Managing and Maintaining a Microsoft-based Server Infrastructure

  • 7/31/2014
This chapter from Exam Ref 70-414: Implementing an Advanced Server Infrastructure discusses objectives surrounding server infrastructure management, including designing an administrative model, designing a monitoring strategy, and planning and implementing automated remediation.

The 70-414 exam looks to stretch your understanding of planning, implementation, and management of an advanced Microsoft-based infrastructure. The tools and products included in the exam are used in enterprise-level networks and emphasize automation, high availability, and self-service. The first chapter of this book discusses objectives surrounding server infrastructure management. Within this chapter and indeed the entire book, you’ll find hands-on examples that directly tie to the exam objectives, and you’ll find numerous links to more information on TechNet.

Objectives in this chapter:

  • Objective 1.1: Design an administrative model
  • Objective 1.2: Design a monitoring strategy
  • Objective 1.3: Plan and implement automated remediation

Objective 1.1: Design an administrative model

Designing an administrative model for an enterprise network involves a large amount of planning, especially in complex or highly structured enterprises. A good administrative model enables delegation of authority while enforcing the principle of least privilege: each administrator receives exactly the rights the job requires, on exactly the objects the job covers, and no more. Organizations differ in their needs, but most administrative models follow a common pattern. For example, a geographically dispersed organization may allow help desk personnel at a remote site to reset passwords for the users at that site only, without any rights over other sites or other attributes.

Understanding administrative model design considerations

Typical enterprise administrative and privilege models use groups to assign and delegate permissions. Groups save time and administration overhead by combining similar users and computers into one entity that can then be assigned permissions.

Groups can contain users, computers, and other groups, and each group is created as either a security group or a distribution group. Only security groups can be named in access control lists; the security group type is covered in this chapter, whereas distribution groups are used for email distribution lists and aren’t covered in this book. Groups are also scoped: a group’s scope determines where in the forest it can be granted permissions and where its members can come from. (Machine-local groups exist as well, but they are not AD DS objects.) Table 1-1 describes the three group scopes available in AD DS.

TABLE 1-1 Active Directory Domain Services group scope

  • Domain Local: Can be granted permissions only on resources in the domain where the group is defined. Members can come from any domain in the forest (or from a trusted forest): user and computer accounts, global groups, universal groups, and domain local groups from the same domain.
  • Global: Can be granted permissions on resources in any domain in the forest (or in a trusting forest), but members can come only from the domain in which the group is defined (accounts and other global groups from that domain).
  • Universal: Can be granted permissions on resources in any domain in the forest (or in a trusting forest), and members can come from any domain in the forest (accounts, global groups, and other universal groups). Universal group membership is stored in the global catalog.
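The following script is an added example, not code from the book. It implements the remote-site password-reset delegation described at the start of this objective using the group scopes in Table 1-1 in the usual AGDLP pattern: accounts go into a global group, the global group is nested in a domain local group, and only the domain local group appears in the ACL. The domain contoso.com, the OUs Branch-Paris and Groups, the group names and the user pdupont are assumptions; the two extended-right and schema GUIDs are the well-known AD values for Reset Password, the user class and the pwdLastSet attribute. Run it as a Domain Admin with the ActiveDirectory module installed.

```powershell
# Added example (not from the book): delegate "Reset Password" on user objects in one
# site's OU to that site's help desk, following the AGDLP pattern from Table 1-1.
# Assumed names: OU "Branch-Paris", OU "Groups", user "pdupont", and the two group names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Branch-Paris,$domainDN"          # assumed OU holding the site's users
$groupsDN = "OU=Groups,$domainDN"                # assumed OU for administrative groups

# A -> G: the people at the site go into a global group (members must be from this domain).
$global = New-ADGroup -Name "Paris-HelpDesk-G" -GroupScope Global -GroupCategory Security `
    -Path $groupsDN -PassThru
Add-ADGroupMember -Identity $global -Members "pdupont"

# G -> DL: the global group is nested in a domain local group that will carry the ACE.
# Domain local groups can only be used in this domain, which is where the OU lives.
$dl = New-ADGroup -Name "ACL-Paris-ResetPassword-DL" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupsDN -PassThru
Add-ADGroupMember -Identity $dl -Members $global

# DL -> P: grant the domain local group exactly one control-access right, "Reset Password",
# on user objects below the OU, plus write access to pwdLastSet so the help desk can tick
# "User must change password at next logon". Nothing else on the OU is touched.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the user class
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of pwdLastSet
$sid = [System.Security.Principal.SecurityIdentifier]$dl.SID

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the only ACEs on the OU naming the domain local group should be the two above.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\ACL-Paris-ResetPassword-DL" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize
```

Because the ACE names the domain local group rather than the people, moving help desk staff in and out of the site is a group-membership change that shows up in AD change auditing, not an ACL edit on the OU. The help desk gets no rights over groups, computers, or any other attribute of the user objects, which is the least-privilege outcome the model is meant to produce.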

User rights

Before looking at user rights, it’s important to agree on the definition of a user right. You can find a definition all the way back to Windows NT Server 4.0 in the “NT Server 4.0 Concepts and Planning Manual” on TechNet, where a right is defined as something that “authorized a user to perform certain actions on a computer system.” See http://technet.microsoft.com/en-us/library/cc751446.aspx for more discussion on the definition.

What’s important to realize is the distinction between a right and a permission. A right (also called a privilege) is held by an account and governs what that account can do on a computer as a whole, whereas a permission is stored in an object’s access control list and governs who can do what to that object. Rights can override permissions: for example, an account that holds the Back Up Files and Directories right, whether directly or through a group, can read every file on the computer even where the NTFS permissions would deny that access. More specifically, the Back Up Files and Directories right is equivalent to the following permissions on all files and folders:

  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions

The Back Up Files and Directories right is just one example of this concept. Table 1-2 shows several other security-related user rights available with Windows Server 2012. Each right also has a constant name, which is how the right appears in Security log events and in exported security templates, and which is the name used by the command-line and Windows PowerShell tooling discussed later in this section.

TABLE 1-2 Additional security-related user rights (user right, constant name in parentheses, and description)

  • Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege): Used by Credential Manager during backup and restore. This privilege is assigned only to the Winlogon service and should not be granted to any other account.
  • Access this computer from the network (SeNetworkLogonRight): Determines which accounts can connect to the computer over the network, which is required by protocols such as Server Message Block (SMB), NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
  • Act as part of the operating system (SeTcbPrivilege): Allows a process to act as a trusted part of the operating system and to obtain an access token for any user without authenticating. Holding it is equivalent to full control of the computer; grant it to no account.
  • Add workstations to domain (SeMachineAccountPrivilege): Enables a user to join computers to the domain.
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege): Enables a user to change the maximum memory that a process can consume.
  • Allow logon locally (SeInteractiveLogonRight): Enables a user to start an interactive session at the console.
  • Allow logon through Remote Desktop Services (SeRemoteInteractiveLogonRight): Enables a user to log on using Remote Desktop Services.
  • Back up files and directories (SeBackupPrivilege): Enables an account to bypass file, folder, and registry permissions for backup purposes, which amounts to read access to everything on the computer.
  • Bypass traverse checking (SeChangeNotifyPrivilege): Enables an account to pass through an NTFS folder hierarchy without being checked for the Traverse Folder permission on each folder.
  • Change the system time (SeSystemtimePrivilege): Enables a user to change the date and time on the local computer, which affects Kerberos ticket validation and event log timestamps.
  • Change the time zone (SeTimeZonePrivilege): Enables a user to change the time zone on the local computer.
  • Create a pagefile (SeCreatePagefilePrivilege): Enables a user to create a pagefile and change its settings, including its size.
  • Create a token object (SeCreateTokenPrivilege): Enables a process to create an access token directly, which can be used to impersonate any account; grant it to no account.
  • Create global objects (SeCreateGlobalPrivilege): Enables a process to create named objects in the global namespace that is visible to all sessions.
  • Create permanent shared objects (SeCreatePermanentPrivilege): Enables a process to create permanent objects in the object manager namespace; intended for kernel-mode components.
  • Create symbolic links (SeCreateSymbolicLinkPrivilege): Enables an account to create a file system symbolic link.
  • Debug programs (SeDebugPrivilege): Enables a user to attach a debugger to any process, including processes running as SYSTEM, and so to read and modify their memory. It is routinely abused to dump credentials from the LSASS process, so restrict it to Administrators.
  • Deny access to this computer from the network (SeDenyNetworkLogonRight): Prevents the listed accounts from connecting to the computer over the network; it overrides the corresponding allow right.
  • Deny logon as a batch job (SeDenyBatchLogonRight): Prevents an account from logging on using batch-related methods such as Task Scheduler.
  • Deny logon as a service (SeDenyServiceLogonRight): Prevents an account from logging on as a service.
  • Deny logon locally (SeDenyInteractiveLogonRight): Prevents an account from logging on at the computer console.
  • Deny logon through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight): Prevents an account from logging on to the computer using Remote Desktop Services.
  • Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege): Enables a user to set the Trusted for Delegation setting on user and computer accounts. Because delegation lets a service act as other users, this right should stay with Domain Admins.
  • Force shutdown from a remote system (SeRemoteShutdownPrivilege): Allows a user to shut down the computer from a remote connection.
  • Generate security audits (SeAuditPrivilege): Enables a process to write entries to the Security log.
  • Impersonate a client after authentication (SeImpersonatePrivilege): Enables a program to impersonate a client that has connected to it and act on that client’s behalf. Service accounts holding it are a common stepping stone to SYSTEM once they are compromised.
  • Increase a process working set (SeIncreaseWorkingSetPrivilege): Enables a user to increase the size of a process’s working set.
  • Increase scheduling priority (SeIncreaseBasePriorityPrivilege): Enables a user to increase the base priority of a process.
  • Load and unload device drivers (SeLoadDriverPrivilege): Enables a user to dynamically load or unload kernel-mode device drivers.
  • Lock pages in memory (SeLockMemoryPrivilege): Enables an account to keep data from a process in physical memory rather than paged to disk.
  • Log on as a batch job (SeBatchLogonRight): Enables an account to log on using batch-related methods, including Task Scheduler.
  • Log on as a service (SeServiceLogonRight): Enables an account to run a process as a service.
  • Manage auditing and security log (SeSecurityPrivilege): Enables a user to configure object auditing and to view and clear the Security log.
  • Modify an object label (SeRelabelPrivilege): Enables an account to modify the integrity labels used by Windows mandatory integrity control.
  • Modify firmware environment values (SeSystemEnvironmentPrivilege): Enables a user to modify firmware settings stored in non-volatile RAM (NVRAM).
  • Perform volume maintenance tasks (SeManageVolumePrivilege): Enables a user to perform volume- and disk management–related tasks, including opening a volume directly, which bypasses file permissions.
  • Profile single process (SeProfileSingleProcessPrivilege): Enables a user to view performance data for a process.
  • Profile system performance (SeSystemProfilePrivilege): Enables a user to collect system-wide performance data, as with the Windows Performance Monitor tools.
  • Remove computer from docking station (SeUndockPrivilege): Enables a user to undock a portable computer without logging on.
  • Replace a process level token (SeAssignPrimaryTokenPrivilege): Enables a process to replace the primary access token of a child process it starts.
  • Restore files and directories (SeRestorePrivilege): Enables a user to bypass permissions when restoring files and registry keys and to set any account as the owner of an object.
  • Shut down the system (SeShutdownPrivilege): Enables a locally logged-on user to shut down the system.
  • Synchronize directory service data (SeSyncAgentPrivilege): Enables an account to read all objects and attributes in the directory regardless of their permissions, as LDAP directory synchronization services require.
  • Take ownership of files or other objects (SeTakeOwnershipPrivilege): Enables an account to take ownership of any securable object on the computer, after which it can grant itself any permission on that object.

The constant names in Table 1-2 are what you work with outside the Group Policy editor. They appear in the [Privilege Rights] section of a security template (exported with secedit /export /cfg and applied with secedit /configure), in Security log events such as event ID 4672 (special privileges assigned to a new logon), and as parameters to the following privilege cmdlets:

  • Get-Privilege
  • Grant-Privilege
  • Revoke-Privilege
  • Test-Privilege

Note that these four cmdlets are not part of Windows or of the ActiveDirectory module; they come from the community Carbon module for Windows PowerShell (http://get-carbon.org/). Without it, assign rights through Group Policy or a security template.

As a general rule, user rights shouldn’t be assigned to accounts directly but should be granted to groups, so that what you audit and change is group membership rather than policy.
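The following script is an added example, not code from the book. It shows the two places where the constant names of Table 1-2 turn up in practice, using only tools that ship with Windows: it exports the local user rights assignment with secedit, resolves the SIDs, and reports holders of rights that make an account effectively SYSTEM, then reads Security event 4672 for logons that carried SeDebugPrivilege. The "dangerous" list and the list of expected holders are this example's own selection, not an official one. Run it in an elevated PowerShell session on the server you want to check.

```powershell
# Added example, not from the book: audit local user rights assignment by constant name
# using only built-in tools (secedit.exe and the Security log). Run elevated.
# The "dangerous" and "expected" lists below are this example's own choices.

function Get-UserRightsAssignment {
    # secedit exports rights as an INI-style [Privilege Rights] section, one line per right:
    #   SeDebugPrivilege = *S-1-5-32-544
    # Principals are SIDs prefixed with "*" (account names can also appear literally).
    $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [Guid]::NewGuid())
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    try {
        $inSection = $false
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]
            foreach ($p in ($Matches[2] -split ',')) {
                $p = $p.Trim()
                if (-not $p) { continue }
                $name = $p
                if ($p.StartsWith('*')) {
                    # Translate the SID to an account name; keep the raw SID if it no longer
                    # resolves, because an orphaned SID in a rights assignment deserves a look too.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid.Value }
                }
                [PSCustomObject]@{ Right = $right; Principal = $name }
            }
        }
    }
    finally { Remove-Item -Path $tmp -ErrorAction SilentlyContinue }
}

# Rights whose holder can read or alter any file, process or token on the computer,
# i.e. is effectively SYSTEM regardless of what the ACLs say.
$dangerous = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeCreateTokenPrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege', 'SeManageVolumePrivilege'

# Holders that are present on a default installation; anything else is a finding.
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE',
            'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE'

Get-UserRightsAssignment |
    Where-Object { $dangerous -contains $_.Right -and $expected -notcontains $_.Principal } |
    Sort-Object Right, Principal |
    Format-Table -AutoSize

# The same constant names appear in Security event 4672 ("Special privileges assigned to new
# logon"), written for every logon session that holds a sensitive privilege. Property 4 of
# that event is the privilege list; show which accounts logged on today holding SeDebugPrivilege.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).Date } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value -match 'SeDebugPrivilege' } |
    ForEach-Object { '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } |
    Group-Object |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, @{ n = 'Logons'; e = { $_.Count } } |
    Format-Table -AutoSize
```

On a default member server the first report lists only BUILTIN\Backup Operators (for SeBackupPrivilege and SeRestorePrivilege); that is intentional, because membership in Backup Operators is read access to everything and should be reviewed like any other privileged group. Any named user account or unfamiliar group in the output is a direct assignment that the guidance above says should not exist.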

Built-in groups

Built-in groups, also called default groups, are created with the operating system, and many of them already hold user rights. Which rights a group holds also depends on the role of the computer. For example, the Allow Logon Locally right is granted to the following groups on workstations and member servers:

  • Administrators
  • Backup Operators
  • Users

By contrast, the following groups have the Allow Logon Locally right for domain controllers:

  • Account Operators
  • Administrators
  • Backup Operators
  • Print Operators
  • Server Operators

Table 1-3 shows the local groups for a computer and the user rights granted to them by default.

TABLE 1-3 User rights for local groups

  • Administrators: Access this computer from the network; Adjust memory quotas for a process; Allow logon locally; Allow logon through Remote Desktop Services; Back up files and directories; Bypass traverse checking; Change the system time; Change the time zone; Create a pagefile; Create global objects; Create symbolic links; Debug programs; Force shutdown from a remote system; Impersonate a client after authentication; Increase scheduling priority; Load and unload device drivers; Log on as a batch job; Manage auditing and security log; Modify firmware environment values; Perform volume maintenance tasks; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
  • Backup Operators: Access this computer from the network; Allow logon locally; Back up files and directories; Bypass traverse checking; Log on as a batch job; Restore files and directories; Shut down the system
  • Cryptographic Operators: No user rights granted by default
  • Distributed COM Users: No user rights granted by default
  • Guests: No user rights granted by default
  • IIS_IUSRS: No user rights granted by default
  • Network Configuration Operators: No user rights granted by default
  • Performance Log Users: No user rights granted by default
  • Performance Monitor Users: No user rights granted by default
  • Power Users: No user rights granted by default
  • Remote Desktop Users: Allow logon through Remote Desktop Services
  • Replicators: No user rights granted by default
  • Users: Access this computer from the network; Allow logon locally; Bypass traverse checking; Change the time zone; Increase a process working set; Remove computer from docking station; Shut down the system
  • Offer Remote Assistance Helpers: No user rights granted by default

AD DS also contains default groups. These groups are placed into either the Builtin or Users container.

Table 1-4 describes the groups in the Builtin container.

TABLE 1-4 Groups in the Builtin container

  • Account Operators: Allow logon locally; Shut down the system
  • Administrators: Access this computer from the network; Adjust memory quotas for a process; Allow logon locally; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
  • Backup Operators: Allow logon locally; Back up files and directories; Restore files and directories; Shut down the system
  • Guests: No user rights granted by default
  • Incoming Forest Trust Builders: No user rights granted by default; exists in the forest root domain only
  • Network Configuration Operators: No user rights granted by default
  • Performance Monitor Users: No user rights granted by default
  • Performance Log Users: No user rights granted by default
  • Pre-Windows 2000 Compatible Access: Access this computer from the network; Bypass traverse checking
  • Print Operators: Allow logon locally; Load and unload device drivers; Shut down the system
  • Remote Desktop Users: No user rights granted by default
  • Replicator: No user rights granted by default
  • Server Operators: Allow logon locally; Back up files and directories; Change the system time; Force shutdown from a remote system; Restore files and directories; Shut down the system
  • Users: No user rights granted by default

Note that the rights in Table 1-4 are exercised on domain controllers. Account Operators, Backup Operators, Print Operators, and Server Operators can all log on locally to a domain controller, and Backup Operators and Server Operators can read every file on it, including the directory database, so these groups should be treated as privileged and kept empty unless a specific task requires them.

Table 1-5 describes the groups in the Users container.

TABLE 1-5 Groups in the Users container

  • Cert Publishers: No user rights granted by default
  • DnsAdmins: No user rights granted by default; created when the DNS Server role is installed
  • DnsUpdateProxy: No user rights granted by default; created when the DNS Server role is installed
  • Domain Admins: Holds, through its membership in the domain’s Administrators group, all of the following rights on domain controllers: Access this computer from the network; Adjust memory quotas for a process; Allow logon locally; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
  • Domain Computers: No user rights granted by default
  • Domain Controllers: No user rights granted by default
  • Domain Guests: No user rights granted by default
  • Domain Users: No user rights granted by default
  • Enterprise Admins (exists in the forest root domain only): Access this computer from the network; Adjust memory quotas for a process; Allow logon locally; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects
  • Group Policy Creator Owners: No user rights granted by default
  • IIS_WPG: No user rights granted by default; installed with IIS
  • RAS and IAS Servers: No user rights granted by default
  • Schema Admins: No user rights granted by default; exists in the forest root domain only

Built-in groups are different from special identities. A special identity is a group whose membership is determined by the system, based on how an account logged on or connected, rather than assigned by an administrator; the Everyone group is the best-known example. Special identities include those in Table 1-6.

TABLE 1-6 Special identities

  • Anonymous Logon: Connections made without supplying credentials (null sessions); used for anonymous access to services and resources
  • Everyone: All users who can access the computer, including Guest; since Windows Server 2003 it no longer includes Anonymous Logon by default
  • Interactive: Users who are logged on at the computer console or through a Remote Desktop session
  • Network: Users who are accessing the computer’s resources over the network

Understanding delegation in System Center 2012 R2

Microsoft System Center 2012 R2 consists of several products, including Configuration Manager, Operations Manager, Data Protection Manager, Service Manager, Orchestrator, App Controller, and Virtual Machine Manager (VMM). The products used in the organization determine the delegation structure. For example, certain roles apply only to Virtual Machine Manager and others only to Configuration Manager; if the organization doesn’t use VMM, those roles wouldn’t be used. However, the concepts of delegated authority and role-based administration apply no matter which products are in use. This section examines delegation for Configuration Manager and Operations Manager; delegation in Virtual Machine Manager and App Controller is covered later in this chapter.

Role-based administration

System Center 2012 R2 uses role-based administration to facilitate the structure needed in many organizations. Using role-based administration you can limit the authority and scope of permissions to the least amount necessary in order to complete a task. For example, an organization may grant the ability to change passwords for normal users to help desk staff. This scenario can be accomplished by granting the limited privileges to the help desk personnel. An important concept surrounding role-based administration in System Center is administrative scope. Administrative scope defines the permissions that a given user has on objects within the scope’s control. Administrative scopes consist of:

  • Security roles
  • Collections
  • Security scopes

Security Roles

Security roles, which you might think of like a group in Active Directory, are used to grant sets of permissions to users based on their role. For example, the Asset Analyst role is granted certain permissions to view Asset Intelligence and inventory information. Users can then be given the Asset Analyst role to do their job.

Each security role is granted specific permissions, such as Approve, Create, Delete, Modify, and so on. The permissions apply to specific object types within System Center. There are several built-in security roles that come with Configuration Manager and with other System Center products. The permissions granted to these roles can’t be changed. However, the roles can be copied, and a new role can be built and modified as needed.

The general steps for planning security roles are:

  1. Identify tasks. Examine the responsibilities for administrators. For example, you might have administrators that are responsible for client security while others are responsible for software updates.
  2. Map tasks to roles. Determine how the responsibilities connect to built-in security roles.
  3. Assign roles. Assign roles to users. If a user has responsibilities across multiple roles, assign that user to multiple roles.
  4. Create new roles (optional). Create new roles if the responsibilities don’t map to one or more of the built-in roles.

Collections

Computers and users are grouped into collections in Configuration Manager. Collections are important in the hierarchical delegation of administration for Configuration Manager. Collections can be created to meet the needs of the organization. For example, you might create a collection for each physical location in an organization, or you might create a functional collection that includes all servers or all client computers. Like security roles, there are several built-in collections that can’t be modified. Collections become very useful when you want to distribute software, provide reporting, or ensure configuration changes are consistent across the devices within the collection.

Security Scopes

Security scopes can be used to grant access to securable objects by type. Security scopes provide granular access control. However, security scopes can’t be nested or used in a hierarchical manner. Security scopes are useful for segregating objects of the same type so that different levels of access can be granted to them. For instance, if a set of administrators should be granted full access only to non-production servers, the servers can be scoped to separate production from development servers.

There are two built-in security scopes:

  • All: Grants access to every scope. Objects cannot be assigned to this scope; a user who holds it sees everything.
  • Default: Installed with Configuration Manager. Every new object is placed in the Default scope unless you assign another, so until you re-scope objects this scope also effectively covers everything.

Certain objects can’t be secured by security scopes. Instead, access to these objects is granted using security roles. Objects that can’t be included in security scopes are:

  • Active Directory forests
  • Administrative users
  • Alerts
  • Boundaries
  • Computer associations
  • Default client settings
  • Deployment templates
  • Device drivers
  • Exchange server connectors
  • Migration site-to-site mappings
  • Mobile device enrollment profiles
  • Security roles
  • Security scopes
  • Site addresses
  • Site system roles
  • Software titles
  • Software updates
  • Status messages
  • User device affinities

Delegation design

Hierarchical structure is important for designing a delegated administration for System Center. When it is properly structured, you can delegate responsibilities merely by using scopes and security roles. However, as the organization’s needs change, so too will the needs for delegated administration. For example, if a merger takes place, the newly merged company may need to manage its own site.

Designing delegation involves determining the following:

  • Who Who is responsible for managing a given client computer or server? Determine the various tasks involved in administration, whether that’s software updates, security, or anything else that System Center can do. These tasks will map to security roles.
  • Which and Where Which computers, servers, or other objects will those people manage, based on their roles? Where are those objects located, both physically and logically? For instance, there may be different responsibilities based on physical location or logical location (production versus test). Collections are used to group the objects together in Configuration Manager, and security scopes can be used to provide more granular control over the objects.
  • What What permissions do administrators need on a given object? Permissions can be changed within the security roles, and their scope can be limited through security scopes.
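The following script is an added example, not code from the book. It carries the who / which-and-where / what mapping above through the Configuration Manager cmdlets for one delegated role: a remote-site help desk that should see and remotely control only that site’s workstations. The site code PS1, the collection name, the AD group name and the chosen built-in role are assumptions. The cmdlet and parameter names are those of the System Center 2012 R2 ConfigurationManager module as used here; confirm them with Get-Help in your console version before running.

```powershell
# Added example, not from the book: implement the who / which-and-where / what mapping
# with the ConfigurationManager cmdlets. Assumed names: site code PS1, device collection
# "Paris Workstations", AD group CONTOSO\Paris-HelpDesk-G. Verify cmdlet and parameter
# names with Get-Help in your console version.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

# WHICH and WHERE: the collection that groups the devices the Paris help desk looks after,
# and a security scope that tags those devices so no other role reaches them.
$coll = Get-CMDeviceCollection -Name 'Paris Workstations'
New-CMSecurityScope -Name 'Paris' -Description 'Objects owned by the Paris site' | Out-Null
Add-CMObjectSecurityScope -InputObject $coll -Name 'Paris'
# Every object starts in the Default scope; take it off the collection, otherwise any
# role that holds Default (most of them) still sees it.
Remove-CMObjectSecurityScope -InputObject $coll -Name 'Default'

# WHAT: built-in roles can't be edited, so copy the closest one. Remote Tools Operator
# grants remote control and read access to devices; trim the copy further in the console
# (Administration > Security > Security Roles > Properties > Permissions) if even that is
# more than the task needs.
Copy-CMSecurityRole -SourceRoleName 'Remote Tools Operator' -Name 'Paris Help Desk' | Out-Null

# WHO: bind the AD group (never individual accounts) to the role, the scope and the
# collection. The administrative user's reach is the intersection of the three.
New-CMAdministrativeUser -Name 'CONTOSO\Paris-HelpDesk-G' -RoleName 'Paris Help Desk' `
    -SecurityScopeName 'Paris' -CollectionName 'Paris Workstations' | Out-Null

# Verify: the role, the scope (reported as CategoryNames) and the collection the user is
# limited to. Anything more than one entry in each column is a broader grant than intended.
Get-CMAdministrativeUser -Name 'CONTOSO\Paris-HelpDesk-G' |
    Select-Object LogonName, RoleNames, CategoryNames, CollectionNames
```

The point of re-scoping the collection away from Default is easy to miss in the console: a copied role with a restricted collection still shows every device whose objects sit in a scope the user holds, so "which" is enforced by the scope assignment on the objects as much as by the collection on the user.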

Configuration Manager

System Center 2012 R2 Configuration Manager is an important piece of enterprise IT management. Configuration Manager provides a unified solution for management of operating systems, devices, software updates, asset inventory, and more. Using Configuration Manager, an enterprise can deliver software to devices within the organization and ensure consistency of updates and configurations. Configuration Manager also integrates with other System Center products and with other services like Windows Intune.

Configuration Manager can be deployed as a single stand-alone primary site or as a hierarchy in which a central administration site (CAS) sits above one or more primary sites, each of which can have secondary sites beneath it. A stand-alone primary site suits small implementations or small networks, whereas a hierarchy with a central administration site suits larger enterprises, especially those that need hierarchical or delegated management.

Site system roles

Within Configuration Manager, site system roles are used to define what tasks the various servers perform within a site. Site system roles shouldn’t be confused with role-based administration, which is also covered in this section. Table 1-7 describes some of the typical site system roles.

TABLE 1-7 Core site system roles

  • Component server: A basic role responsible for running Configuration Manager services. It is installed automatically along with every other site system role except the distribution point.
  • Site database server: The server that runs the SQL Server database in which the site’s configuration and collected data are stored.
  • Site server: The server that provides the core functionality of Configuration Manager for a site.
  • Site system: A basic role installed on every computer that hosts any site system role.
  • SMS Provider: The WMI provider that sits between the Configuration Manager console (and the cmdlets) and the site database. The SMS Provider can be installed only on a computer in the same domain as the site server.

Multiple site system roles typically run on a single server, especially in new or small implementations of Configuration Manager. Additional servers can be deployed as distribution points to ensure availability of software packages and related files or to provide those files at strategic locations. For example, you might place a distribution point close to a large number of client computers.

Aside from the core site system roles, other site system roles may be used. Table 1-8 describes some other site system roles.

TABLE 1-8 Additional site system roles

  • Application Catalog web service point: Provides information from the Software Library to the Application Catalog website.
  • Application Catalog website point: The website on which users browse and request available software from the Application Catalog.
  • Asset Intelligence synchronization point: Exchanges Asset Intelligence catalog information with Microsoft.
  • Certificate registration point: New in System Center 2012 R2, this role communicates with Network Device Enrollment Service (NDES) to issue certificates to devices using the Simple Certificate Enrollment Protocol (SCEP). It cannot be installed on the server that runs NDES.
  • Distribution point: Holds software packages, updates, operating system images, and other content for clients to download.
  • Endpoint Protection point: Accepts the Endpoint Protection license terms and configures the default membership level for Microsoft Active Protection Service.
  • Enrollment point: Completes enrollment of mobile devices and Mac computers using a public key infrastructure, and provisions Intel Active Management Technology (AMT) computers.
  • Enrollment point proxy: Manages enrollment requests from mobile devices and Mac computers.
  • Fallback status point: Monitors client installation and identifies clients that can’t communicate with their management point.
  • Management point: Sends policy and service location information to clients and receives configuration data, such as inventory and state, from them.
  • Out of band service point: Provisions and configures Intel AMT computers for out-of-band management.
  • Reporting services point: Works with SQL Server Reporting Services to create and manage Configuration Manager reports.
  • Software update point: Works with Windows Server Update Services (WSUS) to provide software updates to clients.
  • State migration point: Stores user state data while a client is migrated to a new operating system.
  • System Health Validator point: Validates Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.
  • Windows Intune connector: Manages mobile devices enrolled in Windows Intune from the Configuration Manager console. Available beginning with Service Pack 1 (SP1).

Operations Manager

System Center 2012 R2 Operations Manager provides monitoring capabilities to computers across an enterprise. The roles necessary within Operations Manager include those to create monitoring configurations, view and edit reports, and provide overall administration, among others.

Operations Manager uses many of the same concepts as the other System Center products for delegating rights. Each user role combines a profile (a fixed set of privileges that cannot be edited) with a scope (the groups, objects, tasks, dashboards, and views the role may act on). Operations Manager ships one built-in user role for each profile:

  • Administrator
  • Advanced Operator
  • Application Monitoring Operator
  • Author
  • Operator
  • Read-only Operator
  • Report Operator
  • Report Security Administrator

Most of the built-in user roles can be changed through their properties: the scope can be adjusted, as can the tasks, dashboards, and views available to the role, as Figure 1-1 shows. The exception is the Administrator role, which always covers everything; only its membership can be changed.

FIGURE 1-1 Changing the dashboards and views available to one of the built-in user roles in Operations Manager

Each of the built-in user roles can contain one or more local or Active Directory–based groups or users. For example, the Operations Manager Administrators user role (shown in Figure 1-1) contains the BUILTIN\Administrators group.

You can also create user roles within Operations Manager by using the Create User Role Wizard. When creating a new user role you first choose the type of user role on which the new user role will be based from among these choices:

  • Operator
  • Read-Only Operator
  • Author
  • Advanced Operator

Each of these profiles provides certain privileges that are connected to that profile. For example, the Author profile contains privileges specific to creating monitoring configurations.

Understanding self-service portal design using Service Manager

Maintaining an enterprise server infrastructure can be accomplished in a number of ways, but when considering management solutions that scale to large environments, the System Center 2012 R2 family of products comes to the forefront. For example, with Service Manager, you can create a self-service portal for end users, among other things. Service Manager provides incident and configuration management while enabling visibility into current issues. Service Manager uses a Configuration Management Database (CMDB) to provide a master location for all changes, issues, and requests for an infrastructure. Service Manager integrates with other System Center 2012 R2 products to provide an end-to-end solution.

At a minimum, there are three components to a Service Manager implementation: a management server, a configuration management database server, and the management console. Additional components can be added for things like data warehousing, which then facilitates reporting.

Using the self-service portal, users can find answers to common support questions, change their passwords, create help-desk tickets, and request software. When designing a management structure, you should consider deployment of the self-service portal to ease the burden on IT and the help desk for common requests. The end-user self-service portal requires a Silverlight component to run on the client computer and thus is applicable only to those platforms that can run Silverlight through the browser.

Delegating rights for the private cloud

System Center 2012 Virtual Machine Manager provides a centralized management console for virtual machines, such as those managed by Hyper-V. VMM manages virtual machines, networks, and storage as resources, which are then configured within the organization. A VMM deployment consists of a management server, database, library (and library server), and console.

Another component of managing the private cloud is App Controller. App Controller looks at service provision from a service-oriented view rather than from a server or software view. In other words, using App Controller you can connect the components that make up a service to facilitate management.

User roles can be created to manage various aspects of private cloud-based virtualization infrastructure. Virtual Machine Manager can be used to create such a delegation, and then App Controller can be used to manage the private cloud.

Rights are managed within the User Roles area of the Security section in the Settings area of Virtual Machine Manager. User roles can be created using individual user accounts or using Active Directory groups. The scope of the user role can then be assigned to the private cloud, as shown in Figure 1-2.

FIGURE 1-2 Assigning a scope to a user role for private clouds in Virtual Machine Manager

Members that have been assigned to the new user role will be able to log on to App Controller and manage private clouds within the user role scope.

An alternate method to assign access is by clicking Assign Cloud from the VMs and Services section in Virtual Machine Manager. Doing so enables you to select the user role to be assigned privileges for a given cloud or to create a new user role for the private cloud, as shown in Figure 1-3.

FIGURE 1-3 Assigning a user role to a cloud in the Assign Cloud dialog box
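The same delegation can be scripted with the Virtual Machine Manager cmdlets. The script below is an added example, not code from the book: it creates a user role from the Delegated Administrator profile, scopes it to a single private cloud rather than to the whole VMM instance, adds an Active Directory group as the member, and reads the role back to verify the result. The VMM server name, the cloud name, and the group name are hypothetical, and the `Members`, `Scope`, and `Profile` property names used in the verification step are assumptions about the user role object.

```powershell
# Added example (not from the book): delegate one private cloud to an AD group
# with the VMM 2012 R2 cmdlets. Server, cloud and group names are hypothetical.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'vmm01.contoso.com' | Out-Null

# Fail early rather than create a role with an empty scope.
$cloud = Get-SCCloud -Name 'Production Cloud'
if (-not $cloud) { throw 'Cloud not found; check the name before delegating.' }

# DelegatedAdmin gives full control over the objects in scope but none of the
# VMM-wide settings. The scope is the single cloud, not all hosts and clouds.
$role = New-SCUserRole -Name 'Production Cloud Admins' `
                       -UserRoleProfile DelegatedAdmin `
                       -Description 'Delegated administrators for the production private cloud'

Set-SCUserRole -UserRole $role `
               -AddMember 'CONTOSO\ProdCloud-Admins' `
               -AddScope $cloud

# Verify: the role should show exactly one member and one scope object.
# Property names (Members, Scope, Profile) are assumed.
Get-SCUserRole -Name 'Production Cloud Admins' |
    Select-Object Name, Profile,
        @{ n = 'Members'; e = { $_.Members -join ', ' } },
        @{ n = 'Scope';   e = { ($_.Scope | ForEach-Object { $_.Name }) -join ', ' } }
```

Members of the new group can then log on to App Controller and see only the scoped cloud. If the intent is end-user self-service rather than delegated administration, create the role from the SelfServiceUser profile instead and restrict what it can do with the -PermittedActions parameter of Set-SCUserRole, together with quotas on the cloud; a Delegated Administrator role is too broad for that purpose.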

Objective summary

  • User rights and built-in groups can be used to provide a robust administrative model.
  • Certain user rights shouldn’t be assigned to users or groups but are instead used by system processes and functions.
  • Built-in groups have certain user rights inherently assigned to them.
  • System Center 2012 R2 can utilize a delegated administration structure that enables separation of responsibilities within an infrastructure.
  • Security roles, security scopes, and collections are all used to facilitate the delegated administration structure necessary.
  • Determining the who, the which and where, and the what of each delegation is a helpful way to design a role-based delegation structure.
  • Service Manager is used to provide end-user self service.
  • Service Manager requires at least three components: a management server, a configuration management database server, and the management console (the console is installed on an administrator's computer and is not itself a server).

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. Which of the following permissions allows the currently logged on user to shut the computer down?

    1. SeShutdownComputer
    2. SeShutdownPrivilege
    3. SePrivilegeShutdown
    4. En_ShutdownComputerPermission
  2. Which of the following is not a privilege of the built-in Backup Operators group?

    1. Shut down the system
    2. Create symbolic links
    3. Back up files and directories
    4. Allow logon locally
  3. Which of the following roles provides the core functionality for System Center Configuration Manager?

    1. Site server
    2. Component server
    3. Core server
    4. Site Core server
  4. Which of the following are not built-in security scopes in Configuration Manager?

    1. All
    2. System
    3. Administrator
    4. Default