Windows Server 2003 User and Computer Account Management
林寶森 jeffl@ms11.hinet.net

Introduction to User Accounts
Local User Accounts
• Enable users to log on and access resources on a specific computer
• Reside in SAM
Domain User Accounts
• Enable users to log on to the domain to gain access to network resources
• Reside in Active Directory
Built-in User Accounts (Administrator and Guest)
• Enable users to perform administrative tasks or gain temporary access to network resources
• Reside in SAM (local built-in user accounts)
• Reside in Active Directory (domain built-in user accounts)

Creating Local User Accounts
[Screenshot: New User dialog for the sample user JYoung (Jonathan Young), with the fields User name, Full name, Description, Password and Confirm; the check boxes User must change password at next logon, User cannot change password, Password never expires and Account is disabled; and the buttons Create and Close]

Creating Domain User Accounts
[Screenshot: New Object - User dialog, first page. Create in: samerica1.nwtraders.msft/Ohio; fields First name, Last name, Full name, User logon name (suffix @samerica1.nwtraders.msft) and User logon name (pre-Windows 2000) (prefix SAMER\)]
[Screenshot: New Object - User dialog, second page. Create in: nwtraders.msft/Users; fields Password and Confirm Password; check boxes User must change password at next logon, User cannot change password, Password never expires and Account is disabled]

Introduction to User Logon Names
[Diagram: suzanf@contoso.msft = prefix (user name: suzanf) + @ + suffix (domain: contoso)]
• User Principal Name
  • The suffix defaults to the name of the root domain, but it can be changed and others added
• User Logon Name (Pre-Windows 2000)
  • A user selects the domain when logging on
• User Logon Name Uniqueness Rules
  • Full name must be unique within the container
  • User principal name is unique within the forest
  • User logon name (pre-Windows 2000) is unique within the domain

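The three uniqueness rules can be checked before a bulk import. The following is an added example, not part of the original slides: it scans a constructed file in Csvde's CSV layout and reports values that collide within their scope. It assumes the Full name is the CN part of the DN and that the whole file belongs to one forest.

```python
import csv, io, re
from collections import defaultdict

# Constructed sample in csvde's CSV layout (header row of attribute names,
# one object per row). Every account is invented for this example.
SAMPLE_IMPORT = '''DN,sAMAccountName,userPrincipalName
"CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft",suzanf,suzanf@contoso.msft
"CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft",sfine,sfine@contoso.msft
"CN=Suzan Fine,OU=Accounting,DC=contoso,DC=msft",suzanf2,suzanf2@contoso.msft
"CN=Don Hall,OU=Sales,DC=contoso,DC=msft",donh,donh@contoso.msft
"CN=Don Hall,OU=Ohio,DC=nwtraders,DC=msft",donh,DonH@contoso.msft
'''

def split_dn(dn):
    """Split a user DN into (full name, container DN, DNS domain), lower-cased."""
    # Split on commas that are not escaped with a backslash.
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    domain = ".".join(p[3:] for p in parts if p.startswith("dc="))
    # Assumption: the first component is "CN=<Full name>".
    return parts[0][3:], ",".join(parts[1:]), domain

def find_conflicts(import_text):
    """Return {(rule, scope, value): [DNs]} for every value used more than once."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(import_text)):
        full_name, container, domain = split_dn(row["DN"])
        keys = [
            # Full name: unique within the container.
            ("full name", container, full_name),
            # UPN: unique within the forest (assumed: one forest per file).
            ("user principal name", "forest", row["userPrincipalName"].lower()),
            # Pre-Windows 2000 logon name: unique within the domain.
            ("pre-Windows 2000 logon name", domain, row["sAMAccountName"].lower()),
        ]
        for key in keys:
            seen[key].append(row["DN"])
    return {key: dns for key, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for (rule, scope, value), dns in find_conflicts(SAMPLE_IMPORT).items():
        print(f"{rule} '{value}' is not unique within {scope}: {len(dns)} entries")
```

In the sample, the logon name donh is accepted twice because the two accounts are in different domains, while the two UPNs that differ only in case are reported.
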
Creating a User Principal Name Suffix
[Screenshot: Active Directory Domains and Trusts console listing the domains contoso.msft and nwtraders.msft, with its Properties dialog open on the UPN Suffixes tab. Dialog text: "The names of the current domain and the root domain are the default user principal name (UPN) suffixes. Adding alternative domain names provides additional logon security and simplifies user logon names. If you want alternative UPN suffixes to appear during user creation, add them to the following list." The Alternative UPN suffixes list has Add and Remove buttons. Callout: Add New Suffixes]

Setting Personal Properties
• Add Personal Information About Users As Stored in Active Directory
• Use Personal Properties to Search Active Directory
[Screenshot: Student 01 Properties dialog for User01, with the tabs General, Address, Account, Profile, Telephones, Organization, Member Of, Dial-in, Environment, Sessions, Remote control and Terminal Services Profile]

When to Reset User Passwords
• Reset a password when a user forgets his or her password
• After resetting a password, a user can no longer access some types of information, including:
  • E-mail that is encrypted with the user’s public key
  • Internet passwords that are saved on the computer
  • Files that the user has encrypted

What Is a User Account Template?
• A user account template is a user account that contains the properties that apply to users with common requirements
• User account templates make creating user accounts with standardized configurations more efficient
[Figure: User Account Template]

Creating User Account Templates
• Set Up a User Account as a Template Account
• Create a User Account by Copying the Template Account
[Screenshot: Active Directory Users and Computers, Users container of nwtraders.msft, with the context menu of the _Sales Template user open and Copy… selected ("Creates a new user, copying information from the selected user."). Copy Object - User dialog: Create in: nwtraders.msft/Users; First name: sales; Last name: user1; Full name: sales user1; User logon name: salesuser1@nwtraders.msft; User logon name (pre-Windows 2000): NWTRADERS\salesuser1]

Guidelines for Creating User Account Templates
• Create a separate classification for each department
• Create a separate group for short-term and temporary employees
• Set user account expiration dates for short-term and temporary employees
• Disable the account template
• Identify the account template

Customizing User Settings with User Profiles
• Default User Profile
  • Serves as the basis for all user profiles
• Local User Profile
  • Created the first time a user logs on to a computer
  • Stored on a computer's local hard disk
• Roaming User Profile
  • Created by the system administrator
  • Stored on a server
• Mandatory User Profile
  • Created by the system administrator
  • Stored on a server
[Diagram: user profile settings (Display, Regional Settings, Mouse, Sounds) being modified and saved; profiles stored on a profile server and on computers running Windows 2000 Professional, Windows XP Professional and Windows Server 2003]

Best Practices
• Rename the Administrator Account
• Create a User Account with Administrative Rights
• Create a User Account for Non-Administrative Tasks
• Enable the Guest Account Only in Low Security Networks
• Create Random Initial Passwords
• Require New Users to Change Their Passwords
• Set Account Expiration Dates for Temporary Employees

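Several of these practices, and the template guidelines earlier in the deck, leave traces in account attributes and can be audited from a directory export. The following is an added example, not part of the original slides: it reads a constructed file in Csvde's CSV layout and flags accounts that break four of the rules. The leading-underscore template naming (modelled on _Sales Template) and the "Temporary Staff" group name are assumptions.

```python
import csv, io

ACCOUNTDISABLE = 0x0002                   # userAccountControl flag: account is disabled
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # accountExpires values that mean "never"
TEMPLATE_PREFIX = "_"                     # assumed template naming convention
TEMP_GROUP = "cn=temporary staff,"        # hypothetical group for temporary employees

# Constructed sample in csvde's CSV layout; every account here is invented.
SAMPLE_EXPORT = '''DN,sAMAccountName,userAccountControl,accountExpires,memberOf
"CN=Administrator,CN=Users,DC=nwtraders,DC=msft",Administrator,512,0,
"CN=Guest,CN=Users,DC=nwtraders,DC=msft",Guest,514,0,
"CN=_Sales Template,CN=Users,DC=nwtraders,DC=msft",_SalesTemplate,512,0,
"CN=_HR Template,CN=Users,DC=nwtraders,DC=msft",_HRTemplate,514,0,
"CN=Temp One,OU=Ohio,DC=nwtraders,DC=msft",temp1,512,9223372036854775807,"CN=Temporary Staff,OU=Ohio,DC=nwtraders,DC=msft"
"CN=Temp Two,OU=Ohio,DC=nwtraders,DC=msft",temp2,512,127000000000000000,"CN=Temporary Staff,OU=Ohio,DC=nwtraders,DC=msft"
'''

def audit(export_text):
    """Return (sAMAccountName, finding) pairs in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        enabled = not (int(row["userAccountControl"]) & ACCOUNTDISABLE)
        groups = (row["memberOf"] or "").lower()
        # Name match only; a stricter audit would match the well-known RID 500.
        if name.lower() == "administrator":
            findings.append((name, "built-in Administrator account not renamed"))
        if name.lower() == "guest" and enabled:
            findings.append((name, "Guest account is enabled"))
        if name.startswith(TEMPLATE_PREFIX) and enabled:
            findings.append((name, "account template is not disabled"))
        if TEMP_GROUP in groups and int(row["accountExpires"]) in NEVER_EXPIRES:
            findings.append((name, "temporary account has no expiration date"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EXPORT):
        print(f"{account}: {finding}")
```
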
What Is a Computer Account?
• Identifies a computer in a domain
• Provides a means for authenticating and auditing computer access to the network and to domain resources
• Is required for every computer running:
  • Windows Server 2003
  • Windows XP Professional
  • Windows 2000
  • Windows NT

Where Computer Accounts Are Created in a Domain
• Computers that join a domain are created in the Computers container
• Computer accounts can be moved to or created in other organizational units

When to Reset Computer Accounts
Reset computer accounts when:
• Computers fail to authenticate to the domain
• Passwords need to be synchronized

Tools for Creating and Managing Accounts
• Active Directory Users and Computers
• Directory Service Tools
  • Dsadd
  • Dsmod
  • Dsrm
• Csvde and Ldifde Tools
• Windows Script Host

Locating Accounts
• Search entire Active Directory, a specific domain, or an OU
• Select attributes for searching
• Set condition
• Specify value of the attribute
• Administer user accounts in the results box
[Screenshot: Find Users, Contacts, and Groups dialog, Advanced tab, with Find set to Users, Contacts, and Groups and In set to Entire Directory; the results box lists the users Joe Pak, Don Hall and Anne Paper]