Module 4: Implementing User, Group, and Computer Accounts

Overview Introduction to Accounts Creating and Managing Multiple Accounts Implementing User Principal Name Suffixes Moving Objects in Active Directory Planning a User, Group, and Computer Account Strategy Planning an Active Directory Audit Strategy

Lesson: Introduction to Accounts Types of Accounts Types of Groups What Are Domain Local Groups? What Are Global Groups? What Are Universal Groups?

Types of Accounts User accounts Computer accounts Group accounts Enables a single sign-on for a user Provides access to resources Computer accounts Enables authentication and auditing of computer access to resources Group accounts Helps simplify administration

Types of Groups Distribution groups Security groups Used only with e-mail applications Not security-enabled Security groups Used to assign rights and permissions to groups of users and computers Used most effectively when nested The functional level determines the type of groups that you can create

What Are Domain Local Groups? A security or distribution group that can contain: Universal groups, global groups, and other domain local groups from its own domain Accounts from any domain in the forest

What Are Global Groups? A security or distribution group that can contain users, groups, and computers as members from its own domain

What Are Universal Groups? A security or distribution group that can contain users, groups, and computers as members from any domain in its forest

Lesson: Creating and Managing Multiple Accounts Tools for Creating and Managing Multiple Accounts How to Create Accounts Using the Csvde Tool How to Create and Manage Accounts Using the Ldifde Tool How to Create and Manage Accounts Using Windows Script Host

Tools for Creating and Managing Multiple Accounts Active Directory Users and Computers Directory Service Tools Dsadd Dsmod Dsrm Csvde and Ldifde Tools Windows Script Host

How to Create Accounts Using the Csvde Tool Your instructor will demonstrate how to create accounts by using the Csvde command-line tool

How to Create and Manage Accounts Using the Ldifde Tool Your instructor will demonstrate how to create and manage accounts by using the Ldifde command-line tool

How to Create and Manage Accounts Using the Windows Script Host Your instructor will demonstrate how to create and manage accounts by using Windows Script Host

Practice: Creating User Accounts In this practice you will create and run a script file that contains commands to create a user account and then you will verify that the user account was created

Lesson: Implementing User Principal Name Suffixes What Is a User Principal Name? Multimedia: How Name Suffix Routing Works How Name Suffix Conflicts Are Detected and Resolved How to Create and Remove a UPN Suffix How to Enable and Disable Name Suffix Routing in Forest Trusts

What Is a User Principal Name? A logon name that is used only for logging on to a Windows Server 2003 network Advantages Unique in Active Directory Can be the same as a user’s e-mail address suzanf@contoso.msft

Multimedia: How Name Suffix Routing Works contoso.msft adatum.msft Trust john@contoso.msft

How Name Suffix Conflicts Are Detected and Resolved Name suffix conflicts occur when A DNS name is already in use A NetBIOS name is already in use A domain SID conflicts with another name suffix SID Name suffix conflicts in a domain cause access to that domain from outside the forest to be denied

How to Create and Remove a UPN Suffix Your instructor will demonstrate how to create and remove a UPN suffix

How to Enable and Disable Name Suffix Routing in Forest Trusts Your instructor will demonstrate how to enable and disable name suffix routing in forest trusts

Practice: Creating UPN Suffixes In this practice, you will create a name suffix for a second-level domain, and then enable name suffix routing between two forests

Lesson: Moving Objects in Active Directory What Is SID History? Implications of Moving Objects How to Move Objects Within a Domain How to Move Objects Between Domains How to Use LDP to View Properties of Moved Objects

What Is SID History? SID History Is a list of all SIDs that were assigned to a user account Provides a migrated user account with continuity of access to resources

Implications of Moving Objects Within a domain No change to SID or GUID Within a forest New SID SID history Same GUID Across forests New GUID

How to Move Objects Within a Domain Your instructor will demonstrate how to move Active Directory objects within a domain

How to Move Objects Between Domains Your instructor will demonstrate how to move objects between domains

How to Use LDP to View Properties of Moved Objects Your instructor will demonstrate how to view the properties of objects by using the LDP utility

Practice: Moving Objects In this practice, you will use Ldp.exe to: Examine the SID, SIDHistory, and GUID of a user object. Move a user object to another organizational unit in the same domain. View any changes to the SID, SIDHistory, and GUID of the user object.

Lesson: Planning a User, Group, and Computer Account Strategy Guidelines for Naming Accounts Guidelines for Setting a Password Policy Guidelines for Authenticating, Authorizing, and Administering Accounts Guidelines for Planning a Group Strategy

Guidelines for Naming Accounts Define naming conventions for: User account names that identify the user Computers that identify the owner, location, and computer type Groups that identify the group type, its location, and the purpose of the group

Guidelines for Setting a Password Policy Set Enforce password history to at least 24 passwords remembered Set the maximum password age to no more than 42 days Set the minimum password age to at least 2 days Set password length to at least 8 characters Enable the setting Password must meet complexity requirements

Guidelines for Authenticating, Authorizing, and Administering Accounts Set the account lockout threshold policy setting to a high value Protect administrative accounts Use multifactor authentication Implement a role-based security model for granting permissions Disable the Administrator account and apply a least privilege policy to accounts

Guidelines for Planning a Group Strategy Assign users with common job responsibilities to global groups Create a domain local group for sharing resources Add global groups that require access to resources to domain local groups Use universal groups to grant access to resources in multiple domains Use universal groups when membership is static

Practice: Planning an Account Strategy In this practice, you will determine: An account naming strategy A password policy An authentication, authorization, and administration strategy A group strategy for your forest

Lesson: Planning an Active Directory Audit Strategy Why Audit Access to Active Directory? Guidelines for Monitoring Changes to Active Directory

Why Audit Access to Active Directory? To record all successful changes to Active Directory To track access to a resource or by a specific account To detect and log failed access attempts

Guidelines for Monitoring Changes to Active Directory Enable: Auditing of account management events Success auditing of policy changes Failure auditing for system events Failure auditing of policy change events and account management events when necessary

Practice: Planning an Audit Strategy In this practice, you will determine which audit policies to enable for Active Directory

Lab A: Implementing an Account and Audit Strategy Planning an Account and Audit Strategy Creating Accounts by Using the Csvde Tool Creating a UPN Suffix Moving a Group of Users