
Managing Active Directory Objects


jud

Presentation Transcript


    1. Managing Active Directory Objects
       - When you first install Active Directory, a number of containers are created by default to hold built-in users and groups, as well as computer accounts
       - Organizational Units (OUs) allow the assignment of Group Policy and the delegation of administrative control to junior administrators
       - User accounts are best arranged into Organizational Units; certain management functions can be delegated at the OU level and inherited by lower levels

    2. User Accounts
       - A user account consists of:
         - Username and password
         - Group membership
         - Rights and permissions to access resources
       - Windows Server 2003 computer configured as a Domain Controller with Active Directory: user accounts are managed by Active Directory Users and Computers
       - Windows Server 2003 member server (not a Domain Controller) and Windows XP workstations: user accounts are managed by Local Users and Groups

    3. User Authentication
       - When a user or group account is created, a unique, non-reusable security identifier (SID) is created
       - The SID is incorporated into a user ticket known as the Ticket Granting Ticket (TGT)
       - The user ticket is used to construct session tickets for any resource access
       - When a user logs on, the security subsystem uses the SID internally to identify the user or group account
       - During the logon process (logging on to a domain), the first available domain controller validates the user and grants access to resources anywhere on the network
       - Replication of the Active Directory data store occurs by default, so a user account can be created on any domain controller in the domain

    4. Types of User Accounts
       - Created user account: required for each user on a domain; resource access is associated with the account
       - Built-in accounts: during installation of Active Directory on a Windows Server 2003 domain controller, two accounts are automatically created
         - Administrator account: member of the domain's Administrators group; cannot be disabled or deleted, but can be renamed
         - Guest account: cannot be deleted, but can be renamed; disabled by default
       - Other built-in accounts are created on Windows Server 2003 by default when certain services are installed

    5. Two Built-in Accounts
       - Administrator account
         - Creates and manages user and group accounts
         - Manages security policies
         - Manages access to file and print resources
       - Guest account (disabled by default)
         - Used for occasional access, e.g. temporary employees
         - Always assign a password
         - Limited access to resources
       - Create a new Organizational Unit (OU) and then create user accounts in that OU, so that they can be managed by using separate group policies

    6. Configuring and Managing User Account Properties
       - Once you create a user account by using the New Object – User wizard, you need to configure it
       - A set of default properties is associated with each user account; these can be modified and can be used to search for users in the Active Directory data store
       - The Properties dialog box allows the administrator to configure various properties for a specific user
       - By default this box has 13 tabs: General, Address, Account, Profile, Telephones, Organization, Remote Control, Terminal Services Profile, COM+, Member Of, Dial-in, Environment and Sessions

    7. Naming Conventions
       - User account names must be unique
         - Domain accounts must be unique to the domain
         - Local accounts must be unique to the computer
       - User names (referred to as User Logon Names in Active Directory Users and Computers) can contain up to 20 characters and are not case sensitive
       - Create a set of rules for a naming convention; consider a naming convention that:
         - Accommodates duplicate employee names
         - Identifies temporary employees
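The three constraints on this slide (uniqueness that ignores case, a 20-character logon name, and a convention that marks temporary staff and survives duplicate employee names) interact in a way that is easy to get wrong when names are generated in bulk. The following is an added example, not code from the slides: a Python generator for logon names that enforces those constraints. The `tmp-` prefix and the "first initial plus surname" pattern are a hypothetical convention chosen for illustration, and the numeric suffix is applied so that the 20-character limit is never exceeded once a duplicate is found.

```python
from typing import Iterable

MAX_LOGON_NAME = 20            # limit for User Logon Names stated on the slide
# characters not allowed in a logon name (assumed set for this example)
INVALID = set('"/\\[]:;|=,+*?<>')


def make_logon_name(first: str, last: str, existing: Iterable[str],
                    temporary: bool = False) -> str:
    """Return a logon name that is unique among `existing`, comparing
    case-insensitively because Active Directory does not distinguish case."""
    # hypothetical convention: first initial + surname, lower-cased
    base = (first[:1] + last).lower()
    base = "".join(c for c in base if c not in INVALID and not c.isspace())
    if temporary:
        base = "tmp-" + base   # hypothetical marker for temporary employees
    taken = {name.lower() for name in existing}
    candidate = base[:MAX_LOGON_NAME]
    n = 1
    while candidate in taken:
        # duplicate employee name: add a counter, trimming the base so the
        # suffix still fits inside the 20-character limit
        n += 1
        suffix = str(n)
        candidate = base[:MAX_LOGON_NAME - len(suffix)] + suffix
    return candidate
```

The case-insensitive comparison is the point to notice: a directory that already holds `JSmith` must not accept `jsmith` as a new name, so the uniqueness check lower-cases both sides.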

    8. Passwords, Logon Hours, and Workstation Restrictions
       - Educate users on how to protect passwords
         - Avoid birthdays, family and pet names
         - Do not share or write down passwords
       - Passwords can be up to 127–128 characters. Use long passwords (a minimum of 7–8 characters is recommended), and use a combination of uppercase and lowercase letters and non-alphanumeric characters (Password Complexity Requirements are enabled by default)

    9. Passwords, Logon Hours, and Workstation Restrictions
       - Passwords are case sensitive; usernames are not (but the entered case is preserved)
       - Use a long password with a combination of uppercase and lowercase letters, numerals and symbols
       - Set logon hours to a user's work hours
       - Require users to log on from their own computers; by default they can log on from any computer in the domain
       - Set an account expiration date on temporary employees' accounts

    10. Configuring and Managing User Account Properties
       - Account options:
         - User must change password at next logon: select if you want the user to choose a new password the next time the user logs on
         - User cannot change password: select if you want to manage the user's password, or if you have more than one person using the same domain user account (such as Guest)
         - Password never expires: select if you want the password to never change
         - Account expires: Never, or End of (a specified date)

    11. Dial-in and other tabs
       - To configure RAS permissions for users, use the Dial-in tab:
         - Allow access
         - Deny access
         - Callback options: No Callback, Set by Caller, Always Callback to
       - The Terminal Services Profile tab, the Environment tab, the Remote Control tab and the Sessions tab are for configuring Terminal Services

    12. Creating and Managing Multiple User Accounts
       - Create a generic user object called a user template, configure the properties common to all new users, and copy it for each new user
       - You can modify the properties of multiple users by selecting each user and then choosing Properties from the Action menu
       - You can move user objects by selecting them and then choosing Move from the Action menu, or by drag and drop

    13. Renaming & Deleting User Accounts
       - A user account, after it is renamed, retains all of its properties, including group memberships, permissions and user rights
       - Rename a user account when a new staff member replaces an employee with similar account properties
       - When you delete a user account, it is permanently removed, and all of its group memberships, permissions and user rights are lost: the SID is deleted
       - If you later create a new account with the same name, the new account will not have the same privileges as the old, deleted account

    14. User Profiles
       - A user profile is a collection of data that includes a user's current desktop settings, printer and network connections
       - The administrator does not need to create user profiles for users, as Windows Server 2003 automatically creates a user profile for each user; however, the administrator can manually assign a roaming or mandatory user profile
       - When a user logs on to a computer for the first time, Windows Server 2003 creates a new user profile for the user by copying the entire contents of the local Default User profile folder to a new folder on the local computer named after the user's account

    15. Managing the User Work Environment
       - Roaming user profiles are user profiles stored centrally on a network server rather than on the user's local computer, and can be changed by the user
       - When a user logs on, Windows Server 2003 copies the roaming user profile from the network server to the client computer
       - Roaming user profiles are implemented by first creating a shared folder on a network server and then assigning a server-based user profile path to a user account: \\Server name\Share name\logon_name
       - You can type the variable %username% in place of the logon name

    16. Managing the User Work Environment
       - Roaming personal user profile
         - Assigned to one user
         - Can be modified by the user
         - The roaming user profile file is named Ntuser.dat
       - Roaming mandatory user profile
         - Mandatory user profiles are roaming profiles that are created for the user and cannot be changed by the user
         - Assigned to one or many users
         - Mandatory user profiles require a .man extension

    17. Monitoring And Troubleshooting User Authentication
       - There are three types of account policies that monitor, troubleshoot and provide security for the user authentication process over the network:
         - Account Lockout policies
         - Password policies
         - Kerberos policies
       - Account policies are sets of rules that apply to all users in a domain
       - Only a member of the Administrators group can manage account policies

    18. Account Policies
       - To configure and manage account policies:
         - On a domain controller, click Start, point to Administrative Tools, and click Group Policy Management to open the Group Policy Management console
         - Expand the Domains node, and double-click the name of your domain
         - Right-click Default Domain Policy, and click Edit to open the Group Policy Object Editor snap-in
         - In the console tree, in the Computer Configuration node, double-click the Windows Settings node to expand it
         - Double-click Security Settings
         - Double-click Account Policies

    19. Account Lockout Policy
       - Account Lockout Policy dictates how to treat a user account after several successive unsuccessful logon attempts have occurred
       - Account Lockout Threshold
         - Specifies the number of invalid attempts a user (or intruder) gets to enter an incorrect password before the account becomes locked out
         - 0 to 999 invalid logon attempts; the default setting is 0
         - A strong setting is 10 attempts for medium- to high-security environments

    20. Account Lockout Policy
       - Account Lockout Duration
         - Specifies how long a user account is locked out after the specified number of bad logon attempts occurs (the LockoutDuration registry value)
         - 0 to 99,999 minutes
         - The default setting is not defined, as it is only useful in conjunction with the Account Lockout Threshold policy
         - A low setting of 5 to 15 minutes is acceptable
         - You can also set the value 0 to lock the account indefinitely, until an administrator unlocks it

    21. Account Lockout Policies
       - Reset Account Lockout Counter After
         - Specifies the number of minutes that must pass after an invalid (bad) logon attempt before the account lockout counter is reset to zero (the ObservationWindow registry value)
         - 1 to 99,999 minutes; must be less than or equal to the value of the Account Lockout Duration
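Slides 19 to 21 describe three settings whose interaction is clearer when run as a state machine: the threshold counts bad attempts inside the observation window, the window resets the counter, and the duration (0 meaning "until an administrator unlocks") decides when the lock falls away. The code below is an added Python model of those semantics, not anything from the slides or from Windows itself; the default values in `LockoutPolicy` are the ones the slides recommend, and the range checks enforce the limits and the "reset window must not exceed lockout duration" rule stated on slide 21.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 10            # Account Lockout Threshold, 0-999 (0 = never lock out)
    duration_minutes: int = 15     # Account Lockout Duration, 0-99,999 (0 = until unlocked by an admin)
    reset_after_minutes: int = 15  # Reset Account Lockout Counter After, 1-99,999 (ObservationWindow)

    def __post_init__(self):
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be 0-999 attempts")
        if not 0 <= self.duration_minutes <= 99_999:
            raise ValueError("lockout duration must be 0-99,999 minutes")
        if not 1 <= self.reset_after_minutes <= 99_999:
            raise ValueError("reset window must be 1-99,999 minutes")
        # Slide 21: the reset window may not exceed the lockout duration.
        # A duration of 0 means "indefinite", so there is nothing to compare.
        if self.duration_minutes and self.reset_after_minutes > self.duration_minutes:
            raise ValueError("reset window must be <= lockout duration")


@dataclass
class AccountState:
    bad_count: int = 0                    # failed attempts inside the current window
    last_bad: Optional[datetime] = None   # time of the most recent failed attempt
    locked_at: Optional[datetime] = None  # set when the threshold was reached


def clear_counter(state: AccountState) -> None:
    state.bad_count = 0
    state.last_bad = None
    state.locked_at = None


def admin_unlock(state: AccountState) -> None:
    """An administrator clears the lock (the only way out when duration is 0)."""
    clear_counter(state)


def is_locked(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    if state.locked_at is None:
        return False
    if policy.duration_minutes == 0:
        return True   # indefinite lockout
    return now < state.locked_at + timedelta(minutes=policy.duration_minutes)


def record_bad_logon(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    """One wrong password at `now`; returns True if the account is locked afterwards."""
    if is_locked(state, policy, now):
        return True
    if state.locked_at is not None:        # an earlier lockout has expired
        clear_counter(state)
    if policy.threshold == 0:
        return False                       # lockout disabled: attempts are not counted
    if state.last_bad is not None and \
            now - state.last_bad >= timedelta(minutes=policy.reset_after_minutes):
        state.bad_count = 0                # observation window elapsed: counter resets
    state.bad_count += 1
    state.last_bad = now
    if state.bad_count >= policy.threshold:
        state.locked_at = now
        return True
    return False


def record_good_logon(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    """Correct password: refused while locked, otherwise the counter is cleared."""
    if is_locked(state, policy, now):
        return False
    clear_counter(state)
    return True
```

Two behaviours worth noting from the model: a correct password is refused for as long as the lock holds (so a locked-out legitimate user must wait or call the help desk), and with the default threshold of 0 no lockout ever occurs, which is why the slide recommends changing it.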

    22. Password Policies
       - Six configurable password policy settings:
       - Enforce Password History
         - Governs how many different passwords must be used before the user can reuse an old password
         - 0 to 24 passwords remembered; the default value is 24
       - Maximum Password Age
         - Controls how long a password is good before a user is forced to pick a new one
         - 0 to 999 days; the default value is 42 days; normal settings are between 30 and 90 days
       - Minimum Password Age
         - Controls how long a new password must be used before it can be changed
         - 0 to 998 days; the default value is 1 day; configure it at least 1 day less than the Maximum Password Age

    23. Password Policies
       - Minimum Password Length
         - Controls the minimum number of characters the operating system permits in user-supplied passwords
         - 0 to 14 characters; the default value is 7 to 8 characters
       - Password Must Meet Complexity Requirements
         - Specifies that a strong password must contain more than 6 characters, must not contain all or part of the user's account name (including the Administrator account), and must include characters from at least three of the following four categories:
           - Uppercase letters
           - Lowercase letters
           - Numbers
           - Special characters (e.g. $, #, or punctuation characters such as ? or !)
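The five settings on slides 22 and 23 are evaluated together whenever a user changes a password, and the order matters: length, complexity, minimum age and history are all checked before the change is accepted, while maximum age is checked at logon. The following is an added Python model of that evaluation, written for this page and not taken from the slides or from Windows. The `PasswordPolicy` defaults are the slides' values; the "part of the account name" rule is interpreted here as the whole name or any name token of three or more characters, compared case-insensitively, and the salted SHA-256 history is a constructed stand-in for the hashes a domain controller keeps.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Defaults as given on the slides; a real domain reads them from the Default Domain Policy."""
    history_length: int = 24   # Enforce Password History (passwords remembered)
    max_age_days: int = 42     # Maximum Password Age (0 = never expires)
    min_age_days: int = 1      # Minimum Password Age
    min_length: int = 7        # Minimum Password Length
    complexity: bool = True    # Password Must Meet Complexity Requirements


@dataclass
class Account:
    name: str
    # Most recent first. Salted SHA-256 digests stand in for the stored hashes;
    # this is a constructed simplification, not how a domain controller stores them.
    history: List[Tuple[bytes, str]] = field(default_factory=list)
    last_set: Optional[datetime] = None


def _digest(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def complexity_violations(password: str, account_name: str) -> List[str]:
    """Rules from the 'Password Must Meet Complexity Requirements' slide."""
    problems = []
    if len(password) <= 6:
        problems.append("must contain more than 6 characters")
    # "all or part of the account name": whole name plus tokens of 3+ characters
    tokens = [account_name] + re.split(r"[\s.,_\-]+", account_name)
    for tok in tokens:
        if len(tok) >= 3 and tok.lower() in password.lower():
            problems.append(f"contains account-name part '{tok}'")
            break
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # symbols and punctuation
    ]
    if sum(categories) < 3:
        problems.append("uses fewer than 3 of the 4 character categories")
    return problems


def change_problems(account: Account, new_password: str,
                    policy: PasswordPolicy, now: datetime) -> List[str]:
    """Every reason the change would be rejected (empty list = accepted)."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.complexity:
        problems += complexity_violations(new_password, account.name)
    if account.last_set is not None and \
            now - account.last_set < timedelta(days=policy.min_age_days):
        problems.append("minimum password age not reached")
    for salt, digest in account.history[:policy.history_length]:
        if _digest(new_password, salt) == digest:
            problems.append("password reused within history")
            break
    return problems


def set_password(account: Account, new_password: str,
                 policy: PasswordPolicy, now: datetime) -> List[str]:
    """Apply the change if it passes; return the list of problems otherwise."""
    problems = change_problems(account, new_password, policy, now)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    del account.history[policy.history_length:]   # keep only the remembered ones
    account.last_set = now
    return []


def password_expired(account: Account, policy: PasswordPolicy, now: datetime) -> bool:
    """Maximum Password Age, checked at logon; 0 means passwords never expire."""
    if policy.max_age_days == 0 or account.last_set is None:
        return False
    return now - account.last_set >= timedelta(days=policy.max_age_days)
```

The minimum-age check is what gives the history setting its teeth: without it a user could cycle through 24 throwaway passwords in a minute and land back on the old one, which is the reason slide 22 pairs a 1-day minimum age with a 24-entry history.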

    24. Kerberos Policies
       - Kerberos Policy: the Kerberos V5 ticket-based authentication protocol is implemented through the Key Distribution Centre (KDC) that runs on each Windows Server 2003 domain controller
       - Clients obtain Kerberos tickets (the client's network credentials) from the KDC; these tickets allow them to gain access to servers
       - The default Kerberos Policy values set by the Default Domain Policy are suitable for most networks

    25. Active Directory Clients
       - The Windows Server 2003 operating system includes Active Directory client capabilities for Windows 2000 Professional, Windows 2000 Server and Windows XP clients
       - These clients can interact with and access many features of Active Directory, such as Find and Search for objects, Distributed File System (Dfs), NT LAN Manager (NTLM) version 2 authentication, etc.
       - Windows 95, 98, Me and NT clients cannot use the Kerberos V5 authentication protocol, Internet Protocol Security (IPSec), Layer 2 Tunneling Protocol, Group Policy, etc.
       - To function as Active Directory clients, these must install the Active Directory client software from Microsoft's Web site

    26. Tracking Windows Server 2003 Activities with Audit Policy
       - Auditing is used to track user activities and object access on the computers on a network; define an audit policy
       - No auditing is set up by default except on Windows Server 2003 domain controllers, which have a minimum auditing level
       - An administrator can enable auditing only on NTFS partitions
       - Examine the security logs on all domain controllers for successful or failed user logon events (Audit Account Logon Events)
       - Configure auditing of administrative activities for a user who has been assigned administrative rights (Audit Account Management)
       - Audit local computers for local accounts and domain controllers for network accounts (Audit Logon Events)
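The slide says what to audit but not what to look for once the security logs are collected. As an added example (not from the slides, and not a Microsoft tool), the Python below parses a small constructed sample of security-log entries and answers the three questions the slide raises: which accounts are accumulating failed logons, who is performing account-management actions, and whether any of those actions fall outside the working day (the 08:00–18:00 window is assumed here, matching the "set logon hours" advice on slide 9). The event IDs used (528, 529, 624, 630, 644) are the real Windows Server 2003 security-log IDs; the one-line log format and every name, host and timestamp in `SAMPLE_LOG` are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

# Windows Server 2003 security-log event IDs used below (real IDs)
EVENT_NAMES = {
    528: "logon_success",
    529: "logon_failure_bad_credentials",
    624: "account_created",
    630: "account_deleted",
    644: "account_locked_out",
}
ACCOUNT_MANAGEMENT = {624, 630, 644}

# Constructed sample in a simplified one-line form (not the Event Viewer format):
# timestamp, reporting DC, event ID, category, outcome, key=value fields
SAMPLE_LOG = """\
2004-03-01 08:58:12 DC1 528 Logon/Logoff success user=amy.chen workstation=WS-17
2004-03-01 09:01:03 DC1 529 Logon/Logoff failure user=jsmith workstation=WS-42
2004-03-01 09:01:09 DC1 529 Logon/Logoff failure user=jsmith workstation=WS-42
2004-03-01 09:01:15 DC1 529 Logon/Logoff failure user=jsmith workstation=WS-42
2004-03-01 09:01:20 DC1 529 Logon/Logoff failure user=jsmith workstation=WS-42
2004-03-01 09:01:26 DC1 529 Logon/Logoff failure user=jsmith workstation=WS-42
2004-03-01 09:01:27 DC1 644 AccountManagement success user=jsmith actor=SYSTEM
2004-03-01 09:30:44 DC2 529 Logon/Logoff failure user=amy.chen workstation=WS-17
2004-03-01 09:31:02 DC2 528 Logon/Logoff success user=amy.chen workstation=WS-17
2004-03-01 10:15:00 DC1 624 AccountManagement success user=temp.contractor actor=admin.pat
2004-03-01 10:16:30 DC1 630 AccountManagement success user=old.intern actor=admin.pat
2004-03-01 19:45:10 DC1 624 AccountManagement success user=svc-backup2 actor=jsmith
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d+) (\S+) (\S+) (.*)$")


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # lines outside the constructed format are ignored
        ts, host, event_id, category, outcome, rest = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "event_id": int(event_id),
            "category": category,
            "outcome": outcome,
            "fields": dict(kv.split("=", 1) for kv in rest.split()),
        })
    return events


def failed_logon_bursts(events: List[dict], threshold: int,
                        window: timedelta) -> Dict[str, int]:
    """Users with at least `threshold` bad-password events (529) inside any
    sliding window; the value is the largest such count seen for that user."""
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            per_user[e["fields"]["user"]].append(e["time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def account_management_by_actor(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Who created, deleted or locked out accounts (Audit Account Management)."""
    summary = defaultdict(Counter)
    for e in events:
        if e["event_id"] in ACCOUNT_MANAGEMENT:
            summary[e["fields"].get("actor", "?")][EVENT_NAMES[e["event_id"]]] += 1
    return {actor: dict(c) for actor, c in summary.items()}


def after_hours_account_management(events: List[dict], start: time = time(8, 0),
                                   end: time = time(18, 0)) -> List[Tuple[str, str, str]]:
    """Account-management events outside the working day (hours assumed here)."""
    return [(e["fields"].get("actor", "?"), EVENT_NAMES[e["event_id"]], e["fields"]["user"])
            for e in events
            if e["event_id"] in ACCOUNT_MANAGEMENT and not (start <= e["time"].time() < end)]
```

Run against the sample, the burst check surfaces the five failures against `jsmith` that preceded the 644 lockout event, and the after-hours check surfaces an account created at 19:45 by a non-administrative user: exactly the kind of record the slide's "audit administrative activities" advice is meant to catch.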

    27. Understanding Computer Accounts
       - Computer accounts identify computers in a domain as security principals, each with its own SID
       - A user with a valid user account and password in Active Directory cannot log on to a domain if the computer is not represented in that domain
       - Each Windows Server 2003, Windows XP, Windows 2000 Server and Professional, and Windows NT Server and Workstation computer must have a computer account in Active Directory, on a domain controller (DC), to participate in a domain
       - Windows 95, 98 and Me computers must install the Active Directory Client software to participate in a domain
       - The computer account password is generated automatically by the operating system and kept hidden

    28. Understanding Computer Accounts
       - Computer accounts are created and stored in Active Directory, like user and group accounts
       - Like user and group accounts, computer accounts have their own specific attributes or properties by which they can be searched for and identified in Active Directory
       - They can be members of security or distribution groups and inherit permissions from group objects
       - They inherit Group Policy settings from container objects such as domains, sites and Organizational Units (OUs)
       - You cannot apply Group Policy Objects (GPOs) to four of the built-in containers in AD: Users, Computers, Foreign Security Principals and Builtin
       - Create a separate new Organizational Unit (OU), create computer accounts in that OU, and apply a Group Policy Object (GPO) to that OU

    29. Who can create Computer Accounts
       - To create computer accounts, a user must be granted the Add workstations to domain right, or must have the Create Computer Objects permission on the container in which the computer account is created
       - By default, the Authenticated Users group has the Add workstations to domain right and can create 10 computer accounts in the domain
       - The Enterprise Admins, Domain Admins and Account Operators groups can create an unlimited number of computer accounts in the domain

    30. How to create Computer Accounts
       - There are two ways to create computer accounts in Active Directory:
         - Create new computer objects in advance, assigning the names, using Active Directory, so that a domain controller can locate the existing objects when the computers join the domain
         - Begin the joining process first and allow a computer to create its own computer object: the operating system contacts a domain controller, establishes a trust relationship, locates (or creates) a computer object corresponding to the computer's name, and modifies its group memberships

    31. Creating Computer Objects Using Active Directory Users and Computers
       - Create a container object in Active Directory (AD) for computer accounts
       - Create and place computer accounts in that container by selecting the container object
       - From the Action menu, point to New and select Computer; the New Object – Computer wizard appears
       - Follow the instructions and create computer objects in the selected container
       - After creating computer objects, configure their properties

    32. Joining Computers to a Domain
       - Joining a new computer to a domain must always be performed at the computer itself, either by an administrator or by an end user with the Add workstations to domain right
       - Log on to the client computer as an administrator
       - Open the System Properties dialog box and select the Network Identification tab
       - Click Properties to open the Identification Changes dialog box
       - Select the Domain option button and type the correct domain name
       - Click OK; the Domain Username and Password dialog box opens. Type your administrator account name and password and click OK
       - A "Welcome to <domain name>" dialog box appears; click OK to close the message box
       - Click OK to close the System Properties dialog box
       - Click OK to restart the computer

    33. Common Problems and Troubleshooting
       - Messages at logon:
         - The domain controller cannot be contacted
         - The computer account might be missing
         - The trust between the computer and the domain has been lost
         - Incorrect password, or failed relationship with a domain or DC
       - Apply the following four rules for troubleshooting:
         - Reset the computer account
         - If the computer account is missing, create it
         - Remove the computer from the domain by changing its membership to a workgroup
         - Rejoin the computer to the domain, or join a new computer with the same name as the old computer account
