Networkedminds (http://www.networkedminds.com): Where Networked Focused Minds Meet!
Fri, 06 May 2016 13:57:28 +0000

70-410 Objective 6.1 – Local Group Policy on Windows Server 2012 R2
Wed, 30 Mar 2016 02:18:41 +0000

In this video we explore the Local Group Policy in Windows Server 2012 R2. This video covers Objective 6.1, Creating and Managing Group Policy, for the 70-410 exam. We start by opening the Local GPO using the MMC and adding the snap-in for the Group Policy Object Editor. We can also edit the Local Group Policy with the command gpedit.msc. However, this command will only open the legacy-style Group Policy and will not open the newer enhanced GPO available as of Vista/Windows Server 2008. The enhanced GPO allows per-local-user GPO settings. After we open the local GPO we explore the differences between local and domain-based GPOs. We look at the User Configuration and I explain how it has basically remained the same since Windows Server 2000. We then explore how it changed in Vista and Windows Server 2008. We then open the per-user settings via the MMC, which allows creating GPOs for Administrators, Non-Administrators and specific local users. We then create a local user in Computer Management so that we can see the specific user in the Local GPO. We then go back to the Local GPO so that we can see the specific user show up. We then examine the per-user GPO configuration for the specific user. After making a simple setting for a specific user we examine the local file system at C:\Windows\System32\GroupPolicy and C:\Windows\System32\GroupPolicyUsers to see how the Local GPO is stored.

Introduction – 0:10

Opening the Local Group Policy with the MMC – 0:21

Exploring the Local GPO – 0:45

Understand the Local User Configuration – 1:30

How the Local User Configuration has changed after Vista/Windows Server 2008 – 1:50

Exploring the local per user GPO settings – 2:10

Creating a local user in the Computer Management Console – 2:55

Examining the local per user GPO for a specific user – 3:15

Exploring the per user GPO for a specific user – 3:44

Examining the local file system storage of the GPO – 4:10

70-410 Objective 6.1 – Understanding Group Policy Management on Windows Server
Mon, 14 Mar 2016 01:20:05 +0000

This video explains Group Policy Management and the components of Group Policy for Objective 6.1, Creating and Managing Group Policy, for the 70-410. We start by looking at the Active Directory structure so that we can compare it to what we see in the Group Policy Management Console. The GPMC, or Group Policy Management Console, is the primary tool to manage Group Policy in Windows Server 2012 R2. We look at the differences between Active Directory containers and AD Organizational Units, since we can only apply GPOs to an OU. We then compare the AD structure to what we see in the GPMC. We look at the various components of Group Policy, which are the GPO itself, the Organizational Unit it is applied to and the GPO Link that ties the two together. We also cover the two GPOs that are created by default when we create a domain: the Default Domain Policy and the Default Domain Controller Policy. We then look at where the actual Group Policies are stored in the SYSVOL for Active Directory. We look further at how we can identify the GUIDs we see in the SYSVOL by looking at the properties of the GPO. We also look at the different components inside of the GPO from a storage aspect, identifying the Machine and User portions of the GPO. Next we discuss how to create and link a new GPO to an OU. We then identify the different sections of the newly created GPO and go over the computer and user settings. We also cover the basic structure and layout of settings inside of a GPO and the differences between Policies and Preferences.

Introduction – 0:10

Examining Active Directory – 0:20

Differences between AD Containers and AD OUs – 0:35

Comparing AD to the GPMC – 2:18

Components of GPO – 2:55

Storage of the GPOs in Active Directory via the SysVol – 4:42

How to identify which policy is which with the GUID – 5:15

Components of how the GPO is stored – 6:02

Creating a GPO and Linking it – 6:52

Components of GPO Settings – 7:35

Structure of the various settings inside of the GPO – 8:58

Differences between Policies and Preferences – 9:05

70-410 Objective 6.1 – Create and Manage GPO on Windows Server 2012 R2 Part 2
Mon, 07 Mar 2016 03:16:35 +0000

