Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts - PowerPoint PPT Presentation

omer
managing a microsoft windows server 2003 environment chapter 3 creating and managing user accounts l.
Skip this Video
Loading SlideShow in 5 Seconds..
Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts PowerPoint Presentation
Download Presentation
Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts

play fullscreen
1 / 50
Download Presentation
Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts
441 Views
Download Presentation

Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Managing a Microsoft Windows Server 2003 EnvironmentChapter 3:Creating and Managing User Accounts

  2. Objectives • Understand the purpose of user accounts • Understand the user authentication process • Understand and configure local, roaming, and mandatory user profiles • Configure and modify user accounts using different methods • Troubleshoot user account and authentication problems

  3. Introduction to User Accounts • A user account is an Active Directory object • Represents information that defines a user with access to network (first name, last name, password, etc.) • Required for anyone using resources on network • Assists in administration and security • Must follow organizational standards

  4. User Account Properties • Primary tool for creating and managing accounts is Active Directory Users and Computers • Active Directory is extensible so additional tabs may be added to property pages • Major account properties that can be set include: • General • Address • Account • Profile • Sessions

  5. Activity 3-1: Reviewing User Account Properties • Objective is to review properties of user accounts through main tabs of Active Directory Users and Computers • Start  Administrative Tools  Active Directory Users and Computers  Users  AdminXX account  Properties • Explore tabs and values as directed

  6. The Account Tab of Properties

  7. User Authentication • The process by which a user’s identity is validated • Used to grant or deny access to network resources • From a client operating system • Name, password, resource required • In Active Directory environment • Domain controller authenticates • In a workgroup • Local SAM database authenticates

  8. Authentication Methods • Two main processes • Interactive authentication • User account information is supplied at log on • Network authentication • User’s credentials are confirmed for network access

  9. Interactive Authentication • The process by which a user provides a user name and password for authentication • For domain logon, credentials compared to centralized Active Directory database • For local logon, credentials compared to local SAM database • In domain environments, users normally don’t have local accounts

  10. Network Authentication • The process by which a network service confirms the identify of a user • For a user who logs on to domain, network authentication is transparent • Credentials from interactive authentication valid for network resources • A user who logs on to local computer will be prompted to log on to network resource separately

  11. Authentication Protocols • Windows Server 2003 supports two main authentication protocols: • Kerberos version 5 (Kerberos v5) • NT LAN Manager (NTLM) • Kerberos v5 is primary protocol for Active Directory environments but is not supported on all client systems • NTLM is primary protocol for older Microsoft operating systems

  12. Kerberos v5 • Primary authentication protocol used in Active Directory domain environments • Supported by Windows 2000, Windows XP, Windows Server 2003 • Protocol followed: • Log on request passed to Key Distribution Center (KDC), a Windows Server 2003 domain controller • KDC authenticates user and, if valid, issues a ticket-granting ticket (TGT) to client system

  13. Kerberos v5 (continued) • When client requests a network resource, it presents the TGT to KDC • KDC issues a service ticket to client • Client presents service ticket to host server for network resource • Every domain controller in Active Directory environment holds role of KDC • Not all clients follow this protocol

  14. NTLM • A challenge-response protocol • Used with operating systems running Windows NT 4.0 or earlier or with Windows 2000 or Server 2003 when necessary • Protocol followed: • User logs in, client calculates cryptographic hash of password • Client sends user name to domain controller

  15. NTLM (continued) • Domain controller generates random challenge and sends it to client • Client encrypts challenge with hash of password and sends to domain controller • Domain controller calculates expected value to be returned from client and compares to actual value • After successful authentication, domain controller generates a token for user for network access

  16. User Profiles • A collection of settings specific to a particular user • Stored locally by default • Do not follow user logging on to different computers • Can create a roaming profile • Does follow user logging on to different computers • Administrator can create a mandatory profile • User cannot alter it

  17. User Profile Folders and Contents

  18. Local Profiles • New profiles are created from Default User profile folder • User can change local profile and changes are stored uniquely to that user • Administrator can manage various elements of profile • Change Type • Delete • Copy To

  19. Activity 3-2: Testing Local Profile Settings • Objective is to configure and test a local user profile • Start  Administrative Tools  Active Directory Users and Computers  Users  New  User • Follow directions to create a new user profile • Explore and configure properties • Test by logging in as new user

  20. Roaming Profiles • Roaming profiles • Allow a profile to be stored on a central server and follow the user • Provide advantage of a single centralized location (helpful for backup) • Configured from Profiles page of Active Directory Users and Computers • Changing a profile from local to roaming requires care – should copy first

  21. Activity 3-3: Configuring and Testing a Roaming Profile • Objective: To configure and test a roaming user profile • Create a shared folder, copy a local profile to folder, and configure properties of user account to use roaming folder • Follow directions in book to create, configure, and test the new roaming profile

  22. Mandatory Profiles • Local and roaming profiles allow users to make permanent changes • Mandatory profiles allow changes only for a single session • Local and roaming profiles can both be configured as mandatory • ntuser.dat  ntuser.man

  23. Activity 3-4: Configuring a Mandatory Profile • Objective: To configure and test a mandatory user profile • Start  My Computer • Follow directions to make previously created test profile mandatory by renaming file • Test that no permanent changes can be made by user

  24. Creating and Managing User Accounts • Standard tool is Active Directory Users and Computers • Also a number of command line tools and utilities

  25. Active Directory Users and Computers • Available from Administrative Tools menu • Can be added to a Microsoft Management Console • Can be run from command line (dsa.msc) • Graphical tool • Can add, modify, move, delete, search for user accounts • Can configure multiple objects simultaneously

  26. Activity 3-5: Creating User Accounts Using Active Directory Users and Computers • Objective: Use Active Directory Users and Computers to create user accounts • Start  Administrative Tools  Active Directory Users and Computers • Follow directions to create a number of new user accounts

