Home > Articles

This chapter is from the book

This chapter is from the book

Getting Familiar with AD DS Features in Windows Server 2016

Improvements in the functionality and reliability of AD DS are of key importance to the development team at Microsoft. Windows Server 2016 inherits many sophisticated features in AD DS and then some.

File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in Windows Server 2012 R2. However, with Windows Server 2016, it’s important to remember that Windows Server 2003 operating system is no longer supported. If you still have domain controllers running Windows Server 2003, they need to be taken out of the domain.

Also raise all domains and forest functional levels to Windows Server 2008 and later. This will prevent a domain controller still running Windows Server 2003 from being added to your domain.

Windows Server 2008 itself introduced multiple changes to AD DS functionality above and beyond the Windows Server 2003 and Windows Server 2003 R2 Active Directory versions. Windows Server 2012 and 2012 R2 then introduced additional features and functionalities above those introduced with the RTM version of Windows Server 2008 and the later Windows Server 2008 R2 version. The bullet list that follows here is the accumulation of many features that are now part of Windows Server 2016:

  • Privileged access management (PAM)—helps protect Active Directory against credential theft such pass-the-hash, spear phishing, and so on. Using Microsoft Identity Manager (MIM), PAM provides means of setting up a so-called bastion Active Directory forest. The bastion forest establishes a special PAM trust with an existing forest. What you get is a new Active Directory environment free of any malicious code and made available to privileged accounts. PAM also introduces the ability to request administrative privileges, along with new workflows based on the approval of requests, shadow security principals (groups) and time-bound membership in a shadow group. In other words, users can be added to groups for just enough time required to perform an administrative task. PAM needs MIM and a domain functional level of at least Windows Server 2012 R2.

  • Azure Active Directory Join—Enterprise, business, and EDU users can join their systems to Azure AD for advanced and improved capabilities for both corporate and personal devices. This new feature lets Oxygen Services users operate without the need of a personal Microsoft account. With Oxygen Services working on PCs that are joined to corporate on-premises Windows domain, and PCs and devices that are “joined” to your Azure AD tenant (“cloud domain”), you set up features like roaming or personalization, accessibility settings and credentials, Backup and Restore, Live tiles and notifications, and so on.

  • Virtualization support—The ability to create DCs based on virtual machine templates. Microsoft safeguards AD DS by protecting DCs from mistakes made with virtual machine snapshotting. This concept is discussed in step-by-step detail in Chapter 7.

  • Dynamic access control—Dynamic access control creates a new central access policy (CAP) model that allows for file classification information to be used in authorization decisions. This allows for business intent to be more readily apparent when examining the security that is set on file servers. This model is supported on Windows Server 2016 and Windows Server 2102/R2 DCs, assuming the file servers also are running the same versions of the operating systems.

  • Kerberos security improvements—Microsoft supports the industry standard Flexible Authentication Secure Tunneling (FAST) feature in Kerberos to reduce the likelihood of Kerberos errors being spoofed by hacking attacks. This is often referred to as Kerberos armoring.

  • Better fine-grained password policy control and AD Recycle Bin interfaces—Microsoft makes it much easier to implement either fine-grained password policy controls or the AD Recycle Bin, both features that were previously difficult to implement.

  • Active Directory deployment—Features such as Active Directory Based Activation (AD BA) allow for server licenses to be more easily activated, while improvements to off-premises domain join functionality have been added. ADPrep functionality is also found in the deployment tools, and the entire process to join a DC to a domain or create a new forest is supported in PowerShell.

  • Active Directory Federation Services (AD FS) improvements—AD FS 4.0 is the latest iteration included natively in Windows Server, and supports AD DS claims directly, allowing for the population of SAML tokens with user and device claims taken directly from the Kerberos ticket. It now also provides access control and single sign-on to the cloud, into systems and applications such as Office 365, and cloud-based Software as a Service (SaaS) applications.

  • Group Managed Service Accounts (gMSA)—Group Managed Service Accounts allows for managed service accounts to be used by services that need to share a single security principal, such as clusters.

  • Enhanced PowerShell support—A whole host of new PowerShell commandlets for Windows Server 2016 AD DS has been designed, allowing for nearly all operations to be automated from the command line.

These features are in addition to the features introduced in Windows Server 2008 R2 and later, which included the following:

  • Active Directory Recycle Bin—Enables you to restore deleted AD DS objects.

  • Offline domain join—Allows for prestaging of the act of joining a workstation to the AD DS domain.

  • Managed Service Accounts—Provides a mechanism for controlling and managing AD DS service accounts.

  • Authentication mechanism assurance—Enables administrators to grant access to resources differently based on whether a user logs in with a smart card or multifactor authentication source or whether the user logs in via traditional techniques.

