PowerPoint Slideshow about '70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Account' - Ava
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Chapter 3: Creating and Managing User Accounts

Objectives
  • Understand the purpose of user accounts
  • Understand the user authentication process
  • Understand and configure local, roaming, and mandatory user profiles
  • Configure and modify user accounts using different methods
  • Troubleshoot user account and authentication problems

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

Introduction to User Accounts
  • A user account is an Active Directory object
  • Represents information that defines a user with access to network (first name, last name, password, etc.)
  • Required for anyone using resources on network
  • Assists in administration and security
  • Must follow organizational standards

User Account Properties
  • Primary tool for creating and managing accounts is Active Directory Users and Computers
  • Active Directory is extensible so additional tabs may be added to property pages
  • Major account properties that can be set include:
    • General
    • Address
    • Account
    • Profile
    • Sessions

Activity 3-1: Reviewing User Account Properties
  • Objective is to review properties of user accounts through main tabs of Active Directory Users and Computers
  • Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
  • Explore tabs and values as directed

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment

the account tab of properties
The Account Tab of Properties

User Authentication
  • The process by which a user’s identity is validated
  • Used to grant or deny access to network resources
  • From a client operating system
    • Name, password, resource required
  • In Active Directory environment
    • Domain controller authenticates
  • In a workgroup
    • Local SAM database authenticates

Authentication Methods
  • Two main processes
    • Interactive authentication
      • User account information is supplied at log on
    • Network authentication
      • User’s credentials are confirmed for network access

Interactive Authentication
  • The process by which a user provides a user name and password for authentication
  • For domain logon, credentials compared to centralized Active Directory database
  • For local logon, credentials compared to local SAM database
  • In domain environments, users normally don’t have local accounts

Network Authentication
  • The process by which a network service confirms the identity of a user
  • For a user who logs on to domain, network authentication is transparent
    • Credentials from interactive authentication valid for network resources
  • A user who logs on to local computer will be prompted to log on to network resource separately

Authentication Protocols
  • Windows Server 2003 supports two main authentication protocols:
    • Kerberos version 5 (Kerberos v5)
    • NT LAN Manager (NTLM)
  • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems
  • NTLM is primary protocol for older Microsoft operating systems

Kerberos v5
  • Primary authentication protocol used in Active Directory domain environments
  • Supported by Windows 2000, Windows XP, Windows Server 2003
  • Protocol followed:
    • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller
    • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system

Kerberos v5 (continued)
    • When client requests a network resource, it presents the TGT to KDC
    • KDC issues a service ticket to client
    • Client presents service ticket to host server for network resource
  • Every domain controller in Active Directory environment holds role of KDC
  • Not all clients follow this protocol

NTLM
  • A challenge-response protocol
  • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary
  • Protocol followed:
    • User logs in, client calculates cryptographic hash of password
    • Client sends user name to domain controller

NTLM (continued)
    • Domain controller generates random challenge and sends it to client
    • Client encrypts challenge with hash of password and sends to domain controller
    • Domain controller calculates expected value to be returned from client and compares to actual value
  • After successful authentication, domain controller generates a token for user for network access
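The two NTLM slides describe the exchange in terms of a password hash and a random challenge. The program below is an added example (not code from the textbook or from Microsoft) that plays both sides of that exchange in Python using the NTLMv2 response computation documented in MS-NLMP (an HMAC-MD5 keyed with the NT hash), which generalizes the slide's description. The user name, domain and passwords are made up; the target-information AV pairs a real client adds to the response blob are omitted; and a small MD4 is included only because hashlib's MD4 is disabled on many current OpenSSL builds.

```python
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). The NT hash is MD4 of the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, message-word order, per-step shifts)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[w] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT one-way function: what the domain controller stores, never the password itself."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over the
    upper-cased user name followed by the domain name, both UTF-16LE."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nthash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_nonce: bytes, filetime: int) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp. The 'temp' blob here
    carries only the fixed fields and an empty AV-pair list (simplification)."""
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + struct.pack("<Q", filetime)      # timestamp as FILETIME
            + client_nonce                     # 8-byte client challenge
            + b"\x00" * 4                      # reserved
            + b"\x00" * 4                      # MsvAvEOL ending the (empty) AV-pair list
            + b"\x00" * 4)                     # reserved
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def dc_verify(stored_nthash: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """Domain controller side: recompute the expected proof from the stored hash
    and the challenge it issued, then compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nthash, user, domain),
                        server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(expected, proof)


def simulate_logon(typed_password: str, stored_nthash: bytes,
                   user: str = "jdoe", domain: str = "DOVERCORP") -> bool:
    """One interactive logon: DC issues a random challenge, client answers, DC decides."""
    server_challenge, client_nonce = os.urandom(8), os.urandom(8)
    filetime = int((time.time() + 11644473600) * 10_000_000)   # 100 ns ticks since 1601
    resp = client_response(nt_hash(typed_password), user, domain, server_challenge, client_nonce, filetime)
    return dc_verify(stored_nthash, user, domain, server_challenge, resp)


def replay_is_rejected(password: str, user: str = "jdoe", domain: str = "DOVERCORP") -> bool:
    """A response captured for one challenge is worthless against a fresh one,
    because the DC's random challenge is bound into the proof."""
    h = nt_hash(password)
    c1, c2 = os.urandom(8), os.urandom(8)
    resp = client_response(h, user, domain, c1, os.urandom(8), 0)
    return dc_verify(h, user, domain, c1, resp) and not dc_verify(h, user, domain, c2, resp)


if __name__ == "__main__":
    stored = nt_hash("Secret!23")                      # constructed account with this password
    print("correct password:", simulate_logon("Secret!23", stored))
    print("wrong password:  ", simulate_logon("secret!23", stored))
    print("replay rejected: ", replay_is_rejected("Secret!23"))
```

Two points the simulation makes visible: the domain controller verifies the response from the stored NT hash alone, so that hash is as sensitive as the password it derives from and must be protected accordingly; and the fresh random challenge in every exchange is what stops a recorded response from being reused.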

User Profiles
  • A collection of settings specific to a particular user
  • Stored locally by default
    • Do not follow user logging on to different computers
  • Can create a roaming profile
    • Does follow user logging on to different computers
  • Administrator can create a mandatory profile
    • User cannot alter it

User Profile Folders and Contents

Local Profiles
  • New profiles are created from Default User profile folder
  • User can change local profile and changes are stored uniquely to that user
  • Administrator can manage various elements of profile
    • Change Type
    • Delete
    • Copy To

Activity 3-2: Testing Local Profile Settings
  • Objective is to configure and test a local user profile
  • Start → Administrative Tools → Active Directory Users and Computers → Users → New → User
  • Follow directions to create a new user profile
  • Explore and configure properties
  • Test by logging in as new user

Roaming Profiles
  • Roaming profiles
    • Allow a profile to be stored on a central server and follow the user
    • Provide advantage of a single centralized location (helpful for backup)
  • Configured from Profiles page of Active Directory Users and Computers
  • Changing a profile from local to roaming requires care – should copy first

Activity 3-3: Configuring and Testing a Roaming Profile
  • Objective: To configure and test a roaming user profile
  • Create a shared folder, copy a local profile to folder, and configure properties of user account to use roaming folder
  • Follow directions in book to create, configure, and test the new roaming profile

Mandatory Profiles
  • Local and roaming profiles allow users to make permanent changes
  • Mandatory profiles allow changes only for a single session
  • Local and roaming profiles can both be configured as mandatory
    • ntuser.dat → ntuser.man

Activity 3-4: Configuring a Mandatory Profile
  • Objective: To configure and test a mandatory user profile
  • Start → My Computer
  • Follow directions to make previously created test profile mandatory by renaming file
  • Test that no permanent changes can be made by user

Creating and Managing User Accounts
  • Standard tool is Active Directory Users and Computers
  • Also a number of command line tools and utilities

Active Directory Users and Computers
  • Available from Administrative Tools menu
  • Can be added to a Microsoft Management Console
  • Can be run from command line (dsa.msc)
  • Graphical tool
    • Can add, modify, move, delete, search for user accounts
  • Can configure multiple objects simultaneously

Activity 3-5: Creating User Accounts Using Active Directory Users and Computers
  • Objective: Use Active Directory Users and Computers to create user accounts
  • Start → Administrative Tools → Active Directory Users and Computers
  • Follow directions to create a number of new user accounts

User Account Templates
  • A user account that is pre-configured with common settings
  • Can be copied to create new user accounts with pre-defined settings
  • New account is then configured with detailed individual settings

Activity 3-6: Creating a User Account Template
  • Objective: Create a user account template and use the template to create a new user account
  • Start → Administrative Tools → Active Directory Users and Computers
  • Create a new user account template
  • Use a variable that will automatically populate the profile path with the name of user account
  • Follow directions to create and explore a new user account from template

Command Line Utilities
  • Some administrators prefer working from command line
  • Can be used to automate creation or management of accounts more flexibly

DSADD
  • Allows object types to be added to directory
    • Computer accounts, contacts, quotas, OUs, users, etc.
  • Syntax for user account is
    • DSADD USER distinguished-name switches
  • Switches include
    • -pwd (password), -memberof, -email, -profile, -disabled

Activity 3-7: Creating User Accounts Using DSADD
  • Objective: Use the DSADD USER command to create new user accounts
  • Start → Run
  • Follow directions to enter DSADD command
  • Check using Active Directory Users and Computers
  • Enter new DSADD command and again check results

DSMOD
  • Allows object types to be modified from the command line
    • Computer accounts, users, quotas, OUs, servers, etc.
  • Syntax for modifying user account is
    • DSMOD USER distinguished-name [distinguished-name ...] switches (one or more distinguished names, one or more switches)
  • Can modify multiple accounts simultaneously

Activity 3-8: Modifying User Accounts Using DSMOD
  • Objective is to modify existing user account properties using the DSMOD USER command
  • Start → Run
  • Follow directions to enter DSMOD command for a single user
  • Check using Active Directory Users and Computers
  • Enter new DSMOD command for multiple users
  • Check results using Active Directory

DSQUERY
  • Allows various object types to be queried from command line
  • Supports wildcard (*)
  • Output can be redirected to another command (piped)
  • Example: return all user accounts that have not changed passwords in 14 days
    • dsquery user domainroot -name * -stalepwd 14

DSMOVE
  • Allows various object types to be moved from current location to a new location
  • Allows various object types to be renamed
  • Only moves within the same domain (otherwise use MOVETREE)
  • Example: to move a user account into a marketing OU
    • dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"

DSRM
  • Allows objects to be deleted from directory
  • Can delete single object or entire subtree
  • Has a confirm option that can be overridden
  • Example: to delete the Marketing OU and all its contained objects without a confirm prompt:
    • dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"

Bulk Import and Export
  • Allows an organization to import existing stores of data rather than recreating from scratch
  • Allows an organization to export data that is already structured in Active Directory to secondary databases
  • Two command line utilities for import and export
    • CSVDE
    • LDIFDE

CSVDE
  • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
  • CSV files can be created/edited using text-based editors
  • Example:
    • csvde -f output.csv

LDIFDE
  • Command-line tool to bulk export and import Active Directory data to and from LDIF files
    • LDAP Data Interchange Format
    • Industry standard for information in LDAP directories
    • Each attribute/value on a separate line with blank lines between objects
  • Can be read in text-based editors
  • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
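The LDIF layout described above (one attribute per line, blank lines between objects) is simple enough to parse directly, which is how an administrator would check an LDIFDE export without re-importing it. The Python below is an added example, not part of the textbook or the LDIFDE tool: the export is a constructed three-user sample in the shape LDIFDE writes, including a base64 (`::`) value and a folded continuation line, and the userAccountControl bit values it tests (0x2 ACCOUNTDISABLE, 0x10000 DONT_EXPIRE_PASSWORD) are Microsoft's documented flags.

```python
import base64
from typing import Dict, List

# userAccountControl flag bits (documented values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample export (not a real directory): three user objects as LDIFDE
# writes them; the first dn is folded onto two lines, the description of the
# second object is base64 because it contains a non-ASCII character.
_DESC = base64.b64encode("Service account (Zürich)".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Paul Kohut,CN=Users,DC=domain01,
 DC=dovercorp,DC=net
changetype: add
objectClass: user
cn: Paul Kohut
sAMAccountName: pkohut
memberOf: CN=Marketing,OU=Groups,DC=domain01,DC=dovercorp,DC=net
memberOf: CN=Domain Users,CN=Users,DC=domain01,DC=dovercorp,DC=net
userAccountControl: 512

dn: CN=Svc Backup,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: svcbackup
description:: {_DESC}
userAccountControl: 66048

dn: CN=Old Temp,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: oldtemp
userAccountControl: 514
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries; each entry maps a lower-cased attribute
    name to its list of values (LDAP attributes may be multi-valued)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                   # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):                   # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                 # attr:< file:///... (not handled here)
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def uac(entry: Dict[str, List[str]]) -> int:
    return int(entry.get("useraccountcontrol", ["0"])[0])


def disabled_accounts(entries) -> List[str]:
    """Accounts whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return [e["samaccountname"][0] for e in entries if uac(e) & ACCOUNTDISABLE]


def non_expiring_passwords(entries) -> List[str]:
    """Accounts exempt from the domain's maximum password age (worth reviewing)."""
    return [e["samaccountname"][0] for e in entries if uac(e) & DONT_EXPIRE_PASSWORD]


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("disabled:", disabled_accounts(users))
    print("password never expires:", non_expiring_passwords(users))
```

The same parser reads the output of an `ldifde -f export.ldf` run; the two report functions show the kind of review (disabled accounts left in place, accounts exempt from password expiry) that an export makes easy.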

Activity 3-9: Exporting Active Directory Users Using LDIFDE
  • Objective is to export Active Directory user accounts using LDIFDE
  • Start → Run
  • Follow directions to enter LDIFDE command
  • Check exported results using Notepad editor

Troubleshooting User Account and Authentication Issues
  • Normally creating and configuring user accounts is straightforward
  • Issues do arise related to
    • Configuration of account
    • Policy settings

Account Policies
  • Authentication-related policy settings
    • Configured in Account Policies node of Group Policy objects at domain level
    • Account lockout, passwords, Kerberos
  • Default Domain Policy
    • Accessed from Active Directory Users and Computers
    • Configures policies for all domain users

Password Policy
  • Configuration settings
    • Password history and reuse
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Complexity requirements
    • Encryption policy
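To make the settings listed above concrete, here is an added Python example (not from the textbook, and not Windows' own implementation) that evaluates a proposed password change against a policy object with the same knobs: minimum length, the Windows complexity rule (no account name or display-name token of three or more characters, at least three of four character classes), password history, minimum age, and maximum age. The account names and passwords are made up, SHA-256 stands in for the NT hashes AD actually keeps in its history, and the "store passwords using reversible encryption" setting is left out because it affects storage, not acceptance.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 7        # Minimum password length
    history_size: int = 24     # Enforce password history (passwords remembered)
    min_age_days: int = 1      # Minimum password age
    max_age_days: int = 42     # Maximum password age (0 = never expires)
    complexity: bool = True    # Password must meet complexity requirements


def history_digest(password: str) -> str:
    """Stand-in for the hashes AD keeps of earlier passwords (constructed example)."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def meets_complexity(password: str, sam_account: str, display_name: str) -> bool:
    """Windows complexity rule: must not contain the account name, nor any
    display-name token of 3+ characters (split on , . - _ # space tab), and
    must use at least three of the four character classes."""
    lowered = password.lower()
    if sam_account and sam_account.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_# \t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def check_password_change(policy: PasswordPolicy, new_password: str, sam_account: str,
                          display_name: str, history: List[str], last_set: Optional[date],
                          today: date, admin_reset: bool = False) -> List[str]:
    """Return the policy violations for a proposed change; an empty list means accepted.
    An administrative reset is not subject to the minimum-age check."""
    problems: List[str] = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than the minimum length of {policy.min_length}")
    if policy.complexity and not meets_complexity(new_password, sam_account, display_name):
        problems.append("does not meet complexity requirements")
    if policy.history_size and history_digest(new_password) in history[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if (not admin_reset and last_set is not None
            and (today - last_set).days < policy.min_age_days):
        problems.append(f"changed less than {policy.min_age_days} day(s) ago")
    return problems


def password_expired(policy: PasswordPolicy, last_set: date, today: date) -> bool:
    """Maximum password age: the user must change the password at next logon."""
    return policy.max_age_days > 0 and (today - last_set).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    today = date(2004, 3, 1)
    previous = [history_digest("Summer2004!")]        # constructed history for user jdoe
    for candidate in ("Summer2004!", "Doe12345!", "Winter2004!"):
        print(candidate, check_password_change(policy, candidate, "jdoe", "Jane Doe",
                                               previous, date(2004, 2, 29), today))
```

A rejected change returns every violated rule rather than the first one, which is what a help desk needs when explaining to a user why "Doe12345!" was refused (it contains part of the display name) or why a perfectly good password is blocked today (minimum age).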

Account Lockout Settings
  • Configuration settings
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout counter after
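The three lockout settings interact in a way that is easy to misjudge (a quiet period resets the counter; an expired lockout duration clears both the lock and the counter). The following Python tracker is an added example, not from the textbook and not Windows' own code, that applies those three settings to a constructed sequence of failed and successful logons for a made-up user so the interaction can be seen step by step.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int            # Account lockout threshold: bad attempts before lockout (0 = never)
    duration: timedelta       # Account lockout duration (timedelta(0) = until an administrator unlocks)
    reset_after: timedelta    # Reset account lockout counter after


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # datetime.max = administrator must unlock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.accounts.get(user)
        if st is None or st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None      # duration has elapsed: lock and counter are cleared
        st.bad_count = 0
        return False

    def record_failure(self, user: str, now: datetime) -> bool:
        """Apply one bad-password attempt; return True if the account is locked afterwards."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return True
        # A gap of at least reset_after since the previous failure resets the counter.
        if st.last_bad is not None and now - st.last_bad >= self.policy.reset_after:
            st.bad_count = 0
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_until = (datetime.max if self.policy.duration == timedelta(0)
                               else now + self.policy.duration)
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """A correct password is still refused while locked; otherwise it clears the counter."""
        if self.is_locked(user, now):
            return False
        self.accounts.setdefault(user, AccountState()).bad_count = 0
        return True

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()


def demo() -> Dict[str, object]:
    """Constructed scenario: 5 attempts / 30 min duration / 15 min reset window."""
    tracker = LockoutTracker(LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=15)))
    t0 = datetime(2004, 3, 1, 9, 0, 0)
    results: Dict[str, object] = {}
    for _ in range(4):                                   # four bad passwords at 09:00
        tracker.record_failure("jdoe", t0)
    results["locked_after_4"] = tracker.is_locked("jdoe", t0)
    tracker.record_failure("jdoe", t0 + timedelta(minutes=20))   # quiet 20 min: counter reset first
    results["count_after_quiet_period"] = tracker.accounts["jdoe"].bad_count
    for s in range(4):                                   # four more within seconds
        tracker.record_failure("jdoe", t0 + timedelta(minutes=20, seconds=10 + s))
    results["locked_after_threshold"] = tracker.is_locked("jdoe", t0 + timedelta(minutes=21))
    results["success_while_locked"] = tracker.record_success("jdoe", t0 + timedelta(minutes=40))
    results["success_after_duration"] = tracker.record_success("jdoe", t0 + timedelta(minutes=55))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario shows why a "Reset account lockout counter after" value shorter than the attacker's pacing weakens the threshold, and why a lockout duration of 0 is the stricter setting: nothing but an administrator's unlock clears it.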

Kerberos Policy
  • Configuration settings
    • Enforce user logon restrictions
    • Maximum lifetime for service ticket
    • Maximum lifetime for user ticket
    • Maximum lifetime for user ticket renewal
    • Maximum tolerance for computer clock synchronization

Auditing Authentication
  • Audit account logon event
    • Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy)
  • Default is to log only successful logons
  • Event viewable in Security log (use Event Viewer)
  • Can choose to audit failed logons
    • May be helpful for troubleshooting
    • Codes provide information about type of failure

Resolving Logon Issues
  • Some common logon issues (and fixes)
    • Incorrect user name or password (administrative reset)
    • Account lockout (manual unlock)
    • Account disabled (administrative enable)
    • Logon hour restrictions (check account restrictions)
    • Workstation restrictions (check account restrictions)
    • Domain controllers (check configured DNS settings)
    • Client time settings (check client clock synchronization)

Resolving Logon Issues (continued)
  • Down-level client issues (install Active Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local server)
  • Remote access logon issues (check access on Dial-up properties)
  • Terminal services logon issues (check allow logon to terminal server permission)
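The auditing slide notes that failure codes identify the type of failure, and the two "Resolving Logon Issues" slides list the matching fixes. The Python below is an added example, not from the textbook, that joins the two: it maps the NTSTATUS codes a domain controller records for NTLM failures and the Kerberos pre-authentication error codes (RFC 4120) to the slide's remedies, summarizes failures per user, and flags a single workstation producing wrong-password failures for many different accounts, a pattern a per-account lockout threshold does not catch. The log lines are a constructed one-event-per-line form, not the real Security log layout, and the hosts and users in them are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# NTSTATUS values a domain controller records for failed NTLM logons
NTLM_STATUS: Dict[int, Tuple[str, str]] = {
    0xC000006A: ("wrong password", "incorrect user name or password: administrative reset"),
    0xC0000064: ("user name does not exist", "incorrect user name: check spelling and UPN"),
    0xC000006D: ("bad user name or password", "incorrect user name or password: administrative reset"),
    0xC0000072: ("account disabled", "administrative enable"),
    0xC0000234: ("account locked out", "manual unlock"),
    0xC000006F: ("outside permitted logon hours", "check account restrictions"),
    0xC0000070: ("workstation restriction", "check account restrictions"),
    0xC0000071: ("password expired", "administrative reset or user change"),
    0xC0000133: ("clock skew between client and domain controller", "check client clock synchronization"),
}
# Kerberos error codes seen in pre-authentication failures
KERB_CODES: Dict[int, Tuple[str, str]] = {
    0x06: ("client principal unknown", "incorrect user name: check spelling and UPN"),
    0x12: ("client credentials revoked (disabled, locked out or outside logon hours)", "check account status and restrictions"),
    0x17: ("password expired", "administrative reset or user change"),
    0x18: ("pre-authentication failed (wrong password)", "incorrect password: administrative reset"),
    0x25: ("clock skew too great", "check client clock synchronization"),
}

# Constructed sample (simplified line format, not the real Security log)
SAMPLE_LOG = """\
2004-03-01T08:59:58 DC01 proto=NTLM user=jdoe ws=WKS-17 status=0xC000006A
2004-03-01T09:00:03 DC01 proto=KERB user=jdoe ws=WKS-17 status=0x18
2004-03-01T09:00:20 DC01 proto=NTLM user=tsmith ws=WKS-21 status=0xC0000234
2004-03-01T09:01:05 DC01 proto=KERB user=oldtemp ws=WKS-04 status=0x12
2004-03-01T09:02:40 DC01 proto=NTLM user=mnguyen ws=LAPTOP-8 status=0xC0000133
2004-03-01T09:03:00 DC01 proto=NTLM user=alee ws=WKS-99 status=0xC000006A
2004-03-01T09:03:01 DC01 proto=NTLM user=bkim ws=WKS-99 status=0xC000006A
2004-03-01T09:03:02 DC01 proto=NTLM user=cpatel ws=WKS-99 status=0xC000006A
2004-03-01T09:03:03 DC01 proto=NTLM user=dwong ws=WKS-99 status=0xC000006A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dc>\S+) proto=(?P<proto>\w+) user=(?P<user>\S+) "
                     r"ws=(?P<ws>\S+) status=(?P<status>0x[0-9A-Fa-f]+)$")


def classify(proto: str, status: int) -> Tuple[str, str]:
    """Return (reason, suggested fix) for a failure code of the given protocol."""
    table = KERB_CODES if proto.upper().startswith("KERB") else NTLM_STATUS
    return table.get(status, ("unrecognised failure code", "look the code up before acting"))


def parse_events(text: str) -> List[Dict[str, object]]:
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip anything not in the expected shape
        ev: Dict[str, object] = m.groupdict()
        ev["status"] = int(m.group("status"), 16)
        ev["reason"], ev["fix"] = classify(m.group("proto"), ev["status"])
        events.append(ev)
    return events


def failures_by_user(events) -> Dict[str, List[str]]:
    by_user: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["reason"])
    return dict(by_user)


def spray_sources(events, min_users: int = 3) -> List[str]:
    """Workstations whose wrong-password failures span many distinct users: one
    source trying the same guess against many accounts stays under each account's
    lockout threshold, so it must be spotted across accounts, not per account."""
    users_per_ws: Dict[str, set] = defaultdict(set)
    for ev in events:
        if "wrong password" in ev["reason"]:
            users_per_ws[ev["ws"]].add(ev["user"])
    return sorted(ws for ws, users in users_per_ws.items() if len(users) >= min_users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, reasons in failures_by_user(evs).items():
        print(f"{user}: {reasons}")
    print("many-user wrong-password sources:", spray_sources(evs))
```

Turning on auditing of failed logons is what makes this possible at all: with the default (successes only), neither the per-user reasons nor the cross-account pattern is visible in the Security log.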

Summary
  • A user account is an object stored in Active Directory
    • Information that defines user and access to network
  • Primary tools to create and manage user accounts
    • Active Directory Users and Computers
    • Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
  • Two main authentication processes
    • Interactive authentication
    • Network authentication

Summary (continued)
  • Two main authentication protocols
    • Kerberos v5, NTLM
  • User profiles used to configure and customize desktop environment
    • Local, roaming, mandatory
  • Utilities for bulk importing and exporting user data to and from Active Directory
    • LDIFDE and CSVDE
