Contents Module 1: Introduction to Advanced Administration of a Windows 2000 Network Overview Administering a Windows 2000 Network Centralized Management Delegating Administrative Control Controlling Access to Active Directory Objects and Windows 2000 Resources Demonstration: Examining Access Tokens 18 Review 19 Information in this document is subject to change without notice The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Complying with all applicable copyright laws is the responsibility of the user No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation If, however, your only means of access is electronic, permission to print one copy is hereby granted Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property ? ?1999 Microsoft Corporation All rights reserved Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A and/or other countries The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted Other product and company names mentioned herein may be the trademarks of their respective owners Project Lead and Instructional Designer: Mark Johnson Instructional Designers : Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor) Lead Program Manager: Ryan Calafato Program Manager: Joern Wettern (Wettern Network Solutions) Graphic Artist : Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Substantive Editor: Kelly Baker (Write Stuff) Copy Editor: Wendy Cleary (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Arlo Emerson (MacTemps) Compact Disc Testing : Data Dimensions, Inc Production Support: Arlene Rubin (S&T OnSite) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Product Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 1: Introduction to Advanced Administration of a Windows 2000 Network iii Introduction Presentation: 60 Minutes This module provides students with an introduction to administering a Microsoft® Windows® 2000 network It provides a foundation for the course by presenting the concepts of centralized management and decentralized administration through the use of Windows 2000 features This module also provides an overview of how users are granted access to Active Directory™ directory service objects and other network resources in Windows 2000 Materials and Preparation This section provides you with the materials and preparation needed to teach this module Materials To teach this module, you need the following materials: ?? Microsoft PowerPoint® file 1558A_01.ppt Preparation To prepare for this module, you should: ?? Read all the materials for this module ?? Study the review questions and prepare alternative answers to discuss ?? Anticipate questions that students may ask Write out the questions and provide the answers ?? Read the white paper, Introduction to IntelliMirror™ on the Student Materials compact disc ?? Read the white paper, Introduction to Windows 2000 Change and Configuration Management on the Student Materials compact disc ?? Read the white paper, Windows 2000 Kerberos Authentication on the Student Materials compact disc ?? Read the white paper, Windows 2000 Security—Default Access Control Settings on the Student Materials compact disc iv Module 1: Introduction to Advanced Administration of a Windows 2000 Network Demonstration This section provides demonstration procedures that will not fit in the margin notes or are not appropriate for the student notes Examining Access Tokens ?? view and compare the access tokens for the domain Administrator To account and a user account Log on to your domain as Administrator, click the Start button, point to Programs, point to Accessories, and then click Command Prompt At the command prompt, run the mytoken program, which is located in the root directory on the Trainer Materials compact disc Start another command prompt, and using the runas command, run mytoken using a standard user account Place the two command prompt windows side by side and compare the SID, Group ID, and user rights for the administrator account and the standard user account Ask students whether the information is the same Module 1: Introduction to Advanced Administration of a Windows 2000 Network v Module Strategy Use the following strategy to present this module: ?? Administering a Windows 2000 Network In this topic, you will introduce administering a Windows 2000 network Explain the concepts of centralizing management and decentralizing administration Talk about the customization of the administrative tools by an administrator to allow other administrators to perform specific tasks in the network Keep the presentation brief, as all the concepts will be taught in subsequent modules in the course ?? Centralized Management In this topic, you will introduce centralized management Explain the purpose of Active Directory and Group Policy for centralized management of resources Emphasize that it is Active Directory that enables a single administrator to manage all resources in the network Tell students that Group Policy allows an administrator to centrally manage users’ computer environments without having to visit each desktop individually Emphasize that you only need to apply Group Policy once, and that the operating system then enforces it continually Applying Group Policy at an organizational unit (OU) level enables you to place new objects in this OU and have all settings automatically apply to the new object Explain how publishing shared resources, such as shared folders and printers, enables centralized management Point out that the location of these resources is transparent