Managing User and Service Accounts

20411B 4: Managing User and Service Accounts
Presentation: 60 minutes
Lab: 45 minutes

After completing this module, students will be able to:
Manage user and service accounts.
Configure password-policy and user-account lockout settings.
Configure managed service accounts.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_04.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations.
Practice performing the labs.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.
Module Overview

Configuring Managed Service Accounts
Lesson 1: Automating User Account Management

Demonstration: Importing User Accounts with Windows PowerShell
Demonstration: Exporting User Accounts with the Comma-Separated Values Data Exchange Tool

Export: Active Directory -> filename.csv (CSVDE.exe)

Preparation Steps
You require the 20411B-LON-DC1 virtual machine for this demonstration. Log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
On LON-DC1, click to the Start screen.
From the Start screen, type cmd, and then press Enter.
In the command prompt window, type the following command, and then press Enter:
csvde -f E:\Labfiles\Mod04\UsersNamedRex.csv -r "(name=Rex*)" -l DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
Open E:\LABFILES\Mod04\UsersNamedRex.csv in Notepad.
Examine the file, and then close Notepad.
Close all open windows on LON-DC1.

CSV (comma-separated value, or comma-delimited text)
Can be edited with simple text editors such as Notepad or Microsoft Office Excel

CSVDE.exe
csvde -f filename -d RootDN -p SearchScope -r Filter -l ListOfAttributes
RootDN. Start of export (default = domain)
SearchScope. Scope of export (Base, OneLevel, Subtree)
Filter. Filter within the scope (LDAP query language)
ListOfAttributes. Use the LDAP name
Demonstration: Importing User Accounts with the Comma-Separated Values Data Exchange Tool

Import: filename.csv -> Active Directory (CSVDE.exe)

Preparation Steps
You require the 20411B-LON-DC1 virtual machine for this demonstration. If necessary, log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
On LON-DC1, on the taskbar, click Windows Explorer.
In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand Labfiles, and then click Mod04.
In Windows Explorer, right-click NewUsers.csv, and then click Open With.
In the Open With window, click Notepad.
In Notepad, view the contents of NewUsers.csv. Note the user names and the location specified for the users, which is the IT organizational unit (OU).
Close Notepad.
On LON-DC1, click to the Start screen.
From the Start screen, type cmd, and then press Enter.
In the Command Prompt window, type the following command, and then press Enter:
csvde -i -f E:\Labfiles\Mod04\NewUsers.csv -k
On the taskbar, click Server Manager.
In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, expand Adatum.com, and then click the IT OU.
Ensure that Albert Carter and Steven Meadows have been imported into the IT OU.
Right-click Albert Carter, and then click Reset Password.

Import
CSVDE.exe
csvde -i -f filename [-k]
i. Import (the default mode is export)
k. Continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled
Cannot modify existing users
(More notes on the next slide)
In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields, and then click OK.
Click OK in the confirmation window.
In Active Directory Users and Computers, right-click Albert Carter, and then click Enable Account.
Click OK in the confirmation window.
Repeat steps 14 through 17 for Steven Meadows.
Close all open windows on LON-DC1.
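The same round trip in script form, as an added example that is not one of the course lab files: a csvde-format CSV for two constructed users is written, imported, and the accounts are then finished the way the Reset Password and Enable Account steps do by hand. It assumes a domain controller, domain admin rights, the IT OU, and the constructed path C:\Temp\NewUsers.csv.

```powershell
# Added example, not one of the course lab files: write a csvde-format CSV for
# two constructed users, import it with csvde, then complete the accounts the
# way the demonstration does by hand. Run on a domain controller as a domain
# admin; assumes the IT OU already exists.
Import-Module ActiveDirectory

$csvPath = 'C:\Temp\NewUsers.csv'           # constructed path, not the lab file
$ouDn    = 'OU=IT,DC=Adatum,DC=com'

# csvde reads the header row as LDAP attribute names. DN and objectClass are
# mandatory; the remaining columns are ordinary attributes of the user object.
# No password column exists, so every imported account arrives disabled.
$rows = @(
    [pscustomobject]@{ DN = "CN=Test User One,$ouDn"; objectClass = 'user';
        sAMAccountName = 'tuser1'; sn = 'One'; givenName = 'Test';
        userPrincipalName = 'tuser1@Adatum.com' }
    [pscustomobject]@{ DN = "CN=Test User Two,$ouDn"; objectClass = 'user';
        sAMAccountName = 'tuser2'; sn = 'Two'; givenName = 'Test';
        userPrincipalName = 'tuser2@Adatum.com' }
)
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# -i switches csvde from its default export mode to import; -k continues past
# per-object errors such as "Object Already Exists", so re-running is safe.
csvde -i -f $csvPath -k
if ($LASTEXITCODE -ne 0) { throw "csvde import failed with exit code $LASTEXITCODE" }

# csvde cannot set passwords, so the accounts are disabled. Set one initial
# password (prompted, never stored in the script), force a change at first
# logon, and enable each account: the Reset Password / Enable Account steps.
$initial = Read-Host -Prompt 'Initial password for imported users' -AsSecureString
foreach ($row in $rows) {
    Set-ADAccountPassword -Identity $row.sAMAccountName -NewPassword $initial -Reset
    Set-ADUser -Identity $row.sAMAccountName -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $row.sAMAccountName
}

# Verify, as the demonstration does in Active Directory Users and Computers.
Get-ADUser -Filter 'sAMAccountName -like "tuser*"' -SearchBase $ouDn |
    Select-Object Name, SamAccountName, Enabled
```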
Demonstration: Importing User Accounts with LDIFDE

Import: filename.ldf -> Active Directory (LDIFDE.exe)

Preparation Steps
You require the 20411B-LON-DC1 virtual machine for this demonstration. If necessary, log on to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
On LON-DC1, on the taskbar, click Windows Explorer.
In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand Labfiles, and then click Mod04.
In Windows Explorer, right-click NewUsers.ldf, and then click Open With.
Click the Try an app on this PC link.
In the Open With window, click Notepad.
In Notepad, view the contents of NewUsers.ldf. Note the user names and the location specified for the users (the IT OU).
Close Notepad.
On LON-DC1, click to the Start screen.
From the Start screen, type cmd, and then press Enter.
In the command prompt window, type the following command, and then press Enter:
ldifde -i -f E:\Labfiles\Mod04\NewUsers.ldf -k
On the taskbar, click Server Manager.
In the Server Manager window, click Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, expand Adatum.com, and then click the IT OU.
Ensure that Darryl Hamilton and Amandeep Patel have been imported into the IT OU.

Import
LDAP Data Interchange Format (LDIF)
LDIFDE.exe
ldifde [-i] [-f filename] [-k]
i. Import (the default mode is export)
k. Continue past errors (such as Object Already Exists)
Cannot import passwords, so users are created as disabled
Can modify or remove existing users
(More notes on the next slide)
Right-click Darryl Hamilton, and then click Reset Password.
In the Reset Password window, type Pa$$w0rd in the New password and Confirm password fields, and then click OK.
Click OK in the confirmation window.
In Active Directory Users and Computers, right-click Darryl Hamilton, and then click Enable Account.
Click OK in the confirmation window.
Repeat steps 15 through 18 for Amandeep Patel.
Close all open windows on LON-DC1.

Question
What advantages does LDIFDE have over the Comma-Separated Values Data Exchange tool when managing user accounts in an AD DS environment?
Answer
LDIFDE is capable of modifying data as well as performing the import and export of data.
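An added example, not the course's NewUsers.ldf, that shows the LDIF format behind the answer above: one file adds a constructed user and then modifies it in place, which csvde cannot do. It assumes a domain controller, domain admin rights, the IT OU, and the constructed path C:\Temp\NewUsers.ldf.

```powershell
# Added example, not the course's NewUsers.ldf: one LDIF file that adds a
# constructed user and then modifies it in place, the capability csvde lacks,
# imported with ldifde. Run on a domain controller as a domain admin; assumes
# the IT OU already exists.
Import-Module ActiveDirectory

$ldfPath = 'C:\Temp\NewUsers.ldf'           # constructed path, not the lab file
$ouDn    = 'OU=IT,DC=Adatum,DC=com'

# LDIF records are separated by blank lines. "changetype: add" creates the
# object; "changetype: modify" edits an existing one, with each attribute
# change closed by a line holding only "-"; "changetype: delete" would remove
# it. As with csvde, no password is carried, so the account arrives disabled.
$ldif = @"
dn: CN=Test User Three,$ouDn
changetype: add
objectClass: user
sAMAccountName: tuser3
sn: Three
givenName: Test
userPrincipalName: tuser3@Adatum.com

dn: CN=Test User Three,$ouDn
changetype: modify
replace: description
description: Created by ldifde; enable after setting a password
-

"@
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII

# -i imports (the default mode is export); -k continues past per-record
# errors such as "Object Already Exists".
ldifde -i -f $ldfPath -k
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Both records should have landed: the user exists, is still disabled, and
# carries the description written by the modify record.
Get-ADUser -Identity 'tuser3' -Properties Description |
    Select-Object SamAccountName, Enabled, Description
```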
Demonstration: Importing User Accounts with Windows PowerShell

Import: filename.csv -> Active Directory (Windows PowerShell)

Demonstration Steps
On LON-DC1, on the taskbar, click Server Manager.
In Server Manager, click Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, right-click Adatum.com, click New, and then click Organizational Unit.
In the Name field, type Import Users. Click OK.
Close Active Directory Users and Computers.
On the taskbar, click Windows Explorer.
In Windows Explorer, in the navigation pane, expand Computer, expand Allfiles (E:), expand Labfiles, and then click Mod04.
In Windows Explorer, right-click ImportUsers.ps1, and then click Open With.
In the Open With window, click Notepad.
In Notepad, view the contents of ImportUsers.ps1. Next to $impfile, change the path and file name of the .csv file to E:\Labfiles\Mod04\ImportUsers.csv, and then save the file.
Close Notepad.
In Server Manager, click Tools, and then click Active Directory Module for Windows PowerShell.
In the Active Directory module for Windows PowerShell window, type the following commands, and then press Enter after each command. When prompted to change the execution policy, press Enter to accept the default option of Y:
Set-ExecutionPolicy remotesigned
E:\Labfiles\Mod04\importusers.ps1

Import
Use the following cmdlets:
Import-CSV
New-ADUser
(More notes on the next slide)
At the password prompt, type Pa$$w0rd, and then press Enter.
Close the Active Directory module for Windows PowerShell window.
In Server Manager, click Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, expand Adatum.com, and then click the ImportUsers OU.
Ensure that Todd Rowe and Seth Grossman have been imported into the ImportUsers OU.
Close all open windows on LON-DC1.
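A script of the kind ImportUsers.ps1 is, written here as an added example (the course file itself is not reproduced) on the two cmdlets the slide names. It assumes CSV columns FirstName, LastName and SamAccountName, the "Import Users" OU created in the demonstration, and the $impfile path set in step 10.

```powershell
# Added example standing in for the course's ImportUsers.ps1 (which is not
# reproduced here), built on the two cmdlets the slide names. Assumed CSV
# columns: FirstName, LastName, SamAccountName. Run on a domain controller
# after creating the "Import Users" OU as in the demonstration.
Import-Module ActiveDirectory

$impfile  = 'E:\Labfiles\Mod04\ImportUsers.csv'   # path set in the demo; point at your own file
$targetOu = 'OU=Import Users,DC=Adatum,DC=com'
$domain   = 'Adatum.com'

# Prompt once for the initial password. Unlike csvde and ldifde, New-ADUser
# takes the password as a SecureString and can enable the account in the same
# call, so no post-import Reset Password / Enable Account step is needed.
$initial = Read-Host -Prompt 'Initial password for imported users' -AsSecureString

foreach ($u in Import-Csv -Path $impfile) {
    $sam = $u.SamAccountName
    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
        -GivenName $u.FirstName -Surname $u.LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$domain" `
        -Path $targetOu `
        -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
}

# Verify, as the demonstration does in Active Directory Users and Computers.
Get-ADUser -Filter * -SearchBase $targetOu | Select-Object Name, SamAccountName, Enabled
```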
Lesson 2: Configuring Password-Policy and User-Account Lockout Settings

Configuring Password Settings Objects
Understanding User-Account Policies

Set password requirements by using the following settings:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password complexity requirements
Account lockout duration
Account lockout threshold

Introduce user-account policies. Ensure that students are aware of both local policy and domain-based Group Policy settings. Explain each setting and how it affects user account behavior.
Configuring User Account Policies

Local Security Policy account settings:
Configured with secpol.msc
Apply to local user accounts
Group Policy account settings:
Configured with the Group Policy Management console
Apply to all accounts in AD DS and local accounts on computers joined to the domain
Can only be applied once, in the Default Domain Policy
Take precedence over Local Security Policy settings

Explain how both local and Group Policy settings are configured. Ensure that students are aware that domain-based Group Policy settings take precedence over Local Security Policy settings. Consider opening secpol.msc and the Group Policy Management Editor on 20411B-LON-DC1 to show the students the two locations in which they can configure these settings.

Question
Why would you use secpol.msc to configure local account policy settings for a Windows Server computer instead of using domain-based Group Policy account-policy settings?
Answer
Local security policy settings provide enhanced account security if a Windows Server 2012 computer is not joined to a domain, and is therefore unable to apply Group Policy-based domain account-policy settings. This may be a permanent solution, or you can use it to protect a computer between the time when Windows Server 2012 is installed and the time when it joins the domain and has the domain-based account policy settings applied.
What Are Password Settings Objects?

You can use fine-grained password policies to specify multiple password policies within a single domain.
Fine-grained password policies:
Apply only to user objects (or inetOrgPerson objects) and global security groups
Cannot be applied to an OU directly
Do not interfere with custom password filters that you might use in the same domain

Introduce and explain Password Settings Objects. Ensure students understand that Password Settings Objects provide multiple sets of account-policy settings in a single domain. Consider using the following example to illustrate their purpose:
Within your domain, you have three account types:
Standard. Standard user accounts, which have limited access and require relatively infrequent password changes.
Finance. Finance department accounts often have access to sensitive corporate data.
Administrative. Administrative accounts have domain-wide privileges and must be protected by requiring more frequent password changes and longer passwords.
Without Password Settings Objects, you are forced to compromise and set only one policy for all accounts. With Password Settings Objects, you can create three Password Settings Objects that enable you to set the maximum password age for standard user accounts to 120 days, manager accounts to 90 days, and administrative accounts to 45 days, satisfying the password age requirements for all three account types.
Configuring Password Settings Objects

Windows Server 2012 provides two tools for configuring PSOs:
Windows PowerShell cmdlets
New-ADFineGrainedPasswordPolicy
Add-ADFineGrainedPasswordPolicySubject
Active Directory Administrative Center
Graphical user interface
Uses Windows PowerShell cmdlets to create and manage PSOs

Identify and explain the methods for managing Password Settings Objects in Windows Server 2012. Consider demonstrating the steps in the student handbook for Active Directory® Administrative Center, as this functionality is new in Windows Server 2012.
Lesson 3: Configuring Managed Service Accounts

What Are Group Managed Service Accounts?
What Are the Challenges of Using Standard User Accounts for Services?

Challenges of using standard user accounts for services include:
Extra administration effort to manage the service account password
Difficulty in determining where a domain-based account is used as a service account
Extra administration effort to manage the SPN

Discuss the following with the students:
What types of applications do they use that have service accounts?
How do they manage service accounts? Service account management includes password management, changes to the server or account name, and similar tasks.
What challenges have they encountered with service accounts?
What Is a Managed Service Account?

Use to automate password and SPN management for service accounts used by services and applications
Requires a Windows Server 2008 R2 or newer server installed with:
.NET Framework 3.5.x
Active Directory module for Windows PowerShell
Recommended to run with AD DS configured at the Windows Server 2008 R2 functional level or higher
Can be used in a Windows Server 2003 or 2008 AD DS environment:
With Windows Server 2008 R2 schema updates
With Active Directory Management Gateway Service

Describe the concept of managed service accounts.
Demonstration: Configuring Managed Service Accounts by Using Windows PowerShell

In this demonstration, you will see how to:
Create the KDS root key for the domain
Create and associate a managed service account

Preparation Steps
Start the 20411B-LON-SVR1 virtual machine, and then log on as Adatum\Administrator with the password Pa$$w0rd. 20411B-LON-DC1 should be running from the preceding demonstration.

Demonstration Steps
Create the Key Distribution Services (KDS) root key for the domain
On LON-DC1, from Server Manager, open the Active Directory Module for Windows PowerShell console.
At the prompt, type the following command, and then press Enter:
Add-KDSRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Create and associate a managed service account
New-ADServiceAccount -Name SampleApp_SVR1 -DNSHostname LON-DC1.Adatum.com -PrincipalsAllowedToRetrieveManagedPassword LON-SVR1$
Add-ADComputerServiceAccount -Identity LON-SVR1 -ServiceAccount SampleApp_SVR1
Get-ADServiceAccount -Filter *
Verify that the SampleApp_SVR1 service account is listed.
(More notes on the next slide)
Install a managed service account
On LON-SVR1, from Server Manager, open the Active Directory Module for Windows PowerShell console.
At the prompt, type the following command, and then press Enter:
Install-ADServiceAccount -Identity SampleApp_SVR1
Click the Server Manager shortcut on the Windows Taskbar.
In Server Manager, on the Menu toolbar, click Tools, and then click Services.
In the Services console, right-click Application Identity, and then click Properties.
Note: The Application Identity service is used as an example. In a production environment, you would use the actual service that should be assigned the managed service account.
In the Application Identity Properties dialog box, click the Log On tab.
On the Log On tab, click This account, and then type Adatum\SampleApp_SVR1$.
Clear the password for both the Password and Confirm password boxes, and then click OK.
Click OK at all prompts.
What Are Group Managed Service Accounts?

Group managed service accounts extend the capability of standard managed service accounts by:
Enabling an MSA to be used on more than one computer in the domain
Storing MSA authentication information on domain controllers
Group MSA requirements:
Must have at least one Windows Server 2012 domain controller
Must have a KDS root key created for the domain

Explain group Managed Service Accounts, and how they overcome the one-server limitation of standard Managed Service Accounts by storing computer authentication and membership information on domain controllers. Explain that, by default, all Managed Service Accounts created on Windows Server® 2012 DCs are created as group Managed Service Accounts.
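The demonstration's KDS root key, New-ADServiceAccount and Install-ADServiceAccount flow, as an added example (not the course's script) that uses a host group so the account can run on more than one server, which is the point of this slide. SampleApp_SVR1 and LON-SVR1 are the page's names; the group SampleApp-Hosts and the DNS name sampleapp.adatum.com are assumptions.

```powershell
# Added example, not the course's demonstration script: the same flow with a
# group managed service account (gMSA) usable on more than one host, which is
# what the "group" slide describes. Names other than SampleApp_SVR1 and
# LON-SVR1 are constructed; the host group and DNS name are assumptions.
Import-Module ActiveDirectory

## On a domain controller (LON-DC1)

# gMSA passwords derive from the KDS root key, and the key becomes usable
# only 10 hours after its effective time so that every DC has replicated it.
# Backdating with -EffectiveTime, as the demonstration does, is a single-DC
# lab shortcut; in production create the key and wait before creating gMSAs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab only: Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Allow a group of hosts, not a single computer, to retrieve the password;
# adding a server to the group is all it takes to run the service there too.
New-ADGroup -Name 'SampleApp-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'SampleApp-Hosts' -Members 'LON-SVR1$'

New-ADServiceAccount -Name 'SampleApp_SVR1' -DNSHostName 'sampleapp.adatum.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SampleApp-Hosts'

# ObjectClass shows msDS-GroupManagedServiceAccount: on a 2012 DC the
# account is created as a group MSA by default.
Get-ADServiceAccount -Identity 'SampleApp_SVR1' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, PrincipalsAllowedToRetrieveManagedPassword

## On the member server (LON-SVR1), after a reboot so the computer's Kerberos
## ticket carries the new group membership

Install-ADServiceAccount -Identity 'SampleApp_SVR1'

# Test-ADServiceAccount returns True only when this host can retrieve the
# managed password; a False here is the first thing to check before touching
# the service's Log On tab (account Adatum\SampleApp_SVR1$, password blank).
Test-ADServiceAccount -Identity 'SampleApp_SVR1'
```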
Lab: Managing User and Service Accounts

Exercise 1: Configuring Password-Policy and Account-Lockout Settings
Exercise 2: Creating and Associating a Managed Service Account

Logon Information
Virtual machine: 20411B-LON-DC1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes

Exercise 1: Configuring Password-Policy and Account-Lockout Settings
A. Datum has recently completed a security review for passwords and account-lockout policies. You need to implement the recommendations contained in the report to control password complexity and length. You also need to configure appropriate account-lockout settings. Part of your password policy configuration will include a specific password policy to be assigned to the Managers security group. This group requires a different password policy than what has been applied at the domain level.

The report has recommended that the following password settings should be applied to all accounts in the domain:
Password history: 20 passwords
Maximum password age: 45 days
Minimum password age: 1 day
Password length: 10 characters
Complexity enabled: Yes
Account lockout duration: 30 minutes
Account lockout threshold: 5 attempts
Reset account lockout counter after: 15 minutes

The report has also recommended that a separate policy be applied to users in the Managers group, due to the elevated privileges assigned to those user accounts. The policy applied to the Managers group should contain the following settings:
Maximum password age: 20 days
Password length: 15 characters
(More notes on the next slide)
Complexity enabled: Yes
Account lockout duration: 0 minutes (An administrator will have to unlock the account)
Account lockout threshold: 3 attempts
Reset account lockout counter after: 30 minutes

Exercise 2: Creating and Associating a Managed Service Account
You need to configure a managed service account to support a new Web-based application that is being deployed to the DefaultAppPool Web service on LON-DC1. Using a managed service account will help maintain the password security requirements for the account.
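The Managers policy from Exercise 1 as a Password Settings Object, created with the cmdlets named on the Configuring Password Settings Objects slide, followed by the resultant-policy check behind the precedence review question; this is an added example, not the lab answer key. It assumes the Managers global security group exists, that the domain-wide values are already in the Default Domain Policy GPO, and that a zero LockoutDuration expresses the lab's "administrator must unlock" setting.

```powershell
# Added example, not the lab answer key: the Managers policy from Exercise 1
# as a PSO, then the resultant-policy check behind the precedence question.
# Assumes the Managers global security group exists and the domain-wide
# values are already set in the Default Domain Policy GPO.
Import-Module ActiveDirectory

# Baseline every account inherits unless a PSO wins. Read it here rather than
# set it: the domain-wide settings belong in the Default Domain Policy GPO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, LockoutThreshold, LockoutDuration

# When several PSOs cover one user, the lowest Precedence value wins, so the
# stricter policy for privileged accounts gets a low number.
# Exercise 1 does not state a minimum age or history for Managers; the
# domain-wide values (1 day, 20 passwords) are reused here as an assumption.
# Assumption: a zero LockoutDuration expresses the lab's "0 minutes, an
# administrator must unlock"; if the cmdlet rejects it, set that option in
# Active Directory Administrative Center instead.
$psoName = 'Managers-PSO'
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 20) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 20 `
    -LockoutThreshold 3 `
    -LockoutDuration ([TimeSpan]::Zero) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs link to users or global security groups only, never directly to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Managers'

# A member of Managers has no PSO on the user object itself, yet the group's
# PSO applies; with several, only the one with the lowest Precedence shows.
$manager = Get-ADGroupMember -Identity 'Managers' |
    Select-Object -First 1 -ExpandProperty SamAccountName
Get-ADUserResultantPasswordPolicy -Identity $manager |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, LockoutThreshold
```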
Lab Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center are located in London to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure, and needs to implement changes to how user accounts are managed in the environment.
Module Review and Takeaways

Common Issues and Troubleshooting Tips
Review Questions

Review Questions
Question
In what scenario could a user have multiple Password Settings Objects applied to their account without actually having a Password Settings Object linked to their user account?
Answer
Password Settings Objects can be linked to groups. If a user is a member of one or more groups to which Password Settings Objects are linked, any Password Settings Objects applied to those groups will be linked to the user account. However, only the Password Settings Object with the lowest precedence value will apply its settings to the user's account.
Question
What benefit do Managed Service Accounts provide compared to standard user accounts used for services?
Answer
Managed Service Accounts provide managed password changes that do not require administrator intervention.

Tools
Tool                                        What it is used for                                              Where to find it
Comma-Separated Values Data Exchange tool   Importing and exporting users by using .csv files                Command prompt: csvde.exe
LDIFDE                                      Importing, exporting, and modifying users by using .ldf files    Command prompt: ldifde.exe
Local Security Policy                       Configuring local account-policy settings                        Secpol.msc
Group Policy Management console             Configuring domain Group Policy account-policy settings          Server Manager – Tools
Active Directory Administrative Center      Creating and managing Password Settings Objects
(More notes on the next slide)
Common Issues and Troubleshooting Tips

Common Issue: User accounts contained in a .csv file fail to import when using the Comma-Separated Values Data Exchange tool.
Troubleshooting Tip: Ensure the structure of the .csv file matches the syntax of your Comma-Separated Values Data Exchange tool command, especially if the .csv file is exported from a non-AD DS source.

Common Issue: User password settings are not applying as expected.
Troubleshooting Tip: Check for the application of Password Settings Objects. In the case of multiple Password Settings Objects, ensure that precedence is configured properly and that Password Settings Objects have been applied to the appropriate users and groups.

Common Issue: The New-ADServiceAccount cmdlet fails with key-related messages.
Troubleshooting Tip: Ensure that the KDS root key has been created by using the Add-KDSRootKey cmdlet, and that the -EffectiveTime parameter for the key is at least 10 hours earlier than the current time.