(Skill 1) Planning Strategies for Creating User Accounts
• User account
  • A form of identification for a user on a Windows Server 2003 network
  • Used to build the user ticket (also known as a TGT, or Ticket Granting Ticket)
  • Contains a list of the Security IDs (SIDs) associated with the user account and with all groups of which that user account is a member
  • Used to prove that the user account is valid and to construct session tickets
(Skill 1) Planning Strategies for Creating User Accounts (2)
• When the user wants to access a resource, the OS sends the user ticket to the domain controller with a special Kerberos request
• The session ticket is presented to the specific computer controlling the resource as a form of identification
• The resource server compares the SIDs in the token or ticket to a Discretionary Access Control List (DACL) on the resource
(Skill 1) Planning Strategies for Creating User Accounts (3)
• DACLs are composed of Access Control Entries (ACEs)
• Each ACE contains the SID for a user account or group and the permissions applied to it
• Through this mechanism, a resource determines what level of access each user account should have, and grants an access token to the user for the user’s specific access level
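The SID-versus-DACL comparison described on the last two slides, as an added model (not code from the slides): a token is a list of SIDs, a DACL is an ordered list of ACEs, and the check walks the ACEs the way Windows does (deny ACEs that overlap the still-ungranted rights block immediately, allow ACEs accumulate). The SIDs, rights and DACL are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rights; real access masks have many more bits.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # SID of a user account or group
    mask: int   # rights this entry grants or denies


def access_check(token_sids, dacl, requested):
    """Return (granted, reason).

    ACEs are evaluated in order and an ACE only matters if its SID is in
    the token. A deny ACE whose mask overlaps the rights not yet granted
    stops the check; allow ACEs accumulate until every requested right is
    covered. An empty DACL grants nothing, while a missing DACL (None)
    grants everything, which is why "no DACL" never means "no access".
    """
    if dacl is None:
        return True, "no DACL: full access"
    sids = set(token_sids)
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.sid}"
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, "all requested rights granted"
    return False, "no ACE granted the remaining rights"


# Constructed sample: Alice's token carries her own SID plus two group SIDs
# (hypothetical Domain Users RID 513 and a Sales group RID 1105).
ALICE_TOKEN = ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1105"]
SHARE_DACL = [
    ACE("deny", "S-1-5-21-1-1-1-1105", DELETE),        # Sales may never delete
    ACE("allow", "S-1-5-21-1-1-1-513", READ),          # Domain Users may read
    ACE("allow", "S-1-5-21-1-1-1-1105", READ | WRITE),  # Sales may read and write
]

if __name__ == "__main__":
    for right in (READ, READ | WRITE, DELETE):
        print(right, access_check(ALICE_TOKEN, SHARE_DACL, right))
```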
(Skill 1) Planning Strategies for Creating User Accounts (4)
• You can create user accounts manually or by writing scripts
• To create accounts manually, you use the Active Directory Users and Computers console
• To script a user account, you need to be familiar with at least one scripting language, such as VBScript or JScript
(Skill 1) Planning Strategies for Creating User Accounts (5)
• It is very important to plan your user accounts before you actually create them
• Parameters you need to consider while planning
  • Naming conventions
  • Password requirements
  • Account options
(Skill 1) Planning Strategies for Creating User Accounts (6)
• Naming conventions
  • A good naming convention makes it easy for users to remember their logon names
  • Also provides for cases in which two users have the same name
• Password requirements
  • Each user account will typically be assigned a password
  • Passwords prevent unauthorized access to a domain or a computer
(Skill 1) Planning Strategies for Creating User Accounts (7)
• Account options
  • It is also important to consider certain properties before you create user accounts
  • The Log On To option specifies the computers to which a user can log on
  • The Logon Hours section allows you to specify which hours of the day and days of the week a user can log on
  • The Account Expires section allows you to predefine when a user account will expire
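The Logon Hours grid and the Account Expires date are stored on the user object as the logonHours and accountExpires attributes; the following added example (not from the slides) shows how those values are laid out so that scripted or audited settings can be checked against what the console displays. It assumes the documented layout (168 one-hour bits starting Sunday 00:00 UTC, least-significant bit first in each byte) and takes a hypothetical utc_offset_hours parameter for the local time zone.

```python
from datetime import datetime, timezone

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 9223372036854775807   # accountExpires value for "never" (0 also means never)


def encode_logon_hours(allowed, utc_offset_hours=0):
    """allowed: iterable of (day, start_hour, end_hour) in local time, end
    exclusive. Returns the 21-byte logonHours value (bits are kept in UTC,
    so the schedule is shifted by the local UTC offset)."""
    bits = bytearray(21)
    for day, start, end in allowed:
        for hour in range(start, end):
            local = DAYS.index(day) * 24 + hour
            h = (local - utc_offset_hours) % 168   # hour of week in UTC
            bits[h // 8] |= 1 << (h % 8)          # LSB-first within each byte
    return bytes(bits)


def decode_logon_hours(value, utc_offset_hours=0):
    """Inverse of encode: the set of (day, hour) pairs allowed in local time."""
    allowed = set()
    for h in range(168):
        if (value[h // 8] >> (h % 8)) & 1:
            local = (h + utc_offset_hours) % 168
            allowed.add((DAYS[local // 24], local % 24))
    return allowed


def account_expires(when):
    """accountExpires is a FILETIME: 100-nanosecond intervals since
    1601-01-01 UTC. 'when' is a timezone-aware datetime or None for never."""
    if when is None:
        return NEVER_EXPIRES
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000


# Constructed schedule: office hours, Monday to Friday, local time UTC-5.
OFFICE_HOURS = [(d, 8, 18) for d in ("Mon", "Tue", "Wed", "Thu", "Fri")]

if __name__ == "__main__":
    value = encode_logon_hours(OFFICE_HOURS, utc_offset_hours=-5)
    print(value.hex(), len(decode_logon_hours(value, utc_offset_hours=-5)))
    print(account_expires(datetime(2004, 1, 1, tzinfo=timezone.utc)))
```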
(Skill 1) Figure 5-1 Setting user account properties
(Skill 1) Planning Strategies for Creating User Accounts (9)
• Active Directory Service Interfaces (ADSI)
  • You can use ADSI to create scripts
  • ADSI is a fully programmable automation object available for administrators
• You can also create user accounts in batches from a .csv or an .ldif file using the Csvde.exe or Ldifde.exe utilities
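Putting the naming-convention slide and the batch-import slide together, this added example (not from the slides) generates a file in the format Csvde.exe imports with csvde -i -f users.csv: the first row names the attributes, DN must be the first column, and the "first initial + surname" convention gets a numeric suffix when two users would otherwise share a logon name. The domain, OU and roster are constructed; the userAccountControl value 514 (normal account, disabled) is used because csvde cannot set passwords, so accounts are created disabled and enabled once a password has been assigned.

```python
import csv
import io
import re

DOMAIN_DN = "DC=example,DC=com"        # hypothetical domain
UPN_SUFFIX = "example.com"
OU_DN = f"OU=Staff,{DOMAIN_DN}"        # hypothetical target OU
SAM_MAX_LEN = 20                       # sAMAccountName limit for user accounts


def logon_name(first, last, taken):
    """First initial + surname, lowercase ASCII letters only, trimmed to the
    sAMAccountName limit, with 2, 3, ... appended when the name is taken."""
    base = re.sub(r"[^a-z]", "", (first[0] + last).lower())[:SAM_MAX_LEN]
    name, n = base, 1
    while name in taken:
        n += 1
        suffix = str(n)
        name = base[:SAM_MAX_LEN - len(suffix)] + suffix
    taken.add(name)
    return name


def build_csvde_rows(roster):
    """Rows for a csvde import: header first, then one user per row."""
    taken = set()
    rows = [["DN", "objectClass", "sAMAccountName", "userPrincipalName",
             "givenName", "sn", "displayName", "userAccountControl"]]
    for first, last in roster:
        sam = logon_name(first, last, taken)
        rows.append([f"CN={first} {last},{OU_DN}", "user", sam,
                     f"{sam}@{UPN_SUFFIX}", first, last, f"{first} {last}",
                     "514"])   # disabled until a password is set
    return rows


def to_csv(rows):
    """Serialise with CRLF line endings; the DN contains commas and is quoted."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\r\n").writerows(rows)
    return buf.getvalue()


# Constructed roster with a deliberate logon-name collision (two J. Smiths).
ROSTER = [("Jane", "Smith"), ("John", "Smith"), ("Maria", "O'Neil")]

if __name__ == "__main__":
    print(to_csv(build_csvde_rows(ROSTER)), end="")
```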
(Skill 2) Creating a Local User Account
• Local user accounts
  • Are created so that users can log on only to a specific computer and access the resources on only that computer
  • In order for a user using a local user account to access resources on other computers, a local user account must be created with the same name and password on all computers that the user needs to access
  • This is because local user accounts are stored only in the computer’s local security database
(Skill 2) Creating a Local User Account (2)
• Local user accounts
  • Are not replicated to domain controllers
  • When a user logs on to a computer, the operating system uses its local security database to authenticate the local user account
  • Similarly, when a user attempts to access a workgroup resource, the computer providing the resource uses its local accounts database to authenticate the user account
(Skill 2) Creating a Local User Account (3)
• Local user accounts
  • If you create a local user account on a computer that requires access to domain resources, the user cannot access the resources in the domain unless an identical domain user account is created
  • In this situation, the domain does not recognize local user accounts
  • Furthermore, the domain administrator cannot manage local user account properties or assign access permissions to the user for domain resources using the local computer
(Skill 2) Creating a Local User Account (4)
• Local user accounts
  • If you have administrative rights, you can use the Local Users and Groups snap-in in the Computer Management console
  • From this console, you can create, delete, or disable local user accounts on a local computer
(Skill 2) Figure 5-2 Local security database
(Skill 2) Figure 5-3 Creating a local user account
(Skill 3) Creating a Domain User Account
• You use a domain user account to log on to a domain and access network resources
• You can create a domain user account in an OU on a domain controller
• The domain controller then replicates the new user account information to all other domain controllers in the domain
• After replication, all domain controllers in the domain will be able to authenticate the user
(Skill 3) Creating a Domain User Account (2)
• In addition, all trusting domains can now allow the user account to gain access to their resources
• You use the Active Directory Users and Computers console to create domain user accounts
(Skill 3) Creating a Domain User Account (3)
• Logon process
  • A user provides a logon name and password (or inserts a smart card and provides a PIN)
  • Windows Server 2003 uses this information to authenticate the user and build a user ticket that contains the user’s identification and security settings
  • The purpose of the user ticket is to identify the user account in order to build session tickets, which are then used to identify the user to the domain member computers
  • An access token is generated to allow the user specific levels of access
(Skill 3) Creating a Domain User Account (4)
• Active Directory domain names are usually the full DNS name of the domain
• For backward compatibility, each domain also has a pre-Windows 2000 name that is used by computers running pre-Windows 2000 operating systems
• This name can also be used to log on to a Windows 2000 or Windows Server 2003 domain from computers running Windows 2000 or XP operating systems
(Skill 3) Figure 5-4 Domain user account
(Skill 3) Figure 5-5 Creating a domain user account
(Skill 3) Figure 5-6 Setting a password for a new domain user account
(Skill 3) Creating a Domain User Account (5)
• Built-in user accounts are created by default during the installation of Windows Server 2003
• Administrator built-in user account
  • Used to perform administrative tasks
    • Creating and managing user accounts
    • Setting account properties
    • Assigning permissions to user accounts to access resources
  • Used to gain access to network resources
(Skill 3) Creating a Domain User Account (6)
• Built-in Guest account
  • Used to give users access to resources for a short time
  • Is disabled by default
(Skill 3) Figure 5-7 Summary screen for a new domain user account
(Skill 4) Setting User Account Properties
• Every user account you create has a set of default properties you can configure
  • Including personal information, logon settings, dial-in settings, and Terminal Services settings for a user
• The personal properties you define for a domain user account are useful when conducting user searches based on very specific information
(Skill 4) Setting User Account Properties (2)
• Logon settings are used to specify the logon hours for a user
• Dial-in settings for a user account are used to specify if and how a user can make a dial-in connection from a remote location
• Terminal Services properties provide the ability to connect to a server from a remote location
(Skill 4) Setting User Account Properties (4)
• You can save a lot of time by filling out the common fields shared between user accounts in a “template” account
• A template account is a disabled account that is used as a model for creating other accounts
• After filling out the appropriate fields, you can right-click the account and select Copy to create a new account with most of your pre-defined fields already filled in
(Skill 4) Figure 5-9 Setting user account properties
(Skill 4) Figure 5-10 Specifying logon hours for a user account
(Skill 5) Introducing User Profiles
• A user profile is a collection of data
  • User’s personal data
  • Desktop settings
  • Printer connections
  • Network connections
• User profiles help to provide a consistent desktop environment each time a user logs on to the computer
(Skill 5) Introducing User Profiles (2)
• User profiles enable multiple users to work from the same computer or a single user to work from multiple computers on a network without changing any of the settings
• User profiles can be stored on a server so that users can use them on any computer running Microsoft Windows NT 4.0 or later
• They also store the application settings for applications that comply with Microsoft’s software development guidelines
(Skill 5) Introducing User Profiles (3)
• User profiles are stored in the Documents and Settings folder by default, with the sole exception of servers and clients upgraded from Windows NT or Windows 9x, in which case they are stored in a \Profiles folder
(Skill 5) Introducing User Profiles (4)
• There are three types of user profiles
  • Local user profiles
  • Roaming user profiles
  • Mandatory user profiles
(Skill 5) Introducing User Profiles (5)
• Local user profile
  • Is limited to the computer you log on to and is stored on the system’s local hard disk
  • Is created the first time you log on to a computer by copying the settings in the Default User profile, and it is the default type of profile
  • Any changes you make to your local user profile are also specific to the computer on which you made the changes
(Skill 5) Introducing User Profiles (6)
• Local user profiles are stored in the folder %SystemDrive%\Documents and Settings\user_logon_name
  • %SystemDrive% expands to the system drive letter (for example, C:)
  • user_logon_name is the name the user uses to log on to the system
(Skill 5) Figure 5-11 A sample user profile folder
(Skill 5) Introducing User Profiles (7)
• Roaming user profile
  • A profile that is stored on a network server and retrieved at user logon
  • They are useful when users have to work on multiple computers on a network, because they can have a uniform desktop on all computers they use
(Skill 5) Introducing User Profiles (8)
• Roaming user profile
  • To enable a roaming profile, you must configure a network path to the roaming profile in the Properties dialog box for the user account
  • The profile is then available to the user from all computers in the domain
  • Any changes the user makes to the roaming user profile are also updated on the server
(Skill 5) Introducing User Profiles (9)
• Roaming user profile
  • Users can view their individual settings on any computer on the network
  • When the user logs on to a network computer for the first time, the operating system copies the roaming user profile from the network server to the local user profile and temporarily applies the roaming user profile settings to that computer
  • The profile files are copied to the local profile at logon, and the changes are transferred back to the server at logoff
(Skill 5) Introducing User Profiles (10)
• Roaming user profile
  • In the User Profiles dialog box on the local computer (which is accessed by clicking the Change Type button on the Advanced tab in the System Properties dialog box), the user’s profile is automatically set to Roaming
  • Subsequently, when that user logs on again, Windows Server 2003 copies only the files that have changed since the last time the user logged on
(Skill 5) Introducing User Profiles (11)
• Roaming user profile
  • When the user logs off, Windows Server 2003 copies the changes made to the local copy of the roaming user profile back to the network server
  • Roaming profiles consume large amounts of network bandwidth
  • This is due to users creating folder structures either on the desktop or in the My Documents folder and placing large quantities of data in these locations
(Skill 5) Introducing User Profiles (12)
• Mandatory user profile
  • A type of roaming profile used to specify particular settings for individuals or a group
  • It does not permanently save the desktop settings made by a user
  • The settings are applied to the local computer each time the user logs on
  • This profile helps you to create a default user profile that is suited specifically for a user’s tasks
(Skill 5) Introducing User Profiles (13)
• Mandatory user profile
  • Set up a mandatory user profile for specific users
  • These users will be able to modify the desktop settings while they are logged on
  • None of these changes will be retained when they log off
• Creating a mandatory user profile
  • Involves the same steps as creating a roaming profile, with one exception
  • After creating a roaming profile, go to the appropriate network share point and rename the ntuser.dat file to ntuser.man
(Skill 5) Introducing User Profiles (14)
• The All Users folder in %SystemDrive%\Documents and Settings is used to modify all profiles applied to an individual computer
• Any changes made to the All Users folder will apply to every profile for every user that logs on to this computer
(Skill 5) Figure 5-13 Contents of the All Users folder
(Skill 6) Creating a Roaming User Profile (2)
• Suggested practices
  • Always create standard roaming user profiles on the file server that you back up most frequently
  • This helps you to track copies of the latest roaming user profiles
(Skill 6) Creating a Roaming User Profile (4)
• Standard roaming user profiles provide certain benefits and streamline troubleshooting
  • For example, you can provide a standard desktop environment to multiple users with similar job profiles
  • As another example, the system support team can identify solutions for problems more efficiently (because the team is familiar with the user profile settings)
(Skill 6) Creating a Roaming User Profile (5)
• To create a standard roaming user profile
  • Create a shared folder on the server
  • Create a user profile template with the appropriate configuration
  • Copy the user profile template to the shared folder on the server and specify the users who will have access to the profile
  • Specify the path to the profile template in the user account
(Skill 6) Figure 5-14 Assigning Full Control to the Authenticated Users Group