to the user ?? Delegating Administrative Control In this topic, you will explain the purpose of delegating administrative control and the tools that simplify the task Emphasize that in Windows 2000 you can delegate administrative control at an OU level This enables an administrator to distribute administrative tasks to other administrators ?? Controlling Access to Active Directory Objects and Windows 2000 Resources In this topic, you will introduce controlling access to Active Directory and file system objects Explain the purpose of discretionary access control lists (DACLs) and how Windows 2000 assigns and manages resource security through permission inheritance Describe the logon process and briefly discuss the local, network, and secondary logon processes Describe the purpose and components of access tokens Emphasize that access tokens are permanently attached to each resource Explain how access token and DACLs are used to gain access to Windows 2000 resources Emphasize that the process of gaining access to Active Directory objects and network resources is identical to the process of gaining access to file system objects Demonstrate logging on as an administrator and using Mytoken.exe to see the access token of an administrator, and then demonstrate logging on as a user to see the access token of a user Compare the two access tokens and show students the difference between the SIDs, Group IDs, and the user rights in the two access tokens Module 1: Introduction to Advanced Administration of a Windows 2000 Network Overview Slide Objective To provide an overview of the module topics and objectives ? ? Do not go into too much detail about the concepts in this module This module sets the foundation for the main concepts that will be covered in the following modules Delegating Administrative Control ? In this module, you will learn about how Windows 2000 authenticates users during the logon process and uses DACLs to control access to resources Centralized Management ? Lead-in Administering a Windows 2000 Network Controlling Access to Active Directory Objects and Windows 2000 Resources Microsoft® Windows® 2000 supports the management services that help you to centrally administer and organize servers, networks, and client systems in your organization Centralizing and organizing users and computers to provide a flexible administrative model reduces the total cost of ownership (TCO) of users and computers The Windows 2000 Active Directory™ directory service allows policy-based management for users and computers, authorization and authentication services, remote administration, and security features At the end of this module, you will be able to: ?? Describe the methods of administering a Windows 2000 network ?? Describe how Windows 2000 enables centralized management of users, computers, and network resources ?? Describe how to delegate administrative control of Windows 2000 users, computers, and netw ork resources ?? Describe how you can use Windows 2000 to control access to Active Directory objects and network resources Module 1: Introduction to Advanced Administration of a Windows 2000 Network Administering a Windows 2000 Network Slide Objective To introduce the methods of administering a Windows 2000 network Centralize Management Centralize Management Delegate Administrative Delegate Administrative Control Control Lead-in As an administrator, you can take advantage of the Windows 2000 Active Directory and Group Policy features to centrally manage all computers in your organization and to delegate administrative control Group Policy Active Directory Active Directory Administrative Tools Customize Tools Customize Tools Ask the students to explain what Active Directory and Group Policy are Key Points Active Directory and Group Policy allow administrators to centrally manage a large number of users, computers, and network resources Senior administrators can delegate administrative tasks to other administrators Administrators can customize administrative tools for specific administrative tasks and distribute them to other administrators Windows 2000 provides administrators with the methods and utilities to centralize the management of all desktop computers in an organization and decentralize administrative tasks: ?? Centralize management Active Directory and Group Policy allow administrators to centrally manage large numbers of users, computers, printers, and network resources from one place Active Directory enables you to centrally organize network resources according to administrative requirements, while Group Policy enables you to specify settings and apply management policies to Active Directory organizational units (OUs) In addition, Group Policy enables you to define a policy for a user or computer once, and then use the operating system to reinforce it continually ?? Delegate administrative control Active Directory allows an administrator with the proper authority to delegate a selected set of administrative privileges to appropriate individuals or groups within an organization This administrator can specify the specific privileges that these individuals have over different containers and objects in Active Directory ?? Customize tools Windows 2000 also provides you with the tools to match administrative responsibilities and to delegate network administrative responsibilities to other administrators In this way, administrators can combine all of the tools needed for each administrative function into a single console Module 1: Introduction