Which of the following Active Directory containers are new computer accounts placed in by default?

MCSA/MCSE 70-294 Working with User, Group, and Computer Accounts

Michael Cross, ... Dr. Thomas W. Shinder, Technical Editor, in MCSE (Exam 70-294) Study Guide, 2003

Default Groups in Users Container

In addition to the groups we’ve discussed, up to 13 built-in groups can be located by default in the Users container, including:

Cert Publishers, which gives members the ability to publish certificates

DnsAdmins, which provides administrative access to the DNS Server service

DnsUpdateProxy, which provides members with the ability to perform dynamic updates for other clients

Domain Admins, which gives members full control of the domain

Domain Computers, which includes computers that are part of the domain

Domain Controllers, which includes DCs

Domain Guests, which includes guests of the domain

Domain Users, which includes users of the domain

Enterprise Admins, which gives full control over every domain in the forest

Group Policy Creator Owners, which allows members to manage group policies in the domain

IIS_WPG, which is used by Internet Information Service (IIS)

RAS and IAS Servers, which allows members to manage remote access

Schema Admins, which allows members to modify the schema

Telnet Clients, which is used for clients to connect using Telnet

The Cert Publishers group is used for digital certificates, which we discussed in Chapter 1. Although this group has no default members, when members are added to it they have the ability to publish certificates for users and computers. This allows data to be encrypted and decrypted when sent across the network.

The DnsAdmins and DnsUpdateProxy groups are installed when DNS is installed. Both of these groups have no default members, but when members are added they have abilities relating to the DNS Server service. The DnsAdmins group allows members to have administrative access to the DNS Server service. The DnsUpdateProxy group allows members to perform dynamic DNS updates on behalf of other clients, and circumvent the DACLs that typically accompany Secure Dynamic Updates.

The Domain Admins group has full control in a domain. This group becomes a member of the Administrators group on each DC, workstation, and member server when they join a domain. Because of this membership, group members have all of the rights associated with the Administrators group, including the ability to back up and restore files, change the system time, create page files, enable accounts for delegation, shut down a computer remotely, load and unload device drivers, and perform other tasks relating to administration of Active Directory and servers.

The Domain Computers and Domain Controllers groups have memberships consisting of computers in the domain. The Domain Computers group contains all workstations and servers that have joined a domain, except for DCs. When a computer account is created, the computer object automatically becomes a part of this group. Similarly, the Domain Controllers group contains all DCs that are part of the domain. Using these groups, you can set permissions and rights that apply to the computer accounts that exist within a domain.

The next two groups we’ll discuss are for users who have their own accounts, or log on using a guest account. The Domain Guests group has a membership consisting of any domain guests, while the Domain Users group consists of all domain users, by default. Any user account that is created in a domain automatically becomes a member of the Domain Users group.

Enterprise Admins is a group that appears in the forest root domain, and allows members to have full control over every domain in the forest. Members of this group are automatically added to the Administrators group on every DC in every domain of the forest. As discussed earlier in this chapter, the Administrator account is a member of this group. Because of the power it gives a user, additional members should be added with caution.

The Group Policy Creator Owners group is used to manage group policy within a domain. Group policies allow you to control a user’s environment. Using policies, you can control such things as the appearance and behavior of a user’s desktop, and limit the user’s control over his or her computer. Members of the Group Policy Creator Owners group can modify these policies. Due to the power these members have over users within a domain, the Administrator account is the only default member of this group.

The IIS_WPG group is installed when IIS is installed. IIS version 6.0 uses worker processes to serve individual DNS namespaces and allows them to run under other identities. For example, a worker process might serve the namespace www.syngress.com, but could also run under another identity in the IIS_WPG group called Syngress. Because these identities need configuration to apply them to a particular namespace, there are no default members in this group.

The RAS and IAS Servers group is used for the Remote Access Service (RAS) and Internet Authentication Service (IAS), which provide remote access to a network. The members of this group have the ability to access the remote access properties of users in a domain. This allows them to assist in the management of accounts that need this access.

The Schema Admins group is another group that only appears in the forest root domain. This group allows members to modify the schema. The schema is used to define the user classes and attributes that form the backbone of the Active Directory database. As mentioned previously, the Administrator account is a default member of this group. Additional users should be added with caution, due to the widespread effect this group can have on a forest.
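As an added example (not from the study guide), the following PowerShell audits the membership of the privileged groups described above, flagging any member beyond the built-in Administrator in the admin groups and any member at all in the certificate and DNS groups that the text says are empty by default. It assumes the ActiveDirectory module (RSAT) is installed and that the group names are the defaults listed in the text.

```powershell
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$usersContainer = $domain.UsersContainer   # e.g. CN=Users,DC=example,DC=com

# Groups from the text whose membership deserves review.
$sensitive = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'Cert Publishers',
    'DnsAdmins', 'DnsUpdateProxy'
)
# These three should have no members unless someone deliberately added them.
$emptyByDefault = 'Cert Publishers', 'DnsAdmins', 'DnsUpdateProxy'

# Enterprise Admins and Schema Admins exist only in the forest root domain.
$isForestRoot = ($domain.DNSRoot -eq (Get-ADForest).RootDomain)

$report = foreach ($name in $sensitive) {
    if (-not $isForestRoot -and $name -in 'Enterprise Admins', 'Schema Admins') { continue }
    $group = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $usersContainer
    if (-not $group) { continue }   # e.g. DnsAdmins is absent when DNS is not installed
    # -Recursive expands nested groups so indirect members are not missed.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    [pscustomobject]@{
        Group       = $name
        MemberCount = $members.Count
        Members     = ($members | ForEach-Object SamAccountName) -join ', '
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report) {
    $others        = @($row.Members -split ', ' | Where-Object { $_ -and $_ -ne 'Administrator' })
    $shouldBeEmpty = $row.Group -in $emptyByDefault
    if (($shouldBeEmpty -and $row.MemberCount -gt 0) -or $others.Count -gt 0) {
        Write-Warning "Review membership of '$($row.Group)': $($row.Members)"
    }
}
```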


URL: //www.sciencedirect.com/science/article/pii/B9781931836944500088

Feature focus

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

User account properties

In addition to the username and password properties, domain user accounts include additional properties such as office location, office phone number, and e-mail address. These fields can be referenced (and populated) by various applications, including Microsoft Exchange Server, Office Communications Server, and SharePoint Server. Some of the additional user account properties are:

First Name

Last Name

Initials

Display Name

Description

Office

Telephone Number

E-mail

Web page

Physical Address Information (Street, City, State, Country)

Organization Information (Job Title, Department, Company, Manager, Direct Reports)

The following exercise will walk you through setting up a user account in AD:

1. Log on to a DC and open Server Manager.

2. Expand the nodes Roles | Active Directory Domain Services | Active Directory Users and Computers | <your domain>.

3. Right-click on the Users container. Then, select the option New → User. The New Object User wizard will launch.

4. Type John and Doe in the First name and Last name fields, respectively. Type jdoe in the User logon name text box as seen in Figure 4.34. Then, click Next.

Figure 4.34. Create New User Account Wizard.

5. Enter and confirm a password for the user. In our example, we will use [email protected]. Leave the box selected for User must change password at the next logon. This will force John Doe to change his password the first time he logs on to the network. The following password options are available when creating user accounts:

User must change password at next logon—This setting forces the user to change his password during the first logon.

User cannot change password—This prevents the user from changing his password.

Password never expires—This exempts the user from any account policies that might force password changes after x number of days.

Account is disabled—This disables the user account. It cannot be logged onto until it is enabled again.

6. Click Next to continue.

7. Verify the account settings and click Finish to create the user account.

Best practices

Use a management server or local workstation for admin tasks

As a best practice, you should not perform day-to-day account management operations on a DC. Instead, you should set up a management server or a workstation with the administrative tools installed. You can then run the tools and connect to a DC remotely when creating new accounts. This provides a greater level of security by limiting who can actually log on to a DC.
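The wizard exercise above as an added PowerShell example (not from the book), run from a management workstation against a DC with -Server as the best practice recommends, with the four password check boxes mapped to New-ADUser parameters and read back for verification. It assumes the ActiveDirectory module; the DC name is a placeholder.

```powershell
Import-Module ActiveDirectory

# Placeholder: a writable DC reached from the management workstation.
$dc             = 'DC01.example.com'
$domain         = Get-ADDomain -Server $dc
$usersContainer = $domain.UsersContainer      # the wizard's default target, CN=Users,...

# Prompt for the initial password instead of embedding it in the script.
$initialPassword = Read-Host -AsSecureString 'Initial password for jdoe'

# The wizard's fields mapped to New-ADUser parameters; the four booleans at the
# end are the four check boxes on the password page.
$newUser = @{
    Server                = $dc
    Name                  = 'John Doe'
    GivenName             = 'John'
    Surname               = 'Doe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = "jdoe@$($domain.DNSRoot)"
    Path                  = $usersContainer
    AccountPassword       = $initialPassword
    ChangePasswordAtLogon = $true     # User must change password at next logon
    CannotChangePassword  = $false    # User cannot change password
    PasswordNeverExpires  = $false    # Password never expires
    Enabled               = $true     # Account is disabled (inverse of this box)
}
New-ADUser @newUser

function Get-PasswordOptionReport {
    # Reads the same four options back from the directory for verification.
    param([string]$Identity, [string]$Server)
    $u = Get-ADUser -Identity $Identity -Server $Server `
         -Properties pwdLastSet, CannotChangePassword, PasswordNeverExpires, Enabled
    [pscustomobject]@{
        User                          = $u.SamAccountName
        MustChangePasswordAtNextLogon = ($u.pwdLastSet -eq 0)   # the option zeroes pwdLastSet
        CannotChangePassword          = $u.CannotChangePassword
        PasswordNeverExpires          = $u.PasswordNeverExpires
        AccountDisabled               = -not $u.Enabled
    }
}

Get-PasswordOptionReport -Identity 'jdoe' -Server $dc

# Accounts with "Password never expires" bypass the domain's maximum password
# age, so list the enabled ones for review.
Get-ADUser -Server $dc -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
    Select-Object SamAccountName, DistinguishedName
```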


URL: //www.sciencedirect.com/science/article/pii/B9781597495783000049

MCSA/MCSE 70-291: Configuring the Windows 2003 Routing and Remote Access Service LAN Routing, Dial-up Services, and Routing Protocols

Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003

In this exercise, a group of users in our organization needs remote access through analog dial-in. Some users have the ability to dial in with multiple modems. We want to provide a remote access policy to grant access to this group of users and to provide them with multilink, if needed. To accomplish our goal, we will configure our remote access server to allow dial-up connections using group membership. The remote access policy will also provide for Multilink, BAP, and BACP client support.

1. Configure an RRAS dial-up gateway like that configured in Exercise 8.04.

2. Create a Group called Dial-Users. Click Start | Administrative Tools | Active Directory Users and Computers. Right-click the Users container or the container that the remote users belong to. Select New | Group. Type Dial-Users in the Group Name text box as shown in Figure 8.56. Click OK.

3. Create the policy condition and policy profile through the New Remote Access Policy Wizard. Click Start | Administrative Tools | Routing and Remote Access. Right-click Remote Access Policies in the left pane of the management console and select New Remote Access Policy to start the New Remote Access Policy Wizard. Click Next.

4. Select Set up a custom policy and enter Dial-Users in the Policy Name box as shown in Figure 8.57.

5. Click Next to move to the Policy Conditions screen. Click Add to specify Windows-Group for the condition portion of the RRAS Policy as shown in Figure 8.58.

6. Click Add to open the Groups selection box. Click Add again. From the Select Groups dialog box, type Dial into the text box and click the Check Names button. The Dial-Users group should be displayed in the text box as shown in Figure 8.59.

7. Click OK. Click OK again. Click Next to view the Permissions screen. Select Grant remote access permission as shown in Figure 8.60.

8. Click Next to proceed to the Profile screen. Click the Edit Profile button to invoke the Edit Dial-in Profile dialog box. Click the Multilink tab. We want to allow Multilink connections and we will drop the second line if the bandwidth requirement drops below 50 percent. Select Allow Multilink connections. Select Require BAP for dynamic Multilink requests and accept the defaults as shown in Figure 8.61.

9. Click OK. Click Next and then click Finish to complete the Remote Access Policy configuration. Now, any users that belong to the Dial-Users group will be granted dial-in access with multilink capabilities available to them.


URL: //www.sciencedirect.com/science/article/pii/B9781931836920500147

Security Guidance for Operating Systems and Terminal Services

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Domain Accounts

In the case of a machine that is a member of an Active Directory domain, the administrator must create and manage domain accounts. There are significant differences in the portability of these accounts, their authentication methods, and the access that they can achieve throughout the enterprise. In this section, I take a quick look at the domain account structure and briefly describe some of the differences that need explanation in relation to the domain accounts and their functions (Active Directory is out of the scope of this book). While looking at domain accounts, it's important to understand that these accounts are created and maintained on domain controllers that replicate their content to each other. DCs that hold the domain account database do not use local accounts for their operation. As the DC is created, the tools for management of the user and group accounts switch from a local management console to a new tool, the Active Directory Users and Computers (ADUC) management console. From within this console, administrators are able to create, modify, and control user and group memberships. Figure 2.5 illustrates the ADUC console with the Users container open.

Figure 2.5. The Active Directory Users and Computers Console Showing the Users Container

Note the significant difference in the number of default user accounts that are created as you create an Active Directory structure. This container contains not only the default users, but a number of domain-wide security groups that are used to maintain and manage the domain operations. Some new security groups are also created, which include Domain Computers, Domain Controllers, Enterprise Admins, Schema Admins, and Domain Admins, among others. All of these groups are used for domain-wide groupings that allow you to control or grant access to specific operations within the domain. Security groups also allow you to enforce group policy conditions, which I touch on later in this chapter and fully explore in Chapter 6. Figure 2.6 shows us the Built-in Groups that are created in an Active Directory domain.

Figure 2.6. Active Directory Users and Computers Console with Builtin Groups

This collection of groups allows administrators to assign or delegate permission to work within specially defined areas of control to perform system-based tasks in the domain. These built-in groups provide the ability to delegate control. Notice in Figure 2.6 that there is a group called Pre-Windows 2000 Compatible Access. This group can lead to security difficulties, because it can contain the special group Everyone in its membership. When this is true, down-level machines (or attackers) may establish a null session connection with the use of a blank password for anonymous access. In this case, anonymous users (such as to a Web page) could potentially access and obtain control of your machine. This particular configuration requires much diligence as you prepare file and drive access control settings, but may be needed depending on your network's makeup.

There is not a significant difference in the sphere of influence of these groups between Windows 2000 and Windows 2003. Please remember that in NT 4.0, these groups had access only on machines that were either a PDC or BDC. In Windows 2003, these built-in groups have access and control over any Windows 2003 machine that is a domain member, even if it is not a domain controller. This is a change that you must be aware of as you assign membership to these groups. Now, what about the “Everyone” group that is discussed all the time? Windows 2003 also has a number of groups that are not detailed here, but rather are present and utilized based on actions being performed. For instance, the Interactive group contains users who are allowed to log on locally to a machine. The Network group contains users that are allowed to connect from the network. Membership in these groups is not assigned, but rather occurs during operation of the machine and network operations.


URL: //www.sciencedirect.com/science/article/pii/B9781597492812000020

MCSE 70-293: Implementing Windows Cluster Services and Network Load Balancing

Martin Grasdal, ... Dr. Thomas W. Shinder, Technical Editor, in MCSE (Exam 70-293) Study Guide, 2003

Cluster Configuration Log File Security

When a cluster is created or a node is added to a cluster using the wizard, a file containing critical information about the cluster is placed in the %systemroot%\System32\LogFiles\Cluster\ directory, unless you do not have administrative permissions on the node; in that case, the file is placed in the %temp% directory. The log file, ClCfgSrv.log, should have NTFS permissions that allow access to only the Administrators group and the cluster service account.
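An added PowerShell check (not from the study guide) that reports any principal other than Administrators and the cluster service account with Allow access to ClCfgSrv.log, and a function that replaces the ACL with just those two. It assumes PowerShell is available on the node, that the service account name is a placeholder for the account created in Exercise 9.01, and that Modify is sufficient for that account.

```powershell
$logPath        = Join-Path $env:SystemRoot 'System32\LogFiles\Cluster\ClCfgSrv.log'
$serviceAccount = 'EXAMPLE\ClusterAdmin'   # placeholder: the cluster service account

function Test-ClusterLogAcl {
    param([string]$Path, [string]$ServiceAccount)
    if (-not (Test-Path -Path $Path)) {
        # Without administrative rights the wizard writes the log to %temp% instead.
        return [pscustomobject]@{ Path = $Path; Exists = $false; Compliant = $false; Unexpected = @() }
    }
    $allowed = @('BUILTIN\Administrators', $ServiceAccount)
    $acl = Get-Acl -Path $Path
    # Any Allow ACE for a principal outside the allowed set is a finding; ACEs
    # inherited from the LogFiles directory are the usual source of extra readers.
    $unexpected = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object {
            $tag = if ($_.IsInherited) { ' [inherited]' } else { '' }
            "$($_.IdentityReference.Value) ($($_.FileSystemRights))$tag"
        })
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Compliant  = ($unexpected.Count -eq 0)
        Unexpected = $unexpected
    }
}

function Set-ClusterLogAcl {
    # Replaces the ACL with exactly the two principals the text permits.
    param([string]$Path, [string]$ServiceAccount)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'Modify', 'Allow')))            # assumed right for the service account
    Set-Acl -Path $Path -AclObject $acl
}

$result = Test-ClusterLogAcl -Path $logPath -ServiceAccount $serviceAccount
$result
if ($result.Exists -and -not $result.Compliant) {
    Set-ClusterLogAcl -Path $logPath -ServiceAccount $serviceAccount
}
```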

Exercise 9.01

Creating a New Cluster

This exercise will walk you through the steps of creating a server cluster. Only the creation of the first node is covered. Each server cluster and network configuration is unique. You will need to substitute your TCP/IP addresses and account names, and adjust this process to fit your hardware.

1. Properly assemble your hardware. Ensure that only this first node is connected to and can access the shared storage unit(s).

2. Assign friendly names to your network interfaces and configure them with static IP addresses.

3. Log on to your domain with an account capable of creating user accounts. Open Active Directory Users and Computers. In the Users container, create an account called ClusterAdmin matching the settings shown in Figures 9.26 and 9.27. Close Active Directory Users and Computers.

Figure 9.26. Create a New Cluster Service User Account

Figure 9.27. Assign a Password and Properties to New Cluster Service User Account

4. Log on to your first cluster node and start Cluster Administrator by selecting Start | Administrative Tools | Cluster Administrator.

5. When the Open Connection to Cluster dialog box is presented (Figure 9.28), select Create new cluster from the Action drop-down box and click OK.

Figure 9.28. Open Connection to Cluster

6. The New Server Cluster Wizard will start, as shown in Figure 9.29. Click Next.

Figure 9.29. The New Server Cluster Wizard’s Welcome Window

7. Select your domain in the Domain drop-down list and enter cluster1 in the Cluster name text box, as shown in Figure 9.30. Click Next.

Figure 9.30. Specify the Cluster Name and Domain

8. Enter the name of the computer that will become your first node in the Computer name text box, as shown in Figure 9.31, and click Next.

Figure 9.31. Select the Computer Name

9. The Analyzing Configuration window will appear, as shown in Figure 9.32, while the configuration of the node is verified. You can click the View Log… button to see the history of actions the Wizard has performed, or click the Details… button to see the most recent task.

Figure 9.32. Analyzing the Configuration of the Cluster Node

10. When the analysis is completed, the Analyzing Configuration window will show the tasks completed, as shown in Figure 9.33. Click the plus signs (+) to see the details behind each step. When you’re finished examining the details, click Next.

Figure 9.33. Finished Analyzing the Configuration of the Cluster Node

11. You are asked what IP address you want assigned to the server cluster, as shown in Figure 9.34. Enter the appropriate IP Address and click Next.

Figure 9.34. Enter the Cluster IP Address

12. In the Cluster Service Account window, shown in Figure 9.35, enter the User name, Password, and Domain for the cluster service account you created in step 3. Then click Next.

Figure 9.35. Enter the Cluster Service Account Information

13. The Wizard will display the proposed server cluster configuration, as shown in Figure 9.36. Review the information.

Figure 9.36. Review the Proposed Cluster Configuration

14. Click the Quorum… button. Select the correct quorum disk for your configuration from the drop-down list, as shown in Figure 9.37, and select OK.

Figure 9.37. Select the Quorum Disk

15. The wizard will now create the server cluster, as shown in Figure 9.38. As the configuration progresses, you can click View Log… or Details… to see what the wizard is doing.

Figure 9.38. Creating the Cluster

16. When the wizard finishes creating the server cluster, the Creating the Cluster window will show the tasks completed, as shown in Figure 9.39. Click the plus signs (+) to see details about each step performed. Click Next.

Figure 9.39. Completed Cluster Creation

17. The wizard informs you that the server cluster is created, as shown in Figure 9.40. You can click View Log… to examine all of the activity involved in the creation. Click Finish to exit the wizard.

Figure 9.40. The Wizard’s Final Window

18. The Cluster Administrator utility appears. As shown in Figure 9.41, it displays the server cluster you just created.

Figure 9.41. The Newly Created Cluster

19. Right-click the server cluster name (CLUSTER1) and select Properties. Click the Network Priority tab and move Interconnect to the top of the list, as shown in Figure 9.42. Click Apply.

Figure 9.42. Change Network Priorities

20. Examine the Quorum and Security tabs to become familiar with the default settings on these tabs. When you have finished reviewing the configuration of these tabs, click OK. Then close Cluster Administrator.


URL: //www.sciencedirect.com/science/article/pii/B9781931836937500130

What is a default container in Active Directory?

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container. If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container.

Where are new computer accounts placed by default?

The Computers container is the default location for storing new computer accounts created in the domain. As with the Users container, you should create new OUs to assign permissions or GPOs to computers.

Which Active Directory container has all the computers in the domain?

The Computers container is the default location for computer objects in Active Directory. After a domain is upgraded from Windows NT 4 to Active Directory, all computer accounts are found, initially, in this container.

Does default domain policy apply to computers container?

Domain Policies (policies that are applied at the domain level) ALSO apply to the Computer Container.
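An added PowerShell example (not from the page) that reads the domain's current default containers, lists the computer and user objects still sitting in them, and shows how to move them into an OU where GPOs and delegated permissions can be applied, plus the redirect commands for future joins. It assumes the ActiveDirectory module; the OU names are placeholders.

```powershell
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Get-ADDomain exposes the current default containers (they can be redirected).
$computersContainer = $domain.ComputersContainer
$usersContainer     = $domain.UsersContainer
"Default computer container: $computersContainer"
"Default user container:     $usersContainer"

function Get-ObjectsInDefaultContainers {
    # OneLevel scope returns only direct children of each container.
    $computers = @(Get-ADComputer -Filter * -SearchBase $computersContainer -SearchScope OneLevel)
    $users     = @(Get-ADUser -Filter * -SearchBase $usersContainer -SearchScope OneLevel |
                   Where-Object { $_.SamAccountName -notin 'Administrator', 'Guest', 'krbtgt' })
    [pscustomobject]@{ Computers = $computers; Users = $users }
}

$found = Get-ObjectsInDefaultContainers
"Computers in default container: $($found.Computers.Count)"
"Users in default container (excluding built-ins): $($found.Users.Count)"
$found.Computers | Select-Object Name, DistinguishedName
$found.Users     | Select-Object SamAccountName, DistinguishedName

# Move the computers into an OU so OU-linked GPOs and delegation apply to them.
# -WhatIf previews the moves; remove it to perform them.
$workstationOU = "OU=Workstations,$($domain.DistinguishedName)"   # placeholder OU
foreach ($c in $found.Computers) {
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $workstationOU -WhatIf
}

# Redirect the defaults so future joins and account creations land in an OU
# instead (redircmp.exe and redirusr.exe ship with Windows Server):
#   redircmp.exe "OU=Workstations,DC=example,DC=com"
#   redirusr.exe "OU=Staff,DC=example,DC=com"
```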
