1 / 64

Chapter 8: Managing Accounts and Client Connectivity

Chapter 8: Managing Accounts and Client Connectivity. Learning Objectives. Establish account naming conventions Configure account security policies

matana
Download Presentation

Chapter 8: Managing Accounts and Client Connectivity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 8:Managing Accounts and Client Connectivity

  2. Learning Objectives • Establish account naming conventions • Configure account security policies • Create and manage accounts, including setting up a new account, configuring account properties, delegating account management, and renaming, disabling, and deleting an account

  3. Learning Objectives (continued) • Create local user profiles, roaming profiles, and mandatory profiles • Configure client network operating systems to access Windows 2000 Server, and install client operating systems through Remote Installation Services

  4. Sample Naming Conventions • Last name followed by the initial of the first name • First name initial followed by the last name • Username based on the position in the organization • Username based on the function in the organization

  5. Naming Tip • For accounts that handle money, payroll, budgeting, or accounting transactions, financial auditors typically prefer that accounts are named for individuals

  6. Account Policies • Account policies: security measures set up in a group policy, such as for a domain or local computer • Account policies particularly focus on: • Password security • Account lockout • Kerberos security

  7. Configuring Account Policies • Use the Group Policy MMC snap-in to set up account policies

  8. Setting Account Policies Figure 8-1 Account policies

  9. Password Policy Options • Enforce password history: Enables you to require users to choose new passwords when they make a password change, because the system can remember the previously used passwords • Maximum password age: Permits you to set the maximum time allowed until a password expires • Minimum password age: Permits you to specify that a password must be used a minimum amount of time before it can be changed

  10. Password Policy Options (continued) • Minimum password length: Enables you to require that passwords are a minimum length • Passwords must meet complexity requirements: Enables you to create a filter of customized password requirements that each account password must follow • Store password using reversible encryption for all users in the domain: Enables passwords to be stored in reversible encrypted format

  11. Account Lockout Policy Options • Account lockout duration: Permits you to specify in minutes how long the system will keep an account locked out after reaching the specified number of unsuccessful log on attempts • Account lockout threshold: Enables you to set a limit to the number of unsuccessful tries to log onto an account

  12. Account Lockout Policy Options (continued) • Reset account lockout count after : Enables you to specify the number of minutes between two consecutive unsuccessful logon attempts to make sure that the account will not be locked out too soon

  13. Kerberos Policy Options • Enforce user logon restrictions: Turns on Kerberos security, which is the default • Maximum lifetime for a service ticket: Determines the maximum amount of time in minutes that a service ticket can be used to continually access a particular service in one service session • Maximum lifetime for a user ticket: Determines the maximum amount of time in hours that a ticket can be used in one continuous session for access to a computer or domain

  14. Kerberos Policy Options (continued) • Maximum lifetime for user ticket renewal: Determines the maximum number of days that the same Kerberos ticket can be renewed each time a user logs on • Maximum tolerance for computer clock synchronization: Determines how long in minutes a client will wait until synchronizing its clock with that of the server or Active Directory it is accessing

  15. Creating Accounts • For a server that does not have the Active Directory implemented, use the Local Users and Groups MMC snap-in to create accounts • For a server that employs the Active Directory, use the Active Directory Users and Computers MMC snap-in to create accounts

  16. Active Directory Users and Computers Tool Figure 8-2 Creating a new user in a domain

  17. Entering New User Information Figure 8-3 New user information

  18. Entering Account Parameters Figure 8-4 New user account parameters

  19. Configuring Account Properties Figure 8-5 Account properties in the Active Directory

  20. Account Properties Tabs • General tab: Modify personal information about the user • Address tab: Provide street and city address information • Account tab: Provide account information, such as logon name, plus configure access restrictions, such as for certain days of the week and times of day

  21. Setting Access Restrictions Figure 8-6 Control account access by the day of the week and time

  22. Account Properties Tabs (continued) • Profile tab: Ability to associate a specific profile with an account, associate a home folder and drive, and associate a logon script • Logon script: A file that contains a series of commands to run each time a user logs onto his or her account, such as a command to map a home drive

  23. Windows 2000 Server Logon Script Commands

  24. Account Properties Tabs (continued) • Telephones: Ability to associate telephone contact numbers • Organization: Provide account holder’s title, department, and other information • Member Of: Ability to join this account to one or more groups of users for easier management

