Chapter03 Creating And Managing User Accounts

  1. Managing a Microsoft Windows Server 2003 Environment, Chapter 3: Creating and Managing User Accounts
  2. Objectives
     - Understand the purpose of user accounts
     - Understand the user authentication process
     - Understand and configure local, roaming, and mandatory user profiles
     - Configure and modify user accounts using different methods
     - Troubleshoot user account and authentication problems
  3. Introduction to User Accounts
     - A user account is an Active Directory object
     - Represents the information that defines a user with access to the network (first name, last name, password, etc.)
     - Required for anyone using resources on the network
     - Assists in administration and security
     - Must follow organizational standards
  4. User Account Properties
     - The primary tool for creating and managing accounts is Active Directory Users and Computers
     - Active Directory is extensible, so additional tabs may be added to property pages
     - Major account properties that can be set include:
       - General
       - Address
       - Account
       - Profile
       - Sessions
  5. Activity 3-1: Reviewing User Account Properties
     - Objective: review the properties of user accounts through the main tabs of Active Directory Users and Computers
     - Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
     - Explore the tabs and values as directed
  6. The Account Tab of Properties
  7. User Authentication
     - The process by which a user's identity is validated
     - Used to grant or deny access to network resources
     - From a client operating system
       - Name, password, resource required
     - In an Active Directory environment
       - A domain controller authenticates
     - In a workgroup
       - The local SAM database authenticates
  8. Authentication Methods
     - Two main processes
       - Interactive authentication
         - User account information is supplied at logon
       - Network authentication
         - User's credentials are confirmed for network access
  9. Interactive Authentication
     - The process by which a user provides a user name and password for authentication
     - For a domain logon, credentials are compared to the centralized Active Directory database
     - For a local logon, credentials are compared to the local SAM database
     - In domain environments, users normally don't have local accounts
  10. Network Authentication
     - The process by which a network service confirms the identity of a user
     - For a user who logs on to the domain, network authentication is transparent
       - Credentials from interactive authentication are valid for network resources
     - A user who logs on to the local computer will be prompted to log on to a network resource separately
  11. Authentication Protocols
     - Windows Server 2003 supports two main authentication protocols:
       - Kerberos version 5 (Kerberos v5)
       - NT LAN Manager (NTLM)
     - Kerberos v5 is the primary protocol for Active Directory environments but is not supported on all client systems
     - NTLM is the primary protocol for older Microsoft operating systems
  12. Kerberos v5
     - Primary authentication protocol used in Active Directory domain environments
     - Supported by Windows 2000, Windows XP, and Windows Server 2003
     - Protocol followed:
       - Logon request is passed to the Key Distribution Center (KDC), a Windows Server 2003 domain controller
       - KDC authenticates the user and, if valid, issues a ticket-granting ticket (TGT) to the client system
  13. Kerberos v5 (continued)
       - When the client requests a network resource, it presents the TGT to the KDC
       - KDC issues a service ticket to the client
       - Client presents the service ticket to the host server for the network resource
     - Every domain controller in an Active Directory environment holds the role of KDC
     - Not all clients follow this protocol
  14. NTLM
     - A challenge-response protocol
     - Used with operating systems running Windows NT 4.0 or earlier, or with Windows 2000 or Server 2003 when necessary
     - Protocol followed:
       - User logs in; the client calculates a cryptographic hash of the password
       - Client sends the user name to the domain controller
  15. NTLM (continued)
       - Domain controller generates a random challenge and sends it to the client
       - Client encrypts the challenge with the hash of the password and sends the result to the domain controller
       - Domain controller calculates the expected value to be returned from the client and compares it to the actual value
     - After successful authentication, the domain controller generates a token for the user for network access
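The five-step exchange above, as an added example that is not part of the original slides: a small Python model of the challenge-response in which the domain controller holds only the password hash and a response is only good for the challenge it answers. It uses SHA-256 and HMAC in place of the MD4/DES primitives of real NTLM, so it models the flow, not the wire format; the account below is a constructed sample.

```python
import hashlib
import hmac
import os

# Simplified model of the exchange on slides 14-15.  Real NTLM derives its
# response from the MD4 "NT hash" with DES; this model uses SHA-256 and HMAC
# instead (a deliberate simplification) but keeps the shape of the protocol:
# the password never crosses the wire, only a keyed function of a challenge.

def password_hash(password: str) -> bytes:
    """Step 1: the client hashes the password.  The DC stores this same value."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def make_challenge() -> bytes:
    """Step 3: the domain controller generates a random 8-byte challenge."""
    return os.urandom(8)

def client_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Step 4: the client keys the challenge with the password hash."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self):
        self.accounts = {}            # user name -> stored password hash

    def add_user(self, name: str, password: str) -> None:
        self.accounts[name] = password_hash(password)

    def verify(self, name: str, challenge: bytes, response: bytes) -> bool:
        """Step 5: compute the expected value and compare it to what arrived."""
        stored = self.accounts.get(name)
        if stored is None:
            return False
        expected = client_response(stored, challenge)
        return hmac.compare_digest(expected, response)

def ntlm_logon(dc: DomainController, name: str, password: str) -> bool:
    """The whole exchange from the client's side; returns the DC's verdict."""
    pw_hash = password_hash(password)               # step 1
    # step 2: only the user name goes to the DC, never the hash
    challenge = make_challenge()                    # step 3 (DC -> client)
    response = client_response(pw_hash, challenge)  # step 4 (client -> DC)
    return dc.verify(name, challenge, response)     # step 5

if __name__ == "__main__":
    dc = DomainController()
    dc.add_user("pkohut", "Pa55w.rd!")              # constructed sample account
    print(ntlm_logon(dc, "pkohut", "Pa55w.rd!"))    # True
    print(ntlm_logon(dc, "pkohut", "wrong"))        # False
```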
  16. User Profiles
     - A collection of settings specific to a particular user
     - Stored locally by default
       - Do not follow a user logging on to different computers
     - Can create a roaming profile
       - Does follow a user logging on to different computers
     - Administrator can create a mandatory profile
       - User cannot alter it
  17. User Profile Folders and Contents
  18. Local Profiles
     - New profiles are created from the Default User profile folder
     - User can change the local profile, and changes are stored uniquely for that user
     - Administrator can manage various elements of the profile
       - Change Type
       - Delete
       - Copy To
  19. Activity 3-2: Testing Local Profile Settings
     - Objective: configure and test a local user profile
     - Start → Administrative Tools → Active Directory Users and Computers → Users → New → User
     - Follow directions to create a new user profile
     - Explore and configure properties
     - Test by logging in as the new user
  20. Roaming Profiles
     - Roaming profiles
       - Allow a profile to be stored on a central server and follow the user
       - Provide the advantage of a single centralized location (helpful for backup)
     - Configured from the Profile page of Active Directory Users and Computers
     - Changing a profile from local to roaming requires care: copy it first
  21. Activity 3-3: Configuring and Testing a Roaming Profile
     - Objective: configure and test a roaming user profile
     - Create a shared folder, copy a local profile to the folder, and configure the properties of the user account to use the roaming folder
     - Follow directions in the book to create, configure, and test the new roaming profile
  22. Mandatory Profiles
     - Local and roaming profiles allow users to make permanent changes
     - Mandatory profiles allow changes only for a single session
     - Local and roaming profiles can both be configured as mandatory
       - ntuser.dat → ntuser.man
  23. Activity 3-4: Configuring a Mandatory Profile
     - Objective: configure and test a mandatory user profile
     - Start → My Computer
     - Follow directions to make the previously created test profile mandatory by renaming the file
     - Test that no permanent changes can be made by the user
  24. Creating and Managing User Accounts
     - Standard tool is Active Directory Users and Computers
     - Also a number of command-line tools and utilities
  25. Active Directory Users and Computers
     - Available from the Administrative Tools menu
     - Can be added to a Microsoft Management Console
     - Can be run from the command line (dsa.msc)
     - Graphical tool
       - Can add, modify, move, delete, and search for user accounts
     - Can configure multiple objects simultaneously
  26. Activity 3-5: Creating User Accounts Using Active Directory Users and Computers
     - Objective: use Active Directory Users and Computers to create user accounts
     - Start → Administrative Tools → Active Directory Users and Computers
     - Follow directions to create a number of new user accounts
  27. User Account Templates
     - A user account that is pre-configured with common settings
     - Can be copied to create new user accounts with pre-defined settings
     - The new account is then configured with detailed individual settings
  28. Activity 3-6: Creating a User Account Template
     - Objective: create a user account template and use it to create a new user account
     - Start → Administrative Tools → Active Directory Users and Computers
     - Create a new user account template
     - Use a variable that will automatically populate the profile path with the name of the user account
     - Follow directions to create and explore a new user account from the template
  29. Command Line Utilities
     - Some administrators prefer working from the command line
     - Can be used to automate the creation or management of accounts more flexibly
  30. DSADD
     - Allows object types to be added to the directory
       - Computer accounts, contacts, quotas, OUs, users, etc.
     - Syntax for a user account is
       - DSADD USER distinguished-name switches
     - Switches include
       - -pwd (password), -memberof, -email, -profile, -disabled
  31. Activity 3-7: Creating User Accounts Using DSADD
     - Objective: use the DSADD USER command to create new user accounts
     - Start → Run
     - Follow directions to enter the DSADD command
     - Check using Active Directory Users and Computers
     - Enter a new DSADD command and again check the results
  32. DSMOD
     - Allows object types to be modified from the command line
       - Computer accounts, users, quotas, OUs, servers, etc.
     - Syntax for modifying a user account is
       - DSMOD USER distinguished-name switches
     - Can modify multiple accounts simultaneously
  33. Activity 3-8: Modifying User Accounts Using DSMOD
     - Objective: modify existing user account properties using the DSMOD USER command
     - Start → Run
     - Follow directions to enter a DSMOD command for a single user
     - Check using Active Directory Users and Computers
     - Enter a new DSMOD command for multiple users
     - Check the results using Active Directory Users and Computers
  34. DSQUERY
     - Allows various object types to be queried from the command line
     - Supports the wildcard (*)
     - Output can be redirected to another command (piped)
     - Example: return all user accounts whose passwords have not changed in the last 14 days
       - dsquery user domainroot -name * -stalepwd 14
  35. DSMOVE
     - Allows various object types to be moved from their current location to a new location
     - Allows various object types to be renamed
     - Only moves within the same domain (otherwise use MOVETREE)
     - Example: move a user account into a marketing OU
       - dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
  36. DSRM
     - Allows objects to be deleted from the directory
     - Can delete a single object or an entire subtree
     - Has a confirm prompt that can be overridden
     - Example: delete the Marketing OU and all its contained objects without a confirm prompt:
       - dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
  37. Bulk Import and Export
     - Allows an organization to import existing stores of data rather than recreating them from scratch
     - Allows an organization to export data that is already structured in Active Directory to secondary databases
     - Two command-line utilities for import and export
       - CSVDE
       - LDIFDE
  38. CSVDE
     - Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
     - CSV files can be created and edited using text-based editors
     - Example (export to the file named by -f):
       - csvde -f output.csv
  39. LDIFDE
     - Command-line tool to bulk export and import Active Directory data to and from LDIF files
       - LDAP Data Interchange Format
       - Industry standard for information in LDAP directories
       - Each attribute/value pair on a separate line, with blank lines between objects
     - Can be read in text-based editors
     - Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
  40. Activity 3-9: Exporting Active Directory Users Using LDIFDE
     - Objective: export Active Directory user accounts using LDIFDE
     - Start → Run
     - Follow directions to enter the LDIFDE command
     - Check the exported results using the Notepad editor
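The LDIF layout that LDIFDE reads and writes (one attribute per line, a blank line between objects), as an added Python example that is not part of the slides: it writes user records as LDIF and parses them back, including the base64 "::" form for values that are not plain ASCII and the folding of long lines onto space-prefixed continuation lines. The user records and base DN are constructed samples.

```python
import base64
import re

# Writer and reader for the LDIF format that LDIFDE consumes and produces:
# one "attribute: value" per line, a blank line between objects, values that
# are not plain printable ASCII carried as base64 after "::", and long lines
# folded onto continuation lines that begin with a single space.
# Added example, not LDIFDE itself; the users fed to it are constructed.

SAFE = re.compile(r"^[\x01-\x09\x0b\x0c\x0e-\x7f]*$")   # ASCII without NUL, CR, LF

def ldif_line(attr: str, value: str, width: int = 76) -> str:
    if not value or not SAFE.match(value) or value[0] in " :<":
        line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"
    else:
        line = f"{attr}: {value}"
    # fold: first piece up to width chars, each continuation is a space + width-1
    pieces = [line[:width]] + [" " + line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return "\n".join(pieces)

def user_entry(cn: str, sam: str, base_dn: str, **attrs: str) -> str:
    """One 'changetype: add' record for a user in the default Users container."""
    fields = [("dn", f"cn={cn},cn=Users,{base_dn}"), ("changetype", "add"),
              ("objectClass", "user"), ("cn", cn), ("sAMAccountName", sam)]
    fields += list(attrs.items())
    return "\n".join(ldif_line(a, v) for a, v in fields) + "\n"

def to_ldif(users: list, base_dn: str) -> str:
    return "\n".join(user_entry(base_dn=base_dn, **u) for u in users)

def parse_ldif(text: str) -> list:
    """Read LDIF back into dicts: unfold, decode '::' values, split on blanks."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).split("\n"):
        if line.startswith("#"):          # LDIF comment line
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):
            current[attr] = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            current[attr] = rest.strip()
    if current:
        entries.append(current)
    return entries
```

Multi-valued attributes (several objectClass lines, for instance) would need a list per attribute; the parser above keeps the last value to stay short.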
  41. Troubleshooting User Account and Authentication Issues
     - Normally creating and configuring user accounts is straightforward
     - Issues do arise related to
       - Configuration of the account
       - Policy settings
  42. Account Policies
     - Authentication-related policy settings
       - Configured in the Account Policies node of Group Policy objects at the domain level
       - Account lockout, passwords, Kerberos
     - Default Domain Policy
       - Accessed from Active Directory Users and Computers
       - Configures policies for all domain users
  43. Password Policy
     - Configuration settings
       - Password history and reuse
       - Maximum password age
       - Minimum password age
       - Minimum password length
       - Complexity requirements
       - Encryption policy
  44. Account Lockout Settings
     - Configuration settings
       - Account lockout duration
       - Account lockout threshold
       - Reset account lockout counter after
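How the three settings interact, as an added Python model that is not from the slides: the threshold counts failed attempts, the reset window clears the counter when failures stop, and the duration decides whether a locked account unlocks on its own (a duration of 0 keeps it locked until an administrator unlocks it). The policy values and the account are constructed samples.

```python
import time

# Model of the three Account Lockout settings on slide 44, written the way the
# authenticating server has to apply them.  Added example in plain Python, not
# Windows code; units follow the policy editor (minutes, failed attempts).

class LockoutPolicy:
    def __init__(self, threshold=5, duration_min=30, reset_after_min=30):
        self.threshold = threshold                 # Account lockout threshold (0 = never lock)
        self.duration = duration_min * 60          # Account lockout duration (0 = until admin unlocks)
        self.reset_after = reset_after_min * 60    # Reset account lockout counter after

class AccountState:
    def __init__(self):
        self.bad_count, self.last_bad, self.locked_at = 0, None, None

class Authenticator:
    def __init__(self, policy: LockoutPolicy, passwords: dict, now=time.time):
        self.policy, self.passwords, self.now = policy, passwords, now
        self.state = {}

    def is_locked(self, user: str) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if self.policy.duration and self.now() - st.locked_at >= self.policy.duration:
            st.locked_at, st.bad_count = None, 0   # duration elapsed: unlocks on its own
            return False
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator, the fix listed on slide 47."""
        self.state[user] = AccountState()

    def logon(self, user: str, password: str) -> str:
        st = self.state.setdefault(user, AccountState())
        if self.is_locked(user):
            return "locked"                 # even the right password is refused while locked
        if st.last_bad is not None and self.now() - st.last_bad >= self.policy.reset_after:
            st.bad_count = 0                # observation window passed: counter starts over
        if self.passwords.get(user) == password:
            st.bad_count = 0                # a good logon clears the counter
            return "ok"
        st.bad_count, st.last_bad = st.bad_count + 1, self.now()
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = self.now()
            return "locked"
        return "bad-password"
```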
  45. Kerberos Policy
     - Configuration settings
       - Enforce user logon restrictions
       - Maximum lifetime for service ticket
       - Maximum lifetime for user ticket
       - Maximum lifetime for user ticket renewal
       - Maximum tolerance for computer clock synchronization
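An added example (not from the slides) that ties the Kerberos v5 flow of slides 12-13 to the Kerberos Policy values on this slide: a Python model in which the KDC issues a TGT and then a service ticket, enforces the clock-skew tolerance at logon, and caps each ticket's lifetime. Tickets are HMAC-sealed rather than encrypted, which is a simplification; the keys, the account and the service name are constructed.

```python
import hashlib, hmac, json, time

# Simplified model of the Kerberos v5 flow on slides 12-13, checked against the
# Kerberos Policy values on slide 45.  Tickets are sealed with an HMAC under the
# key of the party that will check them; real Kerberos encrypts them with that
# key instead, so the client cannot read them either.  Keys are constructed.

POLICY = {"user_ticket_hours": 10, "service_ticket_minutes": 600, "clock_skew_minutes": 5}  # 2003 defaults

def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def unseal(key: bytes, ticket: dict) -> dict:
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(ticket["body"])

def user_key(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

class KDC:   # every domain controller holds the Key Distribution Center role
    def __init__(self, now=time.time):
        self.now = now
        self.krbtgt_key = b"kdc-long-term-key"
        self.users = {"pkohut": user_key("Pa55w.rd!")}
        self.services = {"cifs/fs01": b"fs01-service-key"}

    def as_exchange(self, user: str, authenticator: dict) -> dict:   # logon request -> TGT
        ts = unseal(self.users[user], authenticator)["timestamp"]    # pre-auth: keyed timestamp
        if abs(self.now() - ts) > POLICY["clock_skew_minutes"] * 60:
            raise ValueError("client clock outside policy tolerance")
        expires = self.now() + POLICY["user_ticket_hours"] * 3600
        return seal(self.krbtgt_key, {"user": user, "expires": expires})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:   # TGT -> service ticket
        t = unseal(self.krbtgt_key, tgt)
        if self.now() > t["expires"]:
            raise ValueError("TGT expired: user must log on again")
        expires = min(t["expires"], self.now() + POLICY["service_ticket_minutes"] * 60)
        return seal(self.services[service], {"user": t["user"], "expires": expires})

def service_accepts(service_key: bytes, ticket: dict, now=time.time) -> str:
    t = unseal(service_key, ticket)          # the host server checks the ticket it was handed
    if now() > t["expires"]:
        raise ValueError("service ticket expired")
    return t["user"]

def logon_and_access(password: str, client_now=time.time, kdc_now=time.time) -> str:
    """Whole flow from the client's side; returns the user name or 'denied: <why>'."""
    kdc = KDC(kdc_now)
    try:
        tgt = kdc.as_exchange("pkohut", seal(user_key(password), {"timestamp": client_now()}))
        ticket = kdc.tgs_exchange(tgt, "cifs/fs01")
        return service_accepts(kdc.services["cifs/fs01"], ticket, kdc_now)
    except ValueError as why:
        return f"denied: {why}"
```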
  46. Auditing Authentication
     - Audit account logon events
       - Configured in the Group Policy object linked to the Domain Controllers OU (Default Domain Controllers Policy)
     - Default is to log only successful logons
     - Events are viewable in the Security log (use Event Viewer)
     - Can choose to audit failed logons
       - May be helpful for troubleshooting
       - Codes provide information about the type of failure
  47. Resolving Logon Issues
     - Some common logon issues (and fixes)
       - Incorrect user name or password (administrative reset)
       - Account lockout (manual unlock)
       - Account disabled (administrative enable)
       - Logon hour restrictions (check account restrictions)
       - Workstation restrictions (check account restrictions)
       - Domain controllers (check configured DNS settings)
       - Client time settings (check client clock synchronization)
  48. Resolving Logon Issues (continued)
     - Down-level client issues (install Active Directory Client Extensions)
     - UPN logon issues (check Global Catalog server)
     - Unable to log on locally (set policy on local server)
     - Remote access logon issues (check access on Dial-up properties)
     - Terminal Services logon issues (check the allow logon to terminal server permission)
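An added example (not from the slides) of the troubleshooting step on slides 46-48: a Python triage that maps failed-logon event IDs and Kerberos pre-authentication failure codes from a Windows 2000/2003 Security log to the cause and fix listed on slide 47, and flags a user whose run of bad-password failures has reached the lockout range. The one-line-per-event layout and the records in SAMPLE_LOG are constructed.

```python
import re

# Triage of failed-logon records against the causes and fixes on slides 47-48.
# The event IDs and Kerberos failure codes are the ones Windows 2000/2003 writes;
# the one-line-per-event layout and the records in SAMPLE_LOG are constructed.

LOGON_FAILURES = {            # "logon events", recorded by the receiving machine
    529: ("bad user name or password", "administrative reset"),
    530: ("logon hour restriction", "check account restrictions"),
    531: ("account disabled", "administrative enable"),
    533: ("workstation restriction", "check account restrictions"),
    535: ("password expired", "administrative reset"),
    539: ("account locked out", "manual unlock"),
}
KERBEROS_PREAUTH = {          # event 675, "account logon events" on a domain controller
    "0x18": ("bad user name or password", "administrative reset"),
    "0x12": ("account disabled, expired or locked out", "check account status"),
    "0x17": ("password expired", "administrative reset"),
}
RECORD = re.compile(r"EventID=(?P<id>\d+)\s+User=(?P<user>\S+)"
                    r"(?:\s+FailureCode=(?P<code>0x[0-9a-fA-F]+))?")
SAMPLE_LOG = """\
2003-06-12 08:01:14 EventID=675 User=pkohut FailureCode=0x18
2003-06-12 08:01:19 EventID=675 User=pkohut FailureCode=0x18
2003-06-12 08:01:23 EventID=675 User=pkohut FailureCode=0x18
2003-06-12 08:01:30 EventID=675 User=pkohut FailureCode=0x18
2003-06-12 08:01:36 EventID=675 User=pkohut FailureCode=0x18
2003-06-12 08:01:41 EventID=539 User=pkohut
2003-06-12 08:05:02 EventID=531 User=jsmith
2003-06-12 08:06:10 EventID=528 User=mlee
"""

def classify(record: str):
    """(user, cause, fix) for a failure record; None for successes and noise."""
    m = RECORD.search(record)
    if not m:
        return None
    event_id, user, code = int(m["id"]), m["user"], m["code"]
    if event_id == 675 and code in KERBEROS_PREAUTH:
        cause, fix = KERBEROS_PREAUTH[code]
    elif event_id in LOGON_FAILURES:
        cause, fix = LOGON_FAILURES[event_id]
    else:
        return None
    return user, cause, fix

def triage(log: str, burst: int = 5):
    """Per-user counts of each cause (with its fix), plus the users whose
    bad-password count reached `burst`, the pattern that precedes a lockout."""
    report, flagged = {}, set()
    for record in log.splitlines():
        hit = classify(record)
        if hit is None:
            continue
        user, cause, fix = hit
        slot = report.setdefault(user, {}).setdefault(cause, {"count": 0, "fix": fix})
        slot["count"] += 1
        if cause == "bad user name or password" and slot["count"] >= burst:
            flagged.add(user)
    return report, flagged
```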
  49. Summary
     - A user account is an object stored in Active Directory
       - Information that defines the user and access to the network
     - Primary tools to create and manage user accounts
       - Active Directory Users and Computers
       - Command-line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
     - Two main authentication processes
       - Interactive authentication
       - Network authentication
  50. Summary (continued)
     - Two main authentication protocols
       - Kerberos v5, NTLM
     - User profiles are used to configure and customize the desktop environment
       - Local, roaming, mandatory
     - Utilities for bulk importing and exporting user data to and from Active Directory
       - LDIFDE and CSVDE
