Active Directory

An essential part of corporate security is being able to manage user access and computer configuration from a single, central point of control.

Active Directory gives us a single point of control over all user accounts. That shortens provisioning time, and because other services such as Office 365, Git and many more can authenticate against the directory, one access policy can be applied consistently across them. It also lets us revoke a person's access everywhere, immediately, by disabling a single account.

Staff Summaries

Member A

Introduction

This document describes Active Directory.

What is Active Directory

It is a role of Windows Server that provides centralized account management and single sign-on.

It is a directory service that centrally manages user accounts and computers, and applies configuration to them through Group Policy.

About account management and policy management

This section compares the environment without Active Directory with the environment that uses it.

When not using Active Directory
Account management

A local account is created on each computer and the user logs in with it.

This is normally a WORKGROUP environment.

Authentication management

To connect to a file server or similar, the user authenticates to that server separately.

* Saving the credentials in Windows Credential Manager avoids the second prompt, but the saved credentials then live on that computer and are recoverable by anyone who gains that user's session or local administrator rights.

Policy management

A local group policy is set to restrict what the computer can do.

  • Prohibiting USB storage, distributing desktop shortcuts, etc.
  • Both per-user settings and settings common to the whole PC are possible.

The problem: with a single computer these settings are easy, but with tens to hundreds of computers it becomes difficult to keep the common settings identical everywhere while also maintaining the settings that differ by user or department.

Active Directory solves this problem and allows these settings to be managed centrally.

When using Active Directory (centralized account management and policy management)
Work on Windows Server
  1. Enable the Active Directory Domain Services role from Roles and Features
  2. Create a domain for the company organization (example: charm.local)
  3. Create an organizational unit (OU) for each company department, etc. (e.g. the ●● department)
  4. Create user security groups that bundle sets of permissions
  5. Create security groups for the computers
  6. Create computer groups by OS generation, such as Windows 10, Windows 8 and Server

Whether such groupings are made with security groups or on the OU side depends on the design policy.
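The six steps above, carried out in PowerShell on the server that will become the first domain controller. This is an added example and not part of the original document; charm.local is the document's example domain, while the NetBIOS name, the OU layout, the department names and the group naming scheme (G-&lt;department&gt;-Users, G-Computers-&lt;OS&gt;) are assumptions. The server reboots after Install-ADDSForest, so the second half is run after logging back on as a domain administrator.

```powershell
# Added example (not from the original document): build the "container"
# described in steps 1-6 on a fresh Windows Server. charm.local comes from
# the document; NetBIOS name, OU names and group names are assumptions.
# Run in an elevated PowerShell session on the server that will become the DC.

# 1. Enable the AD DS role together with its management tools (RSAT)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Create the forest and its first domain. The DSRM password is the only
#    credential that still works if the directory itself is broken; store it offline.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'charm.local' -DomainNetbiosName 'CHARM' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# ---- the server reboots here; continue after logging on as CHARM\Administrator ----

Import-Module ActiveDirectory
$base = 'DC=charm,DC=local'

# 3. OUs: one parent OU per object type, one child OU per department / OS generation.
#    ProtectedFromAccidentalDeletion blocks a careless delete of a whole subtree.
foreach ($name in 'Users', 'Groups', 'Computers') {
    New-ADOrganizationalUnit -Name $name -Path $base -ProtectedFromAccidentalDeletion $true
}
$departments = 'Sales', 'Accounting', 'Engineering'
$osGenerations = 'Windows10', 'Windows8', 'Servers'
foreach ($dept in $departments) {
    New-ADOrganizationalUnit -Name $dept -Path "OU=Users,$base"
}
foreach ($os in $osGenerations) {
    New-ADOrganizationalUnit -Name $os -Path "OU=Computers,$base"
}

# 4. User security groups, one per department. Global scope is the usual
#    choice for "who is in this role"; resource permissions are granted to
#    these groups on the file server later.
foreach ($dept in $departments) {
    New-ADGroup -Name "G-$dept-Users" -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,$base" -Description "All $dept department staff"
}

# 5./6. Computer security groups, one per OS generation (used for policy and WSUS targeting)
foreach ($os in $osGenerations) {
    New-ADGroup -Name "G-Computers-$os" -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,$base" -Description "Domain computers running $os"
}

# Check: the OU tree and the groups that were created
Get-ADOrganizationalUnit -Filter * -SearchBase $base |
    Select-Object -ExpandProperty DistinguishedName
Get-ADGroup -Filter 'Name -like "G-*"' | Select-Object Name, GroupScope
```

Whether the department split lives in the OU tree, in security groups, or in both is the design decision the document refers to; this example does both, because Group Policy is linked to OUs while file and share permissions are granted to groups.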

Creating group policies

Both per-user settings and settings common to the whole PC are possible.

There are many available controls, for example permission settings for trusted printers.

At this point the container into which users and computers will be placed (domain, OUs, groups and policies) is complete.

User Registration

Register accounts for employees, contract employees, temporary staff, guests, special-purpose users, etc.

* An account expiration date and permitted logon hours can also be set; both are appropriate for contract and temporary staff, whose access should end automatically when the contract does.
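Registering a contract employee with both of these restrictions, as an added example that is not part of the original document. The user name, OU path, department group and the Japan Standard Time working hours are assumptions; the logonHours attribute layout (21 bytes, one bit per hour of the week, Sunday 00:00 UTC first, least-significant bit first) is how Active Directory stores the setting, which is why the local schedule has to be converted to UTC before it is written.

```powershell
# Added example (not from the original document): register a contract
# employee with an expiration date and permitted logon hours.
# User name, OU path, group name and working hours are assumptions.
Import-Module ActiveDirectory

# logonHours is a 21-byte (168-bit) mask: one bit per hour of the week,
# byte 0 bit 0 = Sunday 00:00, least-significant bit first, in UTC.
# The ADUC GUI converts from the admin's time zone; here we do it ourselves.
function New-LogonHoursMask {
    param(
        [int[]]$Days,         # 0 = Sunday ... 6 = Saturday
        [int]$StartHourUtc,   # inclusive
        [int]$EndHourUtc      # exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit = $d * 24 + $h
            $idx = $bit -shr 3                      # integer division by 8
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}

# Monday-Friday 08:00-20:00 JST is 23:00 UTC on the previous day to 11:00 UTC.
# Build the two UTC ranges separately so the day wrap-around is explicit.
$hours = New-LogonHoursMask -Days 1, 2, 3, 4, 5 -StartHourUtc 0  -EndHourUtc 11
$late  = New-LogonHoursMask -Days 0, 1, 2, 3, 4 -StartHourUtc 23 -EndHourUtc 24
for ($i = 0; $i -lt 21; $i++) { $hours[$i] = $hours[$i] -bor $late[$i] }

$initial = Read-Host -AsSecureString -Prompt 'Initial password (changed at first logon)'
New-ADUser -Name 'Taro Yamada' -SamAccountName 'tyamada' `
    -UserPrincipalName 'tyamada@charm.local' `
    -Path 'OU=Sales,OU=Users,DC=charm,DC=local' `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true `
    -Description 'Contract employee, Sales' `
    -AccountExpirationDate (Get-Date '2021-04-01')   # contract ends 31 March; blocked from 1 April

# Write the logon-hours mask and put the user in the department role group
Set-ADUser -Identity 'tyamada' -Replace @{ logonHours = $hours }
Add-ADGroupMember -Identity 'G-Sales-Users' -Members 'tyamada'

# Check: contracts expiring in the next 30 days, so renewals are handled before the lockout
Search-ADAccount -AccountExpiring -TimeSpan ([TimeSpan]::FromDays(30)) |
    Select-Object SamAccountName, AccountExpirationDate
```

The last query is worth running on a schedule: an expiration date that nobody reviews turns into an unplanned outage for the contractor on the morning the contract rolls over.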

Forest configuration for the company's domains (linking organizations)

If group companies such as Leaf and OJI are to have their own domains while keeping a relationship between them,

the organizations are linked through the forest configuration. Domains within one forest trust each other automatically; domains in separate forests need an explicit forest trust.

Computer work

Join the computer to the created domain from the WORKGROUP, via the computer's System properties (Computer Name).

After the restart, the logon screen switches to the domain, so log on as a user registered in the domain.

  • Group policy is applied at each logon (and refreshed periodically in the background thereafter).
  • There is no longer any need to create a user on each computer.
Work on Windows Server

When a computer joins the domain, a computer object is registered in the domain (by default in the Computers container), so move it to the created OU or add it to the appropriate security group.
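The client-side join and the server-side placement described above, as an added example that is not part of the original document. The computer name, the OU path, the computer group and the use of a dedicated join account (rather than a domain administrator) are assumptions; charm.local is the document's example domain.

```powershell
# Added example (not from the original document): join a Windows 10 client to
# charm.local, placing it directly in the intended OU, then put it in the
# OS-generation group from the server side. Names and paths are assumptions.

# --- On the client (elevated PowerShell, still in the WORKGROUP) ---
# Use an account delegated only the right to join computers, not a Domain Admin:
# the password is typed on an unmanaged machine.
$joinCred = Get-Credential -Message 'Account allowed to join computers to charm.local'
Add-Computer -DomainName 'charm.local' `
    -OUPath 'OU=Windows10,OU=Computers,DC=charm,DC=local' `
    -Credential $joinCred -Restart

# --- After the reboot, on the client, logged on as a domain user ---
Test-ComputerSecureChannel -Verbose    # True: the machine account trust with a DC is healthy
gpresult /r /scope:computer            # which GPOs applied, and from which domain controller

# --- On the server (or any machine with RSAT) ---
Import-Module ActiveDirectory
$ouPath = 'OU=Windows10,OU=Computers,DC=charm,DC=local'
$pc = Get-ADComputer -Identity 'PC-SALES-01'

# A computer joined without -OUPath lands in CN=Computers, where no OU-linked
# policy reaches it; move it into the OU that carries the Windows 10 policies.
if ($pc.DistinguishedName -like '*,CN=Computers,DC=charm,DC=local') {
    Move-ADObject -Identity $pc -TargetPath $ouPath
}
Add-ADGroupMember -Identity 'G-Computers-Windows10' -Members $pc

# Check: anything still sitting in the default container is unmanaged by OU policy
Get-ADComputer -Filter * -SearchBase 'CN=Computers,DC=charm,DC=local' |
    Select-Object Name, DistinguishedName, Enabled
```

The final query is the one to keep in an operations checklist: a machine that was joined by hand and never moved looks like a domain member but receives none of the department or OS-generation policies.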

When using single sign-on

Once logged on to a domain-joined computer, the user connects to domain resources without being prompted to authenticate again (Kerberos tickets are issued on the user's behalf),

and access control can be applied per department by using security groups, etc.

File server

When the file server is joined to the domain, domain security groups can be assigned to the folders on it.

Prepare a folder per department or project. By granting access only to the matching security group, the folder becomes inaccessible to other departments and to users not assigned to the project.
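Creating one department folder on a domain-joined file server and restricting it to that department's group, as an added example that is not part of the original document. The drive path, share name and group name are assumptions. The point a practitioner should take from it is that a new folder inherits an entry for BUILTIN\Users from its parent, which would let every domain user read it; the inherited entries have to be replaced, and the share permission tightened as well, because effective access is the more restrictive of the two.

```powershell
# Added example (not from the original document): a department share that only
# the department's security group can reach. Path, share and group names are
# assumptions; CHARM is the example domain's NetBIOS name.
$root  = 'D:\Shares'
$dept  = 'Sales'
$path  = Join-Path $root $dept
$group = 'CHARM\G-Sales-Users'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS ACL: stop inheriting from D:\Shares and drop the inherited entries
# (the default BUILTIN\Users read entry is what makes "everyone can open
# every folder" happen), then add exactly the principals that need access.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)           # protected, inherited rules removed
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }   # any explicit leftovers

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $group;                   Rights = 'Modify' }      # staff edit files but cannot change permissions
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, [System.Security.AccessControl.FileSystemRights]$e.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share permission: name the group explicitly so that "Everyone Read" is not added,
# and enable access-based enumeration so other departments do not even see the folder.
New-SmbShare -Name $dept -Path $path `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $group `
    -FolderEnumerationMode AccessBased | Out-Null

# Check both layers: nothing here should mention Everyone or BUILTIN\Users
Get-SmbShareAccess -Name $dept | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Granting Modify rather than Full Control to the department group is deliberate: a user who can change permissions on the folder can quietly re-open it to the whole company, undoing the department boundary the document wants.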

If a file is taken off the file server and out of the company, a setting that prevents it from being opened outside the domain environment is also available as a Windows Server role:

  • Active Directory Rights Management Services (AD RMS)

WSUS server

A WSUS server centrally manages Windows Update for the computers in the domain.

Update distribution groups can be created per OS, etc.,

and which WSUS server a computer uses, and which group it belongs to, can be set per OU and security group through Group Policy.
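A group policy object that does what the "Creating group policies" and WSUS sections describe: created, given computer-side settings, and linked to an OU so that every computer under that OU receives it. This is an added example, not part of the original document. The GPO name, the WSUS host name and port, the target group name and the OU path are assumptions; the registry values themselves are the ones the Windows Update administrative templates write.

```powershell
# Added example (not from the original document): a GPO that points the
# Windows 10 computers at an internal WSUS server and assigns them to a WSUS
# target group by client-side targeting, linked to their OU. Server name,
# GPO name, target group and OU path are assumptions.
Import-Module GroupPolicy

$gpoName = 'WSUS - Windows10'
$ou      = 'OU=Windows10,OU=Computers,DC=charm,DC=local'
$wsus    = 'http://wsus.charm.local:8530'   # move to https://...:8531 once the WSUS certificate is deployed
$wuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# Create the GPO only if it does not exist yet, so the script can be re-run
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Windows 10 clients: internal WSUS, target group Windows10'
}

# Same values as "Specify intranet Microsoft update service location" and
# "Enable client-side targeting" in the administrative templates.
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUServer'           -Type String -Value $wsus
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'WUStatusServer'     -Type String -Value $wsus
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName 'TargetGroup'        -Type String -Value 'Windows10'
# Automatic Updates: use the intranet server, auto-download and schedule the install (AUOptions 4)
Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key "$wuKey\AU" -ValueName 'AUOptions'   -Type DWord -Value 4

# Link to the OU (computer settings apply to every computer object beneath it)
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# Check on the server: what the GPO now contains
Get-GPRegistryValue -Name $gpoName -Key $wuKey | Format-Table ValueName, Value -AutoSize

# Check on a client, after 'gpupdate /target:computer /force':
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
# should show the WUServer and TargetGroup values set above.
```

The same New-GPO / Set-GPRegistryValue / New-GPLink pattern carries any other computer- or user-side setting the document mentions (USB storage restrictions, shortcut distribution, printer trust); only the registry key and values change. Because the WSUS target group is decided by the OU the computer sits in, the OU placement described under "Computer work" is what actually puts a machine into the right update ring.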

Various user management services

User management can also be integrated with services that manage their own accounts, such as Office 365.

For import, export and data linkage with HR systems and the like,

the design must avoid managing the same account in several places.

Notes on Active Directory

Login

At every logon the computer contacts an Active Directory server (a domain controller)

to authenticate the account.

If no domain controller can be reached, the logon falls back to credentials cached from a previous logon on that computer; a policy can also be set so that such cached logons are not allowed at all.

However, a logon from the cache happens precisely because the domain controller that would issue the tickets is unreachable, so connections to the file server and other domain resources are not possible until a domain controller can be contacted.
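A check a practitioner would run on a client to see how this behaves on a given machine, added here as an example that is not part of the original document. It reads the cached-logon count (the registry value behind the "Interactive logon: Number of previous logons to cache" policy), tests whether a domain controller can currently be found, and looks for a Kerberos ticket-granting ticket in the current session. The function name is an assumption; the registry location and the klist output format are Windows behaviour.

```powershell
# Added example (not from the original document): on a domain-joined client,
# report how many logons are cached, whether a DC is reachable right now, and
# whether the current session holds a Kerberos TGT. Function name is an assumption.
Add-Type -AssemblyName System.DirectoryServices

function Get-CachedLogonState {
    # CachedLogonsCount is a REG_SZ; "0" disables cached logon entirely,
    # which is the "cannot log in without a DC" setting the document mentions.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10' }   # Windows default when the value is absent

    # Can this computer find a DC for its domain at the moment?
    $dc = $null
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
    } catch {
        # not domain-joined, or no DC reachable: both mean "cache-only" logon
    }

    # klist lists the Kerberos tickets of the current logon session. A session
    # that signed in from the cache has no krbtgt ticket until a DC is contacted.
    $tgtLines = (klist 2>$null) -match 'krbtgt/'

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = [int]$count
        DomainController  = if ($dc) { $dc.Name } else { $null }
        DCReachable       = [bool]$dc
        HasKerberosTgt    = [bool]$tgtLines
    }
}

Get-CachedLogonState | Format-List
```

Two design points follow from this check. First, the cached verifiers are stored in the computer's SECURITY registry hive, so anyone who obtains local administrator rights on the machine can extract them and attempt to crack the passwords offline; keep the count at the minimum the machine's use requires (a desktop that never leaves the office can be set far lower than the default of 10, while a travelling laptop needs at least 1). Second, HasKerberosTgt being false while DCReachable is true means the user signed in before the network came up, and the first access to a file server will trigger the ticket request; that is normal and not a fault.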

About profile

Normally a user's settings are created as a user profile on the local computer.

The profile can instead be stored on the server side and copied to whichever computer the user logs on to; this is called a roaming profile.

If there are many sites, the effect on traffic between sites must be assessed beforehand, since the profile is copied at logon and at logoff.

About user CAL and device CAL

Windows Server requires, for each user or each computer that accesses it,

the purchase of a Client Access License (CAL): either per user (user CAL) or per device (device CAL).

About introduction to Charm environment

As of October 2020 the Charm environment already has a domain environment, charm2012.local.

However, the computers do not use domain users; each uses local users.

The file server is also in a state where local users can access all folders.

* Some img-servers do have department-based access control.

The design and build must pay attention to the following.

  1. Obtaining a domain: separate domains for Charm, Leaf and OJI, or consolidate domain information; and whether to build separately from the existing charm2012.local domain, etc.

  • Organize account and group information: employees, contract employees, part-time workers, outsourcing, guests, special privileges, etc.
  • Organize information on the services that manage accounts
  • Arrange methods for import, export, data linkage, etc.
  • Prepare for server failures and server load
  • Placement of the Active Directory servers and of which server each site authenticates against, etc.
  • Consider whether to combine other server functions such as DNS and DHCP on the Active Directory server
  • Folder design for the file server and for SharePoint in Office 365
  • Security and integration design for other services such as WSUS
  • Group policy design, including confirmation of the existing group policies, etc.
  • Transition plan
      • Since programs on user computers can no longer be managed individually from local files, preparation is needed for the migration, such as deleting local users and a program distribution policy.
  • Design of other operational management services
      • Design of group management in SKYSEA and Eset, and of program distribution.
  • Maintenance of the operation manual