Network Implementation and Support Lesson 03 User Accounts - Eric Vanderburg

Slide 1: Network Implementation & Support
Chapter 3: User Accounts
Eric Vanderburg © 2006

Slide 2: User Accounts
• Used for assigning permissions
• Customizing environment & settings
• Tracking usage
• Should adhere to naming conventions
• Strong passwords
• One for each person
• Two for administrators

Slide 3: Adding & Changing Accounts
• Active Directory Users & Computers
  – Create users & groups
  – Disable accounts
  – Change account properties
  – Change group membership

Slide 4: Property Tabs
• General – personal info
• Address – more personal info
• Account – logon name, domain, expiration date, hours, computer to log on from
• Profile – scripts, shared home folders
• Telephones
• Organization – title, dept, company, manager

Slide 5: Property Tabs
• Member Of – groups
• Dial-in – VPN & dial-up permissions
• Environment – Terminal Services programs to run at startup
• Sessions – Terminal Services drop times, reconnection times
• Remote Control – view options for Terminal Services sessions
• Terminal Services Profile
• COM+ – allows app filtering by setting a COM+ partition for the user

Slide 6: Authentication
• Verify identity
• Submit credentials
  – Username/password
  – Smart card
  – Biometrics
• Interactive authentication – use the logon screen
• Network authentication – takes place when network resources are accessed

Slide 7: Kerberos
• Authentication method (Win2k & 2k3 default)
• Based on RFC 1510
• Uses Kerberos version 5

Slide 8: Kerberos Components
• KDC (Key Distribution Center)
  – AS (Authentication Service)
    • Verifies identity through AD
    • Gives a TGT (Ticket Granting Ticket), which gives access to certain resources
  – TGS (Ticket-Granting Service)
    • Verifies the TGT
    • Creates a service ticket & session key for a resource based on the TGT. The client can present the service ticket to another server to access its content. NOTE: servers have tickets too.
    • Only services its own domain. Must refer to another TGS for interdomain resource access (gives a referral ticket)
• Server with the desired resource
• Client

Slide 9: Kerberos
• Delegation with forwarding and proxy – for a server such as a database server to access resources on your behalf (given a proxy or forwarding ticket)
• NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time, so all clocks must be the same.
• Replaces NTLM (NT LAN Manager) & NTLMv2 – still used with pre-2k clients
  – Challenge – 16 bit random number (seeds the hash)
  – Hashes password
  – Hashes are compared
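The AS/TGS/resource-server exchange on slides 8 and 9, together with the ticket-lifetime and clock-skew knobs from the Kerberos Policy on slide 17, as an added Python model. This is not code from the slides, the course, or any Windows component: sealing uses HMAC in place of real Kerberos encryption (integrity only, bodies stay readable), keys are random rather than derived from AD passwords, and the realm, principal names, policy values and the KDC/server functions are all constructed for the example. What it shows is the shape of the protocol: the KDC never talks to the resource server, the server checks the ticket with its own long-term key, a tampered ticket or a request for a service outside the realm is refused, and an authenticator whose timestamp falls outside the skew tolerance is rejected, which is why the slides insist on NTP.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins for the slide 17 Kerberos Policy knobs (not Windows defaults).
TGT_MAX_LIFETIME = 10 * 3600            # "User ticket max lifetime" (TGT life)
SERVICE_TICKET_MAX_LIFETIME = 2 * 3600  # "Service ticket max lifetime"
CLOCK_SKEW_TOLERANCE = 5 * 60           # "Tolerance of computer clock sync"


def seal(key: bytes, payload: dict) -> dict:
    """Bind a ticket or authenticator to a key with HMAC-SHA256. Real Kerberos encrypts
    these structures; this toy stand-in gives integrity only, so bodies are readable,
    but nobody without the key can forge or alter one."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(key: bytes, sealed: dict) -> dict:
    """Check the MAC under `key` and return the payload, or refuse."""
    body = bytes.fromhex(sealed["body"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise PermissionError("integrity check failed: wrong key or altered ticket")
    return json.loads(body)


def authenticator(session_key: bytes, client: str, now: float) -> dict:
    """Proof that the presenter holds the session key; the timestamp is what the
    clock-skew tolerance is checked against (hence the NTP requirement)."""
    return seal(session_key, {"client": client, "timestamp": now})


def check_window(start: float, end: float, now: float, what: str) -> None:
    if not start <= now <= end:
        raise PermissionError(f"{what} is outside its validity window")


class KDC:
    """AS and TGS for one realm. In a domain the long-term keys come from AD."""

    def __init__(self, realm: str, long_term_keys: dict):
        self.realm = realm
        self.keys = dict(long_term_keys)  # principal -> long-term key
        self.tgs_key = os.urandom(32)     # krbtgt key that seals every TGT

    def as_exchange(self, client: str, now: float):
        """AS: identify the client, return a TGT and the TGT session key.
        (A real AS-REP wraps the session key under the client's key; the toy returns it.)"""
        if client not in self.keys:
            raise PermissionError(f"unknown principal {client}")
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "realm": self.realm,
                                  "session_key": session_key.hex(),
                                  "start": now, "end": now + TGT_MAX_LIFETIME})
        return tgt, session_key

    def tgs_exchange(self, tgt: dict, auth: dict, service: str, now: float):
        """TGS: verify the TGT and authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        check_window(t["start"], t["end"], now, "TGT")
        a = unseal(bytes.fromhex(t["session_key"]), auth)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        if abs(a["timestamp"] - now) > CLOCK_SKEW_TOLERANCE:
            raise PermissionError("clock skew exceeds tolerance")
        if service not in self.keys:  # a TGS only services its own domain
            raise LookupError(f"{service} not in realm {self.realm}: referral ticket needed")
        svc_session_key = os.urandom(32)
        ticket = seal(self.keys[service], {
            "client": t["client"], "service": service, "session_key": svc_session_key.hex(),
            "start": now, "end": min(now + SERVICE_TICKET_MAX_LIFETIME, t["end"])})
        return ticket, svc_session_key


def server_accepts(service_key: bytes, ticket: dict, auth: dict, now: float) -> str:
    """Resource server side (AP-REQ): verifies with its own key and never asks the KDC."""
    t = unseal(service_key, ticket)
    check_window(t["start"], t["end"], now, "service ticket")
    a = unseal(bytes.fromhex(t["session_key"]), auth)
    if a["client"] != t["client"] or abs(a["timestamp"] - now) > CLOCK_SKEW_TOLERANCE:
        raise PermissionError("authenticator rejected")
    return t["client"]


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Happy path plus the failure modes the slides name. All names are constructed."""
    keys = {"evanderburg": os.urandom(32), "host/db.example.test": os.urandom(32)}
    kdc, svc, user = KDC("EXAMPLE.TEST", keys), "host/db.example.test", "evanderburg"
    tgt, tgt_key = kdc.as_exchange(user, now)
    ticket, svc_key = kdc.tgs_exchange(tgt, authenticator(tgt_key, user, now), svc, now)
    results = {"ok": server_accepts(keys[svc], ticket, authenticator(svc_key, user, now), now)}
    late = now + TGT_MAX_LIFETIME + 1
    cases = {
        "skew": lambda: kdc.tgs_exchange(tgt, authenticator(tgt_key, user, now + 600), svc, now),
        "expired_tgt": lambda: kdc.tgs_exchange(tgt, authenticator(tgt_key, user, late), svc, late),
        "other_realm": lambda: kdc.tgs_exchange(tgt, authenticator(tgt_key, user, now), "host/fs.other.test", now),
        "wrong_key": lambda: server_accepts(os.urandom(32), ticket, authenticator(svc_key, user, now), now),
    }
    for name, fn in cases.items():
        try:
            fn()
            results[name] = "accepted"
        except (PermissionError, LookupError) as exc:
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Running the block prints the outcome of each scenario: only the properly authenticated request reaches `server_accepts`; the skewed authenticator, expired TGT, foreign-realm service and wrong server key are all refused before any resource is touched.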

Slide 10: Profiles
• Local profiles
• Roaming profiles
• Mandatory profiles
  – Change ntuser.dat to ntuser.man
• Default profile – for new accounts
• All Users profile – for existing accounts
• Profile properties – System Properties → User Profiles → Settings

Slide 11: Profile Folder
• Application Data
• Cookies
• Desktop
• Favorites
• Local Settings – app data, history, temp
• My Recent Documents
• NetHood – My Network Places
• PrintHood – Printers folder
• SendTo – program shell registrations
• Start Menu – shortcuts
• Templates

Slide 12: User Template
• Configure with common settings
• Copy when new users are added
• Disable the template!

Slide 13: Command Line
• Dsadd – create users
  – dsadd user "cn=Eric Vanderburg, ou=faculty, dc=RemingtonCollege, dc=edu" -pwd password -memberof administrators -email evanderburg@gmail.com -disabled no
• Dsmod – change properties & settings
  – dsmod user "cn=Eric Vanderburg, ou=faculty, dc=RemingtonCollege, dc=edu" -phone "440-3762398"
• Dsquery – search
  – dsquery user "dc=RemingtonCollege, dc=edu"

Slide 14: Command Line
• Dsmove – change location
  – dsmove "current ldap location" -newparent "new ldap location"
• Dsrm – delete users, groups
  – dsrm "ldap location" -noprompt
  – dsrm -subtree -c "ldap location" -noprompt
• Dsget user "ldap" -memberof – find the groups a user belongs to

Slide 15: Command Line
• CSVDE – export AD info to CSV file
• LDIFDE – export AD info to LDIF (LDAP Interchange Format) file
• Redirection
  – Send data out: >
  – Append: >>
  – Bring data in: <
  – Make output input: cmd1 | cmd2 (ex: | more)
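The dsadd/dsmod examples on slide 13 and the CSV/LDIF import tools on slide 15, as an added Python helper that is not code from the slides or from Microsoft's directory tools. It builds the ds* argument lists and an LDIF add record from a user record, escaping the DN per RFC 4514 and base64-encoding LDIF values that are unsafe as plain text. The switches used (-pwd, -memberof, -email, -disabled, -phone) are the ones on slide 13; `-pwd *` is dsadd's own prompt-for-password form. The OU and group DNs, the user "Smith, Jane" and the e-mail address are constructed. Two things to notice: a comma in a display name changes the structure of the DN unless it is escaped, and a cleartext password on the command line, as in the slide's dsadd example, ends up in shell history and process listings, which the prompt form avoids.

```python
import base64

# RFC 4514: these characters must be backslash-escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot change the shape of the DN.
    Without this, a CN such as 'Smith, Jane' is read as two RDNs."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):               # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def user_dn(cn: str, container_dn: str) -> str:
    """The user DN the ds* tools take as their first argument."""
    return f"CN={escape_dn_value(cn)},{container_dn}"


def dsadd_user_argv(dn: str, group_dns=(), email: str = "", disabled: bool = False) -> list:
    """argv for `dsadd user` with the switches shown on slide 13. `-pwd *` makes dsadd
    prompt for the password instead of taking it on the command line. Hand the list to
    subprocess.run() as-is: no shell, so no re-quoting of the DN."""
    argv = ["dsadd", "user", dn, "-pwd", "*"]
    if group_dns:
        argv += ["-memberof", *group_dns]   # -memberof takes group DNs, not bare names
    if email:
        argv += ["-email", email]
    argv += ["-disabled", "yes" if disabled else "no"]
    return argv


def dsmod_user_argv(dn: str, **switches: str) -> list:
    """argv for `dsmod user`, e.g. dsmod_user_argv(dn, phone="440-3762398")."""
    argv = ["dsmod", "user", dn]
    for name, value in switches.items():
        argv += [f"-{name}", value]
    return argv


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; uses the base64 ('::') form when the value is not safe
    as plain text (non-ASCII, leading space/colon/'<', or trailing space)."""
    unsafe = not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" ")
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def ldif_add_user(dn: str, cn: str, sam: str, given: str, sn: str, mail: str) -> str:
    """An LDIF 'add' record of the kind `ldifde -i -f file.ldf` imports.
    userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the account is
    created disabled, like the slide 12 template, and enabled once a password is set."""
    lines = [ldif_attr("dn", dn), "changetype: add"]
    lines += [f"objectClass: {c}" for c in ("top", "person", "organizationalPerson", "user")]
    lines += [ldif_attr("cn", cn), ldif_attr("sAMAccountName", sam), ldif_attr("givenName", given),
              ldif_attr("sn", sn), ldif_attr("mail", mail), "userAccountControl: 514"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ou = "OU=faculty,DC=RemingtonCollege,DC=edu"         # container from the slide
    dn = user_dn("Smith, Jane", ou)                       # constructed user, comma in the name
    group = "CN=Faculty,OU=groups,DC=RemingtonCollege,DC=edu"   # constructed group DN
    print(dsadd_user_argv(dn, [group], "jsmith@example.test"))
    print(dsmod_user_argv(dn, phone="440-3762398"))
    print(ldif_add_user(dn, "Smith, Jane", "jsmith", "Jane", "Smith", "jsmith@example.test"))
```

Feeding a CSV of new hires through `ldif_add_user` gives one LDIF file for a single `ldifde -i` run, with every DN escaped the same way, which is the safe counterpart of hand-typing dsadd lines per user.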

Slide 16: Account Policies
• Right-click on an object (SDOU)
• Select Properties → Group Policy
• You will see the object link; click Edit
• Under Computer → Windows → Security → Account Policies

Slide 17: Account Policies
• Password policies (history, age, length, complexity, encryption)
• Account lockout
  – Duration – length of lockout
  – Threshold – how many bad passwords lock out
  – Reset counter – grace period
• Kerberos policy
  – Enforce logon restrictions – check logon every time
  – Service ticket max lifetime
  – User ticket max lifetime – TGT life
  – Tolerance of computer clock sync

Slide 18: Auditing
• Audit account logon events
• Computer → Windows → Security → Local Policies → Audit Policy → Audit Account Logon Events
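The Account Lockout settings on slide 17 and the logon auditing on slide 18, as an added Python model that is not code from the slides or from Windows. It applies the threshold, reset-counter and duration semantics to a constructed stream of logon attempts and reports per-user outcomes the way an "Audit account logon events" policy lets you see them in the Security log. The policy values, user names and timestamps are constructed; the rule that a duration of 0 keeps the account locked until an administrator unlocks it follows the Windows setting of the same name.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NEVER_AUTO_UNLOCK = timedelta(0)   # Windows semantic: duration 0 = locked until an admin unlocks


@dataclass
class LockoutPolicy:
    """The three Account Lockout settings from slide 17. Values here are constructed."""
    threshold: int = 5                                  # bad passwords before lockout; 0 = never lock
    reset_counter: timedelta = timedelta(minutes=30)    # grace period after which the bad count resets
    duration: timedelta = timedelta(minutes=30)         # how long the lockout lasts


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


class LockoutTracker:
    """Applies a LockoutPolicy to logon attempts fed in timestamp order."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = defaultdict(AccountState)

    def _is_locked(self, st: AccountState, now: datetime) -> bool:
        if st.locked_at is None:
            return False
        if self.policy.duration == NEVER_AUTO_UNLOCK or now < st.locked_at + self.policy.duration:
            return True
        st.locked_at, st.bad_count, st.last_bad = None, 0, None   # duration elapsed: auto-unlock
        return False

    def attempt(self, user: str, good_password: bool, now: datetime) -> str:
        st = self.accounts[user]
        if self._is_locked(st, now):
            return "rejected_locked"          # even a correct password is refused while locked
        if good_password:
            st.bad_count, st.last_bad = 0, None
            return "success"
        if st.last_bad is not None and now - st.last_bad > self.policy.reset_counter:
            st.bad_count = 0                  # reset counter expired: start counting afresh
        st.bad_count, st.last_bad = st.bad_count + 1, now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now
            return "locked_out"
        return "failure"

    def unlock(self, user: str) -> None:
        """What 'Unlock account' in Active Directory Users & Computers does."""
        self.accounts[user] = AccountState()


def audit_account_logon(events, policy: LockoutPolicy) -> list:
    """Feed (time, user, good_password) events through the tracker, oldest first, and
    return (time, user, outcome) rows: the Success/Failure view that auditing account
    logon events gives you, plus the lockout transitions the tracker sees."""
    tracker = LockoutTracker(policy)
    return [(t, user, tracker.attempt(user, ok, t)) for t, user, ok in sorted(events)]


def lockout_report(audited) -> dict:
    """Per-user outcome counts: the first thing to check when someone reports a lockout."""
    report = defaultdict(Counter)
    for _, user, outcome in audited:
        report[user][outcome] += 1
    return {user: dict(c) for user, c in report.items()}


T0 = datetime(2006, 9, 1, 8, 0)
EVENTS = [  # constructed sample: alice trips the threshold, bob's counter resets between bursts
    *[(T0 + timedelta(minutes=i), "alice", False) for i in range(5)],
    (T0 + timedelta(minutes=5), "alice", True),    # right password, but inside the lockout duration
    (T0 + timedelta(minutes=40), "alice", True),   # duration elapsed, account auto-unlocked
    (T0, "bob", False), (T0 + timedelta(minutes=1), "bob", False),
    (T0 + timedelta(minutes=35), "bob", False),    # more than reset_counter since the last failure
    (T0 + timedelta(minutes=36), "bob", True),
]


def admin_unlock_demo() -> list:
    """With duration 0 the account stays locked until unlock() is called."""
    tr = LockoutTracker(LockoutPolicy(threshold=2, duration=NEVER_AUTO_UNLOCK))
    out = [tr.attempt("carol", False, T0), tr.attempt("carol", False, T0 + timedelta(minutes=1)),
           tr.attempt("carol", True, T0 + timedelta(days=1))]
    tr.unlock("carol")
    return out + [tr.attempt("carol", True, T0 + timedelta(days=1))]


if __name__ == "__main__":
    rows = audit_account_logon(EVENTS, LockoutPolicy())
    for t, user, outcome in rows:
        print(f"{t:%H:%M} {user:6} {outcome}")
    print(lockout_report(rows))
```

The report makes the interaction between the three settings visible: alice's fifth failure locks the account and her correct password at minute 5 is still refused, while bob's third failure at minute 35 does not lock him out because the reset counter had already cleared his earlier two.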

Slide 19: Acronyms
• KDC, Key Distribution Center
• NTLM, NT LAN Manager
• TGT, Ticket Granting Ticket
• TGS, Ticket Granting Service
