Managing User and Service Accounts

Slides:



Advertisements
Similar presentations
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Advertisements

Module 4: Implementing User, Group, and Computer Accounts
Chapter 13 Securing Windows Server 2008
Chapter 8 Chapter 8: Managing Accounts and Client Connectivity.
12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.
Adding a Module The Import-Module cmdlet  Can be used to load any external module into PowerShell.  Uses the following syntax to add the ActiveDirectory.
Module 1: Installing Active Directory Domain Services
Module 2 Creating Active Directory ® Domain Services User and Computer Objects.
Deploying and Managing Windows Server 2012
Managing Active Directory Domain Services Objects
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Module 6: Designing Active Directory Security in Windows Server 2008.
Designing Active Directory for Security
Managing User and Service Accounts
Windows Server 2003 Overview 1 Windows 2003 Server Overview Ayaz
Module 2 Designing Microsoft® Exchange Server 2010 Integration with the Current Infrastructure.
Module 15: Manage the Windows ® Small Business Server 2008 Environment Using Group Policy.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 22 Local Security Polcies 1.
Securing AD DS Module A 3: Securing AD DS
Module 7: Fundamentals of Administering Windows Server 2008.
Microsoft ® Virtual Academy Module 3 Understanding Security Policies Christopher Chapman | Content PM, Microsoft Thomas Willingham | Content Developer,
8.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 8: Planning.
September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.
Maintaining Active Directory Domain Services
Configuring Active Directory Objects and Trusts
Module 3: Configuring Active Directory Objects and Trusts.
Microsoft ® Official Course Module 3 Managing Active Directory Domain Services Objects.
CHAPTER Creating and Managing Users and Groups. Chapter Objectives Explain the use of Local Users and Groups Tool in the Systems Tools Option to create.
Module 8: Implementing an Active Directory Domain ® Services Monitoring Plan.
Module 1: Implementing Active Directory ® Domain Services.
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 21 Administering User Accounts and Groups 1.
Module 7: Implementing Security Using Group Policy.
NetTech Solutions Security and Security Permissions Lesson Nine.
Week 4 Objectives Overview of Group Policy Group Policy Processing Implementing a Central Store for Administrative Templates.
Implementing a Group Policy Infrastructure
Module 10: Implementing Administrative Templates and Audit Policy.
Module 7: Designing Security for Accounts and Services.
AuthenticationService Application DelegationKerberos.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Overview Microsoft Windows XP Pro (SP2) Microsoft Windows Server 2003 User accounts and groups File sharing and file permissions Password/Lockout Policy.
Configuring the User and Computer Environment Using Group Policy Lesson 8.
Module 2: Implementing an Active Directory Forest and Domain Structure.
Managing User Desktops with Group Policy
Configuring Encryption and Advanced Auditing
Understanding Security Policies
Monitoring Windows Server 2012
Nassau Community College
Lesson 6: Configuring Servers for Remote Management
Implementing Update Management
Configuring Windows Firewall with Advanced Security
Implementing Active Directory Domain Services
Deploying and Maintaining Server Images
Active Directory Fundamentals
Unit 3 NT1330 Client-Server Networking II Date: 1/6/2016
Unit 8 NT1330 Client-Server Networking II Date: 8/2/2016
Unit 7 NT1330 Client-Server Networking II Date: 7/26/2016
Network Administration
Active Directory Service Accounts
BACHELOR’S THESIS DEFENSE
Greta Mameniskyte IV course 3rd group
Windows Active Directory Environment
Understanding Security Policies
PLANNING A SECURE BASELINE INSTALLATION
Managing Passwords with Group Policy
Chapter 8: Managing Accounts and Client Connectivity
Preparing for the Windows 8. 1 MCSA Module 6: Securing Windows 8
Presentation transcript:

Managing User and Service Accounts Module 3 Managing User and Service Accounts (More notes on the next slide)

Configuring Managed Service Accounts Module Overview 3: Managing User and Service Accounts Configuring Managed Service Accounts

Configuring Password Policy and User Account Lockout Settings

Demonstration: Configuring PSOs Lesson 1: Configuring Password Policy and User Account Lockout Settings 3: Managing User and Service Accounts Demonstration: Configuring PSOs

Set password requirements by using the following settings: 20411C User Account Policies 3: Managing User and Service Accounts Set password requirements by using the following settings: Enforce password history Maximum password age Minimum password age Minimum password length Password complexity requirements Account lockout duration Account lockout threshold

