Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing User and Service Accounts

Published byBartholomew McDaniel Modified over 6 years ago

Similar presentations

Presentation on theme: "Managing User and Service Accounts"— Presentation transcript:

1 Managing User and Service Accounts
Module 3 Managing User and Service Accounts (More notes on the next slide)

2 Configuring Managed Service Accounts
Module Overview 3: Managing User and Service Accounts Configuring Managed Service Accounts

3 Configuring Password Policy and User Account Lockout Settings

4 Demonstration: Configuring PSOs
Lesson 1: Configuring Password Policy and User Account Lockout Settings 3: Managing User and Service Accounts Demonstration: Configuring PSOs

5 Set password requirements by using the following settings:
20411C User Account Policies 3: Managing User and Service Accounts Set password requirements by using the following settings: Enforce password history Maximum password age Minimum password age Minimum password length Password complexity requirements Account lockout duration Account lockout threshold

6 20411C Kerberos Policies 3: Managing User and Service Accounts Kerberos policy settings determine timing for Kerberos tickets and other events Setting Default Enforce user logon restrictions Enabled Maximum lifetime for service ticket 600 minutes Maximum lifetime for user ticket 10 hours Maximum lifetime for user ticket renewal 7 days Maximum tolerance for computer clock synchronization 5 minutes Kerberos claims and compound authentication for DAC requires Windows Server 2012 domain controllers

7 Configuring User Account Policies
3: Managing User and Service Accounts Local Security Policy account settings: Configured with secpol.msc Apply to local user accounts Group Policy account settings Configured with the Group Policy Management console Apply to all accounts in AD DS and local accounts on computers joined to the domain Can only be applied once, in Default Domain Policy Take precedence over Local Security Policy settings

8 What Are Password Settings Objects?
3: Managing User and Service Accounts You can use fine-grained password policies to specify multiple password policies within a single domain Fine-grained password policies: Apply only to user objects (or inetOrgPerson objects) and global security groups Cannot be applied to an OU directly Do not interfere with custom password filters that you might use in the same domain

9 Windows Server 2012 provides two tools for configuring PSOs:
3: Managing User and Service Accounts Windows Server 2012 provides two tools for configuring PSOs: Windows PowerShell cmdlets New-ADFineGrainedPasswordPolicy Add-FineGrainedPasswordPolicySubject Active Directory Administrative Center Graphical user interface Uses Windows PowerShell cmdlets to create and manage PSOs

10 Demonstration: Configuring PSOs
3: Managing User and Service Accounts In this demonstration, you will see how to create a Password Settings Object for the ITAdmins group (More notes on the next slide)

11 Configuring Managed Service Accounts

12 Lesson 2: Configuring Managed Service Accounts
3: Managing User and Service Accounts Kerberos Delegation and Service Principal Names

13 Service Account Overview
3: Managing User and Service Accounts Applications need resource access Can create domain or local accounts to manage such access, but can potentially compromise security Use Service Accounts Instead Local System Most privileged, still vulnerable if compromised Local Service Least privileged, may not have enough permissions to access all required resources, Network Service Can access network resources with proper credentials

14 Challenges of Using Standard User Accounts for Services
3: Managing User and Service Accounts Challenges to using standard user accounts for services include: Extra administration effort to manage the service account password Difficulty in determining where a domain-based account is used as a service account Extra administration effort to mange the SPN

15 Managed Service Account and Virtual Accounts
3: Managing User and Service Accounts Use managed service accounts to automate password and SPN management for service accounts used by services and applications Requires a Windows Server 2008 R2 or Windows Server 2012 server installed with: .NET Framework 3.5.x Active Directory module for Windows PowerShell Recommended to run with AD DS configured at the Windows Server R2 functional level or higher Can be used in a Windows Server 2003 or 2008 AD DS environment: With Windows Server 2008 R2 schema updates With Active Directory Management Gateway Service

16 What Are Group Managed Service Accounts?
3: Managing User and Service Accounts Group managed service accounts extend the capability of standard managed service accounts by: Enabling an MSA to be used on more than one computer in the domain Storing MSA authentication information on domain controllers Group MSA requirements: Must have at least one Windows Server 2012 domain controller Must have a KDS root key created for the domain

17 How-To: Configuring Group Managed Service Accounts
3: Managing User and Service Accounts Commands to configure a Group Managed Service Account Create the KDS root key for the domain Create and associate a managed service account 1) Add-KDSRootKey -EffectiveImmediately 2) New-ADServiceAccount –Name <managed account name> –DNSHostname <dns host name> -PrincipalsAllowedToRetrieveManagedPassword <servers allowed to retrieve password> 3) Add-ADComputerServiceAccount –identity <server> –ServiceAccount <managed account name> 4) Get-ADServiceAccount -Filter * 5) Verify that the service account is listed (More notes on the next slide)

18 Kerberos Delegation and Service Principal Names
3: Managing User and Service Accounts Kerberos delegation of authentication Services can delegate service tickets issued to them by the KDC to another service Constrained delegation Allows administrators to define which services can use service tickets issued to other services SPNs help identify services uniquely Windows 2012 allows Constrained delegation across domains Ability of service administrators to configure constrained delegation

19 Additional Resources & Next Steps
Instructor-Led Courses 20411C: Administering Windows Server 2012 Books Exam Ref : Administering Windows Server 2012 Exams & Certifications Exam : Administering Windows Server 2012

Download ppt "Managing User and Service Accounts"

Similar presentations

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 4: Implementing User, Group, and Computer Accounts

Module 4: Implementing User, Group, and Computer Accounts
Chapter 13 Securing Windows Server 2008

Chapter 13 Securing Windows Server 2008
Chapter 8 Chapter 8: Managing Accounts and Client Connectivity.

Chapter 8 Chapter 8: Managing Accounts and Client Connectivity.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.
Adding a Module The Import-Module cmdlet  Can be used to load any external module into PowerShell.  Uses the following syntax to add the ActiveDirectory.

Adding a Module The Import-Module cmdlet  Can be used to load any external module into PowerShell.  Uses the following syntax to add the ActiveDirectory.
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
Module 2 Creating Active Directory ® Domain Services User and Computer Objects.

Module 2 Creating Active Directory ® Domain Services User and Computer Objects.
Deploying and Managing Windows Server 2012

Deploying and Managing Windows Server 2012
Managing Active Directory Domain Services Objects

Managing Active Directory Domain Services Objects
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Module 6: Designing Active Directory Security in Windows Server 2008.

Module 6: Designing Active Directory Security in Windows Server 2008.
Designing Active Directory for Security

Designing Active Directory for Security
Managing User and Service Accounts

Managing User and Service Accounts
Windows Server 2003 Overview 1 Windows 2003 Server Overview Ayaz 23-01-12.

Windows Server 2003 Overview 1 Windows 2003 Server Overview Ayaz
Module 2 Designing Microsoft® Exchange Server 2010 Integration with the Current Infrastructure.

Module 2 Designing Microsoft® Exchange Server 2010 Integration with the Current Infrastructure.
Module 15: Manage the Windows ® Small Business Server 2008 Environment Using Group Policy.

Module 15: Manage the Windows ® Small Business Server 2008 Environment Using Group Policy.

Similar presentations

Ads by Google