This video is part two of two videos where we cover Group Policy Objects for Objective 6.1, Create and Manage Group Policy, for the 70-410. We begin by discussing Group Policy management and the components of Group Policy. Group Policy has three main parts: the GPO itself, the Organizational Unit it is applied to, and the GPO link object that applies the Group Policy to the OU. Then we discuss how a GPO can be scoped down. Scoping down a GPO means limiting where its settings are applied. We have three main means of scoping it down. The first is the links that are created to the Group Policy Object, where we have the option to link, delete the link or disable the link. The next is security filtering, which is selectively applying it to a particular security group or primary principal. The last is WMI filtering, which is a way to have the end computer or user perform a SQL-type query; if it is true, the Group Policy Object is applied. WMI filtering is the most granular since you can create an almost limitless number of ways the Group Policy can be applied conditionally. We then cover the two types of settings found inside of a Group Policy: Policies and Preferences. We also learn how everything is broken down to either Computer or User objects for application. We then look at the three states of a Group Policy setting, which are Not Configured (default), Enabled, and Disabled. The last topic in relation to Group Policy is Local GPOs and the options we now have for local users. In operating systems prior to Vista and Windows Server 2008 we only had one GPO that we could create at the local GPO level. This applied to all users, including administrators. In Vista, Windows Server 2008 or later operating systems we can now choose between specific local users, administrators or non-administrators. This allows maximum flexibility for creating local GPOs.

Introduction – 0:10

Group Policy management and components – 0:20

Scoping down a Group Policy Object – 2:26

Editing GPOs and the component in the GPO editor – 4:53

The three states of a GPO setting – 7:57

Multiple Local GPOs and the differences since Vista and Windows Server 2008 – 9:56

70-410 Objective 6.1 – Create and Manage GPO on Windows Server 2012 R2 Part 1
Sun, 06 Mar 2016 00:26:24 +0000

This video is part one of two videos where we cover Group Policy Objects for Objective 6.1, Create and Manage Group Policy, for the 70-410. We begin by looking at what Group Policy is and how it is used for administration of User and Computer objects. We briefly discuss the background refresh of Group Policy, which is partially how GPO is enforced. We also identify the two GPOs that a domain is created with: the Default Domain Policy and the Default Domain Controller Policy. Before getting into domain-based Group Policy we discuss the Local Group Policy and some of the differences between the Local GPO and Domain GPO. We also identify where it is stored on the local machine. We then look at Active Directory Group Policy Object processing and the order of Local GPO, Site GPO, Domain GPO, and finally the Organizational Unit structure. We look at an example of a particular object in a structure of OUs and how Group Policy would be applied in that example. We then cover Starter Group Policy Objects: what they are and how they are used. Then we discuss my favorite topic, the history of Group Policy, and talk about then and now and how it has changed, specifically the new structure of ADMX and ADML files compared to pre-2008/Vista Group Policy ADM templates. We then look at the advantages of a Central Policy Definition Store and how to create a GPO Central Store. We investigate the directory structure that needs to be created inside of the SYSVOL to accommodate the PolicyDefinitions folder. Stay tuned for Part 2 of the lecture notes.

Introduction – 0:10

What are Group Policy Objects – 0:20

Local Group Policy definition – 1:30

Group Policy Object Application Order – 3:05

Starter Group Policy Objects – 4:54

Differences between ADM and ADMX templates – 6:14

Group Policy Central Store – 9:42

70-410 Objective 5.3 – Active Directory Group Conversion on Windows Server 2012 R2
Mon, 29 Feb 2016 03:08:47 +0000

Active Directory Group Conversion is covered as Objective 5.3 for the 70-410 Exam. Conversion of a group from Domain Local to Global is not directly possible. Conversion from Global to Domain Local is not directly possible either. However, it is possible by converting to a Universal Group first and then converting to the desired group. The reason it is not directly possible is not that it is uncommon to do so. It is not directly possible because of the availability of Domain Local groups outside of the Active Directory domain. This has consequences for the memberships of the groups being converted.

The rules are as follows. A Domain Local Group can only be converted to a Universal Group if it has no other Domain Local Groups as members. There is no limitation on converting a Universal Group to a Domain Local Group. A Global Group, on the other hand, can only be converted to a Universal Group, and only if it is not a member of another Global Group. A Universal Group can only be converted to a Global Group if it doesn’t have any other Universal Groups as members.

