contained in the All Users folder. The user profile folders contain various items, including the desktop and Start menu. The following table lists and describes

the contents of each user profile folder.

User profile folder    Contents
Application Data       Program-specific data (for example, a custom dictionary). Program vendors decide what data to store in this user profile folder. This folder roams with the user by way of roaming user profiles.
Cookies                User information and preferences.
Desktop                Desktop items, including files, shortcuts, and folders.
Favorites              Shortcuts to favorite locations on the Internet.
Local Settings         Application data, history, and temporary files that are specific to one computer. This folder is excluded from roaming user profiles; data that should follow the user belongs in Application Data.
My Documents           User documents and subfolders.
My Recent Documents    Shortcuts to the most recently used documents and accessed folders.
NetHood                Short,cuts to My Network Places items.
PrintHood              Shortcuts to printer folder items.
SendTo                 Shortcuts to document-handling utilities.
Start Menu             Shortcuts to program items.
Templates              User template items.

NTuser.dat file

The NTuser.dat file is the registry portion of the user profile. When a user logs off the computer, the system unloads the user-specific section of the registry (that is, HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about the registry, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntregconcepts_mply.asp

All Users folder

Although they are not copied to user profile folders, the settings in the All Users folder are used to create the individual user profiles. The Windows operating system supports two program group types:

• Common program groups are always available on a computer, no matter who is logged on.
• Personal program groups are private to the user who creates them.

Common program groups are stored in the All Users folder under the Documents and Settings folder. The All Users folder also contains per-computer settings for the Desktop and the Start menu.

Note: The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are the only

folders displayed in Windows Explorer by default. The NetHood, PrintHood, Local Settings, Recent, and Templates folders are hidden and do not appear in Windows Explorer. To view these folders and their contents in Windows Explorer, on the Tools menu, click Folder Options, click the View tab, and then click Show hidden files and folders.

Note: On computers running Windows operating systems with the NTFS file system, only members of the Administrators group can create, delete, or modify the common program groups.

To copy a user profile

• Open System in Control Panel.
• On the Advanced tab, under User Profiles, click Settings.
• Under Profiles stored on this computer, click the user profile you want to copy, and then click Copy To.
• Do one or more of the following:
  1. To specify where the new profile will be saved, in Copy profile to, type the location for the new profile, or click Browse to select the path.
  2. To specify who is permitted to use the copied profile, in Permitted to use, click Change.
     • In the Select User or Group dialog box, in Enter the object name to select, add the user, group, or built-in security principal, or click Object Types to select an object type.
     • To specify a domain to search, in the Select User or Group dialog box, click Locations, and then select the domain.
     • To further narrow your search, in the Select User or Group dialog box, click Advanced.
     • Click OK.
     Permitted to use becomes the ACL on the copied profile folder and its NTuser.dat, the user's registry hive. Grant Everyone only when you are building a default profile; when copying a specific user's profile, grant only that user.

Note: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

Note: To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System.

Note: To open System from a command line as an administrator, type:

runas /user:computername\Administrator "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl"

Note: You cannot copy or delete a user profile that belongs to the currently logged on user or any user whose profile is in use.

Note: If you copy the profile to a new location, you must update the User Profile Path entry for the user's account to refer to this new location as well.

Note: You cannot use Windows Explorer or any other file management utility to copy user profiles.

To create a preconfigured user profile

1. Create a new user account that will be used as a template for the preconfigured user profile. For more information, see Creating a Local User Account under Attachments at the end of this guide.
2. Log on as the new user, then customize the desktop and install applications to configure this user's profile as the user profile template.
3. Log off, and then log on as the administrator.
4. Open System in Control Panel.
5. On the Advanced tab, under User Profiles, click Settings.
6. Under Profiles stored on this computer, select the user that you created in step 1, and click Copy To.
   • If you want a domain-wide default profile, enter the path to the Default User folder in the NETLOGON share on the domain controller (\\<domain controller>\NETLOGON\Default User). This creates the default user profile for the domain.
   • If you want to change the default profile for the local computer only, copy the profile to the %SystemDrive%\Documents and Settings\Default User folder.
7. In the Copy To dialog box, under Permitted to use, click Change.
8. In the Select User or Group dialog box, in Enter the object name to select, type Everyone. This sets the profile as the default for everyone in this domain.

Caution: If you are using a roaming profile and install a program on one computer while simultaneously logged on to another computer, you might overwrite crucial program-related registry settings stored in your roaming profile, thus preventing you from running those programs. For example: You are logged on to computer A and computer B. You install a program on computer B and then log off computer B. Computer B stores the shortcuts for the application, and the registry is saved to your roaming profile. Computer A does not get the updated profile information until you log off and log on again. When you log off from computer A, however, the computer overwrites the registry stored in the roaming profile (which now includes the Microsoft Windows Installer (MSI) registration for the program you installed on computer B) with the stale registry information from computer A. The program shortcuts remain in your roaming profile, but the Windows Installer data stored in the registry settings is lost, preventing you from running the programs. You can repair your roaming profile by repairing or reinstalling the program on computer B or by installing the program on computer A.

Note: The notes under To copy a user profile (Administrators membership, Run as, how to open System, and profiles that are in use) apply to this procedure as well.

Note: The first time a user logs on, a copy of the preconfigured user profile is returned from the server instead of a copy of the default profile on the local computer. Thereafter, the user profile functions the same as a standard roaming user profile does. Each time the user logs off, the user profile is saved locally and is also copied to the server.

Note: The Windows operating system does not support the use of encrypted files within roaming user profiles.

Note: Roaming user profiles used with Terminal Services clients are not replicated to the server until the interactive user logs off and the interactive session is closed.

User Profiles and Roaming User Profiles Tips and Tricks

Profiles are basic to the system and they were part of Windows NT 4.0. Generally,

they work and are configured in Windows 2000 as they did in Windows NT 4.0. When the user object is enabled with roaming user profiles, it is considered part of the IntelliMirror feature set.

• If your users roam between Windows NT 4.0 clients and Windows 2000 clients, set the profile path during installation on Windows 2000.
  o For more information, see Q224012, Using User Profiles with Both Windows 2000 and Windows NT 4.0, http://support.microsoft.com/support/kb/articles/Q224/0/12.ASP
• Redirect the location of the My Documents folder outside of the user's roaming profile.
  o The best way is with folder redirection. If you do not have Active Directory enabled, you can do this with a logon script or instruct the user to do so.
• Do not use Encrypting File System (EFS) with roaming user profiles, offline folders, or File Replication Service (FRS).
  o EFS is not compatible with roaming user profiles, offline folders, or FRS.
• Don't set disk quotas too low for users with roaming profiles.
  o If a user's disk quota is set too low, roaming profile synchronization may fail. Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of the user's profile. The temporary copy is created in the user's context as part of the synchronization process, so it counts against his or her quota.
• Do not use offline folders on roaming profile shares.
  o Make sure that you turn off Offline Files for shares where roaming user profiles are stored. If you do not, you may experience synchronization problems as both Offline Files and roaming profiles try to synchronize the files in a user's profile.
  Note: This does not affect using offline folders with redirected My Documents and similar folders.
• Don't store roaming profiles on the same server as redirected folders that are enabled for offline use.
  o See Folder Redirection Tips and Tricks for details.
• If roaming profiles are stored on a Windows NT 4.0 share, ensure that users are given Full Control share permissions.
  o If you are using Windows 2000 Professional in a Windows NT 4.0 domain, and the server hosting the profile share is a Windows NT 4.0 computer, make sure that users are given Full Control share permissions. Not having the share permissions set to Full Control will result in profiles not synchronizing. The event log will contain errors such as:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1000
    Description: Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator. Detail - Access is denied.

    This problem occurs because the Change share permission does not include WRITE_DAC access, so the system cannot copy the ACLs. Windows 2000 copies roaming profile ACLs, whereas Windows NT 4.0 does not.
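The permission tables in the Folder Redirection section and the share-permission tip directly above both come down to the same two ACLs, so here is one script for both. It is an added example, not code from the guide or from CSUN ITR: it builds the root folder for redirected folders with the minimum NTFS permissions from the tables, shares it to a single security group, and then audits a share for the two mistakes this page warns about, Everyone holding Full Control on the root and a profile or redirection share granted only Change (which lacks WRITE_DAC). It needs the SmbShare module (Windows Server 2012 or later) and must run on the file server; the path, share name and group are assumptions.

```powershell
# Added example, not from the original guide. Minimum-permission root folder
# for redirected folders, plus an audit of an existing share. The path, share
# name and group below are assumptions; run this on the file server itself.
Import-Module SmbShare

$root  = 'D:\Redirected'          # assumed local path of the root folder
$share = 'Redirected$'            # assumed share name (hidden share)
$group = 'CSUN\FR-Users'          # assumed group whose folders are redirected

function New-AccessRule {
    # Build a FileSystemAccessRule from the 'this folder only' / 'subfolders
    # and files' wording the permission tables use.
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [ValidateSet('ThisFolderOnly', 'SubfoldersAndFilesOnly', 'ThisFolderSubfoldersAndFiles')]
          [string]$Scope)
    $inherit = 'None'; $prop = 'None'
    if ($Scope -ne 'ThisFolderOnly') { $inherit = 'ContainerInherit, ObjectInherit' }
    if ($Scope -eq 'SubfoldersAndFilesOnly') { $prop = 'InheritOnly' }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $prop, 'Allow')
}

function Set-RedirectionRootAcl {
    # NTFS ACL for the root folder, minimum-permissions column of the table.
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)            # stop inheriting the volume's ACL
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\SYSTEM'   'FullControl' 'ThisFolderSubfoldersAndFiles'))
    $acl.AddAccessRule((New-AccessRule 'BUILTIN\Administrators' 'FullControl' 'ThisFolderSubfoldersAndFiles'))
    # CREATOR OWNER only has meaning as an inheritable entry: each user becomes
    # owner of the folder the system creates for them and gets Full Control there.
    $acl.AddAccessRule((New-AccessRule 'CREATOR OWNER' 'FullControl' 'SubfoldersAndFilesOnly'))
    # Everyone gets exactly what folder creation needs on the root and nothing
    # inside the per-user folders: list, create file, create folder, this folder only.
    $acl.AddAccessRule((New-AccessRule 'Everyone' 'ListDirectory, CreateFiles, CreateDirectories, ReadAttributes' 'ThisFolderOnly'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RedirectionShare {
    # Returns one finding per problem; no output means the share matches the tables.
    param([string]$ShareName, [string]$LocalPath)
    $findings = @()
    $deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    foreach ($ace in (Get-Acl -Path $LocalPath).Access) {
        # Full Control (but not Modify) carries Delete Subfolders and Files, which
        # lets a user rename or remove other users' top-level folders.
        if ($ace.IdentityReference -match '^(Everyone|.*\\Authenticated Users|.*\\Users)$' -and
            (($ace.FileSystemRights -band $deleteChild) -ne 0)) {
            $findings += "NTFS: $($ace.IdentityReference) can rename or delete other users' folders in $LocalPath"
        }
    }
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        if ($entry.AccountName -eq 'Everyone') {
            $findings += "Share: Everyone is granted $($entry.AccessRight); use a security group instead"
        }
        if ($entry.AccessControlType -eq 'Allow' -and $entry.AccessRight -ne 'Full') {
            $findings += "Share: $($entry.AccountName) has $($entry.AccessRight); profile sync needs Full (Change lacks WRITE_DAC)"
        }
    }
    return $findings
}

Set-RedirectionRootAcl -Path $root
New-SmbShare -Name $share -Path $root -FullAccess $group -CachingMode Documents | Out-Null
Test-RedirectionShare -ShareName $share -LocalPath $root
```

Test-RedirectionShare can be pointed at an existing profile share as well: the Userenv 1000 "Access is denied" error described above shows up as a finding on the share entry before any user sees it.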

Attachments: Creating a Local User Account

The following procedure creates the user account James Smith in the /ITR/Network Engineering & Operations OU.

Note: This procedure is provided for informational purposes only. Active Directory is populated with a list of authorized users (contained in OU=Auth/People). This list is a mirror of the list maintained at the Enterprise level. This procedure would be followed only for a specialized user (e.g. if a local daemon requires a local logon, though this practice is strongly discouraged; if such an account is approved, give it a long, unique password and deny it interactive logon, since a service account has no need to log on at the console). Only Enterprise Administrators are authorized to create local accounts. If you need a local user account, please contact the Enterprise Administrator. Local user accounts not created by an Enterprise Administrator will be deleted whenever found.

To create a new local user account

1. Right-click the /ITR/Network Engineering & Operations organizational unit, point to New, and then click User, or click New User on the snap-in toolbar.
2. Type the user information as in Figure 15 below.

Figure 15 New User dialog

   Note: The Full name is automatically filled in after you enter the First and Last names.
3. Click Next to proceed.
4. Type a password in both the Password and Confirm password boxes and click Next.
5. Accept the confirmation in the next dialog box by clicking Finish.

You have now created an account for James Smith in the /ITR/Network Engineering & Operations OU. To add additional information about this user:

6. Select /ITR/Network Engineering & Operations in the left pane, right-click James Smith in the right pane, and then click Properties.
7. Add more information about the user in the Properties dialog box on the General tab as shown in Figure 16 below, and click OK. You are provided with a selection of optional entries; click each tab you want to go to.

Figure 16 Additional User Information
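The New User dialog steps above as an added PowerShell example (not code from the guide or from CSUN ITR), for the Enterprise Administrator who is actually authorized to run it. It uses the ActiveDirectory module (Windows Server 2008 R2 or later); the OU distinguished name, UPN suffix, names and logon name are assumptions, and the password is prompted for rather than written into the script. It also reads the account back after creation, which the dialog never shows you.

```powershell
# Added example, not from the original guide. Create a user in a given OU the
# way the New User dialog does, then read it back. The OU, UPN suffix and
# account details are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu'   # assumed DN

function New-DepartmentUser {
    param([string]$GivenName, [string]$Surname, [string]$SamAccountName,
          [string]$OuPath, [securestring]$Password, [string]$Description)
    $params = @{
        GivenName             = $GivenName
        Surname               = $Surname
        Name                  = "$GivenName $Surname"       # Full name, as the dialog fills it in
        DisplayName           = "$GivenName $Surname"
        SamAccountName        = $SamAccountName             # User logon name (pre-Windows 2000)
        UserPrincipalName     = "$SamAccountName@csun.edu"  # assumed UPN suffix
        Path                  = $OuPath
        AccountPassword       = $Password
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the user, not the administrator, ends up knowing the password
        Description           = $Description                # the General tab's Description field
    }
    New-ADUser @params
    # Read the object back so the caller can confirm where it landed and that
    # no one has flagged it with a non-expiring password.
    Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, Description
}

$pw   = Read-Host -AsSecureString -Prompt 'Initial password for jsmith'
$user = New-DepartmentUser -GivenName 'James' -Surname 'Smith' -SamAccountName 'jsmith' `
            -OuPath $ou -Password $pw -Description 'Network Engineering & Operations'
$user | Format-List Name, SamAccountName, UserPrincipalName, DistinguishedName, Enabled, PasswordNeverExpires
```

The optional General-tab entries (office, telephone, e-mail) map to Set-ADUser parameters such as -Office, -OfficePhone and -EmailAddress and can be applied to the returned object afterwards.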