Network Administration Skills Journal Weeks 5-8

1. Active Directory, Groups and Permissions

1.1. How can we create user accounts? In the last lecture, single user accounts were made using DSA (Active Directory Users and Computers) and ADAC (Active Directory Administrative Center), which only create one account at a time. This lecture covers creating multiple accounts at once.

1.1.1. Using PowerShell: a script creates multiple user accounts in one run.

1.1.2. User account templates using DSA: copy a template account to make a moderate number of accounts (the process is in the name).

1.1.3. These tools are almost legacy now, but they are still used to bulk-create accounts.

1.2. Creating lots of user accounts creates its own issues: how can we organise all these accounts using Active Directory?

1.2.1. Organisational Units (OUs): the third dot point refers back to the user account templates; OUs can separate user accounts according to the templates you made.

1.2.1.1. Example of how Organisational Units are applied across a company: straightforward and tidy. Nesting Organisational Units together like this creates a neat structure.

1.2.1.1.1. Second-level account groups: creating group scopes changes when there are second-level accounts involved.

1.2.2. Another user account issue: when we create new user/computer accounts in AD, they are not assigned to the OUs (Organisational Units) summarised above; you have to do that manually using the PowerShell commands shown.
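As an added PowerShell example (not from the journal or the lecture slides), this combines the bulk creation of 1.1.1 with the OU placement issue of 1.2.2. The CSV rows and the OU layout (OU=Staff with one child OU per department) are constructed assumptions; the domain name is read from the domain the script runs in.

```powershell
Import-Module ActiveDirectory

# Constructed sample input; in practice: $newUsers = Import-Csv .\newusers.csv
$newUsers = @'
GivenName,Surname,SamAccountName,Department
Alice,Nguyen,anguyen,Sales
Bao,Tran,btran,Finance
'@ | ConvertFrom-Csv

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$staffBase = "OU=Staff,$domainDn"             # assumed OU layout: OU=Staff\<Department>
$initialPassword = Read-Host 'Initial password for the new accounts' -AsSecureString

foreach ($u in $newUsers) {
    $ou = "OU=$($u.Department),$staffBase"
    # Refuse to create the account if the target OU does not exist, rather than letting it
    # land in the default Users container (the 1.2.2 problem).
    try   { $null = Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop }
    catch { Write-Warning "Skipping $($u.SamAccountName): OU $ou not found"; continue }

    New-ADUser -Name "$($u.GivenName) $($u.Surname)" -GivenName $u.GivenName -Surname $u.Surname `
        -SamAccountName $u.SamAccountName -UserPrincipalName "$($u.SamAccountName)@$($domain.DNSRoot)" `
        -Department $u.Department -Path $ou `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
}

# Accounts created earlier without -Path sit in CN=Users; move any that carry a Department
# attribute into the matching OU instead of dragging them one by one in DSA.
Get-ADUser -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel -Filter 'Department -like "*"' -Properties Department |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=$($_.Department),$staffBase"
    }
```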

1.2.3. Another issue is delegating control of OUs to other users. Compared with regular printer, file and folder permissions, OUs have different features: right-click the OU, open the Delegate Control wizard, and from there alter different users' control of the OU (delegating permissions).

1.2.4. Permission inheritance and precedence: following on from the "delegating control to OUs" slide, inherited permissions are the ones that have already been assigned (grey ticks) and explicit permissions are the black ticks, which override them.

1.2.4.1. Permission precedence: the first three dot points are self-explanatory. For the Effective Access tab you have to zoom in on the example shown; the tab is on the far left, and it has the final say (tick/cross) on the access of a user or group.

1.2.4.1.1. Explicit permissions = BLACK TICKS

1.2.4.1.2. Inherited permissions = GREY TICKS

1.3. Access-based enumeration: hides the files (and folders) that users don't have permission to see.

1.4. Special identities: where do I see these special identities?

2. GPOs (Group Policy Objects): a very powerful way of controlling computer settings in an Active Directory environment.

2.1. What is Group Policy? It is a very powerful way of controlling computer settings in an Active Directory environment. These configurations can be applied according to user/computer accounts in that domain (not sure if it's across all domains too).

2.1.1. Group Policy has two components:

2.1.1.1. Group Policy Container: stored in Active Directory, so it is automatically replicated to all the other domain controllers in the domain.

2.1.1.2. Group Policy Template: contains the settings themselves; it is not automatically replicated to the domain controllers.

2.1.1.2.1. Group Policy settings:

2.1.2. When and how do GPO settings apply, and how do we change them?

2.1.2.1. When do they apply?

2.1.2.2. GPO Linking

2.1.2.2.1. How they are applied to the forest: as the diagram on the right shows, GPOs can only be linked to sites, domains and OUs. The bottom two dot points also show that a GPO can be linked to different containers and that one container can have many GPOs linked to it.

2.1.2.2.2. Link precedence: applies when two GPOs in different scopes configure the same setting differently. The GPO at the bottom of the given list wins (whichever scope is smaller).

2.1.3. How to alter and troubleshoot GPO settings

2.1.3.1. Enabling and disabling: right-click wherever the GPO is --> choose to enable or disable it.

2.1.3.2. How to reset GPO settings: for extra context, there are two default GPO settings, highlighted in the first two dot points.

2.1.3.3. How to delegate GPO settings (using the wizard): right-click the OU --> Delegate Control --> assign control permissions.

2.1.3.4. Troubleshooting:

2.1.3.4.1. Link precedence: see 2.1.2.2.2; when two GPOs in different scopes configure the same setting differently, the GPO at the bottom of the given list (the smaller scope) wins.

2.1.3.4.2. Blocking inheritance (blocks all inheritance of GPOs): done to troubleshoot whether the parent or child GPOs are causing issues. If inheritance is blocked in a child OU, that child OU's GPOs are disabled, leaving behind only the parent GPO. Now we can check if the issue belongs to the parent GPO; if it doesn't, the issue is with the child OU's GPOs.

2.1.3.4.3. Enforcing GPOs: used by network admins to make sure that OU managers can't block inheritance and so prevent the domain's GPOs from being applied inside the OUs.
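The three troubleshooting steps above as an added PowerShell example using the GroupPolicy module (not from the journal or the lecture); the OU, domain and GPO names are assumed placeholders. The block-inheritance test records which links stop applying while the block is on (those came from the parent containers; enforced links stay) and always removes the block again.

```powershell
Import-Module GroupPolicy

$ou       = 'OU=Sales,OU=Staff,DC=corp,DC=example,DC=com'   # assumed child OU (replace)
$domainDn = 'DC=corp,DC=example,DC=com'                     # assumed domain (replace)

# Link precedence: InheritedGpoLinks is already in evaluation order; Order 1 wins a conflict.
function Get-WinningGpo {
    param([string]$Target, [string[]]$Candidates)   # names of the GPOs that set the same setting differently
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Where-Object { $Candidates -contains $_.DisplayName } |
        Sort-Object Order | Select-Object DisplayName, Order, Target, Enforced -First 1
}

# Blocking inheritance: compare what applies before and after the block, then put it back.
function Test-BlockInheritance {
    param([string]$Target)
    $before = (Get-GPInheritance -Target $Target).InheritedGpoLinks
    Set-GPInheritance -Target $Target -IsBlocked Yes
    try     { $after = (Get-GPInheritance -Target $Target).InheritedGpoLinks }
    finally { Set-GPInheritance -Target $Target -IsBlocked No }   # never leave the block behind
    [pscustomobject]@{
        RemovedByBlock = ($before | Where-Object { $after.GpoId -notcontains $_.GpoId }).DisplayName
        StillApplied   = $after.DisplayName
    }
}

# Enforcing: an enforced domain-level link survives any block an OU manager sets below it.
# (The link must already exist; New-GPLink ... -Enforced Yes creates one in a single step.)
Set-GPLink -Name 'Domain Security Baseline' -Target $domainDn -Enforced Yes

Get-WinningGpo -Target $ou -Candidates 'Domain Security Baseline', 'Sales Desktop Settings'
Test-BlockInheritance -Target $ou
# Confirm on a client in the OU: gpupdate /force, then gpresult /r (or Get-GPResultantSetOfPolicy).
```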

2.1.3.5. Administrative templates: for the case where a company has administrators who speak different languages and need to alter GPOs.

3. DNS, file and print (DNS is essentially the internet's yellow pages)

3.1. STRUCTURE OF DNS (click on the link below for an alternate explanation of how DNS works): https://www.cloudflare.com/en-au/learning/dns/what-is-dns/

3.1.1. DNS Structure

3.1.1.1. Root servers (root hints): they refer iterative DNS queries to the top-level domain name servers.

3.1.2. Explanation of how DNS works ("explain like I'm 5")

3.1.3. DNS zone and record types

3.1.3.1. DNS zone and record types: A DNS zone is used to host the DNS records for a particular domain.

3.1.3.1.1. Zone focus: most zones are forward-focused (forward lookup): you put in a query for a domain name and it returns an IP address.

3.1.3.1.2. Zone type:

3.1.3.1.3. Record types

3.1.3.1.4. Zone storage: dynamic updates.

3.1.4. DNS queries (the last thing we need to know about DNS)

3.1.4.1. Recursive vs iterative

3.1.4.1.1. Recursive

3.1.4.1.2. Iterative: can return the required result or return a referral to another server.

3.1.4.1.3. The decision on whether to use an iterative or recursive query hinges on whether that DNS server has been configured with a forwarder.
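Recursive versus iterative, as an added PowerShell example that is not from the journal: the function walks a name from a root hint downward, sending each server a non-recursive query and following the referral it returns, which is what a DNS server without a forwarder does on its own; the last lines (DnsServer module, run on the DNS server) show the forwarder setting the point above refers to. The name being looked up and the starting root server are assumed placeholders.

```powershell
# Iterative resolution done by hand: ask one server, follow its referral, repeat.
function Resolve-Iteratively {
    param(
        [string]$Name,
        [string]$Type   = 'A',
        [string]$Server = 'a.root-servers.net'   # one of the root hints
    )
    for ($hop = 1; $hop -le 12; $hop++) {
        # -NoRecursion clears the RD bit: the server answers from its own zones or hands back a
        # referral, never does the work for us. -DnsOnly skips the hosts file and the local cache.
        $response = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -NoRecursion -ErrorAction Stop
        $answer = $response | Where-Object Section -eq 'Answer'
        if ($answer) {
            return $answer | Select-Object Name, Type, IPAddress, NameHost, @{ n = 'AnsweredBy'; e = { $Server } }
        }
        # No answer: the Authority section carries the NS records of the next zone down (the referral).
        $referral = $response | Where-Object { $_.Section -eq 'Authority' -and $_.Type -eq 'NS' } | Select-Object -First 1
        if (-not $referral) { throw "$Server returned neither an answer nor a referral for $Name" }
        Write-Verbose ("hop {0}: {1} referred {2} to {3}" -f $hop, $Server, $Name, $referral.NameHost) -Verbose
        $Server = $referral.NameHost
    }
    throw "Gave up after 12 referrals"
}

Resolve-Iteratively -Name 'www.example.com'   # assumed name to look up

# A recursive query is the opposite: one request to the local resolver, which does the walk above itself.
Resolve-DnsName -Name 'www.example.com' -Type A

# On a Windows DNS server the choice depends on whether a forwarder is configured: with one, the server
# sends recursive queries to it; without one, it iterates from the root hints.
Get-DnsServerForwarder
Get-DnsServerRootHint
```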

3.1.5. DNS Security

3.1.5.1. How a client resolves a name

3.2. File and print services (go back and add more detail)

3.2.1. Share permissions

3.2.1.1. Share permissions, IMPORTANT FACTS: they only apply to user accounts that access the resource over the network (from a different computer), not to users who log on locally (the same computer).

4. ADDS (Active Directory Domain Services):

4.1. Network topology we will focus on for the remainder of the course: Domain

4.1.1. Domain terminology: we will look at Active Directory's domain terminology. It is a distributed database (meaning it doesn't all reside in one location; it can be in multiple).

4.1.2. Installing a Domain:

4.1.2.1. Options for installing a Domain Controller: 1. Add a DC to an existing domain (this copies all the Active Directory information from that domain to the server you are creating, forming a new Domain Controller). 2. Add a new domain to an existing forest; you have to choose the tree or child domain position (copies some of Active Directory but not all of it). 3. Add a new forest (this will be the first DC in a new forest; it installs a default copy of Active Directory to work with).

4.1.2.2. Multi-master replication: a neat process that replicates object creation and information to all Domain Controllers (DCs).
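The three installation options mapped to the ADDSDeployment cmdlets, as an added PowerShell example (not from the journal or the lecture). Only one branch applies per server, so the choice is a switch; domain names, the NetBIOS name and the child-domain name are assumed placeholders, and the Test-* cmdlets run the prerequisite checks without changing anything.

```powershell
Import-Module ADDSDeployment

$option       = 1   # 1 = DC in an existing domain, 2 = new domain in an existing forest, 3 = new forest
$dsrmPassword = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$cred         = Get-Credential -Message 'Account allowed to add domain controllers / domains'

switch ($option) {
    1 {
        # Option 1: the new server gets a full replica of the domain partition from an existing DC.
        $p = @{ DomainName = 'corp.example.com'; Credential = $cred; SafeModeAdministratorPassword = $dsrmPassword }
        Test-ADDSDomainControllerInstallation @p        # prerequisite checks only
        Install-ADDSDomainController @p -InstallDns
    }
    2 {
        # Option 2: new domain under an existing forest; ChildDomain hangs off the parent name,
        # TreeDomain starts a new tree in the same forest.
        $p = @{ NewDomainName = 'sales'; ParentDomainName = 'corp.example.com'; DomainType = 'ChildDomain'
                Credential = $cred; SafeModeAdministratorPassword = $dsrmPassword }
        Test-ADDSDomainInstallation @p
        Install-ADDSDomain @p -InstallDns
    }
    3 {
        # Option 3: brand-new forest; this server becomes its first DC with a default copy of AD.
        $p = @{ DomainName = 'corp.example.com'; DomainNetbiosName = 'CORP'; SafeModeAdministratorPassword = $dsrmPassword }
        Test-ADDSForestInstallation @p
        Install-ADDSForest @p -InstallDns
    }
}
```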

4.2. Access control for users across the network (share permissions): these are more outdated than NTFS permissions, and they only apply to users coming in from the network.

4.2.1. For servers to decide whether to grant access, they need to be able to identify the user. The user account is the user's logon identity in the Windows network; the computer account is the identity of the specific computer being used in the Windows network (you can't just bring in a random laptop and expect the server to identify it).

4.2.1.1. User accounts introduction (important):

4.2.1.1.1. Access tokens: every time a user logs on to the network they are assigned an access token, which contains the SIDs that uniquely identify user accounts across the network.

4.2.2. User accounts example (uses knowledge from the week 5 share permissions):

4.2.2.1. Answer to Question 1: Kim is logged on to the same computer as Jeanie, which is the computer hosting the resource. Share permissions only apply when you come in over the network to access the resource, so Kim will have access to the documents.

4.2.2.2. Answer to Question 2: assuming that Minh's laptop (computer account) and the login on that laptop (user account) are not part of the network, Minh will not have any access.

4.3. NTFS: used to define permissions on objects! It also solves the access control issue, because its permissions ALWAYS APPLY, whether the user is accessing data locally or across the network. NTFS permissions accumulate for users in multiple groups (see below).

4.3.1. NTFS permissions change with different objects. An object is a resource within a network such as user accounts, passwords, computers, applications, printers, file/folder shares, security groups and their permissions. Active Directory is simply a database of these objects.

4.3.1.1. NTFS file and folder permissions (we will focus mainly on these): notice the difference between the folder and file tabs.

4.3.1.1.1. Access control lists (subject = user, object = resource defined in the network): the user's SID is compared with the admin-defined ACEs (access control entries) in the DACL. If the SID matches an entry, the user receives the corresponding permissions.

4.4. How to apply Share and NTFS permissions ("most restrictive permission applies"): Share permissions
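The precedence rules from 1.2.4 (explicit beats inherited), the NTFS accumulation across groups from 4.3 and the "most restrictive applies" rule above, worked through as an added PowerShell example that is not from the journal or the lecture. The DACL rows, the share permission and Kim's group memberships are constructed samples, and the share permission is expressed as the matching NTFS bits so the two can be intersected.

```powershell
using namespace System.Security.AccessControl

# Constructed DACL, shaped like the rows (Get-Acl $path).Access returns. Inherited = grey tick, explicit = black tick.
$acl = @(
    [pscustomobject]@{ Identity = 'CORP\Sales';   Rights = [FileSystemRights]::Modify;      Type = 'Allow'; Inherited = $true  }
    [pscustomobject]@{ Identity = 'CORP\Interns'; Rights = [FileSystemRights]::Write;       Type = 'Deny';  Inherited = $false }
    [pscustomobject]@{ Identity = 'CORP\HR';      Rights = [FileSystemRights]::FullControl; Type = 'Allow'; Inherited = $true  }
)

function Get-EffectiveRights {
    param(
        [string[]]$Token,                # identities in the user's access token: own account plus every group
        [object[]]$Acl,                  # NTFS DACL entries (Identity / Rights / Type / Inherited)
        [FileSystemRights]$ShareRights,  # share permission for the same user, as the matching NTFS bits
        [switch]$OverNetwork             # share permissions only count when the user comes in over the network
    )
    # Canonical ACE order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. A right settled
    # by an earlier entry is never changed by a later one, which is why explicit beats inherited and
    # why Allow bits from several groups accumulate.
    $ordered = $Acl | Where-Object { $Token -contains $_.Identity } |
        Sort-Object @{ Expression = { $_.Inherited } }, @{ Expression = { $_.Type -eq 'Allow' } }
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($ace in $ordered) {
        $bits = [int]$ace.Rights
        if ($ace.Type -eq 'Deny') { $denied  = $denied  -bor ($bits -band -bnot $allowed) }
        else                      { $allowed = $allowed -bor ($bits -band -bnot $denied)  }
    }
    # "Most restrictive applies": over the network the result is the intersection with the share permission.
    if ($OverNetwork) { $allowed = $allowed -band [int]$ShareRights }
    return [FileSystemRights]$allowed
}

# Constructed token for Kim: member of Sales (inherited Allow Modify) and Interns (explicit Deny Write).
$kim = 'CORP\Kim', 'CORP\Sales', 'CORP\Interns'
Get-EffectiveRights -Token $kim -Acl $acl -ShareRights Read               # logged on locally: NTFS only
Get-EffectiveRights -Token $kim -Acl $acl -ShareRights Read -OverNetwork  # from another computer: share caps it

# The real token for the current session (the SIDs described in 4.2.1.1.1):
# [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value
```

Locally the explicit Deny on Write strips the write bits out of the inherited Modify, leaving read/execute and delete; over the network the Read share permission caps that further to read only.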