You are in the process of building your Active Directory, and have some user data from the Human Resources department that includes first and last name, address, and telephone number. Company policy states that the user logon name should be the combination of first name or initial and last name (for example, Ben Smith would be bsmith).
You have 500 users, 30 groups, and 10 OUs. In practical terms, what is the best way to get your Active Directory set up as quickly and easily as possible?
Although there is no absolutely correct answer, there are different levels of complexity to consider. A blending of methods is probably best, given the following considerations:
■ The user data can be edited as needed, but those edits are minimal, and the users can be brought into Active Directory using LDIFDE.
■ The OU construction can be part of the user construction, all from the same file, with minimal editing. For the OUs, use LDIFDE as well.
■ The groups might be another matter. Because group membership is a multivalued attribute in Active Directory, group membership must be listed, uniquely, for each group as it is created. It would be very confusing to do that within a single file, and errors would be likely. A better approach is to do the group memberships individually.
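An added example (not from the original text) of the user and OU step: a Python script that turns HR rows into one LDIF file suitable for an `ldifde -i -f users.ldf` import, building logon names under the stated policy. The sample rows, the file name `users.ldf`, and the choice to reduce logon names to a-z and 0-9 are assumptions made for the illustration.

```python
import base64
import re

BASE_DN = "DC=contoso,DC=com"      # domain used in the lab text
HR_ROWS = [                        # constructed sample rows, not real HR data
    {"first": "Ben", "last": "Smith", "ou": "Sales", "phone": "555-0100"},
    {"first": "Bob", "last": "Smith", "ou": "Sales", "phone": ""},
    {"first": "Zoë", "last": "Smith, Jr.", "ou": "IT", "phone": "555-0101"},
]

def escape_rdn(value):
    """Escape characters that are special inside one DN component (RFC 4514)."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value.strip())
    return "\\" + value if value.startswith("#") else value

def ldif_line(attr, value):
    """Plain 'attr: value', or base64 'attr:: ...' when LDIF requires it (RFC 2849)."""
    if value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def logon_name(first, last, taken):
    """Policy from the text: initial + last name, else first name + last name."""
    clean = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    for name in (clean(first)[:1] + clean(last), clean(first) + clean(last)):
        name = name[:20]               # sAMAccountName length limit for users
        if name and name not in taken:
            taken.add(name)
            return name
    raise ValueError(f"no unique logon name for {first} {last}; assign one by hand")

def build_ldif(rows):
    """Emit each OU once, before the users placed in it, as 'changetype: add' records."""
    out, taken, seen_ous = [], set(), set()
    for r in rows:
        ou_dn = f"OU={escape_rdn(r['ou'])},{BASE_DN}"
        if ou_dn.lower() not in seen_ous:
            seen_ous.add(ou_dn.lower())
            out += [ldif_line("dn", ou_dn), "changetype: add",
                    "objectClass: organizationalUnit", ""]
        first, last = r["first"].strip(), r["last"].strip()
        sam, full = logon_name(first, last, taken), f"{first} {last}"
        out += [ldif_line("dn", f"CN={escape_rdn(full)},{ou_dn}"), "changetype: add",
                "objectClass: user", f"sAMAccountName: {sam}",
                ldif_line("givenName", first), ldif_line("sn", last),
                ldif_line("displayName", full)]
        if r.get("phone"):
            out.append(ldif_line("telephoneNumber", r["phone"].strip()))
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_ldif(HR_ROWS))
```

A logon-name collision that the policy cannot resolve raises an error instead of silently reusing a name, so two people never end up sharing one account identity.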
Chapter 4 Group Accounts
Troubleshooting Lab
Creating individual objects (users, groups, and computers) in your Active Directory is a straightforward process, but finding objects and their associations after many objects have been created can present challenges. In a large, multiple-domain environment (or in a complicated smaller one), solving resource access problems can be difficult. For example, if Sarah can access some but not all of the resources that are intended for her, she might not have membership in the groups that have been assigned permissions to the resources.
If you have multiple domains with multiple OUs in each domain, and multiple, nested groups in each of those OUs, it could take a great deal of time to examine the membership of these many groups to determine whether the user has the appropriate membership. Active Directory Users And Computers would not be the best tool choice.
You will use the DSGET command to get a comprehensive listing of all groups of which a user is a member. This lab uses the user Ben Smith, in the Users OU of the contoso.com domain.
1. Choose a user in your Active Directory to use as a test case for the steps that follow. If you do not have a construction that is to your liking, create a number of nested groups across several OUs, making the user a member of only some of the groups.
2. Open a command prompt.
3. Type the following command (substituting your selected user name and OU for Ben Smith):
dsget user "CN=Ben Smith,CN=Users,DC=contoso,DC=com" -memberof -expand
The complete listing of all groups of which the user is a member is displayed.
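An added example (not from the original text) that models what the expanded listing contains: it inverts group `member` records into a membership map and walks the nesting, recording the chain of groups that grants each membership. The LDIF sample is constructed and simplified (no base64 values or folded lines), and the group names and the user Sarah Jones are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample in the style of a group export: dn and member lines only.
GROUPS_LDIF = """\
dn: CN=Sales,OU=Sales,DC=contoso,DC=com
member: CN=Ben Smith,CN=Users,DC=contoso,DC=com

dn: CN=All Staff,OU=Corp,DC=contoso,DC=com
member: CN=Sales,OU=Sales,DC=contoso,DC=com
member: CN=Printer Admins,OU=IT,DC=contoso,DC=com

dn: CN=Printer Admins,OU=IT,DC=contoso,DC=com
member: CN=All Staff,OU=Corp,DC=contoso,DC=com

dn: CN=Finance,OU=Finance,DC=contoso,DC=com
member: CN=Sarah Jones,CN=Users,DC=contoso,DC=com
"""

def parse_member_of(ldif_text):
    """Invert 'group -> member' records into 'member DN -> set of group DNs'."""
    member_of, group = defaultdict(set), None
    for line in ldif_text.splitlines():
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            group = value.strip()
        elif attr.lower() == "member" and group:
            member_of[value.strip().lower()].add(group)   # DNs compare case-insensitively
    return member_of

def expand_groups(user_dn, member_of):
    """Return {group DN: nesting path from the user}, direct and inherited."""
    paths, queue = {}, deque([(user_dn, [])])
    while queue:
        dn, path = queue.popleft()
        for group in sorted(member_of.get(dn.lower(), ())):
            if group not in paths:        # skipping seen groups ends circular nesting
                paths[group] = path + [group]
                queue.append((group, paths[group]))
    return paths

if __name__ == "__main__":
    ben = "CN=Ben Smith,CN=Users,DC=contoso,DC=com"
    for group, path in expand_groups(ben, parse_member_of(GROUPS_LDIF)).items():
        print(f"{group}  (via {len(path) - 1} nested group(s))")
```

The path recorded for each group shows which nesting link to remove or add when a user has more or less access than intended.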
■ Groups may be created within any OU within the Active Directory.
■ There are two types of groups: security and distribution.
■ There are three scopes of groups: domain local, global, and universal.
■ Manual creation of groups is accomplished with the Active Directory Users And Computers MMC.
■ Automated creation of groups is accomplished with the LDIFDE command-line tool.
■ Directory Services Tools such as DSQUERY, DSGET, and DSMOD can be used to list, create, and modify groups and their membership.
■ Group types can only be changed when the domain functional level is at least Windows 2000 native.
■ Advanced group nesting is only possible when the domain functional level is at least Windows 2000 native.
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
■ The types of groups and their available uses depending on the domain functional level
■ The scope of groups and their various nesting constructions depending on the domain functional level
■ The basic use of Active Directory Users And Computers in creating groups and modifying their membership
■ The basic use of LDIFDE for exporting groups from one directory to another, and in creating groups
■ The basic use of DSGET for listing complete group memberships for a user
Domain local group (scope) In mixed or interim domain functional level, these local groups are available only on domain controllers, not domainwide.
Global group (scope) A group that is available domainwide in any domain functional level.
Universal group (scope) A group that can be available domainwide in any functional level, but limited to distribution scope in Windows 2000 mixed and Windows Server 2003 interim domain functional levels.
Security group (type) Can have permissions assigned in an ACL.
Distribution group (type) Cannot have permissions assigned in an ACL.
Questions and Answers
Lesson 1 Review
1. What type of domain group is most like the local group on a member server? How are they alike?
Domain local groups are very similar to local groups on a member server in that they are, in a mixed or Windows Server 2003 interim domain functional level domain, limited to the computers on which they reside; in the case of domain local groups, the domain controller. Until the domain functional level is raised to Windows 2000 native or Windows Server 2003, the domain local groups cannot be used for permission assignment on any servers in the domain other than the domain controllers.
2. If you are using universal groups in your domain or forest, and you need to give permission-based access to the members of the universal group, what configuration must be true of the universal group?
For the universal group:
■ The domain functional level must be Windows 2000 native or Windows Server 2003.
■ The universal group must be of the type security (not distribution).
3. In a domain running in Windows Server 2003 domain functional level, what security principals can be a member of a global group?
■ Universal groups
■ Global groups
Lesson 2 Review
1. In the properties of a group, which tab will you access to add users to the group?
The Members tab is used for adding members to the group.
2. You want to nest the IT Administrators group responsible for the Sales group inside the Sales group so that its members will have access to the same resources (set by permissions in an ACL) as the Sales group. From the Properties page of the IT Administrators group, what tab will you access to make this setting?
The Members Of tab is used for adding the IT Administrators group to the Sales group.
3. If your environment consists of two domains, one Windows Server 2003 and one Windows NT 4, what group scopes can you use for assigning permissions on any resource on any domain-member computer?
In a Windows Server 2003 interim domain functional level domain, which is what you must be running to support a Windows NT 4 domain, you will only be able to use global groups as security principals. Domain local groups will only be useful on the domain controllers in the Windows Server 2003 domain, and universal groups cannot be used as security groups in a Windows Server 2003 interim domain functional level domain.
Lesson 3 Review
1. Which of the following LDIFDE commands changes the function of LDIFDE from export to import?
The correct answer is a. The -i command changes the default function of LDIFDE from exporting to importing.
2. What object classes are possible to export and import using LDIFDE?
Any object in Active Directory can be exported or imported using LDIFDE, including users, groups, computers, or OUs. In addition, any property of these objects can be modified using LDIFDE.
3. You have a database of users that is capable of exporting CSV files. Can you use such a file, or must you create an *.ldf file manually for importing?
You can use a CSV file for importing user data into Active Directory. Windows Server 2003 will fill in missing values with default values where possible, but if a mandatory item is missing from the file, then errors will occur during importing and the object will not be created.