  • Enhanced administrative tools—This includes newly designed and powerful utilities such as Active Directory Web Services, Active Directory Administrative Center, Active Directory Best Practice Analyzer, a new AD DS Management Pack, and an Active Directory Module for Windows PowerShell.

The previous version of AD DS, from Windows Server 2008 and later, included the following key features that are still available with Windows Server 2016. If you are upgrading from any of the previous versions of Active Directory, all of these new features will be made available:

  • Ability to create multiple fine-grained password policies per domain—Lifts the restrictions of a single password policy per domain.

  • Ability to restart AD DS on a domain controller—Allows for maintenance of an AD DS database without shutting the machine down.

  • Enhanced AD DS auditing capabilities—Provides useful and detailed item-level auditing capabilities in AD DS without an overwhelming number of logs generated.

Restoring Deleted AD DS Objects Using the Active Directory Recycle Bin

In Windows Server 2016, the AD Recycle Bin functionality is built in to the Active Directory Administration Center (ADAC) and need only be enabled to start using the functionality. A few prerequisites must be satisfied, however, before the AD Recycle Bin can be enabled:

  • The AD DS forest and domain must be at least at Windows Server 2008 R2 or higher functional level (or at Windows Server 2016 functional level).

  • Membership in the Enterprise Administrators group is required to enable the AD Recycle Bin.

  • The process of enabling the AD Recycle Bin is nonreversible.

Enabling the AD Recycle Bin

To enable the Active Directory Recycle Bin, follow these steps:

  1. Right-click Windows PowerShell, and then select Run as Administrator.

  2. From the PowerShell prompt, type in dsac.exe to start the ADAC.

  3. Click Manage—Add Navigation Nodes, and then select the target domain and click OK.

  4. Next, select the target domain and then under Tasks, click Enable Recycle Bin, and then click OK and OK twice to accept the changes, as shown in Figure 4.9. Click F5 to refresh ADAC.

    FIGURE 4.9

    FIGURE 4.9 Enabling the AD Recycle Bin.

  5. To validate that the Recycle Bin is enabled, go to the CN=Partitions container, using an editor such as ADSIEdit. In the details pane, find the msDS-EnabledFeature attribute and confirm that the value includes the Recycle Bin DN that you typed above.

Alternatively, you can enable the AD Recycle Bin by using the following PowerShell command. Replace companyabc.com and DC=companyabc,DC=com with the appropriate name of the domain where the AD Recycle bin will be enabled.

Enable-ADOptionalFeature–Identity 'CN=Recycle Bin Feature,CN=Optional Features,
CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=companyabc,DC=com'–Scope ForestOrConfiguration
Set–Target 'companyabc.com'

Recovering Deleted Items Using the AD Recycle Bin

Deleted objects can be restored directly from ADAC, by looking in the Deleted Objects folder, which should be displayed in the root of the domain. Just right-click the object and select Restore, as shown in Figure 4.10.

04fig10.jpg

FIGURE 4.10 Restoring a deleted AD object from the AD Recycle Bin.

Restarting AD DS on a Domain Controller

Windows Server 2016 allows administrators to start or stop directory services running on a DC without having to shut it down. This enables administrators to perform maintenance or recovery on the Active Directory database without having to reboot into Directory Services Restore Mode.

In addition to allowing for maintenance and recovery, turning off the DC functionality on an AD DC essentially turns that DC into a member server, allowing for a server to be quickly brought out of DC mode if necessary. In addition, with RODCs, Microsoft has removed the need for local administrators on the DC to have Domain Admin rights as well, which improves overall security in places where administration of the DC server is required but full Domain Admin rights are not needed.

To take a Windows Server 2016 DC offline, follow these steps:

  1. Open up the Services MMC (Start, All Programs, Administrative Tools, Services).

  2. From the Services MMC, select the Active Directory Domain Services service, as shown in Figure 4.11. Right-click it and choose Stop.

    04fig11.jpg

    FIGURE 4.11 Restarting AD DS on a Domain Controller.

  3. When prompted that stopping AD DS will stop other associated services such as DNS, DFS, Kerberos, and Intersite Messaging, choose Yes to continue.

  4. To restart AD DS, right-click the AD DS service and choose Start.

Implementing Multiple Password Policies per Domain

You also have the ability to implement granular password policies across a single domain. Previously, this was only an option with third-party password-change utilities installed on the DCs in a forest. You can also define which users have more complex password policies and which will be able to use more lenient policies.

You need to understand a few key points about this technology before implementing it, as follows:

  • Domain mode must be set to a level of Windows Server 2008 and later.

  • Fine-grained password policies always win over a domain password policy.

  • Password policies can be applied to groups, but they must be global security groups.