  27. User Account Templates • A user account that is pre-configured with common settings • Can be copied to create new user accounts with pre-defined settings • New account is then configured with detailed individual settings

  28. Activity 3-6: Creating a User Account Template • Objective: Create a user account template and use the template to create a new user account • Start  Administrative Tools  Active Directory Users and Computers • Create a new user account template • Use a variable that will automatically populate the profile path with the name of user account • Follow directions to create and explore a new user account from template

  29. Command Line Utilities • Some administrators prefer working from command line • Can be used to automate creation or management of accounts more flexibly

  30. DSADD • Allows object types to be added to directory • Computer accounts, contacts, quotas, OUs, users, etc. • Syntax for user account is • DSADD USER distinguished-name switches • Switches include • -pwd (password), -memberof, -email, -profile, -disabled

  31. Activity 3-7: Creating User Accounts Using DSADD • Objective: Use the DSADD USER command to create new user accounts • Start  Run • Follow directions to enter DSADD command • Check using Active Directory Computers and Users • Enter new DSADD command and again check results

  32. DSMOD • Allows object types to be modified from the command line • Computer accounts, users, quotas, OUs, servers, etc. • Syntax for modifying user account is • DSMOD USER distinguished-name+ switches+ • Can modify multiple accounts simultaneously

  33. Activity 3-8: Modifying User Accounts Using DSMOD • Objective is to modify existing user account properties using the DSMOD USER command • Start  Run • Follow directions to enter DSMOD command for a single user • Check using Active Directory Comp. and Users • Enter new DSMOD command for multiple users • Check results using Active Directory

  34. DSQUERY • Allows various object types to be queried from command line • Supports wildcard (*) • Output can be redirected to another command (piped) • Example: return all user accounts that have not changed passwords in 14 days • dsquery user domainroot –name * -stalepwd 14

  35. DSMOVE • Allows various object types to be moved from current location to a new location • Allows various object types to be renamed • Only moves within the same domain (otherwise use MOVETREE) • Example: to move a user account into a marketing OU • dsmove "cn=Paul Kohut,cn=users,dc=domain01, dc=dovercorp,dc=net" –newparent "ou=marketing, dc=domain01,dc=dovercorp,dc=net"

  36. DSRM • Allows objects to be deleted from directory • Can delete single object or entire subtree • Has a confirm option that can be overridden • Example: to delete the Marketing OU and all its contained objects without a confirm prompt: • dsrm –subtree –noprompt –c "ou=marketing, dc=domain01,dc=dovercorp,dc=net "

  37. Bulk Import and Export • Allows an organization to import existing stores of data rather than recreating from scratch • Allows an organization to export data that is already structured in Active Directory to secondary databases • Two command line utilities for import and export • CSVDE • LDIFDE

  38. CSVDE • Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files • CSV files can be created/edited using text-based editors • Example: • csvde –f output.csv

  39. LDIFDE • Command-line tool to bulk export and import Active Directory data to and from LDIF files • LDAP Interchange Format • Industry standard for information in LDAP directories • Each attribute/value on a separate line with blank lines between objects • Can be read in text-based editors • Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects

  40. Activity 3-9: Exporting Active Directory Users Using LDIFDE • Objective is to export Active Directory user accounts using LDIFDE • Start  Run • Follow directions to enter LDIFDE command • Check exported results using Notepad editor

  41. Troubleshooting User Account and Authentication Issues • Normally creating and configuring user accounts is straightforward • Issues do arise related to • Configuration of account • Policy settings

  42. Account Policies • Authentication-related policy settings • Configured in Account Policies node of Group Policy objects at domain level • Account lockout, passwords, Kerberos • Default Domain Policy • Accessed from Active Directory Computers and Users • Configures policies for all domain users

  43. Password Policy • Configuration settings • Password history and reuse • Maximum password age • Minimum password age • Minimum password length • Complexity requirements • Encryption policy

  44. Account Lockout Settings • Configuration settings • Account lockout duration • Account lockout threshold • Reset account lockout counter after

  45. Kerberos Policy • Configuration settings • Enforce user logon restrictions • Maximum lifetime for service ticket • Maximum lifetime for user ticket • Maximum lifetime for user ticket renewal • Maximum tolerance for computer clock synchronization

  46. Auditing Authentication • Audit account logon event • Configured in Group Policy object linked to Domain Controllers OU (Default Domain Controllers Policy) • Default is to log only successful logons • Event viewable in Security log (use Event Viewer) • Can choose to edit failed logons • May be helpful for troubleshooting • Codes provide information about type of failure

  47. Resolving Logon Issues • Some common logon issues (and fixes) • Incorrect user name or password (administrative reset) • Account lockout (manual unlock) • Account disabled (administrative enable) • Logon hour restrictions (check account restrictions) • Workstation restrictions (check account restrictions) • Domain controllers (check configured DNS settings) • Client time settings (check client clock synchronization)

  48. Resolving Logon Issues (continued) • Down-level client issues (install Active Directory Client Extensions) • UPN logon issues (check Global Catalog server) • Unable to log on locally (set policy on local server) • Remote access logon issues (check access on Dial-up properties) • Terminal services logon issues (check allow logon to terminal server permission)

  49. Summary • A user account is an object stored in Active Directory • Information that defines user and access to network • Primary tools to create and manage user accounts • Active Directory Users and Computers • Command line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM) • Two main authentication processes • Interactive authentication • Network authentication

  50. Summary (continued) • Two main authentication protocols • Kerberos v5, NTLM • User profiles used to configure and customize desktop environment • Local, roaming, mandatory • Utilities for bulk importing and exporting user data to and from Active Directory • LDIFDE and CSVDE