NALec07AD&Group 2024
Lecture 07
Improving Security using Active Directory & Groups
Cmdlet Use
New-ADUser* Creates user accounts.
Set-ADUser Modifies the properties of user accounts.
Remove-ADUser Deletes user accounts.
Set-ADAccountPassword Resets the password of a user account.
Set-ADAccountExpiration Modifies the expiration date of a user account.
Unlock-ADAccount Unlocks a user account.
Enable-ADAccount Enables a user account.
Disable-ADAccount Disables a user account.
e.g.
New-ADUser -Name Jill
will create a disabled user account in the Users container (no password is supplied, so the account cannot be enabled).
New-ADUser -Name "Jack" -Path "OU=ICT,DC=swin,DC=local" -AccountPassword (ConvertTo-SecureString -AsPlainText "Pa55w.rd" -Force) -Enabled $true
will create an active user account in the ICT Organisational Unit. (The parameter is -Enabled; note that a password typed on the command line ends up in the PowerShell history and any transcript or command-line audit logs, so for real accounts prompt for it with Read-Host -AsSecureString instead.)
* Examinable
Hint: Name the template in a way that makes it stand out from user accounts, e.g. _usrSalesTemplate.
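The template hint above, carried through end to end as an added example (this is not code from the lecture slides): a disabled template account is created in the ICT OU, a real user is stamped out of it with -Instance, and the result is checked. It assumes the domain swin.local, an existing OU named ICT, the RSAT ActiveDirectory module, and a hypothetical user named jack.

```powershell
# Added example, not from the lecture slides. Assumes domain swin.local, an OU 'ICT',
# and the ActiveDirectory (RSAT) module on the admin workstation.
Import-Module ActiveDirectory

# 1. Create the template. It stays disabled and has no password, and the leading
#    underscore keeps it visually separate from real user accounts in every listing.
$tmplParams = @{
    Name           = '_usrICTTemplate'
    SamAccountName = '_usrICTTemplate'
    Path           = 'OU=ICT,DC=swin,DC=local'
    Department     = 'ICT'
    City           = 'Melbourne'
    Enabled        = $false
}
New-ADUser @tmplParams

# 2. Create a real user from the template. -Instance copies the attributes that are set on the
#    template (Department, City) unless a parameter overrides them. The password is prompted
#    rather than written into the script, so it never lands in history or transcript logs.
$template = Get-ADUser -Identity '_usrICTTemplate' -Properties Department, City
$userParams = @{
    Name                  = 'Jack'                    # hypothetical account
    SamAccountName        = 'jack'
    UserPrincipalName     = 'jack@swin.local'
    Path                  = 'OU=ICT,DC=swin,DC=local'
    Instance              = $template
    AccountPassword       = (Read-Host -AsSecureString 'Initial password for jack')
    ChangePasswordAtLogon = $true                     # forces a fresh secret at first logon
    Enabled               = $true
}
New-ADUser @userParams

# 3. Check: the template must still be disabled, the new account enabled, both in the ICT OU,
#    and the copied attributes present on the new account.
Get-ADUser -Filter "Department -eq 'ICT'" -Properties Department, City |
    Select-Object Name, Enabled, Department, City, DistinguishedName
```

Keep the template disabled permanently and audit it like any other account: an enabled template with a known password is a ready-made foothold in the OU.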
Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]
https://technet.microsoft.com/en-us/library/2007.09.adtools.aspx
Navigating the Domain Hierarchy:
Organizational Units (OUs)
Create Via:
Right click in DSA or ADAC
PowerShell
New-ADOrganizationalUnit -name Hbt -path "dc=swin,dc=local"
The default AD containers Users and Computers are not OUs, they
cannot have GPOs linked to them.
It is best to change the default locations by using redircmp and
redirusr
e.g.
redircmp <Container-DistinguishedName>
redircmp "OU=Melb,DC=swin,DC=local"
will redirect all new computer accounts that are created without an explicit path (e.g. workstations joined to the domain) into the Melb OU instead of the Computers container.
https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/
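The OU creation and container redirection above as one runnable sequence, added here as an example that is not part of the lecture slides. It also checks the setting the linked article is about: by default any authenticated user may join up to 10 machines to the domain (ms-DS-MachineAccountQuota). Assumes the domain swin.local, running on a domain controller as a Domain Admin (redircmp and redirusr require that), and the RSAT ActiveDirectory module.

```powershell
# Added example, not from the lecture slides. Assumes domain swin.local and Domain Admin rights on a DC.
Import-Module ActiveDirectory

# Create the OUs; protection stops an accidental drag-and-drop or delete in DSA/ADAC.
foreach ($name in 'Melb', 'Hbt') {
    New-ADOrganizationalUnit -Name $name -Path 'DC=swin,DC=local' -ProtectedFromAccidentalDeletion $true
}

# Redirect the well-known containers. New accounts created without a -Path now land in the Melb OU,
# so they are covered by that OU's GPOs instead of sitting in a container that cannot have a GPO linked.
redircmp 'OU=Melb,DC=swin,DC=local'
redirusr 'OU=Melb,DC=swin,DC=local'

# Verify the redirection: both should now point at the Melb OU.
Get-ADDomain | Select-Object UsersContainer, ComputersContainer

# Who can add workstations to the domain? The default quota lets every authenticated user
# join 10 machines. Read it, then set it to 0 so joins require an explicit delegation or the
# "Add workstations to domain" user right granted deliberately through Group Policy.
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object 'ms-DS-MachineAccountQuota'
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Setting the quota to 0 is a common hardening step because a machine account created by an ordinary user is fully controlled by that user; the redirection alone only changes where such accounts appear.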
CRICOS 00111D
TOID 3059
Revision - Security Permissions
NTFS PERMISSIONS
NTFS permissions are a part of the NTFS file system; they cannot be used on FAT partitions.
Each permission can be set to Allow or Deny.
Folder permissions: Full Control, Modify, Read & execute, List folder contents, Read, Write
File permissions: Full Control, Modify, Read & execute, Read, Write
(Files have no "List folder contents" permission; it applies to folders only.)
Permission Inheritance
Account Groups
– Used for grouping accounts that have similar requirements.
e.g. user accounts from the sales department
– Global groups nearly always fill this role
– The name of the group reflects the accounts e.g. G_Sales
Group scope summary

Global (G)
Use: to group identities (i.e. user and computer accounts) that have similar requirements.
Can contain (from its own domain only): user accounts, computer accounts, global groups.
Can be a member of: global groups, domain local groups, universal groups.
Members from another domain: No (cannot have members from another domain).
Can be given access to resources in another domain: Yes.

Domain Local (DL)
Use: to control access to domain resources (e.g. files, folders and printers).
Can contain: user accounts, computer accounts, global groups, domain local groups (same domain), universal groups* (*only from the same forest); members may come from any trusted domain.
Can be a member of: domain local groups in the same domain.
Members from another domain: Yes.
Can be given access to resources in another domain: No (cannot give access to resources in another domain).

Universal (U)
Use: to collect groups from multiple domains in the forest.
Can contain: user accounts, computer accounts, global groups and universal groups from any domain in the forest (not domain local groups).
Can be a member of: domain local groups, universal groups.
Members from another domain: Yes. Can be given access to resources in another domain: Yes.
Universal groups do not belong to any one domain but to the whole forest; their membership is replicated to every global catalog, an overhead that can slow all DCs in the forest down.
AGDLP example: the CustAccounts folder

Identity = Accountants: make a member of G_Accountants; make G_Accountants a member of DL_CustAccounts_RW; assign RW permissions on CustAccounts to DL_CustAccounts_RW.
Identity = Bookkeepers: make a member of G_Bookkeeper; make G_Bookkeeper a member of DL_CustAccounts_R; assign R permissions on CustAccounts to DL_CustAccounts_R.
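The CustAccounts chain above, built end to end as an added example (not code from the lecture slides): accounts go into global groups, global groups into domain local groups, and only the domain local groups appear in the NTFS ACL. It assumes the domain swin.local (NetBIOS name SWIN), an OU named Groups, hypothetical existing users jill and jack, and that the folder and share live on D:\Data on the file server where the last part is run. The slide's "RW" is granted as the standard Modify permission.

```powershell
# Added example, not from the lecture slides. Assumes domain swin.local / SWIN, an OU 'Groups',
# existing users jill and jack (hypothetical), and a file server path D:\Data\CustAccounts.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=swin,DC=local'
$folder  = 'D:\Data\CustAccounts'

# A -> G: global (account) groups hold the identities.
New-ADGroup -Name 'G_Accountants' -GroupScope Global -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'G_Bookkeeper'  -GroupScope Global -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'G_Accountants' -Members 'jill'
Add-ADGroupMember -Identity 'G_Bookkeeper'  -Members 'jack'

# G -> DL: one domain local (resource) group per permission level on the resource.
New-ADGroup -Name 'DL_CustAccounts_RW' -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'DL_CustAccounts_R'  -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL_CustAccounts_RW' -Members 'G_Accountants'
Add-ADGroupMember -Identity 'DL_CustAccounts_R'  -Members 'G_Bookkeeper'

# DL -> P: permissions are set on the DL groups only, never on users or global groups.
# Run this part on the file server. (OI)(CI) makes the ACE inherit to files and subfolders.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
icacls $folder /inheritance:d                               # stop inheriting D:\Data's ACL (copies it)
icacls $folder /remove:g 'BUILTIN\Users'                    # drop the broad default grant, if present
icacls $folder /grant 'SWIN\DL_CustAccounts_RW:(OI)(CI)M'   # Modify = the slide's RW
icacls $folder /grant 'SWIN\DL_CustAccounts_R:(OI)(CI)RX'   # Read & execute = the slide's R

# Share it wide open and let NTFS do the gating (see "Best Practice for Sharing a Folder").
New-SmbShare -Name 'CustAccounts' -Path $folder -FullAccess 'Authenticated Users'

# Check the result: the ACL should list only the two DL groups (plus SYSTEM/Administrators),
# and the recursive membership shows who actually gets RW through the chain.
icacls $folder
Get-ADGroupMember -Identity 'DL_CustAccounts_RW' -Recursive | Select-Object Name, objectClass
```

Adding a new accountant later is a single Add-ADGroupMember on G_Accountants; the ACL on the folder never changes, which is the point of the pattern and also what makes ACL drift easy to spot in an audit.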
Nesting Global Groups
Second Level Account Groups
2. The Sales department has a team in every domain. They should all have access to the sales documents in every domain.
2nd Level Account Groups - Global
REMEMBER!
If you don't share the folder/printer, no user can access it over the network!
Creator Owner - the user account that created the file, or the user/group that was allocated ownership.
Creator Owner automatically has Full Control permissions for files they create (the CREATOR OWNER entry in the parent folder's ACL is copied to the creating user on each new file). An owner can also always read and change the permissions on their own object, even if the DACL would otherwise deny them access.
Answers:
GroupA = R
GroupB = C
Combining Permissions allocated to different groups
[Slide figure: the NTFS Allow/Deny check boxes (Full Control, Modify, Read & execute, List folder contents, Read, Write) for each of the groups a user belongs to; which boxes were ticked is not recoverable from this extraction.]
Rule: the user's effective NTFS permission is the sum (union) of every Allow granted to the user and to any group in their access token, minus any permission explicitly Denied to any of them. A Deny beats an Allow, with one exception: an Allow set directly on the object is evaluated before a Deny inherited from a parent folder.
User Access
Access token (belongs to the user)      Object (file or folder)
  User SID                                Owner SID
  G_Sales SID                             SACL (auditing entries)
  DL_MktData_R SID                        DACL: ACE, ACE, ACE, ...
  G_Marketing SID
  DL_MktData_W SID
  Privileges
  Other information
Each SID in the token is matched against the ACEs in the object's DACL; a matching ACE grants (Allow) or blocks (Deny) the requested access, a non-matching ACE (X) is ignored.
Where is your access token? It is built at logon and attached to every process you start, which is why a change to group membership only takes effect after you log off and on again.
Exercise 1A
DL_MktData_R = R
DL_MktData_W = W
A folder on a member server has the following permissions. [Slide figure: NTFS Allow/Deny check boxes (Full Control, Modify, Read & execute, List folder contents, Read, Write) for Group A, Group B and Group C, and Share permissions (Full Control, Change, Read); the ticked boxes did not survive extraction.] A user accesses a file in the folder. If [remainder of the question is missing] ... what is the effective permission for the user?

Solution 1A
As Share permissions do not apply (the file is accessed locally, not through the share), the effective permission is Full Control.

Exercise 1B
A folder on a member server has the following permissions. [Same slide layout as 1A: NTFS Allow/Deny boxes for Groups A, B and C and the Share permissions; the ticked boxes are not recoverable.]

Solution 1B
[Only the NTFS "Read" entry of the answer is legible in this extraction.]

Exercise 2
A folder on a member server has the following permissions. [Slide figure as above; Modify and Read & execute appear in the NTFS columns for Groups A, B and C, the Share permissions Full Control, Change and Read are listed, but the ticked boxes are not recoverable.] A user accesses a file in the folder. If [remainder of the question is missing] ... what is the effective permission for the user?

Solution 2
The effective permission is Full Control.
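The access check from the "User Access" slide and the combining rule from "Combining Permissions", worked through in code as an added example that is not part of the lecture slides. It models the evaluation: the ACEs whose identity is in the user's token are collected, the Allow rights are unioned and the Deny rights removed, and, only when the file is reached over the network, the result is capped by the share permission. Group names (G_Sales, G_Marketing, DL_MktData_R, DL_MktData_W) follow the slides; the ACE lists, the read-only share and the extra Deny entry are constructed. The real kernel check also orders explicit ACEs before inherited ones, which this model leaves out.

```powershell
# Added example, not from the lecture slides. Models NTFS + share permission combining for a
# user whose token contains the listed groups. ACE lists below are constructed for illustration.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Share permission levels expressed as the NTFS rights they cap network access at.
$SharePermission = @{
    'Full Control' = [int]($FSR::FullControl)
    'Change'       = [int]($FSR::Modify)
    'Read'         = [int]($FSR::ReadAndExecute)
}

function Resolve-Aces {
    # Union of Allow rights minus the union of Deny rights, over ACEs that match a token group.
    param([string[]] $TokenGroups, [hashtable[]] $Aces, [scriptblock] $RightsOf)
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($TokenGroups -notcontains $ace.Identity) { continue }    # no SID match: ACE ignored (X)
        $rights = [int](& $RightsOf $ace)
        if ($ace.Type -eq 'Allow') { $allow = $allow -bor $rights } else { $deny = $deny -bor $rights }
    }
    return $allow -band (-bnot $deny)                                # Deny wins over Allow
}

function Get-EffectiveAccess {
    param([string[]] $TokenGroups, [hashtable[]] $NtfsAces, [hashtable[]] $ShareAces, [switch] $OverNetwork)
    $ntfs = Resolve-Aces $TokenGroups $NtfsAces { param($a) $a.Rights }
    if (-not $OverNetwork) {
        return [System.Security.AccessControl.FileSystemRights]$ntfs  # local access: share permissions do not apply
    }
    $share = Resolve-Aces $TokenGroups $ShareAces { param($a) $SharePermission[$a.Level] }
    return [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)   # most restrictive of the two
}

# Constructed scenario from the slide: DL_MktData_R = R, DL_MktData_W = W, share = Everyone Full Control.
$token = 'Everyone', 'Authenticated Users', 'G_Sales', 'G_Marketing', 'DL_MktData_R', 'DL_MktData_W'
$ntfs = @(
    @{ Identity = 'DL_MktData_R'; Type = 'Allow'; Rights = $FSR::Read  }
    @{ Identity = 'DL_MktData_W'; Type = 'Allow'; Rights = $FSR::Write }
)
$share = @( @{ Identity = 'Everyone'; Type = 'Allow'; Level = 'Full Control' } )

Get-EffectiveAccess $token $ntfs $share                  # local: Read, Write
Get-EffectiveAccess $token $ntfs $share -OverNetwork     # share is Full Control: still Read, Write

# Same folder but the share only grants Read: over the network Write is masked off.
$shareRO = @( @{ Identity = 'Everyone'; Type = 'Allow'; Level = 'Read' } )
Get-EffectiveAccess $token $ntfs $shareRO -OverNetwork   # Read

# Add a Deny Write for G_Sales: the user loses Write everywhere, whatever the other groups allow.
$ntfsDeny = $ntfs + @{ Identity = 'G_Sales'; Type = 'Deny'; Rights = $FSR::Write }
Get-EffectiveAccess $token $ntfsDeny $share              # Read
```

To compare the model with a real folder, list its ACL with icacls <folder> and your token with whoami /groups; the share side comes from Get-SmbShareAccess.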
Best Practice for Sharing a Folder
Share the folder to Everyone with Full Control (Authenticated Users is the tighter modern equivalent), then let the NTFS permissions control access. Share permissions are then never the limiting factor, so effective access is simply the NTFS result, which is visible in one place and inherits to files and subfolders.
Justify your choice, if doing this in an exam ;)