Wednesday, January 26, 2005

Securing Administrative Groups and Accounts in Active Directory Part 4

Strengthening Security on Service Accounts and Groups: By creating a subtree containing all service administrator accounts and the administrative workstations that they use, you can apply specific security and policy settings to maximize their protection.
Creating the OU Structure for the Controlled Subtree: To create the subtree, create three OUs:
1. Service Admins, under the domain root, which will hold the following two sub-OUs:
2. Users and Groups, to hold administrative user and group accounts.
3. Admin Workstations, to hold administrative workstations.
Tasks:
1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
2. In the console tree, right-click the domain name, point to New, and click Organizational Unit.
3. In the Name box, type Service Admins and click OK.
4. In the console tree, right-click Service Admins, point to New, and click Organizational Unit.
5. In the Name box, type Users and Groups and click OK.
6. In the console tree, right-click Service Admins, point to New, and click Organizational Unit.
7. In the Name box, type Admin Workstations and click OK.
Setting the Permissions on the Controlled Subtree OUs: Doing the following limits access to the controlled subtree, so that only service administrators can administer the membership of the service administrator groups and their workstations.
Tasks:
1. Log on as a member of the Domain Admins group, and open Active Directory Users and Computers.
2. On the View menu, select Advanced Features.
3. Right-click the Service Admins OU, and click Properties.
4. On the Security tab, click Advanced to view all of the permissions that exist for the OU.
5. Clear the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" check box.
6. In the Security dialog box, click Remove. This removes the permissions that were inherited from the domain.
7. Remove the remaining permissions: select all of them and click Remove.
8. For each group listed in the Name column of the list below, add a permission entry that matches the Access and Applies To columns. To add an entry, click Add; in the Select User, Computer, or Group dialog box, click Advanced; in the expanded dialog box, click Find Now; in the search results box, select the group name and click OK twice. This brings up the Permission Entry dialog box, where you select the Access and Applies To items to match the list.
List (Type, Name, Access, Applies To):
Allow, SYSTEM, Full Control, This object and all child objects
Allow, Enterprise Admins, Full Control, This object and all child objects
Allow, Domain Admins, Full Control, This object and all child objects
Allow, Administrators, Full Control, This object and all child objects
Allow, Pre-Windows 2000 Compatible Access, List Contents + Read All Properties + Read Permissions, User objects
Allow, Pre-Windows 2000 Compatible Access, List Contents + Read All Properties + Read Permissions, InetOrgPerson objects
Allow, Enterprise Domain Controllers, List Contents + Read All Properties + Read Permissions, This object and all child objects
Allow, Authenticated Users, List Contents + Read All Properties + Read Permissions, This object and all child objects
That's it. Now we are going to move all accounts and their workstations to the subtree. I will blog that piece this evening.
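The same procedure (both the OU creation and the permission rebuild) as a script, added here as an example and not taken from the original post: it uses the RSAT ActiveDirectory module and its AD: PSDrive instead of the Users and Computers GUI, and resolves every principal by well-known or domain-relative SID rather than by display name. It assumes you run it as a member of Domain Admins, that the Service Admins OU does not already exist, and that the forest root domain is reachable (Enterprise Admins lives there); the helper function names are this example's own.

```powershell
# Added example (not the original post's script): build the controlled subtree and
# apply the post's ACL in one pass. Assumes RSAT ActiveDirectory module, Domain Admin
# rights, and that "Service Admins" does not already exist under the domain root.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDom  = Get-ADDomain -Identity (Get-ADForest).RootDomain   # Enterprise Admins is defined here
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# --- OU structure (steps 1-7 of "Creating the OU Structure") -----------------
$saOU = New-ADOrganizationalUnit -Name 'Service Admins' -Path $domain.DistinguishedName -PassThru
foreach ($child in 'Users and Groups', 'Admin Workstations') {
    New-ADOrganizationalUnit -Name $child -Path $saOU.DistinguishedName | Out-Null
}

# --- helpers (names are this example's own) ----------------------------------
# schemaIDGUID of an object class: the GUI's "Applies to: User objects" is an ACE
# with inheritance Descendents and InheritedObjectType = the class GUID.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}
# Resolve principals by SID so the script is independent of localized group names.
function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type, $DomainSid = $null) {
    New-Object System.Security.Principal.SecurityIdentifier($Type, $DomainSid)
}
$WKS = [System.Security.Principal.WellKnownSidType]
$principal = @{
    SYSTEM         = Get-WellKnownSid $WKS::LocalSystemSid                               # S-1-5-18
    EnterpriseAdm  = Get-WellKnownSid $WKS::AccountEnterpriseAdminsSid $rootDom.DomainSID  # <root>-519
    DomainAdm      = Get-WellKnownSid $WKS::AccountDomainAdminsSid     $domain.DomainSID   # <domain>-512
    Administrators = Get-WellKnownSid $WKS::BuiltinAdministratorsSid                     # S-1-5-32-544
    Pre2000        = Get-WellKnownSid $WKS::BuiltinPreWindows2000CompatibleAccessSid     # S-1-5-32-554
    EntDCs         = Get-WellKnownSid $WKS::EnterpriseControllersSid                     # S-1-5-9
    AuthUsers      = Get-WellKnownSid $WKS::AuthenticatedUserSid                         # S-1-5-11
}

$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll                  # Full Control
$read  = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
#         ^ List Contents          ^ Read All Properties  ^ Read Permissions
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# --- permissions (steps 1-8 of "Setting the Permissions") --------------------
$path = "AD:\$($saOU.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)       # steps 5-6: stop inheriting, discard inherited ACEs
foreach ($ace in $acl.Access) {                   # step 7: remove whatever explicit ACEs remain
    [void]$acl.RemoveAccessRuleSpecific($ace)
}

# step 8: the post's table, one entry per row
$entries = @(
    @{ Id = $principal.SYSTEM;         R = $full; I = $Inh::All },
    @{ Id = $principal.EnterpriseAdm;  R = $full; I = $Inh::All },
    @{ Id = $principal.DomainAdm;      R = $full; I = $Inh::All },
    @{ Id = $principal.Administrators; R = $full; I = $Inh::All },
    @{ Id = $principal.Pre2000;  R = $read; I = $Inh::Descendents; Obj = (Get-SchemaClassGuid 'user') },
    @{ Id = $principal.Pre2000;  R = $read; I = $Inh::Descendents; Obj = (Get-SchemaClassGuid 'inetOrgPerson') },
    @{ Id = $principal.EntDCs;    R = $read; I = $Inh::All },
    @{ Id = $principal.AuthUsers; R = $read; I = $Inh::All }
)
foreach ($e in $entries) {
    $rule = if ($e.Obj) {
        # overload with a trailing Guid = InheritedObjectType (the "Applies to" class)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($e.Id, $e.R, $allow, $e.I, $e.Obj)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($e.Id, $e.R, $allow, $e.I)
    }
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Read back what is now in effect (the shell equivalent of step 4): expect exactly
# the eight Allow entries above, none marked IsInherited.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```

Two caveats when checking the result. First, the read-back shows the Pre-Windows 2000 entries with InheritanceType Descendents and an InheritedObjectType GUID, which is how the GUI's "User objects" and "InetOrgPerson objects" are stored; a rule with an empty GUID there applies to every child class, which is not what the post intends. Second, this ACL governs the OU and the objects created in it, but accounts that are members of protected groups (Domain Admins, Enterprise Admins, Administrators and the others covered by AdminSDHolder) have their own object ACLs periodically reset by SDProp regardless of the OU they sit in, so the subtree ACL is what controls who can create, move or delete objects and link policy here, not the per-account permissions of those protected accounts.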
End of Part 4.
