Guide to Managing the Active Directory for Enterprise Administrators

Document Change Control Table
Version Number / Date of Issue / Author(s) / Brief Description of Change(s)
1.00 / 2/10/04 / D. Aragon / Initial Version
1.01 / 5/12/04 / D. Aragon / Added section on implementing the U-Drive.
1.02 / 5/21/04 / D. Aragon / Added Document Control Table and Table of Contents.
1.03 / 6/30/04 / D. Aragon / Added new section on adding limited scope administrative accounts.

Table of Contents

Introduction

Prerequisites

Creating a New Administrative Account

Limited Scope Administrative Accounts

Creating a New Administrative Group

Adding an Organizational Unit and Delegating Administrative Control

Editing a Root Group Policy Object

Deleting an Administrative Group or Account

Special Considerations for Implementing the U-Drive

Introduction

ITR, in conjunction with TSAG members, have been tasked with implementation of the policies and management of the top level (root) organizational unit (OU) along with implementing TSAG approved changes to the schema and top level (root) Group Policy Object (GPO). This guide is provided to those individuals as an overview of each of the tasks they may be called upon to perform.

Prerequisites

This document is based on Step-by-Step How-To-Guide to the Common Infrastructure for Windows 2000 Server Deployment,

Part One:

Part Two: and

This document assumes you are familiar with Windows 2000 or Windows XP and that you have Enterprise Administrative authority (i.e. you have an e_ account, the “e-under-bar” account). It also assumes that you have basic knowledge of how to get around in Active Directory; it is therefore not a step-by-step guide, but rather a task-by-task guide to help ensure that all the necessary tasks are performed in the correct order.

Creating a New Administrative Account

When a College or Organization wants to join Active Directory, they must first identify who will have administrative authority for their OU. If they wish ITR to perform this task, then skip to the Adding an Organizational Unit section.

  1. In OU = Auth, OU = Admin, right-click and create a new User.
  2. Enter their First Name and Last Name.
  3. Full Name should be “a_” followed by their user account name. For example if George Low’s normal login name is glow, then his admin account would be a_glow.
  4. Set his User Login Name to the same value.
  5. Click Next.
  6. Enter and then re-enter a temporary password.
  7. Write this password along with the login on a piece of paper. This piece of paper must be hand delivered to the individual.
  8. Check the box next to User must change password next time they logon; this forces them to change the password the first time they try to use the account.
  9. Click Next and Finish.

Note: Because of the method utilized to provide security to the Active Directory Tree and restrict administrative privilege, the following additional steps must be followed, otherwise the account created above will be automatically removed by the Domain Controller during its next refresh.
  1. Remotely connect to one of the Domain Controllers and logon with your e_account.
  2. Open the Domain Security Policy (Start, Programs, Administrative Tools, Domain Security Policy).
  3. Select Restrictive Groups.
  4. Select the name of the Local Administrative Group you wish to add the newly created a_account to.
  5. Right click on the group and select Security.
  6. In the Top section select Add, Browse, and either select the a_account(s) from the list or type in each a_account, separated by a semicolon (;). After each name press the Check Name button.
  7. When finished press Ok enough times to bring you back to the Restrictive Groups (3 to 5 times will be required).
  8. Select All_Admins group, right click and select Security.
  9. In the Top section select Add, Browse, and either select the a_account(s) you just created from the list or type in each a_account, separated by a semicolon (;). After each name press the Check Name button. When finished press Ok followed by another Ok.
  10. Close the MMC and log off of the Domain Controller.

Limited Scope Administrative Accounts

Occasionally a college or unit will want to delegate some administrative responsibility to student assistants or other staff members. It is the policy to separate user privilege from administrative privilege; therefore, to maintain this separation, a sub-administrator account must be created for these people. The procedure follows the steps enumerated in “Creating a New Administrative Account” with the following changes:

  1. The account name is prefixed with “s_” instead of “a_”.
  2. When granting administrative rights, only grant the specific ones requested. This may require you to be a little creative.
  3. If appropriate, limit the days and hours this account may be used.
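As an added example that is not part of this guide, the account-creation steps above and the s_ variant in this section can be scripted with the ActiveDirectory PowerShell module; the DC= components, the UPN suffix and the Monday-to-Friday logon window are assumptions. The Restrictive Groups steps in the note still have to be done in the Domain Security Policy console.

```powershell
# Added example (not from the guide). Requires the ActiveDirectory module.
# The DC= components and the UPN suffix are placeholders for the CSUN domain.
Import-Module ActiveDirectory

function New-OuAdminAccount {
    param(
        [Parameter(Mandatory)][string]$Login,       # normal login name, e.g. glow
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [ValidateSet('Full', 'Limited')][string]$Scope = 'Full',
        [string]$AdminOu   = 'OU=Admin,OU=Auth,DC=csun,DC=example',   # placeholder DN
        [string]$UpnSuffix = 'csun.example'                           # placeholder
    )
    # Naming convention from the guide: a_<login> for full, s_<login> for limited scope
    $prefix = if ($Scope -eq 'Full') { 'a_' } else { 's_' }
    $name   = "$prefix$Login"

    # Step 6: a random temporary password. It is handed over on paper (step 7), so it
    # is returned to the caller and never written to a log or sent by e-mail.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)

    # Steps 3, 4 and 8: Full Name and logon name are identical; password must be
    # changed at first logon
    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$UpnSuffix" `
        -GivenName $GivenName -Surname $Surname -Path $AdminOu -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $tempPassword -AsPlainText -Force) `
        -ChangePasswordAtLogon $true

    if ($Scope -eq 'Limited') {
        # Limited-scope step 3: restrict the days and hours the s_ account may log on.
        # logonHours is 21 bytes = 168 one-hour bits; bit 0 is Sunday 00:00 UTC, least
        # significant bit first. Assumed window: Monday-Friday, 08:00-17:59 UTC.
        $hours = New-Object byte[] 21
        foreach ($day in 1..5) {                    # 0 = Sunday ... 6 = Saturday
            foreach ($hour in 8..17) {
                $bit = $day * 24 + $hour
                $idx = [int][Math]::Floor($bit / 8)
                $hours[$idx] = [byte]($hours[$idx] -bor (1 -shl ($bit % 8)))
            }
        }
        Set-ADUser -Identity $name -Replace @{ logonHours = $hours }
    }

    # Without the Restrictive Groups / All_Admins entries from the guide's note, the
    # account is removed again at the Domain Controller's next refresh.
    [pscustomobject]@{ Account = $name; TemporaryPassword = $tempPassword }
}
```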

Creating a New Administrative Group

  1. In OU = Auth, OU = Proxie, Right-click and create a new Group.
  2. Enter the name of the group as <OU Name>-Admin and press Ok. For example, if the group will administer the ITR OU, then the group name would be ITR-Admin.
  3. Select the group, open the Properties, select Members tab and press the Add button.
  4. Either select the a_account(s) from the list or type in each a_account, separated by a semicolon (;). After each name press the Check Name button. When finished press Ok.
  5. Remotely connect to one of the Domain Controllers and logon with your e_account.
  6. Open the Domain Security Policy (Start, Programs, Administrative Tools, Domain Security Policy).
  7. Select Restrictive Groups, right click, and select Add Group.
  8. Enter the name of the Group you previously created and select Ok.
  9. Right click on the group and select Security.
  10. In the Top section select Add, Browse, and either select the a_account(s) from the list or type in each a_account, separated by a semicolon (;). After each name press the Check Name button. When finished press Ok followed by another Ok.
  11. In the bottom section select Add, Browse, Group Policy Creator Owner, then Ok three times.
  12. Select All_Admins group, right click and select Security.
  13. In the Top section select Add, Browse, and either select the a_account(s) you just created from the list or type in each a_account, separated by a semicolon (;). After each name press the Check Name button. When finished press Ok followed by another Ok.
  14. Close the MMC and log off of the Domain Controller.

Adding an Organizational Unit and Delegating Administrative Control

This procedure creates an organizational unit (OU) in the CSUN domain and gives administrative control to a specific administrative group.

  1. Right-click the root.
  2. Point to New and click Organizational Unit. Type the name of your new organizational unit following the naming conventions used for PeopleSoft and Meeting Maker. Click OK.
  3. Select the OU, Right click and select Delegate Control.
  4. Select Next, Add, and either select the appropriate admin group from the list or type in the admin group name and press the Check Name button. When finished press Ok followed by another Ok and Next.
  5. Select all check boxes EXCEPT Create, delete, and manage user accounts and Reset passwords on user account followed by the Next and Finish buttons.
  6. Right click OU again and select Properties and Security.
  7. Select the Admin group from the top half and check all of the boxes in the bottom half, then click on the Advanced button.
  8. There should be three (3) permissions listed for the Admin group:
     a. Full Control – This object and all child objects.
     b. Full Control – Group objects.
     c. Read All Properties – User objects.
  9. If this is not the case, edit and correct the settings.

Note: The first one (setting 8.a above) will most likely be set to “This object only” and is normally the only one that needs to be changed.
  10. Once completed select Ok, ensure that the Inherit box is checked (bottom left corner) and press Ok.
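The permission check in step 8 and its note can be done without clicking through the Advanced dialog. This added example (not from the guide) reads the OU's ACL over the AD: drive and flags a Full Control entry scoped to “This object only”; the OU distinguished name and group name are placeholders.

```powershell
# Added example (not from the guide). Requires the ActiveDirectory module, which
# provides the AD: drive used by Get-Acl. OU and group names below are placeholders.
Import-Module ActiveDirectory

# Well-known schemaIDGUID values for the object classes named in step 8
$classNames = @{
    '00000000-0000-0000-0000-000000000000' = 'all child objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'Group objects'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'User objects'
}

function Get-OuAdminDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # e.g. 'OU=ITR,DC=csun,DC=example' (placeholder)
        [Parameter(Mandatory)][string]$AdminGroup   # e.g. 'CSUN\ITR-Admin' (placeholder)
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        # Only the explicit entries granted to the admin group (Delegate Control, step 7)
        if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $AdminGroup) { continue }

        $classKey = $ace.InheritedObjectType.ToString()
        $class    = if ($classNames.ContainsKey($classKey)) { $classNames[$classKey] } else { $classKey }
        $appliesTo = switch ([string]$ace.InheritanceType) {
            'None'        { 'This object only' }
            'All'         { "This object and $class" }
            'Descendents' { $class }                 # .NET spells this enum value with an "e"
            default       { [string]$ace.InheritanceType }
        }

        # The note under step 8: Full Control scoped to "This object only" is the usual defect
        $warning = ''
        if ($ace.ActiveDirectoryRights -eq 'GenericAll' -and $ace.InheritanceType -eq 'None') {
            $warning = 'Full Control applies to this object only; change to "This object and all child objects"'
        }

        [pscustomobject]@{
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights     # GenericAll is Full Control
            AppliesTo = $appliesTo
            Warning   = $warning
        }
    }
}
```

Compare the rows against the three permissions in step 8; any row with a non-empty Warning is the case the note describes.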

Editing a Root Group Policy Object

Writing a Group Policy Object (GPO) can be a daunting and formidable task. The purpose of the GPO is to provide a mechanism to limit the behavior of a system or the user currently using that system. To make the task easier, the GPO is divided into logical sections. Below the root node, the namespace is divided into two parent nodes: Computer Configuration and User Configuration. These are the parent folders that you use to configure Group Policy settings. Computer-related Group Policy is applied when the operating system boots and during the periodic refresh cycle, while User-related Group Policy settings are applied when users log on to the computer and during the periodic refresh cycle.

Three nodes exist under the Computer Configuration and User Configuration parent nodes: Software Settings, Windows Settings, and Administrative Templates. The Software Settings and Windows Settings nodes contain extension snap-ins that extend either or both of the Computer Configuration and User Configuration nodes. Most of the extension snap-ins extend both of these nodes, but frequently with different options. The Administrative Templates node namespace contains all policy settings pertaining to the registry.

Several documents are attached to help in deciding which settings are appropriate and which are necessary.

  • GPO Settings Explanations – This document goes through each setting and gives a brief explanation of what it does
  • Root (overridable and non-overridable) GPO Settings – A listing of the settings that have been implemented at the root. Some of these settings are overridable and describe best practice, while others are not overridable, describing policy; both apply to all systems and users in Active Directory.
  • Blank GPO Worksheet – A worksheet that can be used to document the settings you change in the Root GPO(s).

Occasionally, the root policy will need to be updated or changed. These changes will only be implemented when directions have been received from TSAG or when some portion of the GPO has been found to cause incompatibilities that have led to a break in connectivity. If changes are made because of an incompatibility issue which breaks connectivity, temporary changes to the GPO can be made; however, these changes must be documented, justified, and reported to TSAG.

To change the Root GPO:

  1. Select the Root, Right click and select Properties.
  2. Select the Group Policy Tab
  3. Select the GPO that needs changing and click on Edit.
  4. Expand the appropriate section(s).
  5. Find the setting that needs updating and double click it.
  6. Make the appropriate corrections and press enter.

Note: Changing a setting from either “Enabled” or “Disabled” to “Not Defined” will not delete the local setting. Once defined, the best way to change a setting is to select the opposite setting from the original (a setting of “Enabled” changes to “Disabled” and vice versa).
  7. When you are finished, save and exit. The new changes to the GPO will be applied to all systems from the root and below either the next time a user logs on to a system or at the next system wide update (usually within 90 minutes).

Deleting an Administrative Group or Account

Occasionally the administrative staff of a unit changes; when this occurs, the administrative authority for the departing individual needs to be removed.

  1. Remotely connect to one of the Domain Controllers and logon with your e_account.
  2. Open the Domain Security Policy (Start, Programs, Administrative Tools, Domain Security Policy).
  3. Select Restrictive Groups and select the administrative group the account belongs to, right click on it, and select Security.
  4. In the Top section select the individual account to remove and click the Delete button followed by an Ok. Repeat the process for each account that needs to be deleted. When finished press Ok.
  5. Select All_Admins group, right click on it, and select Security.
  6. In the Top section select the individual account to remove and click the Delete button followed by an Ok. Repeat the process for each account that needs to be deleted. When finished press Ok.
  7. Close the MMC and log off of the Domain Controller.
  8. Go into Users and Computers; in OU=Auth, OU=Admins, delete the account(s) removed above. Then go to OU=Proxie and select the Group the account is in.
  9. Right click, select Properties. Select the Members tab. Select the account from the list presented and click the Remove button. Repeat until you have deleted all unnecessary account(s) from the listing.
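Steps 8 and 9 above, as an added example that is not part of this guide: the departing person's a_ account and any s_ account are pulled out of every group they belong to (All_Admins, the <OU>-Admin group in OU=Proxie and anything granted later) and then disabled or deleted. The Restrictive Groups entries from steps 1 to 7 are still removed in the Domain Security Policy console.

```powershell
# Added example (not from the guide). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Remove-OuAdminAuthority {
    param(
        [Parameter(Mandatory)][string]$Login,   # departing person's normal login, e.g. glow
        [switch]$Delete                          # default only disables, keeping the audit trail
    )
    # Both the a_ account and any s_ account created for this person lose their authority
    foreach ($prefix in 'a_', 's_') {
        $name = "$prefix$Login"
        $acct = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Properties PrimaryGroup
        if (-not $acct) { continue }

        # Steps 8-9 of the guide: remove the account from All_Admins, the <OU>-Admin group
        # in OU=Proxie and anything else it was added to. The primary group cannot be
        # removed this way, so it is skipped.
        $groups = Get-ADPrincipalGroupMembership -Identity $acct |
                  Where-Object { $_.DistinguishedName -ne $acct.PrimaryGroup }
        foreach ($group in $groups) {
            Remove-ADGroupMember -Identity $group -Members $acct -Confirm:$false
        }

        if ($Delete) {
            Remove-ADUser -Identity $acct -Confirm:$false
            $action = 'deleted'
        } else {
            Disable-ADAccount -Identity $acct
            $action = 'disabled'
        }

        # One report row per account, listing the groups it was removed from
        [pscustomobject]@{
            Account     = $name
            RemovedFrom = (@($groups | ForEach-Object { $_.SamAccountName }) -join ', ')
            Action      = $action
        }
    }
}

# Steps 1-7 (the Restrictive Groups entries in the Domain Security Policy) are still done
# in the console; until they are, the policy keeps listing the removed account as a member.
```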

Special Considerations for Implementing the U-Drive

The U-Drive is a drive share that will be universally available to every staff member, faculty member, and student from any computer the individual logs in to. This is accomplished in Active Directory by implementing a GPO at the root. The current problem is that several of the colleges use the letter “U” for some other purpose. To keep from causing a conflict with these locally defined drive mappings, the U-Drive implementation is not yet universal. As a college or department indicates their desire for the U-Drive, enough information is obtained from the local administrator to define membership in a group. For example, “all students taking a Business class” would define the group COBAEStudents. Once defined, the group is put into the list of authorized recipients to automatically get a U-Drive on login. This is accomplished as follows:

  1. Select the Root, Right click and select Properties.
  2. Select the Group Policy Tab
  3. Select the U-Drive GPO and click on Edit.
  4. Select the Security tab.
  5. Add the name of the group to the list with Read and Apply Group Policy boxes checked.
  6. Close the GPO.