Creating and Managing Users - PowerPoint PPT Presentation
Presentation Transcript
Server 2003 User Accounts
  • Domain user accounts
  • Local user accounts
  • Built-in user accounts
Introduction to User Accounts
  • A user account is an Active Directory object
  • Used for user authentication
    • Information that defines a user (first name, last name, password, etc.)
    • Various configuration settings
  • Required for anyone using resources on network
  • Assists in administration and security
  • Must follow organizational standards
User Account Templates
  • A user account that is pre-configured with common settings
  • Can be copied to create new user accounts with pre-defined settings
  • New account is then configured with detailed individual settings
Local User Accounts
  • Allow users to log on to and gain access to resources on the computer where they log in
  • Created in the computer’s security database
  • Not replicated to domain controllers
Built-In User Accounts
  • Administrator
    • Rename
    • Create new account with administrator privileges
    • runas /user:<domain name>\<username> prog
  • Guest
    • Disabled by default
Naming Conventions
  • The naming convention establishes how users are identified in the domain.
  • Several considerations
    • User account Naming
    • Password requirements
      • Length
      • Complexity
      • History
      • Expiration
    • Account options
      • Logon hours
      • Computer restrictions
    • Etc – additional attributes require replication
Logon Name
  • Must be unique within the OU
  • 20 characters max
  • / \ [ ] : ; | = + * < > invalid
  • Not case sensitive
  • How will you deal with duplicates?
  • Services may require an account name to run
Password Requirements
  • Always assign a password for the Administrator account.
  • Determine whether the administrator or the users will control passwords.
  • Use passwords that are hard to guess.
  • Passwords can be up to 128 characters; a minimum length of eight characters is recommended.
  • Use both uppercase and lowercase letters, numerals, and valid non-alphanumeric characters.
Creating and Managing User Accounts
  • Standard tool is AD Users and Computers
    • Can be run from command line (dsa.msc)
    • Can add, modify, move, delete, search for user accounts
    • Can configure multiple objects simultaneously
  • Also a number of command line tools and utilities
Domain User Accounts
  • Allow users to log on to the domain and gain access to resources anywhere on the network
  • Created in an OU in the Active Directory store
  • Replicated to all domain controllers
Overview of Modifying Properties
  • A set of default properties is associated with each user account.
  • Properties defined for a domain user account can be used to search for users in the Active Directory store.
  • Several properties should be configured for each domain user account.
  • You can use the Active Directory Users And Computers snap-in to modify a domain user account.
  • You can use the Local Users And Groups snap-in to modify a local user account.
Administering User Accounts
  • Managing user profiles
  • Modifying user accounts
  • Creating home folders
User Account Properties
  • Primary tool for creating and managing accounts is Active Directory Users and Computers
  • Active Directory is extensible so additional tabs may be added to property pages
  • Major account properties that can be set include:
    • General – generic info about user
    • Address – address info
    • Account – logon name, password options, Logon hours
    • Profile – Home dir, Profile path, Logon script
    • Sessions – Terminal services config
User Authentication
  • The process by which a user’s identity is validated
  • Used to grant or deny access to network resources
  • From a client operating system
    • Name, password, resource required (domain or local computer)
  • In Active Directory environment
    • Domain controller authenticates
  • In a workgroup
    • Local SAM database authenticates
Authentication Methods
  • Two main processes
    • Interactive authentication
      • User account information is supplied in Logon To
      • Smart Card support
    • Network authentication
      • User’s credentials are confirmed for network access
      • When browsing for a resource
Authentication Protocols
  • Windows Server 2003 supports two main authentication protocols:
    • Kerberos version 5 (Kerberos v5)
    • NT LAN Manager (NTLM)
  • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems
  • NTLM is primary protocol for older Microsoft operating systems
Kerberos Protocol
  • Kerberos is the default authentication provider in Windows Server 2003
    • the primary security protocol.
  • Kerberos verifies the identity of the user and the integrity of the session data.
  • Kerberos operates
    • as a trusted third party
    • generates session keys
    • grants tickets for specific client/server sessions.
  • A ticket contains
    • Session key
    • Name
    • Expiration etc
Features of the Kerberos Protocol
  • Mature open standard
  • Faster connection authentication
    • No pass through required
  • Mutual authentication
    • Authenticates both client and server
    • NTLM only authenticates client
  • Delegation of authentication
  • Transitive trust
Kerberos Terminology
  • Principal – user, client or server
  • Realm – security boundary
  • Secret key
    • used to encrypt info between KDC and Client
    • Usually a hash of user password
  • Session key
    • Temporary encryption key used between principals
  • Authenticator
  • Key distribution center (KDC) – Every Domain Controller
  • Privilege attribute certificate (PAC)
    • Contains the user’s SID
  • Ticket
    • Allows the client to authenticate to a server
  • Ticket granting ticket (TGT)
    • Contains a random session key

Domain Authentication and Resource Access (figure: client, Windows 2003 domain controller running the Authentication Service (AS) and Ticket-Granting Service (TGS), and \\AppServ)
  1. Request a ticket for TGS (sent to the AS)
  2. Return TGT to client
  3. Send TGT and request for ticket to \\AppServ (sent to the TGS)
  4. Return ticket for \\AppServ
  5. Send session ticket to \\AppServ
  6. (Optional) Send confirmation of identity to client
Kerberos v5 - Recap
  • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller
  • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system
  • When client requests a network resource, it presents the TGT to KDC
  • KDC issues a service ticket to client
  • Client presents service ticket to host server for network resource
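As an added example that is not part of the slides, a Python model of the six-step exchange recapped above, using the Kerberos Policy defaults the deck lists (10-hour TGT, 60-minute service ticket, 5-minute clock tolerance). The `seal`/`unseal` toy cipher stands in for Kerberos' real encryption types, and the principal names and passwords are constructed; it also shows the two failures a help desk sees most, a wrong password and a client clock outside tolerance.

```python
import hashlib, hmac, json, os

TGT_LIFETIME, SERVICE_TICKET_LIFETIME, CLOCK_SKEW = 10 * 3600, 60 * 60, 5 * 60  # Kerberos Policy slide, in seconds

def secret_key(password):  # long-term key shared with the KDC: a hash of the principal's password
    return hashlib.sha256(password.encode()).digest()

def seal(key, obj):  # toy authenticated encryption (SHAKE keystream + HMAC) standing in for Kerberos' ciphers
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def _check(ticket, authenticator, now):  # the authenticator proves the caller holds the ticket's session key
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if now > ticket["exp"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise PermissionError("ticket expired or client clock outside tolerance")
    return auth

class KDC:  # Authentication Service (AS) and Ticket-Granting Service (TGS) on a domain controller
    def __init__(self, principals):
        self.keys = {name: secret_key(pw) for name, pw in principals.items()}
        self.krbtgt = os.urandom(32)  # known only to the KDC; TGTs are sealed with it
    def as_exchange(self, user, now):  # steps 1-2: client asks for a TGT, gets it plus a session key
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "key": sk, "exp": now + TGT_LIFETIME})
        return seal(self.keys[user], {"key": sk, "tgt": tgt.hex()})  # readable only with the user's key
    def tgs_exchange(self, tgt, authenticator, service, now):  # steps 3-4: TGT in, service ticket out
        t = unseal(self.krbtgt, tgt); _check(t, authenticator, now)
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": ssk, "exp": now + SERVICE_TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": ssk, "ticket": ticket.hex()})

def service_accept(service_key, ticket, authenticator, now):  # steps 5-6: \\AppServ checks the service ticket
    t = unseal(service_key, ticket); auth = _check(t, authenticator, now)
    return t["user"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})  # optional reply proving the server's identity

def logon_and_access(kdc, user, password, service, service_key, now, skew=0):
    # whole client flow; `skew` is how far the client's clock is off from the domain controller's
    rep = unseal(secret_key(password), kdc.as_exchange(user, now))  # a wrong password fails right here
    sk = bytes.fromhex(rep["key"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), seal(sk, {"ts": now + skew}), service, now))
    ssk = bytes.fromhex(tgs_rep["key"])
    user_seen, ap_rep = service_accept(service_key, bytes.fromhex(tgs_rep["ticket"]), seal(ssk, {"ts": now + skew}), now)
    assert unseal(ssk, ap_rep)["ts"] == now + skew  # mutual authentication: only a server holding the key could reply
    return user_seen
```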
Kerberos Policy
  • Kerberos Policy Settings: on a domain controller in your domain, in Administrative Tools, click Domain Security Policy, click Windows Settings, click Security Settings, click Account Policies, and then click Kerberos Policy.
    • Enforce logon restrictions: Yes
    • Maximum lifetime that a user ticket can be renewed: 7 days
    • Maximum service ticket lifetime: 60 minutes
    • Maximum tolerance for synchronization of computer clocks: 5 minutes
    • Maximum TGT lifetime: 10 hours
NTLM
  • A challenge-response protocol
  • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary
  • Protocol followed:
    • User logs in, client calculates cryptographic hash of password
    • Client sends user name to domain controller
NTLM (continued)
    • Domain controller generates random challenge and sends it to client
    • Client encrypts challenge with hash of password and sends to domain controller
    • Domain controller calculates expected value to be returned from client and compares to actual value
  • After successful authentication, domain controller generates a token for user for network access
Challenge/Response Sequence (figure: client and domain controller)
  1. Request to connect
  2. Respond with a challenge code
  3. Send an encrypted password
  4. Reply with the result of authentication
User Profiles
  • A collection of settings specific to a particular user
  • Stored locally by default
    • Do not follow user logging on to different computers
  • Can create a roaming profile
    • Does follow user logging on to different computers
  • Administrator can create a mandatory profile
    • User cannot alter it
Managing User Profiles
  • A user profile is a collection of folders and data that stores your current desktop environment and application settings as well as personal data.
  • Microsoft Windows 2000+ creates a local user profile the first time you log on at a computer.
  • User profiles operate in a specific manner.
  • Stored in
    • %systemdrive%\Documents and Settings\<logon name>
    • %systemdrive%\profiles
  • Customizable
    • ntuser.dat
  • Mandatory
  • Local
    • Stored on the local machine
    • In folder Documents and Settings
  • Roaming
    • Stored in a shared folder on a server
Local Profiles
  • New profiles are created from Default User profile folder
  • User can change local profile and changes are stored uniquely to that user
  • Administrator can manage various elements of profile
    • Change Type
    • Delete
    • Copy To
Roaming Profiles
  • Roaming profiles
    • Allow a profile to be stored on a central server and follow the user
    • Provide advantage of a single centralized location (helpful for backup)
  • Assigned from Profiles Tab of Account properties
  • Changing a profile from local to roaming requires care – should copy first
Mandatory Profiles
  • Local and roaming profiles allow users to make permanent changes
  • Mandatory profiles allow changes only for a single session
  • Local and roaming profiles can both be configured as mandatory
    • ntuser.dat 
Command Line Utilities
  • Some administrators prefer working from command line
  • Can be used to automate creation or management of accounts more flexibly
DSADD
  • Allows object types to be added to directory
    • Computer accounts, contacts, quotas, OUs, users, etc.
  • Syntax for user account is
    • DSADD USER distinguished-name switches
  • Switches include
    • -pwd (password), -memberof, -email, -profile, -disabled
DSMOD
  • Allows object types to be modified from the command line
    • Computer accounts, users, quotas, OUs, servers, etc.
  • Syntax for modifying user account is
    • DSMOD USER distinguished-name+ switches+
  • Can modify multiple accounts simultaneously
DSQUERY
  • Allows various object types to be queried from command line
  • Supports wildcard (*)
  • Output can be redirected to another command (piped)
  • Example: return all user accounts that have not changed passwords in 14 days
    • dsquery user domainroot -name * -stalepwd 14
DSMOVE
  • Allows various object types to be moved from current location to a new location
  • Allows various object types to be renamed
  • Only moves within the same domain (otherwise use MOVETREE)
  • Example: to move a user account into a marketing OU
    • dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
DSRM
  • Allows objects to be deleted from directory
  • Can delete single object or entire subtree
  • Has a confirm option that can be overridden
  • Example: to delete the Marketing OU and all its contained objects without a confirm prompt:
    • dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
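An added Python helper, not from the slides, that applies the Logon Name rules (20 characters, the invalid character set, case-insensitive uniqueness, duplicate handling) and the Password Requirements checks, then emits a DSADD USER line in the syntax shown above. The OU distinguished name reuses the dovercorp example; the `-samid`, `-upn`, `-fn`, `-ln`, `-display`, `-pwd *`, `-mustchpwd` and `-disabled` switches are real dsadd user switches not listed on the slides; the sample names and passwords are constructed.

```python
import re

INVALID_CHARS = set('/\\[]:;|=+*<>')  # characters the Logon Name slide lists as invalid
MAX_LOGON_LEN = 20                     # "20 characters max"

def logon_name_problems(name, existing=()):
    """Rule violations for a proposed logon name; an empty list means it is acceptable."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LOGON_LEN:
        problems.append(f"longer than {MAX_LOGON_LEN} characters")
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if name.lower() in {e.lower() for e in existing}:  # logon names are not case sensitive
        problems.append("duplicate of an existing logon name")
    return problems

def make_unique(name, existing=()):
    """Duplicate handling: append 2, 3, ... and trim so the result still fits the length limit."""
    taken, n = {e.lower() for e in existing}, 1
    candidate = name[:MAX_LOGON_LEN]
    while candidate.lower() in taken:
        n += 1
        candidate = name[:MAX_LOGON_LEN - len(str(n))] + str(n)
    return candidate

def password_problems(pw, history=()):
    """Checks from the Password Requirements slide: 8+ chars, upper and lower case, numerals,
    non-alphanumeric characters, and no reuse of a password kept in the history."""
    checks = [
        (len(pw) >= 8, "shorter than 8 characters"),
        (re.search(r"[A-Z]", pw), "no uppercase letter"),
        (re.search(r"[a-z]", pw), "no lowercase letter"),
        (re.search(r"[0-9]", pw), "no numeral"),
        (re.search(r"[^A-Za-z0-9]", pw), "no non-alphanumeric character"),
        (pw not in history, "reuses a password from the history"),
    ]
    return [msg for ok, msg in checks if not ok]

def dsadd_user_command(first, last, logon, ou_dn, upn_suffix):
    """DSADD USER line in the slide's form (DSADD USER distinguished-name switches); `-pwd *`
    makes dsadd prompt for the password so it never lands in a script or the command history."""
    return (f'dsadd user "cn={first} {last},{ou_dn}" -samid {logon} -upn {logon}@{upn_suffix} '
            f'-fn {first} -ln {last} -display "{first} {last}" -pwd * -mustchpwd yes -disabled no')
```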
Bulk Import and Export
  • Allows an organization to import existing stores of data rather than recreating from scratch
  • Allows an organization to export data that is already structured in Active Directory to secondary databases
  • Two command line utilities for import and export
    • CSVDE
    • LDIFDE
CSVDE
  • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
  • CSV files can be created/edited using text-based editors
  • Example:
    • csvde -f output.csv (export)
    • csvde -i -f input.c (import)
LDIFDE
  • Command-line tool to bulk export and import Active Directory data to and from LDIF files
    • LDAP Interchange Format
    • Industry standard for information in LDAP directories
    • Each attribute/value on a separate line with blank lines between objects
  • Can be read in text-based editors
  • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
Troubleshooting User Account and Authentication Issues
  • Normally creating and configuring user accounts is straightforward
  • Issues do arise related to
    • Configuration of account
    • Policy settings
Account Policies
  • Authentication-related policy settings
    • Configured in Account Policies node of Group Policy objects at domain level
    • Account lockout, passwords, Kerberos
  • Default Domain Policy
    • Accessed from Active Directory Users and Computers
    • Configures policies for all domain users
Password Policy
  • Configuration settings
    • Password history and reuse
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Complexity requirements
    • Encryption policy
Account Lockout Settings
  • Configuration settings
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout counter after
Auditing Authentication
  • Audit account logon event
    • Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy)
  • Default is to log only successful logons
  • Event viewable in Security log (use Event Viewer)
  • Can choose to audit failed logons
    • May be helpful for troubleshooting
    • Codes provide information about type of failure
Resolving Logon Issues
  • Some common logon issues (and fixes)
    • Incorrect user name or password (administrative reset)
    • Account lockout (manual unlock)
    • Account disabled (administrative enable)
    • Logon hour restrictions (check account restrictions)
    • Workstation restrictions (check account restrictions)
    • Domain controllers (check configured DNS settings)
    • Client time settings (check client clock synchronization)
Resolving Logon Issues (continued)
  • Down-level client issues (install Active Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local server)
  • Remote access logon issues (check access on Dial-up properties)
  • Terminal services logon issues (check allow logon to terminal server permission)
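An added example, not from the slides, of using the failed-logon auditing described above to triage the logon issues just listed: it groups Security log events per account, counts bad passwords inside the lockout reset window against the lockout threshold, and maps each failure code to the fix the slides name. The Windows Server 2003 Security log event IDs 528/529/530/531/533/539/540 are real IDs that the slides do not list; the one-line log format, the sample events, the threshold of 5 and the 30-minute reset window are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Server 2003 Security log IDs for logon events, mapped to the causes and fixes on the slides
FAILURE_CODES = {
    529: ("incorrect user name or password", "administrative reset"),
    530: ("logon hour restrictions", "check account restrictions"),
    531: ("account disabled", "administrative enable"),
    533: ("workstation restrictions", "check account restrictions"),
    539: ("account lockout", "manual unlock"),
}
SUCCESS_CODES = {528, 540}  # successful interactive / network logon (the only events audited by default)
# Account Lockout Settings: assumed values for this example
LOCKOUT_THRESHOLD = 5                        # Account lockout threshold
RESET_COUNTER_AFTER = timedelta(minutes=30)  # Reset account lockout counter after

# Constructed sample log: '<ISO timestamp> <event id> <user> <workstation>' per line
SAMPLE_LOG = """\
2004-03-08T07:00:00 529 pkohut WS-MKT-01
2004-03-08T08:00:05 528 pkohut WS-MKT-01
2004-03-08T08:01:10 529 jsmith WS-MKT-02
2004-03-08T08:01:14 529 jsmith WS-MKT-02
2004-03-08T08:01:19 529 jsmith WS-MKT-02
2004-03-08T08:01:25 529 jsmith WS-MKT-02
2004-03-08T08:01:31 529 jsmith WS-MKT-02
2004-03-08T08:02:00 539 jsmith WS-MKT-02
2004-03-08T09:10:00 530 alee WS-FIN-03
""".splitlines()

def parse_line(line):
    ts, event_id, user, workstation = line.split()
    return datetime.fromisoformat(ts), int(event_id), user.lower(), workstation

def analyze(lines):
    """Per user: bad passwords inside the reset window, whether they reach the threshold, and fixes."""
    attempts, report = defaultdict(list), {}
    for ts, event_id, user, ws in sorted(map(parse_line, lines)):
        entry = report.setdefault(user, {"bad_passwords": 0, "lockout_expected": False,
                                         "workstations": set(), "fixes": {}})
        if event_id in SUCCESS_CODES:  # a good logon resets the bad-password counter
            attempts[user].clear()
            entry.update(bad_passwords=0, lockout_expected=False, workstations=set())
        elif event_id in FAILURE_CODES:
            cause, fix = FAILURE_CODES[event_id]
            entry["fixes"][cause] = fix
            if event_id == 529:  # only bad passwords count toward the lockout threshold
                attempts[user] = [a for a in attempts[user] if ts - a[0] <= RESET_COUNTER_AFTER] + [(ts, ws)]
                entry["bad_passwords"] = len(attempts[user])
                entry["workstations"] = {w for _, w in attempts[user]}
                entry["lockout_expected"] = len(attempts[user]) >= LOCKOUT_THRESHOLD
    return report
```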
Summary
  • A user account is an object stored in Active Directory
    • Information that defines user and access to network
  • Primary tools to create and manage user accounts
    • Active Directory Users and Computers
    • Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
  • Two main authentication processes
    • Interactive authentication
    • Network authentication
Summary (continued)
  • Two main authentication protocols
    • Kerberos v5, NTLM
  • User profiles used to configure and customize desktop environment
    • Local, roaming, mandatory
  • Utilities for bulk importing and exporting user data to and from Active Directory
    • LDIFDE and CSVDE