to Advanced Administration of a Windows 2000 Network ? Centralized Management Slide Objective To introduce the topics related to centralized management Lead-in Active Directory and Group Policy enable the centralized management of Windows 2000 ? Using Active Directory for Centralized Management ? Using Group Policy for Centralized Management ? Managing the User Environment ? Publishing Resources Distributed systems often lead to time-consuming and redundant management tasks For example, for each user, an administrator must visit the desktop to perform tasks, such as configuring the operating system software to corporate standards, limiting the user’s ability to change the standard configuration, securing the desktop and important files from unauthorized users, and installing and configuring applications As organizations add applications to their infrastructures and hire more personnel, they need to create user accounts, configure computers, apply administrative settings, and distribute software to the desktop appropriately The integration of Active Directory and Group Policy provides administrators with a utility that allows them to manage the entire network from a single location Module 1: Introduction to Advanced Administration of a Windows 2000 Network Using Active Directory for Centralized Management Slide Objective Domain To explain the purpose of using Active Directory to centralize management of network resources OU1 Search Search Domain Domain OU1 OU2 OU2 OU2 Active Directory supports centralized management because it has a central repository of objects, contains information regarding these objects, and provides a single point of access from which to administer these objects Active Directory is a central repository of objects Administrators can use search utilities to locate objects and administer them in Active Directory Active Directory uses Group Policy to provide administrators with the ability to specify policybased administrative settings for a site, domain, or OU that apply to all objects in the container Users User1 Lead-in Key Points Computers Computer1 User1 Computer1 User2 Printer1 Active Directory: ? Is a Central Repository of Objects ? Contains Information About Objects ? Allows Administrators to Easily Locate Information ? Allows Administrators to Group Objects into OUs ? Uses Group Policy to Specify Policy-Based Settings Users User2 Printers Printer1 Active Directory is the directory service for Windows 2000 Active Directory stores information about network resources, such as computers and printers, and provides services that make this information available to users and applications Active Directory provides administrators with the capability to centrally manage resources because: ?? Active Directory is a central repository of objects Users, groups, computers, printers, and files can be organized into OUs according to administrative need In addition, all servers, domains, and sites in the network are also represented as objects By representing all network resources as objects in a centralized database, Active Directory enables a single administrator to centrally manage and administer these resources ?? Active Directory contains attributes and information for each object The attributes hold data describing the resource that is identified by the directory object A user’s attributes might include the user’s first name, last name, and e-mail address, while a printer’s attributes might include whether it is capable of printing in color and the building and office in which it is located The attribute information facilitates searching in Active Directory and administering resources in the network ?? Active Directory allows administrators to easily locate information about objects By searching for selected attributes, you can find an object located anywhere in the Active Directory tree ?? Active Directory allows you to group objects with similar administrative and security requirements into OUs OUs provide multiple levels of administrative authority for both applying policy-based administration and delegating administrative control This simplifies the task of managing these objects and allows administrators to structure Active Directory to fit their needs ?? Active Directory uses Group Policy to provide administrators with the ability to specify policy-based settings for a site, domain, or OU Active Directory then enforces these policy-based settings for all of the users and computers within the container Module 1: Introduction to Advanced Administration of a Windows 2000 Network Managing the User Environment Slide Objective Group Policy Applied to an OU To explain the purpose of managing a user’s desktop environment User Data User Data User/Computer User/Computer Settings Settings Software Software Deployment Deployment Lead-in You can define different Group Policy settings for controlling users’ desktop environments, and then apply them consistently across multiple computers OU OU User1 Computer1 Computer2 User2 Computer1 Computer2 Apply Group Policy to containers (domains and OUs) so that when new users and computers are added to these containers, the Group Policy settings automatically apply to the new objects Centrally Manage Software Installation, Repairs, Updates, and Removal ? Group Policy enables administrators to control user environments, install software, and redirect user data to a network location Control and Lock Down What Users Can Do ? Key Points ? Configure User Data to Follow Users Whether They Are