  • Fine-grained password policies applied to a user always win over settings applied to a group.

  • The Password Settings objects (PSOs) are stored in the Password Settings Container in AD (that is, CN=Password Settings Container,CN=System,DC=companyabc,DC=com).

  • Only one set of password policies can apply to a user. If multiple password policies are applied, the policy with the lower-number precedence wins.

To create a custom password policy for a specific user, a PSO must be created using ADAC.

To create a new PSO, open ADAC and follow these steps:

  1. Navigate to domain rootSystemPasswords Settings Container.

  2. Under Tasks, select NewPassword Settings.

  3. Enter the information into the dialog box, shown in Figure 4.12, using Table 4.1 as a reference.

    04fig12.jpg

    FIGURE 4.12 Creating a PSO.

  4. Click OK to finalize the creation of the PSO.

TABLE 4.1 PSO Attributes

Attribute Description Sample Value
Name The unique name of the password policy. PasswordPolicy forAdmins
Precedence The priority of the policy. Lower number “wins.” Leave space on both sides of the number to reprioritize if necessary. 10
Enforce password history: Number of passwords remembered The number of passwords “remembered” by the system. 24
Password must meet complexity requirements The policy that sets whether password complexity is enabled. Password complexity enforces whether users should be forced to include a combination of numbers, uppercase letters, lowercase letters, and special characters as part of their password. Enabling complexity forces them to include at least three of the four types in their passwords. Checked
Enforce minimum password length The policy setting that enforces the minimum password character length. 8
Enforce minimum password age: User cannot change the password within (days) The minimum number of days that must be waited before resetting the password to something different. This disallows users from simply “cycling through” password changes to keep the same password. Expressed in a format of Days:Hours:Minutes:Seconds. For example, 3:00:00:00 equals 3 days. 1
Enforce maximum password age: User must change the password within (days) The maximum number of days that a password is valid for. Expressed in a format of Days:Hours:Minutes:Seconds. 42
Enforce account lockout policy: Number of failed logon attempts allowed: The number of invalid password attempts that can be made before locking out the account. 5
Reset failed logon attempts count after (mins) The length of time (expressed in minutes) before the invalid password attempt counter is reset. 30
Accounts will be locked out The length of time (expressed in an account remains locked out. 30
Directly Applies To: The user or group of users to which the PSO applies. Group or User Account selected from AD that the PSO applies to
msDS-PasswordReversible EncryptionEnabled The policy used for specific circumstances where a user’s password needs to be able to be decrypted. Normally set to False. Not available in the GUI, but can be set with ADSIEdit. False

Auditing Changes Made to AD Objects

You can also audit changes made to Active Directory objects. You can determine when AD objects were modified, moved, or deleted.

To enable AD object auditing on a Windows Server 2016 DC, follow these steps:

  1. From Server Manager, click Tools, Group Policy Management.

  2. Navigate to forest name, Domains, domain name, Domain Controllers, Default Domain Controllers Policy.

  3. Right-click the Default Domain Controllers Policy and click Edit.

  4. In the GPO window, navigate to Preferences, Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

  5. Under the Audit Policy setting, right-click Audit Directory Service Access and click Properties.

  6. Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 4.13.

    04fig13.jpg

    FIGURE 4.13 Enabling AD DS object auditing.

  7. Click OK to save the settings.

Global AD DS auditing on all DCs will subsequently be turned on. Audit event IDs will be displayed as Event ID 5136, 5137, 5138, or 5139, depending on whether the operation is a modify, create, undelete, or move, respectively.

Reviewing Additional Active Directory Services

Five separate technologies in Windows Server 2016 contain the Active Directory moniker in their title. Some of the technologies previously existed as separate products, but they have all come under the global AD umbrella. These technologies are as follows:

  • Active Directory Lightweight Directory Services (AD LDS)—AD LDS, previously referred to as Active Directory in Application Mode (ADAM), is a smaller-scale directory service that can be used by applications that require a separate directory. It can be used in situations when a separate directory is needed but the overhead and cost of setting up a separate AD DS forest is not warranted. You can find detailed information about AD LDS in Chapter 8, “Creating Federated Forests and Lightweight Directories.”

  • Active Directory Federation Services (AD FS)—AD FS 3.0, included in Windows Server 2016 provides for Single Sign-On technology to allow for a user logon to be passed to multiple web applications within a single session. You can find more information about AD FS in Chapter 8.

  • Active Directory Certificate Services (AD CS)—AD CS provides for the ability to create a public key infrastructure (PKI) environment and assign PKI certificates to AD users and machines. These certificates can be used for encryption of traffic, content, or logon credentials. You can find more information about deploying AD CS in Chapter 14, “Transport-Level Security.”

