1 TNT4-04: Entry slide

2 Join the Community

3 Windows Server 2003 Administration Webcast Series - Part 4: Group Management
Hello and welcome to this Microsoft TechNet session, Windows Server 2003 Administration Webcast Series Part 4, covering Group Management. My name is {insert name}. Here's what we will cover today.

4 What we will cover:
The various group types and scopes available in a Windows Server 2003 domain
Creating groups and managing group memberships
Using command-line tools to manage groups
During this session, we will discuss the groups that you can use in a Windows Server 2003 domain. You will see how to create groups and then view the properties of an Active Directory group object. Then we will cover two command-line tools to ease the management of large numbers of groups and users. To get the most out of this session, you should have the following knowledge and experience.

5 Prerequisite knowledge
Experience administering Windows Server 2003 servers
Experience supporting end users
Level 100
[BUILD1] You should be familiar with the basics of the Windows Server 2003 user interface. [BUILD2] And the last section of this session will mean more to you if you have experience supporting end users on your network. Now let's look at the session agenda.

6 Agenda
Review
Group types and scopes
Group management tools
This session focuses on concepts related to the management of Windows groups. But first, we'll start with a review of the previous session. If the topics covered in this review feel unfamiliar to you, please refer to the previous parts of this series. Our discussion of groups will start with an overview of the types and scope of groups within the Windows Server 2003 server system. Then we will cover some command-line tools which can help automate the management of large numbers of Active Directory objects. In the previous webcast, we covered the Windows user profile.

7 Review: User profiles
The user profile provides the Windows user's customized environment
Roaming user profiles provide a consistent environment across multiple PCs throughout the network
Use Group Policy to control the user environment as needed
[BUILD1] Both the local and the roaming user profile provide a customized experience to the end user. A profile contains a user's documents and settings so different users of the same computer can configure the system to their liking. [BUILD2] Employing the roaming user profile extends this experience by enabling the profile to follow the user to any computer on the network. [BUILD3] And when you need to deploy mandatory settings to the user profile, you can best gain granular control over the user profile by using Group Policy. Now let's look at some review questions from the last session.

8 Review: Local user profiles
By default, where do Windows 2003, XP and 2000 store local user profiles?
1. C:\documents and settings
2. C:\profiles
3. C:\winnt\profiles
4. C:\windows\profiles
Take a moment to decide.

9 Review: Local user profiles
By default, where do Windows 2003, XP and 2000 store local user profiles?
1. C:\documents and settings
2. C:\profiles
3. C:\winnt\profiles
4. C:\windows\profiles
The correct answer is 1. The current Windows operating systems store user profiles on the system drive in the documents and settings folder. However, this location can be changed to any location the administrator requires by applying custom installation scripts or by editing the system registry. Windows NT stored the user profiles in the c:\winnt\profiles folder. Let's try another question.

10 Review: Local user profiles
Where does Windows first look for profile information when a user logs on?
1. In the C:\documents and settings folder
2. In the profile list under HKEY_LOCAL_MACHINE
3. In the Netlogon share on the domain controller
4. In the C:\windows\profiles folder
Take a moment to decide.

11 Review: Local user profiles
Where does Windows first look for profile information when a user logs on?
1. In the C:\documents and settings folder
2. In the profile list under HKEY_LOCAL_MACHINE
3. In the Netlogon share on the domain controller
4. In the C:\windows\profiles folder
The correct answer is 2. As the first step in the logon process when looking at user profiles, Windows will first check the profile list stored within the registry. This registry key will provide information about the user's profile if one exists. If no user profile exists for the user, Windows will refer to the Netlogon share and the Documents and Settings folder for a default profile. Let's try another question.

12 Review: Roaming user profiles
Does the local Windows client actively work with the roaming user profile located on the network share?
Yes.
No.
Take a moment to decide.

13 Review: Roaming user profiles
Does the local Windows client actively work with the roaming user profile located on the network share?
Yes.
No.
The correct answer is No. When Windows works with a roaming user profile, it caches a copy of the profile to the local hard drive. Throughout the logon session, the system uses this cached profile and then merges the profiles at logoff. Let's try another question.

14 Review: Roaming user profiles
Where does Windows check for the default user profile when configured for roaming user profiles?
1. C:\Documents and Settings\Default User
2. \\<Server>\<ProfileShare>\Default User
3. \\<DomainController>\NETLOGON
4. Only local profiles copy the default user folder.
Take a moment to decide.

15 Review: Roaming user profiles
Where does Windows check for the default user profile when configured for roaming user profiles?
1. C:\Documents and Settings\Default User
2. \\<Server>\<ProfileShare>\Default User
3. \\<DomainController>\NETLOGON
4. Only local profiles copy the default user folder.
The correct answer is 3. The Netlogon share on each domain controller contains the default domain user profile. If a profile exists in a folder named "Default User", the system will create new user profiles based on the contents of this folder. If this folder does not contain the default user folder, Windows creates a blank profile with no options configured. Let's try another question.

16 Review: Mandatory user profiles
With Windows Server 2003, what is the best method to control the user's environment?
1. Mandatory user profiles
2. Group Policy
3. Roaming user profiles
4. Company computer policies
Take a moment to decide.

17 Review: Mandatory user profiles
With Windows Server 2003, what is the best method to control the user's environment?
1. Mandatory user profiles
2. Group Policy
3. Roaming user profiles
4. Company computer policies
The correct answer is 2. Creating a mandatory user profile prevents any changes made to the user's environment from being saved, and since mandatory user profiles add too much administrative overhead, they are rarely the best option. Group Policies provide granular control over the user environment, allowing you to mandate certain settings while leaving others to the user's discretion. Roaming user profiles alone do not provide any level of control, and company computer policies put the control in the hands of the end user. Now let's return to the agenda to start our discussion of group management.

18 Agenda
Review
Group types and scope
Group management tools
Now let's move on and take a look at the types and scopes of groups available to Windows Server 2003. We'll begin by discussing group types.

19 Group types and scope: Understanding group types
Distribution groups
Security groups
A group is a collection of user accounts, computer objects, contacts and, in the case of group nesting, other groups that can be managed as a single unit. Users and computers that belong to a particular group are referred to as group members. Using groups can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to each account individually. Groups are characterized by their scope and their type. The scope of a group determines the extent to which the group is applied within a domain or forest. We will review group scope shortly.
There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups as e-mail distribution lists and security groups to assign permissions to shared resources. There are also groups for which you cannot modify or view the memberships. These groups are referred to as special identities and are used to represent different users at different times, depending on the circumstances. Special groups will also be covered shortly.
Distribution groups can be used only with e-mail applications, such as Microsoft Exchange Server 2003, to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists, or DACLs. Distribution group membership is static, meaning that administrators must manually add and remove users from the list, which is an inefficient use of the administrator's time.
The query-based distribution group is a new type of distribution group that is included in Exchange. A query-based distribution group provides the same functionality as a standard distribution group, but it uses a Lightweight Directory Access Protocol, or LDAP, query. A query-based distribution group uses the LDAP filter rules to dynamically build membership in the distribution group instead of specifying static user membership. You can easily construct a mailing list for all users who have mailboxes on a particular server, or in a particular storage group or in a database, by using a query-based distribution group. It is less time-consuming to use this method than to add the users to a standard distribution group by using Exchange System Manager or by using a programmatic method.

20 Group types and scope: Understanding group types
Distribution groups
Security groups
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can assign permissions to Active Directory resources. User rights are assigned to security groups to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups at the time Active Directory is installed to help administrators define a person's administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories located on each domain controller in the domain. You can assign user rights to security groups, using Group Policy, to help delegate specific tasks.
Permissions should not be confused with user rights. Permissions are assigned to the security group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. When assigning permissions for resources, such as file shares, printers, and so on, you should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account added to a group receives the rights assigned to that group in Active Directory and the permissions defined for that group at the resource.
Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group. Both types of groups can be configured with one of three group scopes.

21 Group types and scope: Group scope – Domain local groups
Grant permissions to resources in the local domain
Can include members from the entire forest
Available at all domain functional levels
[Diagram: membership of, and permissions granted to, a domain local group]
Groups, whether a security group or a distribution group, are characterized by a scope that identifies the extent to which the group is applied in the domain or forest. There are three group scopes: universal, global, and domain local. Groups with domain local scope help you define and manage access to resources within a single domain. As a best practice, you should only assign permissions to resources using domain local groups and add global and universal groups as members of the domain local group to gain access to the network resources. We refer to the technique of adding groups as members of other groups as group nesting, which will be covered shortly. The domain local group can include members from any domain in the forest or other trusted domains. This group scope exists in all mixed, interim and native functional level domains and forests. When operating in a domain in mixed or interim mode, the domain local group functions as a local group on the domain controller. In Windows 2000 native or Windows Server 2003 domain functional level domains, groups of this scope are treated as domain-wide groups. Compare this to groups with global scope.

22 Group types and scope: Group scope – Global groups
Grant permissions to resources in any domain
Can include members from the local domain only
Available at all domain functional levels
[Diagram: membership of, and permissions granted to, a global group]
Use global groups primarily to group users and computers of similar purpose, department, responsibility, or geographic region that will require access to the same resources. For example, all users from the Operations department or all users from the London office may be included in a single global group. Then, if you locate a network printer near the Operations department, you can add the Operations global group to the domain local group that will have permissions to use the printer. This type of security group exists in all mixed, interim, and native functional level domains and forests. Global groups can only include members from within their domain but can be made a member of a domain local group anywhere in the forest.
Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts. Because groups with global scope are not replicated outside of their own domain, accounts in a group having global scope can be changed frequently without generating replication traffic to the global catalog. Although rights and permissions assignments are valid only within the domain in which they are assigned, by applying groups with global scope uniformly across the appropriate domains, you can consolidate references to accounts with similar purposes. For example, in a network with two domains, Europe and UnitedStates, if there is a group with global scope called GGAccounting in the UnitedStates domain, there should also be a group called GGAccounting in the Europe domain. The third group scope is the universal group.

23 Group types and scope: Group scope – Universal groups
Grant permissions to resources in any domain
Can include members from the entire forest
Available only in:
Windows 2000 native
Windows Server 2003 functional level domains
[Diagram: membership of, and permissions granted to, a universal group]
The universal group can only be used in a Windows 2000 native or Windows Server 2003 domain functional level domain. In keeping with the best practices for group nesting, you should use universal groups to bring together the global groups created in each domain. For example, use the universal group to combine the GGAccounting groups from the Europe and UnitedStates domains. In this way, you can reduce the membership list of the domain local group that directly assigns permissions to the network resources. Universal groups can help you represent and consolidate groups that span domains, and perform common functions across the enterprise. A useful guideline is to designate widely used groups that seldom change as universal groups. The membership of a group with universal scope should not change frequently, since any changes to these group memberships cause the entire membership of the group to be replicated to every global catalog in the forest. Let's look at how group nesting works.

24 Group types and scope: Nesting groups
[Diagram: global group]
[BUILD1] Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic. Nesting options depend on the domain functional level of your Windows Server 2003 domain. Groups in domains set to the Windows Server 2003 domain functional level can be nested using the following guidelines. A global group can contain other global groups along with user and computer accounts from the same domain that the global group belongs to. A global group cannot contain any universal groups, domain local groups, or any global group or account from another domain.

25 Group types and scope: Nesting groups
[Diagram: global group, universal group]
[BUILD2] A universal group can contain other universal groups, global groups and user and computer accounts from any domain in any forest. A universal group cannot contain any domain local groups.

26 Group types and scope: Nesting groups
[Diagram: global group, universal group, domain local group]
[BUILD3] And the domain local group can contain universal groups, global groups and user and computer accounts from any domain or forest. A domain local group can also contain other domain local groups from the same domain that the group belongs to. A domain local group cannot contain other domain local groups from any other domain or forest.

27 Group types and scope: Nesting groups
[Diagram: global group, domain local group]
[BUILD4] Security groups in domains set to the Windows 2000 Server mixed mode or Windows Server 2003 interim functional level are restricted. Groups with global scope can have as their members only accounts. Groups with domain local scope can have as their members other groups with global scope and accounts. Security groups with universal scope cannot be created in domains with the domain functional level set to Windows 2000 mixed because universal scope is supported only in domains where the domain functional level is set to Windows 2000 native or Windows Server 2003. For additional information on how to approach security group nesting, refer to the Designing a Resource Authorization Strategy section of the Windows Server 2003 Deployment Kit's chapter on Designing and Deploying Directory and Security Services. Let's look at how this works in a two-domain forest.

28 Group types and scope: Using group nesting
[BUILD1] In this example, let's assume we have to assign permissions across two domains to various network shared folders and network printers. The marketing department spans two domains and you want to provide everybody in the marketing department with access to the network resources.

29 Group types and scope: Using group nesting
[BUILD2] As a rule, you will use global groups to group together users and computers within one domain according to certain geographical, departmental, or functional criteria. So in this example, we add all the users in the marketing department to the marketing global group in each domain.

30 Group types and scope: Using group nesting
[BUILD3] To further consolidate these groups, we can optionally create a new universal group that includes in its membership both of the domain global groups. Remember, the universal group can include members from any domain to provide access to resources throughout the forest.

31 Group types and scope: Using group nesting
[BUILD4] Then, on the domain where the network resources reside, create a domain local group and assign it the security permissions to those resources.

32 Group types and scope: Using group nesting
[BUILD5] Now we can add the groups with user membership to the group with permissions to the network resources. With just one or two global groups, you may find it easy to use these groups as members of the domain local groups. However, once the number of global groups expands beyond five or ten groups, you may simplify the group membership structure by using the universal group member option. Windows Server 2003 also includes several built-in special groups.
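The nesting rules from slides 24 to 27 and the two-domain marketing walk-through from slides 28 to 32, as an added Python model that is not part of the original presentation. The Europe and UnitedStates domain names come from slide 22; the group names, account names and function names are hypothetical.

```python
from dataclasses import dataclass, field

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domain local"

@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)  # Group objects or "DOMAIN\\account"

def may_contain(parent, member, native=True):
    """True if `member` may be nested in `parent` under the slide rules.

    native=True  -> Windows 2000 native / Windows Server 2003 functional level
    native=False -> Windows 2000 mixed / Windows Server 2003 interim
    """
    is_group = isinstance(member, Group)
    member_domain = member.domain if is_group else member.split("\\", 1)[0]
    same_domain = member_domain == parent.domain
    scopes = (parent.scope, member.scope if is_group else None)
    if not native and UNIVERSAL in scopes:
        return False  # universal security groups do not exist below native level
    if not is_group:
        # Accounts: a global group takes only its own domain's accounts.
        return same_domain or parent.scope != GLOBAL
    if parent.scope == GLOBAL:
        # Only same-domain global groups, and only at native level.
        return native and member.scope == GLOBAL and same_domain
    if parent.scope == UNIVERSAL:
        return member.scope != DOMAIN_LOCAL
    # Parent is domain local: global/universal from anywhere,
    # other domain local groups only from the same domain (native level).
    if member.scope == DOMAIN_LOCAL:
        return native and same_domain
    return True

def nest(parent, member, native=True):
    """Add a member after checking the nesting rule; refuse invalid nesting."""
    if not may_contain(parent, member, native):
        label = member.name if isinstance(member, Group) else member
        raise ValueError(f"{label} cannot be a member of {parent.name}")
    parent.members.append(member)

def effective_accounts(group, seen=None):
    """Flatten nested membership into the accounts that inherit the group's access."""
    seen = set() if seen is None else seen
    if id(group) in seen:  # guard against circular nesting
        return set()
    seen.add(id(group))
    accounts = set()
    for m in group.members:
        if isinstance(m, Group):
            accounts |= effective_accounts(m, seen)
        else:
            accounts.add(m)
    return accounts

def build_marketing_example():
    """Accounts -> global groups -> universal group -> domain local group."""
    gg_eu = Group("GG_Marketing", "EUROPE", GLOBAL)
    gg_us = Group("GG_Marketing", "UNITEDSTATES", GLOBAL)
    for account in ("EUROPE\\anna", "EUROPE\\luis"):  # constructed accounts
        nest(gg_eu, account)
    nest(gg_us, "UNITEDSTATES\\dana")
    ug = Group("UG_Marketing", "EUROPE", UNIVERSAL)
    nest(ug, gg_eu)
    nest(ug, gg_us)
    # Permissions on the printers and shares are granted to this group only.
    dl = Group("DL_Marketing_Resources", "UNITEDSTATES", DOMAIN_LOCAL)
    nest(dl, ug)
    return gg_eu, gg_us, ug, dl

if __name__ == "__main__":
    *_, dl = build_marketing_example()
    print(sorted(effective_accounts(dl)))
```

Flattening the domain local group is also how you review who actually holds a permission: the ACL names one group, but the effective access is the union of every account reachable through the nesting chain.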

33 Group types and scope: Built-in special groups
Everyone
Network
Interactive
Anonymous Logon
Authenticated Users
Creator Owner
Dialup
There are also some special groups, called special identities, that are managed by the operating system. Special identities cannot be created or deleted, nor can their membership be modified by administrators. Special identities do not appear in the Active Directory Users and Computers snap-in or in any other computer management tool, but can be assigned permissions in an ACL. These special groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
[BUILD1] Everyone includes all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically added to the Everyone group.
[BUILD2] Network represents users currently accessing a given resource over the network, as opposed to users who access a resource by logging on locally at the computer where the resource is located. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.
[BUILD3] The Interactive group includes all users currently logged on to a particular computer and accessing a given resource located on that computer, as opposed to users who access the resource over the network. Whenever a user accesses a given resource on the computer to which they are logged on, the user is automatically added to the Interactive group.
[BUILD4] The Anonymous Logon group refers to any user who is using network resources, but did not go through the authentication process.

34 Group types and scope: Built-in special groups
Everyone
Network
Interactive
Anonymous Logon
Authenticated Users
Creator Owner
Dialup
[BUILD5] The Authenticated Users group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated Users group in place of the Everyone group to prevent anonymous access to resources.
[BUILD6] The Creator Owner group refers to the user who created or took ownership of the resource. For example, if a user created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
[BUILD7] The Dialup group includes anyone who is connected to the network through a dial-up connection.
These groups can be assigned permissions to network resources, although caution should be used when assigning some of these groups permissions. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions to a share for the Everyone group, users connecting from other domains will have access to the share. Although the special identities can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identities. Users are automatically assigned to these special identities whenever they log on or access a particular resource. Now let's go to the first demo to see how to create and manage groups.
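One way to check an ACL for the caution on slide 34, as an added Python example that is not part of the original presentation. It parses the DACL of a security descriptor in SDDL form, reports allow entries granted to Everyone or Anonymous Logon, and rewrites Everyone entries to Authenticated Users; the SDDL aliases and SIDs are the Windows well-known values, while the sample descriptor and the function names are constructed for illustration.

```python
import re

# Special identities from the slide, keyed by SDDL alias and well-known SID.
TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "NU": "Network", "S-1-5-2": "Network",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "CO": "Creator Owner", "S-1-3-0": "Creator Owner",
    "S-1-5-1": "Dialup",
}
MAY_BE_UNAUTHENTICATED = {"Everyone", "Anonymous Logon"}
FULL_CONTROL = {"FA", "GA", "0x1f01ff"}  # file all access, generic all, hex form

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")  # "D:" + flags + ACE list
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample: owner, group, a four-entry DACL, then a SACL.
SAMPLE_SDDL = ("O:BAG:DUD:(A;;FA;;;BA)(A;OICI;FA;;;WD)(A;;FR;;;AN)"
               "(A;;0x1200a9;;;AU)S:(AU;FA;FA;;;WD)")

def parse_dacl(sddl):
    """Return the DACL entries as dicts; the SACL after 'S:' is ignored."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1)) if m else []:
        f = body.split(";")  # type;flags;rights;object;inherited object;trustee
        if len(f) >= 6:
            aces.append({"type": f[0], "flags": f[1], "rights": f[2], "trustee": f[5]})
    return aces

def rights_tokens(rights):
    """Split 'FRFX' into {'FR', 'FX'}; keep a hex mask as a single token."""
    if rights.lower().startswith("0x"):
        return {rights.lower()}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def audit(sddl):
    """List allow ACEs granted to identities that may include unauthenticated users."""
    findings = []
    for ace in parse_dacl(sddl):
        who = TRUSTEES.get(ace["trustee"])
        if ace["type"] == "A" and who in MAY_BE_UNAUTHENTICATED:
            full = bool(rights_tokens(ace["rights"]) & FULL_CONTROL)
            findings.append((who, ace["rights"], "full control" if full else "limited"))
    return findings

def use_authenticated_users(sddl):
    """Rewrite allow ACEs for Everyone so they name Authenticated Users instead."""
    m = DACL_RE.search(sddl)
    if not m:
        return sddl

    def fix(ace):
        f = ace.group(1).split(";")
        if len(f) >= 6 and f[0] == "A" and TRUSTEES.get(f[5]) == "Everyone":
            f[5] = "AU"
        return "(" + ";".join(f) + ")"

    start, end = m.span(1)
    return sddl[:start] + ACE_RE.sub(fix, m.group(1)) + sddl[end:]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SDDL):
        print(finding)
    print(use_authenticated_users(SAMPLE_SDDL))
```

The rewrite leaves the Anonymous Logon entry in place so that it still shows up in the audit; whether to remove it is a decision for the resource owner.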

35 Demo: Group types and scope
Create a new security group
Properties of a group
Add users to a group
Create dynamic distribution groups
Let's take a moment to review group types and scopes.

36 Review: Group types and scope
What types of groups can be used as distribution groups?
1. Security groups
2. Distribution groups
3. Query-based distribution groups
4. All of the above
Take a moment to decide.

37 Review: Group types and scope
What types of groups can be used as distribution groups?
1. Security groups
2. Distribution groups
3. Query-based distribution groups
4. All of the above
The correct answer is 4, all of the above. Though the primary purpose of security groups is to provide authorization to network resources, you can direct e-mail to a security group. Windows has provided the features of distribution groups for years to group e-mail recipients. With the introduction of Microsoft Exchange Server 2003, administrators can now create dynamic distribution lists to direct e-mail to users meeting specified criteria, such as all IT personnel in the London office. Let's try another question.

38 Review: Group types and scope
What type of group should you use to assign permissions directly to network resources?
1. Global distribution groups
2. Domain local security groups
3. Universal security groups
4. Domain local distribution groups
Take a moment to decide.

39 Review: Group types and scope
What type of group should you use to assign permissions directly to network resources?
1. Global distribution groups
2. Domain local security groups
3. Universal security groups
4. Domain local distribution groups
The correct answer is 2, domain local security groups. As a best practice, you should group users within a domain into global security groups. Combine global security groups of the same purpose from different domains into universal security groups. Then assign security permissions to domain local security groups while including the universal and global security groups in the membership of the domain local security group. You cannot assign permissions to network resources to distribution groups of any kind. Let's try another review question.

40 Review: Group types and scope
How do you add a user to the Authenticated Users special security group?
1. Access the group by enabling the advanced view in the MMC and modify the Members tab
2. Log a user on to the domain
3. Group membership for special security groups cannot be administratively controlled
Take a moment to decide.

41 Review: Group types and scope
How do you add a user to the Authenticated Users special security group? 1. Access the group by enabling the advanced view of the MMC and modify the Members tab 2. Log a user on to the domain 3. Group membership for special security groups cannot be controlled administratively KEY MESSAGE: Review Answer SLIDE BUILDS: 0 SLIDE SCRIPT: How do you add a user to the Authenticated Users special security group? The correct answer is 3, group membership to special security groups cannot be administratively controlled. While security permissions can be granted to special security groups for network resources, nobody can access a properties dialog for a special security group. Windows does not provide any way for the administrator to configure these groups. Although logging a user into the domain does add them to the Authenticated Users special security group, this process does not fall under the administrator’s control. SLIDE TRANSITION: Let’s try one more review question before continuing to the next agenda item. ADDITIONAL INFORMATION FOR PRESENTER:

42 Review: Group types and scope
Domain local security group membership can include which of the following? 1. Users within the local domain 2. Users from throughout the forest 3. Users within trusted domains 4. All of the above KEY MESSAGE: Review Question SLIDE BUILDS: 0 SLIDE SCRIPT: Domain local security group membership can include which of the following? SLIDE TRANSITION: Take a moment to decide. ADDITIONAL INFORMATION FOR PRESENTER:

43 Review: Group types and scope
Domain local security group membership can include which of the following? 1. Users within the local domain 2. Users from throughout the forest 3. Users within trusted domains 4. All of the above KEY MESSAGE: Review Answer SLIDE BUILDS: 0 SLIDE SCRIPT: Domain local security group membership can include which of the following? The correct answer is 4, all of the above. Domain local security groups can include membership from any domain within the local forest along with any trusted domain to provide security permissions to resources within the local domain only. Global security groups can include members from the local domain only to provide security permissions throughout the forest or any trusted domain. Universal groups can include members from throughout the forest or trusted domains to provide security permissions to resources throughout the forest or in trusted domains. SLIDE TRANSITION: Now let’s return to the agenda to start the next topic. ADDITIONAL INFORMATION FOR PRESENTER:

44 Agenda Review Group types and scopes
Group management tools KEY MESSAGE: Agenda SLIDE BUILDS: 0 SLIDE SCRIPT: In the next section, we will introduce two command-line group management tools. SLIDE TRANSITION: Let’s first look at the LDIFDE tool. ADDITIONAL INFORMATION FOR PRESENTER:

45 Group management tools: LDIF Directory Exchange tool
Lightweight Directory Access Protocol (LDAP) KEY MESSAGE: Introduce the LDIFDE Tool SLIDE BUILDS: 0 SLIDE SCRIPT: The Lightweight Directory Access Protocol Data Interchange Directory Exchange, or more simply, the LDIFDE tool is a command-line tool that allows you to import and export objects to and from Active Directory. You can create, modify, and delete directory objects by using this tool. Because LDAP is the main access protocol for Active Directory, the tool uses LDAP to query or apply changes to the Active Directory database. The LDAP Data Interchange Format is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. The tool uses the LDIF file format to address directory objects. The LDIF format is used to convey directory information, or a description of a set of changes made to directory entries. An LDIF file consists of a series of records separated by line separators. A record consists of a sequence of lines describing a directory entry, or a sequence of lines describing a set of changes to a directory entry. An LDIF file specifies a set of directory entries, or a set of changes to be applied to directory entries, but not both. There is a one-to-one correlation between LDAP operations that modify the directory, and the types of change records. This correspondence is intentional, and permits a straightforward translation from LDIF change records to protocol operations. The tool can be used on a server running Windows 2000 or Windows Server 2003 or copied to a workstation running Windows 2000 Professional or Windows XP Professional.
For example, LDIFDE can be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services. SLIDE TRANSITION: To manage large numbers of accounts, you can use the directory services command-line tools. ADDITIONAL INFORMATION FOR PRESENTER: Active Directory database LDAP Data Interchange Format (LDIF)
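
The record structure described on this slide can be checked mechanically before a change file is imported. This Python sketch is an added example, not part of the original session or of LDIFDE: it splits records at blank lines, rejects a file that mixes directory entries with change records, and lists the group membership changes the file would make. The sample file, the example.com names and all function names are constructed for illustration.

```python
import base64

# changetype -> the LDAP operation that change record translates to.
LDAP_OPERATION = {"add": "Add", "delete": "Delete", "modify": "Modify",
                  "modrdn": "Modify DN", "moddn": "Modify DN"}

# Constructed sample change file; every name under example.com is hypothetical.
SAMPLE_CHANGES = """\
version: 1
dn: CN=Payroll Readers,OU=Groups,DC=example,DC=com
changetype: modify
add: member
member: CN=Luis Ortega,OU=Staff,
 DC=example,DC=com
-
delete: member
member: CN=Temp Account,OU=Staff,DC=example,DC=com
-

dn: CN=Old Project,OU=Groups,DC=example,DC=com
changetype: delete
"""

def split_line(line):
    """Return (attribute, value); 'attr:: value' marks a base64-encoded value."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr.strip().lower(), rest.strip()

def unfold(text):
    """Split text into records at blank lines and join folded continuation lines."""
    records = [[]]
    for raw in text.splitlines():
        if raw.startswith("#") or raw.lower().startswith("version:"):
            continue                                 # comment or version header
        if not raw.strip():                          # blank line ends a record
            records.append([])
        elif raw.startswith(" ") and records[-1]:    # folded continuation line
            records[-1][-1] += raw[1:]
        else:
            records[-1].append(raw)
    return [r for r in records if r]

def parse_ldif(text):
    """Parse records; reject a file that mixes directory entries with changes."""
    records = []
    for lines in unfold(text):
        (key, dn), body = split_line(lines[0]), [split_line(l) for l in lines[1:]]
        ctype = body[0][1].lower() if body and body[0][0] == "changetype" else None
        if key != "dn" or (ctype is not None and ctype not in LDAP_OPERATION):
            raise ValueError("malformed record starting %r" % lines[0])
        records.append({"dn": dn, "changetype": ctype,
                        "body": body[1:] if ctype else body})
    if len({r["changetype"] is None for r in records}) > 1:
        raise ValueError("file mixes directory entries and change records")
    return records

def membership_changes(records):
    """Return (group DN, 'add' / 'delete' / 'replace', member DN) for modify records."""
    found = []
    for rec in (r for r in records if r["changetype"] == "modify"):
        mod = None                                   # current (operation, attribute)
        for attr, value in rec["body"]:
            if mod is None or attr == "-":           # '-' closes a block, next line opens one
                mod = None if attr == "-" else (attr, value.lower())
            elif mod[1] == attr == "member":
                found.append((rec["dn"], mod[0], value))
    return found
```

Running `membership_changes(parse_ldif(...))` over a change file gives a reviewable list of who is being added to or removed from which group before the file is applied to the directory.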

46 Group management tools: Directory service tools
DSADD – Adds objects to the directory; DSGET – Displays object properties; DSMOD – Modifies object properties; DSMOVE – Moves an object within the directory; DSRM – Removes a directory object; DSQUERY – Queries Active Directory KEY MESSAGE: Introduction to the Directory Services command-line tools. SLIDE BUILDS: 0 SLIDE SCRIPT: Windows Server 2003 supports a number of powerful command-line tools to facilitate the management of Active Directory. The DSADD command enables you to create objects in Active Directory. When creating a new security group, utilize the DSADD GROUP command. DSADD parameters allow you to configure specific properties of an object. The parameters are self-explanatory; however, the Windows Server 2003 Help And Support Center provides thorough descriptions of the DSADD command’s parameters if you desire more explanation. Each of the other tools provides command-line access to alter the object. The DSQUERY command queries Active Directory for objects that match a specific criteria set. With several commands linked together or grouped into a script, the directory services tools can greatly improve your ability to manage user accounts in a large environment. SLIDE TRANSITION: Next, let’s look at these tools in the second demo. ADDITIONAL INFORMATION FOR PRESENTER:

47 demo Group management tools
Export the directory using LDIFDE; Modify a group using LDIFDE; Add groups using DSADD; Modify groups using DSMOD KEY MESSAGE: Demonstration: Group management tools SLIDE BUILDS: 0 SLIDE SCRIPT: Which tool provides an efficient method to import and export Active Directory objects? SLIDE TRANSITION: Take a moment to decide. ADDITIONAL INFORMATION FOR PRESENTER:

48 Review: Group management tools
Which tool provides an efficient method to import and export Active Directory objects? 1. DSQuery 2. LDIFDE 3. DSMod 4. LDAPDE KEY MESSAGE: Review Question SLIDE BUILDS: 0 SLIDE SCRIPT: Which tool provides an efficient method to import and export Active Directory objects? SLIDE TRANSITION: Take a moment to decide. ADDITIONAL INFORMATION FOR PRESENTER:

49 Review: Group management tools
Which tool provides an efficient method to import and export Active Directory objects? 1. DSQuery 2. LDIFDE 3. DSMod 4. LDAPDE KEY MESSAGE: Review Answer SLIDE BUILDS: 0 SLIDE SCRIPT: Which tool provides an efficient method to import and export Active Directory objects? The correct answer is 2, LDIFDE.exe. The Directory Services command-line tools, DSQuery and DSMod, have specific purposes to search for and modify Active Directory objects. Windows Server 2003 includes no tool called LDAPDE. SLIDE TRANSITION: Let’s try one more question from this agenda item. ADDITIONAL INFORMATION FOR PRESENTER:

50 Review: Group management tools
Which Directory Services command-line tool grouping can configure targeted Active Directory objects’ attributes? 1. DSQuery | DSMod 2. DSAdd | DSMod 3. DSMod | DSRm 4. DSQuery | DSMove KEY MESSAGE: Review Question SLIDE BUILDS: 0 SLIDE SCRIPT: Which Directory Services command-line tool grouping can configure targeted Active Directory objects’ attributes? SLIDE TRANSITION: Take a moment to decide. ADDITIONAL INFORMATION FOR PRESENTER:

51 Review: Group management tools
Which Directory Services command-line tool grouping can configure targeted Active Directory objects’ attributes? 1. DSQuery | DSMod 2. DSAdd | DSMod 3. DSMod | DSRm 4. DSQuery | DSMove KEY MESSAGE: Review Answer SLIDE BUILDS: 0 SLIDE SCRIPT: Which Directory Services command-line tool grouping can configure targeted Active Directory objects’ attributes? The correct answer is 1, DSQuery coupled with a DSMod command. This grouping queries the directory for objects with specified attributes and then runs a modification command to change SLIDE TRANSITION: Let’s review what this session covered. ADDITIONAL INFORMATION FOR PRESENTER:

52 Session Summary Group types include security groups and distribution groups. Group scope includes domain local, global, and universal groups. Use group nesting as the most effective way to group users and grant security authorization throughout the Active Directory forest. KEY MESSAGE: Session Summary SLIDE BUILDS: 3 SLIDE SCRIPT: [BUILD1] First we discussed the concept of group types. Use security groups to collect users of a common purpose or location to assign access permissions to network resources. Distribution groups also provide a method to collect users of a common purpose or location but can only be used as mailing lists. Security groups can also be used as mailing lists. [BUILD2] Windows Server 2003 provides three group scopes. The domain local group can include membership from throughout the forest or trusted domain to give access to resources in the local domain. Global groups, on the other hand, can only include members from the local domain but can be used throughout the forest or trusted domains to assign permissions to network resources. Universal groups offer the most flexible option, allowing membership from and assigning permissions to resources throughout the forest or trusted domains. [BUILD3] Group nesting provides the ability to use the three types of group scope to effectively manage enterprise permissions to network resources. Within each domain, group users of similar purpose or geographical location in global groups. Use the universal group to combine global groups of similar purpose or location from different domains. Then grant access to network resources to domain local groups and add the global and universal groups as members of the domain local group. SLIDE TRANSITION: For more information, refer to the TechNet web site. ADDITIONAL INFORMATION FOR PRESENTER:
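
The nesting strategy summarized on this slide can be expressed as checks over a membership graph and an access control list. This Python sketch is an added example, not part of the original session: it flags global groups holding members from another domain, flags permissions granted to anything other than a domain local security group in the resource's domain, and expands nested membership to the users who end up with access. The domains, group names and functions are constructed, and trusted external domains are not modelled.

```python
from dataclasses import dataclass, field

MADRID, LIMA = "madrid.example.com", "lima.example.com"   # hypothetical domains

@dataclass
class Principal:
    name: str
    domain: str
    scope: str = "user"        # "user", "global", "universal" or "domain_local"
    security: bool = True      # False marks a distribution group
    members: list = field(default_factory=list)

def membership_findings(group):
    """Session rule: a global group holds members from its own domain only."""
    if group.scope != "global":
        return []              # universal and domain local groups take forest-wide members
    return ["%s: member %s belongs to %s" % (group.name, m.name, m.domain)
            for m in group.members if m.domain != group.domain]

def acl_findings(resource_domain, acl):
    """Check (principal, right) entries against the session's permission guidance."""
    findings = []
    for who, right in acl:
        if who.scope != "user" and not who.security:
            findings.append("%s: distribution groups cannot be assigned permissions" % who.name)
        elif who.scope != "domain_local":
            findings.append("%s: '%s' granted directly to a %s" % (who.name, right, who.scope))
        elif who.domain != resource_domain:
            findings.append("%s: domain local group used outside %s" % (who.name, who.domain))
    return findings

def effective_users(principal, seen=None):
    """Expand nested membership to the user names that end up holding the grant."""
    seen = set() if seen is None else seen
    if principal.name in seen:                 # guard against circular nesting
        return set()
    seen.add(principal.name)
    if principal.scope == "user":
        return {principal.name}
    return set().union(*(effective_users(m, seen) for m in principal.members))

def build_sample():
    """Constructed forest: users -> global -> universal -> domain local."""
    ana, luis = Principal("ana", MADRID), Principal("luis", LIMA)
    g_mad = Principal("G_Sales_Madrid", MADRID, "global", members=[ana])
    g_lim = Principal("G_Sales_Lima", LIMA, "global", members=[luis])
    u_sales = Principal("U_Sales", MADRID, "universal", members=[g_mad, g_lim])
    dl_read = Principal("DL_SalesShare_Read", MADRID, "domain_local", members=[u_sales])
    mail = Principal("Sales_Mail", MADRID, "global", security=False, members=[ana])
    return {p.name: p for p in (ana, luis, g_mad, g_lim, u_sales, dl_read, mail)}
```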

53 Questions

54 For more information…
Visit TechNet at To obtain additional information about the books, courses, and other community resources that support this session, visit KEY MESSAGE: More Information SLIDE BUILDS: 0 SLIDE SCRIPT: For the most comprehensive technical information on Microsoft products visit the main TechNet Web site at Additionally visit for more concise information on books, courses, certifications and other community resources that relate directly to this particular session. SLIDE TRANSITION: What other resources are available from TechNet. ADDITIONAL INFORMATION FOR PRESENTER:

55 MS Press Inside information for IT professionals
KEY MESSAGE: MS Press SLIDE BUILDS: 3 SLIDE SCRIPT: [BUILD1] Introducing Microsoft® Windows® Server 2003 by Jerry Honeycutt. This book/CD-ROM guide provides information and tools needed to understand, evaluate, and begin deployment planning for Windows Server 2003, whether upgrading from Microsoft Windows NT or Windows 2000 Server. Coverage encompasses features and requirements, management and security services, communications, and multilingual support, as well as testing for application compatibility. [BUILD2] Active Directory® for Microsoft® Windows® Server 2003 Technical Reference by Mike Mulcare and Stan Reimer. This book guides readers through advanced design and deployment issues related to using Active Directory in the Windows Server 2003 environment. Coverage includes underlying concepts, architectural components, and real-world functionality, with sections on overview, implementation, administration, and maintenance. [BUILD3] Microsoft® Windows® Server 2003 TCP/IP Protocols and Services Technical Reference by Joseph Davies and Thomas Lee. A thorough reference to the TCP/IP protocols and services that Windows Server 2003 supports, with emphasis on how they work and how they are used in the operating system. Includes updated information about Point-to-Point Protocol (PPP), Remote Authentication Dial-In User Service (RADIUS), IP Security (IPSec), and Virtual Private Networks (VPNs). SLIDE TRANSITION: Several third party books will also provide helpful information. ADDITIONAL INFORMATION FOR PRESENTER: To find the latest titles, visit

56 Third-party publications Supplementary reading for IT professionals
KEY MESSAGE: Third Party Books SLIDE BUILDS: 3 SLIDE SCRIPT: [BUILD1] Microsoft Windows Server 2003 Delta Guide by Don Jones, Mark Rouse. Why should new versions of mission-critical technologies mean starting from scratch? If you already know how to use Microsoft Windows Server 2000, leverage those skills to quickly become an expert on Microsoft Windows Server. Microsoft Windows Server 2003 Delta Guide skips the basics and moves straight to what's new and what's changed. [BUILD2] Inside Windows Server 2003 by William Boswell. Written for systems administrators, architects, and designers, this guide outlines an approach to deploying and administering Windows 2003, with guidelines on installation, configuration, and management. [BUILD3] Mastering Active Directory for Windows Server 2003 by Robert King, Robert R. King. Provides instructions on how to use Active Directory, the Windows Server 2003 component enabling you to manage all network resources through a single native environment. SLIDE TRANSITION: Microsoft also offers instructor-led courses to expand your knowledge on these topics. ADDITIONAL INFORMATION FOR PRESENTER: These books can be found and purchased at all reputable bookstores and from online retailers

57 Microsoft Learning Training resources for IT professionals
Title Available 2274 Managing a Microsoft Windows Server 2003 Environment Now 2275 Maintaining a Microsoft Windows Server 2003 Environment KEY MESSAGE: Talk about the E-Learning Course SLIDE BUILDS: 0 SLIDE SCRIPT: Microsoft Learning (formerly MS Training & Certification and MS Press) develops courseware called Microsoft Official Curriculum (MOC), which includes eLearning, MS Press Books, Workshops, Clinics, and Microsoft Skills Assessment. MOC is offered in instructor-led environments; it offers comprehensive training courses for IT professionals, support, and implement solutions using Microsoft products and technologies. The courses that best support this session are Managing a Microsoft Windows Server 2003 Environment and Maintaining a Microsoft Windows Server 2003 Environment, both of which are available now. For more information please visit SLIDE TRANSITION: There is also an assessment program available that can help you test your knowledge. ADDITIONAL INFORMATION FOR PRESENTER: To see the detailed syllabus or to find a training provider, visit

58 Assess Your Readiness Microsoft Skills Assessment
What is Microsoft Skills Assessment? A self-study learning tool to assess readiness for product and technology solutions, rather than job roles (certification). Windows Server 2003, Exchange Server 2003, Windows Storage Server 2003, Visual Studio .NET, Office 2003. Free, online, unproctored, and available to anyone. Answers the question: “Am I ready?” Determines skill gaps and provides learning plans with Microsoft Official Curriculum courses. Post your high score to see how you compare with others. Visit KEY MESSAGE: Microsoft Learning provides a free online learning tool SLIDE BUILDS: 0 SLIDE SCRIPT: Microsoft Skills Assessment is a free online learning tool. It’s an easy way for IT professionals to check their skills. You can quickly check your skills for implementing or managing Microsoft product or business solutions. Just take a short, 30 question assessment and see how well you know your stuff. The Skills Assessment includes a Personalized Learning Plan, which includes links to Microsoft Official Curriculum, specific TechNet articles, Microsoft Press books, and other Microsoft learning content. There’s also a way to measure how well you did compared with others who took the same assessment. Microsoft Skills Assessment is an expanding learning platform. Available now are assessments for Windows Server 2003, including security and patch management; Exchange Server 2003; Windows Storage Server; Office 2003; and Visual Studio .NET. SLIDE TRANSITION: If you want to take your skills assessment to the next level, there are a number of Certification programs available. ADDITIONAL INFORMATION FOR PRESENTER:

59 TechNet Subscriptions Have you heard the latest?
Software without time limits! Full-version evaluation software gives TechNet Plus subscribers greater flexibility. Complimentary technical support. The two complimentary technical support incidents included with every TechNet Plus subscription save you time when resolving mission-critical issues. Keep the most current resources on hand to evaluate, implement, and support Microsoft solutions, delivered monthly on CD or DVD, without depending on Internet connectivity or firewalls. Save by purchasing before March 1, 2005 KEY MESSAGE: TechNet Subscriptions SLIDE BUILDS: 0 SLIDE SCRIPT: Many of you may be familiar with the Microsoft TechNet events and the Web site, but have you heard the news about valuable benefits for TechNet Plus subscribers? Developed in response to customer feedback, TechNet Plus v2.0 is the most convenient and reliable source for evaluating, managing, and supporting Microsoft products. With TechNet Plus you can: Evaluate Microsoft software without time limits. This is a huge benefit and allows IT pros to try products such as Microsoft Office System and Windows Server System software without the worry of timing-out. Save time resolving mission-critical systems issues. TechNet Plus subscriptions include two complimentary technical support incidents to help IT pros resolve mission-critical issues fast. And, in countries where pay-per-incident support is offered, TechNet Plus subscribers receive a 20% discount on any additional support calls. TechNet Plus ensures there are resources available to address your technical issues, and that you have the most current resources on hand for evaluating, implementing, and supporting Microsoft solutions. For details on this visit SLIDE TRANSITION: TechNet also provides a number of community resources. ADDITIONAL INFORMATION FOR PRESENTER:

60 KEY MESSAGE: Tag line SLIDE BUILDS: 0 SLIDE SCRIPT: SLIDE TRANSITION: ADDITIONAL INFORMATION FOR PRESENTER:

61 Questions

