Date post: 24-Dec-2015
Upload: rafe-foster

WORKING WITH USER ACCOUNTS

Chapter 6

Chapter 6: WORKING WITH USER ACCOUNTS 2

CHAPTER OVERVIEW
• Understand the differences between local user and domain user accounts.
• Plan, create, and manage local and domain user accounts.
• Create and manage user accounts by using templates, importation, and command-line tools.
• Manage user profiles.
• Understand the purpose and function of profiles.
• Troubleshoot user authentication issues.

UNDERSTANDING USER ACCOUNTS
• Local user accounts
  • Stored in the Security Accounts Manager (SAM) database on the local system
  • Can be used only on that system
• Domain user accounts
  • Stored in Active Directory on domain controllers
  • Can be used on any system in Active Directory

WORKGROUPS
• No centralized database of user accounts
• User account must exist in the SAM of each system the user accesses
• Impractical in environments with more than 10 users

DOMAINS

PLANNING USER ACCOUNTS OVERVIEW
• Account naming
• Choosing passwords
• Designing an Active Directory hierarchy

ACCOUNT NAMING
• Account names can be up to 256 characters.
• The account name used as the authentication credential can be between 1 and 20 characters (letters and/or numbers).
• For names longer than 20 characters, the first 20 must be unique.
• Account names are not case sensitive.
• The following characters cannot be used in the account name:
  • " / \ [ ] : ; | , + = * ? < > @

STRONG PASSWORDS
• Cannot be easily guessed or broken by a password cracking program.
• Use password policy:
  • Enforce strong password (PASSFILT.DLL)
  • Must be six characters long
  • At least three (3) of the following four (4) classes:
    • Upper case
    • Lower case
    • Westernized Arabic numeral (0 – 9)
    • Special characters
  • Cannot contain user name or any part of full name
• Example: Up2Lower5
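
The complexity rules on this slide, written out as a checker (an added example, not part of the original slides and not the code of PASSFILT.DLL). It treats the six-character rule as a minimum and, as an assumption, splits the full name on whitespace and common delimiters and ignores parts shorter than three characters; the function names are illustrative.

```python
import re
import string

MIN_LENGTH = 6          # "Must be six characters long", read as a minimum
REQUIRED_CLASSES = 3    # at least three of the four classes


def character_classes(password):
    """Return the set of slide-defined character classes present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("special")
    return classes


def name_parts(user_name, full_name):
    """Lower-cased name fragments that must not appear in the password."""
    # Assumption: split the full name on whitespace and common delimiters,
    # and ignore fragments shorter than 3 characters.
    parts = re.split(r"[\s,.\-_#]+", full_name) + [user_name]
    return [p.lower() for p in parts if len(p) >= 3]


def check_password(password, user_name, full_name):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    found = character_classes(password)
    if len(found) < REQUIRED_CLASSES:
        problems.append("only %d of 4 character classes" % len(found))
    lowered = password.lower()
    for part in name_parts(user_name, full_name):
        if part in lowered:
            problems.append("contains name part '%s'" % part)
    return problems


if __name__ == "__main__":
    # Constructed sample account; the password is the slide's own example.
    print(check_password("Up2Lower5", "jsmith", "John Smith"))
```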

ACCOUNT PASSWORD POLICY

DESIGNING AN ACTIVE DIRECTORY HIERARCHY
• Create an organizational unit (OU) structure
• Place users in appropriate OU
• Provides for features such as group policy

WORKING WITH LOCAL USER ACCOUNTS

CREATING A LOCAL USER ACCOUNT

MANAGING LOCAL USER ACCOUNTS

WORKING WITH DOMAIN USER ACCOUNTS

CREATING A DOMAIN USER ACCOUNT

MANAGING DOMAIN USER ACCOUNTS
• From the Action menu, you can:
  • Reset a user account password.
  • Rename, disable, and delete an account.
  • Modify group membership.
  • Send e-mail and open a user’s homepage.

THE GENERAL TAB

THE ADDRESS TAB

THE TELEPHONES TAB

THE ORGANIZATION TAB

THE ACCOUNT TAB

THE PROFILE TAB

THE MEMBER OF TAB

THE TERMINAL SERVICES PROFILE TAB

THE ENVIRONMENT TAB

THE REMOTE CONTROL TAB

THE SESSIONS TAB

THE DIAL-IN TAB

THE COM+ TAB

MANAGING MULTIPLE USERS

MOVING USER OBJECTS

CREATING MULTIPLE USER OBJECTS
• Using object templates
• Using Csvde.exe
• Using Dsadd.exe

USING OBJECT TEMPLATES
• Can be an existing user account or an account created specifically for copying.
• Not all properties are copied.
• A new SID is generated for the new object.
• Generic user object templates should be assigned a password and disabled to prevent use of the account.

IMPORTING USER OBJECTS USING CSV DIRECTORY EXCHANGE
• Useful for creating large numbers of users at a time.
• Step 1:
  • Create a comma-separated value (CSV) text file of user information.
• Step 2:
  • Use Csvde.exe to import the user information from the CSV file into Active Directory.
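
Step 1 above, combined with the rules from the ACCOUNT NAMING slide, as an added example (not from the original slides): it builds the CSV import file and rejects logon names that break the naming rules. The OU, domain, user names and function names are constructed placeholders; the column headers are standard Active Directory attribute names.

```python
import csv
import io

FORBIDDEN = set('"/\\[]:;|,+=*?<>@')   # characters listed on the naming slide
MAX_LOGON_LEN = 20                      # logon name: 1 to 20 characters


def validate_logon_name(name, seen):
    """Return an error string, or None if the name satisfies the slide rules."""
    if not 1 <= len(name) <= MAX_LOGON_LEN:
        return "length must be 1-20 characters"
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        return "forbidden character(s): " + " ".join(bad)
    key = name[:MAX_LOGON_LEN].lower()  # names are not case sensitive
    if key in seen:
        return "duplicate of an existing name (case-insensitive)"
    seen.add(key)
    return None


def build_import_csv(users, ou_dn, upn_suffix):
    """users: list of (full_name, logon_name). Returns (csv_text, rejected)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["DN", "objectClass", "sAMAccountName",
                     "userPrincipalName", "displayName", "userAccountControl"])
    seen, rejected = set(), []
    for full_name, logon in users:
        error = validate_logon_name(logon, seen)
        if error:
            rejected.append((logon, error))
            continue
        # 514 = normal account, disabled. csvde cannot import passwords,
        # so each account stays disabled until a password is set.
        writer.writerow(["CN=%s,%s" % (full_name, ou_dn), "user", logon,
                         "%s@%s" % (logon, upn_suffix), full_name, 514])
    return out.getvalue(), rejected


# Constructed sample input; the OU and domain are placeholders.
SAMPLE = [("Ann Lee", "alee"), ("Bob Ray", "ALEE"), ("Cy Dow", "c/dow")]

if __name__ == "__main__":
    text, rejected = build_import_csv(SAMPLE, "OU=Staff,DC=example,DC=com",
                                      "example.com")
    print(text)
    print(rejected)
```

Saved as users.csv, the output is the file that Step 2 imports with csvde -i -f users.csv.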

CREATING USER OBJECTS WITH DSADD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used to add other objects as well as users

MODIFYING USER OBJECTS WITH DSMOD.EXE
• Command-line utility
• Can be used in batch files or scripts
• Can be used only to modify existing objects

MANAGING USER PROFILES
• Allows each user to have a customized working environment
• Preserves application settings, shortcuts, and preferences
• Ensures that users do not affect each other’s work environment

USER PROFILE CONTENTS
• User-stored documents and files
• Application configurations and settings
• Desktop and environment settings
• Control Panel settings and configurations

USER PROFILE DIRECTORY STRUCTURE

USING LOCAL PROFILES
• Stored on the local system
• Available only when the user logs on to that system
• Can be modified by the user as needed

USING ROAMING PROFILES
• Allows a user to have the same working environment from any client computer she logs on to.
• Central storage provides for easier backup.

USING MANDATORY PROFILES
• Can be either local or roaming.
• User can make changes, but changes are not saved when user logs off.
• Renaming Ntuser.dat to Ntuser.man designates profile as mandatory.

MONITORING AND TROUBLESHOOTING USER AUTHENTICATION
• Using password policies
• Using account lockout policies

USING PASSWORD POLICIES
• Provides a mechanism to control password use in the organization.
• Should strike a balance between usability and security.
• Creating a password policy that is too demanding increases password-related support calls.

USING ACCOUNT LOCKOUT POLICIES
• Account Lockout Threshold
• Account Lockout Duration
• Reset Account Lockout Counter After

ACTIVE DIRECTORY CLIENTS
• Windows 2000, Windows XP, and Windows Server 2003 include full Active Directory client capabilities.
• Windows 95, Windows 98, Windows Me, and Windows NT 4 require additional client software to gain full Active Directory functionality.

AUDITING AUTHENTICATION
• Allows you to track failed and successful logon attempts
• Can form part of a security policy
• Creates minimal system overhead in all but the largest environments

SUMMARY
• Local user accounts are stored on the local system and can provide users with access only to local resources. Domain user accounts are stored on Active Directory domain controllers and can provide users with access to resources all over the network.
• User objects include the properties related to the individuals they represent.
• A user object template is an object that is copied to produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties is copied from templates.
• Windows Server 2003 includes command-line tools that you can use to create and manage Active Directory objects, including Csvde.exe, Dsadd.exe, and Dsmod.exe.

SUMMARY (continued)
• A user profile is a collection of folders and data that make up the desktop environment for a specific user.
• Windows Server 2003 generates an individual user profile for each person who logs on to the system. Local user profiles are stored on the local drive, whereas a roaming user profile is stored on a network server.
• A mandatory user profile is one that never changes, providing the same desktop configuration each time the user logs on.
• Auditing for authentication allows you to track logon activity for the network.