Online or Offline Group Policy allows you to control user’s data, personal computer settings, computing environment, and software Policies that follow the user enable administrators to provide users with consistent access to all of their information and software, regardless of whether they are working on the same computer You can use Group Policy to manage the user environment by: ?? Controlling and locking down what users can when logged on to the network This ensures that users have access to the tools and information that they need but not have access to anything that is not required for their jobs You can also restrict the applications and tools that are available to users Limiting the scope of what a user can ensures that no unnecessary time is spent troubleshooting operating system and application configuration problems ?? Centrally managing software installation (applications, service packs, and operating system updates), repairs, updates, and removal When you use Group Policy to install software, you can ensure that the same applications are available on any computer to which a user logs on You can also ensure that missing files and settings are repaired automatically whenever an application is invoked ?? Configuring user data to follow users whether they are online, connected to the network, or temporarily offline User data follows a user because, although the data is stored in specified network locations, it appears local to the user Offline files cache network data to the local computers so it is available when the user disconnects from the network Module 1: Introduction to Advanced Administration of a Windows 2000 Network Publishing Resources Slide Objective Manage To explain the purpose of publishing shared resources in Active Directory for centralized management Locate OU1 Shared Folder Printer Lead-in With Windows 2000, you can publish folders and printers in Active Directory This method of sharing makes it very convenient for administrators and users to locate resources in the network Domain Dfs Shared Folder Administrator User User Publishing Resources in Active Directory: Enables Users to Easily Locate and Gain Access to Resources ? Locates Resources Even if Their Physical Locations Change ? Emphasize that the printers on a computer running Windows 2000 are automatically published in Active Directory ? Enables Administering Multiple Shared Folders from a Single Location Through Dfs You can publish resources in Active Directory to enable users to easily locate and gain access to what the resources they need to perform their jobs Users can easily locate shared folders and printers in a network when these resources are published in Active Directory Another advantage of publishing resources in Active Directory is that you are able to locate the resources there even if their physical locations change Two common resources that are published in Active Directory are shared folders and printers that are on computers that are not running Windows 2000 Network printers can be published so that users can easily locate them based on their physical location and attributes Administrators can group printer objects in Active Directory based on administrative need, regardless of the printer’s physical location This can reduce the complexity of managing printer resources Users can locate published resources even if you change the physical locations of these resources As the size of the network grows, the shared files and folders can exist over many servers This makes resources very difficult for users to locate and for administrators to manage The Distributed file system (Dfs) provides a single point of reference for file system resources that may be located anywhere on the network Key Points Module 1: Introduction to Advanced Administration of a Windows 2000 Network Delegating Administrative Control Slide Objective Domain To explain the purpose of delegating administrative control and the tools that simplify the task OU1 Admin1 OU2 Admin2 OU3 Admin3 Lead-in You can manage your network more efficiently by delegating administrative control to other administrators ? Assign Permissions: ? For specific OUs to other administrators ? To modify specific attributes of an object in a single OU ? To perform the same task in all OUs ? Customize Tools for Administrative Tasks to: ? Map to the assigned permissions interface design ? Simplify Key Points Decentralize administration by delegating some administrative tasks to other individuals Customizing administrative tools enables you to provide administrators with only the amount of functionality that they require to perform their jobs Windows 2000 enables you to delegate administrative privileges for certain objects to appropriate individuals within an organization This is possible because the structure of Active Directory allows you to assign permissions and grant user rights in very specific ways You can delegate the following types of administrative control: ?? Assigning the permissions, such as Full Control, for specific OUs to different administrators For example, three OUs could have three different administrators ?? Assigning the permissions to modify specific attributes of an object in a single OU For example, assigning the permission to change name, address, telephone number, and reset passwords on a user account object ?? Assigning the permissions to perform the same task (for example, resetting passwords) in all OUs of a domain Windows 2000 provides customized tools to administer Active