OU - DELEGATE CONTROL
I Create OUs (Organizational Unit)
Step 1: Log on as Administrator > Start > Programs > Administrative Tools > Active Directory Users and Computers > right-click domx.com > New > Organizational Unit
In the New Object - Organizational Unit window > in the Name box, type THUCHANH > OK
Step 2: Right-click OU THUCHANH > New > Organizational Unit
Step 3: Right-click OU THUCHANH > New > Organizational Unit
> In the New Object - Organizational Unit window > in the Name box, type Nhansu
Step 4: Right-click OU Ketoan > New > User
In the New Object - User window > in the First Name and Full Name boxes, enter kt1
> in the User logon name and User logon name (pre-Windows 2000) boxes, enter kt1
Network Systems, Lê Xuân Tùng
> In the Password and Confirm password boxes, enter 12345?a > clear the User must change password at next logon check box > Next > Finish
Step 5: In OU Ketoan, create user kt2 in the same way as step 4
Step 6: Right-click OU Nhansu > New > User
In the New Object - User window > in the First Name and Full Name boxes, enter ns1
> in the User logon name and User logon name (pre-Windows 2000) boxes, enter ns1
> Next
Step 7: In OU Nhansu, create user ns2 in the same way as step 6
Step 8: In OU THUCHANH, create a user named giamdoc
Right-click OU THUCHANH > New > User
II Delegate Control
Purpose: In this OU model, permissions are delegated as follows:
- User kt1 has the right to manage the users in OU Ketoan
- User ns1 has the right to manage the users and groups in OU Nhansu
- User giamdoc has the right to manage OUs THUCHANH, Ketoan, Nhansu
Preparation:
Grant the Users group the Allow log on locally right
> Log on as Administrator > Start > Programs > Administrative Tools > Domain Controller Security Policy
> The Allow log on locally Properties window
> In the Enter the object names to select box, type: users
> click the Check Names button
> OK
1 Delegate to user kt1 the right to manage the users in OU Ketoan
Step 1: Log on as Administrator > Start > Programs > Administrative Tools > Active Directory Users and Computers > right-click OU Ketoan > choose Delegate Control
> In the Welcome window > click Next
> In the Users or Groups window > click Add
> type kt1 > click the Check Names button
> Next
> In the Tasks to Delegate window > select the Delegate the following common tasks option > select the Create, delete, and manage user accounts check box > Next > Finish
Step 2: Log off Administrator > Log on as kt1 > Start > Programs > Administrative Tools > Active Directory Users and Computers > right-click OU Ketoan > New > User
Note: Observe that kt1 only has the right to create a User
> In the New Object - User window > create user kt3 > Next > set the password to 12345?a > clear the User must change password at next logon check box > Next > Finish
Step 3: Right-click user kt2 and choose Reset Password
> set a new password for kt2 > OK > OK
Step 4: Right-click user kt2 and choose Delete > Yes
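An added example (not part of the original lab): a PowerShell review of the explicit permission entries that the Delegation of Control Wizard wrote on the lab OUs. It assumes the ActiveDirectory module is available and builds the distinguished names from the lab's dom1.com / THUCHANH / Ketoan / Nhansu layout; `Get-OuDelegation` and `Resolve-ClassName` are names made up for this example.

```powershell
# Added example: list explicit (non-inherited) Allow ACEs on the lab OUs.
# Assumption: ActiveDirectory module (RSAT) installed, domain dom1.com.
Import-Module ActiveDirectory

# schemaIDGUID values of the object classes delegated in this lab
$classNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

# Hypothetical helper: turn a class GUID into a readable name when known
function Resolve-ClassName([guid]$Guid) {
    $key = $Guid.ToString()
    if ($classNames.ContainsKey($key)) { $classNames[$key] } else { $key }
}

# Hypothetical helper: return one row per explicit Allow ACE on an OU
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                OU          = $DistinguishedName
                Trustee     = $_.IdentityReference.Value
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = Resolve-ClassName $_.ObjectType
                AppliesTo   = Resolve-ClassName $_.InheritedObjectType
                Inheritance = $_.InheritanceType
            }
        }
}

# OUs created in part I of this lab (DNs assumed from dom1.com/THUCHANH/...)
$ous = 'OU=Ketoan,OU=THUCHANH,DC=dom1,DC=com',
       'OU=Nhansu,OU=THUCHANH,DC=dom1,DC=com',
       'OU=THUCHANH,DC=dom1,DC=com'

$ous | ForEach-Object { Get-OuDelegation -DistinguishedName $_ } |
    Sort-Object OU, Trustee |
    Format-Table -AutoSize
```

For kt1 on OU Ketoan, expect a create/delete-child entry for the user class and a full-control entry that applies to descendant user objects, which matches kt1 being able to reset and delete kt2 in steps 3 and 4.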
2 Delegate to user ns1 the right to manage the users and groups in OU Nhansu
Step 1: Log on as Administrator > Start > Programs > Administrative Tools > Active Directory Users and Computers > right-click OU Nhansu > choose Delegate Control
> In the Welcome window > click Next
> In the Users or Groups window > click Add
> type ns1 > click the Check Names button
> In the Tasks to Delegate window > select the Delegate the following common tasks option > select the Create, delete, and manage user accounts check box and the Create, delete and manage groups check box > Next > Finish
Administrative Tools > Active Directory Users and Computers > right-click OU Nhansu > New > Group
Note: Observe that ns1 has the right to create a User and a Group
> In the New Object - Group window, create group Nhansu > under Group scope choose Global > under Group type choose Security > OK