Managing and Maintaining a Microsoft Windows Server 2003 Environment.
Study Guide
1. Managing Users, Computers, and Groups
To create users you must have administrative privileges.
Normally this means an Account Operator or Administrator; however, it could also
mean a user who has been delegated the right to create users, groups or
computers in an OU.
Logon name (sAMAccountName) is required and must be unique in the Domain. 'Full
name' must be unique within the OU, particularly for Exchange mailboxes.
On Windows 98 computers a user's password must be no longer than 14 characters.
Command-line tools: dsadd, dsmod, dsget, dsrm, dsmove, dsquery, gpresult, whoami.
To create a group and add users to it use dsadd group with the parameters
-secgrp <yes|no>, -scope <l|g|u>, -members and -memberof.
To modify the members of an existing group use dsmod group with -addmbr or
-rmmbr (but you cannot use both at once).
To reset a computer account use dsmod with the -reset parameter.
Dsquery parameters: -o <format>, -inactive <weeks>, -stalepwd <days>.
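The following batch script is an added example, not part of the original study guide, showing the ds* tools above used for routine account hygiene: it lists users inactive for four weeks, lists users whose password is older than 90 days, disables (rather than deletes) accounts idle for eight weeks, and resets a computer account. The domain contoso.com, the OU=Staff container and the computer name WS01 are assumed placeholders.

```batch
@echo off
rem Added example (not from the study guide). Run on a Windows Server 2003
rem member server or DC as a user delegated rights over the target OU.
rem Assumed placeholders: DC=contoso,DC=com, OU=Staff, computer WS01.
setlocal
set STAFF=OU=Staff,DC=contoso,DC=com

rem 1. Who has not logged on for 4 weeks? (-inactive is counted in weeks)
echo === Users inactive for 4+ weeks ===
dsquery user "%STAFF%" -inactive 4 -limit 0

rem 2. Whose password is older than 90 days? (-stalepwd is counted in days)
rem    dsquery emits DNs, which dsget consumes to print logon and display names.
echo === Users with passwords older than 90 days ===
dsquery user "%STAFF%" -stalepwd 90 -limit 0 | dsget user -samid -display

rem 3. Disable, do not delete, accounts idle for 8 weeks; dsmod reads the
rem    piped DNs. Review the list from step 1 before running this step.
dsquery user "%STAFF%" -inactive 8 -limit 0 | dsmod user -disabled yes

rem 4. Record what is now disabled, for the change log.
echo === Disabled accounts ===
dsquery user "%STAFF%" -disabled -limit 0

rem 5. Reset a computer account on the directory side. Use this when a user
rem    can log on but cannot reach any network resource. The workstation
rem    then needs its secure channel re-established, e.g. by running
rem    "netdom reset WS01 /domain:contoso.com" on it or by rejoining.
dsmod computer "CN=WS01,CN=Computers,DC=contoso,DC=com" -reset

endlocal
```

Step 3 is the only destructive step; running step 1 first and reading its output is the control that keeps a service account with a long idle time from being disabled by accident.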
By default, each ordinary user can join 10 computers to the domain. You can
adjust this setting through the Group Policy setting Add workstations to a domain.
If a user is able to log on but cannot access any network resources, try
resetting the password for the COMPUTER account. You have to be a member of
the local Administrators group to change a computer's name.
NETDOM is a command-line Support Tool for creating and modifying domain
accounts. Nltest is a lesser-known command-line utility that shows which
domain you are in.
In command-line tools you use $username$ (case sensitive), not %username%
(which is used to define the path for profile storage).
After a computer is removed or disjoined from a domain, its account appears as
disabled.
Movetree command-line tool can be used to move objects like OUs from one domain
to another domain.
A Local Group can include members from any domain in the forest, from trusted
domains in other forests, and from trusted down-level domains; however, its
scope is limited to that machine. Be sure to know the difference from the
next group type: Domain Local Group.
A Domain Local Group (mixed, interim, native) can include members from any
domain in the forest and from trusted domains in other forests. In Windows 2003,
Domain Local Groups have domain-wide scope in native or Server 2003 domains.
Global Groups can only include members from within their own domain. However,
Global Groups can join Local or Domain Local groups. Once you raise the domain
level to Windows 2000 native, you can nest Global Groups within other Global
Groups, and add Global Groups to Universal Groups.
Universal Groups combine the properties of Global and Domain Local groups, and
can contain members from any domain in the forest. As expected, Universal
Groups can be granted permissions in any domain, including trusted forests.
Remember the acronyms AGP, AGDLP and AGUDLP.
As a user logs on to the network, that user is added to the Everyone group.
Whenever a user accesses a given resource over the network, that user is added
to the Network group. The opposite of the Network group is the Interactive
group.
Anonymous Logons (IUSER_SERVER) are users who use network resources without
going through an authentication process, whereas Authenticated Users are users
who have been verified by Active Directory.
Creator Owner is a group representing the user who created the resource. Only
available on NTFS partitions.
Dialup is a group of users connected to the network through a dialup connection.
Group conversion:
You cannot change the scope of a group if the domain level is not Windows 2000
or higher.
Global groups cannot be converted directly to domain local groups and vice
versa; the trick is to change the scope to universal first, then you can make
the other change.
Global to universal: only allowed if the group you want to change is not a
member of another global scope group.
Domain local to universal: only allowed if the group you want to change is not
nested.
Universal to domain local: no restrictions on this operation.
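As an added example (not code from the study guide), the batch script below walks the AGDLP pattern from the group sections above end to end with the ds* tools, then demonstrates the conversion rule just stated: a global group is taken to domain local scope by way of universal scope, on a separate group with no nesting so that neither restriction applies. The domain contoso.com, the OU=Groups and OU=Finance containers, the user Jane Doe and the folder D:\FinanceShare are assumed placeholders.

```batch
@echo off
rem Added example (not from the study guide). Requires Windows 2000 native or
rem higher functional level for the nesting and the scope changes.
rem Assumed placeholders: contoso.com, OU=Groups, OU=Finance, D:\FinanceShare.
setlocal
set GROUPS=OU=Groups,DC=contoso,DC=com

rem A -> G: put the user account in a Global security group
dsadd group "CN=GG-Finance,%GROUPS%" -secgrp yes -scope g -desc "Finance department staff"
dsmod group "CN=GG-Finance,%GROUPS%" -addmbr "CN=Jane Doe,OU=Finance,DC=contoso,DC=com"

rem G -> DL: nest the Global group in a Domain Local group named after the
rem resource and the access level it grants
dsadd group "CN=DL-FinanceShare-Change,%GROUPS%" -secgrp yes -scope l -desc "Change access to FinanceShare"
dsmod group "CN=DL-FinanceShare-Change,%GROUPS%" -addmbr "CN=GG-Finance,%GROUPS%"

rem DL -> P: the permission is granted to the Domain Local group only.
rem cacls /E edits the existing ACL, /G grants, C = Change.
cacls D:\FinanceShare /E /G "CONTOSO\DL-FinanceShare-Change:C"

rem Verify effective membership; -expand follows the nesting down to users
dsget group "CN=DL-FinanceShare-Change,%GROUPS%" -members -expand

rem Scope conversion. A direct global -> domain local change is refused, so
rem go via universal. Done here on a fresh, un-nested group so that the
rem "not a member of another global group" restriction cannot apply.
dsadd group "CN=GG-Audit,%GROUPS%" -secgrp yes -scope g
dsmod group "CN=GG-Audit,%GROUPS%" -scope u
rem universal -> domain local has no restriction
dsmod group "CN=GG-Audit,%GROUPS%" -scope l
dsget group "CN=GG-Audit,%GROUPS%" -scope

endlocal
```

Granting the ACL to the domain local group rather than to GG-Finance is the point of the pattern: when a second department needs Change access to the share, only a group nesting changes and the ACL on the folder stays as it is.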
The only way to provide separate password policies to a group of users is to
move their accounts to another domain (a child domain does not inherit the
password policy from the parent domain).
Universal distribution groups can be created regardless of the domain
functional level.
Account Operators can move computer accounts to organizational units but,
surprisingly, not to default containers such as Computers. Account Operators
also cannot move computer accounts into the Domain Controllers organizational
unit, but they can move computer accounts out of the Domain Controllers
organizational unit.
There is a policy called 'Only Allow Local User Profiles' which disallows
roaming profiles on computers.
Csvde is a command-line tool for importing and exporting objects to and from
Active Directory. LDIFDE can also modify existing objects, including
passwords.
ADMT can import accounts from an NT domain into Windows Server 2003 Active
Directory. To copy a user profile you must be a member of the Administrators group.
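The following batch script is an added example, not code from the study guide, showing the difference just described between csvde and ldifde: csvde exports a filtered set of user attributes to CSV, and ldifde imports an LDIF change record that modifies an existing object, which csvde cannot do. The domain contoso.com, the OU=Finance container and the user Jane Doe are assumed placeholders.

```batch
@echo off
rem Added example (not from the study guide). Assumed placeholders:
rem domain contoso.com, OU=Finance, user Jane Doe.
setlocal
set FINANCE=OU=Finance,DC=contoso,DC=com

rem Export: -f names the output CSV, -d sets the search root,
rem -r takes an LDAP filter, -l restricts the exported attributes.
csvde -f finance-users.csv -d "%FINANCE%" -r "(objectClass=user)" -l "sAMAccountName,displayName,description"

rem Modify: csvde only creates objects, so use ldifde with an LDIF change
rem record. One record is: dn, changetype, a "replace:" block closed by a
rem line containing only "-", then a blank line to end the record.
> mod.ldf echo dn: CN=Jane Doe,%FINANCE%
>> mod.ldf echo changetype: modify
>> mod.ldf echo replace: description
>> mod.ldf echo description: Finance analyst (updated by script)
>> mod.ldf echo -
>> mod.ldf echo.

rem -i import, -f input file, -k keep going past constraint violation and
rem object-already-exists errors so one bad record does not stop the run
ldifde -i -f mod.ldf -k

rem Confirm the change landed
dsget user "CN=Jane Doe,%FINANCE%" -desc

endlocal
```

The exported CSV doubles as the record of what the directory looked like before the change, which is worth keeping next to the .ldf file when modifications are scripted in bulk.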
To create a mandatory profile, rename Ntuser.dat to Ntuser.man. N.B. this must be
done on the server, not locally.
Account Logon Events are generated in the Event Log when a domain user account
is authenticated on a domain controller. Logon Events are generated when users
log on locally. Account Logon events need to be monitored on each domain
controller.
When you log on to a workstation using a domain account, the workstation
registers a Logon event and the domain controller registers an Account Logon
event. When you connect to a network server's shared folder, the server
registers a Logon event and the domain controller registers an Account Logon
event.
When you need to audit files or printers, turn on the Object Access audit
policy before you configure auditing on the object.
There is a policy to redirect My Documents; navigate to User
Configuration\Windows Settings\Folder Redirection.
Containers that are not OUs cannot have Group Policies linked to them. Check
Active Directory for the icons corresponding to the yellow containers: the
Built-in, Users and Computers containers.
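Because Account Logon events are written only on the domain controller that did the authentication, reviewing them means visiting every DC. The batch script below is an added example, not code from the study guide: it enumerates the domain controllers with dsquery and uses eventquery.vbs (shipped with Windows Server 2003) to pull the failed Account Logon audits from each into a CSV file per DC, then shows the corresponding Logon events on the local machine for comparison. It assumes the Audit account logon events policy is already set to Failure on the Domain Controllers OU; the event IDs are the Windows Server 2003 security log IDs (675 Kerberos pre-authentication failed, 680 NTLM logon failed, 529 local logon failed with bad password).

```batch
@echo off
rem Added example (not from the study guide). Collects failed Account Logon
rem audits from every domain controller into one CSV per DC for review.
rem Assumes "Audit account logon events: Failure" is already applied to the
rem Domain Controllers OU. Event IDs are Windows Server 2003 security IDs:
rem 675 Kerberos pre-authentication failed, 680 NTLM logon failed,
rem 529 logon failed (unknown user name or bad password).
setlocal
if not exist audit md audit

rem dsquery server lists the DCs; -o rdn prints the quoted server name and
rem %%~D strips the quotes so it can be used as a host name.
for /f "usebackq delims=" %%D in (`dsquery server -o rdn`) do (
    echo Collecting Account Logon failures from %%~D
    cscript //nologo %SystemRoot%\system32\eventquery.vbs /s %%~D /l Security /fi "Type eq FAILUREAUDIT" /fi "ID eq 675" /fo CSV > audit\%%~D-675.csv
    cscript //nologo %SystemRoot%\system32\eventquery.vbs /s %%~D /l Security /fi "Type eq FAILUREAUDIT" /fi "ID eq 680" /fo CSV > audit\%%~D-680.csv
)

rem For contrast, the Logon events land in the local Security log of the
rem machine that was logged on to: the 20 most recent bad-password logons here.
echo === Local Logon failures (event 529) ===
cscript //nologo %SystemRoot%\system32\eventquery.vbs /l Security /fi "ID eq 529" /r 20

endlocal
```

Reading the per-DC CSV files side by side is what makes a password-guessing run visible: a single account producing 675 or 680 failures on several domain controllers at once is a pattern that no one DC's log shows on its own.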