Chapter 3-User Accounts
■ Create and manage user accounts
■ Create and modify user accounts by using the Active Directory Users And Computers Microsoft Management Console (MMC) snap-in
■ Create and modify user accounts by using automation
■ Import user accounts
■ Manage local, roaming, and mandatory user profiles
■ Troubleshoot user accounts
■ Diagnose and resolve account lockouts
■ Diagnose and resolve issues related to user account properties
■ Troubleshoot user authentication issues
Pg 3-1
Chapter 3-User Accounts
■ Lesson 1: Creating and Managing User Objects
■ Lesson 2: Creating Multiple User Objects
■ Lesson 3: Managing User Profiles
■ Lesson 4: Securing and Troubleshooting Authentication
Pg 3-2
Chapter 3 Lesson 1: Creating and Managing User Objects
■ Create user objects in Active Directory using the Active Directory Users And Computers snap-in
■ Configure user object properties
■ Understand important account options that are not self-explanatory based on their descriptions
■ Modify properties of multiple users simultaneously
Pg 3-3
Creating Objects with Active Directory
• Use the Active Directory Users and Computers snap-in
• Best to create users inside an Organizational Unit, not at the root of the domain
• Select the OU or container, click Action, then choose New and choose User
• Who can create user objects:
  • Enterprise Admins
  • Domain Admins
  • Account Operators
  • Delegated admin permissions
Pg 3-3
New User Object
• Very basic fields
• Then set the password
• NOTE: the Default Domain Policy requires complex passwords
• The selections here take precedence over a conflicting GPO:
  • Reversible encryption
  • Password age
Pg 3-4-6
Managing User Objects
• User creation requires only a minimal set of properties to be set on the user object
• After creation, view the properties
Pg 3-7
User Object Properties
■ Account properties: the Account tab. These properties include those that are configured when you create a user object, including logon names, password, and account flags.
■ Personal information: the General, Address, Telephones, and Organization tabs. The General tab exposes the name properties that are configured when you create a user object.
■ User configuration management: the Profile tab. Here you can configure the user's profile path, logon script, and home folder locations.
■ Group membership: the Member Of tab. You can add and remove user groups and set the user's primary group.
Pg 3-7-8
User Object Properties
■ Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs. These four tabs allow you to configure and manage the users' experience when they are connected to a Terminal Services session.
■ Remote access: the Dial-in tab. Allows you to enable and configure remote access permission for a user.
■ Applications: the COM+ tab. Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.
Pg 3-7-8
Account Properties
• Logon Hours: can limit the hours during which the user can sign on
• Log On To: can limit which workstations the user can log on to (same as Computer Restrictions)
• Account is trusted for delegation
• Account expires
Pg 3-8-9
Managing Properties on Multiple Accounts
• Can CTRL-click or SHIFT-click multiple users in the list
• Only a subset of properties is available:
  • General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail
  • Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
  • Address: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
  • Profile: Profile Path, Logon Script, and Home Folder
  • Organization: Title, Department, Company, Manager
Pg 3-10
Saved Queries and Moving Users
• You can query the list of users and save the query
  • Acts as a "virtual OU"
• User objects can be moved between OUs
  • Select Move from the Action menu
  • Drag and drop
Chapter 3 Lesson 2: Creating Multiple User Objects
■ Create and utilize user object templates
■ Import user objects from comma-delimited files
■ Leverage new command-line tools to create and manage user objects
Pg 3-15
Creating and Using Templates
• Create a generic user
• Then copy that object to create new users
• Make sure the template is disabled
• Copied information:
  ■ General: No properties are copied.
  ■ Address: All properties except Street address are copied.
  ■ Account: All properties are copied except for logon names, which you are prompted to enter when copying the template.
  ■ Profile: All properties are copied, and the profile and home-folder paths are modified to reflect the new user's logon name.
  ■ Telephones: No properties are copied.
  ■ Organization: All properties are copied, except for Title.
  ■ Member Of: All properties are copied.
  ■ Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile, COM+: No properties are copied.
Pg 3-15-16
Importing Objects
• Command line: csvde
• Imports from a comma-delimited text file
• csvde [-i] [-f FileName] [-k]
  • -i: Specifies import mode. If not specified, the default mode is export.
  • -f FileName: Identifies the import file name.
  • -k: Ignores errors including "object already exists," "constraint violation," and "attribute or value already exists" during the import operation and continues processing.
• Passwords are not imported
Pg 3-16
Importing Objects - Example
• DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
• "CN=Scott Bishop,OU=Employees,DC=contoso,DC=com",user,sbishop,Bishop,Scott,scott.bishop@contoso.com
• The above entry would create a user object in the Employees OU called Scott Bishop. The logon, first, and last names are configured by the file.
• The object will be disabled initially. After you have reset the password, you can enable the object.
Pg 3-17
Importing Objects
• Every row must have:
  • DN
  • objectClass
Pg 3-17
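The csvde import file described on the preceding slides is plain CSV, so its two hard requirements (a DN and an objectClass on every row, with the DN quoted because it contains commas) can be generated and checked before anything touches the directory. The following Python is an added example, not part of the course material or any Microsoft tool: it renders user records in the page's column layout and flags the mistakes that make csvde reject a row. Scott Bishop is the page's own example; the second record, the 20-character sAMAccountName limit and the duplicate check are assumptions added here.

```python
import csv
import io

# Column order used by the csvde example on the page.
COLUMNS = ["DN", "objectClass", "sAMAccountName", "sn", "givenName", "userPrincipalName"]
REQUIRED = ("DN", "objectClass")   # the two attributes every csvde row must carry
SAM_MAX_LEN = 20                   # user sAMAccountName (pre-Windows 2000 logon name) limit

# Constructed sample input: (givenName, sn, sAMAccountName). Scott Bishop comes from
# the page; Dana Quinn is made up for this illustration.
SAMPLE_RECORDS = [("Scott", "Bishop", "sbishop"), ("Dana", "Quinn", "dquinn")]


def build_csvde_file(records, ou_dn, upn_suffix):
    """Render user records as csvde import text: header line plus one row per user."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")   # quotes the DN because it contains commas
    writer.writerow(COLUMNS)
    seen = set()
    for given, sn, sam in records:
        if len(sam) > SAM_MAX_LEN:
            raise ValueError(f"sAMAccountName longer than {SAM_MAX_LEN} chars: {sam}")
        if sam.lower() in seen:                     # logon names are case-insensitive
            raise ValueError(f"duplicate sAMAccountName: {sam}")
        seen.add(sam.lower())
        dn = f"CN={given} {sn},{ou_dn}"
        upn = f"{given.lower()}.{sn.lower()}@{upn_suffix}"
        writer.writerow([dn, "user", sam, sn, given, upn])
    return buf.getvalue()


def parse_csvde_file(text):
    """Read csvde text back into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_csvde_file(text):
    """Return a list of problems (empty list means the file satisfies the DN/objectClass rule)."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        return [f"header lacks required column(s): {', '.join(missing)}"]
    problems = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for col in REQUIRED:
            if not (row.get(col) or "").strip():
                problems.append(f"line {line_no}: empty {col}")
    return problems


if __name__ == "__main__":
    text = build_csvde_file(SAMPLE_RECORDS, "OU=Employees,DC=contoso,DC=com", "contoso.com")
    print(text)
    print("problems:", check_csvde_file(text) or "none")
```

Passwords are never part of this file, which matches the slide: every imported account arrives disabled and stays that way until someone resets its password and enables it, so a review of the generated file before running `csvde -i -f users.csv` is the last cheap checkpoint.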
Other Command line tools
■ Dsadd: Adds objects to the directory.
■ Dsget: Displays ("gets") properties of objects in the directory.
■ Dsmod: Modifies select attributes of an existing object in the directory.
■ Dsmove: Moves an object from its current container to a new location. Can also be used to rename an object without moving it.
■ Dsrm: Removes an object, the complete subtree under an object, or both.
■ Dsquery: Queries Active Directory for objects that match a specified search criterion. This command is often used to create a list of objects, which are then piped to the other command-line tools for management or modification.
Pg 3-18-26
Other Command line tools
• Query by object class
  • User
  • Group
  • Etc.
• Specify the distinguished name attributes
  • OU: Organizational Unit
  • DC: Domain
• Properties to search, for example:
  • -stalepwd 60
  • Passwords not changed for 60 days
Pg 3-18-26
Command line hints
• Be familiar with the general ideas of the commands
  • What they are used for
  • General format
• Be able to figure it out on the exam
Pg 3-18-26
Utilizing VBScript
• Not a ton on the test
• Useful ideas
• Check out the CD
Chapter 3 Lesson 3: Managing User Profiles
• Understand the application of local and roaming user profiles
• Configure a roaming user profile
• Create a preconfigured roaming user or group profile
• Configure a mandatory profile
Pg 3-32
User Profile
• Includes:
  ■ Shortcuts in your Start menu, on your desktop, and in your Quick Launch bar
  ■ Documents on your desktop and, unless redirection is configured, in your My Documents folder
  ■ Internet Explorer favorites and cookies
  ■ Certificates (if implemented)
  ■ Application-specific files such as the Microsoft Office custom user dictionary, user templates, and autocomplete list
  ■ My Network Places
  ■ Desktop display settings such as appearance, wallpaper, and screensaver
Pg 3-33
Local Profile
• Usually the details of the profile are stored on each machine that you have logged into
• %Systemdrive%\Documents and Settings\%Username%
• Created at first login from the Default User profile
• Changes are stored locally
• The All Users profile is combined with the specific user's profile
• Local means that machine ONLY
Pg 3-33
Roaming Profile
• Lets users have the same profile on every machine
• Stored on a server
• Backed up with the server
Pg 3-33
Setting up Roaming Profiles
• Create a shared folder on the server
• Must be set so that Everyone has Full Control
• Modify the user account so that the profile path is:
  • \\<server>\<share>\%Username%
• Not a property of the computer object, except that roaming profiles can be disabled on a computer by specifying the Only Allow Local User Profiles policy
Pg 3-33-34
Creating a Preconfigured User Profile
• Can create a preconfigured environment for users to:
  ■ Provide a productive work environment with easy access to needed network resources and applications
  ■ Remove access to unnecessary resources and applications
  ■ Simplify help desk troubleshooting by enforcing a more straightforward and consistent desktop
Pg 3-35
Preconfigured Profile
• Done locally on an individual machine
• Set up the profile the way you want
  • Don't use your own account
• Log in as an admin, go to System, Advanced, User Profiles
• Select the profile and choose Copy To
• Put in the path to the server
• Change who is permitted to use the profile
Pg 3-33
Preconfigured Default User Profile
• The default profile is used when no user or roaming profile exists when the user logs in
• Either for the local system:
  • Create the profile and then copy the details to the default profile location
  • C:\Documents and Settings\Default User
• Or domain wide:
  • Create the profile and copy it to the NETLOGON folder on a domain controller
  • \\servername\NETLOGON\Default User
  • Watch out because this takes effect for ALL systems, servers included.
Pg 3-37
Preconfigured Group Profile
• Create the profile you want the group to use
• Copy the profile to a directory with the group profile name
  • \\<server>\<share>\<group profile name>
• Grant access to the profile to the group or to the Built-in\Users group
• Assign the path in the users' profiles
  • Can use the multiple-select trick
Pg 3-38
Mandatory Profile
• Restricts the user's ability to modify settings in the profile
• Does not retain changes
• Used to lock down a system
• Rename ntuser.dat to ntuser.man
• Must be done on the actual systems directly
Pg 3-39
Chapter 3 Lesson 4: Securing and Troubleshooting Authentication
■ Identify domain account policies and their impact on password requirements and authentication
■ Configure auditing for logon events
■ Modify authentication-related attributes of user objects
Pg 3-44
Securing Authentication with Policy
• Can set policy for local accounts
  • Specific to that machine
• For domain objects
  • Use the Domain Security Policy MMC
Pg 3-44
Password Policy
• History
• Age
• Length
• Complexity
Pg 3-45
Lockout Policy
• Threshold
  • How many failed attempts
• Duration
  • How long before auto reset
• Counter
  • How long before the threshold counter resets
Pg 3-46-47
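The three lockout settings interact in ways that matter when you are diagnosing a locked account (threshold counts only failures inside the reset window, a duration of 0 means an administrator must unlock, and an expired duration clears the counter). The model below is an added example, not Microsoft code and not from the course; it replays a constructed sequence of failed-logon times against a policy so the interaction can be seen. The policy numbers and attempt times are made up, and the rule that the reset window may not exceed a non-zero duration is a Windows constraint stated here from the author's knowledge, not from the slide.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int        # Account lockout threshold: failed attempts before lockout (0 = never lock)
    duration_min: int     # Account lockout duration: minutes until auto unlock (0 = admin must unlock)
    reset_after_min: int  # Reset account lockout counter after: quiet minutes before the counter clears


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None   # minutes since an arbitrary epoch
    locked_until: Optional[float] = None  # None = not locked; inf = locked until an admin unlocks


def policy_problems(policy):
    """Sanity-check a policy the way the Windows UI does (constraint assumed, see lead-in)."""
    problems = []
    if policy.threshold < 0 or policy.duration_min < 0 or policy.reset_after_min <= 0:
        problems.append("values out of range")
    if policy.duration_min and policy.reset_after_min > policy.duration_min:
        problems.append("reset window longer than lockout duration")
    return problems


def is_locked(state, now_min):
    """Report lock status at now_min, clearing a lock whose duration has expired."""
    if state.locked_until is None:
        return False
    if now_min >= state.locked_until:
        state.locked_until = None   # auto unlock
        state.bad_count = 0
        return False
    return True


def record_bad_password(policy, state, now_min):
    """Apply one failed logon at now_min; returns True if the account is locked afterwards."""
    if is_locked(state, now_min):
        return True                 # further failures while locked change nothing
    if state.last_bad_at is not None and now_min - state.last_bad_at >= policy.reset_after_min:
        state.bad_count = 0         # observation window elapsed: counter resets
    state.bad_count += 1
    state.last_bad_at = now_min
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = float("inf") if policy.duration_min == 0 else now_min + policy.duration_min
        return True
    return False


def replay(policy, attempt_times):
    """Replay failed-logon times (minutes) and return [(time, bad_count, locked), ...]."""
    state = AccountState()
    out = []
    for t in attempt_times:
        locked = record_bad_password(policy, state, t)
        out.append((t, state.bad_count, locked))
    return out


# Constructed sample: threshold 5, 30-minute duration, 30-minute reset window,
# five quick failures, one more while locked, then one after the lock expires.
SAMPLE_POLICY = LockoutPolicy(threshold=5, duration_min=30, reset_after_min=30)
SAMPLE_ATTEMPTS = [0, 1, 2, 3, 4, 10, 34]

if __name__ == "__main__":
    for t, count, locked in replay(SAMPLE_POLICY, SAMPLE_ATTEMPTS):
        print(f"t={t:>3} min  bad_count={count}  locked={locked}")
```

Running the sample shows the fifth failure at minute 4 locking the account, the failure at minute 10 being absorbed by the lock, and the failure at minute 34 landing on a freshly unlocked account with the counter back at 1. The same model with failures spaced wider than the reset window never locks, which is why a stale mapped drive or cached credential that retries every hour rarely trips a 30-minute window but one retrying every few seconds does.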
Cross Platform
• Other versions of Windows will not support all Active Directory features
Pg 3-47-48
Auditing Authentication
• Choose what kind of entries will appear in the security log
• Account Management
  • Creation or modification of user objects
• Account Logon
  • Events that involve the domain controller
• Logon
  • Wherever the logon occurs
• Note: Keep track of the distinction between Account Logon and Logon events. When a user logs on to his or her workstation using a domain account, the workstation registers a Logon event and the domain controller registers an Account Logon event. When the user connects to a network server's shared folder, the server registers a Logon event and the domain controller registers an Account Logon event.
Pg 3-49