Directory that allow you a great deal of flexibility You can create customized administrative tools to: ?? Map to the permissions that have been assigned to a user for an administrative task ?? Simplify interface design for users with limited administrative privileges Module 1: Introduction to Advanced Administration of a Windows 2000 Network ? Controlling Access to Active Directory Objects and Windows 2000 Resources2000 Resources and Windows Slide Objective To introduce the topics related to controlling access to Active Directory and file system objects Lead-in The security descriptor of an object defines which users have permission to gain access to the object and the actions that they can perform on it ? Discretionary Access Control Lists ? Permission Inheritance ? The Logon Process ? Access Tokens ? How Windows 2000 Grants Access to Resources Windows 2000 controls access to resources in two ways First, no user is given access to any resource without logging on to the computer Second, access to resources is possible only by requesting access from the operating system The operating system grants access to only those resources that the user has permission to use Windows 2000 requires users to log on using a set of verifiable security credentials These credentials are then compared against a set of permissions assigned to Active Directory objects and network resources, such as shared folders and NTFS file system files After the user’s unique identify has been authenticated by Windows 2000 and Active Directory, the user can receive universal access to network resources on any computer in any domain of the organization 10 Module 1: Introduction to Ad vanced Administration of a Windows 2000 Network Discretionary Access Control Lists Slide Objective To explain the purpose of DACLs ? DACLs Define Object Permissions and the Level of Access Granted to a User ? DACLs DACLs All Resources in a Windows 2000 Network Have DACLs ? The Type of Access Granted or Denied to a Resource is Added to the DACL ? Entries in a DACL Are Called ACEs Lead-in DACLs keep a record of the actions that users and groups are allowed to perform on an object ACEs ACEs Write Write Group Group DACLs explicitly define whether an object can be accessed No Access No Access User User Key Points User User Read Read Windows 2000 uses lists of security groups, user accounts, and associated permissions called discretionary access control lists (DACLs) DACLs define object permissions (granted or denied) that currently exist to enforce resource security for each list member The DACL also defines the level of access granted All resources in a Windows 2000 network have a DACL for: ?? Files and folders on NTFS volumes These lists define what action users can perform on a file or folder ?? Active Directory objects These lists define what administrative actions can be performed on objects, such as modifying the attributes for a user account ?? Printer objects These lists define the actions that users can perform on printers, such as who can print and manage documents in the queue Every user of the system must have a user account When access is granted or denied to a resource, the user or group account, and the type of access granted or denied, is added to the resource DACL When a user wants to gain access to an object, the system checks the user’s security identifier and group memberships against the DACL to determine whether the user is allowed to complete the request The entries in a DACL are called access control entries (ACEs) Each entry identifies a group or user and the permissions that have been granted or denied for the object It is usually groups containing users—and not individual user accounts—that are granted or denied access to a resource Module 1: Introduction to Advanced Administration of a Windows 2000 Network 11 Permission Inheritance Slide Objective DACL User Read User Read Group Full Control Group Full Control To explain how objects inherit permissions Lead-in Windows 2000 checks the ACEs in the object’s DACL to determine whether access should be granted Windows 2000 assigns and manages resource security through permission inheritance DACLs Are Inherited by Child Objects Parent Parent Object Object Users Granted Access Permission for Parent Object ? ? ? DACL Child Object User Read User Read Group Full Control Group Full Control Objects Within a Container Automatically Inherit the Permissions of That Container Permission Inheritance Simplifies Managing Permissions How Permissions Are Inherited by Active Directory Objects Emphasize that permission inheritance in Active Directory objects is identical to permission inheritance in file system objects Windows 2000 makes it easy to assign and manage resource security through permission inheritance Objects within a container automatically inherit the permissions of that container For example, when created, the objects within an OU inherit the permissions of that OU Key Points Windows 2000 permission inheritance simplifies the task of managing permissions in the following ways: The child object automatically inherits the permissions of a parent object unless the permission inheritance is blocked ACEs that are directly applied to Active Directory objects are given a higher priority than inherited ACEs ?? Inheritance eliminates the need to manually apply permissions to child objects as they are created ?? Inheritance ensures that the permissions applied to a parent object are applied consistently to all child objects ?? When