Document: Module 1: Introduction to Advanced Administration of a Windows 2000 Network (docx)







Contents
Overview 1
Administering a Windows 2000 Network 2
Centralized Management 3
Delegating Administrative Control 8
Controlling Access to Active Directory Objects and Windows 2000 Resources 9
Demonstration: Examining Access Tokens 18
Review 19

Module 1: Introduction to Advanced Administration of a Windows 2000 Network




Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.


Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 1999 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, PowerPoint, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead and Instructional Designer: Mark Johnson
Instructional Designers : Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi
(Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)

Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart

Module 1: Introduction to Advanced Administration of a Windows 2000 Network iii


Introduction
This module provides students with an introduction to administering a
Microsoft® Windows® 2000 network. It provides a foundation for the course by
presenting the concepts of centralized management and decentralized
administration through the use of Windows 2000 features. This module also
provides an overview of how users are granted access to Active Directory
directory service objects and other network resources in Windows 2000.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1558A_01.ppt

Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and
provide the answers.
• Read the white paper, Introduction to IntelliMirror™ on the Student
Materials compact disc.
• Read the white paper, Introduction to Windows 2000 Change and
Configuration Management on the Student Materials compact disc.
• Read the white paper, Windows 2000 Kerberos Authentication on the
Student Materials compact disc.
• Read the white paper, Windows 2000 Security—Default Access Control
Settings on the Student Materials compact disc.

Presentation: 60 Minutes



Demonstration
This section provides demonstration procedures that will not fit in the margin
notes or are not appropriate for the student notes.
Examining Access Tokens
• To view and compare the access tokens for the domain Administrator
account and a user account
1. Log on to your domain as Administrator, click the Start button, point to
Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, run the mytoken program, which is located in the
root directory on the Trainer Materials compact disc.
3. Start another command prompt, and using the runas command, run
mytoken using a standard user account.
4. Place the two command prompt windows side by side and compare the SID,
Group ID, and user rights for the administrator account and the standard
user account.
5. Ask students whether the information is the same.



Module Strategy
Use the following strategy to present this module:
• Administering a Windows 2000 Network
In this topic, you will introduce administering a Windows 2000 network.
Explain the concepts of centralizing management and decentralizing
administration. Talk about the customization of the administrative tools by
an administrator to allow other administrators to perform specific tasks in
the network. Keep the presentation brief, as all the concepts will be taught in
subsequent modules in the course.
• Centralized Management
In this topic, you will introduce centralized management. Explain the
purpose of Active Directory and Group Policy for centralized management
of resources. Emphasize that it is Active Directory that enables a single
administrator to manage all resources in the network. Tell students that
Group Policy allows an administrator to centrally manage users’ computer
environments without having to visit each desktop individually. Emphasize
that you only need to apply Group Policy once, and that the operating
system then enforces it continually. Applying Group Policy at an
organizational unit (OU) level enables you to place new objects in this OU
and have all settings automatically apply to the new object. Explain how
publishing shared resources, such as shared folders and printers, enables
centralized management. Point out that the location of these resources is
transparent to the user.

• Delegating Administrative Control
In this topic, you will explain the purpose of delegating administrative
control and the tools that simplify the task. Emphasize that in
Windows 2000 you can delegate administrative control at an OU level.
This enables an administrator to distribute administrative tasks to
other administrators.
• Controlling Access to Active Directory Objects and Windows 2000 Resources
In this topic, you will introduce controlling access to Active Directory and
file system objects. Explain the purpose of discretionary access control lists
(DACLs) and how Windows 2000 assigns and manages resource security
through permission inheritance. Describe the logon process and briefly
discuss the local, network, and secondary logon processes. Describe the
purpose and components of access tokens. Emphasize that access tokens are
permanently attached to each resource. Explain how access token and
DACLs are used to gain access to Windows 2000 resources. Emphasize that
the process of gaining access to Active Directory objects and network
resources is identical to the process of gaining access to file system objects.
Demonstrate logging on as an administrator and using Mytoken.exe to see
the access token of an administrator, and then demonstrate logging on as a
user to see the access token of a user. Compare the two access tokens and
show students the difference between the SIDs, Group IDs, and the user
rights in the two access tokens.




Overview
• Administering a Windows 2000 Network
• Centralized Management
• Delegating Administrative Control
• Controlling Access to Active Directory Objects and
Windows 2000 Resources


Microsoft® Windows® 2000 supports the management services that help you to
centrally administer and organize servers, networks, and client systems in your
organization. Centralizing and organizing users and computers to provide a
flexible administrative model reduces the total cost of ownership (TCO) of
users and computers. The Windows 2000 Active Directory directory service
allows policy-based management for users and computers, authorization and
authentication services, remote administration, and security features.
At the end of this module, you will be able to:
• Describe the methods of administering a Windows 2000 network.
• Describe how Windows 2000 enables centralized management of users,
computers, and network resources.
• Describe how to delegate administrative control of Windows 2000 users,
computers, and network resources.
• Describe how you can use Windows 2000 to control access to Active
Directory objects and network resources.

Slide Objective
To provide an overview
of the module topics
and objectives.
Lead-in
In this module, you will learn
about how Windows 2000
authenticates users during
the logon process and uses
DACLs to control access
to resources.
Do not go into too much
detail about the concepts in
this module. This module
sets the foundation for the
main concepts that will
be covered in the
following modules.


Administering a Windows 2000 Network
[Slide diagram: Centralize Management (Active Directory, Group Policy); Delegate Administrative Control (Administrative Tools, Customize Tools)]



Windows 2000 provides administrators with the methods and utilities to
centralize the management of all desktop computers in an organization and
decentralize administrative tasks:
• Centralize management. Active Directory and Group Policy allow
administrators to centrally manage large numbers of users, computers,
printers, and network resources from one place. Active Directory enables
you to centrally organize network resources according to administrative
requirements, while Group Policy enables you to specify settings and apply
management policies to Active Directory organizational units (OUs). In
addition, Group Policy enables you to define a policy for a user or computer
once, and then rely on the operating system to enforce it continually.
• Delegate administrative control. Active Directory allows an administrator
with the proper authority to delegate a selected set of administrative
privileges to appropriate individuals or groups within an organization. This
administrator can specify the exact privileges that these individuals have
over different containers and objects in Active Directory.
• Customize tools. Windows 2000 also provides you with the tools to match
administrative responsibilities and to delegate network administrative
responsibilities to other administrators. In this way, administrators can
combine all of the tools needed for each administrative function into a
single console.

Slide Objective
To introduce the methods of
administering a
Windows 2000 network.
Lead-in
As an administrator, you can
take advantage of the
Windows 2000 Active
Directory and Group Policy
features to centrally manage
all computers in your
organization and to delegate
administrative control.
Ask the students to explain
what Active Directory and
Group Policy are.
Key Points
Active Directory and Group
Policy allow administrators
to centrally manage a large
number of users,
computers, and
network resources.

Senior administrators can
delegate administrative
tasks to other
administrators.

Administrators can
customize administrative
tools for specific
administrative tasks and
distribute them to other
administrators.



• Centralized Management
• Using Active Directory for Centralized Management
• Using Group Policy for Centralized Management
• Managing the User Environment
• Publishing Resources


Distributed systems often lead to time-consuming and redundant management
tasks. For example, for each user, an administrator must visit the desktop to
perform tasks, such as configuring the operating system software to corporate
standards, limiting the user’s ability to change the standard configuration,
securing the desktop and important files from unauthorized users, and installing
and configuring applications.
As organizations add applications to their infrastructures and hire more
personnel, they need to create user accounts, configure computers, apply
administrative settings, and distribute software to the desktop appropriately.
The integration of Active Directory and Group Policy provides administrators
with a utility that allows them to manage the entire network from a
single location.
Slide Objective
To introduce the topics
related to centralized
management.
Lead-in
Active Directory and Group
Policy enable the
centralized management of
Windows 2000.



Using Active Directory for Centralized Management
Active Directory:
• Is a Central Repository of Objects
• Contains Information About Objects
• Allows Administrators to Easily Locate Information
• Allows Administrators to Group Objects into OUs
• Uses Group Policy to Specify Policy-Based Settings
[Slide diagram: a Domain containing OU1 (Computers and Users: Computer1, User1) and OU2 (Users and Printers: Printer1, User2), with Search locating objects anywhere in the tree]


Active Directory is the directory service for Windows 2000. Active Directory
stores information about network resources, such as computers and printers, and
provides services that make this information available to users and applications.
Active Directory provides administrators with the capability to centrally
manage resources because:
• Active Directory is a central repository of objects. Users, groups,
computers, printers, and files can be organized into OUs according to
administrative need. In addition, all servers, domains, and sites in the
network are also represented as objects. By representing all network
resources as objects in a centralized database, Active Directory enables a
single administrator to centrally manage and administer these resources.
• Active Directory contains attributes and information for each object. The
attributes hold data describing the resource that is identified by the directory
object. A user’s attributes might include the user’s first name, last name, and
e-mail address, while a printer’s attributes might include whether it is
capable of printing in color and the building and office in which it is
located. The attribute information facilitates searching in Active Directory
and administering resources in the network.
• Active Directory allows administrators to easily locate information about
objects. By searching for selected attributes, you can find an object located
anywhere in the Active Directory tree.
• Active Directory allows you to group objects with similar administrative
and security requirements into OUs. OUs provide multiple levels of
administrative authority for both applying policy-based administration and
delegating administrative control. This simplifies the task of managing these
objects and allows administrators to structure Active Directory to fit
their needs.
• Active Directory uses Group Policy to provide administrators with the
ability to specify policy-based settings for a site, domain, or OU. Active
Directory then enforces these policy-based settings for all of the users and
computers within the container.
Slide Objective
To explain the purpose of
using Active Directory to
centralize management of
network resources.
Lead-in
Active Directory supports
centralized management
because it has a central
repository of objects,
contains information
regarding these objects, and
provides a single point of
access from which to
administer these objects.
Key Points
Active Directory is a central
repository of objects.


Administrators can use
search utilities to locate
objects and administer them
in Active Directory.

Active Directory uses Group
Policy to provide
administrators with the
ability to specify
policy-based administrative
settings for a site, domain,
or OU that apply to all
objects in the container.


Using Group Policy for Centralized Management
• Group Policy Enables Policy-Based Centralized Management
• Policy Set on a Container Affects All Users and Computers
That it Contains
• Windows 2000 Continues to Apply Policy Settings to Users
and Computers Even When Disconnected from the Network
• Group Policy Provides Settings for Controlling Computer
Services and Desktop Settings
[Slide diagram: Apply Group Policy Once to a Domain containing OU1, OU2 and OU3 (policies 1, 2 and 3); Windows 2000 Enforces Continually]


Group Policy enables policy-based centralized management of a network.
Policy-based administration eases the management of even the most complex
network by allowing you to apply a policy to an object once, and then to rely on
Windows 2000 to continually enforce the policy throughout the network.
Group Policy utilizes Active Directory containers (sites, domains, and OUs) as
administrative units. A policy set on a container affects all users and computers
that it contains. In addition, administrative control of the Group Policy assigned
to a site, domain, or OU can be delegated to another administrator without your
having to delegate control of the container itself.
Windows 2000 applies policy settings to users and computers when the
computer starts or when the user logs on. It also refreshes policy settings at
periodic intervals during the day. Policy settings continue to apply even if the
computer is disconnected from the network.
Group Policy provides settings for controlling computer services and users’
desktop environments and capabilities. Administrators can deploy applications
and lock down user desktops for a group of users and computers by creating
and applying a single Group Policy to a site, domain, or OU.

Slide Objective
To explain the purpose of
using Group Policy to
centralize the management
of network resources.
Lead-in
A policy affects all users in a
specific group. Policy-based
management eases the task
of managing all types
of networks.
Key Points
A policy set on an OU
affects all users and
computers in that OU.

Windows 2000 refreshes
policy settings at periodic
intervals. Users do not have
to log off for settings to be
applied, even when the
computer is disconnected
from the network.


Managing the User Environment
• Control and Lock Down What Users Can Do
• Centrally Manage Software Installation, Repairs, Updates,
and Removal
• Configure User Data to Follow Users Whether They Are Online
or Offline
[Slide diagram: Group Policy Applied to an OU containing User1, Computer1, User2 and Computer2, covering User Data, User/Computer Settings and Software Deployment]


Group Policy allows you to control users’ data, personal computer settings,
computing environment, and software. Policies that follow the user enable
administrators to provide users with consistent access to all of their information
and software, regardless of whether they are working on the same computer.
You can use Group Policy to manage the user environment by:
• Controlling and locking down what users can do when logged on to the
network. This ensures that users have access to the tools and information
that they need but do not have access to anything that is not required for
their jobs. You can also restrict the applications and tools that are available
to users. Limiting the scope of what a user can do ensures that no
unnecessary time is spent troubleshooting operating system and application
configuration problems.
• Centrally managing software installation (applications, service packs, and
operating system updates), repairs, updates, and removal. When you use
Group Policy to install software, you can ensure that the same applications
are available on any computer to which a user logs on. You can also ensure
that missing files and settings are repaired automatically whenever an
application is invoked.
• Configuring user data to follow users whether they are online, connected to
the network, or temporarily offline. User data follows a user because,
although the data is stored in specified network locations, it appears local to
the user. Offline files cache network data to the local computer so it is
available when the user disconnects from the network.

Slide Objective
To explain the purpose of
managing a user’s
desktop environment.
Lead-in
You can define different
Group Policy settings for
controlling users’ desktop
environments, and then
apply them consistently
across multiple computers.
Key Points
Group Policy enables
administrators to control
user environments, install
software, and redirect user
data to a network location.

Apply Group Policy to
containers (domains and
OUs) so that when new
users and computers are
added to these containers,
the Group Policy settings
automatically apply to the
new objects.



Publishing Resources
Publishing Resources in Active Directory:
• Enables Users to Easily Locate and Gain Access to Resources
• Locates Resources Even if Their Physical Locations Change
• Enables Administering Multiple Shared Folders from a Single
Location Through Dfs
[Slide diagram: an Administrator manages, and a User locates, a Shared Folder, a Printer and a Dfs Shared Folder published in OU1 of the Domain]


You can publish resources in Active Directory to enable users to easily locate
and gain access to the resources they need to perform their jobs.
Another advantage of publishing resources in Active Directory is that you are
able to locate the resources there even if their physical locations change. Two
common resources that are published in Active Directory are shared folders and
printers that are on computers that are not running Windows 2000. Network
printers can be published so that users can easily locate them based on their
physical location and attributes. Administrators can group printer objects in
Active Directory based on administrative need, regardless of the printer’s
physical location. This can reduce the complexity of managing printer resources.
As the size of the network grows, the shared files and folders can exist over
many servers. This makes resources very difficult for users to locate and for
administrators to manage. The Distributed file system (Dfs) provides a single
point of reference for file system resources that may be located anywhere on
the network.
Slide Objective
To explain the purpose of
publishing shared resources
in Active Directory for
centralized management.
Lead-in
With Windows 2000, you
can publish folders and
printers in Active Directory.
This method of sharing
makes it very convenient for
administrators and users to
locate resources in
the network.
Emphasize that the printers
on a computer running
Windows 2000 are
automatically published in
Active Directory.
Key Points
Users can easily locate
shared folders and printers
in a network when these
resources are published in
Active Directory.


Users can locate
published resources
even if you change the
physical locations of
these resources.


Delegating Administrative Control
[Slide diagram: a Domain with OU1, OU2 and OU3 administered by Admin1, Admin2 and Admin3]
• Assign Permissions:
  • For specific OUs to other administrators
  • To modify specific attributes of an object in a single OU
  • To perform the same task in all OUs
• Customize Tools for Administrative Tasks to:
  • Map to the assigned permissions
  • Simplify interface design


Windows 2000 enables you to delegate administrative privileges for certain
objects to appropriate individuals within an organization. This is possible
because the structure of Active Directory allows you to assign permissions and
grant user rights in very specific ways.
You can delegate the following types of administrative control:
• Assigning the permissions, such as Full Control, for specific OUs to
different administrators. For example, three OUs could have three
different administrators.
• Assigning the permissions to modify specific attributes of an object in a
single OU. For example, assigning the permission to change name, address,
telephone number, and reset passwords on a user account object.
• Assigning the permissions to perform the same task (for example, resetting
passwords) in all OUs of a domain.

Windows 2000 provides customized tools to administer Active Directory that
allow you a great deal of flexibility. You can create customized administrative
tools to:
• Map to the permissions that have been assigned to a user for an
administrative task.
• Simplify interface design for users with limited administrative privileges.

Slide Objective
To explain the purpose of
delegating administrative
control and the tools that
simplify the task.
Lead-in
You can manage your
network more efficiently by
delegating administrative
control to other
administrators.
Key Points

Decentralize administration
by delegating some
administrative tasks to
other individuals.

Customizing administrative
tools enables you to provide
administrators with only the
amount of functionality that
they require to perform
their jobs.


• Controlling Access to Active Directory Objects and
Windows 2000 Resources
• Discretionary Access Control Lists
• Permission Inheritance
• The Logon Process
• Access Tokens
• How Windows 2000 Grants Access to Resources


Windows 2000 controls access to resources in two ways. First, no user is given
access to any resource without logging on to the computer. Second, access to
resources is possible only by requesting access from the operating system. The
operating system grants access to only those resources that the user has
permission to use. Windows 2000 requires users to log on using a set of
verifiable security credentials. These credentials are then compared against a set
of permissions assigned to Active Directory objects and network resources,
such as shared folders and NTFS file system files. After the user’s unique
identity has been authenticated by Windows 2000 and Active Directory, the
user can receive universal access to network resources on any computer in any
domain of the organization.
Slide Objective
To introduce the topics
related to controlling access
to Active Directory and file
system objects.
Lead-in
The security descriptor of an
object defines which users
have permission to gain
access to the object and the
actions that they can
perform on it.


Discretionary Access Control Lists
• DACLs Define Object Permissions and the Level of Access Granted to a User
• All Resources in a Windows 2000 Network Have DACLs
• The Type of Access Granted or Denied to a Resource is Added to the DACL
• Entries in a DACL Are Called ACEs
[Slide diagram: a DACL whose ACEs are User 1: No Access, User 2: Write, Group 1: Read]


Windows 2000 uses lists of security groups, user accounts, and associated
permissions called discretionary access control lists (DACLs). DACLs define
the object permissions (granted or denied) that currently exist to enforce
resource security for each list member. The DACL also defines the level of
access granted.
All resources in a Windows 2000 network have a DACL:
• Files and folders on NTFS volumes. These lists define what actions users can
perform on a file or folder.
• Active Directory objects. These lists define what administrative actions can
be performed on objects, such as modifying the attributes for a user account.
• Printer objects. These lists define the actions that users can perform on
printers, such as who can print and manage documents in the queue.

Every user of the system must have a user account. When access is granted or
denied to a resource, the user or group account, and the type of access granted
or denied, is added to the resource’s DACL. When a user wants to gain access to
an object, the system checks the user’s security identifier and group
memberships against the DACL to determine whether the user is allowed to
complete the request.
The entries in a DACL are called access control entries (ACEs). Each entry
identifies a group or user and the permissions that have been granted or denied
for the object. It is usually groups containing users—and not individual user
accounts—that are granted or denied access to a resource.
Slide Objective
To explain the purpose
of DACLs.
Lead-in
DACLs keep a record of the
actions that users and
groups are allowed to
perform on an object.
Key Points
DACLs explicitly define
whether an object can
be accessed.


Permission Inheritance
[Slide diagram: DACLs Are Inherited by Child Objects. The Parent Object’s DACL (User 1: Read, Group 1: Full Control) is copied to the Child Object’s DACL; Users Granted Access Permission for Parent Object]
• Objects Within a Container Automatically Inherit the Permissions of
That Container
• Permission Inheritance Simplifies Managing Permissions
• How Permissions Are Inherited by Active Directory Objects


Windows 2000 makes it easy to assign and manage resource security
through permission inheritance. Objects within a container automatically inherit
the permissions of that container. For example, when created, the objects within
an OU inherit the permissions of that OU.
Windows 2000 permission inheritance simplifies the task of managing
permissions in the following ways:
• Inheritance eliminates the need to manually apply permissions to child
objects as they are created.
• Inheritance ensures that the permissions applied to a parent object are
applied consistently to all child objects.
• When permissions on all objects within a container need to be modified, you
only need to change the permissions on the parent object, and the child
objects automatically inherit those changes.
• ACEs that are directly applied to Active Directory objects are applied before
any conflicting inherited ACEs.

The following steps illustrate how permissions are inherited by Active
Directory objects in Windows 2000:
1. You create an OU called Sales, and then assign Read permission for User1
to the Sales OU.
2. Child OUs and users and computers created in the Sales OU inherit the
Read permission for User1 from the Sales OU.
3. If you assign an explicit permission to an object in the Sales OU that
conflicts with an inherited permission, the explicit permission takes
precedence over inherited permissions. If you assign User1 Full Control
access to a child OU in the Sales OU, the explicit permission takes
precedence, and User1 has Full Control.
4. When you change the DACL on the top-level object, you do not delete any of the explicit ACEs defined on the subordinate Active Directory objects. If you remove the ACE on the Sales OU that gives User1 Read permission, User1 still has Full Control of the child OU.

Slide Objective: To explain how objects inherit permissions.

Lead-in: Windows 2000 checks the ACEs in the object's DACL to determine whether access should be granted. Windows 2000 assigns and manages resource security through permission inheritance.

Emphasize that permission inheritance in Active Directory objects is identical to permission inheritance in file system objects.

Key Points: The child object automatically inherits the permissions of a parent object unless permission inheritance is blocked.

ACEs that are directly applied to Active Directory objects are given a higher priority than inherited ACEs.

The Logon Process

[Slide: the six logon steps, involving the local security subsystem on the client computer, the domain controller running the Kerberos service, and a global catalog server. 1: User logs on. 2: Local security subsystem obtains a ticket for the user. 3: Local security subsystem requests a workstation ticket. 4: Kerberos service sends a workstation ticket. 5: Local security subsystem constructs an access token. 6: Access token is attached to the user's process.]

Windows 2000 controls access to resources by requiring a user to first log on to
a computer. To log on to a computer, Windows 2000 requires each user to
provide a unique user name and password. The logon process that occurs for a
Windows 2000 computer includes the following steps:
1. A user logs on providing his or her security credentials, including user
name, password, and domain name. These credentials are passed to the
security subsystem on the local computer.
2. The local security subsystem uses the Domain Name System (DNS) to
locate a domain controller in the user's domain. The security subsystem
then contacts the Kerberos service (the Key Distribution Center, or KDC)
running on the domain controller, and requests a session ticket for the user
to communicate with the Kerberos service; this ticket is the ticket-granting
ticket. (A ticket is a record that allows a client computer to authenticate
itself to a server.) The Kerberos service queries Active Directory to
authenticate the user and contacts a global catalog server to obtain the
user's universal group memberships. The Kerberos service then returns a
session ticket to the client computer that contains the user's security
identifier (SID) and the user's universal, global, and domain local group
memberships, which are used for future transactions with the Kerberos service.

Note: Every domain controller in the domain runs the Kerberos service and is capable of granting session tickets for users and computers. If a domain controller is not available, then domain authentication fails and the user is logged on using cached logon credentials at the client computer. The client computer will periodically attempt to locate the Kerberos service during the user's session and will complete the domain authentication process if one is found.

Slide Objective: To describe the logon process.

Lead-in: The Windows 2000 authentication process ensures that only valid users have access to network or computer resources.

Delivery Tip: Using the steps in the illustration, demonstrate the steps of the network and secondary logon process.

Key Points: A KDC is required to authenticate the logon process in a Windows 2000 native-mode domain. If a KDC is not available, domain authentication fails and the user is logged on using cached credentials.

A global catalog server is required to log on in a native-mode domain in order to determine universal group membership. In a single domain, universal groups exist only in that domain. If a global catalog server is not found, Active Directory is queried directly to determine universal group membership. If a global catalog server is unavailable for logon in a multi-domain enterprise, the user is logged on using cached credentials.
3. The local security subsystem again contacts the Kerberos service on the
domain controller and requests another session ticket authorizing the user to
gain access to the Workstation service on the client computer in order to
complete the user logon process. This request includes a copy of the user’s
session ticket that the Kerberos service uses to identify the user.
4. The Kerberos service authenticates the user’s ticket by querying Active
Directory and the global catalog server to verify the information contained
in the user’s session ticket. The Kerberos service then constructs a
Workstation session ticket for the user that contains the validated security
credentials copied from the user’s original ticket, and returns it to the
client computer.

5. The local security subsystem on the client computer extracts the user’s SID
and universal, global, and domain local group memberships from the
Workstation session ticket. The subsystem then constructs the user’s access
token by adding the SIDs for local groups to which the user belongs and a
list of the local user rights assigned to the user.
6. The local computer creates a process with an access token attached. The
access token is used to authenticate the user and serves as an identity card
whenever the user attempts to use system resources.
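The six steps above, played out end to end as an added example in Python. This is illustration written for this page, not Microsoft code or the Windows implementation: the Kerberos service, Active Directory and the global catalog are reduced to in-memory dictionaries of constructed accounts and SIDs, a toy sealing function stands in for the Kerberos encryption type, and the message layouts, key names and SIDs are all assumptions made for the example. What it shows beyond the prose is why the workstation can trust the SIDs it copies into the token: the ticket-granting ticket is sealed under a key only the KDC holds and the workstation ticket under the workstation's own key, so the client can neither read nor alter the group list in transit, and a wrong password or a modified ticket fails before any access token is built.

```python
"""Toy model of the interactive logon: AS exchange (step 2), TGS exchange
for the workstation ticket (steps 3 and 4) and token construction on the
client (steps 5 and 6). Constructed example, not Windows code."""
import hashlib
import hmac
import json
import os

WORKSTATION_KEY = hashlib.sha256(b"ws01-machine-secret").digest()  # constructed


def derive_key(password: str) -> bytes:
    """Long-term key from a password (real Kerberos uses a string-to-key function)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR plus HMAC tag); not a real cipher."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting: a wrong key or a modified ticket raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket integrity check failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))


class KDC:
    """Kerberos service on a domain controller. Active Directory and the
    global catalog are dictionaries of constructed sample data."""

    def __init__(self):
        self.key = derive_key("krbtgt-secret")        # only the KDC can open a TGT
        self.directory = {                            # stands in for Active Directory
            "user1": {"key": derive_key("P@ssw0rd"), "sid": "S-1-5-21-146-1105",
                      "groups": ["S-1-5-21-146-513"]},   # a global group
            "ws01$": {"key": WORKSTATION_KEY},
        }
        self.global_catalog = {"user1": ["S-1-5-21-900-1201"]}  # a universal group

    def as_exchange(self, user: str, preauth: bytes):
        """Step 2: check pre-authentication, issue a TGT carrying the user's SIDs."""
        acct = self.directory[user]
        if unseal(acct["key"], preauth)["user"] != user:   # proves the user key
            raise PermissionError("pre-authentication failed")
        session_key = os.urandom(32).hex()
        authz = {"sid": acct["sid"],
                 "groups": acct["groups"] + self.global_catalog.get(user, [])}
        tgt = seal(self.key, {"user": user, "session": session_key, "authz": authz})
        return tgt, seal(acct["key"], {"session": session_key})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 3 and 4: validate the TGT, copy its authorization data into a
        ticket sealed under the target workstation's key."""
        inner = unseal(self.key, tgt)
        if unseal(bytes.fromhex(inner["session"]), authenticator)["user"] != inner["user"]:
            raise PermissionError("authenticator does not match ticket")
        return seal(self.directory[service]["key"],
                    {"user": inner["user"], "authz": inner["authz"]})


def interactive_logon(kdc: KDC, user: str, password: str,
                      local_groups=("S-1-5-32-545",)) -> dict:  # BUILTIN\Users
    """Steps 1 to 6 from the client's side; returns the user's access token."""
    user_key = derive_key(password)
    tgt, enc_part = kdc.as_exchange(user, seal(user_key, {"user": user}))
    session_key = bytes.fromhex(unseal(user_key, enc_part)["session"])
    ticket = kdc.tgs_exchange(tgt, seal(session_key, {"user": user}), "ws01$")
    # The workstation opens the ticket with its own key; the client could not
    # read or alter the SIDs in transit, so they are trusted as delivered.
    creds = unseal(WORKSTATION_KEY, ticket)["authz"]
    return {"user_sid": creds["sid"],
            "groups": creds["groups"] + list(local_groups) + ["S-1-1-0"],  # Everyone
            "privileges": ["SeChangeNotifyPrivilege"]}   # from local policy (assumed)


def forged_ticket_is_rejected(kdc: KDC) -> bool:
    """A client that edits a ticket (here: flips one ciphertext byte) fails the tag check."""
    tgt, _ = kdc.as_exchange("user1", seal(derive_key("P@ssw0rd"), {"user": "user1"}))
    tampered = tgt[:20] + bytes([tgt[20] ^ 0x01]) + tgt[21:]
    try:
        kdc.tgs_exchange(tampered, b"", "ws01$")
    except ValueError:
        return True
    return False
```

Running `interactive_logon(KDC(), "user1", "P@ssw0rd")` returns a token holding the user SID, the global and universal group SIDs delivered in the ticket, and the local groups added by the workstation; `forged_ticket_is_rejected` shows the integrity check that stops a client from promoting itself by editing the group list.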

The Network Logon Process
A network logon occurs when a user establishes a network connection to a
remote computer running Windows 2000 (for example, when connecting to a
shared folder). The authentication process is very similar to that of an
interactive logon process.
The client computer obtains a server session ticket from the Kerberos service
running on a domain controller in the user’s domain. The client computer then
sends the server session ticket to the local security subsystem on the server,
which extracts the user’s security credentials and constructs an access token for
the remote user. This access token is used to authenticate the user whenever a
resource on the server is accessed.
The Secondary Logon Process
Secondary logon provides the ability to start and run an application by using the
security credentials of another user without ending a session already in
progress. For example, you can run administrative tools while logged on with a
standard user account.
Access Tokens

Access Tokens:

- Created During the Logon Process and Used Whenever a User Attempts to Gain Access to an Object
- Contain a SID, a Unique Identifier Used to Represent a User or a Group
- Contain Group IDs, a List of the Groups to Which a User Belongs
- Contain User Rights, the Privileges of a User

[Slide: sample access token]
Security ID: S-1-5-21-146
Group IDs: Employees, EVERYONE, LOCAL
User Rights:
SeChangeNotifyPrivilege - (attributes) 3
SeSecurityPrivilege - (attributes) 0

To gain access to any resource on the network, a user must have an access
token. An access token is created for the user during the logon process and
contains attributes that establish the security credentials for that user on the

local computer. The access token is used whenever a user attempts to gain
access to an object. When the user runs an application, a new process is
launched that inherits the user’s access token. The access token is permanently
attached to each of the user’s processes and serves as an identity card whenever
the user attempts to use system resources. When a user’s process attempts to
gain access to any object, Windows 2000 checks the user’s SID and the list of
group IDs in the access token against the object’s DACL. This check
determines whether the user is granted access to the object.
Security Identifier
A SID is the security identifier for the user who is logged on. A SID is a unique
identifier used to represent a user or a group in access tokens and DACLs instead
of user names or group names.
A SID allows the operating system to uniquely identify each user and
group account, even if that account is renamed or has the same name as another
account. In this way, permissions assigned to an account remain tied to that
account, regardless of what the user or group is named.
Group ID
The Group ID is a list of the groups to which the user belongs. For a domain
logon process, the domain controller compiles a list of the SIDs for the global
and domain local groups of which the user is a member. The domain controller
contacts a global catalog server to obtain the SIDs of any universal groups of
which the user is a member. This list is returned to the client computer, which
then adds any local groups of which the user is a member.
Slide Objective: To explain the purpose and components of access tokens.

Lead-in: Access tokens are the key to security in Windows 2000.

Key Points: The main components of an access token are the user SID, the group SIDs, and user rights.

An access token is permanently attached to a user's process.

Windows 2000 checks the user SID and the list of group SIDs in the access token against the object's DACL before granting access to a resource.
User Rights
User rights are the privileges of the user. The local computer adds the list
of user rights to the access token. User rights determine what administrative
actions the user can perform on the local computer. Examples include shutting
down the computer, logging on interactively, and taking ownership of objects.
How Windows 2000 Grants Access to Resources

[Slide: User 1's application sends a Read request for a file in Domain > OU1 > OU2. The security subsystem checks the appropriate ACE in the file's DACL (User 1: Read; Group 1: Full Control); the ACE is found and Read access to the file is allowed.]

Windows 2000 allows access to resources by checking the ACEs in the object's DACL against the user's requested access.
The user gains access to a resource through the following process:
1. The user requests access to an Active Directory object. For example, a user requests Read access to an object in an OU by attempting to display the Properties dialog box for a user account.
2. By attempting to display the Properties dialog box, the user causes Active Directory Users and Computers to generate an input/output (I/O) request to Windows 2000, which validates the request through the security subsystem.
3. The security subsystem reads the DACL for the object, looking for ACEs that contain the user's SID or the SID of a group to which the user belongs. Each ACE that applies to the user is compared against the requested access. An ACE that denies any of the requested rights not yet granted causes the request to fail. An ACE that allows access grants the rights it covers, and the request succeeds as soon as every requested right has been granted, possibly by several ACEs together. If the end of the DACL is reached with some requested right still not granted, the request fails.
   Within a DACL, explicit ACEs are listed before inherited ACEs, and within each of those groups the ACEs that deny access are listed before the ACEs that allow access. The security subsystem processes the ACEs in this order, so an explicit Allow on an object is evaluated before a Deny the object inherits from its parent.
4. If access is granted, then the resource is opened for only the requested access. If the user is denied access, an error message appears.

A DACL is checked only when the resource is initially opened. If a user's permissions for an object are changed while the user has the object open, the user retains his or her current access to the object. Access to the object is updated the next time that the user opens it.
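A working model of the inheritance steps in the Sales OU example, the access token described earlier, and the access check above, added here as illustration; it is not Windows code, and the access-mask bits, SIDs and object names are constructed for the example. It builds each child's effective DACL from its explicit ACEs followed by the parent's effective ACEs marked as inherited, then runs the ordered walk with rights accumulating across Allow ACEs. The scenario reproduces steps 1 to 4 of the Sales OU example and adds the case the prose only implies: an explicit Allow on a child object meeting a Deny inherited from its parent, beside a sibling that receives only the inherited Deny.

```python
"""Model of DACL inheritance and the ordered access check. Constructed
example, not Windows code: rights, SIDs and object names are made up;
the ordering and evaluation rules are the ones the text describes."""
from dataclasses import dataclass, field

READ, WRITE, DELETE = 0x1, 0x2, 0x4        # constructed stand-ins for real rights
FULL_CONTROL = READ | WRITE | DELETE


@dataclass(frozen=True)
class ACE:
    sid: str
    mask: int
    allow: bool = True
    inherited: bool = False


def canonical(explicit):
    """Explicit ACEs in canonical order: denies before allows (stable sort)."""
    return sorted(explicit, key=lambda ace: ace.allow)


@dataclass
class ADObject:
    name: str
    parent: "ADObject" = None
    explicit: list = field(default_factory=list)

    def add_child(self, name: str) -> "ADObject":
        return ADObject(name, parent=self)

    def dacl(self) -> list:
        """Effective DACL: explicit ACEs first, then every ACE of the parent's
        effective DACL in the parent's order, marked as inherited."""
        inherited = [] if self.parent is None else [
            ACE(a.sid, a.mask, a.allow, inherited=True) for a in self.parent.dacl()]
        return canonical(self.explicit) + inherited


def access_check(token: dict, obj: ADObject, requested: int) -> bool:
    """Walk the DACL in order. A Deny covering any still-ungranted right fails
    the request; an Allow removes the rights it covers; the request succeeds
    once nothing remains and fails if the DACL runs out first."""
    principals = {token["user_sid"], *token["groups"]}
    remaining = requested
    for ace in obj.dacl():
        if ace.sid not in principals or not (ace.mask & remaining):
            continue                      # ACE is for someone else, or irrelevant
        if not ace.allow:
            return False
        remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False


def sales_scenario() -> dict:
    """Steps 1 to 4 for the Sales OU, plus an inherited-Deny case."""
    user1 = "S-1-5-21-146-1105"           # constructed SID for User1
    token = {"user_sid": user1, "groups": ["S-1-5-21-146-513", "S-1-1-0"]}
    sales = ADObject("OU=Sales")
    sales.explicit.append(ACE(user1, READ))                 # step 1
    west = sales.add_child("OU=West,OU=Sales")              # step 2: inherits Read
    bob = west.add_child("CN=Bob,OU=West,OU=Sales")         # two levels down
    out = {"inherited_read": access_check(token, bob, READ),
           "inherited_write": access_check(token, bob, WRITE)}
    west.explicit.append(ACE(user1, FULL_CONTROL))          # step 3: explicit wins
    out["explicit_full_control"] = access_check(token, west, FULL_CONTROL)
    sales.explicit.clear()                                  # step 4: parent changed
    out["child_keeps_explicit"] = access_check(token, west, FULL_CONTROL)
    out["bob_after_parent_change"] = access_check(token, bob, READ)
    # The explicit Allow on West precedes the Deny inherited from Sales; a
    # sibling with no explicit ACE receives only the inherited Deny.
    sales.explicit.append(ACE(user1, WRITE, allow=False))
    east = sales.add_child("OU=East,OU=Sales")
    out["explicit_allow_beats_inherited_deny"] = access_check(token, west, WRITE)
    out["sibling_inherits_deny"] = access_check(token, east, WRITE)
    return out
```

`sales_scenario()` returns True for the inherited Read on Bob, False for Write there, True for Full Control on West both before and after the parent's ACE is removed, True for Write on West despite the inherited Deny, and False for Write on East. The check stops at the first matching Deny and otherwise keeps clearing bits, which is why one Allow for Read and another for Write together satisfy a request for both.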
Slide Objective: To explain how Windows 2000 uses DACLs to grant access to resources.

Lead-in: Windows 2000 uses access tokens and DACLs to grant access to resources.

Key Points: The process of accessing an Active Directory object is identical to the process of accessing any file system object.
Demonstration: Examining Access Tokens

Slide Objective: To introduce the Examining Access Tokens demonstration.

Lead-in: In this demonstration, you will see and compare the access tokens of two logon accounts.

Delivery Tip: Log on as Administrator, and at the command prompt run Mytoken.exe. Show the access token to students. Point out the SID, Group IDs, and the user rights components of the access token for the Administrator account.

Using the secondary logon process (Run as), log on as any user, run Mytoken.exe, and show the students this access token. Point out the SID, Group IDs, and the user rights components of the access token for the user account.

Display the two access tokens side by side and ask students to identify the differences between SIDs, Group IDs, and User Rights.
Review

- Administering a Windows 2000 Network
- Centralized Management
- Delegating Administrative Control
- Controlling Access to Active Directory Objects and Windows 2000 Resources


1. How does Active Directory enable centralized network management and
decentralized administration?
Active Directory is a central repository of objects. It contains

information about the properties of objects and allows the editing of
this information. It also makes it easy for administrators to locate
information about objects anywhere in the enterprise. It allows you to
group objects with identical administrative and security requirements
into domains and OUs. Finally, Active Directory allows you to set
administrative permissions for OUs and Active Directory objects that
allow other users to administer them.


2. You are the senior administrator in an organization. Because your workload
has increased you want to delegate the administration of users in the Sales
department to a junior administrator. How can you do this?
Delegate control of the Sales OU to the junior administrator by assigning
the Full Control permission for user objects in the Sales OU, and nothing
beyond that OU.


3. Your time is typically divided between answering e-mail queries,
developing standards and training documents, and using Windows 2000
administrative tools. Because most of the work that you do requires you to
be logged on using your standard user account, you do not want to log off to
run administrative tools. What can you do to accomplish this?
Use the secondary logon process (Run as) to run the
administrative tools.


Slide Objective: To reinforce module objectives by reviewing key points.

Lead-in: The review questions cover some of the key concepts taught in the module.