Module 2 Creating Active Directory ® Domain Services User and Computer Objects

Module Overview Managing User Accounts Creating Computer Accounts Automating AD DS Object Management Using Queries to Locate Objects in AD DS

Lesson 1: Managing User Accounts What Is a User Account? Names Associated with Domain User Accounts User Account Password Options Standard User Management Tools for Configuring User Accounts What Is a User Account Template?

A user account can be stored: In AD DS (AD DS account) On the local computer (local account) What Is a User Account? Creating a user account also creates a Security ID (SID) A user account is an object that enables authentication and access to local and network resources AD DS accounts enable log on to domains and provide access to shared network resources Local accounts enable log on to a single computer and local resources

Naming options for domain user accounts: Names Associated with Domain User Accounts Object NamesExample Uniqueness requirement User logon nameGregory Must be unique within domain User logon name (pre-Microsoft ® Windows ® 2000) Woodgrove\Gregory Must be unique within domain User principal name (UPN) m Must be unique within forest LDAP distinguished name CN=Gregory,OU=IT,DC= WoodgroveBank,DC=com Will be globally unique, combining RDN, container name, and domain names Relative distinguished name (RDN) CN=GregoryMust be unique in OU

User Account Password Options User object passwords are a significant aspect of network security and can have options configured for: Password history Length Complexity By default, Windows Server® 2008 domain passwords must meet three out of the following four complexity requirements: Uppercase Lowercase Special characters Numbers

Standard User Management Standard User management activities include: Updating group membership: provides user group membership and access rights Resetting user passwords: resets security authentication used to access domain computer Setting user expiration: sets expiration date on how long user can access domain Setting logon hours: sets the hours in which users can log on to the domain Assigning profiles and setting home folders: Assign user profiles and home folders to regulate access to resources

You use different tools for creating and managing local and domain user accounts: Tools for Configuring User Accounts AccountTools Local computer account Windows XP and Windows Vista®: User Accounts Domain account Windows Server 2003/2008: Active Directory Users and Computers Command-line utilities: dsadd, Windows PowerShell™, CSVDE, LDIFDE

Demonstration: Configuring User Accounts In this demonstration, you will see how to: Create a new user account using Active Directory Users and Computers Rename user accounts View complexity requirements

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

What Is a User Account Template? User accounts templates take advantage of similarity between user accounts To use user templates: Create several typical users reflecting various groups within your organization Copy the user account most like the new account you want to create Modify the attributes: names, address, logon name, etc. A user account template is an account with common properties already configured

Demonstration: Creating and Using a User Account Template In this demonstration, you will see how to: Create and use a User Account Template

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Lesson 2: Creating Computer Accounts What Is a Computer Account? Options for Creating Computer Accounts Managing Computer Accounts

Computer accounts: What Is a Computer Account? Are required for authentication and auditing A computer account is an object in AD DS that identifies a computer in a domain A computer account is an object in AD DS that identifies a computer in a domain Enable managing computer by using group policies Are required for all computers running Windows NT or later

Options for Creating Computer Accounts ScenarioProcess Adding individual computers to a domain Add the computer to the domain through computer system properties Account will be created by default in Computers container Creating multiple computer accounts in preparation for automating an operating system and software deployment 1. Create an OU for each department 2. Pre-stage new computer accounts 3. Add the computer to the domain

Managing Computer Accounts Computer management activities include: Adding computer accounts: provides computer name and specifies management option Disabling computer accounts: maintains account, but prevents log on from the account Resetting the computer account: resets the security association between the domain and the client computer (re-join necessary) Deleting computer accounts: removes computer from all domain services Configuring group policies: manages software or computer desktop environments

Demonstration: Configuring Computer Accounts In this demonstration, you will see how to: Pre-stage a computer account Configure computer account settings Disable and reset a computer account

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Lesson 3: Automating AD DS Object Management Tools for Automating AD DS Object Management Configuring AD DS Objects Using Command-Line Tools Managing User Objects with LDIFDE Managing User Objects with CSVDE What Is Windows PowerShell? Windows PowerShell Cmdlets

Tools for Automating AD DS Object Management Active Directory Users and Computers Directory Service Tools Dsadd Dsmod Dsrm Csvde and Ldifde ToolsWindows PowerShell

Configuring AD DS Objects Using Command-Line Tools Command-line tools: Dsadd - Add objects to AD DS Dsmod - Modify objects in AD DS Dsrm - Remove objects from AD DS Dsget - Locate objects in AD DS net user - Add or modify user accounts Net group - Add or modify group access Net computer - Add or remove computer objects from AD DS

filename.ldf Managing User Objects with LDIFDE Active Directory import export LDIFDE.exe

Managing User Objects with CSVDE filename.csv Active Directory import export CSVDE.exe HR Application

What Is Windows PowerShell? Windows PowerShell is a scripting and command-line technology that you can use to manage AD DS and other Windows components Windows PowerShell features include: Powerful single line cmdlets Aliases Variables Pipelining Scripting support Access to all cmd.exe commands

Results from one cmdlet can be pipelined to another Windows PowerShell Cmdlets Windows PowerShell cmdlets all use the same syntax Noun Verb Date ParametersExample Get Get-Date Start Service W3SVC Start-Service W3SVC Get-Service W3svc | format-list Get-Service | sort-object name Get-Service |where-object {$_.status –eq “running”} | sort-object name

Demonstration: Configuring Active Directory Objects Using Windows PowerShell In this demonstration, you will see how to: Configure Active Directory Objects using Windows PowerShell

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Lesson 4: Using Queries to Locate Objects in AD DS Options for Locating Objects in AD DS What Is a Saved Query?

Options for Locating Objects in AD DS Sorting: use column headings in Active Directory Users and Computers to find the objects based on the columns Searching: provide the criteria for which you want to search Command-line: dsquery parameter

Demonstration: Searching AD DS In this demonstration, you will see how to: Search AD DS for user accounts

What Is a Saved Query? Saved queries provide: A quick and consistent way to access a common set of directory objects to monitor or to perform specific tasks A saved query is a way to save search criteria Options for searching attributes (e.g. last logon date)

Demonstration: Using a Saved Query In this demonstration, you will see how to: Create a saved query

Lab: Creating AD DS User and Computer Accounts Exercise 1: Creating and Configuring User Accounts Exercise 2: Creating and Configuring Computer Accounts Exercise 3: Automating the Management of AD DS Objects Logon information Virtual computers 6419A-NYC-DC1, 6419A-NYC-CL1 User nameAdministrator Password Pa$$w0rd Estimated time: 45 minutes

Lab Scenario Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.

Lab Review In order for the searches like the ones used in this lab to return accurate results, what do you have to do when creating the user accounts? Your organization has a group of desktop support technicians who need to be able to add all computers to the AD DS domain. How can you ensure that these technicians can add more than 10 computers to the domain without granting them more permissions than required?

Module Review and Takeaways Review Questions Considerations for Managing AD DS User and Computer Accounts

Module Review and Takeaways - Notes Review Questions Considerations for Managing AD DS User and Computer Accounts