permissions on all objects within a container need to be modified, you only need to change the permissions on the parent object, and the child objects automatically inherit those changes ?? ACEs that are directly applied to Active Directory objects are applied before any conflicting inherited ACEs The following steps illustrate how permissions are inherited by Active Directory objects in Windows 2000: You create an OU called Sales, and then assign Read permission for User1 to the Sales OU Child OUs and users and computers created in the Sales OU inherit the Read permission for User1 from the Sales OU If you assign an explicit permission to an object in the Sales OU that conflicts with an inherited permission, the explicit permission takes precedence over inherited permissions If you assign User1 Full Control access to a child OU in the Sales OU, the explicit permission takes precedence, and User1 has Full Control 12 Module 1: Introduction to Advanced Administration of a Windows 2000 Network When you make changes to the DACL on the top-level folder, you not delete any of the explicit DACLs defined on the subordinate Active Directory objects If you remove the DACL from the Sales OU that gives User1 Read permission, User1 still has Full Control to the child OU Module 1: Introduction to Advanced Administration of a Windows 2000 Network 13 The Logon Process Domain Controller Slide Objective To describe the logon process Access Access Token Token Token Lead-in The Windows 2000 authentication process ensures that only valid users have access to network or computer resources Local Local Security Security Subsystem Subsystem 5 2 3 Ticket Ticket Ticket Ticket Ticket Ticket Constructs Constructs Access Token Access Token Global Catalog Server Key Points A KDC is required to authenticate the logon process in a Windows 2000 native-mode domain If a KDC is not available, domain authentication fails and the user is logged on using cached credentials A global catalog server is required to log on in a domain in native-mode in order to determine universal group membership In a single domain, universal groups exist only in that domain If a global catalog server is not found, Active Directory is queried directly to determine universal group membership If a global catalog server is unavailable for log on in a multi-domain enterprise, the user will be logged on using cached credentials Kerberos Service Sends a Kerberos Service Sends a Workstation Ticket Workstation Ticket Local Security Subsystem Local Security Subsystem Obtains a Ticket for the User Obtains a Ticket for the User Local Security Subsystem Local Security Subsystem Constructs an Access Token Constructs an Access Token Using the steps in the illustration, demonstrate the steps of the network and secondary logon process User Logs On User Logs On Delivery Tip Kerberos Kerberos Service Service Local Security Subsystem Local Security Subsystem Requests a Workstation Ticket Requests a Workstation Ticket Access Token Is Attached to Access Token Is Attached to the User’s Process the User’s Process Windows 2000 controls access to resources by requiring a user to first log on to a computer To log on to a computer, Windows 2000 requires each user to provide a unique user name and password The logon process that occurs for a Windows 2000 computer includes the following steps: A user logs on providing his or her security credentials, including user name, password, and domain name These credentials are passed to the security subsystem on the local computer The local security subsystem uses the Domain Name System (DNS) to locate a domain controller in the user’s domain The security subsystem then contacts the Kerberos service (called the Key Distribution Center) running on the domain controller, and requests a session ticket for the user to communicate with the Kerberos service (A ticket is a record that allows a client computer to authenticate itself to a server.) The Kerberos service queries Active Directory to authenticate the user and contacts a global catalog server to obtain the user’s universal group memberships The Kerberos service then returns a session ticket to the client computer that contains the user’s security identifier (SID) and the user’s universal, global, and domain local group memberships, which are used for future transactions with the Kerberos service Note Every domain controller in the domain runs the Kerberos service and is capable of granting session tickets for users and computers If a domain controller is not available, then domain authentication fails and the user is logged on using cached logon credentials at the client computer The client computer will periodically attempt to locate the Kerberos service during the user’s session and will complete the domain authentication process if one is found 14 Module 1: Introduction to Advanced Administration of a Windows 2000 Network The local security subsystem again contacts the Kerberos service on the domain controller and requests another session tic ket authorizing the user to gain access to the Workstation service on the client computer in order to complete the user logon process This request includes a copy of the user’s session ticket that the Kerberos service uses to identify the user The Kerberos service authenticates the user’s ticket by querying Active Directory and the global catalog server to verify the information contained in the user’s session ticket The Kerberos service then constructs a Workstation session ticket for the