In the lab we create a brand new Global Group in Active Directory. We then try to convert the group directly to a Domain Local Group, but the option is grayed out. So we convert the group to a Universal Group, then to a Domain Local Group. After conversion the option to directly convert it to a Global Group is grayed out. We then examine the rules of converting a Global Group to a Universal Group by adding the group to be converted as a member of another Global Group. When we try to convert it, it fails. We then try the same with a Domain Local Group converting to a Universal Group and find it fails if another Domain Local Group is a member. This is because when converted to a Universal Group, it can’t have members from a local domain such as a Domain Local Group. We then examine Universal Group conversion.

Introduction – 0:10

Creating of a new Global Group – 0:22

Example of indirect group conversion – 0:36

Rule in conversion of a Global Group with example – 1:10

Rule in conversion of a Domain Local Group with example – 2:09

Rule in conversion of a Universal Group with example – 3:03

Table of Active Directory Group conversion – 3:45

70-410 Objective 5.3 – Using Restricted Groups via GPO on Windows Server 2012 R2
Wed, 24 Feb 2016 03:24:01 +0000

We will review using Restricted Groups via Group Policy Object for Objective 5.3, Creating and Managing Groups, for the 70-410 Exam. Restricted Groups is a security configuration under the computer object of Group Policy. It allows for the policing of groups on remote machines. This can be extremely important so that users do not obtain administrative access by getting added to the Administrators group. There are two modes it works in. The first mode is what I call an absolute mode, or “Members of this group”. Whatever is set for membership is absolute, meaning any security principals not explicitly set for the remote computer’s local group will be removed. This is the primary way to police computers so that administrative access is not given by mistake or unintentionally by another admin. The second is additive, or “This group is a member of”, meaning the group that is specified will be added to the local group on the remote computer. This method is used when we want to make sure that a user is added to a local group on a remote computer.

We start by creating a Group Policy Object and linking it to the Organizational Unit containing the computer to be policed. We then edit the GPO we created and drill down to the settings for Restricted Groups, which can be found under: Computer Configuration – Policies – Windows Settings – Security Settings – Restricted Groups. We then add a group to Restricted Groups matching the name of the local group on the remote computer. We edit the “Members of this group” section, which evicts anyone that is not explicitly added in the GPO. We then switch over to the remote computer and run gpupdate /force so that the changes are immediate. Then we inspect the local computer group for the changes applied from the GPO. I follow this up with an explanation of what has happened. Next we examine how we can add an Active Directory group to a remote machine’s local group via Restricted Groups. This time we specify the Active Directory group for which we want to set the “This group is a member of” Restricted Groups setting. This will nest the AD group under the remote machine’s local group; it will not modify Active Directory.

Introduction – 0:10

Lab overview of the Active Directory domain – 0:23

Inspection of the target computer for GPO – 0:30

Creation of the Group Policy Object for Restricted Groups – 1:20

Editing of the GPO created – 2:03

Adding a Group to Restricted Groups – 2:28

Inspecting the remote servers after Restricted Group is applied – 3:10

Explanation of what has happened – 3:50

Adding a group to a remote computer’s local group – 5:17

Inspecting what has been applied – 6:42

Explanation of how the setting works – 7:08

70-410 Objective 5.3 – Creating and Managing Groups via PowerShell on Windows Server 2012 R2
Fri, 19 Feb 2016 19:43:11 +0000

In this video for Objective 5.3, Creating and Managing Groups and OUs in Windows 2012 R2, we investigate creating and managing groups via PowerShell. PowerShell is an integral part of Windows 2012 R2 because everything is managed through PowerShell and Windows Remote Management. However, PowerShell by itself is cumbersome to use for everyday tasks. It does, however, excel at repetitive tasks by allowing automation via PowerShell scripts, and that is the basis of this objective. Creating and managing groups via PowerShell is about automating repetitive tasks by scripting them in bulk, such as the creation of user accounts in an RBAC, or Role Based Access Control, environment. Imagine you have several types of employees like Sales, Marketing and Research, where every time an employee enters the company they should be made members of certain groups… This is where PowerShell scripting gains traction.
We first investigate how to create a new AD group via PowerShell using the ‘New-ADGroup’ PowerShell cmdlet. We then look at Active Directory and see the change we’ve made with the PowerShell command. We also look at another tool that can be used at the command line, which is DSQuery. This tool helps us get the Distinguished Names for the group and some user accounts we will add to the new group via PowerShell. We proceed to add the members via the ‘Add-ADGroupMember’ PowerShell cmdlet. Then we observe the changes to the Active Directory group. We then discuss why we are learning PowerShell and how it can be applied. We also look at management of groups with the DSQuery command and DSAdd command and how we can add a group to Active Directory. You’ll notice I fumble around a bit with the DSAdd command, because it’s not a common task at the command line. We then proceed to look at AD and see the results. Next we look at adding members to a group with the DSMod command and reviewing the changes in AD. We then review why we use the command line tools to create and manage Active Directory.

