NALec07AD&Group 2024


Network Admin

Lecture 07
Improving Security using Active Directory & Groups

CRICOS 00111D, TOID 3059


Powershell

Cmdlet Use
New-ADUser* Creates user accounts.
Set-ADUser Modifies the properties of user accounts.
Remove-ADUser Deletes user accounts.
Set-ADAccountPassword Resets the password of a user account.
Set-ADAccountExpiration Modifies the expiration date of a user account.
Unlock-ADAccount Unlocks a user account.
Enable-ADAccount Enables a user account.
Disable-ADAccount Disables a user account.

e.g.
New-ADUser -Name Jill
will create a disabled user account in the Users container
New-ADUser -Name "Jack" -Path "ou=ICT,dc=SWin,dc=local" -AccountPassword (ConvertTo-SecureString -AsPlainText "Pa55w.rd" -Force) -Enabled $True
will create an active user account in the ICT Organisational Unit
* Examinable

Warren (2017), 70-742, p.53


User Account Templates

Attributes that copy:
– Group Memberships
– Home Directories (%username%)
– Profile Settings
– Logon Scripts
– Logon Hours
– Password Settings
– Department Name
– Manager

Hint: Name the template in a way that makes it stand out from user accounts, e.g. _usrSalesTemplate.

Warren (2017), 70-742, p.51
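As an added example (not from the lecture or the Warren text): creating an enabled account in the ICT OU without putting the password on the command line, then creating a second account from a template with -Instance. The domain swin.local and the ICT OU are the slide's; the user names, the home-directory server and the template account _usrICTTemplate are constructed for this example.

```powershell
# Added example, not from the lecture. Assumes the ActiveDirectory module,
# the OU ou=ICT,dc=swin,dc=local and a template account _usrICTTemplate
# (constructed name) exist; run as an account allowed to create users.
Import-Module ActiveDirectory

# Prompting keeps the initial password out of the console history and
# transcripts, unlike ConvertTo-SecureString -AsPlainText "..." on the slide.
$initialPassword = Read-Host -Prompt 'Initial password for jsmith' -AsSecureString

$newUser = @{
    Name                  = 'Jack Smith'
    SamAccountName        = 'jsmith'
    UserPrincipalName     = 'jsmith@swin.local'
    GivenName             = 'Jack'
    Surname               = 'Smith'
    Path                  = 'OU=ICT,DC=swin,DC=local'
    AccountPassword       = $initialPassword
    Enabled               = $true
    ChangePasswordAtLogon = $true     # the user must pick their own password at first logon
}
New-ADUser @newUser

# Contractors get an expiry date so the account does not outlive the engagement.
Set-ADAccountExpiration -Identity 'jsmith' -DateTime (Get-Date).AddMonths(6)

# Template-based creation: read the copyable attributes from the template and
# hand the object to -Instance so only the identity fields need to be supplied.
$template = Get-ADUser -Identity '_usrICTTemplate' `
    -Properties Department, Manager, ScriptPath, ProfilePath, LogonHours
New-ADUser -Name 'Jill Jones' -SamAccountName 'jjones' -UserPrincipalName 'jjones@swin.local' `
    -Path 'OU=ICT,DC=swin,DC=local' -Instance $template `
    -HomeDirectory '\\fs1\home\jjones' -HomeDrive 'H:' `
    -AccountPassword (Read-Host -Prompt 'Initial password for jjones' -AsSecureString) -Enabled $true

# -Instance does not copy group membership, so copy it explicitly (skipping the
# primary group), and keep the template itself disabled so nobody can log on with it.
Get-ADPrincipalGroupMembership -Identity '_usrICTTemplate' |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'jjones' }
Disable-ADAccount -Identity '_usrICTTemplate'

# Verify what was created.
Get-ADUser -Identity 'jjones' -Properties Department, Manager, MemberOf |
    Select-Object Name, Enabled, Department, Manager, MemberOf
```

The home directory is set explicitly rather than copied, because -Instance copies the template's literal path; the %username% substitution the slide mentions is done by the GUI, not by the cmdlet.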


Bulk User Account Creation

CSVDE - Can import/export new user account details from a Comma Separated Value file (i.e. spreadsheet text). Since Windows Server 2003.

LDIFDE - Can import/export new user account details from an LDAP database. Since Windows Server 2008.
(Hint: AD DS uses LDAP format, so if you want to export user accounts and import them into a new domain use LDIFDE)

Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]

https://technet.microsoft.com/en-us/library/2007.09.adtools.aspx
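As an added example (not from the lecture): bulk creation from CSV rows with Import-Csv/New-ADUser, followed by an ldifde export of the same OU using only the switches listed in the syntax above. The CSV rows, the OU distinguished names and the user names are constructed; swin.local is the slide's domain.

```powershell
# Added example, not from the lecture. The CSV text below stands in for a
# spreadsheet export; every account name and OU in it is constructed.
Import-Module ActiveDirectory

$csvText = @'
SamAccountName,GivenName,Surname,Department,OU
akhan,Ayesha,Khan,Sales,"OU=Users,OU=Sales,OU=Melb,DC=swin,DC=local"
bliu,Bo,Liu,Accounting,"OU=Users,OU=Accounting,OU=Melb,DC=swin,DC=local"
'@

# A random initial password per account (never one shared password for the
# whole file); the user is forced to change it at first logon.
function New-InitialPassword {
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($row in ($csvText | ConvertFrom-Csv)) {
    # Skip accounts that already exist instead of failing halfway through the file.
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") {
        Write-Warning "$($row.SamAccountName) already exists, skipping"
        continue
    }
    $params = @{
        Name                  = "$($row.GivenName) $($row.Surname)"
        SamAccountName        = $row.SamAccountName
        UserPrincipalName     = "$($row.SamAccountName)@swin.local"
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        Department            = $row.Department
        Path                  = $row.OU
        AccountPassword       = (New-InitialPassword)
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    New-ADUser @params
}

# Export the Melb OU's user objects in LDIF so they can be imported into another
# domain with "ldifde -i" (use -c on import to rewrite the DN suffix, as in the
# syntax on the slide). Only the attributes listed with -l are exported.
ldifde -f melb-users.ldf -d "OU=Melb,DC=swin,DC=local" -r "(objectClass=user)" -l "cn,sAMAccountName,givenName,sn,department"
```

Adding -WhatIf to the New-ADUser call lists what would be created without touching the directory, which is worth doing once before running a large file.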
Navigating the Domain Hierarchy:
Organizational Units (OUs)

• Organizational Units (OUs) are hierarchical containers within a domain that help organize user and computer accounts.
• Function similarly to departments within an organization.
• OUs enable administrators to delegate control and apply group policies to specific subsets of users or computers.
• Imagine a large company with departments like Marketing, Sales, and IT. OUs in Active Directory can mirror this structure, allowing for more granular management of resources.

Why OUs?

– Allows a logical structure that speeds up locating objects
– Allows users to be delegated management privileges.
– Allows configurations to be targeted using Group Policy

Create Via:
Right click in DSA or ADAC
PowerShell
New-ADOrganizationalUnit -Name Hbt -Path "dc=swin,dc=local"

Warren (2017), 70-742, p.70


Organisational Unit Structure

The hierarchy of OUs is generally based on:
– Location: e.g. Aus, USA, Jpn
– Business Unit: e.g. Sales, Accounting, Research
– Resource: e.g. Server, Laptop, PC, User

Hierarchy determined by Admin e.g.
– Location > Unit > Resource
– Location > Resource > Unit
– Unit > Resource > Location
– Resource > Unit > Location
– etc

Warren (2017), 70-742, p.69


Delegating Control to OUs
i.e. Allocating permissions to OUs

– Run Delegate Control Wizard by right clicking the OU
– View, Advanced Features to access OU Security Permissions for fine tuned access.

Warren (2017), 70-742, p.69


Changing Default Location of Computer Accounts

The default AD containers Users and Computers are not OUs, so they cannot have GPOs linked to them.
It is best to change the default locations by using redircmp and redirusr
e.g.
redircmp <Container-DistinguishedName>
redircmp "OU=Melb,DC=swin,DC=local"

Will redirect all new computer accounts that don't have a DN set to the Melb OU

https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/
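As an added example (not from the lecture) covering the OU slides above: building a Location > Unit > Resource hierarchy with New-ADOrganizationalUnit in a way that can be re-run safely, then redirecting the default containers with redircmp and redirusr and checking the result. The location, unit and resource names and the Staging OU are constructed; swin.local is the slide's domain.

```powershell
# Added example, not from the lecture. Run on a domain controller as a Domain Admin;
# redircmp/redirusr are the built-in tools the slide names.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=swin,DC=local

# Create an OU only if it is not already there, so the script is idempotent.
function New-OuIfMissing([string]$Name, [string]$ParentDn) {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDn"
}

# Location > Business Unit > Resource (constructed layout)
$layout = @{
    'Melb' = @{ 'Sales' = @('Users', 'Computers'); 'ICT' = @('Users', 'Computers', 'Servers') }
    'Syd'  = @{ 'Sales' = @('Users', 'Computers') }
}
foreach ($location in $layout.Keys) {
    $locationDn = New-OuIfMissing $location $domainDn
    foreach ($unit in $layout[$location].Keys) {
        $unitDn = New-OuIfMissing $unit $locationDn
        foreach ($resource in $layout[$location][$unit]) {
            New-OuIfMissing $resource $unitDn | Out-Null
        }
    }
}

# New accounts otherwise land in the Users/Computers containers, which cannot
# have GPOs linked. Redirect them to OUs under a Staging OU so the policies for
# new objects apply until an admin moves each object to its real OU.
$stagingDn          = New-OuIfMissing 'Staging' $domainDn
$stagingComputersDn = New-OuIfMissing 'Computers' $stagingDn
$stagingUsersDn     = New-OuIfMissing 'Users' $stagingDn
redircmp $stagingComputersDn
redirusr $stagingUsersDn

# Confirm the redirection took effect.
Get-ADDomain | Select-Object UsersContainer, ComputersContainer
```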
Revision - Security Permissions

NTFS permissions
– A part of the NTFS file system – cannot be used on FAT partitions.
– Sometimes called NTFS permissions.
– Always apply whether the user is local (i.e. interactive), network or remote.
– Attached to the object (i.e. File or Folder) not the User account.

FOLDER PERMISSIONS (NTFS), each with an Allow and a Deny checkbox:
Full Control, Modify, Read & execute, List folder contents, Read, Write

FILE PERMISSIONS (NTFS), each with an Allow and a Deny checkbox:
Full Control, Modify, Read & execute, Read, Write

Zacker (2017), 70-740, p.118, Table 2-3  READ THIS it is examinable!!!


Revision - Permissions Change with Each Object Type

There are many different objects in Active Directory. Each object has a set of permissions applicable to that object.

FOLDER PERMISSIONS (NTFS, Allow/Deny): Full Control, Modify, Read & execute, List folder contents, Read, Write
FILE PERMISSIONS (NTFS, Allow/Deny): Full Control, Modify, Read & execute, Read, Write
PRINTER PERMISSIONS: (figure not recoverable from the extracted slide)

Permission Inheritance

– Permissions assigned for an object are Explicit (black ticks)
– Permissions assigned for a parent object are Inherited (grey ticks)
– Explicit permissions override Inherited permissions

Zacker (2017), 70-740, p.117


Permission Precedence
For Security Permissions attached to an object:
– Explicit Deny overrides Explicit Allow
– Explicit Allow overrides Inherited Deny
– Inherited Deny overrides Inherited Allow

The Effective Access tab in Advanced Security can confirm the effective access of a user or group.

Zacker (2017), 70-740, p.116-117


Inheritance Example: (figure not recoverable from the extracted slide)

Revision - Group Role Based Access Control

Account Groups
– Used for grouping accounts that have similar requirements. e.g. user accounts from the sales department
– Global groups nearly always fill this role
– The name of the group reflects the accounts e.g. G_Sales

Resource Groups (ACL)
– Used to control access to resources [Object/files/folder] (hence ACL)
– Domain Local groups nearly always fill this role (Global groups can fill this role in an SBS or temporary domain)
– The name reflects the resource(s) and the permissions being given e.g. DL_SalesData_RW or ACL_SalesFolders_RO

Warren (2017), 70-742, p.64


Revision - GROUP SCOPES

Table columns: Scope | Role/Purpose | Membership (i.e. who can be a member of this group) from the same domain / from another domain | Resources (i.e. where are the resources that this group can have permissions to?) in the same domain / in another domain | Limitations

G - Global
– Role: To group Identities (i.e. user and computer accounts) that have similar requirements
– Members from the same domain: User Accounts, Computer Accounts, Global Groups
– Members from another domain: No
– Resources in the same domain: Yes; in another domain: Yes
– Limitations: Cannot have members from another domain

DL - Domain Local
– Role: Resource - To control Access to resources (e.g. files, folders & printers)
– Members from the same domain: User Accounts, Computer Accounts, Global Groups, Domain Local Grps, Universal Groups
– Members from another domain: User Accounts, Computer Accounts, Global Groups, Domain Local Grps, Universal Groups* (*Only from the same forest)
– Resources in the same domain: Yes; in another domain: No
– Limitations: Cannot give access to resources in another domain

U - Universal
– Role: To collect groups from multiple domains in the forest
– Members from the same domain: User Accounts, Computer Accounts, Global Groups, Domain Local Grps, Universal Groups
– Members from another domain: User Accounts, Computer Accounts, Global Groups, Domain Local Grps, Universal Groups
– Resources in the same domain: Yes; in another domain: Yes
– Limitations: Do not belong to any one domain, but to the whole forest. Hence has an overhead that can slow all DCs in the forest down

Local groups will not be used in Network Admin.

Apply groups using an I -> G -> DL <- A like strategy (Identities into Global groups, Global groups into Domain Local groups, Access assigned to the Domain Local group).

Warren (2017), 70-742, p.64
Wake Brain
Accountants need to be able to update customer accounts. Bookkeepers need to be able to read the accounts.
TASK: Develop a group strategy for this scenario:
1. What groups need to be created (Global, Universal, Domain Local)?
2. What names will you give these groups?
3. What permissions should you assign?

Identities: Accountants, Bookkeepers. Resource: CustAccounts

Account versus ACL groups example (diagram)

Identity=Accountants -> make a member of G_Accountants -> make a member of DL_CustAccounts_RW -> Assign RW permissions to CustAccounts
Identity=Bookkeepers -> make a member of G_Bookkeeper -> make a member of DL_CustAccounts_R -> Assign R permissions to CustAccounts

Note: If the folder is not shared, users must log on locally.
Nesting Global Groups
Second Level Account Groups

Occasionally we face the need to group multiple account groups e.g.

– A department made up of teams:
  • Sometimes the whole department has the same requirements, but the teams in the department have different requirements.
  • Solution: create an account group for the department, nest the team account groups into the department's group.

– A team is spread across numerous domains, yet has the same requirements:
  • Resources (Object/Files/Folder) for the ITAdmin team are spread across many domains. Members of the ITAdmin team are spread across many domains.
  • Solution: create an account group for ITAdmin members on each domain e.g. Au_ITAdmin, Id_ITAdmin, Co_ITAdmin. Create a forest wide account group for the ITAdmin team, nest the domain account groups into the forest account group.

Second Level Account Groups - Scope
If the 2° account group is collecting groups from within a single domain it should be a Global group.

If the 2° account group collects groups from different domains it should be a Universal group.

Note: We do not use Domain Local groups for 2° account groups.


Choose a Second Level Account Group for the Following:
(Scope and Name)

Acme is a multi-Domain forest:

1. The Head-office domain has the Finance department. This comprises the Customer_Accounts and the Supplier_Accounts teams. Sometimes the user accounts need to be treated as a department, other times as a team.

2. The Sales department has a team in every domain. They should all have access to the sales documents in every domain.
2nd Level Account Groups - Global

Use when grouping Global groups from the same Domain

e.g. A department is made up of many teams. Sometimes access needs to be based on department membership, other times team membership

2nd Level Account Groups - Universal

Global groups cannot have members from other Domains, so Universal groups must be used when grouping teams from different domains.
e.g. The IT technicians in each domain need to have the same access.
Why don't we just use Universal groups?

Warren (2017), 70-742, p.64
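As an added example (not from the lecture) of both the account/ACL group strategy from the Accountants and Bookkeepers scenario and the two second-level cases above: the group names follow the slides; the Groups OU, the user names, the team groups G_CustomerAccounts, G_SupplierAccounts and G_Sales, and the child domain syd.swin.local are constructed.

```powershell
# Added example, not from the lecture. Assumes the ActiveDirectory module and
# that the constructed users and team groups already exist.
Import-Module ActiveDirectory
$groupOu = 'OU=Groups,OU=Melb,DC=swin,DC=local'     # constructed

function New-SecurityGroup([string]$Name, [string]$Scope) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOu)) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $groupOu
    }
}

# Account groups (Global): named for the identities they collect.
New-SecurityGroup 'G_Accountants' Global
New-SecurityGroup 'G_Bookkeepers' Global
# Resource / ACL groups (Domain Local): named for the resource and the permission.
New-SecurityGroup 'DL_CustAccounts_RW' DomainLocal
New-SecurityGroup 'DL_CustAccounts_R'  DomainLocal

# I -> G -> DL: identities into the account groups, account groups into the ACL
# groups. The RW / R NTFS permissions on the CustAccounts folder are then assigned
# to the DL_ groups, never to users directly.
Add-ADGroupMember -Identity 'G_Accountants'      -Members 'akhan', 'bliu'
Add-ADGroupMember -Identity 'G_Bookkeepers'      -Members 'cnguyen'
Add-ADGroupMember -Identity 'DL_CustAccounts_RW' -Members 'G_Accountants'
Add-ADGroupMember -Identity 'DL_CustAccounts_R'  -Members 'G_Bookkeepers'

# Second-level account group collecting teams from one domain: Global.
New-SecurityGroup 'G_Finance' Global
Add-ADGroupMember -Identity 'G_Finance' -Members 'G_CustomerAccounts', 'G_SupplierAccounts'

# Second-level account group collecting teams from several domains: Universal,
# because a Global group cannot hold members from another domain.
New-SecurityGroup 'U_Sales' Universal
Add-ADGroupMember -Identity 'U_Sales' -Members 'G_Sales'
Add-ADGroupMember -Identity 'U_Sales' -Members (Get-ADGroup -Identity 'G_Sales' -Server 'syd.swin.local')

# Check 1: who actually ends up with RW on CustAccounts once nesting is expanded.
Get-ADGroupMember -Identity 'DL_CustAccounts_RW' -Recursive | Select-Object Name, objectClass

# Check 2: a group's prefix must match its scope, otherwise the naming convention
# stops telling you what the group is for.
$prefix = @{ Global = 'G_'; DomainLocal = 'DL_'; Universal = 'U_' }
Get-ADGroup -Filter * -SearchBase $groupOu | ForEach-Object {
    $expected = $prefix[[string]$_.GroupScope]
    if (-not $_.Name.StartsWith($expected)) {
        Write-Warning "$($_.Name) is $($_.GroupScope) but is not prefixed $expected"
    }
}
```

The recursive membership listing is the check to run after any nesting change: a Universal group nested into a Domain Local group pulls in every domain's members, and the listing shows exactly who that is.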


REMEMBER!

If you don’t share the Folder/Printer no user can access it over the
network!

Share, Share, Share, Share, Share!


Access Based Enumeration

A property of the Share that prevents users from seeing resources (object/files/folder) they don't have permissions to.
Special Identities
There are some groups whose memberships are automatically generated:

Everyone - all user accounts and the guest account

Authenticated users - all user and computer accounts

Anonymous Logon - all users, even those without accounts

Interactive - users logged on locally

Network - users accessing resources (object/files/folder) from a remote computer

Creator Owner - the user account that created the file or the user/group allocated ownership.
Creator Owner automatically has FC permissions for files they create.

Warren (2017), 70-742, p.63


Combining NTFS & Share permissions

The most restrictive applies (*when combining for a single SID)

What is the effective permission for:
- Group A
- Group B
(permission figure not recoverable from the extracted slide)

Answers:
GroupA = R
GroupB = C
Combining Permissions allocated to different groups

Allow Permissions Cumulate (for both Share and NTFS permissions)

GroupA NTFS + GroupB NTFS + GroupC NTFS = Cumulated NTFS
(each column has Allow/Deny checkboxes for Full Control, Modify, Read & execute, List folder contents, Read, Write; the ticks are not recoverable from the extracted slide)

Zacker (2017), 70-740, p.199-100


Cumulative for different groups

Scenario: "I want to read a file in MktData." The user's access token is matched against the object's security descriptor (diagram).

User Access Token: User SID; group SIDs G_Sales SID, DL_MktData_R SID, G_Marketing SID, DL_MktData_W SID; Privileges; Other Information. (Where is your access token?)

Object's Security Descriptor for MktData: Object Owner SID, Group SID, SACL, DACL (a list of ACEs).

Each ACE in the DACL is matched against the SIDs in the token:
DL_MktData_R = R
DL_MktData_W = W

As the user is inside both the DL_MktData_R and DL_MktData_W groups, both would be counted.
How permissions combine

If accessing the resource locally – combine NTFS Allow permissions from all ACL groups the account is a 'member' of, remembering that deny overrides other permissions.

If accessing the resource via the network – also apply the Share permissions; they are not applied with local access. (The slide's table lines up Share R, C, FC with NTFS R, RW/M, FC.)

Zacker (2017), 70-740, p.120
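As an added example (not from the lecture or the Zacker text) of the rules on the last few slides taken together: precedence (explicit deny > explicit allow > inherited deny > inherited allow), allow permissions cumulating across groups, share permissions ignored locally, and "most restrictive applies" over the network. The group names and access entries are constructed, and the expansion of each basic permission into a handful of atomic rights is a simplification of the real Windows access mask.

```powershell
# Added example, not from the lecture. Assumption: each basic permission is
# expanded to simplified atomic rights (R read, W write, X execute, L list,
# D delete, P change permissions/take ownership), not the real access mask.
$NtfsBasic = @{
    'Read'                 = @('R')
    'Write'                = @('W')
    'List folder contents' = @('L')
    'Read & execute'       = @('R', 'X', 'L')
    'Modify'               = @('R', 'W', 'X', 'L', 'D')
    'Full Control'         = @('R', 'W', 'X', 'L', 'D', 'P')
}
$ShareBasic = @{
    'Read'         = @('R', 'X', 'L')
    'Change'       = @('R', 'W', 'X', 'L', 'D')
    'Full Control' = @('R', 'W', 'X', 'L', 'D', 'P')
}

# Atomic rights of every entry of one kind (Allow/Deny, explicit/inherited),
# across all the groups the user is a member of.
function Get-Rights($Table, $Entries, $Type, $Explicit) {
    @($Entries |
        Where-Object { $_.Type -eq $Type -and $_.Explicit -eq $Explicit } |
        ForEach-Object { $Table[$_.Permission] } |
        Sort-Object -Unique)
}

# The precedence rules from the Permission Precedence slide.
function Get-EffectiveRights($Table, $Entries) {
    $explicitAllow  = Get-Rights $Table $Entries 'Allow' $true
    $explicitDeny   = Get-Rights $Table $Entries 'Deny'  $true
    $inheritedAllow = Get-Rights $Table $Entries 'Allow' $false
    $inheritedDeny  = Get-Rights $Table $Entries 'Deny'  $false
    # Inherited Deny overrides Inherited Allow
    $inherited = @($inheritedAllow | Where-Object { $_ -notin $inheritedDeny })
    # Explicit Allow overrides Inherited Deny; Allow permissions cumulate across groups
    $allowed = @($explicitAllow + $inherited | Sort-Object -Unique)
    # Explicit Deny overrides Explicit Allow
    @($allowed | Where-Object { $_ -notin $explicitDeny })
}

# Name the highest basic permission that the rights fully cover.
function ConvertTo-PermissionName($Table, $Rights) {
    foreach ($name in 'Full Control', 'Modify', 'Change', 'Read & execute', 'Read', 'Write', 'List folder contents') {
        if ($Table.ContainsKey($name) -and -not @($Table[$name] | Where-Object { $_ -notin $Rights })) {
            return $name
        }
    }
    return 'None'
}

function Get-EffectiveAccess($NtfsEntries, $ShareEntries, [switch]$OverNetwork) {
    $ntfs = Get-EffectiveRights $NtfsBasic $NtfsEntries
    if (-not $OverNetwork) {
        # Local (interactive) access: share permissions are not applied.
        return ConvertTo-PermissionName $NtfsBasic $ntfs
    }
    $share = Get-EffectiveRights $ShareBasic $ShareEntries
    # Over the network the most restrictive applies: keep only rights both grant.
    ConvertTo-PermissionName $ShareBasic @($ntfs | Where-Object { $_ -in $share })
}

# Constructed sample: a user who is a member of Group A, B and C.
$ntfsAces = @(
    @{ Group = 'Group A'; Type = 'Allow'; Explicit = $false; Permission = 'Modify' }
    @{ Group = 'Group B'; Type = 'Allow'; Explicit = $false; Permission = 'Read' }
    @{ Group = 'Group C'; Type = 'Deny';  Explicit = $true;  Permission = 'Write' }
)
$shareAces = @(
    @{ Group = 'Group A'; Type = 'Allow'; Explicit = $true; Permission = 'Change' }
    @{ Group = 'Group B'; Type = 'Allow'; Explicit = $true; Permission = 'Read' }
)
"Logged on locally:     $(Get-EffectiveAccess $ntfsAces $shareAces)"              # Read & execute
"Via the network share: $(Get-EffectiveAccess $ntfsAces $shareAces -OverNetwork)" # Read
```

The sample walks the same path as the exercises that follow: Group A's inherited Modify and Group B's inherited Read cumulate, Group C's explicit Deny on Write strips the write right, so locally the user is left with Read & execute; over the network the share only grants Change and Read, and the intersection is reported in share terms as Read.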


Exercise 1A

A folder on a member server has the following permissions. A user who is a member of all three groups logs on to this member server locally and accesses a file in the folder. If the file only has inherited permissions what will be the effective permissions for this user?

Permissions table (the ticks are not recoverable from the extracted slide):
GROUP A / GROUP B / GROUP C – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read
Effective Permission – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read

Solution 1A

As Share permissions do not apply, the effective permission is Full Control.
Exercise 1B

A folder on a member server has the following permissions. A user who is a member of all three groups logs on to their network workstation and accesses a file in the folder. If the file only has inherited permissions what will be the effective permissions for this user?

Permissions table (the ticks are not recoverable from the extracted slide):
GROUP A / GROUP B / GROUP C – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read
Effective Permission – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read

Solution 1B

As Share permissions are more restrictive than NTFS, the effective permission is Change.
Exercise 2

A folder on a member server has the following permissions. A user who is a member of all three groups logs on to their network workstation and accesses a file in the folder. If the file only has inherited permissions what will be the effective permissions for this user?

Permissions table (the ticks are not recoverable from the extracted slide):
GROUP A / GROUP B / GROUP C – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read
Effective Permission – NTFS Allow/Deny: Full Control, Modify, Read & execute, List folder contents, Read, Write; SHARE Allow/Deny: Full Control, Change, Read

Solution 2

The effective permission is Full Control.
Best Practice for Sharing a Folder

Remove Inheritance (convert to explicit permissions)

Remove the Users group from NTFS permissions

Then

Share Everyone Full Control and allow NTFS permissions to control access

Or

Share Everyone Change if the boss is anxious about security

And
Justify your choice, if doing this in an exam ;)
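As an added example (not from the lecture) of the checklist above applied to one folder, with the Access Based Enumeration property from the earlier slide switched on at the same time: the folder path, share name, NetBIOS domain name SWIN and the DL_CustAccounts_RW / DL_CustAccounts_R groups are constructed for this example.

```powershell
# Added example, not from the lecture. Run as an administrator on the file
# server; the path, share name and group names are constructed.
$path  = 'D:\Shares\CustAccounts'
$share = 'CustAccounts'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# 1. Remove inheritance, converting the inherited entries into explicit ones
#    (isProtected = $true, preserveInheritance = $true), and commit.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# 2. Re-read the now explicit ACL and drop the built-in Users group, which
#    otherwise gives every domain user read access through NTFS.
$acl = Get-Acl -Path $path
$acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 3. Grant the ACL groups: RW = Modify, R = ReadAndExecute, inherited by
#    every folder and file created underneath.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($grant in @(
        @{ Identity = 'SWIN\DL_CustAccounts_RW'; Rights = 'Modify' }
        @{ Identity = 'SWIN\DL_CustAccounts_R';  Rights = 'ReadAndExecute' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $grant.Identity, $grant.Rights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 4. Share to Everyone with Full Control and let NTFS control access (swap
#    -FullAccess for -ChangeAccess if the "Change" option is preferred), with
#    access-based enumeration so users only see what they can open.
New-SmbShare -Name $share -Path $path -FullAccess 'Everyone' -FolderEnumerationMode AccessBased | Out-Null

# Verify: only the DL_ groups plus the system defaults remain, nothing inherited.
Get-Acl -Path $path | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
Get-SmbShareAccess -Name $share
```

Committing once before removing the Users entry matters: until Set-Acl has written the protected ACL, the entries are still inherited copies and cannot be removed individually.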