user that contains the validated security credentials copied from the user’s original ticket, and returns it to the client computer The local security subsystem on the client computer extracts the user’s SID and universal, global, and domain local group memberships from the Workstation session ticket The subsystem then constructs the user’s access token by adding the SIDs for local groups to which the user belongs and a list of the local user rights assigned to the user The local computer creates a process with an access token attached The access token is used to authenticate the user and serves as an identity card whenever the user attempts to use system resources The Network Logon Process A network logon occurs when a user establishes a network connection to a remote computer running Windows 2000 (for example, when connecting to a shared folder) The authentication process is very similar to that of an interactive logon process The client computer obtains a server session ticket from the Kerberos service running on a domain controller in the user’s domain The client computer then sends the server session ticket to the local security subsystem on the server, which extracts the user’s security credentials and constructs an access token for the remote user This access token is used to authenticate the user whenever a resource on the server is accessed The Secondary Logon Process Secondary logon provides the ability to start and run an application by using the security credentials of another user without ending a session already in progress For example, you can run administrative tools while logged on with a standard user account Module 1: Introduction to Advanced Administration of a Windows 2000 Network 15 Access Tokens Slide Objective Security ID: S-1-5-21-146 Security ID: S-1-5-21-146 To explain the purpose and components of access tokens Access Token Lead-in Access tokens are the key to security in Windows 2000 Access Tokens: Group IDs: Employees Group IDs: Employees EVERYONE EVERYONE LOCAL LOCAL User Rights: User Rights: SeChangeNotifyPrivilege (attributes) SeChangeNotifyPrivilege (attributes) SeSecurityPrivilege (attributes) SeSecurityPrivilege (attributes) ? ? An access token is permanently attached to a user’s process Windows 2000 checks the user SID and the list of group SIDs in the access token against the object’s DACL before granting access to a resource Contain Group ID, a List of the Groups to Which a User Belongs ? The main components of an access token are SIDs, the Group ID, and user rights Contain a SID, a Unique Identifier Used to Represent a User or a Group ? Key Points Created During the Logon Process and Used Whenever a User Attempts to Gain Access to an Object Contain User Rights, the Privileges of a User To gain access to any resource on the network, a user must have an access token An access token is created for the user during the logon process and contains attributes that establish the security credentials for that user on the local computer The access token is used whenever a user attempts to gain access to an object When the user runs an application, a new process is launched that inherits the user’s access token The access token is permanently attached to each of the user’s processes and serves as an identity card whenever the user attempts to use system resources When a user’s process attempts to gain access to any object, Windows 2000 checks the user’s SID and the list of group IDs in the access token against the object’s DACL This check determines whether the user is granted access to the object Security Identifier A SID is the security identifier for the user who is logged on A SID is a unique identifier used to represent a user or a group and DACLs instead of user names or group names A SID allows the operating system to uniquely identify each user and group account, even if that account is renamed or has the same name as another account In this way, permissions assigned to an object can only be used by that object, regardless of what the user or group is named Group ID The Group ID is a list of the groups to which the user belongs For a domain logon process, the domain controller compiles a list of the SIDs for the global and domain local groups of which the user is a member The domain controller contacts a global catalog server to obtain the SIDs of any universal groups of which the user is a member This list is returned to the client computer, which then adds any local groups of which the user is a member 16 Module 1: Introduction to Advanced Administration of a Windows 2000 Network User Rights User rights are the privileges of the user The local computer adds the list of user rights to the access token User rights determine what administrative actions the user can perform on the local computer Examples include shutting down the computer, logging on interactively, and taking ownership of objects Module 1: Introduction to Advanced Administration of a Windows 2000 Network 17 How Windows 2000 Grants Access to Resources Slide Objective Domain To explain how Windows 2000 uses DACLs to grant access to resources Access File Read Allowed OU2 Lead-in Windows 2000 uses access tokens and DACLs to grant access to resources OU1 User User Application Sends Read Request Security Subsystem Checks Appropriate ACE in DACL for File ACE Found Security Subsystem Security Subsystem DACL User Read User Read Group Full Control Group Full Control Key Points The process of accessing an Active Directory object is identical