Date post: | 24-Dec-2015 |
Upload: | rafe-foster |
Chapter 6: WORKING WITH USER ACCOUNTS

CHAPTER OVERVIEW
• Understand the differences between local user and domain user accounts.
• Plan, create, and manage local and domain user accounts.
• Create and manage user accounts by using templates, importation, and command-line tools.
• Manage user profiles.
• Understand the purpose and function of profiles.
• Troubleshoot user authentication issues.

UNDERSTANDING USER ACCOUNTS
• Local user accounts
  • Stored in the Security Accounts Manager (SAM) database on the local system
  • Can be used only on that system
• Domain user accounts
  • Stored in Active Directory on domain controllers
  • Can be used on any system in Active Directory

WORKGROUPS
• No centralized database of user accounts
• User account must exist in the SAM of each system the user accesses
• Impractical in environments with more than 10 users

PLANNING USER ACCOUNTS OVERVIEW
• Account naming
• Choosing passwords
• Designing an Active Directory hierarchy

ACCOUNT NAMING
• Account names can be up to 256 characters.
• The account name used as the authentication credential can be between 1 and 20 characters (letters and/or numbers).
• For names longer than 20 characters, the first 20 must be unique.
• Account names are not case sensitive.
• The following characters cannot be used in the account name:
  • " / \ [ ] : ; | , + = * ? < > @
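
The naming rules above, applied to a list of proposed account names before a bulk import. This is an added example, not part of the original slides; the one-column sheet, its `account_name` column and the function name are assumptions made for illustration.

```python
import csv
import io

FORBIDDEN = set('"/\\[]:;|,+=*?<>@')  # characters the slide rules out
MAX_NAME = 256   # overall length limit from the slide
UNIQUE_LEN = 20  # for longer names, only the first 20 characters must be unique

# Constructed sample: a one-column planning sheet of proposed account names.
SAMPLE_CSV = """account_name
alee
ALee
bo:chen
contractor-temporary-001
contractor-temporary-002
"""


def validate_names(csv_text, column="account_name"):
    """Return (line_number, name, problem) for every name that breaks a rule."""
    findings = []
    seen = {}  # lower-cased first 20 characters -> line where first used
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get(column) or "").strip()
        if not 1 <= len(name) <= MAX_NAME:
            findings.append((line_no, name, "length outside 1-256"))
            continue
        bad = sorted(FORBIDDEN & set(name))
        if bad:
            findings.append((line_no, name, "forbidden character(s): " + " ".join(bad)))
        key = name[:UNIQUE_LEN].lower()  # names are not case sensitive
        if key in seen:
            findings.append(
                (line_no, name, "first 20 characters clash with line %d" % seen[key]))
        else:
            seen[key] = line_no
    return findings


if __name__ == "__main__":
    for finding in validate_names(SAMPLE_CSV):
        print(finding)
```

The last two sample names differ only after character 20, which is why the second one is reported as a clash.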

STRONG PASSWORDS
• Cannot be easily guessed or broken by a password cracking program.
• Use password policy:
  • Enforce strong password (PASSFILT.DLL)
    • Must be six characters long
    • At least three (3) of the following four (4) classes:
      • Upper case
      • Lower case
      • Westernized Arabic numeral (0 – 9)
      • Special characters
    • Cannot contain user name or any part of full name
  • Example: Up2Lower5
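
A check that applies the three strong-password rules listed above to a candidate password. This is an added sketch, not the PASSFILT.DLL code and not part of the original slides; it reads "six characters" as a minimum (the slide's own example has nine), and the `min_token` cut-off for name parts is an assumption.

```python
import re

# Character classes from the slide; a password must use at least three of them.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 6  # the slide's "six characters", read here as a minimum


def name_tokens(user_name, full_name, min_token=3):
    """Strings the password must not contain: the user name and each part of the full name.

    min_token is an assumption of this sketch: shorter name parts (initials)
    are ignored so that they do not reject most passwords.
    """
    tokens = [user_name] + re.split(r"[\s,.\-_]+", full_name)
    return [t.lower() for t in tokens if len(t) >= min_token]


def check_password(password, user_name, full_name):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    used = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(used) < 3:
        problems.append("fewer than 3 character classes")
    lowered = password.lower()
    if any(tok in lowered for tok in name_tokens(user_name, full_name)):
        problems.append("contains user name or part of full name")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a constructed user "jsmith" / "John Smith".
    for candidate in ("Up2Lower5", "Smith2015!", "password", "Ab1"):
        print(candidate, check_password(candidate, "jsmith", "John Smith"))
```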

DESIGNING AN ACTIVE DIRECTORY HIERARCHY
• Create an organizational unit (OU) structure
• Place users in appropriate OU
• Provides for features such as group policy

MANAGING DOMAIN USER ACCOUNTS
• From the Action menu, you can:
  • Reset a user account password.
  • Rename, disable, and delete an account.
  • Modify group membership.
  • Send e-mail and open a user’s homepage.

CREATING MULTIPLE USER OBJECTS
• Using object templates
• Using Csvde.exe
• Using Dsadd.exe

USING OBJECT TEMPLATES
• Can be an existing user account or an account created specifically for copying.
• Not all properties are copied.
• A new SID is generated for the new object.
• Generic user object templates should be assigned a password and disabled to prevent use of the account.

IMPORTING USER OBJECTS USING CSV DIRECTORY EXCHANGE
• Useful for creating large numbers of users at a time.
• Step 1:
  • Create a comma-separated value (CSV) text file of user information.
• Step 2:
  • Use Csvde.exe to import the user information from the CSV file into Active Directory.

CREATING USER OBJECTS WITH DSADD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used to add other objects as well as users

MODIFYING USER OBJECTS WITH DSMOD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used only to modify existing objects

MANAGING USER PROFILES
• Allows each user to have a customized working environment
• Preserves application settings, shortcuts, and preferences
• Ensures that users do not affect each other’s work environment

USER PROFILE CONTENTS
• User-stored documents and files
• Application configurations and settings
• Desktop and environment settings
• Control Panel settings and configurations

USING LOCAL PROFILES
• Stored on the local system
• Available only when the user logs on to that system
• Can be modified by the user as needed

USING ROAMING PROFILES
• Allows a user to have the same working environment from any client computer she logs on to.
• Central storage provides for easier backup.

USING MANDATORY PROFILES
• Can be either local or roaming.
• User can make changes, but changes are not saved when user logs off.
• Renaming Ntuser.dat to Ntuser.man designates profile as mandatory.

MONITORING AND TROUBLESHOOTING USER AUTHENTICATION
• Using password policies
• Using account lockout policies

USING PASSWORD POLICIES
• Provides a mechanism to control password use in the organization.
• Should strike a balance between usability and security.
• Creating a password policy that is too demanding increases password-related support calls.

USING ACCOUNT LOCKOUT POLICIES
• Account Lockout Threshold
• Account Lockout Duration
• Reset Account Lockout Counter After
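
How the three lockout settings interact, replayed over a short trail of logon attempts. This is an added example, not part of the original slides; it is a simplified model, and the event tuples, user names and timestamps are constructed.

```python
from datetime import datetime, timedelta


def simulate_lockout(events, threshold, duration_min, reset_after_min):
    """Replay (time, user, success) logon events; return {user: [(locked_at, unlocked_at)]}."""
    if threshold == 0:
        return {}  # a threshold of 0 means accounts are never locked out
    duration = timedelta(minutes=duration_min)
    reset_after = timedelta(minutes=reset_after_min)
    state = {}  # user -> (failed_count, last_failure, locked_until)
    lockouts = {}
    for ts, user, success in sorted(events):
        count, last_fail, locked_until = state.get(user, (0, None, None))
        if locked_until is not None:
            if ts < locked_until:
                continue  # still locked: attempt rejected, counter untouched
            count, locked_until = 0, None  # lockout duration has expired
        if success:
            count = 0
        else:
            if last_fail is not None and ts - last_fail > reset_after:
                count = 0  # reset window elapsed since the last failure
            count += 1
            last_fail = ts
            if count >= threshold:
                locked_until = ts + duration
                lockouts.setdefault(user, []).append((ts, locked_until))
        state[user] = (count, last_fail, locked_until)
    return lockouts


def at(minute):
    """Constructed timestamp: minutes after 09:00 on an arbitrary day."""
    return datetime(2000, 1, 3, 9, 0) + timedelta(minutes=minute)


# Constructed audit trail of logon attempts: (time, user, success).
EVENTS = [
    (at(0), "alice", False), (at(1), "alice", False), (at(2), "alice", False),
    (at(10), "alice", True),    # correct password, but the account is locked
    (at(40), "alice", False),   # lockout expired at 09:32, counter restarts at 1
    (at(0), "bob", False), (at(1), "bob", False),
    (at(45), "bob", False),     # more than 30 minutes later: counter was reset
]

if __name__ == "__main__":
    for user, periods in simulate_lockout(EVENTS, 3, 30, 30).items():
        for start, end in periods:
            print(user, "locked", start.time(), "until", end.time())
```

With a threshold of 3 only alice is locked out; lowering the threshold to 2 on the same events locks both accounts, which is the usability cost the password-policy slide warns about.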

ACTIVE DIRECTORY CLIENTS
• Windows 2000, Windows XP, and Windows Server 2003 include full Active Directory client capabilities.
• Windows 95, Windows 98, Windows Me, and Windows NT 4 require additional client software to gain full Active Directory functionality.

AUDITING AUTHENTICATION
• Allows you to track failed and successful logon attempts
• Can form part of a security policy
• Creates minimal system overhead in all but the largest environments

SUMMARY
• Local user accounts are stored on the local system and can provide users with access only to local resources. Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.
• User objects include the properties related to the individuals they represent.
• A user object template is an object that is copied to produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties is copied from templates.
• Windows Server 2003 includes command-line tools that you can use to create and manage Active Directory objects, including Csvde.exe, Dsadd.exe, and Dsmod.exe.

SUMMARY (continued)
• A user profile is a collection of folders and data that make up the desktop environment for a specific user.
• Windows Server 2003 generates an individual user profile for each person who logs on to the system. Local user profiles are stored on the local drive, whereas a roaming user profile is stored on a network server.
• A mandatory user profile is one that never changes, providing the same desktop configuration each time the user logs on.
• Auditing for authentication allows you to track logon activity for the network.