Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.


Introduction
- User account – object in Active Directory
- Requires authentication to connect
- Control access to network resources
- Monitor access by auditing resources (logs)
- Create account
  - Use standard naming structures
  - Control password policy and ownership
  - Include additional attributes such as phone number, address as required elements

User Account Properties

AD Added Properties
- The default Users and Groups dialog box in offers standard choices.
- AD Users and Computers adds
  - Directory information
  - Special login restrictions
  - Domain information
  - Much more

User Authentication
- Users must first be authenticated by a domain controller before gaining access to the network (e.g., they log in as we do with Novell)
- Process has two parts
  - Interactive authentication (to the client PC)
    - User can choose full network log in or just log in to the local workstation
  - Network authentication
    - User's credentials are passed on to the network resource or service and checked

Authentication Protocols
- Kerberos 5 (primary AD method)
  - Supported by Windows 2000, XP; WS03
  - Method is transparent to the user
- NTLM – used for OSs that don't support Kerberos
  - Ex: NT Server

User Profiles
- Where user's unique settings are stored
  - Customized desktop
  - Favorites
  - Start button
  - Cookies
  - My Documents
  - My Recent Documents
  - NetHood
  - PrintHood
  - More items…
  - Send to list
  - Templates
  - Application data
  - Local settings
- Stored in the Documents and Settings folder for each user
- Types – local and roaming

Local Profiles
- Created when a new user logs in first time
- Settings are copied from a standard folder called Default User in Documents & Settings
  - THUS changing the settings in Default User will cause those settings to be created for each subsequent new user
  - Change this in System Properties Advanced tab
- Whenever a user makes a change to settings, they are stored in their local profile
- Subsequent logins will use just those settings for that user

Roaming Profiles
- Stored on the server, these are used by the client when the user authenticates to the network
- Replaces the local profile with the one used on that particular client workstation
- Helpful when users move between computers
- Can convert a local profile to a roaming profile
- Universal Naming Convention (UNC) format: \\serverXX\profile\username

Creating AD Users and Computers
- Active Directory Users and Computers tool
  - In Administrative Tools menu
  - Can also be added to a custom MMC
- Select an object, right-click, New, click User
  - Shortcut: click on the User icon in the toolbar
  - Shortcut: click on the Group icon in toolbar
- User can be moved to another object by dragging (new since WS00)
  - Or using right-click and the Move command

New User Parameters
- For nearly every user, will specify
  - User logon name
  - Full name (F, M, L)
  - Password
  - Password properties (cannot change, change at first login, password never expires, etc.)
  - Account expires (Never, End of xxx)

More User Parameters
- General tab – directory type information
- Address tab – more directory information
- Account – user name, logon hours, account options (password, expiration)
- Member Of – which groups, set primary group
- Dial-In – allow remote access or VPN
- Other tabs: Environment, Sessions, Profile, Telephones, Profile, Remote control, etc.

User Account Templates
- Create a template and all users configured through it will have same settings! (time saver)
- Can modify the profile for user specific settings
- To create, in the first name box start it with underscore, as _MIS431 Template
- Do all of the settings you want
- To use it, copy this template and then modify as desired

Command Line Utilities
- Can create user accounts from command line
  - Quicker
  - But, fewer choices can be set easily here
- Commands
  - DSADD – adds objects
  - DSMOD – modify object settings
  - DSQUERY – queries for objects
  - DSMOVE – moves objects to a different location
  - DSRM – remove an object from directory

Command Line contd.
- Parameters for commands
  - -pwd – password
  - -memberof – groups user is member of
  - - – address for new user
  - -profile – profile path for the user
  - -disabled – whether acct is enabled or disabled
- EX:
    dsadd user "cn=Paul Kohut,cn=Users,dc=dovercorp,dc=net" -pwd Password01 -memberof "cn=domain guests,cn=users,dc=domain01,dc=dovercorp,dc=net" – -profile "\\server01\profiles\paul kohut" -disabled no

Bulk Import/Export
- Used when transitioning from one directory service to another for large companies
- Can also populate a secondary database such as an HRM application
- Two utilities
  - CSVDE – supports import/export to CSV file
  - LDIFDE – same but in LDAP interchange format (LDIF)

Account Policies
- A node in Group Policy (more in Ch. 11)
- These can cause trouble with a user logging in
- Find Group Policy object at domain level called Default Domain Policy
  - Right-click the domain object (domain controller) in AD Users and Computers and choose Properties
  - Click on Group Policy tab

Password Policy settings
- Enforce password history – # of passwords to remember before a user can reuse an old password
- Maximum password age – # days when it must be changed
- Minimum password age – # days before it can be changed
- Minimum password length – # characters (1-14)
- Password complexity requirement – cannot include account name, at least 6 characters long, include 3 of 4 elements: uppercase, lowercase, numbers, symbol
- Store password using reversible encryption – clear text
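
The complexity rule above as a checker (an added example, not part of the original slides). The logon names and candidate passwords are constructed, and the account-name rule is simplified to a case-insensitive substring match, which is an assumption.

```python
def complexity_violations(password, account_name, min_length=0):
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    violations = []
    # Complexity implies at least 6 characters; the separate
    # "Minimum password length" setting can raise that floor.
    if len(password) < max(6, min_length):
        violations.append("too-short")
    # Assumption: the name rule is a case-insensitive substring match.
    if account_name and account_name.lower() in password.lower():
        violations.append("contains-account-name")
    # The four elements from the slide: uppercase, lowercase, numbers, symbol.
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        violations.append("too-few-character-classes")
    return violations


def audit(candidates, min_length=0):
    """Check (logon_name, password) pairs and map each pair to its violations."""
    return {(name, pw): complexity_violations(pw, name, min_length)
            for name, pw in candidates}


# Constructed sample input; "pkohut" and "jsmith" are hypothetical logon names.
CANDIDATES = [
    ("pkohut", "Password01"),
    ("pkohut", "PKohut#2006"),
    ("jsmith", "abc12"),
    ("jsmith", "summer2006"),
]

if __name__ == "__main__":
    for (name, pw), problems in audit(CANDIDATES).items():
        print(f"{name:8} {pw:12} {'OK' if not problems else ', '.join(problems)}")
```

Password01, the value used in the dsadd example earlier, passes every rule here, so the complexity setting by itself does not keep a guessable password out.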

Account Lockout settings
- When the user fails to enter proper user name and password within X times
- Account lockout duration – how long before can log in again
- Account lockout threshold – # of incorrect login attempts before lock out occurs
- Reset account lockout counter after – # of minutes before the lockout counter is reset to zero
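
How the three lockout settings interact, replayed over one account's logon attempts (an added example, not part of the original slides). The timestamps and the policy values 3 / 30 / 10 are constructed, and the model assumes a successful logon also clears the counter.

```python
from datetime import datetime, timedelta


def replay(events, threshold, duration_min, reset_after_min):
    """Replay (timestamp, password_ok) attempts for ONE account.

    Returns one outcome per attempt:
    'success', 'failure', 'locked-out' (the attempt that trips the lock)
    or 'rejected' (any attempt made while the lock is still active).
    """
    duration = timedelta(minutes=duration_min)
    window = timedelta(minutes=reset_after_min)
    bad_count, last_bad, locked_until = 0, None, None
    outcomes = []
    for ts, password_ok in events:
        if locked_until is not None:
            if ts < locked_until:
                outcomes.append("rejected")  # even a correct password is refused
                continue
            locked_until, bad_count = None, 0  # lockout duration has elapsed
        if password_ok:
            bad_count = 0  # assumption: success clears the counter
            outcomes.append("success")
            continue
        # "Reset account lockout counter after": old failures stop counting.
        if last_bad is not None and ts - last_bad >= window:
            bad_count = 0
        bad_count += 1
        last_bad = ts
        if bad_count >= threshold:
            locked_until = ts + duration
            outcomes.append("locked-out")
        else:
            outcomes.append("failure")
    return outcomes


def constructed_events():
    """Constructed sample timeline: (minutes after 09:00, password correct?)."""
    start = datetime(2006, 4, 21, 9, 0)
    raw = [(0, False), (2, False), (15, False), (16, False),
           (17, False), (20, True), (50, True)]
    return [(start + timedelta(minutes=m), ok) for m, ok in raw]


if __name__ == "__main__":
    for (ts, ok), result in zip(constructed_events(),
                                replay(constructed_events(), 3, 30, 10)):
        print(ts.strftime("%H:%M"), "good" if ok else "bad ", "->", result)
```

The failure at 09:15 counts as the first again because the counter had already reset, so the two earlier failures only show up if failure logon events are being audited.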

Auditing Authentication
- Auditing appears in more detail in Ch 14
- By default, WS03 DC audits success logon events only – appears in Security log
- Can turn on "failure" logon events to track attempts to log in – shown in Security log
- Access Audit Policy node which is available in Computer Configuration – Windows Settings – Security Settings – Local Policies (Fig p. 134)

Authentication Troubleshooting
- If a user cannot log in, check the list on p. 135
  - Incorrect user name or password
  - Account lockout
  - Account disabled
  - Logon hour restriction
  - Workstation restriction
  - Domain controller (cannot locate one)
  - Client time settings
  - Down-level client issues
  - UPN logon issues
  - Users unable to log on locally to specific server
  - Remote access logon issues (dial up/VPN)
  - Terminal Services logon issues