  25. Adding an Account to a Group via the Member Of Tab Figure 8-7 Adding an account to the Managers and Print Operators groups

  26. Account Properties Tabs (continued) • Dial-in: Controls remote access such as through a modem • Environment: Ability to configure the startup environment for clients using terminal services • Sessions: Configures session parameters, such as timeout limits, for clients using terminal services

  27. Dial-in Access Parameters Figure 8-8 Configuring remote access

  28. Account Properties Tabs (continued) • Remote Control: Configures remote control parameters for the Administrator to view and manage terminal service client sessions • Terminal Services Profile: Ability to set up a user profile for a terminal services client

  29. Creating an OU • To create an OU: • Click the container in which to create the OU, such as the domain or another OU • Click the Create a new organizational unit in the current container button • Enter the name of the OU • Click OK

  30. Delegating Authority in an OU • To delegate authority: • Right-click the OU and click Delegate control • Click Next after the wizard starts • Click the Add button and specify the accounts, groups, or computers to have the control • Click OK and click Next • Select the tasks to delegate and click Next • Click Finish

  31. Delegation of Control Options

  32. Using Find to Locate an Account • To locate a particular account in order to maintain it: • Right-click the domain • Click Find • Enter the username or the account holder’s name • Click Find Now

  33. Account Maintenance Activities • Typical account maintenance activities include: • Disabling an account, such as when a user takes a leave of absence • Enabling an account, such as when a user returns • Renaming an account, such as when one user leaves and another user is hired into the same position • Moving an account, such as into a different OU

  34. Account Maintenance Activities (continued) • Typical account maintenance activities include (continued): • Deleting an account, such as when a user leaves the organization and there will be no replacement person • Resetting a password for users who do not remember theirs • Account auditing to track certain kinds of activity performed by an account holder

  35. Sample Events that Can be Audited for an Account • Logon and logoff activity • Account modifications through account management tools • Accesses to files and other objects (for files, folders, and objects that are set up to be audited)

  36. Troubleshooting Tip • Use account auditing sparingly because every audited event is written to the Security log – you don’t want to overload a server by devoting too much of its resources to auditing (consult your organization’s management and financial auditors for advice on what to audit)

  37. Local User Profile • Local user profile: A desktop setup that is associated with one or more accounts to determine what startup programs are used, additional desktop icons, and other customizations. A user profile is local to the computer on which it is stored.

  38. Roaming Profile • Roaming profile: Desktop settings that are associated with an account so that the same settings are employed no matter what computer is used to access the account (the profile is downloaded to the client)

  39. Mandatory User Profile • Mandatory User Profile: A user profile set up by the server administrator that is loaded from the server to the client each time the user logs on; and changes that the user makes to the profile are not saved

  40. Hardware Profile • Hardware Profile: A consistent setup of hardware components associated with one or more user accounts

  41. Associating a Profile with an Account Figure 8-9 Setting a roaming profile in an account’s properties

  42. Active Directory Support for Non-Windows 2000 Clients • Plan to install Directory Service Client (DSClient) in Windows 95 and Windows 98 clients • DSClient enables non-Windows 2000 Clients for: • Kerberos authentication • Ability to view objects published in the Windows 2000 Active Directory

  43. DSClient Program Location • Obtain the DSClient program, Dsclient.exe from the Windows 2000 Server CD-ROM • Run this program on Windows 95 and Windows 98 clients

  44. Troubleshooting Tip • If the Distributed File System (Dfs) cannot be accessed from a Windows 95 client, run DSClient to install Dfs capability (Dfs client) as well as the capability to access the Active Directory (DSClient)

  45. Setting Up Client Desktops Using Group Policy and Security Policy • Use the Group Policy snap-in to set up group policies that govern clients • Use the System Policy Editor (Poledit.exe) to configure system policies when running a mixture of Windows NT and Windows 2000 servers

  46. Group Policy and System Policy Templates • Windows 2000 Server comes with several templates already set up for using group policies or system policies • System.adm is the default group policy for managing Windows 2000 Professional clients

  47. Administrative Templates Included with Windows 2000

  48. Templates Included with Windows 2000 (continued)

  49. Group Policy Options • A wide range of group policies can be set up to manage clients

  50. Group Policy Components for Windows 2000 Clients

More Related