Creating and managing users
PowerPoint Slideshow about '' - liam


Creating and Managing Users

Server 2003 User Accounts

  • Domain user accounts

  • Local user accounts

  • Built-in user accounts

Introduction to User Accounts

  • A user account is an Active Directory object

  • Used for user authentication

    • Information that defines a user (first name, last name, password, etc.)

    • Various configuration settings

  • Required for anyone using resources on network

  • Assists in administration and security

  • Must follow organizational standards

User Account Templates

  • A user account that is pre-configured with common settings

  • Can be copied to create new user accounts with pre-defined settings

  • New account is then configured with detailed individual settings

Local User Accounts

  • Allow users to log on to and gain access to resources on the computer where they log in

  • Created in the computer’s security database

  • Not replicated to domain controllers

Built-In User Accounts

  • Administrator

    • Rename

    • Create new account with administrator privileges

    • runas /user:<domain name>\<username> prog

  • Guest

    • Disabled by default

Naming Conventions

  • The naming convention establishes how users are identified in the domain.

  • Several considerations

    • User account Naming

    • Password requirements

      • Length

      • Complexity

      • History

      • Expiration

    • Account options

      • Logon hours

      • Computer restrictions

    • Etc – additional attributes require replication

Logon Name

  • Must be unique within the OU

  • 20 characters max

  • / \ [ ] : ; | = + * < > invalid

  • Not case sensitive

  • How will you deal with duplicates?

  • Services may require an account name to run

Password Requirements

  • Always assign a password for the Administrator account.

  • Determine whether the administrator or the users will control passwords.

  • Use passwords that are hard to guess.

  • Passwords can be up to 128 characters; a minimum length of eight characters is recommended.

  • Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters.

Creating and Managing User Accounts

  • Standard tool is AD Users and Computers

    • Can be run from command line (dsa.msc)

    • Can add, modify, move, delete, search for user accounts

    • Can configure multiple objects simultaneously

  • Also a number of command line tools and utilities

Domain User Accounts

  • Allow users to log on to the domain and gain access to resources anywhere on the network

  • Created in an OU in the Active Directory store

  • Replicated to all domain controllers

Overview of Modifying Properties

  • A set of default properties is associated with each user account.

  • Properties defined for a domain user account can be used to search for users in the Active Directory store.

  • Several properties should be configured for each domain user account.

  • You can use the Active Directory Users And Computers snap-in to modify a domain user account.

  • You can use the Local Users And Groups snap-in to modify a local user account.

Administering User Accounts

  • Managing user profiles

  • Modifying user accounts

  • Creating home folders

User Account Properties

  • Primary tool for creating and managing accounts is Active Directory Users and Computers

  • Active Directory is extensible so additional tabs may be added to property pages

  • Major account properties that can be set include:

    • General – generic info about user

    • Address – address info

    • Account – logon name, password options, Logon hours

    • Profile – Home dir, Profile path, Logon script

    • Sessions – Terminal services config

User Authentication

  • The process by which a user’s identity is validated

  • Used to grant or deny access to network resources

  • From a client operating system

    • Name, password, resource required (domain or local computer)

  • In Active Directory environment

    • Domain controller authenticates

  • In a workgroup

    • Local SAM database authenticates

Authentication Methods

  • Two main processes

    • Interactive authentication

      • User account information is supplied in Logon To

      • Smart Card support

    • Network authentication

      • User’s credentials are confirmed for network access

      • When browsing for a resource

Authentication Protocols

  • Windows Server 2003 supports two main authentication protocols:

    • Kerberos version 5 (Kerberos v5)

    • NT LAN Manager (NTLM)

  • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems

  • NTLM is primary protocol for older Microsoft operating systems

Kerberos Protocol

  • Kerberos is the default authentication provider in Windows Server 2003

    • the primary security protocol.

  • Kerberos verifies the identity of the user and the integrity of the session data.

  • Kerberos operates as a trusted third party that

    • generates session keys

    • grants tickets for specific client/server sessions.

  • A ticket contains

    • Session key

    • Name

    • Expiration etc

Features of the Kerberos Protocol

  • Mature open standard

  • Faster connection authentication

    • No pass through required

  • Mutual authentication

    • Authenticates both client and server

    • NTLM only authenticates client

  • Delegation of authentication

  • Transitive trust

Kerberos Terminology

  • Principal – user, client or server

  • Realm – security boundary

  • Secret key

    • used to encrypt info between KDC and Client

    • Usually a hash of user password

  • Session key

    • Temporary encryption key used between principals

  • Authenticator

  • Key distribution center (KDC) – Every Domain Controller

  • Privilege attribute certificate (PAC)

    • Contains the user’s SID

  • Ticket

    • Allows the client to authenticate to a server

  • Ticket granting ticket (TGT)

    • Contains a random session key

Domain Authentication and Resource Access

[Diagram: a client, a Windows 2003 domain controller running the Authentication Service (AS) and Ticket-Granting Service (TGS), and the server \\AppServ]

1. Request a ticket for TGS

2. Return TGT to client

3. Send TGT and request for ticket to \\AppServ

4. Return ticket for \\AppServ

5. Send session ticket to \\AppServ

6. (Optional) Send confirmation of identity to client

Kerberos v5 - Recap

  • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller

  • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system

  • When client requests a network resource, it presents the TGT to KDC

  • KDC issues a service ticket to client

  • Client presents service ticket to host server for network resource

Kerberos Policy

  • Kerberos Policy Settings: On a domain controller in your domain, in Administrative Tools, click Domain Security Policy, click Windows Settings, click Security Settings, click Account Policies, and then click Kerberos Policy.

    • Enforce logon restrictions: Yes

    • Maximum lifetime that a user ticket can be renewed: 7 days

    • Maximum service ticket lifetime: 60 minutes

    • Maximum tolerance for synchronization of computer clocks: 5 minutes

    • Maximum TGT lifetime: 10 hours
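
The policy values above, applied in a simplified model of ticket issue, renewal and acceptance (an added example, not part of the original presentation and not Microsoft's KDC logic). The function names and dates are constructed; the two error names come from RFC 4120.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values from the Kerberos Policy slide.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_SERVICE_LIFETIME = timedelta(minutes=60)
MAX_RENEWAL = timedelta(days=7)
MAX_CLOCK_SKEW = timedelta(minutes=5)

@dataclass
class Ticket:
    kind: str              # "tgt" or "service"
    start: datetime
    end: datetime
    renew_till: datetime   # latest time any renewal of this ticket may run to

def issue_tgt(now):
    return Ticket("tgt", now, now + MAX_TGT_LIFETIME, now + MAX_RENEWAL)

def renew_tgt(tgt, now):
    """Renew an unexpired TGT; None means the user has to log on again."""
    if now > tgt.end or now >= tgt.renew_till:
        return None
    return Ticket("tgt", now, min(now + MAX_TGT_LIFETIME, tgt.renew_till), tgt.renew_till)

def issue_service_ticket(tgt, now):
    """A service ticket never outlives the TGT it was requested with."""
    if now > tgt.end:
        return None
    return Ticket("service", now, min(now + MAX_SERVICE_LIFETIME, tgt.end), tgt.end)

def check_request(ticket, client_time, server_time):
    """Server-side decision for a presented ticket and its authenticator timestamp."""
    if abs(server_time - client_time) > MAX_CLOCK_SKEW:
        return "KRB_AP_ERR_SKEW"            # client clock too far from the server's
    if server_time > ticket.end + MAX_CLOCK_SKEW:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"

if __name__ == "__main__":
    logon = datetime(2024, 1, 8, 9, 0)      # constructed logon time
    tgt = issue_tgt(logon)
    ticket = issue_service_ticket(tgt, logon + timedelta(minutes=30))
    server_now = logon + timedelta(minutes=47)
    for drift in (2, 7):                    # minutes the client clock runs behind
        print(drift, check_request(ticket, server_now - timedelta(minutes=drift), server_now))
```
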

NTLM

  • A challenge-response protocol

  • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary

  • Protocol followed:

    • User logs in, client calculates cryptographic hash of password

    • Client sends user name to domain controller

NTLM (continued)

  • Domain controller generates random challenge and sends it to client

  • Client encrypts challenge with hash of password and sends to domain controller

  • Domain controller calculates expected value to be returned from client and compares to actual value

  • After successful authentication, domain controller generates a token for user for network access

    Challenge/Response sequence

    1. Request to connect

    2. Respond with a challenge code

    3. Send an encrypted password

    4. Reply with the result of authentication
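
An added example, not from the original slides, that runs the challenge/response sequence end to end and shows why a fresh challenge makes an old response useless. SHA-256 and HMAC-SHA256 stand in for NTLM's own hash and response functions, and the class, function and account names are constructed.

```python
import hashlib
import hmac
import secrets

def password_hash(password):
    # Stand-in for the NT hash (real NTLM uses MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password, challenge):
    # Client side: key the server's challenge with the hash of the password.
    # HMAC-SHA256 is a substitute for NTLM's own response function.
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts):
        # Only password hashes are stored, keyed by case-insensitive user name.
        self.hashes = {u.lower(): password_hash(p) for u, p in accounts.items()}
        self.pending = {}                    # user -> outstanding challenge

    def challenge(self, user):
        nonce = secrets.token_bytes(8)       # fresh random challenge per attempt
        self.pending[user.lower()] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user.lower(), None)   # a challenge is single use
        stored = self.hashes.get(user.lower())
        if nonce is None or stored is None:
            return False
        # Compute the value the client should have sent and compare.
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def logon(dc, user, password):
    """Run the four-message sequence; the password itself is never sent."""
    nonce = dc.challenge(user)                                 # request, challenge
    return dc.verify(user, client_response(password, nonce))   # response, result

if __name__ == "__main__":
    dc = DomainController({"jsmith": "Blue-Heron-42"})   # constructed account
    print(logon(dc, "JSmith", "Blue-Heron-42"))          # correct password
    print(logon(dc, "jsmith", "blue-heron-42"))          # wrong password
    old = client_response("Blue-Heron-42", dc.challenge("jsmith"))
    dc.challenge("jsmith")                               # a new challenge is issued
    print(dc.verify("jsmith", old))                      # old response is refused
```
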

    User Profiles

    • A collection of settings specific to a particular user

    • Stored locally by default

      • Do not follow user logging on to different computers

    • Can create a roaming profile

      • Does follow user logging on to different computers

    • Administrator can create a mandatory profile

      • User cannot alter it

    Managing User Profiles

    • A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data.

    • Microsoft Windows 2000+ creates a local user profile the first time you log on at a computer.

    • User profiles operate in a specific manner.

    • Stored in

      • %systemdrive%\Documents and Settings\<logon name>

      • %systemdrive%\profiles

    Profiles

    • Customizable

      • ntuser.dat

    • Mandatory


    • Local

      • Stored on the local machine

      • In folder Documents and Settings

    • Roaming

      • Stored in a shared folder on a server

    Local Profiles

    • New profiles are created from Default User profile folder

    • User can change local profile and changes are stored uniquely to that user

    • Administrator can manage various elements of profile

      • Change Type

      • Delete

      • Copy To

    Roaming Profiles

    • Roaming profiles

      • Allow a profile to be stored on a central server and follow the user

      • Provide advantage of a single centralized location (helpful for backup)

    • Assigned from Profiles Tab of Account properties

    • Changing a profile from local to roaming requires care – should copy first

    Mandatory Profiles

    • Local and roaming profiles allow users to make permanent changes

    • Mandatory profiles allow changes only for a single session

    • Local and roaming profiles can both be configured as mandatory

      • ntuser.dat 

    Command Line Utilities

    • Some administrators prefer working from command line

    • Can be used to automate creation or management of accounts more flexibly

    DSADD

    • Allows object types to be added to directory

      • Computer accounts, contacts, quotas, OUs, users, etc.

    • Syntax for user account is

      • DSADD USER distinguished-name switches

    • Switches include

      • -pwd (password), -memberof, -email, -profile, -disabled

    DSMOD

    • Allows object types to be modified from the command line

      • Computer accounts, users, quotas, OUs, servers, etc.

    • Syntax for modifying user account is

      • DSMOD USER distinguished-name+ switches+

    • Can modify multiple accounts simultaneously

    DSQUERY

    • Allows various object types to be queried from command line

    • Supports wildcard (*)

    • Output can be redirected to another command (piped)

    • Example: return all user accounts that have not changed passwords in 14 days

      • dsquery user domainroot -name * -stalepwd 14

    DSMOVE

    • Allows various object types to be moved from current location to a new location

    • Allows various object types to be renamed

    • Only moves within the same domain (otherwise use MOVETREE)

    • Example: to move a user account into a marketing OU

      • dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"

    DSRM

    • Allows objects to be deleted from directory

    • Can delete single object or entire subtree

    • Has a confirm option that can be overridden

    • Example: to delete the Marketing OU and all its contained objects without a confirm prompt:

      • dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"

    Bulk Import and Export

    • Allows an organization to import existing stores of data rather than recreating from scratch

    • Allows an organization to export data that is already structured in Active Directory to secondary databases

    • Two command line utilities for import and export

      • CSVDE

      • LDIFDE

    CSVDE

    • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files

    • CSV files can be created/edited using text-based editors

    • Example:

      • csvde -f output.csv (export)

      • csvde -i -f input.c

    LDIFDE

    • Command-line tool to bulk export and import Active Directory data to and from LDIF files

      • LDAP Interchange Format

      • Industry standard for information in LDAP directories

      • Each attribute/value on a separate line with blank lines between objects

    • Can be read in text-based editors

    • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
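
An added example (not from the original slides) that parses LDIF as described above, including folded lines and base64 values, and checks each sAMAccountName against the Logon Name slide's rules before an import. The sample records and example.com names are constructed, and treating any case-insensitive repeat in the file as a duplicate is an assumption of the example.

```python
import base64

INVALID_CHARS = set('/\\[]:;|=+*<>')   # from the Logon Name slide
MAX_LOGON_LEN = 20

SAMPLE = """\
# constructed sample, not real directory data
dn: CN=Ann Lee,OU=Marketing,DC=example,DC=com
sAMAccountName: alee

dn: CN=Ann Leeson,OU=Marketing,DC=example,DC=com
sAMAccountName: ALee

dn: CN=Build Service,OU=Services,DC=example,
 DC=com
sAMAccountName: svc:build+deploy-account01
description:: Q0kgYnVpbGQgYWNjb3VudA==
"""

def parse_ldif(text):
    """Return one dict per object: lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]               # folded line: append to previous
        elif not raw.startswith("#"):          # comment lines are skipped
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last object
        if not line.strip():                   # blank line ends an object
            if current:
                records.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: value" is base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.lower(), []).append(value.strip())
    return records

def logon_name_problems(records):
    """Check each sAMAccountName against the Logon Name rules."""
    problems, seen = [], {}
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        for name in rec.get("samaccountname", []):
            if len(name) > MAX_LOGON_LEN:
                problems.append((dn, "longer than 20 characters"))
            bad = sorted(INVALID_CHARS & set(name))
            if bad:
                problems.append((dn, "invalid characters: " + " ".join(bad)))
            if name.lower() in seen:           # logon names are not case sensitive
                problems.append((dn, "duplicate of " + seen[name.lower()]))
            seen.setdefault(name.lower(), dn)
    return problems
```

Calling `logon_name_problems(parse_ldif(SAMPLE))` returns one `(dn, problem)` pair per finding, which can be reviewed before the file is handed to an import.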

    Troubleshooting User Account and Authentication Issues

    • Normally creating and configuring user accounts is straightforward

    • Issues do arise related to

      • Configuration of account

      • Policy settings

    Account Policies

    • Authentication-related policy settings

      • Configured in Account Policies node of Group Policy objects at domain level

      • Account lockout, passwords, Kerberos

    • Default Domain Policy

      • Accessed from Active Directory Users and Computers

      • Configures policies for all domain users

    Password Policy

    • Configuration settings

      • Password history and reuse

      • Maximum password age

      • Minimum password age

      • Minimum password length

      • Complexity requirements

      • Encryption policy

    Account Lockout Settings

    • Configuration settings

      • Account lockout duration

      • Account lockout threshold

      • Reset account lockout counter after
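
An added example, not from the original slides, modelling how the three lockout settings interact, including the case where an account stays locked until an administrator unlocks it. The threshold, times and user names are constructed, and counting the reset window from the last bad password is an assumption of this model.

```python
from datetime import datetime, timedelta

class LockoutTracker:
    def __init__(self, threshold, duration, reset_after):
        self.threshold = threshold      # Account lockout threshold
        self.duration = duration        # Account lockout duration (None: until unlocked)
        self.reset_after = reset_after  # Reset account lockout counter after
        self.bad = {}                   # user -> (bad count, time of last bad password)
        self.locked = {}                # user -> time the lockout started

    def is_locked(self, user, now):
        start = self.locked.get(user)
        if start is None:
            return False
        if self.duration is not None and now >= start + self.duration:
            del self.locked[user]       # lockout expired on its own
            return False
        return True

    def unlock(self, user):
        """Administrative (manual) unlock."""
        self.locked.pop(user.lower(), None)
        self.bad.pop(user.lower(), None)

    def logon(self, user, now, password_ok):
        user = user.lower()
        if self.is_locked(user, now):
            return "locked out"         # even the correct password is refused
        if password_ok:
            self.bad.pop(user, None)
            return "success"
        count, last = self.bad.get(user, (0, now))
        if now - last >= self.reset_after:
            count = 0                   # quiet period passed, start counting again
        count += 1
        self.bad[user] = (count, now)
        if count >= self.threshold:
            self.locked[user] = now
            self.bad.pop(user)
        return "bad password"

# Constructed events: (minutes after start, user, password_ok)
EVENTS = [(0, "jsmith", False), (1, "jsmith", False), (2, "JSmith", False),
          (10, "jsmith", True), (32, "jsmith", True)]

def replay(tracker, events, start=datetime(2024, 1, 8, 9, 0)):
    """Feed the events to the tracker and return each logon result in order."""
    return [tracker.logon(u, start + timedelta(minutes=m), ok) for m, u, ok in events]
```
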

    Auditing Authentication

    • Audit account logon event

      • Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy)

    • Default is to log only successful logons

    • Event viewable in Security log (use Event Viewer)

    • Can choose to audit failed logons

      • May be helpful for troubleshooting

      • Codes provide information about type of failure

    Resolving Logon Issues

    • Some common logon issues (and fixes)

      • Incorrect user name or password (administrative reset)

      • Account lockout (manual unlock)

      • Account disabled (administrative enable)

      • Logon hour restrictions (check account restrictions)

      • Workstation restrictions (check account restrictions)

      • Domain controllers (check configured DNS settings)

      • Client time settings (check client clock synchronization)

    Resolving Logon Issues (continued)

    • Down-level client issues (install Active Directory Client Extensions)

    • UPN logon issues (check Global Catalog server)

    • Unable to log on locally (set policy on local server)

    • Remote access logon issues (check access on Dial-up properties)

    • Terminal services logon issues (check allow logon to terminal server permission)

    Summary

    • A user account is an object stored in Active Directory

      • Information that defines user and access to network

    • Primary tools to create and manage user accounts

      • Active Directory Users and Computers

      • Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)

    • Two main authentication processes

      • Interactive authentication

      • Network authentication

    Summary (continued)

    • Two main authentication protocols

      • Kerberos v5, NTLM

    • User profiles used to configure and customize desktop environment

      • Local, roaming, mandatory

    • Utilities for bulk importing and exporting user data to and from Active Directory

      • LDIFDE and CSVDE