Managing a Microsoft Windows Server 2003 Environment
Chapter 3: Creating and Managing User Accounts
Objectives
• Understand the purpose of user accounts
• Understand the user authentication process
• Understand and configure local, roaming, and mandatory user profiles
• Configure and modify user accounts using different methods
• Troubleshoot user account and authentication problems
Introduction to User Accounts
• A user account is an Active Directory object
• Represents information that defines a user with access to the network (first name, last name, password, etc.)
• Required for anyone using resources on the network
• Assists in administration and security
• Must follow organizational standards
User Account Properties
• Primary tool for creating and managing accounts is Active Directory Users and Computers
• Active Directory is extensible, so additional tabs may be added to property pages
• Major account properties that can be set include:
  • General
  • Address
  • Account
  • Profile
  • Sessions
Activity 3-1: Reviewing User Account Properties
• Objective is to review properties of user accounts through the main tabs of Active Directory Users and Computers
• Start → Administrative Tools → Active Directory Users and Computers → Users → AdminXX account → Properties
• Explore tabs and values as directed
The Account Tab of Properties
(figure slide; no text content)
User Authentication
• The process by which a user’s identity is validated
• Used to grant or deny access to network resources
• From a client operating system
  • Name, password, resource required
• In an Active Directory environment
  • Domain controller authenticates
• In a workgroup
  • Local SAM database authenticates
Authentication Methods
• Two main processes
  • Interactive authentication
    • User account information is supplied at logon
  • Network authentication
    • User’s credentials are confirmed for network access
Interactive Authentication
• The process by which a user provides a user name and password for authentication
• For domain logon, credentials are compared to the centralized Active Directory database
• For local logon, credentials are compared to the local SAM database
• In domain environments, users normally don’t have local accounts
Network Authentication
• The process by which a network service confirms the identity of a user
• For a user who logs on to the domain, network authentication is transparent
  • Credentials from interactive authentication are valid for network resources
• A user who logs on to the local computer will be prompted to log on to a network resource separately
Authentication Protocols
• Windows Server 2003 supports two main authentication protocols:
  • Kerberos version 5 (Kerberos v5)
  • NT LAN Manager (NTLM)
• Kerberos v5 is the primary protocol for Active Directory environments but is not supported on all client systems
• NTLM is the primary protocol for older Microsoft operating systems
Kerberos v5
• Primary authentication protocol used in Active Directory domain environments
• Supported by Windows 2000, Windows XP, Windows Server 2003
• Protocol followed:
  • Logon request passed to the Key Distribution Center (KDC), a Windows Server 2003 domain controller
  • KDC authenticates the user and, if valid, issues a ticket-granting ticket (TGT) to the client system
Kerberos v5 (continued)
  • When the client requests a network resource, it presents the TGT to the KDC
  • KDC issues a service ticket to the client
  • Client presents the service ticket to the host server for the network resource
• Every domain controller in an Active Directory environment holds the role of KDC
• Not all clients follow this protocol
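The following Python program is an added example, not part of the course slides, that models the three Kerberos exchanges just listed: logon request to the KDC, TGT presented for a service ticket, service ticket presented to the host server. The user name "alice", the sample password, the service name "cifs/fileserver.domain01.dovercorp.net", the 600-second ticket lifetime and the toy seal/unseal construction (HMAC-SHA256 keystream plus an HMAC tag, used so the program needs only the standard library) are all assumptions of the demonstration; real Kerberos uses standardized encryption types and ticket formats. What the model makes visible is why the client can neither read nor forge a TGT (it is sealed under a key only the KDC holds), why the host server never contacts the KDC (it opens the service ticket with its own key), and how ticket lifetime and clock skew, the Kerberos policy settings later in this chapter, cause a logon to fail.

```python
"""Toy model of the Kerberos v5 ticket flow on the two Kerberos slides.

Added example, not code from the course materials. The seal()/unseal()
functions are a labelled stand-in for Kerberos encryption so the example
runs on the standard library; ticket structure and names are simplified.
"""
import hashlib
import hmac
import json
import os
import time

SKEW_TOLERANCE = 300  # seconds; plays the "maximum tolerance for computer clock synchronization" setting


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a small dict under key (toy construction, not the Kerberos wire format)."""
    nonce = os.urandom(16)
    plain = json.dumps(obj, sort_keys=True).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key, blob):
    """Check the tag, then decrypt. ValueError means a wrong key or an altered ticket."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


def derive_key(password):
    # Long-term key from the password (toy KDF; Kerberos uses a string-to-key function per enctype).
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """The KDC role every domain controller holds: knows the long-term keys of users and services."""

    def __init__(self, user_keys, service_keys, ticket_lifetime=600):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.krbtgt_key = os.urandom(32)  # known only to the KDC; every TGT is sealed under it
        self.ticket_lifetime = ticket_lifetime

    def logon(self, user, authenticator):
        """First exchange: client proves it knows its key; KDC returns a TGT plus the session key."""
        if user not in self.user_keys:
            raise PermissionError("unknown user")
        ts = unseal(self.user_keys[user], authenticator)["ts"]  # wrong password -> ValueError
        if abs(time.time() - ts) > SKEW_TOLERANCE:
            raise PermissionError("client clock too far from the domain controller")
        session_key = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "skey": session_key,
                                     "exp": time.time() + self.ticket_lifetime})
        return tgt, seal(self.user_keys[user], {"skey": session_key})

    def service_ticket(self, tgt, service):
        """Second exchange: client presents the TGT; KDC issues a ticket sealed under the service key."""
        t = unseal(self.krbtgt_key, tgt)  # the client could neither read nor forge this
        if time.time() > t["exp"]:
            raise PermissionError("TGT expired; the user must log on again")
        if service not in self.service_keys:
            raise PermissionError("unknown service")
        return seal(self.service_keys[service],
                    {"user": t["user"], "exp": time.time() + self.ticket_lifetime})


def service_accepts(service_key, ticket):
    """Third exchange: the host server opens the ticket with its own key and never asks the KDC."""
    t = unseal(service_key, ticket)
    if time.time() > t["exp"]:
        raise PermissionError("service ticket expired")
    return t["user"]


def demo(password="P@ssw0rd-demo", lifetime=600, client_skew=0):
    """Run the whole flow for the constructed user 'alice'; returns the name the file server sees."""
    service = "cifs/fileserver.domain01.dovercorp.net"  # assumed service principal name
    kdc = KDC({"alice": derive_key("P@ssw0rd-demo")}, {service: os.urandom(32)}, lifetime)
    client_key = derive_key(password)  # what the client derives from what the user typed
    tgt, reply = kdc.logon("alice", seal(client_key, {"ts": time.time() + client_skew}))
    unseal(client_key, reply)  # client recovers the session key for later use
    return service_accepts(kdc.service_keys[service], kdc.service_ticket(tgt, service))


if __name__ == "__main__":
    print(demo())  # alice
```

Running `demo()` with the wrong password fails at the first exchange, before any ticket exists; a negative lifetime fails at the second exchange, and a client clock more than `SKEW_TOLERANCE` seconds off fails at the first, which is the failure mode the "client time settings" troubleshooting item refers to.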
NTLM
• A challenge-response protocol
• Used with operating systems running Windows NT 4.0 or earlier, or with Windows 2000 or Server 2003 when necessary
• Protocol followed:
  • User logs in; client calculates a cryptographic hash of the password
  • Client sends the user name to the domain controller
NTLM (continued)
  • Domain controller generates a random challenge and sends it to the client
  • Client encrypts the challenge with the hash of the password and sends the result to the domain controller
  • Domain controller calculates the expected value to be returned from the client and compares it to the actual value
  • After successful authentication, the domain controller generates a token for the user for network access
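The Python program below is an added example, not part of the course slides, that models the NTLM exchange in the order the two NTLM slides give it: the client hashes the password, the domain controller sends a random challenge, the client answers with a value computed from the challenge and the hash, and the domain controller recomputes that value from its stored copy of the hash. The account name, password and the two primitives are assumptions made so the program runs on the standard library: the "password hash" is SHA-256 over the UTF-16LE password rather than the MD4-based NT hash, and the response function is HMAC-MD5 rather than NTLMv1's DES-based or NTLMv2's blob-based computation. The point the model shows is why the challenge must be random and fresh per attempt: the password and its hash never leave the client, and a response to one challenge is useless against the next.

```python
"""Model of the NTLM challenge-response exchange described on the two NTLM slides.

Added example, not course code; hash and response functions are stand-ins
(see the lead-in), the shape of the exchange is what the slides describe.
"""
import hashlib
import hmac
import os
from typing import Optional


def password_hash(password: str) -> bytes:
    # Step 1: the client hashes the password; the DC stores the same hash, never the password.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Step 3: the challenge is processed with the hash; neither the password nor the hash is sent.
    return hmac.new(pw_hash, challenge, hashlib.md5).digest()


class DomainController:
    def __init__(self, accounts: dict):
        self.accounts = accounts  # user name -> stored password hash (constructed sample data)
        self.pending = {}         # user name -> challenge awaiting a response
        self.tokens = {}          # user name -> access token issued after a successful logon

    def challenge(self, user: str) -> bytes:
        # Step 2: an 8-byte random challenge, fresh for every logon attempt.
        c = os.urandom(8)
        self.pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> Optional[bytes]:
        """Step 4: recompute the expected value and compare in constant time; token on success."""
        c = self.pending.pop(user, None)
        if c is None or user not in self.accounts:
            return None
        expected = compute_response(self.accounts[user], c)
        if not hmac.compare_digest(expected, response):
            return None
        self.tokens[user] = os.urandom(16)  # stands in for the token used for network access
        return self.tokens[user]


def logon(dc: DomainController, user: str, password: str) -> bool:
    """Client side of one logon: ask for a challenge, answer it using the password hash."""
    c = dc.challenge(user)
    return dc.verify(user, compute_response(password_hash(password), c)) is not None


def old_response_is_rejected(dc: DomainController, user: str, password: str) -> bool:
    """Why the challenge is random: a valid answer to one challenge is not valid for the next."""
    first = compute_response(password_hash(password), dc.challenge(user))
    assert dc.verify(user, first) is not None
    dc.challenge(user)  # a new logon attempt gets a new challenge
    return dc.verify(user, first) is None


if __name__ == "__main__":
    dc = DomainController({"alice": password_hash("P@ssw0rd-demo")})
    print(logon(dc, "alice", "P@ssw0rd-demo"), logon(dc, "alice", "wrong"))  # True False
```

Because the stored hash is all the domain controller needs to compute the expected response, the hash itself is as sensitive as the password; that is the reason the SAM and Active Directory databases, and any backups of them, need the same protection as the passwords they stand for.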
User Profiles
• A collection of settings specific to a particular user
• Stored locally by default
  • Do not follow a user logging on to different computers
• Can create a roaming profile
  • Does follow a user logging on to different computers
• Administrator can create a mandatory profile
  • User cannot alter it
User Profile Folders and Contents
(figure slide; no text content)
Local Profiles
• New profiles are created from the Default User profile folder
• User can change the local profile, and changes are stored uniquely to that user
• Administrator can manage various elements of a profile
  • Change Type
  • Delete
  • Copy To
Activity 3-2: Testing Local Profile Settings
• Objective is to configure and test a local user profile
• Start → Administrative Tools → Active Directory Users and Computers → Users → New → User
• Follow directions to create a new user profile
• Explore and configure properties
• Test by logging in as the new user
Roaming Profiles
• Roaming profiles
  • Allow a profile to be stored on a central server and follow the user
  • Provide the advantage of a single centralized location (helpful for backup)
• Configured from the Profile property page of Active Directory Users and Computers
• Changing a profile from local to roaming requires care – should copy first
Activity 3-3: Configuring and Testing a Roaming Profile
• Objective: To configure and test a roaming user profile
• Create a shared folder, copy a local profile to the folder, and configure the properties of the user account to use the roaming folder
• Follow directions in the book to create, configure, and test the new roaming profile
Mandatory Profiles
• Local and roaming profiles allow users to make permanent changes
• Mandatory profiles allow changes only for a single session
• Local and roaming profiles can both be configured as mandatory
  • Rename ntuser.dat → ntuser.man
Activity 3-4: Configuring a Mandatory Profile
• Objective: To configure and test a mandatory user profile
• Start → My Computer
• Follow directions to make the previously created test profile mandatory by renaming the file
• Test that no permanent changes can be made by the user
Creating and Managing User Accounts
• Standard tool is Active Directory Users and Computers
• Also a number of command-line tools and utilities
Active Directory Users and Computers
• Available from the Administrative Tools menu
• Can be added to a Microsoft Management Console
• Can be run from the command line (dsa.msc)
• Graphical tool
  • Can add, modify, move, delete, and search for user accounts
  • Can configure multiple objects simultaneously
Activity 3-5: Creating User Accounts Using Active Directory Users and Computers
• Objective: Use Active Directory Users and Computers to create user accounts
• Start → Administrative Tools → Active Directory Users and Computers
• Follow directions to create a number of new user accounts
User Account Templates
• A user account that is pre-configured with common settings
• Can be copied to create new user accounts with predefined settings
• New account is then configured with detailed individual settings
Activity 3-6: Creating a User Account Template
• Objective: Create a user account template and use the template to create a new user account
• Start → Administrative Tools → Active Directory Users and Computers
• Create a new user account template
• Use a variable that will automatically populate the profile path with the name of the user account
• Follow directions to create and explore a new user account from the template
Command Line Utilities
• Some administrators prefer working from the command line
• Can be used to automate creation or management of accounts more flexibly
DSADD
• Allows object types to be added to the directory
  • Computer accounts, contacts, quotas, OUs, users, etc.
• Syntax for a user account is
  • DSADD USER distinguished-name switches
• Switches include
  • -pwd (password), -memberof, -email, -profile, -disabled
Activity 3-7: Creating User Accounts Using DSADD
• Objective: Use the DSADD USER command to create new user accounts
• Start → Run
• Follow directions to enter the DSADD command
• Check using Active Directory Users and Computers
• Enter a new DSADD command and again check the results
DSMOD
• Allows object types to be modified from the command line
  • Computer accounts, users, quotas, OUs, servers, etc.
• Syntax for modifying user accounts is
  • DSMOD USER distinguished-name+ switches+ (one or more distinguished names, followed by one or more switches)
• Can modify multiple accounts simultaneously
Activity 3-8: Modifying User Accounts Using DSMOD
• Objective is to modify existing user account properties using the DSMOD USER command
• Start → Run
• Follow directions to enter the DSMOD command for a single user
• Check using Active Directory Users and Computers
• Enter a new DSMOD command for multiple users
• Check the results using Active Directory Users and Computers
DSQUERY
• Allows various object types to be queried from the command line
• Supports wildcard (*)
• Output can be redirected to another command (piped)
• Example: return all user accounts that have not changed passwords in 14 days
  • dsquery user domainroot -name * -stalepwd 14
DSMOVE
• Allows various object types to be moved from their current location to a new location
• Allows various object types to be renamed
• Only moves within the same domain (otherwise use MOVETREE)
• Example: to move a user account into a marketing OU
  • dsmove "cn=Paul Kohut,cn=users,dc=domain01,dc=dovercorp,dc=net" -newparent "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
DSRM
• Allows objects to be deleted from the directory
• Can delete a single object or an entire subtree
• Has a confirm option that can be overridden
• Example: to delete the Marketing OU and all its contained objects without a confirm prompt:
  • dsrm -subtree -noprompt -c "ou=marketing,dc=domain01,dc=dovercorp,dc=net"
Bulk Import and Export
• Allows an organization to import existing stores of data rather than recreating them from scratch
• Allows an organization to export data that is already structured in Active Directory to secondary databases
• Two command-line utilities for import and export
  • CSVDE
  • LDIFDE
CSVDE
• Command-line tool to bulk export and import Active Directory data to and from comma-separated value (CSV) files
• CSV files can be created/edited using text-based editors
• Example:
  • csvde -f output.csv
LDIFDE
• Command-line tool to bulk export and import Active Directory data to and from LDIF files
  • LDAP Data Interchange Format
  • Industry standard for information in LDAP directories
  • Each attribute/value on a separate line, with blank lines between objects
  • Can be read in text-based editors
• Common uses: extending AD schemas, importing bulk data to populate AD, manipulating user and group objects
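As an added example that is not part of the course slides, the Python program below serves two of the slides above: it parses text in the layout the LDIFDE slide describes (one attribute per line, blank lines between objects, `::` for base64-encoded values, a leading space for continuation lines) and then applies the "passwords not changed in 14 days" test that the DSQUERY slide's `-stalepwd 14` example performs. `SAMPLE_LDIF` is constructed sample data; the user names, dates and the "must change at next logon" interpretation of `pwdLastSet = 0` are assumptions of the example, except that `pwdLastSet` itself is the real Active Directory attribute and is stored as a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), which the converter below handles.

```python
"""Parse an LDIFDE-style export and flag accounts with stale passwords.

Added example, not course code. SAMPLE_LDIF is constructed data in the
shape LDIFDE writes; the date arithmetic is what dsquery -stalepwd reports.
"""
import base64
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

SAMPLE_LDIF = """\
dn: CN=Paul Kohut,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: pkohut
displayName:: UGF1bCBLb2h1dA==
pwdLastSet: 133170048000000000
description: Marketing team, desk on the
  second floor

dn: CN=Jane Smith,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: jsmith
pwdLastSet: 133182144000000000

dn: CN=Svc Backup,CN=Users,DC=domain01,DC=dovercorp,DC=net
changetype: add
objectClass: user
sAMAccountName: svcbackup
pwdLastSet: 0
"""


def parse_ldif(text: str) -> list:
    """One dict per object; every attribute maps to a list because LDAP attributes are multi-valued."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:         # continuation line: drop the leading space, append
            current[last_key][-1] += line[1:]
            continue
        if not line.strip():                           # blank line ends the object
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#"):                       # comment line
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):                      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        records.append(current)
    return records


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100 ns units; ten of them make one microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def stale_accounts(records: list, days: int, now: datetime) -> list:
    """(sAMAccountName, reason) for user objects whose password is older than `days` as of `now`."""
    cutoff = now - timedelta(days=days)
    found = []
    for r in records:
        if "user" not in r.get("objectClass", []) or "pwdLastSet" not in r:
            continue
        name, ft = r["sAMAccountName"][0], int(r["pwdLastSet"][0])
        if ft == 0:                                    # assumed meaning: must change password at next logon
            found.append((name, "password must be changed at next logon"))
        elif filetime_to_datetime(ft) < cutoff:
            found.append((name, "last set " + filetime_to_datetime(ft).date().isoformat()))
    return found


def report(ldif_text: str, days: int, as_of: str) -> list:
    """Entry point: as_of is an ISO date such as '2023-01-20', treated as midnight UTC."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return stale_accounts(parse_ldif(ldif_text), days, now)


if __name__ == "__main__":
    for name, reason in report(SAMPLE_LDIF, 14, "2023-01-20"):
        print(name, reason)
```

A real LDIFDE export of user objects can be fed to `report()` unchanged as long as `pwdLastSet` and `sAMAccountName` were included in the exported attribute list; the multi-valued handling matters because attributes such as `objectClass` and `memberOf` appear once per value.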
Activity 3-9: Exporting Active Directory Users Using LDIFDE
• Objective is to export Active Directory user accounts using LDIFDE
• Start → Run
• Follow directions to enter the LDIFDE command
• Check the exported results using the Notepad editor
Troubleshooting User Account and Authentication Issues
• Normally creating and configuring user accounts is straightforward
• Issues do arise related to
  • Configuration of the account
  • Policy settings
Account Policies
• Authentication-related policy settings
• Configured in the Account Policies node of Group Policy objects at the domain level
  • Account lockout, passwords, Kerberos
• Default Domain Policy
  • Accessed from Active Directory Users and Computers
  • Configures policies for all domain users
Password Policy
• Configuration settings
  • Password history and reuse
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Complexity requirements
  • Encryption policy (store passwords using reversible encryption)
Account Lockout Settings
• Configuration settings
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after
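The three settings only make sense together, so the following Python program, an added example and not part of the course slides, models how a domain controller applies them to a sequence of logon attempts: the threshold counts failures, the reset window decides when old failures stop counting, and the duration decides when a locked account reopens on its own. The model is an assumption of this example rather than the real domain controller logic, and it uses plain seconds so the trace is easy to follow; the real Group Policy settings are in minutes, and a duration of 0 (locked until an administrator unlocks it) is supported here too, which is the "manual unlock" fix on the Resolving Logon Issues slide.

```python
"""Model of how the three Account Lockout settings interact (added example, not course code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int      # failed attempts that trigger a lockout (0 = never lock)
    reset_after: float  # seconds without a failure before the bad-password counter returns to 0
    duration: float     # seconds an account stays locked (0 = until an administrator unlocks it)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: float = 0.0
    locked_at: Optional[float] = None


class LockoutTracker:
    """Per-account state a domain controller would keep (constructed model, not the real DC logic)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        s = self._state(user)
        if s.locked_at is None:
            return False
        if self.policy.duration and now - s.locked_at >= self.policy.duration:
            s.locked_at, s.bad_count = None, 0  # lockout duration elapsed; account reopens by itself
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """One logon attempt at time `now`; returns 'ok', 'bad_password' or 'locked'."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked"  # the correct password is refused too while the account is locked
        if password_ok:
            s.bad_count = 0  # a successful logon clears the counter
            return "ok"
        if s.bad_count and now - s.last_bad > self.policy.reset_after:
            s.bad_count = 0  # the reset window passed since the last failure; start counting again
        s.bad_count += 1
        s.last_bad = now
        if self.policy.threshold and s.bad_count >= self.policy.threshold:
            s.locked_at = now
            return "locked"
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        """The manual unlock an administrator performs in Active Directory Users and Computers."""
        self.accounts[user] = AccountState()


def trace(policy: LockoutPolicy, attempts) -> list:
    """Run (time, password_ok) pairs for one user and return the outcome of each attempt."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt("alice", ok, t) for t, ok in attempts]


if __name__ == "__main__":
    # Three failures inside the reset window lock the account; even the correct password is
    # refused until the 120 s duration has passed.
    print(trace(LockoutPolicy(threshold=3, reset_after=60, duration=120),
                [(0, False), (1, False), (2, False), (50, True), (130, True)]))
    # ['bad_password', 'bad_password', 'locked', 'locked', 'ok']
```

The second trace in the test shows the side of the policy that is easy to forget when troubleshooting: failures spaced further apart than the reset window never accumulate, so a user who reports "I only typed it wrong twice" can still be locked out if a mapped drive or a saved credential is retrying with an old password in between.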
Kerberos Policy
• Configuration settings
  • Enforce user logon restrictions
  • Maximum lifetime for service ticket
  • Maximum lifetime for user ticket
  • Maximum lifetime for user ticket renewal
  • Maximum tolerance for computer clock synchronization
Auditing Authentication
• Audit account logon events
  • Configured in the Group Policy object linked to the Domain Controllers OU (Default Domain Controllers Policy)
  • Default is to log only successful logons
  • Events viewable in the Security log (use Event Viewer)
• Can choose to audit failed logons
  • May be helpful for troubleshooting
  • Codes provide information about the type of failure
Resolving Logon Issues
• Some common logon issues (and fixes)
  • Incorrect user name or password (administrative reset)
  • Account lockout (manual unlock)
  • Account disabled (administrative enable)
  • Logon hour restrictions (check account restrictions)
  • Workstation restrictions (check account restrictions)
  • Domain controller cannot be located (check configured DNS settings)
  • Client time settings (check client clock synchronization)
Resolving Logon Issues (continued)
  • Down-level client issues (install Active Directory Client Extensions)
  • UPN logon issues (check Global Catalog server)
  • Unable to log on locally (set policy on local server)
  • Remote access logon issues (check access on Dial-up properties)
  • Terminal services logon issues (check "allow logon to terminal server" permission)
Summary
• A user account is an object stored in Active Directory
  • Information that defines a user and access to the network
• Primary tools to create and manage user accounts
  • Active Directory Users and Computers
  • Command-line utilities (DSADD, DSMOD, DSQUERY, DSMOVE, DSRM)
• Two main authentication processes
  • Interactive authentication
  • Network authentication
Summary (continued)
• Two main authentication protocols
  • Kerberos v5, NTLM
• User profiles are used to configure and customize the desktop environment
  • Local, roaming, mandatory
• Utilities for bulk importing and exporting user data to and from Active Directory
  • LDIFDE and CSVDE