20411C Kerberos Policies 3: Managing User and Service Accounts Kerberos policy settings determine timing for Kerberos tickets and other events Setting Default Enforce user logon restrictions Enabled Maximum lifetime for service ticket 600 minutes Maximum lifetime for user ticket 10 hours Maximum lifetime for user ticket renewal 7 days Maximum tolerance for computer clock synchronization 5 minutes Kerberos claims and compound authentication for DAC requires Windows Server 2012 domain controllers

Configuring User Account Policies 3: Managing User and Service Accounts Local Security Policy account settings: Configured with secpol.msc Apply to local user accounts Group Policy account settings Configured with the Group Policy Management console Apply to all accounts in AD DS and local accounts on computers joined to the domain Can only be applied once, in Default Domain Policy Take precedence over Local Security Policy settings

What Are Password Settings Objects? 3: Managing User and Service Accounts You can use fine-grained password policies to specify multiple password policies within a single domain Fine-grained password policies: Apply only to user objects (or inetOrgPerson objects) and global security groups Cannot be applied to an OU directly Do not interfere with custom password filters that you might use in the same domain

Windows Server 2012 provides two tools for configuring PSOs: 3: Managing User and Service Accounts Windows Server 2012 provides two tools for configuring PSOs: Windows PowerShell cmdlets New-ADFineGrainedPasswordPolicy Add-FineGrainedPasswordPolicySubject Active Directory Administrative Center Graphical user interface Uses Windows PowerShell cmdlets to create and manage PSOs

Demonstration: Configuring PSOs 3: Managing User and Service Accounts In this demonstration, you will see how to create a Password Settings Object for the ITAdmins group (More notes on the next slide)

Configuring Managed Service Accounts

Lesson 2: Configuring Managed Service Accounts 3: Managing User and Service Accounts Kerberos Delegation and Service Principal Names

Service Account Overview 3: Managing User and Service Accounts Applications need resource access Can create domain or local accounts to manage such access, but can potentially compromise security Use Service Accounts Instead Local System Most privileged, still vulnerable if compromised Local Service Least privileged, may not have enough permissions to access all required resources, Network Service Can access network resources with proper credentials

Challenges of Using Standard User Accounts for Services 3: Managing User and Service Accounts Challenges to using standard user accounts for services include: Extra administration effort to manage the service account password Difficulty in determining where a domain-based account is used as a service account Extra administration effort to mange the SPN

Managed Service Account and Virtual Accounts 3: Managing User and Service Accounts Use managed service accounts to automate password and SPN management for service accounts used by services and applications Requires a Windows Server 2008 R2 or Windows Server 2012 server installed with: .NET Framework 3.5.x Active Directory module for Windows PowerShell Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level or higher Can be used in a Windows Server 2003 or 2008 AD DS environment: With Windows Server 2008 R2 schema updates With Active Directory Management Gateway Service

What Are Group Managed Service Accounts? 3: Managing User and Service Accounts Group managed service accounts extend the capability of standard managed service accounts by: Enabling an MSA to be used on more than one computer in the domain Storing MSA authentication information on domain controllers Group MSA requirements: Must have at least one Windows Server 2012 domain controller Must have a KDS root key created for the domain

How-To: Configuring Group Managed Service Accounts 3: Managing User and Service Accounts Commands to configure a Group Managed Service Account Create the KDS root key for the domain Create and associate a managed service account 1) Add-KDSRootKey -EffectiveImmediately 2) New-ADServiceAccount –Name <managed account name> –DNSHostname <dns host name> -PrincipalsAllowedToRetrieveManagedPassword <servers allowed to retrieve password> 3) Add-ADComputerServiceAccount –identity <server> –ServiceAccount <managed account name> 4) Get-ADServiceAccount -Filter * 5) Verify that the service account is listed (More notes on the next slide)

Kerberos Delegation and Service Principal Names 3: Managing User and Service Accounts Kerberos delegation of authentication Services can delegate service tickets issued to them by the KDC to another service Constrained delegation Allows administrators to define which services can use service tickets issued to other services SPNs help identify services uniquely Windows 2012 allows Constrained delegation across domains Ability of service administrators to configure constrained delegation

Additional Resources & Next Steps Instructor-Led Courses 20411C: Administering Windows Server 2012 Books Exam Ref 70-411: Administering Windows Server 2012 Exams & Certifications Exam 70-411: Administering Windows Server 2012

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.