70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts

Slide 2: Objectives
- Understand the purpose of user accounts
- Understand the user authentication process
- Understand and configure local, roaming, and mandatory user profiles
- Configure and modify user accounts using different methods
- Troubleshoot user account and authentication problems

Slide 3: Introduction to User Accounts
- A user account is an Active Directory object
- Represents the information that defines a user with access to the network (first name, last name, password, etc.)
- Required for anyone using resources on the network
- Assists in administration and security: every access decision and every audit record is tied to an account
- Must follow organizational standards

Slide 4: User Account Properties
- The primary tool for creating and managing accounts is Active Directory Users and Computers
- Active Directory is extensible, so additional tabs may be added to the property pages
- Major account properties that can be set include: General, Address, Account, Profile, Sessions

Slide 5: Activity 3-1: Reviewing User Account Properties
- Objective: review the properties of user accounts through the main tabs of Active Directory Users and Computers
- Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
- Explore the tabs and values as directed

Slide 6: The Account Tab of Properties (screenshot)

Slide 7: User Authentication
- The process by which a user's identity is validated
- Used to grant or deny access to network resources
- From a client operating system the user supplies a name, a password, and the resource required
- In an Active Directory environment, a domain controller authenticates the user
- In a workgroup, the local SAM database authenticates the user

Slide 8: Authentication Methods
- Two main processes:
- Interactive authentication: user account information is supplied at logon
- Network authentication: the user's credentials are confirmed for access to a network service

Slide 9: Interactive Authentication
- The process by which a user provides a user name and password for authentication
- For a domain logon, the credentials are compared against the centralized Active Directory database
- For a local logon, the credentials are compared against the local SAM database
- In domain environments, users normally do not have local accounts

Slide 10: Network Authentication
- The process by which a network service confirms the identity of a user
- For a user who logs on to the domain, network authentication is transparent: the credentials from interactive authentication are valid for network resources
- A user who logs on to the local computer will be prompted to log on to a network resource separately

Slide 11: Authentication Protocols
- Windows Server 2003 supports two main authentication protocols: Kerberos version 5 (Kerberos v5) and NT LAN Manager (NTLM)
- Kerberos v5 is the primary protocol for Active Directory environments but is not supported on all client systems
- NTLM is the primary protocol for older Microsoft operating systems

Slide 12: Kerberos v5
- Primary authentication protocol used in Active Directory domain environments
- Supported by Windows 2000, Windows XP, and Windows Server 2003
- Protocol followed:
  - The logon request is passed to the Key Distribution Center (KDC), a Windows Server 2003 domain controller
  - The KDC authenticates the user and, if the credentials are valid, issues a ticket-granting ticket (TGT) to the client system

Slide 13: Kerberos v5 (continued)
- When the client requests a network resource, it presents the TGT to the KDC
- The KDC issues a service ticket to the client
- The client presents the service ticket to the host server for the network resource; the host server validates it with its own key and does not contact the KDC
- Every domain controller in an Active Directory environment holds the role of KDC
- Not all clients follow this protocol
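To make the ticket flow on these two slides concrete, here is an added example (not part of the textbook) that models the three Kerberos exchanges in Python: AS (logon, TGT issued), TGS (service ticket issued) and AP (the client presents the service ticket to the host server). Kerberos encryption types are replaced by a small toy authenticated-encryption routine, the string-to-key function is a placeholder, and the realm (user jsmith with password Winter2003!, service cifs/fileserver, the fixed keys and the clock value) is constructed for the example. It also applies the 5-minute "Maximum tolerance for computer clock synchronization" from Kerberos Policy, so a client whose clock is 10 minutes off is refused, and a wrong password fails at pre-authentication before any ticket exists.

```python
import hashlib
import hmac
import json
import os
import secrets

# Kerberos Policy defaults: 5-minute clock tolerance, 10-hour user ticket lifetime.
CLOCK_SKEW_SECONDS = 300
TICKET_LIFETIME_SECONDS = 10 * 3600


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) standing in for a Kerberos encryption type.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message: nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def user_key(password: str) -> bytes:
    # Toy string-to-key. Windows derives the RC4-HMAC key from the NT hash (MD4 of the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16le")).digest()


class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) of a domain controller."""

    def __init__(self, krbtgt_key: bytes, users: dict, services: dict):
        self.krbtgt_key, self.users, self.services = krbtgt_key, users, services

    def as_exchange(self, cname: str, preauth: bytes, now: int):
        # AS-REQ carries PA-ENC-TIMESTAMP; a wrong password cannot produce a pre-authenticator the KDC can open.
        try:
            ts = unseal(self.users[cname], preauth)
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED (0x18)") from None
        if abs(now - ts["ctime"]) > CLOCK_SKEW_SECONDS:
            raise PermissionError("KRB_AP_ERR_SKEW (0x25)")
        session = secrets.token_hex(16)
        tgt = seal(self.krbtgt_key, {"cname": cname, "key": session, "endtime": now + TICKET_LIFETIME_SECONDS})
        return tgt, seal(self.users[cname], {"key": session})          # AS-REP: TGT + enc-part for the user

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int):
        # TGS-REQ: the TGT is opaque to the client; only the krbtgt key opens it.
        t = unseal(self.krbtgt_key, tgt)
        if now > t["endtime"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED (0x20)")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["cname"] != t["cname"] or abs(now - auth["ctime"]) > CLOCK_SKEW_SECONDS:
            raise PermissionError("KRB_AP_ERR_SKEW (0x25)")
        session = secrets.token_hex(16)
        ticket = seal(self.services[spn], {"cname": t["cname"], "key": session, "endtime": now + TICKET_LIFETIME_SECONDS})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session})  # TGS-REP: service ticket + enc-part


def application_server(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ: the resource server opens the ticket with its own key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"] or abs(now - auth["ctime"]) > CLOCK_SKEW_SECONDS:
        raise PermissionError("KRB_AP_ERR_SKEW (0x25)")
    return t["cname"]


# Constructed realm for the example: one user, one service, fixed keys (not real domain data).
KRBTGT_KEY, FILESERVER_KEY = b"K" * 32, b"S" * 32
KDC_NOW = 1_041_379_200   # 2003-01-01T00:00:00Z on the domain controller's clock


def logon_and_access(password: str, client_clock_offset: int = 0) -> str:
    """Interactive logon for jsmith followed by access to cifs/fileserver; returns the accepted principal."""
    kdc = KDC(KRBTGT_KEY, {"jsmith": user_key("Winter2003!")}, {"cifs/fileserver": FILESERVER_KEY})
    client_now = KDC_NOW + client_clock_offset
    ukey = user_key(password)
    tgt, enc = kdc.as_exchange("jsmith", seal(ukey, {"ctime": client_now}), KDC_NOW)
    tgt_session = bytes.fromhex(unseal(ukey, enc)["key"])       # only the right password recovers the TGT session key
    authenticator = seal(tgt_session, {"cname": "jsmith", "ctime": client_now})
    ticket, enc = kdc.tgs_exchange(tgt, authenticator, "cifs/fileserver", KDC_NOW)
    svc_session = bytes.fromhex(unseal(tgt_session, enc)["key"])
    return application_server(FILESERVER_KEY, ticket, seal(svc_session, {"cname": "jsmith", "ctime": client_now}), KDC_NOW)


if __name__ == "__main__":
    print(logon_and_access("Winter2003!"))   # jsmith
```

The password never leaves the client: it only ever serves as a key, and a wrong key surfaces as a pre-authentication failure at the KDC. The same clock check is what produces the "client time settings" logon failure listed later in the chapter.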

Slide 14: NTLM
- A challenge-response protocol: the password itself is never sent over the network
- Used with operating systems running Windows NT 4.0 or earlier, or with Windows 2000 and Windows Server 2003 when Kerberos cannot be used
- Protocol followed:
  - The user logs on; the client calculates a cryptographic hash of the password (the NT hash)
  - The client sends the user name to the domain controller

Slide 15: NTLM (continued)
- The domain controller generates a random challenge and sends it to the client
- The client encrypts the challenge with the hash of the password and sends the result to the domain controller (NTLMv1 does this with DES; NTLMv2, the variant preferred on Windows 2000 and later, computes an HMAC-MD5 keyed with the hash over the challenge and a client-supplied blob)
- The domain controller, which stores only the hash, calculates the value it expects from the client and compares it to the value received
- After successful authentication the domain controller returns the user's SID and group memberships, and the computer the user is accessing builds an access token from them for network access
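Added example, not part of the slides: the challenge-response computation on both sides for NTLMv2, which is what Windows 2000 and later negotiate when NTLM is used at all. MD4 is implemented inline because hashlib's md4 is disabled on many current OpenSSL builds. The user name jsmith, domain DOVERCORP, the two challenges and the timestamp are constructed inputs; the server's AV_PAIR target information is left empty to keep the blob short.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is disabled on many current OpenSSL builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                                           # round 1
            a = _rol((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                           # round 2
            a = _rol((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                           # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWF): MD4 of the UTF-16LE password. This is what the DC stores; the password itself is not."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (the domain keeps its case)."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, filetime: int, target_info: bytes = b"") -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp, for the 8-byte challenge the server sent."""
    # 'temp' per MS-NLMP: version 1.1, 6 reserved bytes, FILETIME timestamp, client nonce, 4 zero bytes,
    # the server's AV_PAIR list (empty here), 4 zero bytes.
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_key(nt_hash(password), user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def dc_verify(nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Domain controller side: recompute the proof from the stored NT hash and compare in constant time."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


if __name__ == "__main__":
    # Constructed exchange: user jsmith in domain DOVERCORP, fixed challenges, timestamp 2003-01-01T00:00Z.
    server_challenge, client_challenge = bytes(range(8)), b"\xaa" * 8
    response = client_response("password", "jsmith", "DOVERCORP", server_challenge, client_challenge, 126858528000000000)
    print(dc_verify(nt_hash("password"), "jsmith", "DOVERCORP", server_challenge, response))   # True
    print(dc_verify(nt_hash("password"), "jsmith", "DOVERCORP", bytes(8), response))           # False: other challenge
```

Two things the slide's summary hides are visible here: the verifier needs only the NT hash, never the password, so a stolen hash is as good as the password for NTLM; and the random server challenge is what stops a captured response from being replayed against a later challenge.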

Slide 16: User Profiles
- A collection of settings specific to a particular user
- Stored locally by default; a local profile does not follow the user who logs on to a different computer
- A roaming profile can be created; it does follow the user to different computers
- An administrator can create a mandatory profile, which the user cannot permanently alter

Slide 17: User Profile Folders and Contents (figure)

Slide 18: Local Profiles
- New profiles are created from the Default User profile folder
- A user can change the local profile, and the changes are stored uniquely for that user
- An administrator can manage elements of a profile: Change Type, Delete, Copy To

Slide 19: Activity 3-2: Testing Local Profile Settings
- Objective: configure and test a local user profile
- Start → Administrative Tools → Active Directory Users and Computers → Users → New → User
- Follow the directions to create a new user account; its local profile is created at first logon
- Explore and configure the profile's properties
- Test by logging on as the new user

Slide 20: Roaming Profiles
- Allow a profile to be stored on a central server and follow the user
- Provide the advantage of a single centralized location (helpful for backup)
- Configured on the Profile tab of the user account's properties in Active Directory Users and Computers
- Changing a profile from local to roaming requires care: copy the local profile to the share first (Copy To), then set the profile path

Slide 21: Activity 3-3: Configuring and Testing a Roaming Profile
- Objective: configure and test a roaming user profile
- Create a shared folder, copy a local profile to the folder, and configure the properties of the user account to use the roaming folder
- Follow the directions in the book to create, configure, and test the new roaming profile

Slide 22: Mandatory Profiles
- Local and roaming profiles allow users to make permanent changes
- Mandatory profiles allow changes only for the duration of a single session; they are discarded at logoff
- Local and roaming profiles can both be made mandatory by renaming the registry hive file in the profile folder: ntuser.dat → ntuser.man

Slide 23: Activity 3-4: Configuring a Mandatory Profile
- Objective: configure and test a mandatory user profile
- Start → My Computer
- Follow the directions to make the previously created test profile mandatory by renaming the file
- Test that no permanent changes can be made by the user

Slide 24: Creating and Managing User Accounts
- The standard tool is Active Directory Users and Computers
- There are also a number of command-line tools and utilities

Slide 25: Active Directory Users and Computers
- Available from the Administrative Tools menu
- Can be added to a Microsoft Management Console
- Can be run from the command line (dsa.msc)
- Graphical tool: can add, modify, move, delete, and search for user accounts
- Can configure multiple objects simultaneously

Slide 26: Activity 3-5: Creating User Accounts Using Active Directory Users and Computers
- Objective: use Active Directory Users and Computers to create user accounts
- Start → Administrative Tools → Active Directory Users and Computers
- Follow the directions to create a number of new user accounts

Slide 27: User Account Templates
- A user account that is pre-configured with common settings (group memberships, profile path, logon hours, and so on)
- Can be copied to create new user accounts that inherit the pre-defined settings
- The new account is then configured with its individual details
- A template account is normally left disabled so that no one can log on with it

Slide 28: Activity 3-6: Creating a User Account Template
- Objective: create a user account template and use the template to create a new user account
- Start → Administrative Tools → Active Directory Users and Computers
- Create a new user account template
- Use the %username% variable in the profile path so that it is automatically populated with the name of each account created from the template
- Follow the directions to create and explore a new user account from the template

Slide 29: Command Line Utilities
- Some administrators prefer working from the command line
- Command-line tools can be scripted, which automates the creation or management of accounts more flexibly than the graphical tool

Slide 30: DSADD
- Adds objects to the directory: computer accounts, contacts, quotas, OUs, users, etc.
- Syntax for a user account: dsadd user <distinguished-name> [switches]
- Switches include -pwd (password), -memberof, -profile, -disabled
- Passing the password on the command line leaves it in the command history; -pwd * prompts for it instead

Slide 31: Activity 3-7: Creating User Accounts Using DSADD
- Objective: use the dsadd user command to create new user accounts
- Start → Run
- Follow the directions to enter the dsadd command
- Check the result in Active Directory Users and Computers
- Enter a new dsadd command and again check the results

Slide 32: DSMOD
- Modifies existing objects from the command line: computer accounts, users, quotas, OUs, servers, etc.
- Syntax for modifying a user account: dsmod user <distinguished-name> [switches]
- Can modify multiple accounts simultaneously, either by listing several distinguished names or by piping them in from dsquery

Slide 33: Activity 3-8: Modifying User Accounts Using DSMOD
- Objective: modify existing user account properties using the dsmod user command
- Start → Run
- Follow the directions to enter a dsmod command for a single user
- Check the result in Active Directory Users and Computers
- Enter a new dsmod command for multiple users
- Check the results in Active Directory Users and Computers

Slide 34: DSQUERY
- Queries various object types from the command line
- Supports the wildcard (*)
- Output can be redirected to another command (piped), for example into dsmod to change every account the query returns
- Example: return all user accounts whose passwords have not been changed for at least 14 days:
  dsquery user domainroot -name * -stalepwd 14

Slide 35: DSMOVE
- Moves objects from their current location to a new location
- Can also rename objects (-newname)
- Only moves within the same domain (otherwise use MOVETREE)
- Example: move a user account into the Marketing OU:
  dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"

Slide 36: DSRM
- Deletes objects from the directory
- Can delete a single object or an entire subtree (-subtree)
- Prompts for confirmation by default; -noprompt overrides the prompt
- Example: delete the Marketing OU and all its contained objects without a confirmation prompt (-c continues past errors instead of stopping):
  dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
- Windows Server 2003 has no Active Directory Recycle Bin; recovering a deleted subtree means an authoritative restore from backup, so check the distinguished name before using -noprompt

Slide 37: Bulk Import and Export
- Allows an organization to import existing stores of data rather than recreating them from scratch
- Allows an organization to export data that is already structured in Active Directory to secondary databases
- Two command-line utilities for import and export: CSVDE and LDIFDE

Slide 38: CSVDE
- Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
- CSV files can be created and edited with text editors or spreadsheet programs
- Example (exports the current domain): csvde -f output.csv
- On import, CSVDE can only add objects (no modify or delete) and cannot set passwords, so imported user accounts are created disabled

Slide 39: LDIFDE
- Command-line tool to bulk export and import Active Directory data to and from LDIF files
- LDIF (LDAP Data Interchange Format) is the industry-standard text format (RFC 2849) for entries in LDAP directories
- Each attribute/value pair is on its own line, with blank lines between objects
- Can be read in text-based editors
- Unlike CSVDE, LDIFDE can also modify and delete objects (changetype: modify, changetype: delete)
- Common uses: extending the AD schema, importing bulk data to populate AD, manipulating user and group objects

Slide 40: Activity 3-9: Exporting Active Directory Users Using LDIFDE
- Objective: export Active Directory user accounts using LDIFDE
- Start → Run
- Follow the directions to enter the ldifde command
- Check the exported results in Notepad
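Added example, not part of Activity 3-9: a Python parser for the kind of file LDIFDE produces (folded continuation lines, base64 values marked with "::", multi-valued attributes) followed by the checks an administrator would otherwise run with dsquery user -disabled and -stalepwd, plus two userAccountControl bits worth knowing about. The LDIF text is constructed in the shape of an ldifde -f export of domain01.dovercorp.net; the accounts, timestamps and values are made up.

```python
import base64
from datetime import datetime, timedelta, timezone

# userAccountControl flags (subset of the documented ADS_USER_FLAG values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # set when "Store password using reversible encryption" applies
UAC_NORMAL_ACCOUNT = 0x0200               # 512, the value of an ordinary enabled user
UAC_DONT_EXPIRE_PASSWD = 0x10000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of an ldifde -f export (not a real directory).
SAMPLE_LDIF = """\
dn: CN=Paul Kohut,OU=Marketing,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: pkohut
userAccountControl: 512
pwdLastSet: 126858528000000000
description:: RXhwb3J0ZWQgdmlhIExE
 SUZERQ==

dn: CN=Svc Backup,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: svcbackup
userAccountControl: 66178
pwdLastSet: 126852480000000000

dn: CN=New Hire,OU=Marketing,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: newhire
userAccountControl: 512
pwdLastSet: 0
"""


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet, lastLogon and friends are FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def _unfold(text: str) -> list:
    # LDIF folds long values: a continuation line starts with a single space.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Parse LDIF records into dicts of attribute -> list of values ("::" marks a base64-encoded value)."""
    records, current = [], {}
    for line in _unfold(text) + [""]:
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return records


def audit_users(records: list, now_utc: str, stale_days: int = 14) -> dict:
    """Return sAMAccountName -> set of findings; now_utc is an ISO date such as '2003-01-10'."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    findings = {}
    for rec in records:
        if "user" not in rec.get("objectClass", []):
            continue
        sam = rec["sAMAccountName"][0]
        uac = int(rec.get("userAccountControl", ["0"])[0])
        pwd_last_set = int(rec.get("pwdLastSet", ["0"])[0])
        flags = set()
        if uac & UAC_ACCOUNTDISABLE:
            flags.add("disabled")
        if uac & UAC_ENCRYPTED_TEXT_PWD_ALLOWED:
            flags.add("reversible_encryption")      # the DC holds a plaintext-equivalent of this password
        if uac & UAC_DONT_EXPIRE_PASSWD:
            flags.add("password_never_expires")      # exempt from Maximum password age
        if pwd_last_set == 0:
            flags.add("must_change_password")        # "User must change password at next logon"
        elif (now - filetime_to_datetime(pwd_last_set)).days >= stale_days:
            flags.add("stale_password")              # what dsquery user -stalepwd 14 would return
        findings[sam] = flags
    return findings


if __name__ == "__main__":
    for sam, flags in audit_users(parse_ldif(SAMPLE_LDIF), "2003-01-10").items():
        print(sam, sorted(flags))
```

The value 66178 in the sample decodes to 0x10282: NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWD, ENCRYPTED_TEXT_PWD_ALLOWED and ACCOUNTDISABLE, which is exactly the sort of combination a bulk export makes easy to spot.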

Slide 41: Troubleshooting User Account and Authentication Issues
- Normally, creating and configuring user accounts is straightforward
- Issues that do arise are usually related to the configuration of the account or to policy settings

Slide 42: Account Policies
- Authentication-related policy settings, configured in the Account Policies node of a Group Policy object (Computer Configuration → Windows Settings → Security Settings → Account Policies)
- Three sub-nodes: Password Policy, Account Lockout Policy, Kerberos Policy
- For domain accounts these settings are read only from GPOs linked at the domain level; a GPO linked to an OU affects only the local accounts of computers in that OU
- The Default Domain Policy is opened from the Group Policy tab of the domain's Properties in Active Directory Users and Computers
- It configures the policies for all domain users: Windows Server 2003 supports one password and lockout policy per domain

Slide 43: Password Policy
- Enforce password history (number of previous passwords remembered, to prevent reuse)
- Maximum password age
- Minimum password age (stops a user from cycling through the history back to the old password)
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption: leave this disabled unless an application that needs the plaintext password (such as CHAP or Digest authentication) requires it, because with it enabled the domain controller effectively holds the plaintext password

Slide 44: Account Lockout Settings
- Account lockout duration (0 means the account stays locked until an administrator unlocks it)
- Account lockout threshold (number of failed attempts; 0 means accounts are never locked out)
- Reset account lockout counter after (the window within which failed attempts accumulate)
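Added example covering both the Password Policy and the Account Lockout Settings slides (not from the textbook): the complexity rule a domain controller applies when a password is set, and the bad-password counter and lockout state that the three lockout settings drive. The policy values, the account pkohut with display name Paul Kohut, and the candidate passwords are constructed; the complexity check is simplified to four character classes, and times are plain seconds.

```python
import re
from dataclasses import dataclass


@dataclass
class AccountPolicy:
    # Password Policy
    min_length: int = 7
    complexity: bool = True
    # Account Lockout Policy, in minutes. Windows ships with lockout OFF (threshold 0).
    lockout_threshold: int = 5
    lockout_duration_min: int = 30      # 0 means locked until an administrator unlocks
    reset_counter_min: int = 30         # "Reset account lockout counter after"


def meets_complexity(password: str, sam_account_name: str, display_name: str) -> bool:
    """'Password must meet complexity requirements': no account name, no 3+ char name token, 3 of 4 classes."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    # Full-name tokens are split on , . - _ space # and tab; tokens shorter than 3 characters are ignored.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def password_acceptable(policy: AccountPolicy, password: str, sam: str, display: str) -> bool:
    """Minimum length plus, if enabled, the complexity rule (history and age checks omitted here)."""
    if len(password) < policy.min_length:
        return False
    return meets_complexity(password, sam, display) if policy.complexity else True


class LockoutTracker:
    """Per-account bad-password counter and lockout state as a DC applies the Account Lockout Policy."""

    def __init__(self, policy: AccountPolicy):
        self.policy = policy
        self.bad = {}          # user -> (badPwdCount, time of the last bad attempt)
        self.locked_at = {}    # user -> lockoutTime

    def is_locked(self, user: str, now: int) -> bool:
        locked_at = self.locked_at.get(user)
        if locked_at is None:
            return False
        if self.policy.lockout_duration_min == 0:
            return True                                   # stays locked until unlock()
        if now - locked_at >= self.policy.lockout_duration_min * 60:
            self.unlock(user)                             # duration elapsed: automatic unlock
            return False
        return True

    def unlock(self, user: str) -> None:
        self.locked_at.pop(user, None)
        self.bad.pop(user, None)

    def logon(self, user: str, password_ok: bool, now: int) -> str:
        if self.is_locked(user, now):
            return "locked"                               # even the correct password is refused while locked
        if password_ok:
            self.bad.pop(user, None)
            return "success"
        count, last = self.bad.get(user, (0, now))
        if now - last >= self.policy.reset_counter_min * 60:
            count = 0                                     # observation window elapsed: counter resets
        count += 1
        self.bad[user] = (count, now)
        if self.policy.lockout_threshold and count >= self.policy.lockout_threshold:
            self.locked_at[user] = now
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    policy = AccountPolicy()
    print(password_acceptable(policy, "Winter2003!", "pkohut", "Paul Kohut"))   # True
    print(password_acceptable(policy, "Kohut2003!", "pkohut", "Paul Kohut"))    # False: contains a name token
    tracker = LockoutTracker(policy)
    print([tracker.logon("pkohut", False, t) for t in range(5)])               # four bad_password, then locked
```

Note what the threshold does not do: an attacker who tries one password against every account, waiting out the reset window between rounds, never reaches the threshold on any single account. Lockout limits online guessing per account; it does not replace password quality, and a threshold set too low hands the same attacker a denial-of-service tool.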

Slide 45: Kerberos Policy
- Enforce user logon restrictions (the KDC checks the user's logon rights on each ticket request)
- Maximum lifetime for service ticket (default 600 minutes)
- Maximum lifetime for user ticket (default 10 hours)
- Maximum lifetime for user ticket renewal (default 7 days)
- Maximum tolerance for computer clock synchronization (default 5 minutes)

Slide 46: Auditing Authentication
- Audit account logon events records the Kerberos and NTLM authentication that a domain controller performs (Audit logon events, by contrast, records the logon on the computer being accessed)
- Configured in the Group Policy object linked to the Domain Controllers OU (Default Domain Controllers Policy)
- The default is to audit only successful logons
- Events are viewable in the Security log (use Event Viewer)
- Auditing failed logons as well may be helpful for troubleshooting
- Failure events carry codes that identify the type of failure: on a Windows Server 2003 domain controller, Kerberos pre-authentication failures are event ID 675 with a failure code (0x18 wrong password, 0x12 account disabled, expired or locked out, 0x25 clock skew too great), and NTLM failures are event ID 680 with an NTSTATUS code (0xC000006A wrong password, 0xC0000234 account locked out)

Slide 47: Resolving Logon Issues
- Some common logon issues (and fixes):
- Incorrect user name or password (administrative password reset)
- Account lockout (manual unlock)
- Account disabled (administrative enable)
- Logon hour restrictions (check the account restrictions)
- Workstation restrictions (check the account restrictions)
- Domain controller cannot be located (check the client's configured DNS settings)
- Client time settings (check client clock synchronization; Kerberos rejects requests outside the configured tolerance)

Slide 48: Resolving Logon Issues (continued)
- Down-level client issues (install the Active Directory Client Extensions)
- UPN logon issues (check that a Global Catalog server is available)
- Unable to log on locally (set the Allow log on locally policy on the local server)
- Remote access logon issues (check the permission on the Dial-in tab of the account's properties)
- Terminal Services logon issues (check the Allow logon to terminal server permission)

Slide 49: Summary
- A user account is an object stored in Active Directory containing the information that defines the user and the user's access to the network
- Primary tools to create and manage user accounts: Active Directory Users and Computers, and the command-line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
- Two main authentication processes: interactive authentication and network authentication

Slide 50: Summary (continued)
- Two main authentication protocols: Kerberos v5 and NTLM
- User profiles are used to configure and customize the desktop environment: local, roaming, mandatory
- Utilities for bulk importing and exporting user data to and from Active Directory: LDIFDE and CSVDE