9. Click the Domain Controllers OU in the left pane. A computer object representing your
domain controller is displayed in the right pane.
10. Right-click the Domain Controllers OU and click Properties. If you have worked with Active
Directory Users and Computers in Windows Server 2003, you might notice that the Group
Policy tab is missing. In Windows Server 2008, all group policy management is done with
the Group Policy Management MMC. Click Cancel.
11. Click the Users folder in the left pane. The right pane displays a list of groups and two user
accounts created by default when Active Directory is installed.
12. Leave Active Directory Users and Computers open for the next activity.
Active Directory Leaf Objects
A leaf object doesn't contain other objects and usually represents a security account, network
resource, or GPO. Security account objects include users, groups, and computers. Network
resource objects include servers, domain controllers, file shares, printers, and so forth. GPOs
aren't viewed as objects in the same way as other Active Directory objects. In Windows Server
2008, GPOs are managed by the Group Policy Management MMC, discussed later. The following
paragraphs explain some common leaf objects in Active Directory.
User Accounts
A user account object contains information about a network user. Typically,
when a user account is created, the administrator enters at least the user's name, logon name,
and password. However, the user account object contains much more information, such as group
memberships, account restrictions (allowed logon hours and account expiration date, for example),
profile path, and dial-in permissions. In addition, administrators can fill in descriptive
fields, such as office location, job title, and department. The main purpose of a user account
is to allow a user to log on to a Windows computer or an Active Directory domain to access
computer and domain resources. By supplying a user logon name and password, a user is authenticated
on the computer or network. Authentication confirms a user's identity, and the account
is then assigned permissions and rights that authorize the user to access resources and perform
certain tasks on the computer or domain.
Windows Server 2008 defines three user account types: local user accounts, domain user
accounts, and built-in user accounts. A local user account is defined on a local computer and is
authorized to access resources only on that specific computer. Local user accounts are mainly
used on stand-alone computers or in a workgroup network with computers that aren't part of
an Active Directory domain. A domain user account is created in Active Directory and provides
a single logon for users to access all resources in the domain for which they have been authorized.
Windows creates two built-in user accounts automatically: Administrator and Guest. They
can be local user accounts or domain user accounts, depending on the computer where they're
created. On a workgroup or stand-alone Windows computer, these two accounts are created
when Windows is installed, and they are local accounts that have access to resources only on the
local computer. When Active Directory is installed on a Windows Server 2008 computer, these
two accounts are converted from local user accounts to domain user accounts. User accounts are
discussed in more detail in Chapter 5.
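
The following PowerShell script is an added example, not part of the original text. It reads the user account fields described above (group memberships, account expiration, logon hours, profile path, dial-in permission, and the descriptive fields) from their LDAP attributes, which is useful when reviewing account restrictions. The logon name 'jsmith' and all function names are hypothetical; it assumes a domain-joined computer and read access to the directory.

```powershell
# Added example: map the user account fields described above to LDAP attributes.
# Assumes a domain-joined host and read access; 'jsmith' is a hypothetical logon name.
param([string]$LogonName = 'jsmith')
function Protect-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so the name cannot alter the search filter
    $Value = $Value.Replace('\', '\5c').Replace('*', '\2a')
    return $Value.Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}
function Get-First($Props, [string]$Name) {
    # Result keys are lowercase; an attribute that is not set is simply absent
    $v = $Props[$Name.ToLower()]
    if ($null -ne $v -and $v.Count -gt 0) { return ,$v[0] }
    return $null
}
function Convert-AccountExpires($Value) {
    # accountExpires is a FILETIME; 0 and Int64.MaxValue both mean "never"
    if ($null -eq $Value -or $Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return 'Never' }
    return [DateTime]::FromFileTimeUtc($Value)
}
function Get-AllowedHourCount($Bytes) {
    # logonHours is 21 bytes, one bit per hour of the week; absent = no restriction
    if ($null -eq $Bytes) { return 168 }
    $count = 0
    foreach ($b in $Bytes) {
        foreach ($mask in 1,2,4,8,16,32,64,128) { if ($b -band $mask) { $count++ } }
    }
    return $count
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$safe = Protect-LdapFilterValue $LogonName
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
$attrs = 'samaccountname','memberof','accountexpires','logonhours','profilepath',
         'physicaldeliveryofficename','title','department','msnpallowdialin'
[void]$searcher.PropertiesToLoad.AddRange([string[]]$attrs)
$result = $searcher.FindOne()
if ($null -eq $result) { Write-Warning "No user found for '$LogonName'"; return }
$p = $result.Properties
New-Object PSObject -Property @{
    LogonName         = Get-First $p 'samaccountname'
    GroupDNs          = @($p['memberof'] | Where-Object { $_ })
    AccountExpiresUtc = Convert-AccountExpires (Get-First $p 'accountexpires')
    AllowedLogonHours = Get-AllowedHourCount (Get-First $p 'logonhours')
    ProfilePath       = Get-First $p 'profilepath'
    Office            = Get-First $p 'physicaldeliveryofficename'
    JobTitle          = Get-First $p 'title'
    Department        = Get-First $p 'department'
    DialInAllowed     = Get-First $p 'msnpallowdialin'
}
```

The memberOf attribute does not list the account's primary group (Domain Users by default), so GroupDNs shows only the other direct memberships.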
Groups
A group object represents a collection of users with common permissions or rights
requirements on a computer or domain. Permissions define which resources users can access and
what level of access they have to resources. For example, a user might have permission to open
and read a certain document but not to change it. A right specifies what types of actions a user
can perform on a computer or network. For example, a user might have the right to log on to and
log off a computer but not shut down the computer. Groups are used to assign members permissions
and rights. This method is more efficient than assigning permissions and rights to each user
account separately because you have to perform the assignment task only once. For example, if
all users in the Accounting Department need access to a shared folder, you can create a group
containing all users in this department as members and assign permission to access the shared
folder to the group as a whole. In addition, if a user leaves the department, you can remove his