to the process of accessing any file system object Windows 2000 allows access to resources by checking the DACL list of allowed permissions against the user’s requested access The user gains access to a resource through the following process: The user requests access to an Active Directory object For example, a user requests Read access to an object in an OU by attempting to display the Properties dialog box for a user account By attempting to display the Properties dialog box, the user causes Active Directory Users and Computers to generate an input/output (I/O) request to Windows 2000, which validates the request through the security subsystem The security subsystem reads the DACL for an object, searching for ACEs that contain the user’s SID or the SID of a group to which the user belongs Each ACE that applies to the user is compared against the requested access until an ACE that denies or allows the requested access is located If a deny is encountered, or no ACE exists for the requested access, the user’s request fails ACEs that deny access are listed first in the DACL The security subsystem processes the ACEs in order and grants access to the object as soon as an ACE that allows the requested access is encountered If access is granted, then the resource is opened for only the requested access If the user is denied access, an error message appears A DACL is checked only when the resource is initially opened If a user’s permissions for an object are changed while the user is accessing the object, the user retains his or her current access to the object Access for the object is updated the next time that the user accesses it 18 Module 1: Introduction to Advanced Administration of a Windows 2000 Network Demonstration: Examining Access Tokens Slide Objective To introduce the Examining Access Tokens demonstration Lead-in In this demonstration, you will see and compare the access tokens of two logon accounts Delivery Tip Log on as Administrator, and at the command prompt run Mytoken.exe Show the access token to students Point out the SID, Group IDs, and the user rights components of the access token for the Administrator account Using the secondary logon process (Run as), log on as any user, run Mytoken.exe, and show the students this access token Point out the SID, Group IDs, and the user rights components of the access token for the user account Display the two access tokens side by side and ask students to identify the differences between SIDs, Group IDs, and User Rights Module 1: Introduction to Advanced Administration of a Windows 2000 Network 19 Review Slide Objective To reinforce module objectives by reviewing key points Lead-in The review questions cover some of the key concepts taught in the module ? Administering a Windows 2000 Network ? Centralized Management ? Delegating Administrative Control ? Controlling Access to Active Directory Objects and Windows 2000 Resources How does Active Directory enable centralized network management and decentralized administration? Active Directory is a central repository of objects It contains information about the properties of objects and allows the editing of this information It also makes it easy for administrators to locate information about objects anywhere in the enterprise It allows you to group objects with identical administrative and security requirements into domains and OUs Finally, Active Directory allows you to set administrative permissions for OUs and Active Directory objects that allow other users to administer them You are the senior administrator in an organization Because your workload has increased you want to delegate the administration of users in the Sales department to a junior administrator How can you this? Assign the Full Control permission for managing users in the Sales OU to the junior administrator Your time is typically divided between answering e-mail queries, developing standards and training documents, and using Windows 2000 administrative tools Because most of the work that you requires you to be logged on using your standard user account, you not want to log off to run administrative tools What can you to accomplish this? Use the secondary logon process (Run as) to run the administrative tools 20 Module 1: Introduction to Advanced Administration of a Windows 2000 Network A user sitting at a computer running Windows 2000 Professional attempts to connect to a shared folder in Active Directory What is the process that the Windows 2000 server uses to verify that the user is allowed to gain access to the resource? User requests access to the shared folder Windows 2000 validates the request through the security subsystem The security subsystem reads the DACL for the shared folder and searches for ACEs that contain the user’s SID or the SID of a group to which the user belongs If access is granted, then the resource is opened for only the requested access If the user is denied access, an error message appears ... use Windows 2000 to control access to Active Directory objects and network resources Module 1: Introduction to Advanced Administration of a Windows 2000 Network Administering a Windows 2000 Network. .. Policy allow administrators to centrally manage a large number of users, computers, and network resources Senior administrators can delegate administrative tasks to other administrators Administrators... Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 1: Introduction to Advanced Administration of a Windows 2000 Network iii Introduction Presentation: