May 2011

I work as a Systems Administrator for a small company. With a small user base it is easy to manage users and groups, and it used to be mostly ad hoc with no planning whatsoever: you create a group when needed and add users to that group.

Then the company started doing well and things picked up. I don’t want to be in a position where I spend the first half of my day creating user accounts. Growth began to challenge the ad hoc practices for administering users and groups within Active Directory.

A best practice from Microsoft is a strategy called AGDLA: Accounts are members of Global groups, which are members of Domain Local groups, which are added to Access control lists.


Accounts are the user accounts created for logins; each one has a unique security identifier (SID).

Global groups represent roles within the organization. I like to think of them as departments such as Accounting or Human Resources.

Domain Local groups are very similar to ACLs, except that they define which global groups have access to a resource and with what kind of access; the domain local group itself is then placed in the ACL of the resource.

Implementing This Strategy

My environment was full of ad hoc groups and permissions on resources. It got ugly and unmanageable. For example:

  • Dozens of individual users with different permissions to an Accounting folder on the file server.
  • Dozens of individual users with permissions to an email account.

What I’ve done to resolve this is create an organizational unit for each department. Within each OU I created a global group containing all of that department’s users. Continuing with the Accounting department, I created a domain local group called ACL_AccountingShare_MOD and added the Accounting global group to it. If other departments collaborate within this shared folder I can add their global group to the domain local group as well.


Let me break down the naming convention of the domain local group:

ACL_AccountingShare_MOD

ACL = this tells me that this group specifies who has access to a resource

AccountingShare = tells me that this group is an ACL resource group for the AccountingShare

MOD = tells me that this resource group is able to modify all documents within the AccountingShare

Open the group and document as much as you can. In the Description I state what the group is for, and in the Notes field I list the path to the resource.
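As an added example (not code from the original post), the whole chain above scripted with the ActiveDirectory PowerShell module: one OU per department, a global group for the role, a domain local group named ACL_<Resource>_<Level> that carries the Description and Notes, the nesting, a single ACE on the folder, and the disabled template account that new hires are copied from. The domain corp.example (NetBIOS name CORP), the server path \\fs01\AccountingShare, the GG_ prefix for the global group and the tmpl_ prefix for the template account are assumptions for the example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# domain corp.example / CORP, and a share at \\fs01\AccountingShare (all hypothetical).
Import-Module ActiveDirectory

$domainDN   = 'DC=corp,DC=example'
$department = 'Accounting'
$sharePath  = '\\fs01\AccountingShare'      # assumed resource path
$ouDN       = "OU=$department,$domainDN"

# 1. One OU per department
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$department)" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $department -Path $domainDN
}

# 2. Global group = the role (every user of the department); GG_ prefix is an assumption
$globalGroup = "GG_$department"
New-ADGroup -Name $globalGroup -GroupScope Global -GroupCategory Security -Path $ouDN `
    -Description "All members of the $department department"

# 3. Domain local group = the resource permission, named ACL_<Resource>_<Level>
$dlGroup = 'ACL_AccountingShare_MOD'
New-ADGroup -Name $dlGroup -GroupScope DomainLocal -GroupCategory Security -Path $ouDN `
    -Description 'Modify access to the AccountingShare folder'
# The "Notes" field shown in Active Directory Users and Computers is the 'info' attribute
Set-ADGroup -Identity $dlGroup -Replace @{ info = "Resource path: $sharePath" }

# 4. Nest the global group inside the domain local group (A -> G -> DL)
Add-ADGroupMember -Identity $dlGroup -Members $globalGroup

# 5. Only the domain local group goes into the folder's ACL (DL -> A)
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$dlGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 6. Disabled template account in the department OU, member of the global group only
$template = "tmpl_$department"                # tmpl_ prefix is an assumption
New-ADUser -Name "Template $department" -SamAccountName $template -Path $ouDN `
    -Department $department -Enabled $false
Add-ADGroupMember -Identity $globalGroup -Members $template

# 7. New hire: copy the template's attributes and group memberships, then enable the copy
function New-UserFromTemplate {
    param([string]$TemplateSam, [string]$Sam, [string]$DisplayName, [string]$OuDN)
    $tmpl = Get-ADUser -Identity $TemplateSam -Properties Department, Title, MemberOf
    New-ADUser -Name $DisplayName -SamAccountName $Sam -UserPrincipalName "$Sam@corp.example" `
        -Instance $tmpl -Path $OuDN `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $Sam") `
        -ChangePasswordAtLogon $true -Enabled $true
    # -Instance copies attributes only; memberOf is a back-link, so re-add each group
    foreach ($groupDN in $tmpl.MemberOf) { Add-ADGroupMember -Identity $groupDN -Members $Sam }
}
New-UserFromTemplate -TemplateSam $template -Sam 'jdoe' -DisplayName 'Jane Doe' -OuDN $ouDN
```

Two details worth keeping in mind: the template is created disabled and stays that way, so the copy must explicitly pass -Enabled $true and a password, and New-ADUser -Instance does not carry group membership across (the GUI "Copy" action does), which is why the function re-adds every group from the template's memberOf.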


Closing Notes

Managing users, groups and resources this way keeps everything clean. When it comes to account creation, I create a template account that is a member of the necessary groups. It’s a disabled account within each department’s OU.

Whenever a department gets a new employee, all I have to do is copy the template and change the account name to the new user. Now I don’t have to manually set permissions on every resource that user will need.

This also eliminates ghost accounts. A ghost account is an account that was given permissions on a resource and was later deleted from Active Directory, leaving just its SID in the resource’s ACL.
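Ghost entries are easy to spot because Get-Acl returns an unresolvable trustee as a raw SID instead of DOMAIN\name. As an added example (not from the original post), the audit below walks a share tree, reports every ACE whose SID no longer translates to an account, and can remove the explicit ones; the share path is a hypothetical value.

```powershell
# Added example, not from the original post. The share path is an assumption.

# Report ACEs on one path whose trustee no longer resolves to an account
function Find-OrphanedAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Resolvable trustees come back as DOMAIN\name (NTAccount); skip them
        if ($id -is [System.Security.Principal.NTAccount]) { continue }
        # A SecurityIdentifier that still translates is fine too (e.g. a well-known SID)
        try { $null = $id.Translate([System.Security.Principal.NTAccount]); continue } catch { }
        # Still here: the SID points at nothing, i.e. a ghost account
        New-Object PSObject -Property @{
            Path      = $Path
            Sid       = $id.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Remove explicit ghost ACEs from one path; inherited ones must be fixed at their source
function Remove-OrphanedAce {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$DryRun)
    $acl    = Get-Acl -Path $Path
    $ghosts = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        -not ($_.IdentityReference -is [System.Security.Principal.NTAccount])
    })
    foreach ($g in $ghosts) {
        if ($DryRun) { "Would remove $($g.IdentityReference.Value) from $Path" }
        else         { $null = $acl.RemoveAccessRule($g) }
    }
    if (-not $DryRun -and $ghosts.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
}

# Audit the whole tree (folders only) and list what it finds
$root = '\\fs01\AccountingShare'             # assumed path
Get-ChildItem -Path $root -Recurse |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Find-OrphanedAce -Path $_.FullName } |
    Format-Table Path, Sid, Rights, Type, Inherited -AutoSize

# Dry run first, then remove for real on the root only
Remove-OrphanedAce -Path $root -DryRun
```

Run the dry run before the real removal; and if the environment ever contains SIDs that are legitimately unresolvable from the machine doing the audit (a trusted domain that is unreachable, for instance), those will show up in the report too, so review the list rather than deleting blindly.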


Came across an article where a user accepted a new position that included a great relocation package. The guy got out of his bad mortgage with it but had to accept a two-year recovery clause on the relocation package. Basically, he has to pay the money back if he leaves his new company within two years. Sounds like a good deal, right? It could be, if the new company is awesome and doesn’t restructure the position you signed up for.

Osama bin Laden was able to communicate using email and U.S. intelligence couldn’t pick up on it. Turns out he typed up his emails on a computer (which had no internet connection), saved them on his computer, transferred them to a thumb drive and gave them to a courier. The courier would use another computer to copy the emails bin Laden typed and then send them to the email addresses provided by bin Laden. Very sneaky, bin Laden. Guess he knew his way around technology, haha.

Career Advice Tuesday by InfoSec Leaders

How bin Laden Emailed Without Being Detected by the US by Associated Press

This week I also published the following:

Internet Explorer 9 64 bit Compatibility

Postponing my CCNP for Microsoft?



I was very optimistic about Internet Explorer 9. I feel that it is a lot faster than IE8, especially with SharePoint 2007.

I did run into a hiccup though. While working within SharePoint sites I noticed that certain features had disappeared. One in particular was the Rich Text Editor Toolbar. I use this quite often to update different lists and content within our SharePoint intranet site.

Because the toolbar disappeared, my only option for making edits (such as bold, italics and even spacing) was to write HTML. I know how to use HTML, but end users won’t have a clue.

On Microsoft TechNet I was able to find an Internet Explorer compatibility table.

Luckily, I found a resolution. Initially I had uninstalled IE9, which reverted my Windows 7 (I’m running 64-bit) to IE8 64-bit. In Windows 7 you can’t install a 32-bit version of IE.

Fortunately, the 64-bit IE8 and IE9 installations also install a 32-bit version. The shortcuts just happen to be hidden deep within the Windows folder. So instead of uninstalling IE9, just browse to this path on your computer and create a shortcut:

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7600.16385_none_19ba3f8a72d988f3
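As an added example (not from the original post), a PowerShell snippet that finds that WinSxS folder and drops a shortcut on the desktop. The version and hash segments of the folder name depend on the installed build, so the component name is matched with a wildcard rather than hard-coded; it is an assumption of the example that the executable inside the folder is iexplore.exe, and the script checks for it before creating the shortcut.

```powershell
# Added example, not from the original post. Assumes the 32-bit iexplore.exe lives in
# the wow64 internetexplorer-optional component folder under winsxs.
$pattern = 'wow64_microsoft-windows-i..etexplorer-optional_*'

# Pick the highest-named match (newest version sorts last); PSIsContainer keeps it
# working on the PowerShell 2.0 that shipped with Windows 7
$dir = Get-ChildItem -Path "$env:SystemRoot\winsxs" -Filter $pattern |
       Where-Object { $_.PSIsContainer } |
       Sort-Object Name -Descending |
       Select-Object -First 1
if (-not $dir) { throw 'No 32-bit Internet Explorer component folder found under winsxs' }

$exe = Join-Path $dir.FullName 'iexplore.exe'
if (-not (Test-Path $exe)) { throw "iexplore.exe not present in $($dir.FullName)" }

# Create the shortcut on the current user's desktop
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut((Join-Path $desktop 'Internet Explorer (32-bit).lnk'))
$lnk.TargetPath       = $exe
$lnk.WorkingDirectory = $dir.FullName
$lnk.Save()
"Shortcut created for $exe"
```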


