70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 - PowerPoint PPT Presentation

Number of Views:186
Avg rating:3.0/5.0
Slides: 53
Provided by: academic26
Transcript and Presenter's Notes

1
70-270, 70-290 MCSE/MCSA Guide to Installing and
Managing Microsoft Windows XP Professional and
Windows Server 2003
  • Chapter Seven
  • Creating and Managing Domain User and Group
    Accounts

2
Objectives
  • Explain the purpose of domain user accounts
  • Describe the domain user authentication process
  • Create and manage user accounts
  • Configure roaming and mandatory user profiles

3
Objectives (continued)
  • Troubleshoot user account and authentication
    problems
  • Use domain group accounts to simplify
    administration
  • Use command-line utilities to work with domain
    accounts

4
Introduction to Domain User Accounts
  • Domain user account: Active Directory object
    that gives domain controllers access to user
    information
  • Makes it possible to:
    • Require authentication for users
    • Control access to network resources
    • Monitor access to resources
  • Standards for elements of user objects:
    • Establishing a naming convention
    • Controlling password policy and ownership
    • Including additional required attributes

5
User Account Properties
  • Active Directory Users and Computers: Primary
    tool for creating and managing user accounts
  • Properties that can be set for a user account:
    • General
    • Address
    • Account
    • Profile
    • Telephones
    • Organization
    • Member Of
    • Dial-in

6
User Account Properties (continued)
  • Properties that can be set for a user account
    (continued):
    • Environment
    • Sessions
    • Remote control
    • Terminal Services Profile
    • COM+
  • Activity 7-1: Reviewing User Account Properties
    • Objective: Review the properties of a user
      account

7
User Account Properties (continued)
Figure 7-1 Properties of a domain user account
8
User Authentication
  • Authentication: Process of validating a user's
    identity
    • Unique access token created for the user
  • Users enter user names and passwords
  • In an Active Directory environment, users
    generally log on to a domain
    • Authenticated by a domain controller
  • In a workgroup, the local computer's SAM database
    handles authentication

9
Authentication Methods
  • Two main processes:
    • Interactive authentication: Users enter user
      names and passwords
    • Network authentication: Network resource or
      service confirms the user's identity
  • Process differs depending on whether logging on
    to a domain or a local computer

10
Authentication Protocols: Kerberos v5
  • Kerberos v5: Primary authentication protocol used
    in Active Directory domain environments
  • Key Distribution Center (KDC): Service running on
    a Windows Server 2003 domain controller
    • Accesses user name and password information
      stored in Active Directory to authenticate users
  • Ticket-granting ticket (TGT): Data packet
    containing encrypted user identification
    information
    • Client presents TGT to KDC to request a service
      ticket for resources

11
Authentication Protocols: NTLM
  • Challenge-and-response protocol
  • Used for authentication with OSs running Windows
    NT 4.0 or earlier (down-level operating systems)
  • Most commonly used when:
    • A Windows Server 2003 system attempts to
      authenticate to a Windows NT 4.0 domain
      controller
    • A Windows NT 4.0 Workstation system attempts to
      authenticate to a Windows 2000 or Windows Server
      2003 domain controller

12
Creating and Managing Domain User Accounts
  • Windows Server 2003 supports many methods and
    tools for creating user account objects
    • Primary tool is Active Directory Users and
      Computers
  • Makes it possible for administrators to work in
    the environment they feel most comfortable with
    or that is most appropriate for the situation

13
Using Active Directory Users and Computers
Figure 7-2 Active Directory Users and Computers
14
Using Active Directory Users and Computers
(continued)
Figure 7-3 The New Object - User dialog box
15
Using Active Directory Users and Computers
(continued)
  • Activity 7-2: Creating User Accounts with Active
    Directory Users and Computers
    • Objective: Use Active Directory Users and
      Computers to create user accounts
  • To increase security, the default policy on the
    server restricts logging on at the server console
    to Administrators, Account Operators, and Print
    Operators

16
Using Active Directory Users and Computers
(continued)
Figure 7-4 Configuring an initial password for a
new user object
17
Using Active Directory Users and Computers
(continued)
  • Activity 7-3: Modifying the Server Logon Policy
    • Description: In this activity, you use Control
      Panel on your Windows Server 2003 system to
      allow all your users to log on from the server
      console
  • Activity 7-4: Testing Your User Accounts
    • Objective: Test logging on for the user accounts
      you created
  • Multiple user accounts often have common property
    settings

18
Using Active Directory Users and Computers
(continued)
Figure 7-5 Configuring properties for multiple
user objects simultaneously
19
Using User Account Templates
  • User account template: User account set up with
    the common settings associated with a particular
    type of user
  • Activity 7-5: Creating a User Account Template
    • Objective: Create a user account template and
      use that template to create a new user account

20
Working With User Profiles
Figure 7-6 The Documents and Settings folder
21
Roaming Profiles
  • Make it possible for profiles to follow users to
    different computers
  • Store user desktop settings in a single,
    centralized location
  • Configured in the Profile tab of the user
    account's Properties dialog box in Active
    Directory Users and Computers
  • Activity 7-6: Configuring and Testing a Roaming
    Profile
    • Objective: Configure and test a roaming user
      profile

22
Mandatory Profiles
  • Allow users to change their profiles while logged
    on, but the changes are not permanently saved
  • Roaming and local user profiles can be configured
    as mandatory profiles
    • Done by renaming the Ntuser.dat file stored in
      the profile to Ntuser.man
  • Activity 7-7: Configuring a Mandatory Profile
    • Objective: Configure and test a mandatory user
      profile

23
Troubleshooting User Account and Authentication
Problems
  • A number of issues can affect a user's ability to
    log on to a Windows Server 2003 Active Directory
    network
    • Some related to configuring a user account
      (e.g., account lockout)
    • Some related to policy settings

24
Solving User Logon Problems
  • Common logon problems:
    • Incorrect user name or password: Reset the
      password
    • Account lockout: Unlock the account manually
    • Account disabled: Use Active Directory Users and
      Computers or the Dsmod User command
    • Logon hour restrictions: Reconfigure
    • Workstation restrictions: Change the user's
      permissions
    • Domain controllers: Make sure DNS settings are
      correct
    • Client time settings: Synchronize with the
      domain controller

25
Solving User Logon Problems (continued)
  • Common logon problems (continued):
    • Down-level client issues: Consider installing
      Active Directory Client Extensions
    • UPN logon issues: Ensure that a global catalog
      server is configured and accessible
    • Users unable to log on locally: Grant the right
      to log on locally in the policy settings on the
      server
    • Remote access logon issues: Ensure the account
      is configured to allow access
    • Terminal Services logon issues: Ensure the Allow
      logon to terminal server check box is selected
      in the Terminal Services Profile tab

26
Solving Problems Associated with Computer Accounts
  • If users are unable to log on from an XP client,
    check the event log to determine whether the
    account must be reset
    • Event IDs of 3210 or 5722

27
Working with Domain Group Accounts
  • Group: Active Directory object used to organize a
    collection of users, computers, contacts, or
    other groups into a single security principal
  • Groups simplify administration by allowing rights
    and resource permissions to be assigned to the
    group rather than to individual users

28
Group Types
  • Group type defines how a group can be used in an
    Active Directory domain or forest
  • Security groups: Usually the most common group
    type in an Active Directory environment
    • Defined by a SID that allows them to be assigned
      permissions for resources in discretionary
      access control lists (DACLs)
    • Any group that will be assigned permissions or
      rights must be a security group
    • Can also be e-mail entities

29
Group Types (continued)
  • Distribution groups: For use with e-mail
    applications
    • No SID
    • Don't affect the user authentication process
      unnecessarily

30
Group Scope
  • Group scope: Logical boundary within which a group
    can be assigned permissions to a specific resource
    in an Active Directory domain or forest
  • Domain functional levels:
    • Windows 2000 mixed
    • Windows 2000 native
    • Windows Server 2003

31
Group Scope (continued)
Table 7-1 Windows Server 2003 group summary
32
Built-in Groups
Table 7-2 Domain local groups in the Builtin
container
33
Built-in Groups (continued)
Table 7-2 (continued) Domain local groups in the
Builtin container
34
Built-in Groups (continued)
Table 7-3 Domain local and global groups in the
Users container
35
Planning and Implementing Security Groups
  • Mnemonic: A-G-U-DL-P
  • Creating Group Objects: New group accounts can be
    created in any of the built-in containers in
    Active Directory Users and Computers
    • Also in the root of the domain object
    • Often created in custom OU objects
    • Created in Active Directory Users and Computers
      by right-clicking the container or OU
  • Properties for group accounts: General, Members,
    Member Of, and Managed By

36
Planning and Implementing Security Groups
(continued)
  • Activity 7-8: Creating and Adding Members to
    Global Groups
    • Objective: Use Active Directory Users and
      Computers to create global groups
  • Activity 7-9: Creating and Adding Members to
    Domain Local Groups
    • Objective: Use Active Directory Users and
      Computers to create domain local groups

37
Planning and Implementing Security Groups
(continued)
Figure 7-7 The New Object - Group dialog box
38
Planning and Implementing Security Groups
(continued)
Figure 7-9 The Members tab in the Properties
dialog box of a global group
39
Planning and Implementing Security Groups
(continued)
  • Activity 7-10: Changing a Domain's Functional
    Level and Creating and Adding Members to
    Universal Groups
    • Objective: Change the functional level of a
      domain to Windows Server 2003 and use Active
      Directory Users and Computers to create
      universal groups
  • Converting Group Types: Domain must be configured
    at the Windows 2000 native functional level or
    higher
  • Activity 7-11: Converting Group Types
    • Objective: Use Active Directory Users and
      Computers to change group types

40
Planning and Implementing Security Groups
(continued)
Figure 7-12 Creating a universal group
41
Planning and Implementing Security Groups
(continued)
  • Converting Group Scopes: Domain functional level
    must be at least Windows 2000 native
    • Global to universal: Only if the group is not a
      member of other global groups
    • Domain local to universal: Only if the group
      does not have other domain local groups as
      members
    • Universal to global: Only if no universal groups
      are members
    • Universal to domain local: No restrictions
  • Activity 7-12: Converting Group Scopes
    • Objective: Use Active Directory Users and
      Computers to change group scopes
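The scope-conversion rules above, encoded as a checker that reports why a conversion is blocked. This is an added example written for this page, not code from the textbook or from Active Directory Users and Computers; the GroupInfo fields, the group names in the comments, and the two helper functions are assumptions used to model what the tool checks.

```python
"""Checker for the group scope conversion rules listed on the slide
(added example, not from the textbook; GroupInfo and the two helpers
are assumptions used to model what Active Directory Users and
Computers would check before allowing a conversion)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Domain functional levels in increasing order; conversions need native or higher
FUNCTIONAL_LEVELS = ("Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003")
MIN_LEVEL_FOR_CONVERSION = "Windows 2000 native"

@dataclass
class GroupInfo:
    name: str
    scope: str                                # "global", "domain local" or "universal"
    member_of_scopes: Set[str] = field(default_factory=set)  # scopes of groups containing this one
    member_scopes: Set[str] = field(default_factory=set)     # scopes of groups nested in this one

def level_allows_conversion(level: str) -> bool:
    """Both type and scope conversion require at least Windows 2000 native."""
    return FUNCTIONAL_LEVELS.index(level) >= FUNCTIONAL_LEVELS.index(MIN_LEVEL_FOR_CONVERSION)

def scope_conversion_blocker(group: GroupInfo, target: str, level: str) -> Optional[str]:
    """Return None when the conversion is allowed, otherwise the reason it is blocked."""
    if not level_allows_conversion(level):
        return "domain functional level must be at least " + MIN_LEVEL_FOR_CONVERSION
    pair = (group.scope, target)
    if pair == ("global", "universal"):
        if "global" in group.member_of_scopes:
            return "global group is a member of another global group"
        return None
    if pair == ("domain local", "universal"):
        if "domain local" in group.member_scopes:
            return "domain local group has other domain local groups as members"
        return None
    if pair == ("universal", "global"):
        if "universal" in group.member_scopes:
            return "universal group has universal groups as members"
        return None
    if pair == ("universal", "domain local"):
        return None                           # no restrictions
    return f"{group.scope} to {target} is not one of the listed direct conversions"
```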

42
Planning and Implementing Security Groups
(continued)
  • Determining Group Membership: Any Windows Server
    2003 network administrator must ensure that users
    are members of the correct groups
    • Incorrect groups can lead to problems with:
      • User access to required resources
      • Ability to access resources at all
  • Easiest method: Via the Member Of tab of the
    Properties dialog box

43
Using Command-line Utilities
  • Dsadd command: Allows object types to be added to
    the directory
    • Computer accounts, contacts, quotas, groups,
      OUs, and users
  • Activity 7-13: Creating Groups with Dsadd Group
    • Objective: Use the Dsadd Group command to add
      groups of different types and scopes
  • Dsget command: Determines a user's group
    memberships

44
Using Command-line Utilities (continued)
  • Dsmod command: Allows object types to be modified
    from the command line
  • Activity 7-14: Modifying User Accounts with Dsmod
    • Objective: Modify existing user account
      properties with the Dsmod User command
  • Activity 7-15: Modifying a Group Description with
    Dsmod
    • Objective: Use the Dsmod Group command to modify
      group accounts

45
Using Command-line Utilities (continued)
  • Dsquery command: Queries for object types
    • Computer accounts, contacts, quotas, groups,
      OUs, servers, partitions, and users
    • Supports wildcard characters

Figure 7-14 Piping the output of Dsquery User to
the Dsmod User command
46
Using Command-line Utilities (continued)
  • Dsmove command: Allows object types to be moved
    from their current location to a new location
    • Can also rename an object
    • Can be used only to move objects within the same
      domain
  • Dsrm command: Deletes objects from the directory
    • Supports deleting entire subtrees
    • Can delete an existing object and its contents

47
Using Command-line Utilities (continued)
  • Bulk Import and Export: Gives administrators the
    flexibility to import and export data to or from
    Active Directory
  • CSVDE utility: Supports bulk export and import of
    Active Directory data to and from comma-separated
    value (CSV) files
  • LDIFDE utility: Same purpose as the CSVDE utility,
    but uses the LDIF file format
    • Industry-standard method for formatting
      information imported to or exported from LDAP
      directories
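To show what an LDIFDE export looks like and how the LDIF conventions (one attribute per line, "::" for base64 values, folded continuation lines, blank-line record separators) are read back, here is an added parser that is not from the textbook or the ldifde tool; the sample export, the example.local domain, the account names and the is_disabled helper are constructed for this example.

```python
import base64

# Constructed sample in LDIFDE's output form: one attribute per line,
# "::" marks a base64-encoded value, a leading space continues the
# previous line, and a blank line separates records.  The domain
# example.local and the accounts are placeholders, not from the page.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Sales,DC=example,DC=local
changetype: add
objectClass: user
cn: Jane Doe
description: Account created from the
  sales user template
sAMAccountName: jdoe
displayName:: SmFuZSBEb2U=
userAccountControl: 514

dn: CN=Sales Staff,OU=Sales,DC=example,DC=local
changetype: add
objectClass: group
cn: Sales Staff
member: CN=Jane Doe,OU=Sales,DC=example,DC=local
groupType: -2147483646
"""

ACCOUNTDISABLE = 0x2   # userAccountControl flag bit for a disabled account

def parse_ldif(text):
    """Return a list of records; each record maps attribute name -> list of values."""
    logical_lines = []
    for raw in text.splitlines():             # unfold continuation lines first
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]
        else:
            logical_lines.append(raw)
    records, current = [], {}
    for line in logical_lines + [""]:         # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):              # LDIF comment line
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return records

def is_disabled(record):
    """True when the record's userAccountControl has the ACCOUNTDISABLE bit set."""
    uac = int(record.get("userAccountControl", ["0"])[0])
    return bool(uac & ACCOUNTDISABLE)
```

The userAccountControl check is the same flag an administrator inspects when an "account disabled" logon failure is suspected.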

48
Using Command-line Utilities (continued)
  • Activity 7-16: Exporting Active Directory Users
    with LDIFDE
    • Objective: Export Active Directory data with the
      LDIFDE utility

Figure 7-15 Data exported with CSVDE
49
Using Command-line Utilities (continued)
Figure 7-16 User data exported with LDIFDE
50
Summary
  • The two primary authentication protocols used in
    Windows Server 2003 Active Directory environments
    are Kerberos v5 and NTLM
  • Windows Server 2003 supports three different
    types of user profiles: local, roaming, and
    mandatory
  • The primary tool for creating and managing user
    and group accounts in a Windows Active Directory
    environment is Active Directory Users and
    Computers

51
Summary (continued)
  • Windows Server 2003 supports two group types:
    security groups and distribution groups
  • Windows Server 2003 supports three different
    group scopes: global, domain local, and universal
  • The most scalable method of managing security
    groups to assign rights and permissions is
    following the A-G-U-DL-P method
  • The primary tools for gathering group membership
    information are the Member Of and Members tabs in
    the Properties dialog boxes of objects and the
    Dsget command

52
Summary (continued)
  • Windows Server 2003 Active Directory includes a
    number of built-in global and domain local groups
    in both the Users and Builtin containers
  • Computers running Windows NT 4.0, Windows 2000,
    Windows XP, and Windows Server 2003 require
    computer accounts in Active Directory
  • There are a number of command-line tools for
    creating and managing user and group accounts
  • The LDIFDE and CSVDE command-line utilities can
    be used to import and export settings to and from
    LDIF and CSV text files, respectively