70290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Ma - PowerPoint PPT Presentation

Provided by: facultyVa

Transcript and Presenter's Notes

1
70-290 MCSE Guide to Managing a Microsoft
Windows Server 2003 Environment
Chapter 3: Creating and Managing User Accounts
2
Objectives
  • Understand the purpose of user accounts
  • Understand the user authentication process
  • Understand and configure local, roaming, and
    mandatory user profiles
  • Configure and modify user accounts using
    different methods
  • Troubleshoot user account and authentication
    problems

3
Introduction to User Accounts
  • A user account is an Active Directory object
  • Represents information that defines a user with
    access to network (first name, last name,
    password, etc.)
  • Required for anyone using resources on network
  • Assists in administration and security
  • Must follow organizational standards

4
User Account Properties
  • Primary tool for creating and managing accounts
    is Active Directory Users and Computers
  • Active Directory is extensible so additional tabs
    may be added to property pages
  • Major account properties that can be set include
  • General
  • Address
  • Account
  • Profile
  • Sessions

5
Activity 3-1 Reviewing User Account Properties
  • Objective is to review properties of user
    accounts through main tabs of Active Directory
    Users and Computers
  • Start -> Administrative Tools -> Active Directory
    Users and Computers -> Users -> AdminXX account ->
    Properties
  • Explore tabs and values as directed

6
The Account Tab of Properties
7
User Authentication
  • The process by which a user's identity is
    validated
  • Used to grant or deny access to network resources
  • From a client operating system the user supplies
    a name and password (and names the resource
    required)
  • In an Active Directory environment a domain
    controller authenticates the user
  • In a workgroup the local SAM database
    authenticates the user

8
Authentication Methods
  • Two main processes
  • Interactive authentication
  • User account information is supplied at log on
  • Network authentication
  • User's credentials are confirmed for network
    access

9
Interactive Authentication
  • The process by which a user provides a user name
    and password for authentication
  • For domain logon, credentials compared to
    centralized Active Directory database
  • For local logon, credentials compared to local
    SAM database
  • In domain environments, users normally don't have
    local accounts

10
Network Authentication
  • The process by which a network service confirms
    the identity of a user
  • For a user who logs on to domain, network
    authentication is transparent
  • Credentials from interactive authentication valid
    for network resources
  • A user who logs on to local computer will be
    prompted to log on to network resource separately

11
Authentication Protocols
  • Windows Server 2003 supports two main
    authentication protocols
  • Kerberos version 5 (Kerberos v5)
  • NT LAN Manager (NTLM)
  • Kerberos v5 is primary protocol for Active
    Directory environments but is not supported on
    all client systems
  • NTLM is primary protocol for older Microsoft
    operating systems

12
Kerberos v5
  • Primary authentication protocol used in Active
    Directory domain environments
  • Supported by Windows 2000, Windows XP, Windows
    Server 2003
  • Protocol followed
  • Log on request passed to Key Distribution Center
    (KDC), a Windows Server 2003 domain controller
  • KDC authenticates user and, if valid, issues a
    ticket-granting ticket (TGT) to client system

13
Kerberos v5 (continued)
  • When client requests a network resource, it
    presents the TGT to KDC
  • KDC issues a service ticket to client
  • Client presents service ticket to host server for
    network resource
  • Every domain controller in Active Directory
    environment holds role of KDC
  • Not all clients follow this protocol

14
NTLM
  • A challenge-response protocol
  • Used with operating systems running Windows NT
    4.0 or earlier or with Windows 2000 or Server
    2003 when necessary
  • Protocol followed
  • User logs on; the client computes a cryptographic
    hash of the password (the hash, not the password,
    is the secret used in the exchange)
  • Client sends the user name to the domain
    controller

15
NTLM (continued)
  • Domain controller generates a random challenge and
    sends it to the client
  • Client encrypts the challenge with the hash of the
    password and sends the result to the domain
    controller
  • Domain controller computes the value it expects
    from the stored hash and compares it with the
    value received; the password itself never crosses
    the network
  • After successful authentication, the domain
    controller generates an access token for the user
    for network access
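The challenge-response exchange just described, modelled end to end as an added example (this is not code from the textbook or from Windows). It uses the NTLMv2 construction, an HMAC-MD5 keyed with the NT hash, instead of NTLMv1's DES step so that it runs on the Python standard library; the NT hash is MD4 over the UTF-16LE password, and since hashlib may no longer provide MD4 a small RFC 1320 implementation is included. The domain name DOVERCORP and the account/password pairs are assumptions.

```python
"""NTLM-style challenge-response, modelled end to end.

Added example, not code from the textbook or from Windows. It follows the
NTLMv2 construction (HMAC-MD5 keyed with the NT hash) instead of NTLMv1's
DES step so that only the standard library is needed. The NT hash is MD4 over
the UTF-16LE password, and hashlib may no longer provide MD4, so a small
RFC 1320 implementation is included. Domain and accounts are assumptions.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Only needed to derive the NT hash."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                           # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate(r3_order):              # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """What the domain controller stores: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 over UPPER(user) + domain, keyed with the NT hash."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Client side: the user typed the password; derive the hash locally and
    keyed-hash the challenge. Neither password nor hash leaves the client."""
    key = ntlmv2_key(nt_hash(password), user, domain)
    return hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()


class DomainController:
    """Holds NT hashes, hands out random challenges, verifies responses."""

    def __init__(self, domain: str, accounts: dict):
        self.domain = domain
        self.hashes = {u.upper(): nt_hash(p) for u, p in accounts.items()}

    def challenge(self) -> bytes:
        return os.urandom(8)              # fresh per logon; a captured response cannot be replayed

    def verify(self, user, server_challenge, client_challenge, response) -> bool:
        stored = self.hashes.get(user.upper())
        if stored is None:
            return False
        expected = hmac.new(ntlmv2_key(stored, user, self.domain),
                            server_challenge + client_challenge, hashlib.md5).digest()
        return hmac.compare_digest(expected, response)


def logon(dc: DomainController, user: str, password: str) -> bool:
    """Run one logon: challenge, response, verification."""
    server_challenge = dc.challenge()
    client_challenge = os.urandom(8)
    response = client_response(password, user, dc.domain, server_challenge, client_challenge)
    return dc.verify(user, server_challenge, client_challenge, response)


if __name__ == "__main__":
    dc = DomainController("DOVERCORP", {"pkohut": "Marketing-2004!"})   # constructed account
    print("NT hash of 'password':", nt_hash("password").hex())          # 8846f7eaee8fb117ad06bdd830b7586c
    print("good password:", logon(dc, "pkohut", "Marketing-2004!"))
    print("bad password: ", logon(dc, "pkohut", "wrong"))
```

The verify step is the DC-side comparison from the slide: the DC derives the same key from its stored hash, recomputes the response and compares in constant time. Because only the hash enters the computation, anyone holding the NT hash can produce a valid response, which is why the hash is treated as equivalent to the password.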

16
User Profiles
  • A collection of settings specific to a particular
    user
  • Stored locally by default
  • Do not follow user logging on to different
    computers
  • Can create a roaming profile
  • Does follow user logging on to different
    computers
  • Administrator can create a mandatory profile
  • User cannot alter it

17
User Profile Folders and Contents
18
Local Profiles
  • New profiles are created from Default User
    profile folder
  • User can change local profile and changes are
    stored uniquely to that user
  • Administrator can manage various elements of
    profile
  • Change Type
  • Delete
  • Copy To

19
Activity 3-2 Testing Local Profile Settings
  • Objective is to configure and test a local user
    profile
  • Start -> Administrative Tools -> Active Directory
    Users and Computers -> Users -> New -> User
  • Follow directions to create a new user profile
  • Explore and configure properties
  • Test by logging in as new user

20
Roaming Profiles
  • Roaming profiles
  • Allow a profile to be stored on a central server
    and follow the user
  • Provide advantage of a single centralized
    location (helpful for backup)
  • Configured from Profiles page of Active Directory
    Users and Computers
  • Changing a profile from local to roaming requires
    care: copy the local profile to the share first

21
Activity 3-3 Configuring and Testing a Roaming
Profile
  • Objective To configure and test a roaming user
    profile
  • Create a shared folder, copy a local profile to
    folder, and configure properties of user account
    to use roaming folder
  • Follow directions in book to create, configure,
    and test the new roaming profile

22
Mandatory Profiles
  • Local and roaming profiles allow users to make
    permanent changes
  • Mandatory profiles allow changes only for a
    single session
  • Local and roaming profiles can both be configured
    as mandatory
  • ntuser.dat -> ntuser.man (rename the profile's
    registry hive file)

23
Activity 3-4 Configuring a Mandatory Profile
  • Objective To configure and test a mandatory user
    profile
  • Start -> My Computer
  • Follow directions to make previously created test
    profile mandatory by renaming file
  • Test that no permanent changes can be made by user

24
Creating and Managing User Accounts
  • Standard tool is Active Directory Users and
    Computers
  • Also a number of command line tools and utilities

25
Active Directory Users and Computers
  • Available from Administrative Tools menu
  • Can be added to a Microsoft Management Console
  • Can be run from command line (dsa.msc)
  • Graphical tool
  • Can add, modify, move, delete, search for user
    accounts
  • Can configure multiple objects simultaneously

26
Activity 3-5 Creating User Accounts Using Active
Directory Users and Computers
  • Objective Use Active Directory Users and
    Computers to create user accounts
  • Start -> Administrative Tools -> Active Directory
    Users and Computers
  • Follow directions to create a number of new user
    accounts

27
User Account Templates
  • A user account that is pre-configured with common
    settings
  • Can be copied to create new user accounts with
    pre-defined settings
  • New account is then configured with detailed
    individual settings

28
Activity 3-6 Creating a User Account Template
  • Objective Create a user account template and use
    the template to create a new user account
  • Start -> Administrative Tools -> Active Directory
    Users and Computers
  • Create a new user account template
  • Use a variable that will automatically populate
    the profile path with the name of user account
  • Follow directions to create and explore a new
    user account from template

29
Command Line Utilities
  • Some administrators prefer working from command
    line
  • Can be used to automate creation or management of
    accounts more flexibly

30
DSADD
  • Allows object types to be added to directory
  • Computer accounts, contacts, quotas, OUs, users,
    etc.
  • Syntax for user account is
  • dsadd user <UserDN> [switches]
  • Switches include
  • -pwd (password), -memberof, -email, -profile,
    -disabled

31
Activity 3-7 Creating User Accounts Using DSADD
  • Objective Use the DSADD USER command to create
    new user accounts
  • Start -> Run
  • Follow directions to enter DSADD command
  • Check using Active Directory Users and Computers
  • Enter new DSADD command and again check results

32
DSMOD
  • Allows object types to be modified from the
    command line
  • Computer accounts, users, quotas, OUs, servers,
    etc.
  • Syntax for modifying user account is
  • dsmod user <UserDN> [switches]
  • Can modify multiple accounts simultaneously

33
Activity 3-8 Modifying User Accounts Using DSMOD
  • Objective is to modify existing user account
    properties using the DSMOD USER command
  • Start -> Run
  • Follow directions to enter DSMOD command for a
    single user
  • Check using Active Directory Users and Computers
  • Enter new DSMOD command for multiple users
  • Check results using Active Directory Users and
    Computers

34
DSQUERY
  • Allows various object types to be queried from
    command line
  • Supports the wildcard (*)
  • Output can be redirected to another command
    (piped), for example into DSMOD to change every
    matching account at once
  • Example: return all user accounts whose password
    has not changed in 14 days
  • dsquery user domainroot -name * -stalepwd 14

35
DSMOVE
  • Allows various object types to be moved from
    current location to a new location
  • Allows various object types to be renamed
  • Only moves within the same domain (otherwise use
    MOVETREE)
  • Example to move a user account into a marketing
    OU
  • dsmove "cn=Paul Kohut,cn=users,dc=domain01,
    dc=dovercorp,dc=net" -newparent "ou=marketing,
    dc=domain01,dc=dovercorp,dc=net"

36
DSRM
  • Allows objects to be deleted from directory
  • Can delete single object or entire subtree
  • Prompts for confirmation by default; -noprompt
    overrides the prompt (-c continues past errors)
  • Example: delete the Marketing OU and all its
    contained objects without a confirmation prompt
  • dsrm -subtree -noprompt -c "ou=marketing,
    dc=domain01,dc=dovercorp,dc=net"

37
Bulk Import and Export
  • Allows an organization to import existing stores
    of data rather than recreating from scratch
  • Allows an organization to export data that is
    already structured in Active Directory to
    secondary databases
  • Two command line utilities for import and export
  • CSVDE
  • LDIFDE

38
CSVDE
  • Command-line tool to bulk export and import
    Active Directory data to and from comma-separated
    value (CSV) files
  • CSV files can be created/edited using text-based
    editors
  • Example
  • csvde -f output.csv

39
LDIFDE
  • Command-line tool to bulk export and import
    Active Directory data to and from LDIF files
  • LDAP Data Interchange Format
  • Industry standard for information in LDAP
    directories
  • Each attribute/value on a separate line with
    blank lines between objects
  • Can be read in text-based editors
  • Common uses extending AD schemas, importing bulk
    data to populate AD, manipulating user and group
    objects
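As an added example of the LDIF format LDIFDE consumes and produces (this code is not from the textbook or from Microsoft), the following builds "changetype: add" records for new user accounts, with the profile path using the %username% variable exactly as the account-template activity describes, and parses an export back into attribute/value lists, handling the folded lines, "::" base64 values and multi-valued attributes real exports contain. The domain dc=domain01,dc=dovercorp,dc=net, the UPN suffix, the \\server\profiles share and the sample export are constructed.

```python
"""LDIF for bulk user import/export, as used by LDIFDE.

Added example, not from the textbook or Microsoft. Builds 'changetype: add'
records that ldifde -i -f users.ldf would accept and parses an export such as
ldifde -f export.ldf produces. The domain dc=domain01,dc=dovercorp,dc=net,
the \\server\profiles share and the sample export are all constructed.
"""
import base64

BASE_DN = "dc=domain01,dc=dovercorp,dc=net"       # assumption, matches the slide examples
UPN_SUFFIX = "domain01.dovercorp.net"             # assumption


def ldif_value(attr: str, value: str) -> str:
    """One attribute line. LDIF requires base64 ('::') for values that are
    non-ASCII, start with space/colon/'<', or contain CR/LF."""
    raw = value.encode("utf-8")
    plain = raw.isascii() and not value.startswith((" ", ":", "<")) \
        and "\r" not in value and "\n" not in value
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def user_add_record(sam: str, given: str, surname: str, ou: str = "ou=marketing") -> str:
    """An add record for one user. profilePath uses the %username% variable,
    as the account-template activity does, so one line serves every user.
    The account is created disabled (512 + 2) until a password is set."""
    cn = f"{given} {surname}"
    lines = [
        ldif_value("dn", f"cn={cn},{ou},{BASE_DN}"),
        "changetype: add",
        "objectClass: user",
        ldif_value("cn", cn),
        ldif_value("sAMAccountName", sam),
        ldif_value("userPrincipalName", f"{sam}@{UPN_SUFFIX}"),
        ldif_value("givenName", given),
        ldif_value("sn", surname),
        ldif_value("profilePath", r"\\server\profiles\%username%"),
        "userAccountControl: 514",
    ]
    return "\n".join(lines) + "\n"


def import_file(users) -> str:
    """Concatenate records with the blank line LDIF uses as a separator."""
    return "\n".join(user_add_record(*u) for u in users)


def parse_ldif(text: str):
    """Parse LDIF into a list of {attribute: [values]} dicts, handling folded
    continuation lines, '::' base64 values, comments and multi-valued attributes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # continuation: drop one leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:
        if line.startswith("#"):
            continue
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return records


# Constructed sample resembling an ldifde export (real exports carry many more attributes).
SAMPLE_EXPORT = r"""dn: CN=Paul Kohut,OU=marketing,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Kohut
sAMAccountName: pkohut
memberOf: CN=Marketing Staff,OU=marketing,DC=domain01,DC=dovercorp,DC=net
memberOf: CN=Domain Users,CN=Users,DC=domain01,DC=dovercorp,DC=net
profilePath: \\server\profiles\pkohut
l:: WsO8cmljaA==
description: Marketing lead; see the template account for
  the standard settings
userAccountControl: 512

"""

if __name__ == "__main__":
    print(import_file([("pkohut", "Paul", "Kohut"), ("amueller", "Anna", "Müller")]))
    for rec in parse_ldif(SAMPLE_EXPORT):
        print(rec["dn"][0], rec["memberOf"], rec["l"])
```

Write the output of import_file to a file and feed it to ldifde -i -f; the same parser reads a csvde-style export only after conversion, since CSVDE uses one header row and comma-separated columns rather than attribute lines.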

40
Activity 3-9 Exporting Active Directory Users
Using LDIFDE
  • Objective is to export Active Directory user
    accounts using LDIFDE
  • Start -> Run
  • Follow directions to enter LDIFDE command
  • Check exported results using Notepad editor

41
Troubleshooting User Account and Authentication
Issues
  • Normally creating and configuring user accounts
    is straightforward
  • Issues do arise related to
  • Configuration of account
  • Policy settings

42
Account Policies
  • Authentication-related policy settings
  • Configured in Account Policies node of Group
    Policy objects at domain level
  • Account lockout, passwords, Kerberos
  • Default Domain Policy
  • Accessed from Active Directory Users and
    Computers
  • Configures policies for all domain users

43
Password Policy
  • Configuration settings
  • Password history and reuse
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirements
  • Store passwords using reversible encryption
    (leave disabled unless an application requires it)

44
Account Lockout Settings
  • Configuration settings
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

45
Kerberos Policy
  • Configuration settings
  • Enforce user logon restrictions
  • Maximum lifetime for service ticket
  • Maximum lifetime for user ticket
  • Maximum lifetime for user ticket renewal
  • Maximum tolerance for computer clock
    synchronization

46
Auditing Authentication
  • Audit account logon events
  • Configured in the Group Policy object linked to
    the Domain Controllers OU (Default Domain
    Controllers Policy)
  • Default is to log only successful logons
  • Events viewable in the Security log (use Event
    Viewer)
  • Can also audit failed logons
  • Helpful for troubleshooting
  • Failure codes in the events identify the type of
    failure (bad password, disabled or locked-out
    account, expired password, clock skew)
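To show what the failure codes give a troubleshooter, here is an added example (not from the textbook) that reads an exported Security log, explains each Kerberos failure code and flags accounts whose bad-password failures would trip an account lockout threshold. The log lines are constructed and use a simplified CSV shape rather than Event Viewer's real export format; the codes are the KDC error codes from RFC 4120 that Windows Server 2003 records in events 675 (pre-authentication failed) and 676 (authentication ticket request failed); the threshold and window values are assumptions standing in for the Account Lockout Policy settings.

```python
"""Triage failed domain logons from an exported Security log.

Added example, not from the textbook. The log lines are constructed, in a
simplified CSV shape rather than Event Viewer's real export format. The
failure codes are the KDC error codes (RFC 4120) that Windows Server 2003
records in event 675 (pre-authentication failed) and 676 (authentication
ticket request failed) under 'Audit account logon events'. Lockout
threshold and window are assumptions standing in for the Account Lockout
Policy values.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos failure code -> (what it means, the fix from the troubleshooting slides)
KRB_FAILURE = {
    "0x6":  ("client principal unknown (no such account)", "check the user name / UPN"),
    "0x12": ("client credentials revoked: disabled, expired, locked out, or outside logon hours",
             "enable or unlock the account; check Account tab restrictions"),
    "0x17": ("password expired", "administrative reset"),
    "0x18": ("pre-authentication failed (wrong password)", "reset password; watch for lockout"),
    "0x25": ("clock skew too great", "synchronize the client clock with the domain controller"),
}

# Constructed sample export; not real Event Viewer output.
SAMPLE_LOG = """\
Time,EventID,User,ClientAddress,FailureCode
2004-03-01 08:00:05,675,pkohut,192.168.1.10,0x18
2004-03-01 08:00:20,675,pkohut,192.168.1.10,0x18
2004-03-01 08:01:02,675,pkohut,192.168.1.10,0x18
2004-03-01 08:01:40,675,pkohut,192.168.1.10,0x18
2004-03-01 08:02:11,675,pkohut,192.168.1.10,0x18
2004-03-01 08:05:00,676,pkohut,192.168.1.10,0x12
2004-03-01 08:10:33,675,mjones,192.168.1.22,0x18
2004-03-01 09:10:33,675,mjones,192.168.1.22,0x18
2004-03-01 09:12:00,675,rwalsh,192.168.1.31,0x25
2004-03-01 09:15:00,676,ghost,192.168.1.40,0x6
"""


def parse_events(text: str) -> list:
    """Rows of the exported log with typed Time and EventID fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Time"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def explain(event: dict) -> str:
    """One line per event: who, which code, what it means, what to check."""
    cause, fix = KRB_FAILURE.get(event["FailureCode"],
                                 ("unknown failure code", "look the code up in the KDC error table"))
    return (f"{event['Time']:%H:%M:%S} {event['User']:<8} event {event['EventID']} "
            f"{event['FailureCode']}: {cause} -> {fix}")


def lockout_candidates(events, threshold: int = 5, window=timedelta(minutes=30)) -> dict:
    """Users whose bad-password failures (0x18) inside any `window` reach
    `threshold`, which is how the lockout threshold / reset counter pair is
    applied. Returns {user: highest count seen in a window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["FailureCode"] == "0x18":
            by_user[e["User"]].append(e["Time"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):               # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            n = i - start + 1
            if n >= threshold:
                hits[user] = max(n, hits.get(user, 0))
    return hits


def triage(text: str, **policy):
    """Explanations for every event plus the lockout candidates."""
    events = parse_events(text)
    return [explain(e) for e in events], lockout_candidates(events, **policy)


if __name__ == "__main__":
    lines, hits = triage(SAMPLE_LOG)
    print("\n".join(lines))
    print("lockout candidates:", hits)
```

In the constructed sample pkohut's five 0x18 failures inside two minutes are followed by a 0x12, which is the locked-out account being refused; rwalsh's 0x25 points at the client clock rather than the password, matching the clock-synchronization item in the troubleshooting list.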

47
Resolving Logon Issues
  • Some common logon issues (and fixes)
  • Incorrect user name or password (administrative
    reset)
  • Account lockout (manual unlock)
  • Account disabled (administrative enable)
  • Logon hour restrictions (check account
    restrictions)
  • Workstation restrictions (check account
    restrictions)
  • Domain controller cannot be located (check the
    client's configured DNS settings)
  • Client time settings (check client clock
    synchronization against the Kerberos skew limit)

48
Resolving Logon Issues (continued)
  • Down-level client issues (install Active
    Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local
    server)
  • Remote access logon issues (check access on
    Dial-up properties)
  • Terminal services logon issues (check allow logon
    to terminal server permission)

49
Summary
  • A user account is an object stored in Active
    Directory
  • Information that defines user and access to
    network
  • Primary tools to create and manage user accounts
  • Active Directory Users and Computers
  • Command line utilities (DSADD, DSMOD, DSQUERY,
    DSMOVE, DSRM)
  • Two main authentication processes
  • Interactive authentication
  • Network authentication

50
Summary (continued)
  • Two main authentication protocols
  • Kerberos v5, NTLM
  • User profiles used to configure and customize
    desktop environment
  • Local, roaming, mandatory
  • Utilities for bulk importing and exporting user
    data to and from Active Directory
  • LDIFDE and CSVDE