70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts - PowerPoint PPT Presentation

Loading...

PPT – 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts PowerPoint presentation | free to download - id: 224df5-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts

Description:

... that defines a user with access to network (first name, last name, password, etc. ... Industry standard for information in LDAP directories ... – PowerPoint PPT presentation

Number of Views:95
Avg rating:3.0/5.0
Slides: 51
Provided by: facult54
Learn more at: http://faculty.ccri.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts


1
70-290 MCSE Guide to Managing a Microsoft
Windows Server 2003 EnvironmentChapter
3Creating and Managing User Accounts
2
Objectives
  • Understand the purpose of user accounts
  • Understand the user authentication process
  • Understand and configure local, roaming, and
    mandatory user profiles
  • Configure and modify user accounts using
    different methods
  • Troubleshoot user account and authentication
    problems

3
Introduction to User Accounts
  • A user account is an Active Directory object
  • Represents information that defines a user with
    access to network (first name, last name,
    password, etc.)
  • Required for anyone using resources on network
  • Assists in administration and security
  • Must follow organizational standards

4
User Account Properties
  • Primary tool for creating and managing accounts
    is Active Directory Users and Computers
  • Active Directory is extensible so additional tabs
    may be added to property pages
  • Major account properties that can be set include
  • General
  • Address
  • Account
  • Profile
  • Sessions

5
Activity 3-1 Reviewing User Account Properties
  • Objective is to review properties of user
    accounts through main tabs of Active Directory
    Users and Computers
  • Start ? Administrative Tools ? Active Directory
    Users and Computers ? Users ? AdminXX account ?
    Properties
  • Explore tabs and values as directed

6
The Account Tab of Properties
7
User Authentication
  • The process by which a users identity is
    validated
  • Used to grant or deny access to network resources
  • From a client operating system
  • Name, password, resource required
  • In Active Directory environment
  • Domain controller authenticates
  • In a workgroup
  • Local SAM database authenticates

8
Authentication Methods
  • Two main processes
  • Interactive authentication
  • User account information is supplied at log on
  • Network authentication
  • Users credentials are confirmed for network
    access

9
Interactive Authentication
  • The process by which a user provides a user name
    and password for authentication
  • For domain logon, credentials compared to
    centralized Active Directory database
  • For local logon, credentials compared to local
    SAM database
  • In domain environments, users normally dont have
    local accounts

10
Network Authentication
  • The process by which a network service confirms
    the identify of a user
  • For a user who logs on to domain, network
    authentication is transparent
  • Credentials from interactive authentication valid
    for network resources
  • A user who logs on to local computer will be
    prompted to log on to network resource separately

11
Authentication Protocols
  • Windows Server 2003 supports two main
    authentication protocols
  • Kerberos version 5 (Kerberos v5)
  • NT LAN Manager (NTLM)
  • Kerberos v5 is primary protocol for Active
    Directory environments but is not supported on
    all client systems
  • NTLM is primary protocol for older Microsoft
    operating systems

12
Kerberos v5
  • Primary authentication protocol used in Active
    Directory domain environments
  • Supported by Windows 2000, Windows XP, Windows
    Server 2003
  • Protocol followed
  • Log on request passed to Key Distribution Center
    (KDC), a Windows Server 2003 domain controller
  • KDC authenticates user and, if valid, issues a
    ticket-granting ticket (TGT) to client system

13
Kerberos v5 (continued)
  • When client requests a network resource, it
    presents the TGT to KDC
  • KDC issues a service ticket to client
  • Client presents service ticket to host server for
    network resource
  • Every domain controller in Active Directory
    environment holds role of KDC
  • Not all clients follow this protocol

14
NTLM
  • A challenge-response protocol
  • Used with operating systems running Windows NT
    4.0 or earlier or with Windows 2000 or Server
    2003 when necessary
  • Protocol followed
  • User logs in, client calculates cryptographic
    hash of password
  • Client sends user name to domain controller

15
NTLM (continued)
  • Domain controller generates random challenge and
    sends it to client
  • Client encrypts challenge with hash of password
    and sends to domain controller
  • Domain controller calculates expected value to be
    returned from client and compares to actual value
  • After successful authentication, domain
    controller generates a token for user for network
    access

16
User Profiles
  • A collection of settings specific to a particular
    user
  • Stored locally by default
  • Do not follow user logging on to different
    computers
  • Can create a roaming profile
  • Does follow user logging on to different
    computers
  • Administrator can create a mandatory profile
  • User cannot alter it

