Managing and Maintaining a Microsoft-based Server Infrastructure
- 7/31/2014
The 70-414 exam looks to stretch your understanding of planning, implementation, and management of an advanced Microsoft-based infrastructure. The tools and products included in the exam are used in enterprise-level networks and emphasize automation, high availability, and self-service. The first chapter of this book discusses objectives surrounding server infrastructure management. Within this chapter and indeed the entire book, you’ll find hands-on examples that directly tie to the exam objectives, and you’ll find numerous links to more information on TechNet.
Objectives in this chapter:
- Objective 1.1: Design an administrative model
- Objective 1.2: Design a monitoring strategy
- Objective 1.3: Plan and implement automated remediation
Objective 1.1: Design an administrative model
Designing an administrative model for an enterprise network involves a large amount of planning, especially in complex or highly structured enterprises. A good administrative model will enable delegation of authority while also enforcing the principle of least privilege. Many organizations have unique needs, but the overall administrative model can follow a common pattern. For example, an organization that’s geographically dispersed may allow personnel at remote locations to change passwords for users at that remote site.
Understanding administrative model design considerations
Typical enterprise administrative and privilege models use groups to assign and delegate permissions. Groups save time and administration overhead by combining similar users and computers into one entity that can then be assigned permissions.
Groups can contain users and computers, and each group is created as either a security group or a distribution group. The security group type is covered in this chapter; distribution groups are typically used to create email distribution lists and aren’t covered in this book. Groups are also scoped, which means that they can apply locally to a computer, to a domain, or to an entire forest. Table 1-1 describes the three group scopes available in AD DS.
TABLE 1-1 Active Directory Domain Services group scope

| Group Scope | Description |
| --- | --- |
| Domain Local | Members of a Domain Local group can be granted permissions only within the domain where the Domain Local group is located. The group can contain any combination of groups with domain local, global, or universal scope. |
| Global | Members of a Global group can be granted permissions in any domain within the forest, but members can come only from the domain in which the group is defined. |
| Universal | Members of a Universal group can be granted permissions in any domain or forest and can originate from any domain or forest. |
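As an added example (not from the book), the following Windows PowerShell script implements the remote-site scenario from the introduction: a Global security group for the site help desk is created and delegated only the rights needed to reset passwords for users in that site's OU. The domain contoso.com, the OU names Branch01 and Groups, and the group name Branch01-HelpDesk are assumptions for this example.

```powershell
# Added example: least-privilege delegation of password reset for one site.
# Assumptions: domain contoso.com, OU=Branch01 holds that site's user accounts,
# OU=Groups holds delegation groups. Run from an elevated session with the
# ActiveDirectory module (RSAT) installed and rights to modify the OU ACL.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'
$siteOu   = "OU=Branch01,$domainDn"
$group    = 'Branch01-HelpDesk'
$acct     = "CONTOSO\$group"

# Global scope (Table 1-1): members come from this domain, and the group can be
# granted permissions anywhere in the forest. A security group, not distribution.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -SamAccountName $group -GroupCategory Security `
        -GroupScope Global -Path "OU=Groups,$domainDn" `
        -Description 'Can reset passwords for Branch01 users only'
}

# Delegate only what a password reset needs, and only on user objects beneath the
# site OU (/I:S applies the ACE to sub-objects of the named class, not the OU itself):
#   CA;Reset Password;user  - the "Reset Password" control access right
#   RPWP;pwdLastSet;user    - read/write pwdLastSet so "change at next logon" works
dsacls $siteOu /I:S /G "${acct}:CA;Reset Password;user"
dsacls $siteOu /I:S /G "${acct}:RPWP;pwdLastSet;user"

# Verify the result: list the ACEs on the OU that reference the group, so the
# delegation can be reviewed (and re-audited later) without opening the GUI.
(Get-Acl "AD:\$siteOu").Access |
    Where-Object { $_.IdentityReference -eq $acct } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

The verification step should show only the two delegated ACEs; anything broader (for example GenericAll) means the delegation was wider than intended and should be corrected before members are added.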
User rights
Before looking at user rights, it’s important to agree on the definition of a user right. You can find a definition all the way back to Windows NT Server 4.0 in the “NT Server 4.0 Concepts and Planning Manual” on TechNet, where a right is defined as something that “authorized a user to perform certain actions on a computer system.” See http://technet.microsoft.com/en-us/library/cc751446.aspx for more discussion on the definition.
What’s important to realize is the distinction between a right and a permission. A right defines what a user can do on a computer system, whereas permissions apply to objects. Rights can override permissions in certain instances. For example, if a user is a member of a group that has the Back Up Files and Directories right, or has been granted that right directly, that user inherently has read access to the files on the computer, even if permissions would normally deny such access. More specifically, the Back Up Files and Directories right effectively grants the following permissions:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
The Back Up Files and Directories right is just one example of this concept. Table 1-2 shows several other security-related user rights available with Windows Server 2012. An abbreviated constant name applies to each of the rights described in Table 1-2. The constant names are used for logging and can also be used for Windows PowerShell, as discussed later in this section.
TABLE 1-2 Additional security-related user rights

| User Right | Description | Constant Name |
| --- | --- | --- |
| Access Credential Manager as a trusted caller | Applies to Credential Manager during backup-related processes. This privilege is assigned to the Winlogon service only and should not be assigned to user accounts. | SeTrustedCredManAccessPrivilege |
| Access this computer from the network | Determines whether a user can use protocols that access a given computer, such as Server Message Block (SMB), NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). | SeNetworkLogonRight |
| Act as part of the operating system | Applies to processes to determine whether they can use a user’s identity to gain access to the privileges granted to that user. | SeTcbPrivilege |
| Add workstations to domain | Enables a user to add a computer to a domain. | SeMachineAccountPrivilege |
| Adjust memory quotas for a process | Enables a user to change the memory used by a process. | SeIncreaseQuotaPrivilege |
| Allow logon locally | Enables a user to start an interactive session. | SeInteractiveLogonRight |
| Allow logon through Remote Desktop Services | Enables a user to log on using Remote Desktop Services. | SeRemoteInteractiveLogonRight |
| Back up files and directories | Enables an account to bypass permissions for backup purposes. | SeBackupPrivilege |
| Bypass traverse checking | Enables an account to traverse an NTFS file system without needing to check the Traverse Folder permission. | SeChangeNotifyPrivilege |
| Change the system time | Enables a user to change the time on the local computer. | SeSystemtimePrivilege |
| Change the time zone | Enables a user to change the time zone on the local computer. | SeTimeZonePrivilege |
| Create a pagefile | Enables a user to change settings around the pagefile, including its size. | SeCreatePagefilePrivilege |
| Create a token object | Enables a process to create a token using the privileged account. | SeCreateTokenPrivilege |
| Create global objects | Enables creation of global objects. | SeCreateGlobalPrivilege |
| Create permanent shared objects | Enables creation of directory objects. | SeCreatePermanentPrivilege |
| Create symbolic links | Enables an account to create a file system symbolic link. | SeCreateSymbolicLinkPrivilege |
| Debug programs | Enables a user to attach to a process for debugging. | SeDebugPrivilege |
| Deny access to this computer from the network | Prevents users from accessing the computer over the network. | SeDenyNetworkLogonRight |
| Deny logon as a batch job | Prevents an account from logging on using batch-related methods. | SeDenyBatchLogonRight |
| Deny logon as a service | Prevents an account from logging on as a service. | SeDenyServiceLogonRight |
| Deny logon locally | Prevents an account from logging on locally at a computer console. | SeDenyInteractiveLogonRight |
| Deny logon through Remote Desktop Services | Prevents users from logging on to a computer using Remote Desktop Services. | SeDenyRemoteInteractiveLogonRight |
| Enable computer and user accounts to be trusted for delegation | Enables a user to set the Trusted for Delegation setting. | SeEnableDelegationPrivilege |
| Force shutdown from a remote system | Allows a user to shut down a computer when connected remotely. | SeRemoteShutdownPrivilege |
| Generate security audits | Enables an account to generate audit records in the security log. | SeAuditPrivilege |
| Impersonate a client after authentication | Enables a program to impersonate a user or account and act on behalf of that user or account. | SeImpersonatePrivilege |
| Increase a process working set | Enables a user to increase the size of the working set of a process. | SeIncreaseWorkingSetPrivilege |
| Increase scheduling priority | Enables a user to increase the base priority of a process. | SeIncreaseBasePriorityPrivilege |
| Load and unload device drivers | Enables a user to dynamically load or unload device drivers. | SeLoadDriverPrivilege |
| Lock pages in memory | Enables an account to keep data from a process in physical memory. | SeLockMemoryPrivilege |
| Log on as a batch job | Enables an account to log on using batch-related methods, including Task Scheduler. | SeBatchLogonRight |
| Log on as a service | Enables a service account to register a process. | SeServiceLogonRight |
| Manage auditing and security log | Enables a user to work with auditing and the security log. | SeSecurityPrivilege |
| Modify an object label | Enables an account to modify integrity labels used by Windows Integrity Controls (WIC). | SeRelabelPrivilege |
| Modify firmware environment values | Enables a user to modify non-volatile RAM (NVRAM) settings. | SeSystemEnvironmentPrivilege |
| Perform volume maintenance tasks | Enables a user to do volume- and disk management–related tasks. | SeManageVolumePrivilege |
| Profile single process | Enables a user to view performance aspects of a process. | SeProfileSingleProcessPrivilege |
| Profile system performance | Enables a user to use the Windows Performance Monitor tools. | SeSystemProfilePrivilege |
| Remove computer from docking station | Enables a user to undock a computer without logging on. | SeUndockPrivilege |
| Replace a process level token | Enables a process to replace the access token of a child process. | SeAssignPrimaryTokenPrivilege |
| Restore files and directories | Enables a user to bypass the normal permission checks when restoring. | SeRestorePrivilege |
| Shut down the system | Enables a local user to shut down the system. | SeShutdownPrivilege |
| Synchronize directory service data | Enables a user to synchronize directory service data, such as LDAP directory synchronization. | SeSyncAgentPrivilege |
| Take ownership of files or other objects | Enables an account to take ownership of objects on the computer. | SeTakeOwnershipPrivilege |
The constant name described in Table 1-2 can be used with Windows PowerShell cmdlets related to privileges:
- Get-Privilege
- Grant-Privilege
- Revoke-Privilege
- Test-Privilege
As described in Table 1-2, user rights generally shouldn’t be applied to accounts directly, but rather should be granted through the use of groups.
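As an added example (not from the book), the following Windows PowerShell script audits which accounts hold a handful of the high-impact rights from Table 1-2 on the local computer, using the same constant names. It exports the User Rights Assignment policy with secedit, translates the SIDs to account names, and compares them against the default holders shown in Table 1-3; the baseline hash table is an assumption for this example and should be replaced with the organization's own standard.

```powershell
# Added example: audit User Rights Assignment against an expected baseline.
# Run from an elevated session; secedit writes the local policy to an .inf file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section. Lines look like:
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
# Entries prefixed with * are SIDs; anything else is already an account name.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $constant = $Matches[1]
    $holders = foreach ($entry in ($Matches[2] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID (deleted account): keep the raw SID
        } else { $entry }
    }
    $rights[$constant] = @($holders)
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Baseline (assumption for this example): default holders per Table 1-3 for rights
# that allow bypassing permissions, tampering with processes, or loading kernel code.
# An empty list means no account should hold the right at all.
$baseline = @{
    'SeDebugPrivilege'         = @('BUILTIN\Administrators')
    'SeTcbPrivilege'           = @()
    'SeCreateTokenPrivilege'   = @()
    'SeLoadDriverPrivilege'    = @('BUILTIN\Administrators')
    'SeTakeOwnershipPrivilege' = @('BUILTIN\Administrators')
    'SeBackupPrivilege'        = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeRestorePrivilege'       = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
}

# Report every holder that is not in the baseline; a user account (rather than a
# group) appearing here is exactly the direct assignment the text advises against.
foreach ($constant in ($baseline.Keys | Sort-Object)) {
    $actual = @($rights[$constant] | Where-Object { $_ })
    $extra  = @($actual | Where-Object { $_ -notin $baseline[$constant] })
    [pscustomobject]@{
        Right      = $constant
        Holders    = ($actual -join ', ')
        Unexpected = ($extra -join ', ')
        Status     = if ($extra.Count -gt 0) { 'REVIEW' } else { 'OK' }
    }
}
```

Running the script periodically (or from a scheduled task that writes the objects to a log) gives a simple drift check for the rights that Group Policy is expected to control.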
Built-in groups
Built-in groups, also called default groups, are added with the operating system. Many of the default groups have user rights assigned already. Certain rights also apply depending on the type of computer on which the right is being exercised. For example, the Allow Logon Locally right is granted to the following groups for logging on to workstations and servers:
- Administrators
- Backup Operators
- Users
By contrast, the following groups have the Allow Logon Locally right for domain controllers:
- Account Operators
- Administrators
- Backup Operators
- Print Operators
- Server Operators
Table 1-3 shows the local groups for a computer and the user rights granted to them by default.
TABLE 1-3 User rights for local groups

| Group | User Rights |
| --- | --- |
| Administrators | Access this computer from the network; Adjust memory quotas for a process; Allow logon locally; Allow logon through Remote Desktop Services; Back up files and directories; Bypass traverse checking; Change the system time; Change the time zone; Create a pagefile; Create global objects; Create symbolic links; Debug programs; Force shutdown from a remote system; Impersonate a client after authentication; Increase scheduling priority; Load and unload device drivers; Log on as a batch job; Manage auditing and security log; Modify firmware environment values; Perform volume maintenance tasks; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Backup Operators | Access this computer from the network; Allow logon locally; Back up files and directories; Bypass traverse checking; Log on as a batch job; Restore files and directories; Shut down the system |
| Cryptographic Operators | No user rights granted by default |
| Distributed COM Users | No user rights granted by default |
| Guests | No user rights granted by default |
| IIS_IUSRS | No user rights granted by default |
| Network Configuration Operators | No user rights granted by default |
| Performance Log Users | No user rights granted by default |
| Performance Monitor Users | No user rights granted by default |
| Power Users | No user rights granted by default |
| Remote Desktop Users | Allow logon through Remote Desktop Services |
| Replicators | No user rights granted by default |
| Users | Access this computer from the network; Allow logon locally; Bypass traverse checking; Change the time zone; Increase a process working set; Remove computer from docking station; Shut down the system |
| Offer Remote Assistance Helpers | No user rights granted by default |
AD DS also contains default groups. These groups are placed into either the Builtin or Users container.
Table 1-4 describes the groups in the Builtin container.
TABLE 1-4 Groups in the Builtin container

| Group | User Rights |
| --- | --- |
| Account Operators | Allow logon locally; Shut down the system |
| Administrators | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow logon locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Backup Operators | Back up files and directories; Allow logon locally; Restore files and directories; Shut down the system |
| Guests | No user rights granted by default |
| Incoming Forest Trust Builders | No user rights granted by default; applicable to forest root domain only |
| Network Configuration Operators | No user rights granted by default |
| Performance Monitor Users | No user rights granted by default |
| Performance Log Users | No user rights granted by default |
| Pre-Windows 2000 Compatible Access | Access this computer from the network; Bypass traverse checking |
| Print Operators | Allow logon locally; Shut down the system |
| Remote Desktop Users | No user rights granted by default |
| Replicator | No user rights granted by default |
| Server Operators | Back up files and directories; Change the system time; Force shutdown from a remote system; Allow logon locally; Restore files and directories; Shut down the system |
| Users | No user rights granted by default |
Table 1-5 describes the groups in the Users container.
TABLE 1-5 Groups in the Users container

| Group | User Rights |
| --- | --- |
| Cert Publishers | No user rights granted by default |
| DnsAdmins | No user rights granted by default; installed as part of DNS |
| DnsUpdateProxy | No user rights granted by default; installed as part of DNS |
| Domain Admins | Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow logon locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Domain Computers | No user rights granted by default |
| Domain Controllers | No user rights granted by default |
| Domain Guests | No user rights granted by default |
| Domain Users | No user rights granted by default |
| Enterprise Admins | Applicable to forest root domain only: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow logon locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects |
| Group Policy Creator Owners | No user rights granted by default |
| IIS_WPG | No user rights granted by default; installed with IIS |
| RAS and IAS Servers | No user rights granted by default |
| Schema Admins | No user rights granted by default; applicable to forest root domain only |
Built-in groups are different from special identities. A special identity is a group for which membership cannot be modified, such as the Everyone group. Special identities include those in Table 1-6.
TABLE 1-6 Special identities

| Identity | Description |
| --- | --- |
| Anonymous Logon | Used for anonymous access to services and resources |
| Everyone | All network users, with the exception of the Anonymous Logon group |
| Interactive | Users who are logged on locally to the computer |
| Network | Users who are accessing a computer’s resources over the network |
Understanding delegation in System Center 2012 R2
Microsoft System Center 2012 R2 consists of several products, including Configuration Manager, Operations Manager, Data Protection Manager, Service Manager, AppController, and Virtual Machine Manager (VMM). The products used in the organization determine the delegation structure. For example, certain roles are only applicable for Virtual Machine Manager and others are applicable for Configuration Manager. If the organization doesn’t use VMM, then those roles wouldn’t be used. However, the concepts of delegated authority and role-based administration are applicable no matter what products are being used. This section examines delegation for Configuration Manager and Operations Manager. Other products such as Virtual Machine Manager and Data Protection Manager are covered in other objectives in this chapter.
Role-based administration
System Center 2012 R2 uses role-based administration to provide the structure needed in many organizations. Using role-based administration, you can limit the authority and scope of permissions to the least amount necessary to complete a task. For example, an organization may grant help desk staff the ability to change passwords for normal users; this is accomplished by granting only that limited privilege to the help desk personnel. An important concept surrounding role-based administration in System Center is administrative scope. Administrative scope defines the permissions that a given user has on objects within the scope’s control. Administrative scopes consist of:
- Security roles
- Collections
- Security scopes
Security Roles
Security roles, which you might think of as similar to a group in Active Directory, are used to grant sets of permissions to users based on their job function. For example, the Asset Analyst role is granted certain permissions to view Asset Intelligence and inventory information. Users can then be given the Asset Analyst role to do their job.
Each security role is granted specific permissions, such as Approve, Create, Delete, Modify, and so on. The permissions apply to specific object types within System Center. There are several built-in security roles that come with Configuration Manager and with other System Center products. The permissions granted to these roles can’t be changed. However, the roles can be copied, and a new role can be built and modified as needed.
The general steps for planning security roles are:
- Identify tasks. Examine the responsibilities for administrators. For example, you might have administrators that are responsible for client security while others are responsible for software updates.
- Map tasks to roles. Determine how the responsibilities connect to built-in security roles.
- Assign roles. Assign roles to users. If a user has responsibilities across multiple roles, assign that user to multiple roles.
- Create new roles (optional). Create new roles if the responsibilities don’t map to one or more of the built-in roles.
Collections
Computers and users are grouped into collections in Configuration Manager. Collections are important in the hierarchical delegation of administration for Configuration Manager. Collections can be created to meet the needs of the organization. For example, you might create a collection for each physical location in an organization, or you might create a functional collection that includes all servers or all client computers. Like security roles, there are several built-in collections that can’t be modified. Collections become very useful when you want to distribute software, provide reporting, or ensure configuration changes are consistent across the devices within the collection.
Security Scopes
Security scopes can be used to grant access to securable objects by type. Security scopes provide granular access control. However, security scopes can’t be nested or used in a hierarchical manner. Security scopes are useful for segregating objects of the same type so that different levels of access can be granted to them. For instance, if a set of administrators should be granted full access only to non-production servers, the servers can be scoped to separate production from development servers.
There are two built-in security scopes:
- All. Includes all scopes. Objects cannot be added to this scope.
- Default. Installed with Configuration Manager; the Default scope also includes all objects.
Certain objects can’t be secured by security scopes. Instead, access to these objects is granted using security roles. Objects that can’t be included in security scopes are:
- Active Directory forests
- Administrative users
- Alerts
- Boundaries
- Computer associations
- Default client settings
- Deployment templates
- Device drivers
- Exchange server connectors
- Migration site-to-site mappings
- Mobile device enrollment profiles
- Security roles
- Security scopes
- Site addresses
- Site system roles
- Software titles
- Software updates
- Status messages
- User device affinities
Delegation design
Hierarchical structure is important for designing a delegated administration for System Center. When it is properly structured, you can delegate responsibilities merely by using scopes and security roles. However, as the organization’s needs change, so too will the needs for delegated administration. For example, if a merger takes place, the newly merged company may need to manage its own site.
Designing delegation involves determining the following:
- Who. Who is responsible for managing a given client computer or server? Determine the various tasks involved in administration, whether that’s software updates, security, or anything else that System Center can do. These tasks map to security roles.
- Which and where. Which computers, servers, or other objects will those people manage, based on their roles? Where are those objects located, both physically and logically? For instance, there may be different responsibilities based on physical location or logical location (production versus test). Collections are used to group the objects together in Configuration Manager, and security scopes can be used to provide more granular control over the objects.
- What. What permissions do administrators need on a given object? Permissions can be changed within the security roles, and their scope can be limited through security scopes.
Configuration Manager
System Center 2012 R2 Configuration Manager is an important piece of enterprise IT management. Configuration Manager provides a unified solution for management of operating systems, devices, software updates, asset inventory, and more. Using Configuration Manager, an enterprise can deliver software to devices within the organization and ensure consistency of updates and configurations. Configuration Manager also integrates with other System Center products and with other services like Windows Intune.
Configuration Manager can be configured as a standalone set of services or in a hierarchy, known as primary site and central administration site, respectively. The primary site-only scenario is useful for small implementations or small networks, whereas the central administration site scenario is useful for larger enterprises, especially those that need hierarchical or delegated management.
Site system roles
Within Configuration Manager, site system roles are used to define what tasks the various servers perform within a site. Site system roles shouldn’t be confused with role-based administration, which is also covered in this section. Table 1-7 describes some of the typical site system roles.
TABLE 1-7 Core site system roles

| Role | Description |
| --- | --- |
| Component server | A basic service that is responsible for running Configuration Manager services. This role is automatically installed for all roles except the distribution point role. |
| Site database server | The server that runs the SQL Server database and is used to store information and data related to the Configuration Manager deployment. |
| Site server | The server from which the core functionality of Configuration Manager is provided. |
| Site system | The site system role is a basic role installed on any computer hosting a site system. |
| SMS Provider | Provides the interface between the Configuration Manager console and the site database. Note that the SMS Provider role can be used only on computers that are in the same domain as the site server. |
Multiple site system roles typically run on a single server, especially in new or small implementations of Configuration Manager. Additional servers can be deployed as distribution points to ensure availability of software packages and related files or to provide those files at strategic locations. For example, you might place a distribution point close to a large number of client computers.
Aside from the core site system roles, other site system roles may be used. Table 1-8 describes some other site system roles.
TABLE 1-8 Additional site system roles

| Role | Description |
| --- | --- |
| Application Catalog web service point | Responsible for providing information from the Software Library to the Application Catalog website. |
| Application Catalog website point | A website that displays available software from the Application Catalog. |
| Asset Intelligence synchronization point | Exchanges Asset Intelligence information with Microsoft. |
| Certificate registration point | New for System Center 2012 R2, this role handles communication for devices that use the Simple Certificate Enrollment Protocol (SCEP) through the Network Device Enrollment Service (NDES). This role cannot be installed on the same server as the one running NDES. |
| Distribution point | A role that holds software packages, updates, system images, and other files for clients to download. |
| Endpoint Protection point | Accepts Endpoint Protection license terms and configures default membership for Microsoft Active Protection Service. |
| Enrollment point | Enrolls mobile devices and Mac computers using public key infrastructure and also provisions Intel Active Management Technology computers. |
| Enrollment point proxy | Manages enrollment requests for mobile devices and Mac computers. |
| Fallback status point | Monitors client installation and identifies clients that can’t communicate with their management point. |
| Management point | A role that interacts with client computers to receive configuration data and send policy and service location information. |
| Out of band service point | Configures Intel AMT computers for out of band management. |
| Reporting services point | A role that creates and manages Configuration Manager reports. This role works with SQL Server Reporting Services. |
| Software update point | Together with Windows Server Update Services (WSUS), this role provides software updates to clients. |
| State migration point | Holds client user state data during migration to a new operating system. |
| System Health Validator point | Validates Network Access Protection (NAP) policies. The role must be installed on a NAP health policy server. |
| Windows Intune connector | Manages mobile devices with Windows Intune through the Configuration Manager console. This role is available with Service Pack 1 (SP1). |
Operations Manager
System Center 2012 R2 Operations Manager provides monitoring capabilities to computers across an enterprise. The roles necessary within Operations Manager include those to create monitoring configurations, view and edit reports, and provide overall administration, among others.
Operations Manager uses many of the same concepts as other System Center products for rights delegation. In Operations Manager, a profile (a fixed set of privileges) is combined with a scope to produce a user role. Operations Manager has several built-in user roles, each based on a profile of the same name:
- Administrator
- Advanced Operator
- Application Monitoring Operator
- Author
- Operator
- Read-only Operator
- Report Operator
- Report Security Administrator
Each of these built-in user roles can be changed through its properties settings. The scopes can be changed, as can the tasks and dashboards and views available to the user role. This is illustrated in Figure 1-1.
FIGURE 1-1 Changing the dashboards and views available to one of the built-in user roles in Operations Manager
Each of the built-in user roles can contain one or more local or Active Directory–based groups or users. For example, the Operations Manager Administrators user role (shown in Figure 1-1) contains the BUILTIN\Administrators group.
You can also create user roles within Operations Manager by using the Create User Role Wizard. When creating a new user role you first choose the type of user role on which the new user role will be based from among these choices:
- Operator
- Read-Only Operator
- Author
- Advanced Operator
Each of these profiles provides certain privileges that are connected to that profile. For example, the Author profile contains privileges specific to creating monitoring configurations.
Understanding self-service portal design using Service Manager
Maintaining an enterprise server infrastructure can be accomplished in a number of ways, but when considering management solutions that scale to large environments, the System Center 2012 R2 family of products comes to the forefront. For example, with Service Manager, you can create a self-service portal for end users, among other things. Service Manager provides incident and configuration management while enabling visibility into current issues. Service Manager uses a Configuration Management Database (CMDB) to provide a master location for all changes, issues, and requests for an infrastructure. Service Manager integrates with other System Center 2012 R2 products to provide an end-to-end solution.
At a minimum, there are three components to a Service Manager implementation: a management server, a configuration management database server, and the management console. Additional components can be added for things like data warehousing, which then facilitates reporting.
Using the self-service portal, users can find answers to common support questions, change their passwords, create help-desk tickets, and request software. When designing a management structure, you should consider deployment of the self-service portal to ease the burden on IT and the help desk for common requests. The end-user self-service portal requires a Silverlight component to run on the client computer and thus is applicable only to those platforms that can run Silverlight through the browser.
Delegating rights for the private cloud
System Center 2012 Virtual Machine Manager provides a centralized management console for virtual machines, such as those managed by Hyper-V. VMM manages virtual machines, networks, and storage as resources, which are then configured within the organization. A VMM deployment consists of a management server, database, library (and library server), and console.
Another component of managing the private cloud is App Controller. App Controller looks at service provision from a service-oriented view rather than from a server or software view. In other words, using App Controller you can connect the components that make up a service to facilitate management.
User roles can be created to manage various aspects of private cloud-based virtualization infrastructure. Virtual Machine Manager can be used to create such a delegation, and then App Controller can be used to manage the private cloud.
Rights are managed within the User Roles area of the Security section in the Settings area of Virtual Machine Manager. User roles can be created using individual user accounts or using Active Directory groups. The scope of the user role can then be assigned to the private cloud, as shown in Figure 1-2.
FIGURE 1-2 Assigning a scope to a user role for private clouds in Virtual Machine Manager
Members that have been assigned to the new user role will be able to log on to App Controller and manage private clouds within the user role scope.
An alternate method to assign access is by clicking Assign Cloud from the VMs and Services section in Virtual Machine Manager. Doing so enables you to select the user role to be assigned privileges for a given cloud or to create a new user role for the private cloud, as shown in Figure 1-3.
FIGURE 1-3 Assigning a user role to a cloud in the Assign Cloud dialog box
Objective summary
- User rights and built-in groups can be used to provide a robust administrative model.
- Certain user rights shouldn’t be assigned to users or groups but are instead used by system processes and functions.
- Built-in groups have certain user rights inherently assigned to them.
- System Center 2012 R2 can utilize a delegated administration structure that enables separation of responsibilities within an infrastructure.
- Security roles, security scopes, and collections are all used to facilitate the delegated administration structure necessary.
- Determining who, which and where, and what can be helpful for designing a delegated role structure.
- Service Manager is used to provide end-user self service.
- Service Manager requires at least three components to run: a management server, a configuration management database server, and the management console.
Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
Which of the following permissions allows the currently logged on user to shut the computer down?
- SeShutdownComputer
- SeShutdownPrivilege
- SePrivilegeShutdown
- En_ShutdownComputerPermission
Which of the following is not a privilege of the built-in Backup Operators group?
- Shut down the system
- Create symbolic links
- Back up files and directories
- Allow logon locally
Which of the following roles provides the core functionality for System Center?
- Site server
- Component server
- Core server
- Site Core server
Which of the following are not built-in security scopes in Configuration Manager?
- All
- System
- Administrator
- Default