Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts' - omer

Presentation Transcript
Managing a Microsoft Windows Server 2003 Environment
Chapter 3: Creating and Managing User Accounts


Objectives

  • Understand the purpose of user accounts

  • Understand the user authentication process

  • Understand and configure local, roaming, and mandatory user profiles

  • Configure and modify user accounts using different methods

  • Troubleshoot user account and authentication problems


Introduction to User Accounts

  • A user account is an Active Directory object

  • Represents information that defines a user with access to network (first name, last name, password, etc.)

  • Required for anyone using resources on network

  • Assists in administration and security

  • Must follow organizational standards


User Account Properties

  • Primary tool for creating and managing accounts is Active Directory Users and Computers

  • Active Directory is extensible so additional tabs may be added to property pages

  • Major account properties that can be set include:

    • General

    • Address

    • Account

    • Profile

    • Sessions


Activity 3-1: Reviewing User Account Properties

  • Objective is to review properties of user accounts through main tabs of Active Directory Users and Computers

  • Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties

  • Explore tabs and values as directed



User Authentication

  • The process by which a user’s identity is validated

  • Used to grant or deny access to network resources

  • From a client operating system

    • Name, password, resource required

  • In Active Directory environment

    • Domain controller authenticates

  • In a workgroup

    • Local SAM database authenticates


Authentication Methods

  • Two main processes

    • Interactive authentication

      • User account information is supplied at log on

    • Network authentication

      • User’s credentials are confirmed for network access


Interactive Authentication

  • The process by which a user provides a user name and password for authentication

  • For domain logon, credentials compared to centralized Active Directory database

  • For local logon, credentials compared to local SAM database

  • In domain environments, users normally don’t have local accounts


Network Authentication

  • The process by which a network service confirms the identity of a user

  • For a user who logs on to domain, network authentication is transparent

    • Credentials from interactive authentication valid for network resources

  • A user who logs on to local computer will be prompted to log on to network resource separately


Authentication Protocols

  • Windows Server 2003 supports two main authentication protocols:

    • Kerberos version 5 (Kerberos v5)

    • NT LAN Manager (NTLM)

  • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems

  • NTLM is primary protocol for older Microsoft operating systems


Kerberos v5

  • Primary authentication protocol used in Active Directory domain environments

  • Supported by Windows 2000, Windows XP, Windows Server 2003

  • Protocol followed:

    • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller

    • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system


Kerberos v5 (continued)

  • When client requests a network resource, it presents the TGT to KDC

  • KDC issues a service ticket to client

  • Client presents service ticket to host server for network resource

  • Every domain controller in Active Directory environment holds role of KDC

  • Not all clients follow this protocol


NTLM

  • A challenge-response protocol

  • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary

  • Protocol followed:

    • User logs in, client calculates cryptographic hash of password

    • Client sends user name to domain controller


NTLM (continued)

  • Domain controller generates random challenge and sends it to client

  • Client encrypts challenge with hash of password and sends to domain controller

  • Domain controller calculates expected value to be returned from client and compares to actual value

  • After successful authentication, domain controller generates a token for user for network access
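As an added example, not part of the slides, the four NTLM steps above as a toy Python exchange. Real NTLM uses the NT hash (MD4 of the UTF-16LE password) and DES to encrypt the challenge; SHA-256 and HMAC-SHA256 stand in for those primitives here, and the user name and password are constructed. What the model does show faithfully is the security shape of the protocol: the domain controller stores only the hash, the password itself never crosses the network, and because each challenge is random a captured response is useless against a later challenge.

```python
import hashlib
import hmac
import os

# Toy NTLM challenge-response model (added example, not from the slides).
# SHA-256 and HMAC-SHA256 stand in for the NT hash and DES; the user and
# password are constructed for the demonstration.


def password_hash(password: str) -> bytes:
    """Step 1: what the client computes at logon and what the DC has stored."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def encrypt_challenge(pw_hash: bytes, challenge: bytes) -> bytes:
    """Step 3 (client side): prove knowledge of the hash without sending it."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    def __init__(self):
        self._hashes = {}       # user name -> password hash (never the password)
        self._outstanding = {}  # user name -> challenge awaiting a response

    def add_user(self, name: str, password: str) -> None:
        self._hashes[name] = password_hash(password)

    def challenge(self, name: str) -> bytes:
        """Step 2: a fresh random 8-byte challenge for this logon attempt."""
        c = os.urandom(8)
        self._outstanding[name] = c
        return c

    def verify(self, name: str, response: bytes) -> bool:
        """Step 4: compute the expected value from the stored hash and compare."""
        stored = self._hashes.get(name)
        challenge = self._outstanding.pop(name, None)  # a challenge is usable once
        if stored is None or challenge is None:
            return False
        expected = encrypt_challenge(stored, challenge)
        return hmac.compare_digest(expected, response)


def ntlm_logon(dc: DomainController, name: str, password: str) -> tuple:
    """Run the full exchange; returns (authenticated, response) so a replay can be tried."""
    pw_hash = password_hash(password)            # step 1, on the client
    challenge = dc.challenge(name)               # step 2, after the name is sent
    response = encrypt_challenge(pw_hash, challenge)  # step 3
    return dc.verify(name, response), response   # step 4


def demo_dc() -> DomainController:
    """A domain controller holding one constructed account."""
    dc = DomainController()
    dc.add_user("pkohut", "constructed-password-1")
    return dc
```

Because the stored hash is all the domain controller needs to compute the expected response, the hash is as sensitive as the password for this protocol; that is the reason the SAM database and Active Directory store are protected the way they are.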


User Profiles

  • A collection of settings specific to a particular user

  • Stored locally by default

    • Do not follow user logging on to different computers

  • Can create a roaming profile

    • Does follow user logging on to different computers

  • Administrator can create a mandatory profile

    • User cannot alter it



Local Profiles

  • New profiles are created from Default User profile folder

  • User can change local profile and changes are stored uniquely to that user

  • Administrator can manage various elements of profile

    • Change Type

    • Delete

    • Copy To


Activity 3-2: Testing Local Profile Settings

  • Objective is to configure and test a local user profile

  • Start → Administrative Tools → Active Directory Users and Computers → Users → New → User

  • Follow directions to create a new user profile

  • Explore and configure properties

  • Test by logging in as new user


Roaming Profiles

  • Roaming profiles

    • Allow a profile to be stored on a central server and follow the user

    • Provide advantage of a single centralized location (helpful for backup)

  • Configured from Profiles page of Active Directory Users and Computers

  • Changing a profile from local to roaming requires care: copy the profile first


Activity 3-3: Configuring and Testing a Roaming Profile

  • Objective: To configure and test a roaming user profile

  • Create a shared folder, copy a local profile to folder, and configure properties of user account to use roaming folder

  • Follow directions in book to create, configure, and test the new roaming profile


Mandatory Profiles

  • Local and roaming profiles allow users to make permanent changes

  • Mandatory profiles allow changes only for a single session

  • Local and roaming profiles can both be configured as mandatory

    • Rename ntuser.dat → ntuser.man


Activity 3-4: Configuring a Mandatory Profile

  • Objective: To configure and test a mandatory user profile

  • Start → My Computer

  • Follow directions to make previously created test profile mandatory by renaming file

  • Test that no permanent changes can be made by user


Creating and Managing User Accounts

  • Standard tool is Active Directory Users and Computers

  • Also a number of command line tools and utilities


Active Directory Users and Computers

  • Available from Administrative Tools menu

  • Can be added to a Microsoft Management Console

  • Can be run from command line (dsa.msc)

  • Graphical tool

    • Can add, modify, move, delete, search for user accounts

  • Can configure multiple objects simultaneously


Activity 3-5: Creating User Accounts Using Active Directory Users and Computers

  • Objective: Use Active Directory Users and Computers to create user accounts

  • Start → Administrative Tools → Active Directory Users and Computers

  • Follow directions to create a number of new user accounts


User Account Templates

  • A user account that is pre-configured with common settings

  • Can be copied to create new user accounts with pre-defined settings

  • New account is then configured with detailed individual settings


Activity 3-6: Creating a User Account Template

  • Objective: Create a user account template and use the template to create a new user account

  • Start → Administrative Tools → Active Directory Users and Computers

  • Create a new user account template

  • Use a variable that will automatically populate the profile path with the name of user account

  • Follow directions to create and explore a new user account from template


Command Line Utilities

  • Some administrators prefer working from command line

  • Can be used to automate creation or management of accounts more flexibly


DSADD

  • Allows object types to be added to directory

    • Computer accounts, contacts, quotas, OUs, users, etc.

  • Syntax for user account is

    • dsadd user <UserDN> [switches]

  • Switches include

    • -pwd (password), -memberof, -email, -profile, -disabled


Activity 3-7: Creating User Accounts Using DSADD

  • Objective: Use the DSADD USER command to create new user accounts

  • Start → Run

  • Follow directions to enter DSADD command

  • Check using Active Directory Users and Computers

  • Enter new DSADD command and again check results


DSMOD

  • Allows object types to be modified from the command line

    • Computer accounts, users, quotas, OUs, servers, etc.

  • Syntax for modifying user account is

    • dsmod user <UserDN ...> [switches] (one or more distinguished names, one or more switches)

  • Can modify multiple accounts simultaneously


Activity 3-8: Modifying User Accounts Using DSMOD

  • Objective is to modify existing user account properties using the DSMOD USER command

  • Start → Run

  • Follow directions to enter DSMOD command for a single user

  • Check using Active Directory Users and Computers

  • Enter new DSMOD command for multiple users

  • Check results using Active Directory Users and Computers


DSQUERY

  • Allows various object types to be queried from command line

  • Supports wildcard (*)

  • Output can be redirected to another command (piped)

  • Example: return all user accounts that have not changed passwords in 14 days

    • dsquery user domainroot -name * -stalepwd 14


DSMOVE

  • Allows various object types to be moved from current location to a new location

  • Allows various object types to be renamed

  • Only moves within the same domain (otherwise use MOVETREE)

  • Example: to move a user account into a marketing OU

    • dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"


DSRM

  • Allows objects to be deleted from directory

  • Can delete single object or entire subtree

  • Has a confirm option that can be overridden

  • Example: to delete the Marketing OU and all its contained objects without a confirm prompt:

    • dsrm "ou=marketing,dc=domain01,dc=dovercorp,dc=net" -subtree -noprompt -c


Bulk Import and Export

  • Allows an organization to import existing stores of data rather than recreating from scratch

  • Allows an organization to export data that is already structured in Active Directory to secondary databases

  • Two command line utilities for import and export

    • CSVDE

    • LDIFDE


CSVDE

  • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files

  • CSV files can be created/edited using text-based editors

  • Example (export to output.csv):

    • csvde -f output.csv


LDIFDE

  • Command-line tool to bulk export and import Active Directory data to and from LDIF files

    • LDAP Data Interchange Format

    • Industry standard for information in LDAP directories

    • Each attribute/value on a separate line with blank lines between objects

  • Can be read in text-based editors

  • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
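As an added example, not part of the slides, a small Python parser for the LDIF layout the slide describes (one attribute per line, a blank line between objects), extended with two LDIF rules the slide does not mention: a line that starts with a space continues the previous line, and a double colon ("attr:: value") marks a base64-encoded value, which LDIFDE uses for attributes that are not plain printable text. The export text is constructed, not real LDIFDE output. The helper at the end reads userAccountControl, whose 0x0002 bit marks a disabled account, so that an export can be checked for accounts that are enabled when they should not be.

```python
import base64

# Parser for LDIFDE-style exports (added example, not from the slides).
# The sample export below is constructed.

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account

SAMPLE_LDIF = """dn: CN=Paul Kohut,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Kohut
sAMAccountName: pkohut
userAccountControl: 512
description:: TWFya2V0aW5nIHRlYW0gLSBjb250cmFjdG9y

dn: CN=Jane Smith,OU=Marketing,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: top
objectClass: user
cn: Jane Smith
sAMAccountName: jsmith
userAccountControl: 514
profilePath: \\\\fileserver01\\profiles\\js
 mith
"""


def _add_line(entry: dict, line: str) -> None:
    """Store one logical 'attr: value' line; multi-valued attributes become lists."""
    if line.startswith("#"):
        return  # comment line
    attr, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: " + line)
    if value.startswith(":"):  # "attr:: <base64>"
        value = base64.b64decode(value[1:].strip()).decode("utf-8")
    else:
        value = value.strip()
    entry.setdefault(attr, []).append(value)


def parse_ldif(text: str) -> list:
    """Return a list of entries, each a dict mapping attribute -> list of values."""
    entries, entry, pending = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]  # folded line: continue the previous logical line
            continue
        if pending is not None:
            _add_line(entry, pending)
            pending = None
        if raw.strip() == "":  # blank line ends the current object
            if entry:
                entries.append(entry)
                entry = {}
            continue
        pending = raw
    if pending is not None:
        _add_line(entry, pending)
    if entry:
        entries.append(entry)
    return entries


def is_disabled(entry: dict) -> bool:
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return bool(uac & ACCOUNTDISABLE)


def enabled_accounts(entries: list) -> list:
    """sAMAccountNames of user objects whose disabled bit is clear."""
    return [e["sAMAccountName"][0] for e in entries
            if "user" in e.get("objectClass", []) and not is_disabled(e)]
```

Run over a real export (ldifde -f export.ldf), the same two functions give a quick inventory of which accounts are enabled without opening Active Directory Users and Computers.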


Activity 3-9: Exporting Active Directory Users Using LDIFDE

  • Objective is to export Active Directory user accounts using LDIFDE

  • Start → Run

  • Follow directions to enter LDIFDE command

  • Check exported results using Notepad editor


Troubleshooting User Account and Authentication Issues

  • Normally creating and configuring user accounts is straightforward

  • Issues do arise related to

    • Configuration of account

    • Policy settings


Account Policies

  • Authentication-related policy settings

    • Configured in Account Policies node of Group Policy objects at domain level

    • Account lockout, passwords, Kerberos

  • Default Domain Policy

    • Accessed from Active Directory Users and Computers

    • Configures policies for all domain users


Password Policy

  • Configuration settings

    • Password history and reuse

    • Maximum password age

    • Minimum password age

    • Minimum password length

    • Complexity requirements

    • Encryption policy


Account Lockout Settings

  • Configuration settings

    • Account lockout duration

    • Account lockout threshold

    • Reset account lockout counter after
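As an added example, not part of the slides, a Python model of how the three lockout settings interact, run over a constructed sequence of logon attempts: the threshold counts failures, the reset period clears the counter after a quiet spell, and the duration decides whether the lock expires on its own or (with a value of 0) lasts until an administrator unlocks the account, which is the "manual unlock" fix on the Resolving Logon Issues slide. The policy values used are constructed for the demonstration, not recommended settings.

```python
from dataclasses import dataclass
from typing import Optional

# Account lockout model (added example, not from the slides). Policy values
# and the logon sequences are constructed.


@dataclass
class LockoutPolicy:
    threshold: int = 3            # bad attempts that trigger lockout; 0 = never lock
    duration_s: int = 30 * 60     # how long the lock lasts; 0 = until an administrator unlocks
    reset_after_s: int = 30 * 60  # quiet period after which the bad-attempt counter resets


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_at: Optional[int] = None
    locked_at: Optional[int] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}  # user name -> AccountState

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.duration_s and now >= s.locked_at + self.policy.duration_s:
            s.locked_at, s.bad_attempts = None, 0  # duration elapsed: automatic unlock
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """One logon attempt; returns 'ok', 'bad_password' or 'locked_out'."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked_out"  # a correct password is refused while locked
        if s.last_bad_at is not None and now - s.last_bad_at >= self.policy.reset_after_s:
            s.bad_attempts = 0   # quiet period elapsed: counter starts over
        if password_ok:
            s.bad_attempts = 0   # a successful logon also clears the counter
            return "ok"
        s.bad_attempts += 1
        s.last_bad_at = now
        if self.policy.threshold and s.bad_attempts >= self.policy.threshold:
            s.locked_at = now
            return "locked_out"
        return "bad_password"

    def unlock(self, user: str) -> None:
        """Administrative unlock: clears the lock and the counter."""
        self.accounts[user] = AccountState()


def run_sequence(policy: LockoutPolicy, events) -> list:
    """events: iterable of (user, password_ok, time_in_seconds); returns one outcome per event."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, ok, at) for user, ok, at in events]
```

The model also shows why a lockout threshold is a double-edged setting: anyone who can send bad passwords for a user name can keep that account locked, so the duration and the audit of failed logons (next slides) matter as much as the threshold itself.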


Kerberos Policy

  • Configuration settings

    • Enforce user logon restrictions

    • Maximum lifetime for service ticket

    • Maximum lifetime for user ticket

    • Maximum lifetime for user ticket renewal

    • Maximum tolerance for computer clock synchronization


Auditing Authentication

  • Audit account logon events

    • Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy)

  • Default is to log only successful logons

  • Events viewable in Security log (use Event Viewer)

  • Can choose to audit failed logons

    • May be helpful for troubleshooting

    • Codes provide information about type of failure


Resolving Logon Issues

  • Some common logon issues (and fixes)

    • Incorrect user name or password (administrative reset)

    • Account lockout (manual unlock)

    • Account disabled (administrative enable)

    • Logon hour restrictions (check account restrictions)

    • Workstation restrictions (check account restrictions)

    • Domain controllers (check configured DNS settings)

    • Client time settings (check client clock synchronization)


Resolving Logon Issues (continued)

  • Down-level client issues (install Active Directory Client Extensions)

  • UPN logon issues (check Global Catalog server)

  • Unable to log on locally (set policy on local server)

  • Remote access logon issues (check access on Dial-up properties)

  • Terminal services logon issues (check allow logon to terminal server permission)


Summary

  • A user account is an object stored in Active Directory

    • Information that defines user and access to network

  • Primary tools to create and manage user accounts

    • Active Directory Users and Computers

    • Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)

  • Two main authentication processes

    • Interactive authentication

    • Network authentication


Summary (continued)

  • Two main authentication protocols

    • Kerberos v5, NTLM

  • User profiles used to configure and customize desktop environment

    • Local, roaming, mandatory

  • Utilities for bulk importing and exporting user data to and from Active Directory

    • LDIFDE and CSVDE