17
User Profile Folders and Contents
18
Local Profiles
  • New profiles are created from Default User
    profile folder
  • User can change local profile and changes are
    stored uniquely to that user
  • Administrator can manage various elements of
    profile
  • Change Type
  • Delete
  • Copy To

19
Activity 3-2 Testing Local Profile Settings
  • Objective is to configure and test a local user
    profile
  • Start ? Administrative Tools ? Active Directory
    Users and Computers ? Users ? New ? User
  • Follow directions to create a new user profile
  • Explore and configure properties
  • Test by logging in as new user

20
Roaming Profiles
  • Roaming profiles
  • Allow a profile to be stored on a central server
    and follow the user
  • Provide advantage of a single centralized
    location (helpful for backup)
  • Configured from Profiles page of Active Directory
    Users and Computers
  • Changing a profile from local to roaming requires
    care should copy first

21
Activity 3-3 Configuring and Testing a Roaming
Profile
  • Objective To configure and test a roaming user
    profile
  • Create a shared folder, copy a local profile to
    folder, and configure properties of user account
    to use roaming folder
  • Follow directions in book to create, configure,
    and test the new roaming profile

22
Mandatory Profiles
  • Local and roaming profiles allow users to make
    permanent changes
  • Mandatory profiles allow changes only for a
    single session
  • Local and roaming profiles can both be configured
    as mandatory
  • ntuser.dat ? ntuser.man

23
Activity 3-4 Configuring a Mandatory Profile
  • Objective To configure and test a mandatory user
    profile
  • Start ? My Computer
  • Follow directions to make previously created test
    profile mandatory by renaming file
  • Test that no permanent changes can be made by user

24
Creating and Managing User Accounts
  • Standard tool is Active Directory Users and
    Computers
  • Also a number of command line tools and utilities

25
Active Directory Users and Computers
  • Available from Administrative Tools menu
  • Can be added to a Microsoft Management Console
  • Can be run from command line (dsa.msc)
  • Graphical tool
  • Can add, modify, move, delete, search for user
    accounts
  • Can configure multiple objects simultaneously

26
Activity 3-5 Creating User Accounts Using Active
Directory Users and Computers
  • Objective Use Active Directory Users and
    Computers to create user accounts
  • Start ? Administrative Tools ? Active Directory
    Users and Computers
  • Follow directions to create a number of new user
    accounts

27
User Account Templates
  • A user account that is pre-configured with common
    settings
  • Can be copied to create new user accounts with
    pre-defined settings
  • New account is then configured with detailed
    individual settings

28
Activity 3-6 Creating a User Account Template
  • Objective Create a user account template and use
    the template to create a new user account
  • Start ? Administrative Tools ? Active Directory
    Users and Computers
  • Create a new user account template
  • Use a variable that will automatically populate
    the profile path with the name of user account
  • Follow directions to create and explore a new
    user account from template

29
Command Line Utilities
  • Some administrators prefer working from command
    line
  • Can be used to automate creation or management of
    accounts more flexibly

30
DSADD
  • Allows object types to be added to directory
  • Computer accounts, contacts, quotas, OUs, users,
    etc.
  • Syntax for user account is
  • DSADD USER distinguished-name switches
  • Switches include
  • -pwd (password), -memberof, -email, -profile,
    -disabled

31
Activity 3-7 Creating User Accounts Using DSADD
  • Objective Use the DSADD USER command to create
    new user accounts
  • Start ? Run
  • Follow directions to enter DSADD command
  • Check using Active Directory Computers and Users
  • Enter new DSADD command and again check results

32
DSMOD
  • Allows object types to be modified from the
    command line
  • Computer accounts, users, quotas, OUs, servers,
    etc.
  • Syntax for modifying user account is
  • DSMOD USER distinguished-name switches
  • Can modify multiple accounts simultaneously

33
Activity 3-8 Modifying User Accounts Using DSMOD
  • Objective is to modify existing user account
    properties using the DSMOD USER command
  • Start ? Run
  • Follow directions to enter DSMOD command for a
    single user
  • Check using Active Directory Comp. and Users
  • Enter new DSMOD command for multiple users
  • Check results using Active Directory

34
DSQUERY
  • Allows various object types to be queried from
    command line
  • Supports wildcard ()
  • Output can be redirected to another command
    (piped)
  • Example return all user accounts that have not
    changed passwords in 14 days
  • dsquery user domainroot name -stalepwd 14

