Active Directory management includes four core tasks: architecture administration, user account management, group management, and organizational unit management. To manage the architecture, you can use Active Directory Sites and Services, Active Directory Domains and Trusts, Active Directory Users and Computers (ADUC), or the Active Directory Module for Windows PowerShell. You can manage user accounts with ADUC or the AD Module for Windows PowerShell, and the same tools can be used to manage groups. For organizational unit (OU) management, you must plan the OU structure and then implement it using the simple OU-creation process. You can also delegate administrative capabilities, such as password resetting, to users and groups that are not part of the Domain Admins or Account Operators groups.
- Create an OU named Sales in the training.local domain, and then create two child OUs within the Sales OU named Management and Sales Professionals.
- Create a domain local security group named Sales.
- Create a global distribution group named Campus A.
- Create two users with different names, and then add one to the Sales group and the other to the Campus A group.
Answers for Exercises
- Use the procedure provided earlier in the chapter to create the Sales OU, the Management child OU, and the Sales Professionals OU.
- Use the procedure provided earlier in the chapter to create the Sales domain local security group.
- Use the procedure provided earlier in the chapter to create the Campus A global distribution group.
- Use the procedure provided earlier in the chapter to create the user accounts. Use the Member Of tab in the user Properties dialog to add the users to the appropriate group.
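The same four exercises can also be completed with the Active Directory Module for Windows PowerShell. The script below is an added example, not the chapter's own procedure. It assumes a lab domain named training.local, places both groups in the Sales OU and both users in the Sales Professionals OU (the exercise does not say where they go), and uses constructed account names.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to
# create objects in the training.local lab domain.
Import-Module ActiveDirectory

$domainDN = 'DC=training,DC=local'
$salesOU  = "OU=Sales,$domainDN"

# Exercise 1: the Sales OU and its two child OUs.
# Accidental-deletion protection is set explicitly so the intent is visible.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Management', 'Sales Professionals') {
    New-ADOrganizationalUnit -Name $child -Path $salesOU -ProtectedFromAccidentalDeletion $true
}

# Exercise 2: domain local security group named Sales.
# Placement in the Sales OU is an assumption.
New-ADGroup -Name 'Sales' -SamAccountName 'Sales' `
    -GroupScope DomainLocal -GroupCategory Security -Path $salesOU

# Exercise 3: global distribution group named Campus A.
# Distribution groups cannot be assigned permissions.
New-ADGroup -Name 'Campus A' -SamAccountName 'CampusA' `
    -GroupScope Global -GroupCategory Distribution -Path $salesOU

# Exercise 4: two users, one per group. Names are constructed for the lab.
# The initial password is prompted for, never hard-coded in the script.
$password = Read-Host -AsSecureString -Prompt 'Initial password for the lab accounts'
$users = @(
    @{ Name = 'Alex Example';  Sam = 'aexample'; Group = 'Sales'   },
    @{ Name = 'Jordan Sample'; Sam = 'jsample';  Group = 'CampusA' }
)
foreach ($u in $users) {
    New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@training.local" `
        -Path "OU=Sales Professionals,$salesOU" `
        -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $u.Group -Members $u.Sam
}

# Verify: list each user's groups with scope and category.
# Domain Users appears for both accounts alongside the group added above.
foreach ($u in $users) {
    Get-ADPrincipalGroupMembership -Identity $u.Sam |
        Select-Object @{ n = 'User'; e = { $u.Sam } }, Name, GroupScope, GroupCategory
}
```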
- 1. Every user in the domain is an automatic member of which group?
- A. Domain Admins
- B. Domain Guests
- C. Domain Users
- D. Domain Accounts
- 2. True or false: Machine local groups can contain accounts and groups from any domain in the forest.
- 3. What kind of group can a global group contain when you are nesting groups?
- A. Global groups
- B. Domain local groups
- C. Universal groups
- D. Machine local groups
- 4. The Sessions tab of the user Properties dialog is used only when you are configuring the account for use with what service?
- 5. On what tab of the user Properties dialog can you set the home directory path for the user?
- A. General
- B. Address
- C. Account
- D. Profile
- 6. Define a distribution group.
- 7. AGDLP stands for what?
- 8. What can be created to display a subset of the objects within AD using the Active Directory Users and Computers tool?
- A. A query
- B. A filter
- C. A subset data type
- D. A subset group
- 9. What tool is used to manage delegated administration?
- A. Active Directory Domains and Trusts
- B. Computer Management
- C. Active Directory Sites and Services
- D. Active Directory Users and Computers
- 10. True or false: The Domain Naming Operations Master role is managed in the Active Directory Domains and Trusts tool.
Answers for Review Questions
- 1. C. Every user is automatically a member of the Domain Users group. Additionally, every user is a member of the Everyone group.
- 2. True. Local groups can contain accounts and groups from any domain in the forest in which the local machine participates.
- 3. A. Global groups can contain only other global groups.
- 4. Remote Desktop Services. The Sessions tab is relevant only to Remote Desktop Services connections. You can set properties for the connection (session) such as the delay timer for ending a disconnected session, the delay timer for ending an active or idle session, the setting for disconnecting or ending a session when the active or idle timer expires, and the setting for allowing reconnections to sessions from any client or from the original client only (called the originating client in the user Properties interface).
- 5. D. The Profile tab allows you to set the home directory path, the logon script, and the roaming profile path.
- 6. A type of group that may not be assigned permissions and that is often used for email distribution lists.
- 7. AGDLP stands for Accounts (A), Global groups (G), Domain local groups (DL) and permissions (P).
- 8. A. You can create queries in ADUC to display a subset of the information within the AD domain. You can export the queries as XML files to be imported into other administration machines.
- 9. D. ADUC can be used to delegate administrative control to users and groups who are not members of the Domain Admins group.
- 10. True. You can manage the Domain Naming Operations Master role using Active Directory Domains and Trusts. You can only move the Domain Naming Operations Master role to another DC within the same forest, and you must be logged on as a member of the Enterprise Admins group to perform this action.