User account: A form of identification for a user on a Windows Server 2003 network (PowerPoint presentation transcript, uploaded by jaden)
slide1

(Skill 1)

Planning Strategies for Creating User Accounts

  • User account
    • A form of identification for a user on a Windows Server 2003 network
    • Used to build the user ticket (also known as a TGT, or Ticket Granting Ticket)
      • Contains a list of the Security IDs (SIDs) associated with the user account and all groups to which that user account is a member
      • Used to prove that the user account is valid and to construct session tickets
slide2

(Skill 1)

Planning Strategies for Creating User Accounts (2)

  • When the user wants to access a resource, the OS sends the user ticket to the domain controller with a special Kerberos request
  • The session ticket is presented to the specific computer controlling the resources as a form of identification
  • The resource server compares the SIDs in the token or ticket to a Discretionary Access Control List (DACL) on the resource
slide3

(Skill 1)

Planning Strategies for Creating User Accounts (3)

  • DACLs are composed of Access Control Entries (ACEs)
    • Each ACE contains the SID for a user account or group and the permissions applied to it
    • Through this mechanism, a resource determines what level of access each user account should have, and grants an access token to the user for the user’s specific access level
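The three slides above describe the check a resource server performs: the SIDs carried in the user's ticket or token are compared, ACE by ACE, against the DACL on the resource. The following Python model of that comparison is an added example, not part of the presentation; the SIDs, the two-bit access mask and the sample DACL are constructed placeholders, and the walk is a simplified version of the Windows algorithm (ACEs evaluated in order, a matching denied ACE refuses the request, allowed ACEs accumulate rights, no DACL means everything is allowed and an empty DACL means nothing is).

```python
from dataclasses import dataclass, field

# Constructed SIDs in the usual S-1-5-21-<domain>-<RID> shape; they are
# placeholders, not SIDs taken from any real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALICE = DOMAIN_SID + "-1105"
BOB = DOMAIN_SID + "-1106"
SALES = DOMAIN_SID + "-1201"        # a group SID
CONTRACTORS = DOMAIN_SID + "-1302"  # a group SID
EVERYONE = "S-1-1-0"                # well-known SID

# Toy access-mask bits; real Windows masks carry many more rights.
READ = 0x1
WRITE = 0x2


@dataclass
class Ace:
    """One Access Control Entry: a SID, an access mask and allow/deny."""
    sid: str
    mask: int
    allow: bool


@dataclass
class Token:
    """The SIDs a user's ticket or access token carries: the user plus groups."""
    user_sid: str
    group_sids: frozenset = field(default_factory=frozenset)

    def sids(self):
        return {self.user_sid, *self.group_sids}


def build_token(user_sid, *group_sids):
    """Every authenticated user also carries the Everyone SID."""
    return Token(user_sid, frozenset(group_sids) | {EVERYONE})


def access_check(token, dacl, requested):
    """Simplified DACL walk modelled on how Windows evaluates ACEs in order.

    - dacl is None -> the object has no DACL: everything is allowed
    - dacl == []   -> an empty DACL: nothing is allowed
    - an ACE applies only if its SID is in the token
    - an applicable denied ACE covering any still-ungranted requested bit
      refuses the whole request; allowed ACEs accumulate granted bits
    """
    if dacl is None:
        return True
    token_sids = token.sids()
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        remaining = requested & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed DACL for a shared folder: contractors may never write,
# Sales may read and write, everyone may read.
SHARE_DACL = [
    Ace(CONTRACTORS, WRITE, allow=False),
    Ace(SALES, READ | WRITE, allow=True),
    Ace(EVERYONE, READ, allow=True),
]

if __name__ == "__main__":
    alice = build_token(ALICE, SALES)
    bob = build_token(BOB, SALES, CONTRACTORS)
    print("alice write:", access_check(alice, SHARE_DACL, WRITE))  # True
    print("bob write:  ", access_check(bob, SHARE_DACL, WRITE))    # False
    print("bob read:   ", access_check(bob, SHARE_DACL, READ))     # True
```

The denied ACE comes first in the list because Windows stores DACLs in canonical order (explicit denies before explicit allows); Bob is in Sales, which would grant write, but his Contractors membership is hit first and the request is refused.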
slide4

(Skill 1)

Planning Strategies for Creating User Accounts (4)

  • You can create user accounts manually or by writing scripts
    • To create accounts manually, you use the Active Directory Users and Computers console
    • To script a user account, you need to be familiar with at least one scripting language, such as VBScript or JScript
slide5

(Skill 1)

Planning Strategies for Creating User Accounts (5)

  • It is very important to plan your user accounts before you actually create them
  • Parameters you need to consider while planning
    • Naming conventions
    • Password requirements
    • Account options
slide6

(Skill 1)

Planning Strategies for Creating User Accounts (6)

  • Naming conventions
    • A good naming convention makes it easy for users to remember their logon names
    • Also provides for cases in which two users have the same name
  • Password requirements
    • Each user account will typically be assigned a password
    • Passwords prevent unauthorized access to a domain or a computer
slide7

(Skill 1)

Planning Strategies for Creating User Accounts (7)

  • Account options
    • It is also important to consider certain properties before you create user accounts
      • Log On To option specifies the computers to which a user can log on
      • Logon Hours section allows you to specify which hours of the day and days of the week a user can log on
      • Account Expires section allows you to predefine when a user account will expire
slide8

(Skill 1)

Figure 5-1 Setting user account properties

slide9

(Skill 1)

Planning Strategies for Creating User Accounts (9)

  • Active Directory Services Interfaces (ADSI)
    • You can use ADSI to create scripts
    • ADSI is a fully programmable automation object available for administrators
  • You can also create user accounts in batches from a .csv or an .ldif file using the Csvde.exe or Ldifde.exe utilities
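Slide 6 asks for a naming convention that copes with two users who share a name, and the slide above mentions batch creation from a .csv file with Csvde.exe. The Python script below is an added example, not from the presentation, that generates such an import file: it applies a constructed convention (first initial plus surname, lowercase, at most the 20 characters sAMAccountName allows, with a numeric suffix on collisions) and writes the header-plus-rows layout csvde -i -f reads. The OU distinguished name and UPN suffix are placeholders. Because csvde cannot import passwords, each row sets userAccountControl to 514 (normal account, disabled) so the accounts are not usable until an administrator sets a password and enables them.

```python
import csv
import io
import re

SAM_MAX_LEN = 20  # sAMAccountName is limited to 20 characters


def logon_name(given, surname, taken):
    """Naming convention (constructed for this example): first initial plus
    surname, lowercase, ASCII letters and digits only, truncated to 20
    characters. When two users would get the same name, append 2, 3, ...
    so both logon names stay unique."""
    base = re.sub(r"[^a-z0-9]", "", (given[:1] + surname).lower())[:SAM_MAX_LEN]
    candidate, n = base, 2
    while candidate in taken:
        suffix = str(n)
        candidate = base[:SAM_MAX_LEN - len(suffix)] + suffix
        n += 1
    taken.add(candidate)
    return candidate


def build_csvde_rows(people, ou_dn, upn_suffix):
    """Build one csvde row per (given, surname) pair. No password attribute
    is written because csvde cannot import one, so userAccountControl is set
    to 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)."""
    taken = set()
    rows = []
    for given, surname in people:
        sam = logon_name(given, surname, taken)
        display = f"{given} {surname}"
        rows.append({
            "DN": f"CN={display},{ou_dn}",
            "objectClass": "user",
            "sAMAccountName": sam,
            "userPrincipalName": f"{sam}@{upn_suffix}",
            "displayName": display,
            "givenName": given,
            "sn": surname,
            "userAccountControl": "514",
        })
    return rows


def to_csvde_text(rows):
    """Serialise in the layout csvde expects: a header line of attribute
    names, then one comma-separated line per object. The DN contains
    commas, so the csv module quotes it."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed staff list: two people called Jane Smith plus a John Smith,
# which exercises the collision handling.
STAFF = [("Jane", "Smith"), ("John", "Smith"), ("Jane", "Smith"),
         ("Olaf", "O'Brien-Jones-Longnamexyz")]

if __name__ == "__main__":
    rows = build_csvde_rows(STAFF, "OU=Staff,DC=example,DC=com", "example.com")
    print(to_csvde_text(rows))
```

Write the output to a file and import it with `csvde -i -f staff.csv` on a domain controller; the three Smiths become jsmith, jsmith2 and jsmith3, and the long surname is cut to 20 characters.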
slide10

(Skill 2)

Creating a Local User Account

  • Local user accounts
    • Are created so that users can log on only to a specific computer and access the resources on only that computer
    • In order for a user using a local user account to access resources on other computers, a local user account must be created with the same name and password on all computers that the user needs to access
    • This is because local user accounts are stored only in the computer’s local security database
slide11

(Skill 2)

Creating a Local User Account (2)

  • Local user accounts
    • Are not replicated to domain controllers
    • When a user logs on to a computer, the operating system uses its local security database to authenticate the local user account
    • Similarly, when a user attempts to access a workgroup resource, the computer providing the resource uses its local accounts database to authenticate the user account
slide12

(Skill 2)

Creating a Local User Account (3)

  • Local user accounts
    • If you create a local user account on a computer that requires access to domain resources, the user cannot access the resources in the domain unless an identical domain user account is created
    • In this situation, the domain does not recognize local user accounts
    • Furthermore, the domain administrator cannot manage local user account properties or assign access permissions to the user for domain resources using the local computer
slide13

(Skill 2)

Creating a Local User Account (4)

  • Local user accounts
    • If you have administrative rights, you can use the Local Users and Groups snap-in in the Computer Management console
    • From this console, you can create, delete, or disable local user accounts on a local computer
slide14

(Skill 2)

Figure 5-2 Local security database

slide15

(Skill 2)

Figure 5-3 Creating a local user account

slide16

(Skill 3)

Creating a Domain User Account

  • You use a domain user account to log on to a domain and access network resources
    • You can create a domain user account in an OU on a domain controller
    • The domain controller then replicates the new user account information to all other domain controllers in the domain
    • After replication, all domain controllers in the domain will be able to authenticate the user
slide17

(Skill 3)

Creating a Domain User Account (2)

  • In addition, all trusting domains can now allow the user account to gain access to their resources
  • You use the Active Directory Users and Computers console to create domain user accounts
slide18

(Skill 3)

Creating a Domain User Account (3)

  • Logon process
    • A user provides a logon name and password (or inserts a smart card and provides a PIN)
    • Windows Server 2003 uses this information to authenticate the user and build a user ticket that contains the user’s identification and security settings
    • The purpose of the user ticket is to identify the user account in order to build session tickets, which are then used to identify the user to the domain member computers
    • An access token is generated to allow the user specific levels of access
slide19

(Skill 3)

Creating a Domain User Account (4)

  • Active Directory domain names are usually the full DNS name of the domain
  • For backward compatibility, each domain also has a pre-Windows 2000 name that is used by computers running pre-Windows 2000 operating systems
  • This name can be used to log on to a Windows 2000 or Windows Server 2003 domain from computers running Windows 2000 or XP operating systems
slide20

(Skill 3)

Figure 5-4 Domain user account

slide21

(Skill 3)

Figure 5-5 Creating a domain user account

slide22

(Skill 3)

Figure 5-6 Setting a password for a new domain user account

slide23

(Skill 3)

Creating a Domain User Account (5)

  • Built-in user accounts are created by default during the installation of Windows Server 2003
  • Administrator built-in user account
    • Used to perform administrative tasks
      • Creating and managing user accounts
      • Setting account properties
      • Assigning permissions to user accounts to access resources
    • Used to gain access to network resources
slide24

(Skill 3)

Creating a Domain User Account (6)

  • Built-in Guest account
    • Used to give users access to resources for a short time
    • Is disabled by default
slide25

(Skill 3)

Figure 5-7 Summary screen for a new domain user account

slide26

(Skill 4)

Setting User Account Properties

  • Every user account you create has a set of default properties you can configure
    • Including personal information, logon settings, dial-in settings, and Terminal Services settings for a user
    • The personal properties you define for a domain user account are useful when conducting user searches based on very specific information
slide27

(Skill 4)

Setting User Account Properties (2)

  • Logon settings are used to specify the logon hours for a user
  • Dial-in settings for a user account are used to specify if and how a user can make a dial-up connection from a remote location
  • Terminal Services properties provide the ability to connect to a server from a remote location
slide28

(Skill 4)

Setting User Account Properties (4)

  • You can save a lot of time by filling out the common fields shared between user accounts in a “template” account
    • A template account is a disabled account that is used as a model for creating other accounts
    • After filling out the appropriate fields, you can right-click the account and select Copy to create a new account with most of your pre-defined fields already filled in
slide29

(Skill 4)

Figure 5-9 Setting user account properties

slide30

(Skill 4)

Figure 5-10 Specifying logon hours for a user account

slide31

(Skill 5)

Introducing User Profiles

  • A user profile is a collection of data
    • User’s personal data
    • Desktop settings
    • Printer connections
    • Network connections
  • User profiles help to provide a consistent desktop environment each time a user logs on to the computer
slide32

(Skill 5)

Introducing User Profiles (2)

  • User profiles enable multiple users to work from the same computer or a single user to work from multiple computers on a network without changing any of the settings
    • User profiles can be stored on a server so that users can use them on any computer running Microsoft Windows NT 4.0 or later
    • They also store the application settings for applications that comply with Microsoft’s software development guidelines
slide33

(Skill 5)

Introducing User Profiles (3)

  • User profiles are stored in the Documents and Settings folder, by default, with the sole exception of servers and clients upgraded from Windows NT or Windows 9x, in which case they are stored in a \Profiles folder
slide34

(Skill 5)

Introducing User Profiles (4)

  • There are three types of user profiles
    • Local user profiles
    • Roaming user profiles
    • Mandatory user profiles
slide35

(Skill 5)

Introducing User Profiles (5)

  • Local user profiles
    • Is limited to the computer you log on to and is stored on the system’s local hard disk
    • Is created the first time you log on to a computer by copying the settings in the Default User profile, and it is the default type of profile
    • Any changes you make to your local user profile are also specific to the computer on which you made the changes
slide36

(Skill 5)

Introducing User Profiles (6)

  • Local user profiles are stored in the folder %Systemdrive%:\Documents and Settings\user_logon_name
    • systemdrive is the system drive letter
    • user_logon_name is the name the user uses to log on to the system
slide37

(Skill 5)

Figure 5-11 A sample user profile folder

slide38

(Skill 5)

Introducing User Profiles (7)

  • Roaming user profile
    • A profile that is stored on a network server and retrieved at user logon
    • They are useful when users have to work on multiple computers on a network, because they can have a uniform desktop on all computers they use
slide39

(Skill 5)

Introducing User Profiles (8)

  • Roaming user profile
    • To enable a roaming profile, you must configure a network path to the roaming profile in the Properties dialog box for the user account
    • The profile is then available to the user from all computers in the domain
    • Any changes the user makes to the roaming user profile are also updated on the server
slide40

(Skill 5)

Introducing User Profiles (9)

  • Roaming user profile
    • Users can view their individual settings on any computer on the network
    • When the user logs on to a network computer for the first time, the operating system copies the roaming user profile from the network server to the local user profile and temporarily applies the roaming user profile settings to that computer
    • The profile files are copied to the local profile at logon, and the changes are transferred back to the server at log off
slide41

(Skill 5)

Introducing User Profiles (10)

  • Roaming user profile
    • In the User Profiles dialog box on the local computer (which is accessed by clicking the Change Type button on the Advanced tab in the System Properties dialog box), the user’s profile is automatically set to Roaming
    • Subsequently, when that user logs on again, Windows Server 2003 copies only the files that have changed since the last time the user logged on
slide42

(Skill 5)

Introducing User Profiles (11)

  • Roaming user profile
    • When the user logs off, Windows Server 2003 copies the changes made to the local copy of the roaming user profile back to the network server
    • Roaming profiles consume large amounts of network bandwidth
    • This is due to creating folder structures either on the desktop or in the My Documents folder and placing large quantities of data in these locations
slide43

(Skill 5)

Introducing User Profiles (12)

  • Mandatory user profile
    • A type of roaming profile used to specify particular settings for individuals or a group
    • It does not permanently save the desktop settings made by a user
    • The settings are applied to the local computer each time the user logs on
    • This profile helps you to create a default user profile that is suited specifically for a user’s tasks
slide44

(Skill 5)

Introducing User Profiles (13)

  • Mandatory user profile
    • Set up a mandatory user profile for specific users
      • These users will be able to modify the desktop settings while they are logged on
      • None of these changes will be retained when they log off
    • Creating a mandatory user profile
      • Involves the same steps as creating a roaming profile, with one exception
      • After creating a roaming profile, go to the appropriate network share point and rename the ntuser.dat file to ntuser.man
slide45

(Skill 5)

Introducing User Profiles (14)

  • The All Users folder in %Systemdrive%:\Documents and Settings is used to modify all profiles applied to an individual computer
  • Any changes made to the All Users folder will apply to every profile for every user that logs on to this computer
slide46

(Skill 5)

Figure 5-13 Contents of the All Users folder

slide47

(Skill 6)

Creating a Roaming User Profile (2)

  • Suggested practices
    • Always create standard roaming user profiles on the file server that you back up most frequently
    • This helps you to track copies of the latest roaming user profiles
slide48

(Skill 6)

Creating a Roaming User Profile (4)

  • Standard roaming user profiles provide certain benefits and streamline troubleshooting
    • For example, you can provide a standard desktop environment to multiple users with similar job profiles
    • As another example, the system support team can identify solutions for problems more efficiently (because the team is familiar with the user profile settings)
slide49

(Skill 6)

Creating a Roaming User Profile (5)

  • To create a standard roaming user profile
    • Create a shared folder on the server
    • Create a user profile template with the appropriate configuration
    • Copy the user profile template to the shared folder on the server and specify the users who will have access to the profile
    • Specify the path to the profile template in the user account
slide50

(Skill 6)

Figure 5-14 Assigning Full Control to the Authenticated Users Group

slide51

(Skill 6)

Figure 5-16 The User Profiles dialog box

slide52

(Skill 6)

Figure 5-17 Copying the user profile template to the shared folder

slide53

(Skill 6)

Figure 5-18 Selecting the user who will be permitted to use the profile

slide54

(Skill 6)

Figure 5-19 Specifying the path to the roaming user profile

slide55

(Skill 7)

Creating a Home Folder on a Server

  • The My Documents folder is the default location for users to store their data
  • You can specify a different Home folder as the default storage location instead
    • A Home folder is generally used when users want to store data in a folder that is not computer-dependent and that is easily accessible from any computer on the network
    • It usually exists on a server, which means that it is typically backed up nightly as part of the server backup schedule
slide56

(Skill 7)

Creating a Home Folder on a Server (2)

  • Ideally, you can store the Home folders for all users on a network server because this provides certain benefits
    • You can centralize the administration of user documents
    • Users can access their Home folders from any computer on the network
    • Users can locate their Home folders from a client computer that is running any Microsoft operating system
slide57

(Skill 7)

Creating a Home Folder on a Server (3)

  • By storing a Home folder in a shared folder on a file server, administrative tasks, such as backing up user documents, are also centralized
  • The size of the Home folder does not affect network traffic during logon because the Home folder does not belong to any roaming user profile
slide58

(Skill 7)

Figure 5-20 Specifying the path of the Home folder

slide59

(Skill 7)

Figure 5-21 Home folder for a user

slide60

(Skill 8)

Maintaining User Accounts

  • As a network administrator, you must maintain user accounts based on the needs of your organization
  • Typical user account maintenance tasks
    • Modifying user accounts
    • Resetting passwords
    • Unlocking user accounts
slide61

(Skill 8)

Maintaining User Accounts (2)

  • You can modify user accounts in many ways
    • Rename a user account
    • Disable or enable a user account
    • Delete a user account
  • To modify user accounts, you need at least the Write permission for the user account
slide62

(Skill 8)

Maintaining User Accounts (3)

  • You can reset passwords when a user’s password expires before the user has a chance to change it
  • In some cases, users might even forget their passwords
  • You do not need to know the old password in order to reset a password
  • After the administrator or the user sets a password for a user account, the password is not viewable to anyone, including the administrator
slide63

(Skill 8)

Maintaining User Accounts (4)

  • Windows Server 2003 can lock user accounts for users who violate the account lockout policy
  • In such cases, the user can either wait until the lockout period expires (usually 30 minutes), or contact an administrator to unlock the user account
slide64

(Skill 8)

Maintaining User Accounts (5)

  • To unlock a user account
    • Open the Account tab on the Properties dialog box for the user account
    • Clear the Account is locked out check box
    • It is important to understand that the Account is locked out check box will be active only when the system has locked out a user account
  • You cannot manually lock out a user account
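Slides 63 and 64 describe lockout from the administrator's side: the system locks an account that violates the lockout policy, the lock expires on its own (30 minutes is the usual duration) or an administrator clears it, and there is no way to lock an account by hand. The Python class below is an added model of that behaviour, not code from the presentation; the three parameters mirror the three Account Lockout Policy settings (threshold, reset-counter window, duration), the timestamps are constructed, and deliberately the class offers an unlock method but no lock method.

```python
from datetime import datetime, timedelta

# Constructed reference clock so the example runs deterministically.
BASE_TIME = datetime(2024, 1, 1, 9, 0, 0)


def at(minutes_after):
    """Clock helper: BASE_TIME plus a number of minutes."""
    return BASE_TIME + timedelta(minutes=minutes_after)


class AccountLockoutPolicy:
    """Model of the Account Lockout Policy settings.

    threshold            bad attempts before lockout (0 = never lock)
    reset_counter_after  minutes after the last bad attempt at which the
                         bad-attempt counter returns to zero
    lockout_duration     minutes an account stays locked (0 = until an
                         administrator unlocks it)
    """

    def __init__(self, threshold=5, reset_counter_after=30, lockout_duration=30):
        self.threshold = threshold
        self.reset_window = timedelta(minutes=reset_counter_after)
        self.duration = timedelta(minutes=lockout_duration) if lockout_duration else None
        self._state = {}

    def _get(self, user):
        return self._state.setdefault(user, {"bad": 0, "last_bad": None, "locked_at": None})

    def _clear(self, s):
        s["bad"], s["last_bad"], s["locked_at"] = 0, None, None

    def is_locked(self, user, now):
        """True while the lock is in force; an expired lock is cleared."""
        s = self._get(user)
        if s["locked_at"] is None:
            return False
        if self.duration is None:
            return True
        if now < s["locked_at"] + self.duration:
            return True
        self._clear(s)
        return False

    def record_failure(self, user, now):
        """Register a bad password; returns True if the account is now locked."""
        s = self._get(user)
        if self.is_locked(user, now):
            return True
        if s["last_bad"] is not None and now - s["last_bad"] >= self.reset_window:
            s["bad"] = 0
        s["bad"] += 1
        s["last_bad"] = now
        if self.threshold and s["bad"] >= self.threshold:
            s["locked_at"] = now
            return True
        return False

    def record_success(self, user, now):
        """A correct password is still refused while the account is locked."""
        s = self._get(user)
        if self.is_locked(user, now):
            return False
        self._clear(s)
        return True

    def administrator_unlock(self, user):
        """Clearing the 'Account is locked out' check box."""
        self._clear(self._get(user))


if __name__ == "__main__":
    policy = AccountLockoutPolicy(threshold=3)
    for minute in range(3):
        print("bob locked after failure:", policy.record_failure("bob", at(minute)))
    print("bob locked at +10 min:", policy.is_locked("bob", at(10)))   # True
    print("bob locked at +33 min:", policy.is_locked("bob", at(33)))   # False
```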
slide65

(Skill 8)

Figure 5-26 Unlocking a locked out account

slide66

(Skill 9)

Managing Users

  • Managing users is a huge part of the network administrator's job
  • Tasks such as disabling accounts, renaming accounts, and changing passwords are fairly common on production networks
  • Other user account management tasks include moving accounts within a domain, mapping certificates to user accounts, and changing UPN suffixes
slide67

(Skill 9)

Managing Users (2)

  • Moving accounts within a domain
    • You move an account within a domain to change the OU or container in which the account is currently located
      • This allows different delegated permissions and Group Policies to apply to the account
      • In Windows Server 2003, you can use the Shift or Control key to select and move multiple user objects at once
slide68

(Skill 9)

Managing Users (11)

  • Planning password policy
    • You use Group Policy to set the Password policy for your network
    • Passwords should be memorable to your users, yet be completely unrelated to them personally
    • They should consist of uppercase and lowercase letters, numbers, and special characters
    • The length of the password is also extremely important, as a longer password takes longer to hack using a dictionary or brute force techniques
slide69

(Skill 9)

Managing Users (12)

  • Planning password policy
    • Understanding UPNs and their effect on logins with your user accounts
      • UPNs are easy-to-remember logon names that can be used in Windows XP, Windows 2000, and Windows Server 2003
      • They are in the format of user@domain.com
      • The idea behind a UPN is to reduce the amount of memorization a user has to perform to log on
slide70

(Skill 9)

Managing Users (13)

  • Planning password policy
    • Understanding UPNs and their effect on logins with your user accounts
      • UPNs allow the user to type their e-mail address and password, and have the domain automatically selected based on this information
      • The only problem is that your e-mail domain may not match your actual Windows domain name
      • Make sure that the user account has the correct UPN suffix to match the e-mail address
slide71

(Skill 9)

Managing Users (14)

  • Planning password policy
    • Understanding UPNs and their effect on logins with your user accounts
      • To make sure that the user account has the correct UPN suffix to match the e-mail address
        • Open the Active Directory Domains and Trusts console and add the UPN suffix
        • In the Properties dialog box for the user account (in the Active Directory Users and Computers console), modify the UPN suffix applied to the account
slide72

(Skill 9)

Managing Users (15)

  • Planning password policy
    • Since UPN suffixes have no relation to the domain, a global catalog server must be reached to determine the correct domain for the user
    • When users log on using their UPN, they determine which domain to log on to by contacting a global catalog server and looking up the UPN
    • This is one of the reasons that global catalog servers should be placed strategically, so that a global catalog server can always be contacted even if one of them fails
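Slides 69 to 72 make three points about UPNs: the suffix should match the user's e-mail domain, it must be one of the suffixes registered in Active Directory Domains and Trusts, and because the suffix says nothing about which domain holds the account, logon needs a global catalog lookup. The Python audit below is an added example, not from the presentation. It flags accounts whose suffix is unregistered or differs from the mail domain, and models the global catalog as a dictionary from UPN to domain DN; the user records, suffix list and catalog contents are all constructed placeholders.

```python
# Constructed forest data: the UPN suffixes registered in Domains and Trusts,
# a handful of user objects as they might be exported from the directory,
# and the global catalog's UPN-to-domain index.
REGISTERED_UPN_SUFFIXES = ["corp.example.local", "example.com"]

SAMPLE_USERS = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example.local",
     "mail": "jsmith@example.com"},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@example.com",
     "mail": "bjones@example.com"},
    {"sAMAccountName": "cwhite", "userPrincipalName": "cwhite@oldbrand.example",
     "mail": "cwhite@example.com"},
    {"sAMAccountName": "dlee", "userPrincipalName": "dlee",
     "mail": "dlee@example.com"},
]

GLOBAL_CATALOG = {
    "jsmith@corp.example.local": "DC=corp,DC=example,DC=local",
    "bjones@example.com": "DC=sales,DC=corp,DC=example,DC=local",
    "cwhite@oldbrand.example": "DC=corp,DC=example,DC=local",
}


def split_upn(upn):
    """Return (prefix, suffix); a UPN has exactly one '@'."""
    if upn.count("@") != 1:
        raise ValueError(f"malformed UPN: {upn!r}")
    prefix, suffix = upn.split("@")
    return prefix, suffix


def audit_upns(users, registered_suffixes):
    """List (sAMAccountName, finding) pairs for every UPN that is malformed,
    uses a suffix not registered in the forest, or does not match the
    account's mail domain."""
    registered = {s.lower() for s in registered_suffixes}
    findings = []
    for user in users:
        sam = user["sAMAccountName"]
        try:
            _, suffix = split_upn(user["userPrincipalName"])
        except ValueError:
            findings.append((sam, "malformed UPN"))
            continue
        suffix = suffix.lower()
        if suffix not in registered:
            findings.append((sam, f"UPN suffix {suffix} is not registered in the forest"))
        mail = user.get("mail")
        if mail:
            mail_domain = mail.rsplit("@", 1)[-1].lower()
            if mail_domain != suffix:
                findings.append((sam, f"mail domain {mail_domain} differs from UPN suffix {suffix}"))
    return findings


def logon_domain(upn, global_catalog):
    """Model of the lookup a UPN logon needs: the client asks a global
    catalog server which domain holds the account. With no global catalog
    reachable the logon cannot proceed, which is the slide's point about
    placing GC servers so that one is always available."""
    if global_catalog is None:
        raise RuntimeError("no global catalog server reachable; UPN logon cannot proceed")
    return global_catalog.get(upn.lower())


if __name__ == "__main__":
    for sam, finding in audit_upns(SAMPLE_USERS, REGISTERED_UPN_SUFFIXES):
        print(f"{sam}: {finding}")
    print("bjones logs on to", logon_domain("BJones@example.com", GLOBAL_CATALOG))
```

The fix for jsmith is the procedure on slide 71: register example.com as a suffix (already done in this constructed forest) and then change the suffix on the account so the UPN equals the e-mail address.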
slide73

(Skill 9)

Figure 5-28 Adding a UPN suffix

slide74

(Skill 9)

Figure 5-29 Configuring a user account to use a UPN suffix