Introduction – 0:10

Creating an AD Group with PowerShell – 0:30

Review of what the command did in AD – 2:09

Using DSQuery to query Users in Active Directory – 2:29

Adding members to a group via PowerShell – 3:22

Review of what the Add-ADGroupMember cmdlet did – 3:59

Why are we learning PowerShell – 4:12

Using the DSQuery Command – 4:44

Adding a group with the DSAdd command – 5:35

Review of what the DSAdd command did – 7:36

Modifying an AD Group with DSMod – 7:52

Review of what the DSMod command did – 8:40

Final review of why we use command line – 8:48

70-410 Objective 5.3 – Group Scope and Nesting Groups on Windows Server 2012 R2
Fri, 12 Feb 2016 14:00:50 +0000

In this video for Objective 5.3, Creating and Managing Groups and Organizational Units, we will look at group scope and nesting of groups. Group scope is defined by two characteristics. The first is the availability of the group. The second is what it can be a member of and which types of groups can use it. A table of these characteristics can be found here: https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx. A blended strategy of using the proper group scope and the nesting of groups will allow for the most flexibility in assigning permissions. For example, when creating permissions we usually only use one group. We assign users to that group and then assign the group permissions on the resource. However, when a particular user does not fit into the model we’ve created, we add that one user directly to the resource. This is completely wrong and it’s the reason we should use the model of AGDLP or AGUDLP. AGDLP is: Accounts are added to a Global Group, the Global Group is added to the Domain Local Group and the Domain Local Group is assigned Permissions. An alternate approach is AGUDLP, which is: Accounts are added to a Global Group, the Global Group is added to a Universal Group, the Universal Group is added to the Domain Local Group and the Domain Local Group is assigned Permissions. The second approach is best used in large multi-domain forests, whereas the first approach should be used in single-domain forests or multi-domain forests.

Introduction – 0:10

Machine Local Groups – 0:22

Creating a Machine Local Group – 0:55

Explanation of the lab setup – 1:52

Creating a Domain Local Group under Contoso.com – 2:20

Example of a Domain Local Group’s availability in another domain – 3:20

Creating a Global Group under Contoso.com – 4:29

Example of a Global Group’s availability in another domain – 4:50

Example of using AGDLP nesting – 5:18

Recap of the AGDLP nesting and bringing it all together – 8:05

Example of using AGUDLP nesting – 9:25

Examining the Machine Local Group – 11:59

70-410 Objective 5.3 – Differences Between OUs and Groups on Windows Server 2012 R2
Sat, 06 Feb 2016 20:58:31 +0000

In this video for Objective 5.3, Creating and Managing Organizational Units and Groups, we will learn the differences between OUs and Groups. Organizational Units are often confused with Security Groups, because in both cases we are organizing users or computers into OUs or groups. So the act of putting the objects into the various containers seems similar, but OUs and Groups are not the same and cannot be used for the same purposes.
We start by examining what OUs cannot be used for, which is ACLs on a file or folder. They are not security principals like a security group. I demonstrate by creating a folder and trying to add an OU to an ACL. It simply does not exist as an option, because OUs are not used for security on ACLs. We then create a group and add members. We then go back to the folder and apply the security of the group.
We then ask the question, “Why are we organizing users into folders… if we can’t use them for security?”. It is a valid question, but OUs are used for a very different purpose, which is applying policies from GPOs (Group Policy Objects) and allowing delegation of an OU to an average user. We then open the GPMC, or Group Policy Management Console, and examine the structure of the OUs, which is almost identical to the domain structure. We then create a GPO and link it to an OU. Lastly we discuss delegation of an OU to an average user for purposes of password resets. I use the example of an office manager being able to reset his or her employees’ passwords with an administrator. We also discuss the “Principle of Least Privilege”, which states that a user should only be given the privileges they need to perform their duties. We then examine the permissions that were applied to the OU by the Delegation Wizard.

