Managing Active Directory Objects - PowerPoint PPT Presentation
Slides: 34
Provided by: Kis77

1
Managing Active Directory Objects
  • When you first install Active Directory, a number
    of containers are created by default to hold the
    built-in users and groups, as well as computer
    accounts
  • Organizational Units (OUs) allow the assignment
    of Group Policy and the delegation of
    administrative control to junior administrators
  • User accounts are best arranged into
    Organizational Units; certain management
    functions can then be delegated at the OU level
    and inherited by lower levels

2
User Accounts
  • A user account consists of
      • Username and password
      • Group membership
      • Rights and permissions to access resources
  • On a Windows Server 2003 computer configured as a
    Domain Controller with Active Directory, user
    accounts are managed with Active Directory Users
    and Computers
  • On a Windows Server 2003 member server (not a
    Domain Controller) and on Windows XP
    workstations, user accounts are managed with
    Local Users and Groups

3
User Authentication
  • When a user or group account is created, a
    unique, non-reusable security identifier (SID)
    is created
  • The SID is incorporated into a user ticket known
    as the Ticket Granting Ticket (TGT)
  • The user ticket is used to construct session
    tickets for any resource access
  • When a user logs on, the security subsystem uses
    the SID internally to identify the user or group
    account
  • During the logon process (logging on to a
    domain), the first available domain controller
    validates the user and grants access to resources
    anywhere on the network
  • Replication of the Active Directory data store
    occurs by default
  • One can create a user account on any domain
    controller in the domain

4
Types of User Accounts
  • Created user accounts
      • Required for each user on a domain
      • Resource access is associated with the account
  • Built-in accounts - during installation of Active
    Directory on a Windows Server 2003 Domain
    Controller, two accounts are automatically created
      • Administrator account - a member of the
        domain's Administrators group; cannot be
        disabled or deleted but can be renamed
      • Guest account - cannot be deleted but can be
        renamed; by default it is disabled
  • Other built-in accounts are created on Windows
    Server 2003 by default when certain services are
    installed

5
Two Built-in Accounts
  • Administrator account - creates and manages
      • User and group accounts
      • Security policies
      • Access to file and print resources
  • Guest account (disabled by default)
      • Used for occasional access - temporary
        employees
      • Always assign a password
      • Limited access to resources
  • Create a new Organizational Unit (OU) and then
    create user accounts in that OU so that they can
    be managed with separate group policies

6
Configuring and Managing User Account Properties
  • Once you create a user account by using the New
    Object - User wizard, you need to configure it
  • A set of default properties is associated with
    each user account; these can be modified and can
    be used to search for users in the Active
    Directory data store
  • The Properties dialog box allows the
    Administrator to configure various properties for
    a specific user
  • By default this box has 13 tabs - General,
    Address, Account, Profile, Telephones,
    Organization, Remote control, Terminal Services
    Profile, COM+, Member Of, Dial-in, Environment
    and Sessions

7
Naming Conventions
  • User account names must be unique
      • Domain accounts must be unique within the
        domain
      • Local accounts must be unique on the computer
  • User names (referred to as User Logon Names in
    Active Directory Users and Computers) can contain
    up to 20 characters and are not case sensitive
  • Create a set of rules for the naming convention
  • Consider a naming convention that
      • Accommodates duplicate employee names
      • Identifies temporary employees

8
Passwords, Logon Hours, and Workstation
Restrictions
  • Educate users on how to protect passwords
      • Avoid birthdays and family and pet names
      • Do not share or write down passwords
  • Passwords can be up to 127-128 characters. Use
    long passwords (a minimum of 7-8 characters is
    recommended) and combine uppercase and lowercase
    letters with non-alphanumeric characters
    (password complexity requirements are enabled by
    default)

9
Passwords, Logon Hours, and Workstation
Restrictions
  • Passwords are case sensitive
  • Usernames are not (but preserve the entered case)
  • Use a long password with a combination of
    uppercase letters, lowercase letters, numerals
    and symbols
  • Set Logon Hours to a user's work hours
  • Require users to log on from their own computers;
    by default they can log on from any computer in
    the domain
  • Set an account expiration date on temporary
    employees' accounts

10
Configuring and Managing User Account Properties
  • Account options
      • User must change password at next logon -
        select if you want the user to choose a new
        password the next time the user logs on
      • User cannot change password - select if you
        want to manage the user's password, or if more
        than one person uses the same domain user
        account (such as Guest)
      • Password never expires - select if you want
        the password to never change
  • Account expires
      • Never
      • End of (a date that you specify)
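
The following is an added example, not part of the slides: it provisions a temporary employee's account in its own OU and applies the account options, expiration date, logon hours and workstation restriction described on slides 5 to 10, using the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) rather than the Windows Server 2003 GUI the slides show. The domain, OU, computer and user names, the "-t" suffix convention and the 90-day expiry are assumptions for illustration; the logonHours bit layout (one bit per hour of the week, starting Sunday 00:00 UTC) is the documented attribute format.

```powershell
# Added example (not from the slides): provision a temporary employee's account in its
# own OU and apply the account options, expiration date, logon hours and workstation
# restriction from slides 5-10. Uses the ActiveDirectory module (Windows Server 2008 R2
# and later); the slides show the Windows Server 2003 GUI for the same settings.
# Domain, OU, computer and user names are assumptions for illustration.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$dnsRoot  = (Get-ADDomain).DNSRoot                    # e.g. corp.example
$ouName   = 'Temporary Staff'
$ouDn     = "OU=$ouName,$domainDn"

# 1. A separate OU, so temporary staff can receive their own Group Policy (slide 5)
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. The account. The naming convention marks temporary staff with a "-t" suffix
#    (slide 7); the initial password is typed at the prompt, never stored in the script.
$sam     = 'jsmith-t'
$initial = Read-Host -Prompt "Initial password for $sam" -AsSecureString
$user = @{
    Name                  = 'John Smith (Temp)'
    SamAccountName        = $sam
    UserPrincipalName     = "$sam@$dnsRoot"
    GivenName             = 'John'
    Surname               = 'Smith'
    Path                  = $ouDn
    AccountPassword       = $initial
    Enabled               = $true
    ChangePasswordAtLogon = $true                        # slide 10: must change at next logon
    AccountExpirationDate = (Get-Date).Date.AddDays(90)  # slides 9/10: "Account expires: End of"
    LogonWorkstations     = 'WS-TEMP01,WS-TEMP02'        # slide 9: only these computers (NetBIOS names)
}
New-ADUser @user

# 3. Logon hours (slide 9). logonHours is a 21-byte bitmap with one bit per hour of the
#    week; bit 0 of byte 0 is Sunday 00:00-01:00 UTC, so shift the window for the local
#    time zone. Here: Monday to Friday, 08:00-17:59 UTC.
$mask = New-Object byte[] 21
foreach ($day in 1..5) {                 # 0 = Sunday ... 6 = Saturday
    foreach ($hour in 8..17) {
        $bit = $day * 24 + $hour
        $idx = [int][math]::Floor($bit / 8)
        $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
    }
}
Set-ADUser -Identity $sam -Replace @{ logonHours = $mask }

# Slide 10's other two options belong to a shared account (a kiosk login, the Guest
# account), never to a named individual:
# Set-ADUser -Identity 'kiosk-shared' -CannotChangePassword $true -PasswordNeverExpires $true

# 4. Read back what was set
Get-ADUser -Identity $sam -Properties AccountExpirationDate, LogonWorkstations, PasswordExpired |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, LogonWorkstations, PasswordExpired
```

The expiration date and the logon-hours mask are enforced by the domain controller at authentication time, so they hold regardless of which computer the user sits at; the LogonWorkstations list is enforced at the client and only for interactive logons, which is why the slides treat it as a complement to, not a substitute for, the other two.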

11
Dial-in and other tabs
  • To configure RAS permissions for users, use the
    Dial-in tab
      • Allow access
      • Deny access
      • Callback options
          • No Callback
          • Set by Caller
          • Always Callback to
  • The Terminal Services Profile tab, the
    Environment tab, the Remote Control tab and the
    Sessions tab are for configuring Terminal
    Services

12
Creating and Managing Multiple User Accounts
  • Create a generic user object called User
    Template, configure the properties common to all
    new users, and copy it for each new user
  • You can modify the properties of multiple users
    by selecting the users and then choosing
    Properties from the Action menu
  • You can move user objects by selecting them and
    then choosing Move from the Action menu, or by
    drag and drop

13
Renaming and Deleting User Accounts
  • After it is renamed, a user account retains all
    of its properties, including group memberships,
    permissions and user rights
  • Rename a user account when a new staff member
    replaces an employee and needs similar account
    properties
  • When you delete a user account, it is permanently
    removed; all of its group memberships,
    permissions and user rights are lost, and its
    SID is deleted
  • If you later create a new account with the same
    name, the new account will not have the same
    privileges as the old, deleted account
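
An added example, not from the slides, covering slides 12 and 13 together: it creates a user from a template object and then shows why a rename preserves the account's identity while delete-and-recreate does not, by reading the SID before and after each operation. The template name, OU and user names are assumptions; the list of attributes copied is an assumption too, chosen to exclude per-user values such as the home directory.

```powershell
# Added example (not from the slides): copy a template user (slide 12) and compare the
# effect of renaming versus deleting and recreating an account (slide 13).
# Template name, OU path and user names are assumptions for illustration.
Import-Module ActiveDirectory

$ouDn   = 'OU=Sales,DC=corp,DC=example'
$domain = (Get-ADDomain).DNSRoot

# --- Slide 12: a template object holds the properties common to all new users ---
# Keep the template itself disabled so it can never be used to log on. Only the
# attributes listed here are copied by -Instance; group memberships are not part of
# the object copy and are added separately below.
$copyAttrs = @(
    'Department', 'Title', 'Company', 'Office', 'StreetAddress',
    'City', 'PostalCode', 'Country', 'ScriptPath', 'HomeDrive'
)
$template = Get-ADUser -Identity 'tmpl-sales' -Properties $copyAttrs

$new = @{
    Name                  = 'Ann Lee'
    SamAccountName        = 'alee'
    UserPrincipalName     = "alee@$domain"
    GivenName             = 'Ann'
    Surname               = 'Lee'
    Path                  = $ouDn
    Instance              = $template       # attribute values come from the template
    AccountPassword       = (Read-Host -Prompt 'Initial password for alee' -AsSecureString)
    Enabled               = $true
    ChangePasswordAtLogon = $true
}
New-ADUser @new

# Copy the template's group memberships (the primary group, Domain Users, is implicit)
Get-ADPrincipalGroupMembership -Identity 'tmpl-sales' |
    Where-Object { $_.SamAccountName -ne 'Domain Users' } |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'alee' }

# --- Slide 13: a rename keeps the SID, so group memberships and ACL entries survive ---
$before = (Get-ADUser -Identity 'alee').SID.Value
Get-ADUser -Identity 'alee' | Rename-ADObject -NewName 'Ann Lee-Park'
Set-ADUser -Identity 'alee' -Surname 'Lee-Park' -DisplayName 'Ann Lee-Park'
$after = (Get-ADUser -Identity 'alee').SID.Value
"Rename kept the SID: $($before -eq $after)"

# --- Delete and recreate under the same name: a brand-new SID. Every ACL entry that
#     referenced the old SID now shows as an unresolved SID and grants nothing. ---
Remove-ADUser -Identity 'alee' -Confirm:$false
New-ADUser -Name 'Ann Lee-Park' -SamAccountName 'alee' -Path $ouDn -Enabled $false
$recreated = (Get-ADUser -Identity 'alee').SID.Value
"Recreate kept the SID: $($before -eq $recreated)"
```

Run the second half only in a lab. On domains where the Active Directory Recycle Bin feature is enabled (Windows Server 2008 R2 and later), Restore-ADObject can bring back a deleted account with its original SID; without it, the slide's statement holds and the only path back is the rename approach.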

14
User Profiles
  • A user profile is a collection of data that
    includes a user's current desktop settings,
    printer and network connections
  • The Administrator does not need to create user
    profiles, as Windows Server 2003 automatically
    creates a user profile for each user; however,
    the Administrator can manually assign a roaming
    or mandatory user profile
  • When a user logs on to a computer for the first
    time, Windows Server 2003 creates a new user
    profile for the user by copying the entire
    contents of the local Default User profile
    folder to a new folder on the local computer
    named after the user's account

15
Managing the User Work Environment
  • Roaming user profiles are user profiles stored
    centrally on a network server rather than on the
    user's local computer, and can be changed by the
    user
  • When a user logs on, Windows Server 2003 copies
    the roaming user profile from the network server
    to the client computer
  • Roaming user profiles are implemented by first
    creating a shared folder on a network server
    computer and then assigning a server-based user
    profile path to the user account -
    \\Server name\Share name\logon_name
  • You can type the variable %username% in place of
    the logon name

16
Managing the User Work Environment
  • Roaming personal user profile
      • Assigned to one user
      • The user can modify it
      • The roaming profile's registry hive is the
        file Ntuser.dat
  • Roaming mandatory user profile
      • Mandatory user profiles are roaming profiles
        that are created for the user and cannot be
        changed by the user
      • Assigned to one or many users
      • Mandatory user profiles require the .man
        extension (Ntuser.man)
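
An added example, not from the slides, for the procedure on slides 15 and 16: it creates the profile share on a file server, tightens the NTFS permissions on the share root so that each user can create only their own folder, and then assigns the server-based profile path (with %username%) to every user in an OU, plus a shared mandatory profile path for a kiosk account. Server, share, folder, OU and account names are assumptions; New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example (not from the slides): publish a profile share and assign server-based
# profile paths (slides 15-16). Server, share, OU and account names are assumptions.
Import-Module ActiveDirectory

# 1. On the file server: folder, share and NTFS layout. Users get Change at the share
#    level; on the folder itself they may only list and create a subfolder, and CREATOR
#    OWNER gets full control of whatever they create, so one user cannot read or alter
#    another user's profile.
New-Item -ItemType Directory -Path 'D:\Profiles' -Force | Out-Null
New-SmbShare -Name 'Profiles$' -Path 'D:\Profiles' -ChangeAccess 'Authenticated Users' -FullAccess 'Administrators'
icacls.exe 'D:\Profiles' /inheritance:r /grant `
    'Administrators:(OI)(CI)F' `
    'SYSTEM:(OI)(CI)F' `
    'CREATOR OWNER:(OI)(CI)(IO)F' `
    'Authenticated Users:(RD,AD,X)'

# 2. On a domain controller or admin workstation: point the users at the share.
#    %username% is stored unexpanded in the profilePath attribute; each client expands
#    it at logon (slide 15), so one Set-ADUser call serves the whole OU.
Get-ADUser -Filter * -SearchBase 'OU=Sales,DC=corp,DC=example' |
    Set-ADUser -ProfilePath '\\FS01\Profiles$\%username%'

# 3. Mandatory profile (slide 16): same mechanism, but the hive file in the folder is
#    renamed Ntuser.dat -> Ntuser.man and many accounts share one read-only folder.
#    Windows Vista and later look for the folder with a version suffix on disk
#    (e.g. Mandatory.V6) while the attribute stays without the suffix.
Set-ADUser -Identity 'kiosk01' -ProfilePath '\\FS01\Profiles$\Mandatory'

# 4. Verify
Get-ADUser -Identity 'kiosk01' -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

The share-level Change permission combined with the restrictive NTFS entries on the root is what makes the %username% scheme safe: the first logon creates the user's folder, ownership makes them its only reader, and Administrators keep access for support.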

17
Monitoring and Troubleshooting User Authentication
  • There are three types of account policies that
    monitor, troubleshoot and provide security for
    the user authentication process over the network
      • Account Lockout policies
      • Password policies
      • Kerberos policies
  • Account policies are sets of rules that apply to
    all users in a domain
  • Only a member of the Administrators group can
    manage account policies

18
Account Policies
  • To configure and manage account policies
      • On a Domain Controller, click Start, point to
        Administrative Tools, and click Group Policy
        Management to open the Group Policy Management
        console
      • Expand the Domains node, and double-click the
        name of your domain
      • Right-click Default Domain Policy, and click
        Edit to open the Group Policy Object Editor
        snap-in
      • In the console tree, in the Computer
        Configuration node, double-click the Windows
        Settings node to expand it
      • Double-click Security Settings
      • Double-click Account Policies

19
Account Lockout Policy
  • Account Lockout Policy - dictates how to treat a
    user account after several successive
    unsuccessful logon attempts have occurred
  • Account Lockout Threshold - this setting specifies
    the number of invalid tries that a user (or
    intruder) gets to enter an incorrect password
    before the account becomes locked out
      • 0 to 999 invalid logon attempts
      • The default setting is 0 (the account is never
        locked out)
      • A strong setting is 10 attempts for medium- to
        high-security environments

20
Account Lockout Policy
  • Account Lockout Duration - this setting specifies
    how long a user account is locked out after the
    specified number of bad logon attempts occurs
    (the LockoutDuration registry value)
      • 0 to 99,999 minutes
      • The default setting is Not Defined, as it is
        only useful in conjunction with the Account
        Lockout Threshold policy
      • A low setting of 5 to 15 minutes is OK
      • You can also set the value 0 to lock the
        account indefinitely, until the Administrator
        unlocks it

21
Account Lockout Policies
  • Reset Account Lockout Counter After - this
    setting specifies the number of minutes that must
    pass after an invalid logon attempt (bad logon
    attempt) before the account lockout counter is
    reset to zero (the ObservationWindow registry
    value)
      • 1 to 99,999 minutes; must be less than or
        equal to the value of the Account Lockout
        Duration

22
Password Policies
  • Six configurable password policy settings
  • Enforce Password History - this setting governs
    how many different passwords must be used before
    the user can reuse one of them (an old password)
      • 0 to 24 passwords remembered; the default
        value is 24
  • Maximum Password Age - this setting controls how
    long a password is good before a user is forced
    to pick a new one
      • 0 to 999 days; the default value is 42 days;
        normal settings are between 30 and 90 days
  • Minimum Password Age - this setting controls how
    long a new password must be used before it can
    be changed
      • 0 to 998 days; the default value is 1 day;
        configure it at least 1 day less than the
        Maximum Password Age

23
Password Policies
  • Minimum Password Length - this setting controls
    the minimum number of characters the operating
    system permits in user-supplied passwords
      • 0 to 14 characters; the default value is 7 to
        8 characters
  • Password Must Meet Complexity Requirements - this
    setting specifies that a strong password must
    contain more than 6 characters, must not
    duplicate all or part of the user's account name
    (including the Administrator's account) and must
    include characters from at least three of the
    following four categories
      • Uppercase letters
      • Lowercase letters
      • Numbers
      • Special characters (e.g. symbols or
        punctuation characters such as ? or !)
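
An added example, not from the slides, that covers slides 19 to 23 in one script: it reads the domain's current account policies, applies the values the slides recommend (threshold 10, duration and reset window 15 minutes, history 24, maximum age 42 days, minimum age 1 day, minimum length 8, complexity on) through Set-ADDefaultDomainPasswordPolicy, enforces the slide-21 constraint that the reset window must not exceed the lockout duration, and implements the slide-23 complexity rule as a function an administrator can run before setting a password. The function's name-token check follows the documented Windows behaviour (parts of the display name shorter than three characters are ignored); the minimum length default of 8 and the sample passwords are assumptions.

```powershell
# Added example (not from the slides): apply the account-policy values recommended on
# slides 19-23 and pre-check a candidate password against the slide-23 complexity rule.
# The domain is whatever the current session is joined to.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$props  = @('LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow',
            'PasswordHistoryCount', 'MaxPasswordAge', 'MinPasswordAge',
            'MinPasswordLength', 'ComplexityEnabled', 'ReversibleEncryptionEnabled')

# Current values from the Default Domain Policy (slide 18)
Get-ADDefaultDomainPasswordPolicy -Identity $domain | Select-Object -Property $props

$policy = @{
    Identity                    = $domain
    LockoutThreshold            = 10                          # slide 19
    LockoutDuration             = (New-TimeSpan -Minutes 15)  # slide 20 (0 = until unlocked)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)  # slide 21
    PasswordHistoryCount        = 24                          # slide 22
    MaxPasswordAge              = (New-TimeSpan -Days 42)     # slide 22
    MinPasswordAge              = (New-TimeSpan -Days 1)      # slide 22
    MinPasswordLength           = 8                           # slide 23 / slide 8
    ComplexityEnabled           = $true                       # slide 23
    ReversibleEncryptionEnabled = $false
}
# Slide 21: the reset window must not exceed the lockout duration (unless duration is 0)
if ($policy.LockoutDuration.TotalMinutes -ne 0 -and
    $policy.LockoutObservationWindow -gt $policy.LockoutDuration) {
    throw 'Reset Account Lockout Counter After must be <= Account Lockout Duration'
}
Set-ADDefaultDomainPasswordPolicy @policy

# Slide 23's complexity rule as a pre-check. Keep the plaintext out of transcripts and
# history; this is a helper for a help-desk workflow, not a logging point.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinLength = 8                      # assumption: matches the policy above
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }

    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # -cmatch is case-sensitive
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons += "only $categories of the 4 character categories" }

    # No part of the account name: the whole samAccountName (if 3+ characters) and each
    # display-name token of 3+ characters, split on space , . - _ # and tab
    $tokens = @()
    if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
    $tokens += ($DisplayName -split '[ ,.\-_#\t]+') | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password -imatch [regex]::Escape($t)) { $reasons += "contains name part '$t'" }
    }
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

Test-PasswordComplexity -Password 'Summer2024!' -SamAccountName 'jsmith' -DisplayName 'John Smith'
Test-PasswordComplexity -Password 'JohnSmith1'  -SamAccountName 'jsmith' -DisplayName 'John Smith'
```

The second test call fails on the name rule even though it satisfies three categories, which is the case the slide's "no duplication of all or part of the user's account name" clause exists for. Note that the domain controller applies these checks itself when the policy is enabled; the function only lets an administrator explain a rejection before it happens.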

24
Kerberos Policies
  • Kerberos Policy - the Kerberos V5 ticket-based
    authentication protocol is implemented through
    the Key Distribution Centre (KDC) that runs on
    each Windows Server 2003 domain controller
  • Clients obtain Kerberos tickets (the client's
    network credentials) from the Key Distribution
    Centre (KDC)
  • These tickets allow them to gain access to
    servers
  • The default Kerberos Policy values that are set
    by the Default Domain Policy are suitable for
    most networks

25
Active Directory Clients
  • The Windows Server 2003 operating system includes
    Active Directory client capabilities for Windows
    2000 Professional, Windows 2000 Server and
    Windows XP clients
  • These can interact with and enjoy access to many
    features of Active Directory, such as Find and
    Search for objects, Distributed File System
    (Dfs), NT LAN Manager (NTLM) version 2
    authentication, etc.
  • Windows 95, 98, Me, and NT clients cannot use
    the Kerberos V5 authentication protocol, Internet
    Protocol Security (IPSec), Layer 2 Tunneling
    Protocol, Group Policy, etc.
  • To function as Active Directory clients, install
    the Active Directory client software from
    Microsoft's Web site

26
Tracking Windows Server 2003 Activities with
Audit Policy
  • Auditing is used to track user activities and
    object access on the computers on a network -
    define an audit policy
  • No auditing is set up by default, except for a
    minimum auditing level on Windows Server 2003
    domain controllers
  • The Administrator can enable auditing of file and
    folder access only on NTFS partitions
  • Examine the security logs on all domain
    controllers for successful or failed user logon
    events (Audit Account Logon Events)
  • Configure auditing of administrative activities
    for a user who has been assigned administrative
    rights (Audit Account Management)
  • Audit local computers for local accounts and
    domain controllers for network accounts (Audit
    Logon Events)
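
An added example, not from the slides, for the audit-policy guidance above: it enables the three audit categories the slide names and then pulls the resulting events from the Security log of every domain controller, as the slide recommends, for a quick triage of failed logons, lockouts and account-management changes. The auditpol subcategory names are the granular settings (Windows Vista/2008 and later) that correspond to the slide's legacy policy names; the 24-hour window and the chosen event IDs are assumptions about what a first-pass review would look at.

```powershell
# Added example (not from the slides): turn on the auditing slide 26 calls for and read
# the matching events from every DC. The auditpol subcategories map the slide's legacy
# policy names onto the granular audit settings available since Windows Vista/2008.
Import-Module ActiveDirectory

# 1. Audit settings, run on each DC (or deliver the same via a GPO's Advanced Audit Policy)
#    "Audit account logon events" -> Credential Validation, Kerberos Authentication Service
#    "Audit logon events"         -> Logon, Logoff, Account Lockout
#    "Audit account management"   -> User/Computer Account Management, Security Group Management
$subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service',
    'Logon', 'Logoff', 'Account Lockout',
    'User Account Management', 'Computer Account Management', 'Security Group Management'
)
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 2. Collect from every DC: 4625 logon failure, 4771 Kerberos pre-auth failure,
#    4740 lockout, 4720 user created, 4726 user deleted, 4728/4732/4756 member added
#    to a global/local/universal security group. Last 24 hours (assumption).
$since = (Get-Date).AddHours(-24)
$ids   = 4625, 4771, 4740, 4720, 4726, 4728, 4732, 4756
$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } |
        ForEach-Object {
            # Read the named EventData fields from the XML rather than by index
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = $d['TargetUserName']    # account that failed, was locked, or was changed
                Subject = $d['SubjectUserName']   # who made the change (management events)
                Source  = $(if ($d['IpAddress']) { $d['IpAddress'] } else { $d['TargetDomainName'] })
            }
        }
}

# 3. Triage
'--- accounts with the most failed logons ---'
$events | Where-Object { $_.Id -in 4625, 4771 } | Group-Object Target |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name
'--- lockouts (Source = calling computer for 4740) ---'
$events | Where-Object { $_.Id -eq 4740 } | Select-Object Time, DC, Target, Source
'--- accounts created / deleted and by whom ---'
$events | Where-Object { $_.Id -in 4720, 4726 } | Select-Object Time, DC, Id, Subject, Target
```

Querying all domain controllers matters for the reason the slide gives: a user is validated by whichever DC answers first, so the failures for one account are scattered across the DCs and only add up to a pattern when the logs are read together.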

27
Understanding Computer Accounts
  • Computer accounts are used to identify computers
    in a domain as security principals, each with
    its own SID
  • A user with a valid user account and password in
    Active Directory cannot log on to a domain if
    the computer is not represented in that domain
  • Each Windows Server 2003 computer, Windows XP
    computer, Windows 2000 Server and Professional
    computer, and Windows NT Server and Workstation
    computer must have a computer account in Active
    Directory on a Domain Controller (DC) to
    participate in a domain
  • Windows 95, 98 and Me computers must install the
    Active Directory Client software to participate
    in a domain
  • The computer account password is generated
    automatically by the operating system and kept
    hidden

28
Understanding Computer Accounts
  • Computer accounts are created and stored in
    Active Directory like user and group accounts
  • Like user and group accounts, computer accounts
    have their own specific attributes or properties
    by which they can be searched for and identified
    in Active Directory
  • They can be members of security or distribution
    groups and inherit permissions from group objects
  • They inherit Group Policy settings from container
    objects such as domains, sites and Organizational
    Units (OUs)
  • You cannot apply Group Policy Objects (GPOs) to
    four of the built-in containers in AD: Users,
    Computers, Foreign Security Principals and
    Builtin
  • Create a separate new Organizational Unit and
    create computer accounts in that Organizational
    Unit (OU)
  • Apply a Group Policy Object (GPO) to that OU

29
Who can create Computer Accounts
  • To create computer accounts, a user must be
    granted the Add workstations to domain right or
    must have the Create Computer Objects permission
    on the container in which the computer account
    is created
  • By default, the Authenticated Users group has the
    Add workstations to domain right and can create
    10 computer accounts in the domain
  • The Enterprise Admins, Domain Admins and Account
    Operators groups can create an unlimited number
    of computer accounts in the domain

30
How to create Computer Accounts
  • There are two ways to create computer accounts in
    Active Directory
      • Create the new computer objects in advance,
        assigning the names, using Active Directory
        Users and Computers, so that a Domain
        Controller can locate the existing objects
        when the computers join the domain
      • Begin the joining process first, and allow the
        computer to create its own computer object:
        the operating system contacts a domain
        controller, establishes a trust relationship,
        locates (or creates) a computer object
        corresponding to the computer's name, and
        modifies its group memberships

31
Creating Computer Objects Using Active Directory
Users and Computers
  • Create a container object in Active Directory
    (AD) for computer accounts
  • Create and place computer accounts in that
    container by selecting the container object
  • From the Action menu, point to New and select
    Computer
  • The New Object - Computer wizard appears
  • Follow the instructions to create computer
    objects in the selected container
  • After creating the computer objects, configure
    their properties

32
Joining Computers to a Domain
  • The joining of a new computer to a domain must
    always be performed at the computer itself,
    either by an administrator or by an end user
    with the Add workstations to domain right
      • Log on to the client computer as an
        Administrator
      • Open the System Properties dialog box and
        select the Network Identification tab
      • Click Properties to open the Identification
        Changes dialog box
      • Select the Domain option button and type the
        correct domain name
      • Click OK. The Domain Username and Password
        dialog box opens; type your Administrator
        account name and password and click OK
      • A Welcome to <domain name> dialog box appears;
        click OK to close the message box
      • Click OK to close the System Properties dialog
        box
      • Click OK to restart the computer
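
An added example, not from the slides, that covers slides 29 to 32 together: the first part runs on a domain controller and checks the default quota of ten computer accounts per authenticated user (the ms-DS-MachineAccountQuota attribute on the domain object), sets it to zero for a domain where administrators pre-stage every machine, and pre-stages a computer object in an OU; the second part runs on the client and performs the join from slide 32 with Add-Computer, showing both paths from slide 30. Domain, OU, host and account names are assumptions for illustration.

```powershell
# Added example (not from the slides): the computer-account quota from slide 29,
# pre-staging from slides 30-31 and the domain join from slide 32, done with PowerShell
# instead of the Windows Server 2003 GUI. Names are assumptions for illustration.

# ---- Part 1: run on a domain controller or an admin workstation with RSAT ----
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Workstations,$domainDn"

# Slide 29: Authenticated Users may add 10 machines each by default. Where every machine
# is pre-staged by administrators, set the quota to 0 so that only identities holding
# the Create Computer Objects permission on the OU (or the user right) can add machines.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"
Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Slides 30-31: pre-stage the object in an OU that receives its own GPO (slide 28)
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
}
New-ADComputer -Name 'WS-0042' -Path $ouDn -Description 'Sales team laptop, pre-staged'
Get-ADComputer -Identity 'WS-0042' -Properties PasswordLastSet | Select-Object Name, Enabled, PasswordLastSet

# ---- Part 2: run on the client itself (slide 32), logged on as a local administrator ----
$domain = 'corp.example'
$cred   = Get-Credential -UserName "$domain\joinadmin" -Message 'Account allowed to join computers'

# Path 1 (object pre-staged under this computer's name): the DC locates the existing
# object; use -NewName if the client is not yet called WS-0042
Add-Computer -DomainName $domain -NewName 'WS-0042' -Credential $cred -Restart

# Path 2 (no pre-staged object): the join creates the object, so name the OU explicitly;
# otherwise it lands in the Computers container, which cannot have a GPO linked to it
# Add-Computer -DomainName $domain -OUPath "OU=Workstations,DC=corp,DC=example" -Credential $cred -Restart

# Either way, after the restart the machine has set its own account password (slide 27):
# Get-ADComputer -Identity 'WS-0042' -Properties PasswordLastSet, OperatingSystem
```

Pre-staging plus a zero quota gives the same outcome as the slide's first path, with one extra property: the name of every machine that can join is decided in advance by someone with the delegated permission, not by whoever holds a domain user account.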

33
Common Problems and Troubleshooting
  • Messages at logon
      • The domain controller cannot be contacted
      • The computer account might be missing
      • The trust between the computer and the domain
        has been lost
      • Incorrect password, or failed relationship with
        a domain or DC
  • Apply the following four rules for
    troubleshooting
      • Reset the computer account
      • If the computer account is missing, create it
      • Remove the computer from the domain by changing
        its membership to a workgroup
      • Rejoin the computer to the domain; join a new
        computer with the same name as the old
        computer account
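
An added example, not from the slides, that turns the four troubleshooting rules above into a script run on the affected client: it first confirms a domain controller can be located (the first message on the slide), then tests the secure channel that the "trust has been lost" message refers to, repairs it in place where possible (the modern equivalent of "reset the computer account" and rejoin), and only falls back to leaving for a workgroup and rejoining under the same name. The domain, DC and account names are assumptions; Test-ComputerSecureChannel, Remove-Computer and Add-Computer are the standard cmdlets for these steps.

```powershell
# Added example (not from the slides): slide 33's troubleshooting sequence as a script
# run on the affected client. Domain, DC and account names are assumptions.
$domain = 'corp.example'
$name   = $env:COMPUTERNAME

# 1. "The domain controller cannot be contacted": can this client locate a DC at all?
#    Most such failures are DNS, so check the SRV record before touching the account.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "No DC SRV records for $domain - fix DNS before anything else" }
nltest.exe /dsgetdc:$domain

# In parallel, from a DC, confirm the account exists and is enabled (slide 33, rule 2):
#   Get-ADComputer -Identity $name -Properties Enabled, PasswordLastSet, LastLogonDate
#   New-ADComputer -Name $name -Path 'OU=Workstations,DC=corp,DC=example'   # if missing

# 2. "The trust between the computer and the domain has been lost": the machine password
#    held locally no longer matches the computer account's (slide 27)
$cred = Get-Credential -UserName "$domain\joinadmin" -Message 'Account allowed to reset this computer account'
if (Test-ComputerSecureChannel) {
    'Secure channel is healthy - look elsewhere (clock skew, DNS, disabled account)'
}
elseif (Test-ComputerSecureChannel -Repair -Credential $cred) {
    # Rule 1 + rule 4 without leaving the domain: resets the machine password on both
    # sides and re-establishes the channel; no reboot or workgroup detour required
    'Secure channel repaired'
}
else {
    # Rules 3 and 4 as a last resort: drop to a workgroup, then rejoin under the same name
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force
    Add-Computer -DomainName $domain -Credential $cred -Force -Restart
}
```

The order matters: repairing or rejoining cannot help while no DC can be found, and a join attempt against a missing account only succeeds if the joining credential is allowed to create computer objects, which is why the slide lists "create it" before "remove" and "rejoin".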