
Chapter 3 – Creating and Managing User Accounts


Presentation Transcript


  1. Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006

  2. Introduction • User account – object in Active Directory • Requires authentication to connect • Control access to network resources • Monitor access by auditing resources (logs) • Create account • Use standard naming structures • Control password policy and ownership • Include additional attributes such as phone number, email address as required elements MIS 431

  3. User Account Properties

  4. AD Added Properties • The default Users and Groups dialog box offers standard choices. • AD Users and Computers adds • Directory information • Special logon restrictions • Domain information • Much more

  5. User Authentication • Users must first be authenticated by a domain controller before gaining access to the network (e.g., they log in as we do with Novell) • The process has two parts • Interactive authentication (to the client PC): the user can choose a full network logon or a logon to the local workstation only • Network authentication: the user's credentials are passed on to the network resource or service and checked there

  6. Authentication Protocols • Kerberos 5 (primary AD method) • Supported by Windows 2000, XP and WS03 • Transparent to the user • NTLM • Used by clients and servers that don't support Kerberos (e.g., NT Server) and as the fallback whenever a Kerberos ticket cannot be obtained • Weaker than Kerberos (a challenge/response on the password hash), so limit it to where it is actually required

  7. User Profiles • Where a user's unique settings are stored • Customized desktop, Favorites, Start menu, Cookies, My Documents, My Recent Documents, NetHood, PrintHood, Send To list, Templates, Application Data, Local Settings, and more • Stored in the Documents and Settings folder for each user • Types – local and roaming

  8. Local Profiles • Created when a new user logs in for the first time • Settings are copied from a standard folder called Default User in Documents and Settings • THUS changing the settings in Default User changes the starting settings for each subsequent new user • Profiles are managed from the System Properties Advanced tab (User Profiles) • Whenever a user changes a setting, it is stored in their local profile • Subsequent logins on that computer use those settings for that user

  9. Roaming Profiles • Stored on a server and downloaded when the user authenticates to the network • Replaces the locally cached copy on that particular client workstation; changes are written back to the server at logoff • Helpful when users move between computers • A local profile can be converted to a roaming profile • The profile path uses Universal Naming Convention (UNC) format: \\serverXX\profile\username

  10. Creating AD Users and Computers • Active Directory Users and Computers tool • In the Administrative Tools menu • Can also be added to a custom MMC • Select a container, right-click, New, click User • Shortcut: click the User icon in the toolbar • Shortcut: click the Group icon in the toolbar • A user can be moved to another container by • dragging (drag and drop is new in WS03; Windows 2000 did not have it) • or using right-click and the Move command

  11. New User Parameters • For nearly every user, you will specify • User logon name • Full name (first, middle, last) • Password • Password properties (user cannot change, must change at first logon, password never expires, etc.) • Account expires (Never, or End of a chosen date)

  12. More User Parameters • General tab – directory-type information • Address tab – more directory information • Account tab – user name, logon hours, account options (password, expiration) • Member Of tab – which groups, set primary group • Dial-in tab – allow remote access or VPN • Other tabs: Environment, Sessions, Profile, Telephones, Remote control, etc.

  13. User Account Templates • Create a template and all users configured from it will have the same settings (time saver) • Modify the copy for user-specific settings • To create one, start the first name with an underscore, as in _MIS431 Template, then make all of the settings you want • Keep the template account disabled so that nobody can log on with it • To use it, copy the template and then modify the copy as desired

  14. Command Line Utilities • User accounts can also be created from the command line • Quicker, and scriptable • But fewer settings can be set easily this way • Commands • DSADD – adds objects • DSMOD – modifies object settings • DSQUERY – queries for objects (its output can be piped into DSMOD) • DSMOVE – moves objects to a different location • DSRM – removes an object from the directory

  15. Command Line contd. • Parameters for the commands • -pwd – password (use -pwd * to be prompted for it, so the password is not left in the command history or visible in the process list) • -memberof – groups the user is a member of • -email – email address for the new user • -profile – profile path for the user (quote it if it contains spaces) • -disabled – whether the account is enabled or disabled • EX: dsadd user "cn=Paul Kohut,cn=Users,dc=dovercorp,dc=net" -pwd Password01 -memberof "cn=Domain Guests,cn=Users,dc=dovercorp,dc=net" -email paul@dovercorp -profile "\\server01\profiles\paul kohut" -disabled no

  16. Bulk Import/Export • Used when transitioning from one directory service to another in large companies • Can also populate a secondary database such as an HRM application • Two utilities • CSVDE – supports import/export to a CSV file • LDIFDE – same but in LDAP Data Interchange Format (LDIF)
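The dsadd example on slide 15 and the LDIFDE import on slide 16 both stand or fall on getting the distinguished name and the quoting right. The following Python is an added example for this transcript, not code from the MIS 431 slides or from Microsoft: it escapes the CN as RFC 4514 requires, builds the dsadd argument list with -pwd * so the password never appears on the command line, and writes an LDIF add record for ldifde -i. The helper names, the use of CN=Users in dovercorp.net, and the address paul@dovercorp.net are this example's own assumptions.

```python
# Added example, not from the MIS 431 slides: build the dsadd command line and
# an LDIFDE import record for one user, escaping the distinguished name properly.
# Assumptions (not on the slide): the helper names, the dovercorp.net objects
# used in the sample call, and paul@dovercorp.net as the full address.
import base64

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value (e.g. a CN) for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would start a hex-string value
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading/trailing spaces are dropped unless escaped
        else:
            out.append(ch)
    return "".join(out)


def user_dn(full_name: str, container_dn: str) -> str:
    """DN of a user object named full_name inside container_dn."""
    return f"CN={escape_rdn_value(full_name)},{container_dn}"


def cmd_quote(arg: str) -> str:
    """Quote one argument for cmd.exe (arguments with embedded quotes are not handled)."""
    return f'"{arg}"' if (" " in arg or arg == "") else arg


def dsadd_user_argv(full_name, container_dn, group_dn, email, profile_path,
                    disabled=False):
    """Argument list for dsadd. '-pwd *' makes dsadd prompt for the password
    instead of taking it from the command line, where it would sit in the
    console history and be visible to anyone listing process command lines."""
    return [
        "dsadd", "user", user_dn(full_name, container_dn),
        "-pwd", "*",
        "-mustchpwd", "yes",
        "-memberof", group_dn,
        "-email", email,
        "-profile", profile_path,
        "-disabled", "yes" if disabled else "no",
    ]


def dsadd_command_line(argv) -> str:
    return " ".join(cmd_quote(a) for a in argv)


def ldif_value(attr: str, value: str) -> str:
    """One LDIF attribute line; values outside the SAFE-STRING grammar go base64 ('::')."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ldif_add_user(full_name, sam, upn, container_dn, email=None) -> str:
    """LDIF 'add' record for 'ldifde -i -f users.ldf'. userAccountControl 514 is a
    normal account that is disabled: LDIFDE over plain LDAP cannot set a password,
    so the account is created disabled, then given a password and enabled."""
    lines = [
        f"dn: {user_dn(full_name, container_dn)}",
        "changetype: add",
        "objectClass: user",
        ldif_value("cn", full_name),
        ldif_value("sAMAccountName", sam),
        ldif_value("userPrincipalName", upn),
        ldif_value("displayName", full_name),
        "userAccountControl: 514",
    ]
    if email:
        lines.append(ldif_value("mail", email))
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    users = "CN=Users,DC=dovercorp,DC=net"
    print(dsadd_command_line(dsadd_user_argv(
        "Paul Kohut", users, f"CN=Domain Guests,{users}",
        "paul@dovercorp.net", r"\\server01\profiles\paul kohut")))
    print(ldif_add_user("Paul Kohut", "pkohut", "pkohut@dovercorp.net", users,
                        email="paul@dovercorp.net"))
```

Running it prints the corrected form of the slide's command (profile path quoted, the group in the same domain as the user) and a record that LDIFDE will accept; the account comes in disabled, which is the safe default for bulk-created users until each one has a password.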

  17. Account Policies • A node in Group Policy (more in Ch. 11) • These settings can cause trouble for a user logging in • Password and lockout settings for domain accounts take effect only from a GPO linked at the domain level, normally the Default Domain Policy • Right-click the domain object (not the Domain Controllers OU) in AD Users and Computers and choose Properties • Click the Group Policy tab

  18. Password Policy settings • Enforce password history – number of previous passwords remembered before a user can reuse an old one • Maximum password age – number of days until it must be changed • Minimum password age – number of days before it can be changed again (set it above 0, or users can cycle through the whole history in one sitting) • Minimum password length – number of characters (0-14; 0 means no password is required) • Password complexity requirement – cannot contain the account name or parts of the full name, at least 6 characters long, and at least 3 of these categories: uppercase, lowercase, digits, symbols (letters with no case, e.g. Asian scripts, count as a fifth category) • Store password using reversible encryption – equivalent to storing clear text; leave it disabled unless an application or protocol (e.g., CHAP) requires it
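The complexity rule on slide 18 is easy to get subtly wrong (the full-name check is on name parts of three or more characters, not the whole name, and the account-name check is skipped for very short names). The following Python is an added example for this transcript, not code from the slides or from Windows itself: it applies the rule as Windows documents it, so a proposed password can be tested before it goes into dsadd or a reset dialog. Function names and the sample users are this example's own.

```python
# Added example, not from the MIS 431 slides: the "password must meet complexity
# requirements" check as Windows applies it, so a proposed password can be tested
# before it is handed to dsadd or typed into a reset dialog. Function names and
# the sample users are this example's own.
import re

# Full-name parts are split on these delimiters; parts of 3+ characters may not
# appear in the password (case-insensitively). Shorter parts are ignored.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def name_parts(display_name: str) -> list:
    return [p for p in _NAME_DELIMS.split(display_name) if len(p) >= 3]


def character_classes(password: str) -> set:
    """Which of the five Windows character categories the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch in "0123456789":
            classes.add("digit")
        elif ch.isalpha():
            classes.add("other_alpha")   # letters with no case, e.g. CJK scripts
        else:
            classes.add("symbol")        # anything non-alphanumeric: ! $ # % space ...
    return classes


def complexity_failures(password: str, sam_account_name: str, display_name: str) -> list:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    lowered = password.lower()
    # The account name is only checked when it is at least 3 characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains the account name")
    for part in name_parts(display_name):
        if part.lower() in lowered:
            reasons.append(f"contains the full-name part {part!r}")
    if len(character_classes(password)) < 3:
        reasons.append("uses fewer than 3 of the 5 character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("Password01", "kohut123", "Pkohut!1", "日本語のパスワード", "Tr0ub4dor&3"):
        print(f"{pw!r}: {complexity_failures(pw, 'pkohut', 'Paul Kohut') or 'OK'}")
```

Note what the check does not do: "Password01" passes, because complexity says nothing about dictionary words. The setting raises the cost of guessing only in combination with a sensible minimum length and the lockout settings on the next slide.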

  19. Account Lockout settings • Apply when a user fails to enter the correct password X times • Account lockout duration – minutes before the user can log in again (0 = locked until an administrator unlocks the account) • Account lockout threshold – number of incorrect login attempts before lockout occurs (0 = never lock out) • Reset account lockout counter after – minutes after the last failed attempt before the counter is reset to zero; must be no longer than the lockout duration

  20. Auditing Authentication • Auditing appears in more detail in Ch. 14 • By default, a WS03 DC audits successful logon events only – they appear in the Security log • Turn on auditing of "failure" logon events as well to track attempts to log in – also shown in the Security log; without it there is no record of the bad attempts that caused a lockout • The Audit Policy node is under Computer Configuration – Windows Settings – Security Settings – Local Policies (Fig 3-33, p. 134)
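The three lockout settings on slide 19 interact in ways that are easiest to see by replaying the failure and success logon events that slide 20's auditing produces. The following Python is an added example for this transcript, not code from the slides: it runs a constructed sequence of Security-log style events (529 = bad user name or password, 528 = successful logon, the WS03 event IDs) through a chosen threshold, reset window and duration and reports which accounts end up locked. The event rows, the class and the function names are this example's own.

```python
# Added example, not from the MIS 431 slides: replay failed and successful logon
# audit events through the three lockout settings to see which accounts would be
# locked, and when. The event rows are constructed for the example, in the shape
# of WS03 Security log entries (event 529 = bad user name or password, 528 =
# successful logon); the class and function names are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    threshold: int        # bad attempts before lockout; 0 = never lock out
    reset_after_min: int  # minutes after the last failure before the counter resets
    duration_min: int     # minutes the lockout lasts; 0 = until an admin unlocks

    def __post_init__(self):
        # Windows requires the reset window to be no longer than a timed lockout.
        if self.duration_min and self.reset_after_min > self.duration_min:
            raise ValueError("reset window must not exceed the lockout duration")


SAMPLE_EVENTS = [  # (time, account, event id) - constructed sample data
    ("2006-03-01 08:00:00", "pkohut", 529),
    ("2006-03-01 08:00:20", "pkohut", 529),
    ("2006-03-01 08:10:00", "jdoe", 529),
    ("2006-03-01 08:45:00", "pkohut", 529),  # 44 min since last failure: counter had reset
    ("2006-03-01 08:45:10", "pkohut", 529),
    ("2006-03-01 08:45:15", "pkohut", 529),  # third failure inside the window
    ("2006-03-01 08:50:00", "pkohut", 528),  # right password, but the account is locked
    ("2006-03-01 09:20:00", "pkohut", 528),  # a 30-minute lockout has expired by now
]


def replay(events, policy: LockoutPolicy):
    """Return (state per account, list of (time, account, outcome))."""
    state, outcomes = {}, []
    for ts_str, account, event_id in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        st = state.setdefault(account, {"count": 0, "last_fail": None, "locked_at": None})
        # A timed lockout expires on its own; duration 0 needs an administrator.
        if (st["locked_at"] is not None and policy.duration_min > 0
                and ts >= st["locked_at"] + timedelta(minutes=policy.duration_min)):
            st["locked_at"], st["count"] = None, 0
        if st["locked_at"] is not None:
            outcomes.append((ts_str, account, "rejected: locked out"))
            continue
        if event_id == 528:
            st["count"] = 0                  # a good logon clears the bad-password count
            outcomes.append((ts_str, account, "success"))
            continue
        # Failure: the window is measured from the previous failure, not the first.
        if (st["last_fail"] is not None
                and ts - st["last_fail"] >= timedelta(minutes=policy.reset_after_min)):
            st["count"] = 0
        st["count"] += 1
        st["last_fail"] = ts
        if policy.threshold and st["count"] >= policy.threshold:
            st["locked_at"] = ts
            outcomes.append((ts_str, account, "failure: account locked"))
        else:
            outcomes.append((ts_str, account, "failure"))
    return state, outcomes


def locked_accounts(state) -> set:
    return {acct for acct, st in state.items() if st["locked_at"] is not None}


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_after_min=30, duration_min=30)
    state, outcomes = replay(SAMPLE_EVENTS, policy)
    for row in outcomes:
        print(*row)
    print("still locked:", locked_accounts(state) or "none")
```

With threshold 3, reset 30 and duration 30, pkohut's two early failures have aged out by 08:45, so it takes three fresh failures to lock the account, and the 09:20 logon succeeds because the lockout has expired. Widening the reset window to 60 minutes locks the account at the 08:45:00 attempt instead, and a duration of 0 keeps it locked until an administrator intervenes; this is also why failure auditing matters, since without the 529 events there is nothing to show what triggered the lockout.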

  21. Authentication Troubleshooting • If a user cannot log in, check the list on p. 135 • Incorrect user name or password • Account lockout • Account disabled • Logon hour restriction • Workstation restriction • Domain controller cannot be located • Client time settings (Kerberos rejects a client whose clock is too far out of sync with the DC) • Down-level client issues • UPN logon issues • Users unable to log on locally to a specific server • Remote access logon issues (dial-up/VPN) • Terminal Services logon issues
