5.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure Lesson 5: Administering User Accounts

Planning Strategies for Creating User Accounts (Skill 1)
User account
- A form of identification for a user on a Windows Server 2003 network
- Used to build the user ticket (also known as a TGT, or Ticket Granting Ticket)
  - Contains a list of the Security IDs (SIDs) associated with the user account and all groups of which that user account is a member
  - Used to prove that the user account is valid and to construct session tickets

Planning Strategies for Creating User Accounts (2) (Skill 1)
- When the user wants to access a resource, the OS sends the user ticket to the domain controller with a special Kerberos request
- The session ticket is presented to the specific computer controlling the resources as a form of identification
- The resource server compares the SIDs in the token or ticket to a Discretionary Access Control List (DACL) on the resource

Planning Strategies for Creating User Accounts (3) (Skill 1)
- DACLs are composed of Access Control Entries (ACEs)
- Each ACE contains the SID for a user account or group and the permissions applied to it
- Through this mechanism, a resource determines what level of access each user account should have, and grants an access token to the user for the user’s specific access level
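
The SID-against-DACL comparison described on these slides, as an added Python sketch that is not part of the original deck. The SIDs and permission bits are constructed; the rules shown (ordered evaluation, a missing DACL granting everything, an empty DACL granting nothing) are standard Windows access-check behavior in simplified form, with ACE inheritance and owner rights left out.

```python
from dataclasses import dataclass

# Constructed permission bits and SIDs, for illustration only.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SALES = "S-1-5-21-1111111111-2222222222-3333333333-1110"
CONTRACTORS = "S-1-5-21-1111111111-2222222222-3333333333-1120"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # SID of the user or group this entry applies to
    mask: int   # permission bits the entry allows or denies


def access_check(token_sids, dacl, desired):
    """Decide whether a caller holding token_sids gets every bit in `desired`.

    dacl=None models a resource with no DACL at all (full access for everyone);
    an empty list models an empty DACL (no access for anyone).
    """
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:                      # entries are evaluated in stored order
        if ace.sid not in token_sids:
            continue                      # entry is for someone else
        if ace.kind == "deny":
            if ace.mask & remaining:      # denies a right not yet granted
                return False
        else:
            remaining &= ~ace.mask        # allow entries accumulate
            if remaining == 0:
                return True
    return False                          # some requested right was never granted


def is_canonical(dacl):
    """True when no deny entry follows an allow entry (deny-first ordering)."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# The user's ticket lists the user SID plus every group SID.
TOKEN = {USER, SALES, CONTRACTORS}

# Deny entries first: contractors may never write, sales staff may read and write.
CANONICAL = [Ace("deny", CONTRACTORS, WRITE), Ace("allow", SALES, READ | WRITE)]

# Same entries in the wrong order: the allow entry is reached first,
# so the deny entry never takes effect for WRITE.
MISORDERED = list(reversed(CANONICAL))

if __name__ == "__main__":
    for name, dacl in (("canonical", CANONICAL), ("misordered", MISORDERED)):
        print(name, "READ:", access_check(TOKEN, dacl, READ),
              "WRITE:", access_check(TOKEN, dacl, WRITE),
              "deny-first:", is_canonical(dacl))
```

The misordered list is the case to look for when auditing permissions set by scripts: the entries are identical, yet the deny entry no longer blocks the write.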

Planning Strategies for Creating User Accounts (4) (Skill 1)
- You can create user accounts manually or by writing scripts
- To create accounts manually, you use the Active Directory Users and Computers console
- To script a user account, you need to be familiar with at least one scripting language, such as VBScript or JScript

Planning Strategies for Creating User Accounts (5) (Skill 1)
- It is very important to plan your user accounts before you actually create them
- Parameters you need to consider while planning
  - Naming conventions
  - Password requirements
  - Account options

Planning Strategies for Creating User Accounts (6) (Skill 1)
- Naming conventions
  - A good naming convention makes it easy for users to remember their logon names
  - Also provides for cases in which two users have the same name
- Password requirements
  - Each user account will typically be assigned a password
  - Passwords prevent unauthorized access to a domain or a computer

Planning Strategies for Creating User Accounts (7) (Skill 1)
- Account options
  - It is also important to consider certain properties before you create user accounts
  - Log On To option specifies the computers to which a user can log on
  - Logon Hours section allows you to specify which hours of the day and days of the week a user can log on
  - Account Expires section allows you to predefine when a user account will expire

Figure 5-1: Setting user account properties (Skill 1)

Planning Strategies for Creating User Accounts (9) (Skill 1)
- Active Directory Services Interfaces (ADSI)
  - You can use ADSI to create scripts
  - ADSI is a fully programmable automation object available for administrators
- You can also create user accounts in batches from a .csv or an .ldif file using the Csvde.exe or Ldifde.exe utilities
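
An added example, not from the original slides, that ties the naming-convention slide to the Csvde.exe batch import: it derives logon names that stay unique when two users share a name and writes an import file. The OU, UPN suffix, sample names and the first-initial-plus-surname convention are assumptions; accounts are written disabled (userAccountControl 514) because Csvde.exe cannot set passwords.

```python
import csv
import io
import re

# Characters that are rejected in a pre-Windows 2000 logon name (sAMAccountName).
_INVALID = re.compile(r'["/\\\[\]:;|=,+*?<>@\s]')
MAX_SAM_LEN = 20            # length limit for a user's sAMAccountName
UAC_DISABLED_NORMAL = 514   # NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
HEADER = ["DN", "objectClass", "sAMAccountName",
          "userPrincipalName", "displayName", "userAccountControl"]


def logon_name(first, last, taken):
    """Assumed convention: first initial + surname, lower case.

    On a clash, append 2, 3, ... while staying inside the 20-character limit.
    `taken` is a set of lower-case names already in use; it is updated in place.
    """
    base = _INVALID.sub("", (first[:1] + last).lower()).rstrip(".")
    if not base:
        raise ValueError(f"cannot derive a logon name from {first!r} {last!r}")
    candidate, n = base[:MAX_SAM_LEN], 1
    while candidate in taken:
        n += 1
        suffix = str(n)
        candidate = base[:MAX_SAM_LEN - len(suffix)] + suffix
    taken.add(candidate)
    return candidate


def escape_rdn(value):
    """Backslash-escape the characters that are special inside a DN component."""
    return re.sub(r'([,+"\\<>;=])', r'\\\1', value.strip())


def build_csvde_import(people, ou_dn, upn_suffix, existing=()):
    """Return the text of a CSV import file for (first, last) pairs.

    `existing` lists logon names already present in the domain.
    """
    taken = {name.lower() for name in existing}
    used_cns = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for first, last in people:
        sam = logon_name(first, last, taken)
        display = f"{first} {last}"
        # Two people with the same full name also need distinct CNs in one OU.
        cn = display if display.lower() not in used_cns else f"{display} ({sam})"
        used_cns.add(display.lower())
        writer.writerow([f"CN={escape_rdn(cn)},{ou_dn}", "user", sam,
                         f"{sam}@{upn_suffix}", display, UAC_DISABLED_NORMAL])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample data.
    staff = [("John", "Smith"), ("Jane", "Smith"), ("Jane", "Smith"),
             ("Ann", "Lee, Jr.")]
    print(build_csvde_import(staff, "OU=Staff,DC=example,DC=com",
                             "example.com", existing=["jsmith"]), end="")
```

The resulting file is imported with `csvde -i -f users.csv`; each account then needs a password set and must be enabled before first logon.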

Creating a Local User Account (Skill 2)
Local user accounts
- Are created so that users can log on only to a specific computer and access the resources on only that computer
- In order for a user using a local user account to access resources on other computers, a local user account must be created with the same name and password on all computers that the user needs to access
- This is because local user accounts are stored only in the computer’s local security database

Creating a Local User Account (2) (Skill 2)
Local user accounts
- Are not replicated to domain controllers
- When a user logs on to a computer, the operating system uses its local security database to authenticate the local user account
- Similarly, when a user attempts to access a workgroup resource, the computer providing the resource uses its local accounts database to authenticate the user account

Creating a Local User Account (3) (Skill 2)
Local user accounts
- If you create a local user account on a computer that requires access to domain resources, the user cannot access the resources in the domain unless an identical domain user account is created
- In this situation, the domain does not recognize local user accounts
- Furthermore, the domain administrator cannot manage local user account properties or assign access permissions to the user for domain resources using the local computer

Creating a Local User Account (4) (Skill 2)
Local user accounts
- If you have administrative rights, you can use the Local Users and Groups snap-in in the Computer Management console
- From this console, you can create, delete, or disable local user accounts on a local computer

Figure 5-2: Local security database (Skill 2)

Figure 5-3: Creating a local user account (Skill 2)

Creating a Domain User Account (Skill 3)
- You use a domain user account to log on to a domain and access network resources
- You can create a domain user account in an OU on a domain controller
- The domain controller then replicates the new user account information to all other domain controllers in the domain
- After replication, all domain controllers in the domain will be able to authenticate the user

Creating a Domain User Account (2) (Skill 3)
- In addition, all trusting domains can now allow the user account to gain access to their resources
- You use the Active Directory Users and Computers console to create domain user accounts

Creating a Domain User Account (3) (Skill 3)
Logon process
- A user provides a logon name and password (or inserts a smart card and provides a PIN)
- Windows Server 2003 uses this information to authenticate the user and build a user ticket that contains the user’s identification and security settings
- The purpose of the user ticket is to identify the user account in order to build session tickets, which are then used to identify the user to the domain member computers
- An access token is generated to allow the user specific levels of access

Creating a Domain User Account (4) (Skill 3)
- Active Directory domain names are usually the full DNS name of the domain
- For backward compatibility, each domain also has a pre-Windows 2000 name that is used by computers running pre-Windows 2000 operating systems
- This name can be used to log on to a Windows 2000 or Windows Server 2003 domain from computers running Windows 2000 or XP operating systems

Figure 5-4: Domain user account (Skill 3)

Figure 5-5: Creating a domain user account (Skill 3)

Figure 5-6: Setting a password for a new domain user account (Skill 3)

Creating a Domain User Account (5) (Skill 3)
- Built-in user accounts are created by default during the installation of Windows Server 2003
- Administrator built-in user account
  - Used to perform administrative tasks
    - Creating and managing user accounts
    - Setting account properties
    - Assigning permissions to user accounts to access resources
  - Used to gain access to network resources

Creating a Domain User Account (6) (Skill 3)
Built-in Guest account
- Used to give users access to resources for a short time
- Is disabled by default

Figure 5-7: Summary screen for a new domain user account (Skill 3)

Setting User Account Properties (Skill 4)
- Every user account you create has a set of default properties you can configure
  - Including personal information, logon settings, dial-in settings, and Terminal Services settings for a user
- The personal properties you define for a domain user account are useful when conducting user searches based on very specific information

Setting User Account Properties (2) (Skill 4)
- Logon settings are used to specify the logon hours for a user
- Dial-in settings for a user account are used to specify if and how a user can make a dial-up connection from a remote location
- Terminal Services properties provide the ability to connect to a server from a remote location

Setting User Account Properties (4) (Skill 4)
- You can save a lot of time by filling out the common fields shared between user accounts in a “template” account
- A template account is a disabled account that is used as a model for creating other accounts
- After filling out the appropriate fields, you can right-click the account and select Copy to create a new account with most of your pre-defined fields already filled in

Figure 5-9: Setting user account properties (Skill 4)

Figure 5-10: Specifying logon hours for a user account (Skill 4)
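
Behind the Logon Hours dialog, the setting is stored on the user object as the 21-byte logonHours attribute: one bit per hour of the week in UTC, starting Sunday 00:00. The following added example (not part of the original slides; the attribute layout is background knowledge and the sample schedule is constructed) encodes and decodes that bitmap so restrictions can be audited, including the time-zone shift between what the dialog shows and what is stored.

```python
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
HOURS_PER_WEEK = 7 * 24            # 168 one-hour slots
BLOB_LEN = HOURS_PER_WEEK // 8     # 21 bytes


def encode_logon_hours(allowed_local, utc_offset_hours=0):
    """Build the 21-byte bitmap from (day_index, hour) pairs in local time.

    day_index 0 is Sunday; utc_offset_hours is local time minus UTC (e.g. -5).
    """
    blob = bytearray(BLOB_LEN)
    for day, hour in allowed_local:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"bad slot: day={day} hour={hour}")
        # Convert to UTC; slots that fall off either end wrap around the week.
        slot = (day * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
        blob[slot // 8] |= 1 << (slot % 8)   # bit 0 of byte 0 = Sunday 00:00 UTC
    return bytes(blob)


def decode_logon_hours(blob, utc_offset_hours=0):
    """Return {day: [permitted hours]} in local time.

    blob=None models an account where the attribute is not set, which places
    no restriction on logon hours.
    """
    if blob is None:
        return {day: list(range(24)) for day in DAYS}
    if len(blob) != BLOB_LEN:
        raise ValueError(f"expected {BLOB_LEN} bytes, got {len(blob)}")
    table = {day: [] for day in DAYS}
    for slot in range(HOURS_PER_WEEK):
        if (blob[slot // 8] >> (slot % 8)) & 1:
            local = (slot + utc_offset_hours) % HOURS_PER_WEEK
            table[DAYS[local // 24]].append(local % 24)
    for hours in table.values():
        hours.sort()
    return table


def is_unrestricted(blob):
    """True when the account may log on at any hour of the week."""
    return blob is None or blob == b"\xff" * BLOB_LEN


# Constructed schedule: Monday to Friday, 08:00 to 17:00, in a UTC-5 office.
BUSINESS_HOURS = [(day, hour) for day in range(1, 6) for hour in range(8, 17)]

if __name__ == "__main__":
    blob = encode_logon_hours(BUSINESS_HOURS, utc_offset_hours=-5)
    print("stored bytes:", blob.hex())
    print("as stored (UTC):", decode_logon_hours(blob)["Mon"])
    print("as shown in UTC-5:", decode_logon_hours(blob, -5)["Mon"])
    print("unrestricted:", is_unrestricted(blob))
```

Reading the raw bytes without applying the offset shifts every permitted hour, so an audit that compares stored values against a written policy has to convert to the same time zone first.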

Introducing User Profiles (Skill 5)
- A user profile is a collection of data
  - User’s personal data
  - Desktop settings
  - Printer connections
  - Network connections
- User profiles help to provide a consistent desktop environment each time a user logs on to the computer

Introducing User Profiles (2) (Skill 5)
- User profiles enable multiple users to work from the same computer or a single user to work from multiple computers on a network without changing any of the settings
- User profiles can be stored on a server so that users can use them on any computer running Microsoft Windows NT 4.0 or later
- They also store the application settings for applications that comply with Microsoft’s software development guidelines

Introducing User Profiles (3) (Skill 5)
- User profiles are stored in the Documents and Settings folder, by default, with the sole exception of servers and clients upgraded from Windows NT or Windows 9x, in which case they are stored in a \Profiles folder

Introducing User Profiles (4) (Skill 5)
- There are three types of user profiles
  - Local user profiles
  - Roaming user profiles
  - Mandatory user profiles

Introducing User Profiles (5) (Skill 5)
Local user profile
- Is limited to the computer you log on to and is stored on the system’s local hard disk
- Is created the first time you log on to a computer by copying the settings in the Default User profile, and it is the default type of profile
- Any changes you make to your local user profile are also specific to the computer on which you made the changes

Introducing User Profiles (6) (Skill 5)
- Local user profiles are stored in the folder %Systemdrive%:\Documents and Settings\user_logon_name
  - systemdrive is the system drive letter
  - user_logon_name is the name the user uses to log on to the system

Figure 5-11: A sample user profile folder (Skill 5)

Introducing User Profiles (7) (Skill 5)
Roaming user profile
- A profile that is stored on a network server and retrieved at user logon
- Useful when users have to work on multiple computers on a network, because they can have a uniform desktop on all computers they use

Introducing User Profiles (8) (Skill 5)
Roaming user profile
- To enable a roaming profile, you must configure a network path to the roaming profile in the Properties dialog box for the user account
- The profile is then available to the user from all computers in the domain
- Any changes the user makes to the roaming user profile are also updated on the server

Introducing User Profiles (9) (Skill 5)
Roaming user profile
- Users can view their individual settings on any computer on the network
- When the user logs on to a network computer for the first time, the operating system copies the roaming user profile from the network server to the local user profile and temporarily applies the roaming user profile settings to that computer
- The profile files are copied to the local profile at logon, and the changes are transferred back to the server at log off

Introducing User Profiles (10) (Skill 5)
Roaming user profile
- In the User Profiles dialog box on the local computer (which is accessed by clicking the Change Type button on the Advanced tab in the System Properties dialog box), the user’s profile is automatically set to Roaming
- Subsequently, when that user logs on again, Windows Server 2003 copies only the files that have changed since the last time the user logged on

Introducing User Profiles (11) (Skill 5)
Roaming user profile
- When the user logs off, Windows Server 2003 copies the changes made to the local copy of the roaming user profile back to the network server
- Roaming profiles consume large amounts of network bandwidth
  - This is due to creating folder structures either on the desktop or in the My Documents folder and placing large quantities of data in these locations

Introducing User Profiles (12) (Skill 5)
Mandatory user profile
- A type of roaming profile used to specify particular settings for individuals or a group
- It does not permanently save the desktop settings made by a user
- The settings are applied to the local computer each time the user logs on
- This profile helps you to create a default user profile that is suited specifically for a user’s tasks

Introducing User Profiles (13) (Skill 5)
Mandatory user profile
- Set up a mandatory user profile for specific users
  - These users will be able to modify the desktop settings while they are logged on
  - None of these changes will be retained when they log off
- Creating a mandatory user profile
  - Involves the same steps as creating a roaming profile, with one exception
  - After creating a roaming profile, go to the appropriate network share point and rename the ntuser.dat file to ntuser.man

Introducing User Profiles (14) (Skill 5)
- The All Users folder in %Systemdrive%:\Documents and Settings is used to modify all profiles applied to an individual computer
- Any changes made to the All Users folder will apply to every profile for every user that logs on to this computer

Figure 5-13: Contents of the All Users folder (Skill 5)

Creating a Roaming User Profile (2) (Skill 6)
Suggested practices
- Always create standard roaming user profiles on the file server that you back up most frequently
- This helps you to track copies of the latest roaming user profiles

Creating a Roaming User Profile (4) (Skill 6)
- Standard roaming user profiles provide certain benefits and streamline troubleshooting
  - For example, you can provide a standard desktop environment to multiple users with similar job profiles
  - As another example, the system support team can identify solutions for problems more efficiently (because the team is familiar with the user profile settings)

Creating a Roaming User Profile (5) (Skill 6)
To create a standard roaming user profile
1. Create a shared folder on the server
2. Create a user profile template with the appropriate configuration
3. Copy the user profile template to the shared folder on the server and specify the users who will have access to the profile
4. Specify the path to the profile template in the user account

Figure 5-14: Assigning Full Control to the Authenticated Users Group (Skill 6)

Figure 5-16: The User Profiles dialog box (Skill 6)

Figure 5-17: Copying the user profile template to the shared folder (Skill 6)

Figure 5-18: Selecting the user who will be permitted to use the profile (Skill 6)

Figure 5-19: Specifying the path to the roaming user profile (Skill 6)

Creating a Home Folder on a Server (Skill 7)
- The My Documents folder is the default location for users to store their data
- You can specify a different Home folder as the default storage location instead
- A Home folder is generally used when users want to store data in a folder that is not computer-dependent and that is easily accessible from any computer on the network
- It usually exists on a server, which means that it is typically backed up nightly as part of the server backup schedule

Creating a Home Folder on a Server (2) (Skill 7)
- Ideally, you can store the Home folders for all users on a network server because this provides certain benefits
  - You can centralize the administration of user documents
  - Users can access their Home folders from any computer on the network
  - Users can locate their Home folders from a client computer that is running any Microsoft operating system

Creating a Home Folder on a Server (3) (Skill 7)
- By storing a Home folder in a shared folder on a file server, administrative tasks, such as backing up user documents, are also centralized
- The size of the Home folder does not affect network traffic during logon because the Home folder does not belong to any roaming user profile

Figure 5-20: Specifying the path of the Home folder (Skill 7)

Figure 5-21: Home folder for a user (Skill 7)

Maintaining User Accounts (Skill 8)
- As a network administrator, you must maintain user accounts based on the needs of your organization
- Typical user account maintenance tasks
  - Modifying user accounts
  - Resetting passwords
  - Unlocking user accounts

Maintaining User Accounts (2) (Skill 8)
- You can modify user accounts in many ways
  - Rename a user account
  - Disable or enable a user account
  - Delete a user account
- To modify user accounts, you need at least the Write permission for the user account

Maintaining User Accounts (3) (Skill 8)
- You can reset passwords when a user’s password expires before the user has a chance to change it
- In some cases, users might even forget their passwords
- You do not need to know the old password in order to reset a password
- After the administrator or the user sets a password for a user account, the password is not viewable to anyone, including the administrator

Maintaining User Accounts (4) (Skill 8)
- Windows Server 2003 can lock user accounts for users who violate the account lockout policy
- In such cases, the user can either wait until the lockout period expires (usually 30 minutes), or contact an administrator to unlock the user account

Maintaining User Accounts (5) (Skill 8)
To unlock a user account
1. Open the Account tab on the Properties dialog box for the user account
2. Clear the Account is locked out check box
- It is important to understand that the Account is locked out check box will be active only when the system has locked out a user account
- You cannot manually lock out a user account

Figure 5-26: Unlocking a locked out account (Skill 8)

Managing Users (Skill 9)
- Managing users is a huge part of the network administrator's job
- Tasks such as disabling accounts, renaming accounts, and changing passwords are fairly common on production networks
- Other user account management tasks include moving accounts within a domain, mapping certificates to user accounts, and changing UPN suffixes

Managing Users (2) (Skill 9)
Moving accounts within a domain
- You move an account within a domain to change the OU or container in which the account is currently located
- This allows different delegated permissions and Group Policies to apply to the account
- In Windows Server 2003, you can use the Shift or Control key to select and move multiple user objects at once

Managing Users (11) (Skill 9)
Planning password policy
- You use Group Policy to set the Password policy for your network
- Passwords should be memorable to your users, yet be completely unrelated to them personally
- They should consist of uppercase and lowercase letters, numbers, and special characters
- The length of the password is also extremely important, as a longer password takes longer to crack using dictionary or brute-force techniques

Managing Users (12) (Skill 9)
Planning password policy
Understanding UPNs and their effect on logins with your user accounts
- UPNs are easy-to-remember logons that can be used in Windows XP, Windows 2000, and Windows Server 2003
- They are in the format of
- The idea behind a UPN is to reduce the amount of memorization a user has to perform to log on

Managing Users (13) (Skill 9)
Planning password policy
Understanding UPNs and their effect on logins with your user accounts
- UPNs allow the user to type their address and password, and have the domain automatically selected based on this information
- The only problem is that your domain may not match your actual Windows domain name
- Make sure that the user account has the correct UPN suffix to match the address

Managing Users (14) (Skill 9)
Planning password policy
Understanding UPNs and their effect on logins with your user accounts
- To make sure that the user account has the correct UPN suffix to match the address
  1. Open the Active Directory Domains and Trusts console and add the UPN suffix
  2. In the Properties dialog box for the user account (in the Active Directory Users and Computers console), modify the UPN suffix applied to the account

Managing Users (15) (Skill 9)
Planning password policy
- Since UPN suffixes have no relation to the domain, a global catalog server must be reached to determine the correct domain for the user
- When users log on using their UPN, they determine which domain to log on to by contacting a global catalog server and looking up the UPN
- This is one of the reasons that global catalog servers should be placed strategically so that if there is any single point of failure, a global catalog server can always be contacted

Figure 5-28: Adding a UPN suffix (Skill 9)

Figure 5-29: Configuring a user account to use a UPN suffix (Skill 9)