Local Administrator Meeting, 2-25-03, Brian Drendel
Dec 24, 2015
What will we talk about today?
Announcements
– Win2k Migration Progress
– Key Server Retired
– New WinXP Ghost Image
– Site Netbios Block
Fermilab Active Directory Structure
Beams Division OU Structure
Administering the BD OU
Win2k Migration Progress
– Workstations: 458 Users / 463 Computers in Fermi; 95 computers on Beams browse list
– Servers
  Win2k: www-bdnew, Beamssrv1, Beams-Fmpro, beams-prt-srv, beams-backup, Beams-flexlm
  WinNT: Beams-cdrom, beamsappsrv1, beamsappsrv2
– Further Concerns: Macintoshes, BD-Controls Domain
No more Key Server!
Key Server Retired
Key Server Retired Feb. 17th.
– Email warnings
– Help desk tickets
– Key server error messages.
Casper the friendly ghost image!
Casper the friendly ghost image!
Latest Drive Image
– Office XP Pro
– Exceed 8
– Kerberos FTP
– Jim Smedinghoff custom ACNET configuration
Remote Registry Service
– Needed for SP Management
– Turn it back on
Site Netbios Block
Site Netbios Block
Network
– NetBIOS Block: ports 137, 138, 139, 445 blocked in three stages
  – Fermi DCs
  – Site with exemptions for servers
  – Entire Site
– Possible solution for offsite connectivity: VPN
  – Site VPN in Beta
  – BD Controls VPN
  – Cross Platform
Win2k Domain Structure at Fermilab
Active Directory
Active Directory allows us to organize and manage domain objects:
– Users
– Computers
– Printers
– Global Groups
– Shares
What does the Fermilab Active Directory structure look like?
Root Domain
The Root Win2k Domain is called WIN.FNAL.GOV.
– Contains two Domain Controllers (FCC and WH).
– Owned, managed and maintained by Computing Division.
– BD has no administrative access to this domain.
– Functions of Domain:
  Used only for security.
  Can push policies down to other OUs
  – Legal Banner
  – Minimum password length
[Diagram: Beams Division Active Directory Diagram, Brian Drendel, 6-12-01. Root Domain: win.fnal.gov.]
Child Domains
Child Domains
Active Directory Objects are connected to the Win.fnal.gov domain via separate child domains.
Child Domains:
– Have a two way transitive trust with Win.
– Must be approved by Computer Security.
Fermi Domain: All users and computers at Fermilab
Other Domains: Critical System???
Computer Security does not allow:
– Unattached Domains.
– Child Domains of the Child Domains.
Child Domains
Fermi Child Domain
– Contains all users, computers, printers, global groups and shares for the entire Fermilab Windows desktop community.
– Contains all Child Domain user accounts.
– Domain Controllers scattered throughout the site. The BD Domain Controller is called Bert.
[Diagram: Beams Division Active Directory Diagram, Brian Drendel, 2-20-03. Root Domain win.fnal.gov with Child Domains fermi.win.fnal.gov, BSS.win.fnal.gov, BDControls.win.fnal.gov, D0-Controls.win.fnal.gov and CDF-Controls.win.fnal.gov. Table of W2K Domains (win.fnal.gov, bd-controls.fnal.gov, fermi.win.fnal.gov, bss.win.fnal.gov, D0-Controls.win.fnal.gov, CDF-Controls.win.fnal.gov) with DC Owners (CD, BD, CD, BSS, D0, CDF) and number of DCs (2, 2, 6, 2, 2, 2).]
Organizational Units
Organizational Units
Child Domains are further broken down into Organizational Units (OUs).
– Each Division has its own OU.
– Management of each OU is delegated to managers in their respective Divisions.
– BD OU
  Has all Beams Division users, computers, printers, global groups and shares.
  Managed by the BD/Networking Group.
[Diagram: Beams Division Active Directory Diagram, Brian Drendel, 2-20-03, as above, now also showing the OUs within fermi.win.fnal.gov: BD OU, D0 OU, CD OU, CDF OU, TD OU and many more OUs.]
BD OU
BD OU Management
The BD OU is further broken down into Sub-OUs for:
– Computers
– Users
– Groups
– Printers
– File Shares
[Diagram: W2K Migration Working Group, Brian Drendel, 2-20-03. The same Domain/OU diagram, with the BD OU expanded into its Sub-OUs (Computers, Users, Global Groups, Printers, Shares) and the BD Domain Controller BERT.]
BD OU in Detail
Win2k Admin Guide
The Win2k Admin guide covers administration of the BD OU.
– Covers specific details for administration by:
  BD Active Directory Administrators (BD\Network Group)
  Local Administrators
More detail can be found in my Win2k Admin Guide Document located at
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/Adminguide.htm
Users
Users
We now want to take a few moments to explore each of the subOUs within the Fermi\BD OU.
– Users
– Computers
– Printers
– Shares
– Global Groups
User’s OU
The BD User’s OU is further divided by the org chart.
– Each department/group has their own OU.
– Each department/group OU is further broken down into a General and Special OU.
– Management of Users is covered in the users portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/users.htm
5 Types of Fermi Domain Accounts
There are five types of users in the Fermi Domain:
– Users
– Admins
– Managers
– Captive Accounts
– Service Accounts
User Accounts
Every user that wants to access Fermi Domain resources has a user account.
– All of your everyday work.
– The account does not have administrative privileges across multiple computers.
– Equivalent of your Kerberos Principal.
  Cannot share your password
  Cannot send your password over the network.
– User accounts are cloned to the Fermi Domain to maintain Beams Domain access.
– Username has the format of Fermi\{username}.
– Users live in AD in Fermi\BD\Users\{Department or Group}\General
– Only Computing Division creates accounts.
– You can apply for a user account at http://www-bdnew.fnal.gov/network/add_user.asp.
Admin accounts
Every user that needs administrative access to objects in the Fermi Domain needs an Admin account.
– Not for your everyday work.
– The account is delegated administrative functions in the domain.
– A user must be a registered sysadmin (https://miscomp.fnal.gov/sysadmindb/).
– Can be used by LOCALADMINS
  Manage desktop computers.
  Manage Departmental SubOU.
– Username has the format of Fermi\{username}-admin
– CD stores these accounts in a separate location in AD.
– You can apply for a user account at http://www-bdnew.fnal.gov/network/add_user.asp.
Manager Accounts
Each Division assigns no more than three administrators to perform advanced Active Directory Administration for their respective Division.
– The account is used to create active directory structure, move users and create group policy.
– Username has the format of Fermi\{username}-mgr
– CD stores these accounts in a separate location in AD
– These accounts are assigned. There is no web application form.
Captive Accounts
These are domain accounts that require a shared login to a dedicated console.
– Computing Security does not allow users to share their account passwords, so user accounts can not be used for this function.
– These accounts need Win2k Policy Committee and CD Security approval.
– Account names are of the form Fermi\bd-cap-{function}.
– Accounts are stored in Active Directory in Fermi\BD\Users\{Department or Group}\Special
– Accounts can be applied for at http://computing.fnal.gov/pcmanagers/captiveform.html.
Service Accounts
When accounts are required to run applications, a shared service account is used.
– Computing Security does not allow users to share their account passwords, so user accounts can not be used for this function.
– Win2k Policy Committee and CD Security approval.
– A Shared Service Account has the following requirements:
  Run software as an unattended service, like Unix daemons
  Use Domain account authentication
  Usage of this account over the network
  Sharing of the account password between multiple administrators
– Account names are of the form Fermi\bd-srv-{function}.
– Accounts are stored in Active Directory in Fermi\BD\Users\{Department or Group}\Special
– Accounts can be applied for at http://www-win2k.fnal.gov/pub/Docs/Sharing_service_accounts.doc.
Users OU
Users are stored in Active Directory in Fermi\BD\Users\{Department or Group}\General.
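As an added example (not from the slides or the Win2k Admin Guide), the PowerShell below parses "net localgroup Administrators" output and classifies each member by the five account naming conventions above, flagging anything that is not an -admin or -mgr account for review. The function names, the review policy and the sample output are constructed for this example.

```powershell
# Added example, not part of the original slides: audit a local Administrators
# group against the Fermi Domain account naming conventions.
# Function names, the review policy and the sample "net localgroup" output are
# constructed for this example.

function Get-FermiAccountType {
    # Map an account name to one of the five Fermi Domain account types.
    param([Parameter(Mandatory)][string]$AccountName)

    if (-not ($AccountName -match '^Fermi\\(.+)$')) {
        return 'Local/Other'                 # BUILTIN or machine-local account
    }
    $sam = $Matches[1]

    switch -Regex ($sam) {
        '^bd-cap-.+' { return 'Captive' }    # Fermi\bd-cap-{function}
        '^bd-srv-.+' { return 'Service' }    # Fermi\bd-srv-{function}
        '.+-admin$'  { return 'Admin' }      # Fermi\{username}-admin
        '.+-mgr$'    { return 'Manager' }    # Fermi\{username}-mgr
        default      { return 'User' }       # Fermi\{username}
    }
}

function ConvertFrom-NetLocalGroupOutput {
    # Pull the member lines out of "net localgroup <group>" text output:
    # everything between the dashed separator and the "completed" trailer.
    param([Parameter(Mandatory)][string[]]$Lines)

    $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $line.Trim() }
    }
}

function Test-LocalAdminMembers {
    # Review policy for this example: only Admin and Manager accounts belong in
    # the local Administrators group; everything else is flagged for review.
    param([Parameter(Mandatory)][string[]]$Members)

    foreach ($m in $Members) {
        $type = Get-FermiAccountType -AccountName $m
        [pscustomobject]@{
            Member = $m
            Type   = $type
            Review = ($type -notin @('Admin', 'Manager'))
        }
    }
}

# Constructed sample of "net localgroup Administrators" output; on a real
# computer you would use:  $raw = net localgroup Administrators
$raw = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Fermi\jdoe-admin
Fermi\jdoe
Fermi\bd-srv-backup
Fermi\asmith-mgr
The command completed successfully.
'@ -split "`r?`n"

$report = Test-LocalAdminMembers -Members (ConvertFrom-NetLocalGroupOutput -Lines $raw)
$report | Format-Table -AutoSize
# Fermi\jdoe (User), Fermi\bd-srv-backup (Service) and the local Administrator
# account come back with Review = True; the -admin and -mgr accounts do not.
```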
Computers
BD Computers OU
The BD Group OU is further divided by the org chart.
– Each department/group has their own OU.
– Each department/group OU is further broken down into a Desktop, Laptop and Server OU.
  The GPO applied on Servers is different from Desktops, and different from laptops.
– Management of Computers is covered in the computers portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/computers.htm
Computers OU
Computers are stored in Fermi\BD\Computers\{Department or Group}\{Computer Type}.
Printers
Printers
Printers are published in Active Directory.
– The Win2k Print queues still live on beams-prt-srv
– Additionally, the printers are published in Active Directory.
  Makes adding printers easier for the client computers.
– Management of Printers is covered in the printers portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/printers.htm
Printers
Computers are stored in Fermi\BD\Printers\
Global Groups
Global Groups
Win2k Domain permissions are assigned by global groups.
– Beams Domain global groups are cloned to the Fermi Domain to maintain Beams Domain access.
– Global groups follow the naming convention Fermi\BD {group name}.
– Management of Global Groups is covered in the global groups portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/groups.htm
Global Groups
Computers are stored in Fermi\BD\Global Groups\
Shares
Shares
Server shares can be published to Active Directory.
– The share still lives on the server.
– Published to Active Directory for client convenience.
– Allows us to collect shares from multiple servers and put them in one place.
– Management of Shares is covered in the shares portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/shares.htm
Shares
Shares are published in Fermi\BD\Global Shares\
Setting up for AD Management
Local Admin Administrative Setup
– Install AD Tool
– Configure AD Tool
– Add Fermi\user-admin account to local computers
– Enable Remote Registry on local computers.
Administrative Tools
To manage our Active Directory and Computers, we need:
– Active Directory Management
  A Fermi\user-admin account
  The AD User and Computer management tool.
– Desktop Management (option)
  Fermi\User-admin account in administrators group
  Remote Registry Service.
– Installation and setup of management tools is covered in the administrative tools portion of the Win2k Admin Guide:
http://www-bdnew.fnal.gov/network/Win2k-Adminguide/tools.htm
Administrative Tools: Install
The Active Directory Users and Computers tool runs as a snap-in tool in the MMC.
The tool can be run on any Win2k or WinXP (must be SP1) desktop or laptop computer that is in the Fermi Domain.
There are two versions:
– Win2k: Obtained from the Win2k Server CD.
– WinXP: Downloaded from Microsoft.
We will walk through the installation on a WinXP SP1 client computer.
Active Directory Users and Computers Installation
Login to your WinXP desktop using your local administrator account.
Check the Service pack level:
– Start->Run
– Type winver in the open field.
– WinXP needs to be at SP1 level or later.
If you need to install WinXP SP1, then you can do so from \\Beamssrv1\WinXP-Setup\WinXP SP1 + hotfixes.bat.
When prompted for username and password, do not forget to use the form Fermi\{username} for your username.
Follow online directions to complete SP1 installation followed by a reboot.
We will now install the Active Directory Users and Computers tool.
Login to your local administrator account and browse the network to Beamssrv1.
Again, you are prompted for your Fermi Domain credentials.
Wouldn’t it be nice not to have to do this? Stay tuned!
Go to the installation directory as shown here (different for Win2k than WinXP).
Run adminpak.msi. Note the installation is faster if you copy the entire directory to your PC and run it locally.
Click NEXT> at the welcome screen.
Select to agree to the license agreement. Click NEXT>.
When the installation has completed, click FINISH.
Configure the AD Tool!
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
The Active Directory Users and The Active Directory Users and Computers tool needs to be configured Computers tool needs to be configured for use.for use.
We willWe will– Add the tool to an MMC ConsoleAdd the tool to an MMC Console– Save the MMC configurationSave the MMC configuration– Later we will use the tool using Later we will use the tool using runasrunas with with
Fermi\user-adminFermi\user-admin (more on admin accounts (more on admin accounts later) credentials.later) credentials.
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
Logon to either your Fermi\user Logon to either your Fermi\user account or your local admin account or your local admin account.account.
Click Click Start -> RunStart -> Run..
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
Type Type MMCMMC in the run window, then in the run window, then click OK.click OK.
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
In the MMC Console file menu, click In the MMC Console file menu, click File File -> Add/Remove Snap-in…-> Add/Remove Snap-in…
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
Click the Click the AddAdd button.button.
Active Directory Users and Active Directory Users and Computers ConfigurationComputers Configuration
Select the Select the Active Active Directory Directory Users and Users and computers computers (only once)(only once)
Click AddClick Add Click CloseClick Close
1
1
2 3
Active Directory Users and Computers Configuration
The Add/Remove Snap-in window now shows the Active Directory Users and Computers tool.
Click OK.
Active Directory Users and Computers Configuration
The MMC console now shows the Active Directory Users and Computers tool.
From the file menu, click File -> Save As.
Active Directory Users and Computers Configuration
Save the file to a location that is not in your profile (i.e. not on your desktop).
C:\AdminTools\Active Directory.MMC in my example.
Setting up for Desktop Management
Announcements
Fermilab Active Directory Structure
Beams Division OU Structure
Local Admin Administrative Setup
– Install AD Tool
– Configure AD Tool
– Add Fermi\user-admin account to local computers
– Enable Remote Registry on local computers.
Administrative Task Examples
Administration of client computers
To better manage your desktop computers we will make two more configuration changes.
– Add your Fermi\{user}-admin account to the administrator group on all computers that you manage.
– Turn on the Remote Registry Service on all computers that you manage.
These changes need to occur on all desktops that you want to manage.
Add Fermi\user-admin to Administrators Group
Start the User Accounts applet in the control panel.
– Start->Settings->Control Panel->User Accounts
Add Fermi\user-admin to Administrators Group
In the User Accounts applet, click the Advanced tab, then the Advanced button.
Add Fermi\user-admin to Administrators Group
Select Groups. Double-click on Administrators.
Add Fermi\user-admin to Administrators Group
In the Administrators Properties window, click the Add button.
Add Fermi\user-admin to Administrators Group
Type your Fermi\user-admin account in the object name field.
Click OK.
Add Fermi\user-admin to Administrators Group
Type your Fermi\user account in the object name field.
Click OK.
With the Fermi\user-admin account in the Administrators group, you won’t have to do this anymore!
Add Fermi\user-admin to Administrators Group
Verify that your Fermi\user-admin account is in the members list.
Click OK.
Repeat for your other desktops.
Setting up the Remote Registry Service
Remote Registry Service
Right-click My Computer and select Manage.
Remote Registry Service
Find Services. Double-click on Remote Registry.
Remote Registry Service
Set startup type to Automatic.
Click the Apply button to enable the service for future logins.
Click the Start button to start the service.
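The two per-desktop changes above (admin group membership and the Remote Registry service) as one script, added here as an example and not part of the original presentation. It assumes Windows PowerShell 5.1 (LocalAccounts module) run elevated on the managed desktop; the account name keeps the slides' Fermi\user-admin pattern as a placeholder.

```powershell
# Added example (not from the original slides). Applies both client-side changes on
# the computer it runs on, then reports what an auditor would want to see.
param(
    [string]$AdminAccount = 'Fermi\user-admin'   # placeholder: replace 'user' with your account
)

function Add-DesktopAdmin {
    param([string]$Account)
    # Idempotent: only add the account when it is not already a member.
    $members = (Get-LocalGroupMember -Group 'Administrators').Name
    if ($members -notcontains $Account) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
    }
    # The slide's "verify" step: true when the account is now a member.
    return ((Get-LocalGroupMember -Group 'Administrators').Name -contains $Account)
}

function Enable-RemoteRegistry {
    # Automatic = "enable the service for future logins"; Start-Service = run it now.
    Set-Service -Name 'RemoteRegistry' -StartupType Automatic
    Start-Service -Name 'RemoteRegistry'
    $svc = Get-Service -Name 'RemoteRegistry'
    return ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
}

function Test-DesktopSetup {
    param([string]$Account)
    # Remote Registry lets any account that can authenticate to this machine read the
    # registry over the network, so list who else holds local admin besides the
    # expected account and the built-in Administrator.
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    $svc = Get-Service -Name 'RemoteRegistry'
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        AdminPresent   = ($admins -contains $Account)
        ExtraAdmins    = @($admins | Where-Object { $_ -ne $Account -and $_ -notmatch '\\Administrator$' })
        RemoteRegistry = "$($svc.StartType)/$($svc.Status)"
    }
}

Add-DesktopAdmin -Account $AdminAccount | Out-Null
Enable-RemoteRegistry | Out-Null
Test-DesktopSetup -Account $AdminAccount | Format-List
```

Run it once on each desktop you manage; a non-empty ExtraAdmins list is the thing to follow up on.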
Putting it all together!
Announcements
Fermilab Active Directory Structure
Beams Division OU Structure
Local Admin Administrative Setup
Administrative Task Examples
– Fermi\user-admin for desktop support
– Start the AD Tool
– Reset a user password
– Reset a computer
– Delete a computer
– Computer Management
Admin Tasks
How can you use your Fermi\user-admin account to administer users and computers in your department?
– Local logon to desktops that you manage
– Administration over the network using the Active Directory Users and Computers tool.
Using Fermi\user-admin on client computers
On any desktop computer that you manage, logon to your Fermi\user-admin account.
You now have
– Access to all “local administrator” resources on Beamssrv1.
– Administrative privileges on the local computer.
Putting it all together!
Starting the Active Directory Users and Computers
Login to your Fermi\user account on the desktop that you are managing your users and computers from.
– You do NOT need to login to your Fermi\user-admin account.
Right-click and select Run as on the Active Directory shortcut that you made in the previous step.
Starting the Active Directory Users and Computers
Pass your Fermi\user-admin account credentials as shown here.
Starting the Active Directory Users and Computers
You are now ready to manage Active Directory Objects!!!
Password amnesia?
Reset User Password
To reset a password, we will browse through Active Directory to Fermi\BD\Users.
Reset User Password
Browse to your Department/group OU. Go to the General OU. Right-click on the user and select reset password.
Reset User Password
Type in the new password and confirm it. Make sure to check the box that requires the user to change their password on next logon. Click OK.
Reset User Password
You will be notified that the password change was successful. Click OK.
After a fresh ghost image!
Reset Computer before rejoining to the Domain
To reset a computer account, we will browse through Active Directory to Fermi\BD\Computers.
Reset Computer before rejoining to the Domain
Browse to your Department/group OU. Go to the Desktop or Laptop OU. Right-click on the computer and select reset account.
Reset Computer before rejoining to the Domain
Click OK when asked to reset the computer account.
Reset Computer before rejoining to the Domain
You will be notified that the computer account reset was successful.
Click OK.
Renaming or retiring a computer?
Delete a Computer Account
Browse through Active Directory to Fermi\BD\Computers.
Delete a Computer Account
Browse to your Department/group OU. Go to the Desktop or Laptop OU. Right-click on the computer and select delete.
Delete a Computer Account
Click OK when asked to delete the computer account.
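The three Active Directory tasks above (reset a user password, reset a computer account, delete a computer account) done from the command line, added here as an example and not part of the original presentation. It assumes the RSAT ActiveDirectory module, a session started as Fermi\user-admin (the "Run as" step), and OU distinguished names that follow the slides' Fermi\BD\Users and Fermi\BD\Computers layout; the domain suffix and group names are placeholders, and the computer-reset behaviour is an assumed equivalent of the ADUC "reset account" action.

```powershell
# Added example (not from the original slides). Every lookup is scoped to your own
# group's OU, so a mistyped name cannot reach another group's users or computers.
Import-Module ActiveDirectory

$UserOu     = 'OU=General,OU=MyGroup,OU=Users,OU=BD,DC=fermi,DC=example'      # placeholder
$ComputerOu = 'OU=Desktop,OU=MyGroup,OU=Computers,OU=BD,DC=fermi,DC=example'  # placeholder

function Get-ScopedAccount {
    param([string]$Name, [string]$SearchBase, [switch]$Computer)
    $obj = if ($Computer) { Get-ADComputer -Filter "Name -eq '$Name'" -SearchBase $SearchBase }
           else            { Get-ADUser -Filter "SamAccountName -eq '$Name'" -SearchBase $SearchBase }
    if (-not $obj) { throw "No object named '$Name' under $SearchBase" }
    return $obj
}

function Reset-BdUserPassword {
    param([string]$SamAccountName)
    $user = Get-ScopedAccount -Name $SamAccountName -SearchBase $UserOu
    # Random temporary password instead of a typed one; it is returned, never stored.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = [Convert]::ToBase64String($bytes)
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
    # The slide's checkbox: the user must change the password at next logon.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    return $temp   # hand this to the user out of band
}

function Reset-BdComputerAccount {
    param([string]$ComputerName)
    $comp = Get-ScopedAccount -Name $ComputerName -SearchBase $ComputerOu -Computer
    # Assumed equivalent of ADUC "reset account": set the machine password back to the
    # lowercase computer name, which a freshly imaged machine uses when it rejoins.
    $initial = ConvertTo-SecureString ($ComputerName.ToLower()) -AsPlainText -Force
    Set-ADAccountPassword -Identity $comp -Reset -NewPassword $initial
}

function Remove-BdComputerAccount {
    param([string]$ComputerName)
    $comp = Get-ScopedAccount -Name $ComputerName -SearchBase $ComputerOu -Computer
    # -Recursive also removes child objects that would otherwise block the delete.
    Remove-ADObject -Identity $comp.DistinguishedName -Recursive -Confirm:$false
}

# Usage from the Run as Fermi\user-admin window (names are placeholders):
# Reset-BdUserPassword -SamAccountName 'jdoe'
# Reset-BdComputerAccount -ComputerName 'BD-PC01'
# Remove-BdComputerAccount -ComputerName 'BD-OLDPC'
```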
The Power of Computer Management
Computer Management
Browse through Active Directory to Fermi\BD\Computers.
Computer Management
Browse to your Department/group OU. Go to the Desktop or Laptop OU. Right-click on the computer and select manage.
Computer Management
The Computer Management Tool is launched.
Computer Management
Application, Security and System entries can be viewed through the Event Viewer.
Computer Management
Local user accounts and local groups can be managed through Computer Management.
Computer Management
The Device Manager can be viewed in read-only mode.
Computer Management
Partitions can be viewed with Disk Management.
Computer Management
Services can be stopped, started or configured.
What did we talk about today?
Announcements
Fermilab Active Directory Structure
Beams Division OU Structure
Local Admin Administrative Setup
Administrative Task Examples