pjordan871 / Azure-104-labs

This is my repository for all my Azure labs

User Account Management and Permissions #9

Open pjordan871 opened 1 week ago

pjordan871 commented 1 week ago

Goal: Learn how to create and manage users and groups within Active Directory.

Tasks: Create several user accounts, including student and admin accounts. Assign specific permissions and organize users into groups (e.g., "Students," "Staff"). Test access by logging in from client machines with these accounts. Create Organizational Units (OUs) for structure and practice moving users and computers into appropriate OUs.

Skills Developed: Active Directory basics, user permissions, and group policies.

Scenario: University Department with Secure Access Requirements

Client: A university's Computer Science Department

Situation: The Computer Science Department has several types of users, including faculty members, administrative staff, and students. They recently upgraded their IT infrastructure, and the university wants to improve security, simplify access management, and ensure only authorized users can access certain resources.

Requirements:

User Accounts for Different Roles: Each user should have a unique account for authentication and access to department resources.

Faculty: Should have full access to teaching resources, grading systems, and research files.

Administrative Staff: Should have access to student records, department budgeting documents, and other administrative files.

Students: Should only have access to course materials, lab computers, and shared resources for assignments.

Organizational Units (OUs):

The IT administrator wants a way to organize user accounts for easy management. Faculty, Staff, and Students will each be placed into their own OU in Active Directory, which will make it easier to apply role-based policies.

Folder and File Permissions:

Faculty Folders: Need to be accessible only to faculty members.

Admin Folders: Only accessible to administrative staff.

Course Materials: Available to both faculty and students but with read-only access for students.

Group Policy Implementation:

Remote Desktop Access: Faculty and staff should be able to access their desktop computers remotely for flexibility, but students should not have this capability.

Firewall and Security Settings: All systems should have firewalls enabled and security policies enforced, including password complexity and account lockout after multiple failed login attempts.

pjordan871 commented 1 week ago

1. Create Users in OUs:

Open Active Directory Users and Computers (ADUC):

Go to Start > Administrative Tools > Active Directory Users and Computers.

Create User Accounts:

Right-click on the Users container and select New > User. Enter the user’s First Name, Last Name, User Logon Name (username), and set a default password. Check User must change password at next logon to ensure security. Repeat this for all faculty, administrative staff, and student accounts.

Organize Your Naming Convention:

Create a consistent naming convention for usernames (e.g., last name, first initial like Seinfeldj - Jerry Seinfeld). This will help you manage users more easily as the department grows.

Create Security Groups

Once you create the users, you need to create security groups. Grouping users by role in OUs allows you to apply policies and permissions at the group level, simplifying account management and improving security.

pjordan871 commented 1 week ago

Step 2: Organize Users into Organizational Units (OUs)

Create Organizational Units for Each Role:

In ADUC, right-click on your domain (e.g., acs.edcc.ctc.edu), and select New > Organizational Unit.

Name the OUs based on user roles: Faculty, Staff, and Students.

Move Users into Their Respective OUs:

Drag and drop user accounts from the Users container into the appropriate OU (Faculty, Staff, or Students). Alternatively, right-click on a user, select Move, and choose the appropriate OU.
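The same OU, security group and user setup from Steps 1 and 2 can be scripted so it is repeatable. This is an added example, not part of the original lab notes: the roster entries are constructed, creating the groups inside the role OUs is an assumption, and users are created directly in their role OU rather than in Users and then moved.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module, run as a domain admin

$domainDn  = 'DC=acs,DC=edcc,DC=ctc,DC=edu'   # derived from the lab's domain name
$upnSuffix = 'acs.edcc.ctc.edu'

# Constructed sample roster; replace with the real department list.
$roster = @(
    [pscustomobject]@{ First = 'Jerry';  Last = 'Seinfeld'; Role = 'Faculty'  }
    [pscustomobject]@{ First = 'Elaine'; Last = 'Benes';    Role = 'Staff'    }
    [pscustomobject]@{ First = 'George'; Last = 'Costanza'; Role = 'Students' }
)

# Prompt for the default password so it never sits in the script or shell history.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password'

foreach ($role in 'Faculty', 'Staff', 'Students') {
    $ouDn = "OU=$role,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
        New-ADOrganizationalUnit -Name $role -Path $domainDn
    }
    # Assumption: one security group per role, stored in that role's OU.
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

foreach ($person in $roster) {
    # Naming convention from the lab: last name + first initial (seinfeldj).
    $sam = ($person.Last + $person.First.Substring(0, 1)).ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "Account ${sam} already exists, skipping"
        continue
    }
    New-ADUser -Name "$($person.First) $($person.Last)" `
        -GivenName $person.First -Surname $person.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Path "OU=$($person.Role),$domainDn" `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $person.Role -Members $sam
}
```

The existence checks make the script safe to re-run, and the collision warning matters with this naming convention because two people can share a last name and first initial.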

pjordan871 commented 1 week ago

3. Assign permissions to Shared folders

Create Shared Folders on the File Server (Zeus):

Log in to Zeus (file server) and navigate to the folder location where you want to set up shared folders (e.g., C:). Create new folders for each user group, like _Faculty Files, _Admin Files, and _Course Materials.

Share Each Folder:

Right-click on each folder, select Properties, then go to the Sharing tab. Click on Advanced Sharing, check Share this folder, and click Permissions. Here, you’ll specify which groups or users can access the folder.

Set Permissions for Each Folder:

Faculty Files: Add the Faculty group with Full Control.

Admin Files: Add the Staff group with Full Control.

Course Materials: Add the Faculty group with Modify permissions and the Students group with Read permissions.

Click OK to apply permissions.

Add Folder Paths to AD User Accounts (Optional for User Profiles):

In ADUC, go to each user’s properties (right-click > Properties), select the Profile tab, and set a Home folder path.

Select the Connect button.

Choose a drive letter (typically H: for Home drive).

Enter the path (e.g., \\Zeus\Profiles\%username%) if needed.

You can find the file path by going to the file server --> select the matching folder --> go to the Sharing tab --> look for the path under Network Path.
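The share permissions from Step 3 can also be applied and then checked from PowerShell on the file server. This is an added example, not part of the original lab notes: the parent folder `C:\Shares` and the NetBIOS domain name `ACS` are assumptions, and the lab's "Modify" is expressed as the share-level Change right.

```powershell
# Run in an elevated session on the file server (Zeus in the lab).
$root   = 'C:\Shares'   # assumed parent folder; the lab only says "e.g., C:"
$domain = 'ACS'         # assumed NetBIOS domain name

# Share-level access taken from the lab text. Share permissions only offer
# Full Control / Change / Read, so "Modify" is mapped to Change here.
$shares = @(
    @{ Name = '_Faculty Files';    Full   = "$domain\Faculty" }
    @{ Name = '_Admin Files';      Full   = "$domain\Staff" }
    @{ Name = '_Course Materials'; Change = "$domain\Faculty"; Read = "$domain\Students" }
)

foreach ($s in $shares) {
    $path = Join-Path $root $s.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Pass only the access levels defined for this share.
    $params = @{ Name = $s.Name; Path = $path }
    if ($s.Full)   { $params.FullAccess   = $s.Full }
    if ($s.Change) { $params.ChangeAccess = $s.Change }
    if ($s.Read)   { $params.ReadAccess   = $s.Read }
    New-SmbShare @params | Out-Null
}

# Verification: warn if any share still allows a broad built-in principal,
# which would defeat the per-role separation the scenario requires.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
foreach ($s in $shares) {
    Get-SmbShareAccess -Name $s.Name |
        Where-Object { $_.AccountName -in $broad -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            Write-Warning "Share '$($_.Name)' grants $($_.AccessRight) to $($_.AccountName)"
        }
}
```

Effective access over the network is the more restrictive of the share permission and the folder's NTFS permission, so the NTFS ACLs on these folders need to allow the same groups.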

pjordan871 commented 1 week ago

Step 4: Implement Group Policy for Access Control