Tag Archives: ad

70-742 Additional Notes – Default Windows Server Security Groups

GPOs

It is super important to be familiar with the default security groups of Active Directory and their purpose. Here is a handy review for you! While most I am sure you are familiar with – some might be a surprise a perhaps you have never needed them in your Enterprise. The exam of course does not care! Be sure to locate the READ MORE link as this list DOES NOT end after Domain Users. 🙂

  • Access Control Assistance Operators – Members of this group can remotely query authorization attributes and permissions for resources on the computer.
  • Account Operators – The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
  • Administrators – Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
  • Allowed RODC Password Replication Group – The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The Denied RODC Password Replication Group group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
  • Backup Operators – Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
  • Certificate Service DCOM Access – Members of this group are allowed to connect to certification authorities in the enterprise.
  • Cert Publishers – Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
  • Cloneable Domain Controllers – Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
  • Cryptographic Operators – Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
  • Denied RODC Password Replication Group – Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
  • Distributed COM Users – Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
  • DnsUpdateProxy – Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
  • DnsAdmins – Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
  • Domain Admins – Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
  • Domain Computers – This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
  • Domain Controllers – The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
  • Domain Guests – The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
  • Domain Users – The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group. By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).

Continue reading 70-742 Additional Notes – Default Windows Server Security Groups

Active Directory (AD) Components

AD

AD Components Overview

In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we get excited for my 70-742 Identity in Windows Server 2016 to get fired up at CBT Nuggets.

Domains

The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:

  • An X.500 (LDAP) based hierarchical structure of containers and objects
  • A DNS domain name
  • A security service
  • Policies
  • A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)

Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have cbtnuggetlabs.com as our first domain, then we create eugene.cbtnuggetlabs.com as our next domain. Note that these domains in a tree explicitly trust each other in a transitive way.

Forests

What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain could be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest,  trust relationships permit resource sharing.

You can even create forest trust relationships if your forest must access resources in another separate forest.

While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single domain forest.

Organizational Units

What most of us think of when we envision AD is Organization Units (OUs). These are containers we create to fill with objects like users and groups and printers and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD called – a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we are building our hierarchy.

When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.

The Global Catalog (GC)

Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are inside the GC and we call this a partial attribute set (PAS). There are tools you can use to manipulate what attributes make it into the GC.

I hope you found this post informative, and I would like to thank you for reading. Next up, we will examine the Flexible Single Master Operator (FSMO) Roles in AD.
Pearson Education (InformIT)