Introduction – 0:10

Explanation of the structure – 0:43

Explanation of OU types – 1:15

What OUs cannot do – 2:10

Creating a group – 3:04

Adding a group on an ACL – 3:45

What OUs are used for – 4:30

Opening Group Policy Management Console – 4:50

Creating a GPO and linking it – 5:20

Delegation of an OU – 5:56

Examining the permissions on an OU – 7:15

70-410 Objective 5.3 – Creating and Managing Groups and OUs on Windows Server 2012 R2
Mon, 01 Feb 2016 13:37:21 +0000

In this video I will explain concepts for the 70-410 Objective 5.3, Creating and Managing Active Directory Groups and Organizational Units. Most people confuse Organizational Units, or OUs, and Active Directory Security Groups. They are used for totally different reasons, but still share the same concept of organizing users and computers. OUs organize User or Computer objects in AD so that we can apply policy to the objects with Group Policy. Groups organize user or computer accounts in AD so that we can administer by role. This administration takes the form of securing resources with ACLs, in which we allow or deny the groups access at varying levels. We cover this first so that we have a clear understanding of the differences between the two before we proceed.
We then proceed to the security on Organizational Units and how we can delegate an OU so that admins follow the principle of least permissions. In the example we delegate an OU to an average user who might be a manager, so that he or she can provide password resets for their employees. We could always give a higher level of permission than what is needed. However, that would not limit mistakes and abuse of privileges.
We then look at the group types of Distribution and Security. Since Distribution is solely used for Exchange users we will not be discussing them, and Distribution Groups are not an objective for the exam. Security Groups have several scopes: Machine Local Groups, Domain Local Groups, Global Groups and Universal Groups. Before discussing group scopes further we look at the basic purpose of groups, which is to organize users together. We do this so that we can administer by groups and not by individual users. The process is called Role Based Access Control.
We then focus on group scope types and begin with Machine Local Groups and which group types can be nested inside of them. Machine Local Groups have no availability outside of the local machine. Domain Local Groups can contain other Domain Local Groups, Global Groups and Universal Groups in addition to User accounts or Computer accounts. The availability of a Domain Local Group for nesting under other Domain Local Groups is limited to the domain it is created in; it is “Local” to the domain. Global Groups can contain only other Global Groups in addition to User accounts and Computer accounts. They are, however, available outside of the domain for nesting in other Domain Local Groups, Machine Local Groups and Universal Groups. Universal Groups can contain Global Groups and other Universal Groups in addition to User accounts and Computer accounts. They are available throughout the entire forest.
We then focus on nesting of groups to achieve administrative control over permissions while allowing autonomous control by other admins, such as allowing one administrator to secure a resource while allowing another administrator to organize their users by role. We use the process of AGDLP or AGUDLP. AGDLP is simply adding users to Global Groups, nesting the Global Groups inside of Domain Local Groups and securing permissions with the Domain Local Group. A variation of that is adding users to Global Groups, nesting the Global Groups inside of a Universal Group, then nesting the Universal Group inside of Domain Local Groups and securing permissions with the Domain Local Group.
We briefly talk about creating groups with the GUI and the command line via the DS commands and PowerShell. We also talk about managing groups with Group Policy using Restricted Groups inside of a GPO, which either allows a user to be made a member of a machine local group or allows only an absolute list of people to be members of the machine local group. Finally we learn about group conversion and how we can convert a Domain Local Group to a Global Group and a Global Group to a Domain Local Group. We also cover the rules behind these conversions.

Understanding the differences between OUs and Groups – 0:20

Understanding what Organization Units are used for – 0:32

Understanding what Groups are used for – 0:59

How to use OUs for delegated admin access – 1:16

Group Types and Group Scopes – 3:20

Group Concepts for Security – 4:51

Understanding the Machine Local Group Scope – 5:55

Understanding the Domain Local Group Scope – 6:52

Understanding the Global Group Scope – 7:30

Understanding the Universal Group Scope – 7:55

Nesting of groups for permissions – 8:28

Creating Groups – 12:20

Managing Groups with AD – 13:15

Group Conversion – 14:28