  • Active Directory Rights Management Services (AD RMS)—AD RMS is the evolution of the older Windows Rights Management Server technology. AD RMS is a service that protects confidential information from data leakage by controlling what can be done to that data. For example, restrictions can be placed on documents, disallowing them from being printed or programmatically accessed (such as by cutting/pasting of content). Chapter 13 covers this Active Directory technology in more detail.

Examining Additional Windows Server 2016 AD DS Features

In addition to the changes listed in the preceding sections, AD DS in Windows Server 2016 supports the following features:

  • Read-only domain controller (RODC) support—Windows Server 2016 includes the ability to deploy DCs with read-only copies of the domain. This is useful for remote branch office scenarios where security might not be tight. This scenario is covered in detail in Chapter 7.

  • Group Policy central store—Administrative templates for group policies are stored in the SYSVOL on the PDC emulator in Windows Server 2016, resulting in reduced replication and reduced SYSVOL size.

  • DFS-R replication of the SYSVOL—A Windows Server 2008 RTM/R2 functional domain uses the improved Distributed File System Replication (DFS-R) technology rather than the older, problematic File Replication Service (FRS) to replicate the SYSVOL.

  • Active Directory database mounting tool—The Active Directory database mounting tool (DSAMain.exe) enables administrators to view snapshots of data within an AD DS or AD LDS database. This can be used to compare data within databases, which can prove useful when performing AD DS data restores.

  • GlobalNames DNS zone—Windows Server 2016 DNS allows for creation of the concept of the GlobalNames DNS zone. This type of DNS zone allows for a global namespace to be spread across multiple subdomains. For example, a client in the asia.companyabc.com subdomain would resolve the DNS name portal.asia .companyabc.com to the same IP address as a client in a different subdomain resolving portal.europe.companyabc.com. This can improve DNS resolution in multizone environments. You can read more about this technology in Chapter 10.

Reviewing Legacy Windows Server Active Directory Improvements

It is important to understand that AD DS is a product that has been in constant development since its release with Windows 2000. From humble beginnings, Active Directory as a product has developed and improved over the years. The first major set of improvements to AD was released with the Windows Server 2003 product. Many of the improvements made with Windows Server 2003 AD still exist today in Windows Server 2016 AD DS. Therefore, it is important to understand what functionality in AD was born from Windows Server 2003. The following key improvements were made in this time frame:

  • Windows Server 2003 Active Directory Domain Rename Tool—Windows Server 2003 originally introduced the concept of domain rename, which has continued to be supported in Windows Server 2016. This enables administrators to prune, splice, and rename AD DS domains. Given the nature of corporations, with restructuring, acquisitions, and name changes occurring constantly, the ability of AD DS to be flexible in naming and structure is of utmost importance. The Active Directory Domain Rename Tool was devised to address this very need.

    • Before AD DS domains can be renamed, several key prerequisites must be in place before the domain structure can be modified. First, and probably the most important, all DCs in the entire forest must be upgraded from Windows Server 2003 to Windows Server 2008 or later. In addition, the domains and the forest must be upgraded to at least Windows Server 2008 functional level before any consideration to upgrade servers and domain controllers to Windows Server 2016. Finally, comprehensive backups of the environment should be performed before undertaking the rename.

    • The domain rename process is complex and should never be considered as routine. After the process, each DC must be rebooted and each member computer across the entire forest must also be rebooted (twice). For a greater understanding of the Domain Rename Tool and process, see Chapter 5.

  • Cross-forest transitive trust capabilities—Windows Server 2003 Active Directory introduced the capability to establish cross-forest transitive trusts between two disparate AD DS forests. This capability allows two companies to share resources more easily, without actually merging the forests. This support continues for all versions later than Windows Server 2003. Forests must be running the same functional levels for the transitive portion of this trust to function properly.

  • AD DS replication compression disable support—You have the ability to turn off replication compression to increase DC performance. This would normally be an option only for organizations with very fast connections between all their DCs.

  • Schema attribute deactivation—Developers who write applications for AD DS continue to have the ability to deactivate schema attributes, allowing custom-built applications to use custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.

  • Incremental universal group membership replication—Windows 2000 Active Directory had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in AD DS. Essentially, what this meant was that any changes to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows Server 2003 and 2008 simplify this process and allow for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows Server 2003/2008.

  • AD-integrated DNS zones in application partitions—DNS replication was enhanced by storing DNS zones in the application partition. This basically meant that fewer objects needed to be stored in AD, reducing replication concerns with DNS.

  • AD lingering objects removal—Another major improvement originally introduced with Windows Server 2003 and still supported now is the ability to remove lingering objects from the directory that no longer exist.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020