35
DSMOVE
  • Allows various object types to be moved from
    current location to a new location
  • Allows various object types to be renamed
  • Only moves within the same domain (otherwise use
    MOVETREE)
  • Example to move a user account into a marketing
    OU
  • dsmove "cnPaul Kohut,cnusers,dcdomain01,
    dcdovercorp,dcnet" newparent "oumarketing,
    dcdomain01,dcdovercorp,dcnet"

36
DSRM
  • Allows objects to be deleted from directory
  • Can delete single object or entire subtree
  • Has a confirm option that can be overridden
  • Example to delete the Marketing OU and all its
    contained objects without a confirm prompt
  • dsrm subtree noprompt c "oumarketing,
    dcdomain01,dcdovercorp,dcnet "

37
Bulk Import and Export
  • Allows an organization to import existing stores
    of data rather than recreating from scratch
  • Allows an organization to export data that is
    already structured in Active Directory to
    secondary databases
  • Two command line utilities for import and export
  • CSVDE
  • LDIFDE

38
CSVDE
  • Command-line tool to bulk export and import
    Active Directory data to and from comma-separated
    value (CSV) files
  • CSV files can be created/edited using text-based
    editors
  • Example
  • csvde f output.csv

39
LDIFDE
  • Command-line tool to bulk export and import
    Active Directory data to and from LDIF files
  • LDAP Interchange Format
  • Industry standard for information in LDAP
    directories
  • Each attribute/value on a separate line with
    blank lines between objects
  • Can be read in text-based editors
  • Common uses extending AD schemas, importing bulk
    data to populate AD, manipulating user and group
    objects

40
Activity 3-9 Exporting Active Directory Users
Using LDIFDE
  • Objective is to export Active Directory user
    accounts using LDIFDE
  • Start ? Run
  • Follow directions to enter LDIFDE command
  • Check exported results using Notepad editor

41
Troubleshooting User Account and Authentication
Issues
  • Normally creating and configuring user accounts
    is straightforward
  • Issues do arise related to
  • Configuration of account
  • Policy settings

42
Account Policies
  • Authentication-related policy settings
  • Configured in Account Policies node of Group
    Policy objects at domain level
  • Account lockout, passwords, Kerberos
  • Default Domain Policy
  • Accessed from Active Directory Computers and
    Users
  • Configures policies for all domain users

43
Password Policy
  • Configuration settings
  • Password history and reuse
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirements
  • Encryption policy

44
Account Lockout Settings
  • Configuration settings
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

45
Kerberos Policy
  • Configuration settings
  • Enforce user logon restrictions
  • Maximum lifetime for service ticket
  • Maximum lifetime for user ticket
  • Maximum lifetime for user ticket renewal
  • Maximum tolerance for computer clock
    synchronization

46
Auditing Authentication
  • Audit account logon event
  • Configured in Group Policy object linked to
    Domain Controllers OU (Default Domain Controllers
    Policy)
  • Default is to log only successful logons
  • Event viewable in Security log (use Event Viewer)
  • Can choose to edit failed logons
  • May be helpful for troubleshooting
  • Codes provide information about type of failure

47
Resolving Logon Issues
  • Some common logon issues (and fixes)
  • Incorrect user name or password (administrative
    reset)
  • Account lockout (manual unlock)
  • Account disabled (administrative enable)
  • Logon hour restrictions (check account
    restrictions)
  • Workstation restrictions (check account
    restrictions)
  • Domain controllers (check configured DNS
    settings)
  • Client time settings (check client clock
    synchronization)

48
Resolving Logon Issues (continued)
  • Down-level client issues (install Active
    Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local
    server)
  • Remote access logon issues (check access on
    Dial-up properties)
  • Terminal services logon issues (check allow logon
    to terminal server permission)

49
Summary
  • A user account is an object stored in Active
    Directory
  • Information that defines user and access to
    network
  • Primary tools to create and manage user accounts
  • Active Directory Users and Computers
  • Command line utilities (DSADD, DSMOD, DSQUERY,
    DSMOVE, DSRM)
  • Two main authentication processes
  • Interactive authentication
  • Network authentication

50
Summary (continued)
  • Two main authentication protocols
  • Kerberos v5, NTLM
  • User profiles used to configure and customize
    desktop environment
  • Local, roaming, mandatory
  • Utilities for bulk importing and exporting user
    data to and from Active Directory
  • LDIFDE and CSVDE
About PowerShow.com