Lab A: Administering MMS

Objectives
After completing this lab, you will be able to:
• Create an administrative point and an administrative area
• Create and configure the security policy for an administrative area
• Create and configure entry-specific access control
• Use collective attributes to define organizational information for the administrative area

Lab Setup
To complete this lab, you need the following:
• MMS Server installed and running
• MMS Compass installed and configured to connect to your MMS Server

Estimated time to complete this lab: 30 minutes
Exercise 1
Creating a Security Policy
In this exercise, you will modify the metaverse organizational unit to become an administrative point, thereby making the entire metaverse an administrative area. You will then create a security policy and add Directory Administrators to its existing permissions.

Scenario
Northwind Traders plans on having the administrators of each connected directory also administer the associated metadirectory data. Because of this, you need to configure security on the metaverse namespace data.
1. Log on to Windows 2000, start MMS Compass, and then log on to your MMS server.
   a. Log on to Windows 2000 as Administrator with a password of password.
   b. Start MMS Compass, and then log on to your MMS server as server@server.domain.nwtraders.msft (where server is your computer name and domain is your domain name) with a password of server.
2. Create an instance of the HR tutorial management agent called HR MA.
   a. In the control pane of MMS Compass, click Bookmarks, click Management Agents, and then click Create New Management Agent.
   b. In the Create Management Agent dialog box, in the Name of the Management Agent box, type HR MA.
   c. In the Type of the Management Agent box, click Tutorial HR (LDIF) Management Agent, and then click Create.
      The Configure the Management Agent dialog box appears.
3. Configure HR MA to place metaverse namespace data under the following location: ou=metaverse,dc=domain,dc=nwtraders,dc=msft (where domain is your domain name).
   a. In the Configure the Management Agent dialog box, on the Connected Directory Specifics tab, on the Mode and Namespace Management tab, before the existing text in the Metaverse location box, type ou=metaverse, (including the comma and no spaces), resulting in ou=metaverse,dc=domain,dc=nwtraders,dc=msft (where domain is your domain name), and then click OK.
4. Run the HR MA and populate the metadirectory with the human resources data.
   a. In the directory pane of MMS Compass, click HR MA, and then in the control pane, click Operate MA.
   b. In the Operate the Management Agent dialog box, on the Management Agent Logs tab, display the Operator's Log tab.
   c. Click Run the Management Agent.
Tasks Detailed Steps
5. Modify the metaverse organizational unit to become an administrative point.
   a. At the top of the directory pane, click The Known Universe.
   b. In the directory pane, navigate to and select metaverse.
   c. In the control pane, click Administration.
   d. In the Entry Administration dialog box, under Directory Service Specific Entries, select the Admin Point check box, and then click OK.
6. Create a security policy called metaverse security for the administrative area and add the following permissions for Directory Administrators:
   • Read—Granted all attributes and entry can be seen
   • Modify—Granted all attributes and do not allow entry creation or entry deletion
   a. In the directory pane, right-click metaverse, and then click Insert.
   b. In the Insert Object Under dialog box, on the Administrative tab, under Type of Object To Create, click the button representing Access Control Subentry. The appropriate button is determined by pointing to a button and viewing its tool tip.
   c. In the Relative Name box, type metaverse security and then click Insert.
   d. In the This Administration Area's Security Policy dialog box, under Permission granted to, click New.
      In the Permission granted to list, Anyone is added and selected.
   e. Click Specific, and then click Select.
   f. In the Select dialog box, in the control pane, click Search.
   g. In the control pane, in the box, type Directory Administrators and then press ENTER.
   h. In the control pane, click Directory Administrators.
      The directory pane displays the Directory Administrators entry in relation to the known universe.
   i. Move the Select dialog box enough to view the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   j. In the Select dialog box, drag and drop either of the Directory Administrators entries to the box to the right of Specific in the This Administration Area's Security Policy dialog box.
      The box to the right of Specific is filled in with the distinguished name of the entry dragged and dropped.
   k. Click OK to close the Select dialog box.
   l. In the This Administration Area's Security Policy dialog box, right-click the box to the right of Specific, click Select All, right-click the box again, and then click Copy.
   m. On the Admin Area's Create, Modify or Delete Permissions tab, under Permission granted to, click New.
   n. Click Specific, right-click the box to the right of Specific, and then click Paste.
      The box displays the Directory Administrators distinguished name.
   o. Clear the Allow entry creation/deletion check box, and then click OK.
   p. Click Cancel to close the Insert Object Under dialog box.
Exercise 2
Testing and Modifying the Security Policy
In this exercise, you will test the security policy by creating an administrative account inside of an organizational unit that is used for security testing purposes. Log on by using the new administrative account and verify that Directory Administrators have the appropriate permissions. If the permissions are not correct, you will need to modify the security policy.

Scenario
A security policy is in place for the data in the metaverse namespace. Test this policy to ensure that Directory Administrators have read, modify, create, and delete permissions.
1. Under metaverse, create an organizational unit named Security Test for testing MMS security.
   a. In the directory pane, right-click metaverse, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, click the icon that represents an organizational unit.
   c. In the Relative Name box, type Security Test and then click Insert.
   d. Click OK to close the dialog box representing the Security Test OU.
   e. Click Cancel to close the Insert Object Under dialog box.
2. Under Security Test, create a user object named Test Admin with a password of password and an e-mail address of tadmin@nwtraders.msft.
   a. In the directory pane, expand metaverse, right-click Security Test, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test Admin and then click Insert.
   c. Click OK to close the dialog box representing Test Admin.
   d. Click Cancel to close the Insert Object Under dialog box.
   e. In the directory pane, expand Security Test.
   f. Click Test Admin, and then in the control pane, click Properties.
   g. In the Test Admin dialog box, on the General tab, in the Email box, type tadmin@nwtraders.msft.
   h. On the Identity tab, in the Password box, type password and then click OK.
   i. In the Change Password dialog box, in the Confirm New Password for userPassword box, type password; in the Enter the password you logged in with box, type server (where server is your computer name), and then click OK.
3. Make Test Admin a member of Directory Administrators.
   a. In the control pane, click Search.
   b. In the control pane, in the search box, type Directory Administrators and then press ENTER.
   c. In the control pane, click Directory Administrators to locate the entry in The Known Universe.
   d. In the directory pane, drag Test Admin and drop it onto Directory Administrators.
   e. In the Copy Entry dialog box, under Copy Entry Action, ensure that Create alias to this entry is selected, and then click OK.
      Test Admin is created under Directory Administrators in the directory pane.
4. Restart MMS Compass and log on as Test Admin.
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as tadmin@nwtraders.msft with a password of password.
5. Under the Security Test organizational unit, create a person named Test User.
   a. In the directory pane, navigate to the Security Test organizational unit.
   b. Right-click Security Test, and then click Insert.
   c. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test User and then click Insert.
   d. Click OK to close the dialog box representing Test User.

Why is Test Admin, a member of the Directory Administrators group, not able to create a person object? Why was Administrator able to do it?
The security policy for this administrative area grants Directory Administrators permission to read and modify all attributes but not entry creation or deletion permission. Although both Test Admin and Administrator are members of Directory Administrators, Administrator was able to create objects because the security policy has a specific entry for Administrator. Administrator has the ability to create and delete objects and was a closer match than Directory Administrators.

   e. Click OK to close the message indicating that an error occurred processing your request due to not having the add permission.
   f. Click Cancel to close the Insert Object Under dialog box.
6. Modify the security policy to allow Directory Administrators to create and delete entries.
   a. In the directory pane, click metaverse security, in the control pane, click Actions, and then click Properties.
   b. In the This Administration Area's Security Policy dialog box, on the Admin Area's Create, Modify or Delete Permissions tab, in the Permission granted to box, click Directory Administrators, select the Allow entry creation/deletion check box, and then click OK.
7. Under the Security Test organizational unit, create a person named Test User.
   a. In the directory pane, right-click Security Test, and then click Insert.
   b. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Test User and then click Insert.
   c. Click OK to close the dialog box representing Test User.
   d. Click Cancel to close the Insert Object Under dialog box.
8. Configure Test User with an e-mail address of tuser@nwtraders.msft and a password of password.
   a. In the directory pane, expand Security Test, and then click Test User.
   b. In the control pane, click Properties.
   c. In the Test User dialog box, on the General tab, in the Email box, type tuser@nwtraders.msft.
   d. On the Identity tab, in the Password box, type password and then click OK.
   e. In the Change Password dialog box, in the Confirm New Password for userPassword box, type password; in the Enter the password you logged in with box, type password, and then click OK.
9. Verify that a Directory Administrator can modify Test User by changing Office to 555-1234.
   a. In the directory pane, click Test User, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, in the Office box, type 555-1234 and then click OK.
Exercise 3
Configuring Access Control on Specific Entries
In this exercise, you will place permissions on a user account so that the user has modify permission for its own information, while Directory Administrators have modify permission for all of its attributes except the office telephone number.

Scenario
There are occasions where different permissions than the security policy need to be placed on an individual entry.
1. Determine the metaverse namespace attribute name for Office, and then set specific entry permissions so that Self has modify permission for all attributes and only Self can modify the attribute associated with Office.
   a. In the directory pane, click Test User, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, CTRL+right-click in the Office box.
      A tool tip appears displaying the attribute name of telephoneNumber for the Office field.

A tool tip displays what attribute name for the Office field?
The attribute name for the Office field is telephoneNumber.

   c. Click OK to close the Test User dialog box.
   d. In the control pane, click Access Control.
   e. In the This Entry's Permissions dialog box, on the Entry's Modify Permissions tab, under the Permission granted to box, click New.
   f. In the This Entry's Permissions dialog box, on the Entry's Modify Permissions tab, under the list box displaying all attributes, click New.
   g. In the Edit Attribute dialog box, in the Grant or deny permissions to attribute box, type telephoneNumber and then click OK.
   h. Click Denied, and then clear the Allow this user to delete this entry check box.
   i. Under Permissions granted to, click New, and then click Self.
   j. Click OK to close the This Entry's Permissions dialog box.
2. Verify that Test Admin cannot modify Office and can modify other attributes of Test User.
   a. In the directory pane, verify that Test User is selected, and then in the control pane, click Properties.
   b. In the Test User dialog box, on the General tab, in the Office box, replace the existing value by typing 555-9876; in the Pager box, type 555-1111, and then click OK.
Did the specific permissions on an entry override the security policy? Was either value, Office or Pager, successfully modified?
Yes, the specific permissions on the entry took precedence over the security policy. Office was not modified, and Pager was modified.

   c. Click OK to close the message indicating that an error occurred processing your request due to no modification permission on attribute telephoneNumber.
   d. Verify that Test User is selected, and then in the control pane, click Properties.
   e. Verify that Office was not changed and the value is still 555-1234.
   f. Verify that Pager was modified to 555-1111, and then click OK.
3. Restart MMS Compass, log on as Test User, and verify that you do not have permission to create or delete entries, and that you do have permission to modify Office and Pager for Test User.
   a. Close MMS Compass.
   b. Start MMS Compass, and then log on to your MMS server as tuser@nwtraders.msft with a password of password.
   c. In the directory pane, navigate to and right-click Security Test, and then click Insert.
   d. In the Insert Object Under dialog box, on the General tab, in the Relative Name box, type Secret Admin and then click Insert.
   e. Click OK to close the dialog box representing Secret Admin, and then click OK to close the message indicating that an error occurred processing your request due to no add permission.
   f. Click Cancel to close the Insert Object Under dialog box.
   g. Navigate to and right-click Test Admin, point to Delete, click Delete selected entries, click Yes to confirm the deletion, and then click OK to close the message indicating that an error occurred processing your request due to no delete permission.
   h. Click Test User, and then in the control pane, click Properties.
   i. In the Test User dialog box, on the General tab, in the Office box, type 555-2222; in the Pager box, type 555-3333, and then click OK.
   j. Verify that Test User is selected, and then in the control pane, click Properties.
   k. Verify that Office was changed to 555-2222 and that Pager was changed to 555-3333, and then click OK.
Was Test User able to create or delete objects? Was Test User able to modify Office and Pager for its own entry?
No, Test User was not able to create or delete objects. Yes, Test User was able to modify Office and Pager for its own entry.
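The answers in Exercises 2 and 3 rest on two precedence rules: a Specific subject in a policy is a closer match than group membership (so Administrator could create entries while Test Admin could not), and permissions placed on an individual entry take precedence over the administrative area's security policy (so Directory Administrators could change Pager but not Office on Test User). The following Python models those two rules over the lab's own scenario. It is an added example written for this page, not MMS code or documented MMS behaviour; the numeric specificity ranks, the DN forms built from the lab's relative names, the Directory Administrators and Administrator DNs, and the attribute name pager are assumptions.

```python
"""Model of the permission resolution exercised in this lab (added example, not MMS code).

Rule 1: when several grants in a policy match the requester, the most specific
subject wins, so a Specific entry beats group membership.
Rule 2: permissions set on an individual entry are consulted before, and override,
the administrative area's security policy for that entry.
The ranks, the DN forms and the attribute name "pager" are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Subject kinds ordered by specificity; the numeric ranks are an assumption.
SPECIFICITY = {"specific": 4, "self": 3, "group": 2, "anyone": 1}


@dataclass(frozen=True)
class Grant:
    kind: str                      # "anyone" | "group" | "specific" | "self"
    subject: Optional[str] = None  # DN of the group or user for those kinds
    read: bool = True
    modify: bool = True
    allow_create_delete: bool = False
    denied_attrs: frozenset = frozenset()  # attributes this grant may not modify


@dataclass(frozen=True)
class Principal:
    dn: str
    groups: frozenset = frozenset()  # DNs of the groups the principal belongs to


def grant_matches(grant: Grant, who: Principal, target_dn: str) -> bool:
    """True if the grant's subject covers the requester acting on target_dn."""
    if grant.kind == "anyone":
        return True
    if grant.kind == "group":
        return grant.subject in who.groups
    if grant.kind == "specific":
        return grant.subject == who.dn
    if grant.kind == "self":
        return who.dn == target_dn
    raise ValueError(f"unknown subject kind {grant.kind!r}")


def best_grant(grants, who: Principal, target_dn: str) -> Optional[Grant]:
    """Closest match wins: among the matching grants pick the most specific subject."""
    matches = [g for g in grants if grant_matches(g, who, target_dn)]
    return max(matches, key=lambda g: SPECIFICITY[g.kind]) if matches else None


@dataclass
class AdminArea:
    policy: list                                           # the area's security policy
    entry_permissions: dict = field(default_factory=dict)  # entry DN -> [Grant]

    def resolve(self, who: Principal, target_dn: str) -> Optional[Grant]:
        """Entry-specific permissions are consulted first and override the area policy."""
        own = best_grant(self.entry_permissions.get(target_dn, []), who, target_dn)
        return own if own is not None else best_grant(self.policy, who, target_dn)

    def can_modify(self, who: Principal, target_dn: str, attr: str) -> bool:
        g = self.resolve(who, target_dn)
        return g is not None and g.modify and attr not in g.denied_attrs

    def can_create_or_delete(self, who: Principal, dn: str) -> bool:
        """Pass the parent DN for a creation, the entry's own DN for a deletion."""
        g = self.resolve(who, dn)
        return g is not None and g.allow_create_delete


# Constructed DNs for the lab objects: the lab gives only relative names, and the
# Directory Administrators and Administrator DNs are placeholders.
METAVERSE = "ou=metaverse,dc=domain,dc=nwtraders,dc=msft"
SECURITY_TEST = "ou=Security Test," + METAVERSE
TEST_ADMIN = "cn=Test Admin," + SECURITY_TEST
TEST_USER = "cn=Test User," + SECURITY_TEST
DIRECTORY_ADMINS = "cn=Directory Administrators,dc=domain,dc=nwtraders,dc=msft"
ADMINISTRATOR = "cn=Administrator,dc=domain,dc=nwtraders,dc=msft"

administrator = Principal(ADMINISTRATOR, frozenset({DIRECTORY_ADMINS}))
test_admin = Principal(TEST_ADMIN, frozenset({DIRECTORY_ADMINS}))
test_user = Principal(TEST_USER)


def metaverse_security(admins_may_create_delete: bool) -> AdminArea:
    """The 'metaverse security' policy from Exercise 1; Exercise 2 step 6 turns the flag on."""
    return AdminArea(policy=[
        Grant("group", DIRECTORY_ADMINS, allow_create_delete=admins_may_create_delete),
        Grant("specific", ADMINISTRATOR, allow_create_delete=True),  # per the Exercise 2 answer
    ])


def with_test_user_permissions(area: AdminArea) -> AdminArea:
    """Exercise 3: entry-specific permissions on Test User, as the exercise describes them."""
    area.entry_permissions[TEST_USER] = [
        Grant("group", DIRECTORY_ADMINS, denied_attrs=frozenset({"telephoneNumber"})),
        Grant("self"),
    ]
    return area


if __name__ == "__main__":
    area = with_test_user_permissions(metaverse_security(False))
    for who in (test_admin, administrator, test_user):
        print(f"{who.dn}: create under Security Test -> {area.can_create_or_delete(who, SECURITY_TEST)}")
        for attr in ("telephoneNumber", "pager"):
            print(f"{who.dn}: modify {attr} of Test User -> {area.can_modify(who, TEST_USER, attr)}")
```

Running the block prints each decision for Test Admin, Administrator and Test User; the interesting cases are Administrator being allowed to create because the Specific grant outranks the group grant, and Test Admin being refused telephoneNumber but not pager on Test User because the entry's own grants are consulted before the area policy.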
Exercise 4
Configuring Access to the Security Policy
In this exercise, you will verify that a user cannot change the security policy. You will then hide the subentry itself by placing permissions on the security policy subentry that override the security policy for the administrative area for only that entry. You will prevent non-administrators from seeing the subentry in the directory tree and yet allow Directory Administrators to read, modify, and delete the subentry.

Scenario
As it is not desirable for non-administrators to view or modify the security policy subentry, you need to configure the access control settings such that Directory Administrators can view and modify the security policy subentry while a non-administrator cannot see this entry. The permissions for the administrative area cannot be affected.

1. As Test User, change the security policy to grant modify, create, and delete permission for Test User.
   a. In the directory pane, click metaverse security, and then in the control pane, click Properties.
   b. In the This Administration Area's Security Policy dialog box, on the Admin Area's Create, Modify or Delete Permissions tab, under Permission granted to, click New.
   c. Click Specific, and then click Select.
   d. In the Select dialog box, click Search.
   e. In the control pane, in the search box, type Test User and then press ENTER.
   f. Move the Select dialog box enough to view the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   g. In the Select dialog box, drag and drop the Test User entry to the box to the right of Specific in the This Administration Area's Security Policy dialog box.
   h. Click OK to close the Select dialog box, and then click OK to close the This Administration Area's Security Policy dialog box.

Were there any permission errors encountered when the security policy was changed?
No.